Hello there,
I'm trying to deploy Vault on AWS, manual installation and with MySQL as storage. But I'm kind of stuck on an error.
I do the vault server config and I’m getting this:
bash-4.2$ vault server -config /vault/config/config.hcl
==> Vault server configuration:
Api Address: https://127.0.0.1:8200
Cgo: disabled
Cluster Address: https://127.0.0.1:8201
Go Version: go1.17.5
Listener 1: tcp (addr: "[::]:8200", cluster address: "[::]:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "enabled")
Log Level: debug
Mlock: supported: true, enabled: false
Recovery Mode: false
Storage: mysql (HA disabled)
Version: Vault v1.9.2
Version Sha: f4c6d873e2767c0d6853b5d9ffc77b0d297bfbdf
==> Vault server started! Log data will stream in below:
2022-01-30T03:58:26.308Z [DEBUG] storage.cache: creating LRU cache: size=0
2022-01-30T03:58:26.310Z [INFO] core: Initializing VersionTimestamps for core
2022-01-30T03:58:26.310Z [DEBUG] cluster listener addresses synthesized: cluster_addresses=[[::]:8201]
2022-01-30T03:58:26.310Z [DEBUG] would have sent systemd notification (systemd not present): notification=READY=1
2022-01-30T03:58:26.310Z [INFO] core: stored unseal keys supported, attempting fetch
2022-01-30T03:58:26.311Z [WARN] failed to unseal core: error="stored unseal keys are supported, but none were found"
2022-01-30T03:58:31.311Z [INFO] core: stored unseal keys supported, attempting fetch
2022-01-30T03:58:31.312Z [WARN] failed to unseal core: error="stored unseal keys are supported, but none were found"
2022-01-30T03:58:36.312Z [INFO] core: stored unseal keys supported, attempting fetch
2022-01-30T03:58:36.313Z [WARN] failed to unseal core: error="stored unseal keys are supported, but none were found"
And this error "stored unseal keys are supported" is showing up every 5 seconds.
My Config file looks like this:
listener "tcp" {
  address         = "[::]:8200"
  cluster_address = "[::]:8201"
  tls_disable     = 0
  tls_cert_file   = "/vault/config/certs/xxxxxxxxxxxxxxxx.pem"
  tls_key_file    = "/vault/config/certs/xxxxxxxxxxxxxxxxx.key"
}

seal "awskms" {
  # region must be the region in the key ARN; with no access_key/secret_key
  # here, credentials come from the AWS SDK chain (env vars, shared
  # credentials file, or the EC2 instance profile)
  region     = "eu-west-1"
  kms_key_id = "arn:aws:kms:my-zone:XXXXXXXXXXXXX:key/xxxxxxxxxx-xxxx-xxxxxxxx-xxxxxxx"
}

storage "mysql" {
  address    = "xxxxxxxxxxxxxxxxxxx:3306"
  database   = "xxxx"
  username   = "XXXXXXX"
  password   = "XXXXXXXXXXXXX"
  table      = "xxxx"
  ha_enabled = 0
  # documented option name is plaintext_connection_allowed (the original read
  # plaintext_credentials_transmission, which is not a mysql storage option);
  # without tls_ca_file the MySQL connection is unencrypted either way
  plaintext_connection_allowed = 0
}

disable_mlock = true
log_level     = "Debug"
api_addr      = "https://127.0.0.1:8200"
I try to do a "vault status" and then I get this error:
Error checking seal status: Error making API request.
URL: GET https://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:8200/v1/sys/seal-status
Code: 500. Errors:
- core: barrier reports initialized but no seal configuration found
If I do "vault operator init" it returns the same output, and this is really where I'm stuck because I don't know what to do now.
Does this have anything to do with the KMS access from the EC2? Because sometimes in the documentation it looks like a seal stanza is optional, and sometimes it seems required. (If I remove the seal from the configuration file, it returns kind of the same output.)
Another theory is that I am missing the "aws access key" and an "aws secret", but again sometimes in the doc it seems optional and other times it seems a required key.
AWS KMS - Seals - Configuration | Vault by HashiCorp
By the way, from what user do I have to obtain the "access/secret key" if this is the problem? Or how does that work?
Any help is appreciated.
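As an added example (not part of the original post, and not HashiCorp's code), the script below turns what `vault status` returns into a next step for an awskms-sealed server like the one in the post. It assumes the raw output of `vault status -format=json` (or the error text the CLI prints on a 500) is passed in; the JSON samples are constructed, not captured from a real server, and the `json_field` helper is a grep/sed stand-in for jq that only handles Vault's flat status document. The reading of the 500 message (the barrier init marker is present in storage but the `core/seal-config` entry is not, as in Vault's `Core.Initialized` check) and the suggested remedy of emptying the MySQL table before running init again are an assumption about the poster's situation, not something the post confirms; the KMS permissions listed are the ones HashiCorp documents for the awskms seal.

```shell
#!/bin/sh
# Added example: classify `vault status` output for an auto-unsealed Vault and
# print the operator's next command. Nothing here contacts Vault, KMS or MySQL.

# Extract one top-level field from the flat JSON `vault status -format=json`
# emits. A grep/sed stand-in for jq; not a general JSON parser.
json_field() {
  printf '%s' "$2" | tr -d ' \n\t' | grep -o "\"$1\":[^,}]*" | head -n 1 \
    | cut -d: -f2- | tr -d '"'
}

# Classify raw `vault status` output. On HTTP 500 the CLI prints an error text
# instead of JSON, so those messages are matched first.
vault_next_step() {
  out="$1"
  case "$out" in
    *"barrier reports initialized but no seal configuration found"*)
      # Assumption: storage carries the barrier init marker but no
      # core/seal-config entry, i.e. an earlier (maybe interrupted) init left data.
      echo storage-already-initialized; return 0 ;;
    *"Error checking seal status"*)
      echo api-error; return 0 ;;
  esac
  initialized=$(json_field initialized "$out")
  sealed=$(json_field sealed "$out")
  seal_type=$(json_field type "$out")
  if [ "$initialized" != "true" ]; then
    echo needs-init
  elif [ "$sealed" = "true" ] && [ "$seal_type" = "shamir" ]; then
    echo needs-manual-unseal
  elif [ "$sealed" = "true" ]; then
    echo auto-unseal-failed
  else
    echo ready
  fi
}

# Map a classification to the command (or check) the operator should run next.
advice() {
  case "$1" in
    needs-init)
      echo "vault operator init -recovery-shares=5 -recovery-threshold=3"
      echo "# auto-unseal initializes with recovery keys, not unseal keys; the"
      echo "# repeating 'stored unseal keys ... none were found' warning stops after init" ;;
    auto-unseal-failed)
      echo "aws kms describe-key --key-id <kms_key_id from the seal stanza>   # as the instance role"
      echo "# the role (or access_key/secret_key in the seal stanza) needs kms:Encrypt,"
      echo "# kms:Decrypt and kms:DescribeKey on that key; region must match the key ARN" ;;
    needs-manual-unseal)
      echo "vault operator unseal   # shamir seal: repeat until the threshold is reached" ;;
    storage-already-initialized)
      echo "# assumption: empty the mysql table (or point 'table' at a fresh one),"
      echo "# restart Vault, then run vault operator init again" ;;
    api-error)
      echo "# read the error body; check VAULT_ADDR and VAULT_CACERT for the listener cert" ;;
    ready)
      echo "# unsealed and serving; nothing to do" ;;
  esac
}

# Constructed samples (not captured from a real server).
SAMPLE_UNINIT='{"type":"awskms","initialized":false,"sealed":true,"t":0,"n":0,"progress":0,"nonce":"","version":"1.9.2","migration":false,"recovery_seal":true,"storage_type":"mysql","ha_enabled":false}'
SAMPLE_KMS_DOWN='{"type":"awskms","initialized":true,"sealed":true,"t":3,"n":5,"progress":0,"nonce":"","version":"1.9.2","migration":false,"recovery_seal":true,"storage_type":"mysql","ha_enabled":false}'
SAMPLE_500='Error checking seal status: Error making API request.
URL: GET https://vault.example.internal:8200/v1/sys/seal-status
Code: 500. Errors:
* core: barrier reports initialized but no seal configuration found'

for s in "$SAMPLE_UNINIT" "$SAMPLE_KMS_DOWN" "$SAMPLE_500"; do
  step=$(vault_next_step "$s")
  echo "== $step"
  advice "$step"
done
```

Run it as `sh next-step.sh` to see the three constructed cases, or replace the loop with `advice "$(vault_next_step "$(vault status -format=json 2>&1)")"` on the server; the `2>&1` matters because the 500 error text goes to stderr.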