Hi,
I have set up my Vault with auto-unseal using KMS using the bank-vaults operator and it all went well. I am just stuck on a very simple thing: how do I decrypt the root token that was uploaded to my S3 bucket?
I stumbled upon Kelsey Hightower's complete setup example for GCS/Cloud KMS (https://github.com/kelseyhightower/vault-on-google-kubernetes-engine) and I am looking for the equivalent of this command, but for AWS KMS:
    export VAULT_TOKEN=$(gsutil cat gs://${GCS_BUCKET_NAME}/root-token.enc | \
      base64 --decode | \
      gcloud kms decrypt \
        --project ${PROJECT_ID} \
        --location global \
        --keyring vault \
        --key vault-init \
        --ciphertext-file - \
        --plaintext-file -
    )
I tried using aws kms decrypt and aws-encryption-cli to decrypt the encrypted root key, but with no success.
Any suggestions?
Thanks