Error initializing GCP CKMS wrapper client

balajinaidu · July 25, 2023, 11:46am

I’m running vault on a kubernetes cluster with the below seal configuration

seal "gcpckms" {
        credentials = "/vault/userconfig/vault-serviceaccount/vault-serviceaccount.json"
        project     = "fake-project-name"
        region      = "global"
        key_ring    = "vault-auto-unseal"
        crypto_key  = "vault-auto-unseal"
      }

Using GCP KMS to auto-unseal the vault, while I have this same configuration on 3 clusters it works on 2 and doesn’t work on the 3rd one and I can’t figure out what’s the issue. Vault pods are crashlooping and from logs I can see this

Error parsing Seal configuration: error initializing GCP CKMS wrapper client: failed to create KMS client: invalid character 'e' looking for beginning of value

maxb · July 25, 2023, 12:09pm

e is the first character of a JSON object that is base64-encoded. I wonder if your

is erroneously base64-encoded?

balajinaidu · July 25, 2023, 12:40pm

Thanks @maxb , indeed it was wrongly encoded