Error initializing GCP CKMS wrapper client

balajinaidu · July 25, 2023, 11:46am

I’m running vault on a kubernetes cluster with the below seal configuration

seal "gcpckms" {
        credentials = "/vault/userconfig/vault-serviceaccount/vault-serviceaccount.json"
        project     = "fake-project-name"
        region      = "global"
        key_ring    = "vault-auto-unseal"
        crypto_key  = "vault-auto-unseal"
      }

Using GCP KMS to auto-unseal the vault, while I have this same configuration on 3 clusters it works on 2 and doesn’t work on the 3rd one and I can’t figure out what’s the issue. Vault pods are crashlooping and from logs I can see this

Error parsing Seal configuration: error initializing GCP CKMS wrapper client: failed to create KMS client: invalid character 'e' looking for beginning of value

maxb · July 25, 2023, 12:09pm

e is the first character of a JSON object that is base64-encoded. I wonder if your

is erroneously base64-encoded?

balajinaidu · July 25, 2023, 12:40pm

Thanks @maxb , indeed it was wrongly encoded

Topic		Replies	Views
Error initializing OCI KMS client Vault	0	376	June 1, 2022
Problem with vault Vault	1	516	September 9, 2023
Error parsing Seal configuration: error fetching AWS KMS wrapping key information: InvalidSignatureException: Vault	0	1969	February 1, 2021
Stored unseal keys are supported, but none were found Vault	7	5058	January 7, 2021
Vault auto-unseal for gcp kms failing on init [context deadline exceeded] Vault	5	500	July 12, 2022

Error initializing GCP CKMS wrapper client

Related topics