Hi,
I’m trying unsuccessfully to set up KMS auto-unseal with OCI.
I get the following error on startup:
“Error parsing Seal configuration: error initializing OCI KMS client: failed creating NewKmsCryptoClientWithConfigurationProvider: can not create client, bad configuration: did not find a proper configuration for tenancy”
This is my configuration:
file /etc/vault.d/vault.env
```sh
OCI_CLI_USER="ocid1.user.oc1..[...]"
OCI_CLI_REGION="eu-milan-1"
OCI_CLI_FINGERPRINT="ec:[...]"
OCI_CLI_KEY_FILE="/etc/vault.d/certs/oci_api_key.pem"
OCI_CLI_TENANCY="ocid1.tenancy.oc1..[...]"
OCI_CLI_AUTH="api_key"
```
file /etc/vault.d/vault.hcl
```hcl
seal "ocikms" {
  auth_type_api_key   = "true"
  key_id              = "ocid1.key.oc1.eu-milan-1.[...]"
  crypto_endpoint     = "https://[...]-crypto.kms.eu-milan-1.oci.oraclecloud.com"
  management_endpoint = "https://[...]-management.kms.eu-milan-1.oci.oraclecloud.com"
}
```
What am I doing wrong?
thanks
Hello @stedon, I have the same issue. Did you fix it? How? Thank you.
What version of Vault? Have you checked out:
GitHub issue (opened 02:16AM, 09 Jan 22 UTC; closed 01:09PM, 29 May 24 UTC; labels: docs, core/seal, cryptosec):
**Describe the bug**
When using the ocikms seal provider with `auth_type_api_key = true` I am getting the following error:
Error parsing Seal configuration: error initializing OCI KMS client: failed creating NewKmsCryptoClientWithConfigurationProvider: can not create client, bad configuration: did not find a proper configutation for private key
I've already checked that my configuration file in `~/.oci/config` is correct and can confirm that it works with both the cli and the oci-go-sdk library.
**To Reproduce**
Steps to reproduce the behavior:
1. Use the ocikms seal stanza and ensure that `auth_type_api_key = true`:
2. Run `vault server -config ./config.hcl`
3. See error
**Expected behavior**
I expected Vault to run normally and use the Oracle KMS provider.
**Environment:**
* Vault Server Version (retrieve with `vault status`): 1.9.2
* Vault CLI Version (retrieve with `vault version`): 1.9.2
* Server Operating System/Architecture: Ubuntu 20.04
Vault server configuration file(s):
```hcl
# Paste your Vault config here.
# Be sure to scrub any sensitive values
storage "inmem" {}
listener "tcp" {
address = "127.0.0.1:8200"
tls_disable = true
}
seal "ocikms" {
key_id = "XXX"
crypto_endpoint = "XXX"
management_endpoint = "XXX"
auth_type_api_key = true
}
```
**Additional context**
I have already submitted an issue to hashicorp/go-kms-wrapping#45, which is, as far as I am aware, the source of this problem. It uses a very old version (v13.1.0+incompatible) of the oracle/oci-go-sdk. Updating the version of the oracle sdk in go-kms-wrapping fixes my issue.
I have also noticed that vault is using the oracle sdk in some other places as well and also uses the same old version as hashicorp/go-kms-wrapping. This might also need updating as there were quite a lot of changes made to this library since 2019.
stedon, August 4, 2025, 10:59am
Hi @ricardonima ,
I’m no longer using Vault, but based on the analysis I performed at the time, I determined that the issue was due to the version of the oci-go-sdk module, which did not support the eu-milan-1 region.
Update oracle/oci-go-sdk to v24.3.0+incompatible or directly to v54 · Issue #45 · hashicorp/go-kms-wrapping
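The two failure modes in this thread (the SDK reporting a missing tenancy, and a key or endpoint in a region the SDK build does not know) both surface only when Vault starts. The script below is an added example, not code from the thread, from Vault, from go-kms-wrapping or from oci-go-sdk: a standard-library-only preflight that takes the OCI_CLI_* env file and the `seal "ocikms"` values from the original post, renders the env file as a `[DEFAULT]` profile in the `~/.oci/config` layout, and checks that the profile has every field an API-key configuration needs, that the OCIDs and fingerprint are well-formed, and that the region in the profile, in `key_id` and in both KMS endpoints agree. It assumes, as the Vault docs describe for `auth_type_api_key`, that the seal authenticates with an API key read from the OCI config file rather than from the CLI's OCI_CLI_* variables; the regexes, the `CLI_ENV_TO_KEY` mapping, the function names and the sample identifiers are all this example's own. It does not open the private key or contact OCI.

```python
import configparser
import re

# OCID layout ocid1.<type>.<realm>.<region>.<id>: user/tenancy OCIDs have an empty region
# segment, a key OCID carries the region of the vault that holds it (example's own regexes).
OCID_RE = re.compile(r"^ocid1\.(?P<type>[a-z]+)\.oc\d+\.(?P<region>[a-z0-9-]*)\.[a-z0-9.]+$")
FINGERPRINT_RE = re.compile(r"^([0-9a-f]{2}:){15}[0-9a-f]{2}$")
KMS_ENDPOINT_RE = re.compile(
    r"^https://[a-z0-9]+-(?P<kind>crypto|management)\.kms\.(?P<region>[a-z0-9-]+)\.oci\.oraclecloud\.com$")
# Keys an API-key profile in ~/.oci/config needs (assumption of this example).
REQUIRED_KEYS = ("user", "tenancy", "fingerprint", "key_file", "region")
# OCI_CLI_* variable -> config-file key; OCI_CLI_AUTH has no file equivalent and is dropped.
CLI_ENV_TO_KEY = {"OCI_CLI_USER": "user", "OCI_CLI_TENANCY": "tenancy", "OCI_CLI_REGION": "region",
                  "OCI_CLI_FINGERPRINT": "fingerprint", "OCI_CLI_KEY_FILE": "key_file"}


def parse_env_file(text: str) -> dict:
    """Parse KEY="value" lines of an env file into a dict (surrounding quotes stripped)."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def profile_from_cli_env(env: dict) -> str:
    """Render OCI_CLI_* variables as a [DEFAULT] profile in the ~/.oci/config layout."""
    lines = ["[DEFAULT]"] + [f"{k}={env[v]}" for v, k in CLI_ENV_TO_KEY.items() if v in env]
    return "\n".join(lines) + "\n"


def load_profile(config_text: str) -> dict:
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    return dict(cp["DEFAULT"])


def check_profile(config_text: str) -> list:
    """Problems that would stop an API-key configuration from being built from the profile."""
    sec = load_profile(config_text)
    problems = [f"{k}: missing from profile [DEFAULT]" for k in REQUIRED_KEYS if not sec.get(k)]
    if problems:
        return problems
    for key in ("user", "tenancy"):
        m = OCID_RE.match(sec[key])
        if not m or m.group("type") != key:
            problems.append(f"{key}: {sec[key]!r} is not a well-formed {key} OCID")
    if not FINGERPRINT_RE.match(sec["fingerprint"]):
        problems.append("fingerprint: expected 16 colon-separated lowercase hex byte pairs")
    return problems


def check_seal(seal: dict, region: str) -> list:
    """Cross-check the seal stanza against the profile's region."""
    problems = []
    m = OCID_RE.match(seal.get("key_id", ""))
    if not m or m.group("type") != "key":
        problems.append("key_id: not a well-formed key OCID")
    elif m.group("region") != region:
        problems.append(f"key_id: region {m.group('region')!r} != profile region {region!r}")
    for name in ("crypto_endpoint", "management_endpoint"):
        kind = name.split("_")[0]
        em = KMS_ENDPOINT_RE.match(seal.get(name, ""))
        if not em or em.group("kind") != kind:
            problems.append(f"{name}: expected https://<vault-id>-{kind}.kms.<region>.oci.oraclecloud.com")
        elif em.group("region") != region:
            problems.append(f"{name}: region {em.group('region')!r} != profile region {region!r}")
    if str(seal.get("auth_type_api_key", "")).lower() != "true":
        problems.append("auth_type_api_key: not true, so Vault would use instance-principal auth")
    return problems


def preflight(config_text: str, seal: dict) -> list:
    problems = check_profile(config_text)
    return problems or check_seal(seal, load_profile(config_text)["region"])


# Constructed sample in the shape of the thread's files; the OCIDs and the fingerprint
# are synthetic placeholders, not real identifiers.
SAMPLE_ENV = """\
OCI_CLI_USER="ocid1.user.oc1..aaaaaaaaexampleuser00000000000000000000000000000000000"
OCI_CLI_REGION="eu-milan-1"
OCI_CLI_FINGERPRINT="ec:01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd"
OCI_CLI_KEY_FILE="/etc/vault.d/certs/oci_api_key.pem"
OCI_CLI_TENANCY="ocid1.tenancy.oc1..aaaaaaaaexampletenancy0000000000000000000000000000000"
OCI_CLI_AUTH="api_key"
"""
SAMPLE_SEAL = {
    "auth_type_api_key": "true",
    "key_id": "ocid1.key.oc1.eu-milan-1.examplevault0.abcdefghijklmnopqrstuvwxyz0123456789",
    "crypto_endpoint": "https://examplevault0-crypto.kms.eu-milan-1.oci.oraclecloud.com",
    "management_endpoint": "https://examplevault0-management.kms.eu-milan-1.oci.oraclecloud.com",
}


def run_sample_checks() -> dict:
    """The sample as-is, with the tenancy dropped, and with a key from another region."""
    env = parse_env_file(SAMPLE_ENV)
    no_tenancy = {k: v for k, v in env.items() if k != "OCI_CLI_TENANCY"}
    other_region = dict(SAMPLE_SEAL, key_id=SAMPLE_SEAL["key_id"].replace("eu-milan-1", "us-ashburn-1"))
    return {"good": preflight(profile_from_cli_env(env), SAMPLE_SEAL),
            "missing_tenancy": preflight(profile_from_cli_env(no_tenancy), SAMPLE_SEAL),
            "region_mismatch": preflight(profile_from_cli_env(env), other_region)}
```

Point `parse_env_file` at the real env file and `preflight` at the seal stanza values to use it for your own setup; an empty list means the static checks passed. A clean result does not prove the SDK build Vault links against knows the region, which is what the final reply identified; it only rules out the profile and region-mismatch errors before the slower restart loop.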