Error while running vault operator init

Vault
#1

I am getting an error when I run the command vault operator init
The error I get is Error initializing: Error making API request.

URL: PUT https://127.0.0.1:8200/v1/sys/init
Code: 400. Errors:

  • failed to initialize barrier: failed to persist keyring: AccessDenied: Access Denied
    status code: 403,

I followed steps mentioned on this article:

I can see that my vault service is running when I check the status using the systemctl command. However, the init command fails.

#2

Welcome! :grinning:

I think we’re going to need a bit more info to get to the bottom of this. As a start, I would say that this tutorial is now more complex than it needs to be: if this is your first time working with Vault, you might want to consider using one of the official HashiCorp packages, instead of doing a manual installation.

That said, I would say that that isn’t your problem. It’s likely that Vault doesn’t have the proper permissions to write to your S3 bucket.

Can you share some of what systemctl / journalctl are showing as logged around the time of this error? And maybe your Vault configuration file (without the secrets)?

#3

Thank you for your reply!

I’ve attached the systemctl logs:

systemctl logs
systemctl logs1920×1080 151 KB

and here is my vault-config.hcl file

listener “tcp” {
address = “0.0.0.0:8200”
tls_cert_file="/etc/vault.d/.ssl/server.crt"
tls_key_file="/etc/vault.d/.ssl/server.key"
}
backend “s3” {
bucket = “”
region = “”
}
disable_mlock=true

Please let me know if something else is needed.
I will check on the policies to the attached IAM role on the EC2 where I am running this.
Do we also need to configure a bucket policy in this setup?

#4

Found this one:

Btw: your api_addr is not set. :wink:

#5

Thank you for your reply!

So I have not set S3 with KMS. Its just a normal S3 bucket with default settings, nothing different.
I checked the role attached to the EC2 instance and it has list and put object access to the given S3 bucket.
I am new to Vault, so can you tell me about the api_addr paramter actually. I looked up in the documentation but still do not have a clear understanding on what it should be set to.
Can anyone please provide links or videos for the same?

My use case is to setup vault so that I can store the keys that I use to encrypt data stored in S3. If anyone can provide links or videos to this as well that would be really helpful!