Error while running vault operator init

I am getting an error when I run the command vault operator init
The error I get is Error initializing: Error making API request.

URL: PUT https://127.0.0.1:8200/v1/sys/init
Code: 400. Errors:

  • failed to initialize barrier: failed to persist keyring: AccessDenied: Access Denied
    status code: 403,

I followed the steps mentioned in this article:

I can see that my vault service is running when I check the status using the systemctl command. However, the init command fails.

Welcome! :grinning:

I think we’re going to need a bit more info to get to the bottom of this. As a start, I would say that this tutorial is now more complex than it needs to be: if this is your first time working with Vault, you might want to consider using one of the official HashiCorp packages, instead of doing a manual installation.

That said, I would say that that isn’t your problem. It’s likely that Vault doesn’t have the proper permissions to write to your S3 bucket.

Can you share some of what systemctl / journalctl are showing as logged around the time of this error? And maybe your Vault configuration file (without the secrets)?

Thank you for your reply!

I’ve attached the systemctl logs:

and here is my vault-config.hcl file

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault.d/.ssl/server.crt"
  tls_key_file = "/etc/vault.d/.ssl/server.key"
}
backend "s3" {
  bucket = ""
  region = ""
}
disable_mlock = true

Please let me know if something else is needed.
I will check on the policies to the attached IAM role on the EC2 where I am running this.
Do we also need to configure a bucket policy in this setup?

Found this one:

Btw: your api_addr is not set. :wink:

Thank you for your reply!

So I have not set up S3 with KMS. It's just a normal S3 bucket with default settings, nothing different.
I checked the role attached to the EC2 instance and it has list and put object access to the given S3 bucket.
I am new to Vault, so can you tell me about the api_addr parameter? I looked it up in the documentation but still do not have a clear understanding of what it should be set to.
Can anyone please provide links or videos for the same?

My use case is to set up Vault so that I can store the keys that I use to encrypt data stored in S3. If anyone can provide links or videos on this as well, that would be really helpful!
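
Added example, not part of the thread or of Vault's own code: a Python check of an IAM policy document against the S3 actions behind the storage backend's put, get, delete and list operations, covering the "list and put" role discussed above. The bucket name, object key and sample policies are constructed, and Deny statements and Condition blocks are not evaluated.

```python
import fnmatch

BUCKET = "example-vault-bucket"  # constructed name, not from the thread
OBJ, BKT = "arn:aws:s3:::{b}/sample-key", "arn:aws:s3:::{b}"  # constructed key

# Actions behind the backend's put/get/delete/list calls, and the ARN type
# each must be granted on (object actions vs. the bucket-level list action).
REQUIRED = {"s3:PutObject": OBJ, "s3:GetObject": OBJ,
            "s3:DeleteObject": OBJ, "s3:ListBucket": BKT}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allows(stmt, action, resource):
    """True if one Allow statement covers this action on this resource."""
    if stmt.get("Effect") != "Allow":
        return False
    action_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                    for a in _as_list(stmt.get("Action", [])))
    resource_ok = any(fnmatch.fnmatchcase(resource, r)
                      for r in _as_list(stmt.get("Resource", [])))
    return action_ok and resource_ok

def missing_actions(policy, bucket=BUCKET):
    """Required actions that no Allow statement grants (Deny/Condition ignored)."""
    stmts = _as_list(policy["Statement"])
    return [action for action, arn in REQUIRED.items()
            if not any(_allows(s, action, arn.format(b=bucket)) for s in stmts)]

def _policy(actions, resources):  # helper to build constructed sample policies
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": resources}]}

LIST_PUT_ONLY = _policy(["s3:ListBucket", "s3:PutObject"],
                        [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"])
OBJECTS_ONLY = _policy(["s3:*"], f"arn:aws:s3:::{BUCKET}/*")  # no bucket ARN
FULL = _policy(list(REQUIRED), [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"])

if __name__ == "__main__":
    for name, pol in [("list+put", LIST_PUT_ONLY), ("objects only", OBJECTS_ONLY),
                      ("full", FULL)]:
        print(f"{name}: missing {missing_actions(pol) or 'nothing'}")
```

The second sample policy shows a common gap: `s3:ListBucket` applies to the bucket ARN itself, so a policy scoped only to `bucket/*` does not grant it.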