Failed to start controller with gcpckms

Hi,

I get the following error when I start the controller with gcpckms:

Error initializing controller: error registering aws host plugin: error adding config keys to kms: kms.(Kms).AddExternalWrappers: unable to add root wrapper: unknown: error #0: kms.addKey: wrapper has no key version ID: invalid parameter

Regards,

Antoine

gcpckms is a GCP KMS configuration but the error message you have there mentions AWS. What does your kms configuration look like for the controller?

Hi,

Thanks for your reply.
My conf:

disable_mlock = false

controller {
  name = "controller"

  database {
    url = "postgresql://XXXX:XXXX@localhost/boundary"
  }
  public_cluster_addr = "XX.XX.XXX.XXX"
  audit {
    log_raw    = true
    log_path   = "/var/log/boundary/audit.log"
    log_format = "json"
  }
}

listener "tcp" {
  address         = "0.0.0.0"
  purpose         = "api"
  tls_disable     = false
  tls_min_version = "tls11"
  tls_max_version = "tls12"
  tls_cert_file   = "/etc/boundary/letsencrypt/live/XXXX.XXX.com/fullchain.pem"
  tls_key_file    = "/etc/boundary/letsencrypt/live/XXXX.XXX.com/privkey.pem"
}

listener "tcp" {
  address     = "0.0.0.0"
  purpose     = "cluster"
  tls_disable = false
}

kms "gcpckms" {
  purpose     = "root"
  credentials = "/etc/boundary/bastion-XXX.json"
  project     = "bastion-xxx"
  region      = "global"
  key_ring    = "boundary-keyring"
  crypto_key  = "worker-auth"
}

kms "gcpckms" {
  purpose     = "worker-auth"
  credentials = "/etc/boundary/bastion-XXX.json"
  project     = "bastion-xxx"
  region      = "global"
  key_ring    = "boundary-keyring"
  crypto_key  = "aead"
}

kms "gcpckms" {
  purpose     = "recovery"
  credentials = "/etc/boundary/bastion-XXX.json"
  project     = "bastion-xxx"
  region      = "global"
  key_ring    = "boundary-keyring"
  crypto_key  = "keys-1"
}

events {
  audit_enabled        = true
  observations_enabled = true
  sysevents_enabled    = true

  sink "stderr" {
    name        = "all-events"
    description = "All events sent to stderr"
    event_types = ["*"]
    format      = "cloudevents-json"
  }

  sink {
    name        = "controller-audit-sink"
    description = "Audit sent to a file"
    event_types = ["audit"]
    format      = "cloudevents-json"

    file {
      path      = "/var/log/boundary"
      file_name = "controller.log"
    }

    audit_config {
      audit_filter_overrides {
        secret    = "encrypt"
        sensitive = "hmac-sha256"
      }
    }
  }
}

What version of Boundary are you using? Is it a binary running on the host, or a container?

Hi,
I faced a similar error running Boundary in Kubernetes.
The versions were 0.13.1 and 0.13.0.
The error disappeared after downgrading to version 0.12.2.