How to recover our Vault services after losing access to AWS

Hi guys.

Sorry for requesting your support during the holidays.

I’m trying to help my previous company get their infra back up and running. The story in short is:
The company was closed 90 days ago; during this period the AWS account was locked, so I can’t access the AWS resources.
Vault was configured in its config file to use an S3 bucket as storage.
May I restore the Vault services locally, with access to the secrets stored there, while they take care of the AWS invoices? That way I can restart all services to put the company back in production.

Thanks for any suggestions or guides on how to fix the issue, and have a happy time.

You seem to be saying that your Vault data is stored in S3, but you don’t have access to S3.

Clearly(?) if your Vault data is inaccessible, you won’t be able to access it to run this Vault instance?!

Hi, sorry for my silence, I feel a bit sick.
In fact, our Vault server runs locally, but the config file shows that the storage is on an S3 bucket.

sudo cat /etc/vault.d/vault_main.hcl
cluster_name = "my_dcv1"
max_lease_ttl = "768h"
default_lease_ttl = "768h"

disable_clustering = "True"
cluster_addr = "https://MyIPAddress:8201"
api_addr = "https://MyIPAddress:8200"

plugin_directory = "/usr/local/lib/vault/plugins"

listener "tcp" {
  address = "MyIPAddress:8200"
  cluster_address = "MyIPAddress:8201"
  tls_cert_file = "MyPath_to.pem"
  tls_key_file = "MyPath_to.key"
  tls_min_version = "tls12"
  tls_prefer_server_cipher_suites = "false"
  tls_disable = "false"
}

storage "s3" {
  access_key = "My_AccessKey"
  secret_key = "My_SecretKey"
  bucket = "My_BucketName"
  region = "AWS_Region"
  disable_ssl = "False"

  vault_s3_max_parallel = "128"
  vault_s3_force_path_style = "False"
}

ui = true

So the thing is: when I try to re-run the Vault service it fails. When I run the command:

sudo /usr/local/bin/vault server -config=/etc/vault.d/vault_main.hcl
Error initializing storage of type s3: unable to access bucket

So the question is: may I replace the storage "s3" section with something like "file", successfully restart the service, and have access to my secret values?

I guess I will need to unseal first with the unseal token.


No, because they’re all stored in S3.
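Once the bucket is reachable again, Vault's own `vault operator migrate` command can copy the data out of S3 into a local `file` backend, so the instance no longer depends on AWS. This is an added example, not code from the thread; the credentials, bucket and region are the placeholders from the config above, and the local path is an assumption.

```hcl
# migrate.hcl (added example). Run with the Vault server stopped:
#   vault operator migrate -config=migrate.hcl
# The sealed data is copied as-is, so the existing unseal keys still apply.
storage_source "s3" {
  access_key = "My_AccessKey"
  secret_key = "My_SecretKey"
  bucket     = "My_BucketName"
  region     = "AWS_Region"
}

storage_destination "file" {
  path = "/opt/vault/data"   # assumed local directory, owned by the vault user
}

# Afterwards, replace the storage "s3" block in vault_main.hcl with:
# storage "file" {
#   path = "/opt/vault/data"
# }
# then start the server and unseal with the existing unseal keys.
```

Without access to the source bucket the migration cannot run, so this only helps after the AWS account is restored; taking a copy of the bucket (or a snapshot) before the next outage is what avoids this situation.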

Well, we are F…K.


This is one of the reasons why I use local auto-unseal (a transit key with a local instance), so that I don’t have to be dependent on an external service like that, especially when it comes to something as sensitive as Vault.

Nonetheless, using remote storage (S3) with a local instance does seem like a weird setup. You wouldn’t normally do that, right? Or am I missing something here?