How to configure AWS RDS PostgreSQL as persistent storage for HashiCorp Vault

Hello,

I have been using HashiCorp Vault on AWS EKS Fargate and want to use AWS RDS Postgres as the persistent storage backend so that all the data stored in Vault resides inside it.

I have been trying this setup for quite a long time but have not been successful. Please help me with the steps to do so if anyone has already done this on their end.

Hi @Desh-Deepak-Dhobi, welcome to the forum.

This is an example of a bad way to ask for help. You’ve provided no details whatsoever about the problems you’re experiencing.

You will generally not find volunteers with so much time on their hands, that they want to write lengthy custom walkthroughs for individual people.

On the other hand, if you are able to ask a specific question about a point at which you are stuck, you can benefit from people who will quickly offer some pointers to get you moving forwards again.

I suggest you start by reading the documentation at PostgreSQL - Storage Backends - Configuration | Vault | HashiCorp Developer and then try it out - then post about your specific issues.

Be sure to include copy/pastes of actual commands run, configuration files created, and error messages observed.

I tried to dockerize HashiCorp Vault and use the Docker image to run on Kubernetes. But when I tested the image by running it locally, it does not run.

Here are the steps and files that I have created.

  1. Created a config.hcl file (with following code)
storage "postgresql" {
  connection_url = "postgresql://postgres:admin#321@vaultpostgres.c7gtihcllucp.us-east-1.rds.amazonaws.com:5432/vaultdb"
  table          = "vault"
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_disable   = 1
}

disable_mlock = true

api_addr = "http://127.0.0.1:8200"

ui = true

Here, the database details are of the AWS Postgres DB.

  2. Created a file named init.sh
#!/bin/sh

vault server -config=/vault/config/config.hcl &
sleep 5

export VAULT_ADDR=http://localhost:8200

vault operator init -recovery-shares=1 -recovery-threshold=1 > /vault/keys.txt

echo "Initialization complete. Unseal key and initial root token are saved in /vault/keys.txt"

tail -f /dev/null

  3. Created a file named Dockerfile.
FROM vault:latest

# Install PostgreSQL client
RUN apk add --no-cache postgresql-client

# Copy and set up configuration files
COPY config.hcl /vault/config/
COPY init.sh /vault/

# Set necessary environment variables
ENV VAULT_LOCAL_CONFIG=/vault/config/config.hcl
ENV VAULT_ADDR=http://localhost:8200

# Expose the Vault server port
EXPOSE 8200

# Run the initialization script
ENTRYPOINT ["/vault/init.sh"]

  4. Then ran the following command to build the image.
    docker build -t deshvaultimage .

  5. Ran the container using the image that was built.
    docker run -d -p 8200:8200 --name deshvaultcontainer deshvaultimage

  6. Used localhost:8200 on my local PC but there was no output.

Please help me know where I am making mistakes or need to configure something extra.

Look… I want to be helpful but how do you expect anyone to be able to help when you’re leaving so much information out?

Vault emits logging on stderr - show it.

This could mean so many things. You should show an exact copy/paste of your terminal window including the commands run.

I am new to HashiCorp Vault and struggling to implement it with PostgreSQL as a backend.

The following is the error from the Docker container running Vault.

Error initializing storage of type postgresql: failed to check for native upsert: cannot parse `postgresql://postgres:xxxxxx@vaultpostgres.c7gtihcllucp.us-east-1.rds.amazonaws.com:5432/vaultdb`: failed to parse as URL (parse "postgresql://postgres:admin": invalid port ":admin" after host)
2023-06-19T05:31:09.132Z [INFO]  proxy environment: http_proxy="" https_proxy="" no_proxy=""
Get "http://localhost:8200/v1/sys/seal-status": dial tcp 127.0.0.1:8200: connect: connection refused
Initialization complete. Unseal key and initial root token are saved in /vault/keys.txt

The error reveals that the # character in your password is unacceptable unescaped in a URL.

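Why the # breaks the URL: Vault parses connection_url with Go's net/url, which treats everything after the first # as the fragment. The authority is therefore cut down to postgres:admin, and admin is read as the port, which is exactly the "invalid port ":admin" after host" text in the log. The fix is to percent-encode the userinfo part (# becomes %23). The script below is an added example, not code from the thread or from HashiCorp: it encodes a password, assembles the connection_url, and reproduces the parse check so the bad URL is caught before Vault is started. The host db.example.internal and the function names are assumptions; the credentials postgres / admin#321 are the ones shown in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): build a connection_url with a
# percent-encoded password and reproduce the parse failure Vault reported.
# Host and database name below are placeholders, not the poster's endpoint.

# Percent-encode every character outside RFC 3986's unreserved set
# (A-Z a-z 0-9 - . _ ~). ASCII input is assumed; the "'c" printf trick
# yields the byte value of a single-byte character only.
pct_encode() {
  _in=$1 _out=''
  while [ -n "$_in" ]; do
    _c=${_in%"${_in#?}"}      # first character
    _in=${_in#?}              # remainder of the string
    case $_c in
      [A-Za-z0-9._~-]) _out="$_out$_c" ;;
      *) _out="$_out$(printf '%%%02X' "'$_c")" ;;
    esac
  done
  printf '%s' "$_out"
}

# Assemble the URL in the form the postgresql storage backend expects.
build_conn_url() {   # args: user password host port dbname
  printf 'postgresql://%s:%s@%s:%s/%s' \
    "$(pct_encode "$1")" "$(pct_encode "$2")" "$3" "$4" "$5"
}

# Mimic the parts of Go's net/url that produced the thread's error:
# everything after the first '#' is the fragment, everything after the
# first '?' is the query, the authority ends at the first '/', and the
# userinfo ends at the LAST '@' in the authority. Whatever follows the
# final ':' of host:port must be numeric. Bracketed IPv6 hosts are not
# handled; this is a pre-flight check, not a full URL parser.
check_conn_url() {
  _u=${1#*://}
  _u=${_u%%#*}
  _u=${_u%%\?*}
  _auth=${_u%%/*}
  case $_auth in
    *@*) _hostport=${_auth##*@} ;;
    *)   _hostport=$_auth ;;
  esac
  case $_hostport in
    *:*) _port=${_hostport##*:} ;;
    *)   return 0 ;;                        # no port component at all
  esac
  case $_port in
    ''|*[!0-9]*)
      printf 'invalid port ":%s" after host\n' "$_port" >&2
      return 1 ;;
  esac
  return 0
}

# Run with "demo" as the first argument to see both the failing and the
# corrected URL; sourcing or running without arguments defines the functions only.
if [ "${1:-}" = demo ]; then
  check_conn_url 'postgresql://postgres:admin#321@db.example.internal:5432/vaultdb' || true
  build_conn_url postgres 'admin#321' db.example.internal 5432 vaultdb; echo
fi
```

Two caveats a practitioner would add. Percent-encode the username as well as the password, since a @ or : in either breaks the authority the same way. And a database password baked into config.hcl and then into a container image ends up in every registry and layer cache that image touches; the postgresql backend also reads the URL from the VAULT_PG_CONNECTION_URL environment variable, so the credential can be injected at run time (for example from a Kubernetes Secret) instead of being copied into the image.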

Thank you, that worked. And now I can see Vault in my browser at localhost:8200.

But I am not able to get the keys at the specified location, despite the message “Unseal key and initial root token are saved in /vault/keys.txt”.

This is the error that I am getting.

==> Vault server started! Log data will stream in below:

2023-06-19T09:04:13.552Z [INFO]  core: security barrier not initialized
2023-06-19T09:04:13.830Z [INFO]  core: seal configuration missing, not initialized
Error initializing: Error making API request.

URL: PUT http://localhost:8200/v1/sys/init
Code: 400. Errors:

* parameters recovery_shares,recovery_threshold not applicable to seal type shamir
Initialization complete. Unseal key and initial root token are saved in /vault/keys.txt
2023-06-19T09:04:16.129Z [INFO]  core: security barrier not initialized
2023-06-19T09:04:16.403Z [INFO]  core: seal configuration missing, not initialized
2023-06-19T09:04:19.593Z [INFO]  core: security barrier not initialized
2023-06-19T09:04:31.126Z [INFO]  core: security barrier not initialized
2023-06-19T09:04:31.128Z [INFO]  core: security barrier not initialized

Clear error message from Vault:

    * parameters recovery_shares,recovery_threshold not applicable to seal type shamir

Incorrect message from your custom script, which has been written to print this regardless of previous errors:

    Initialization complete. Unseal key and initial root token are saved in /vault/keys.txt
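The reply above makes two points: the init flags depend on the seal type (-recovery-shares / -recovery-threshold belong to auto-unseal seals such as awskms; the shamir seal configured by default takes -key-shares / -key-threshold), and the script prints "Initialization complete" whether or not vault operator init succeeded. The replacement init.sh below is an added example, written for this page rather than taken from the thread or from HashiCorp. It waits for the listener using the documented vault status exit codes (0 unsealed, 2 sealed or not yet initialised, 1 unreachable) instead of a fixed sleep, reads the seal type from vault status -format=json, picks the matching init flags, and aborts with a message if init fails. The config path and keys file path are the ones from the thread; the "run" argument (so the Dockerfile would use ENTRYPOINT ["/vault/init.sh", "run"]) and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): a replacement for the poster's init.sh.
set -eu

VAULT_ADDR=${VAULT_ADDR:-http://127.0.0.1:8200}
export VAULT_ADDR
CONFIG_FILE=${CONFIG_FILE:-/vault/config/config.hcl}   # path used in the thread
KEYS_FILE=${KEYS_FILE:-/vault/keys.txt}                 # path used in the thread

# 'vault status' exits 0 when unsealed, 2 when sealed (which includes "not yet
# initialised") and 1 when the server cannot be reached. Exit codes 0 and 2
# both mean the listener is up, which is all we need before calling init.
wait_for_vault() {   # arg: max attempts, one second apart
  _tries=${1:-30}
  while [ "$_tries" -gt 0 ]; do
    _rc=0
    vault status >/dev/null 2>&1 || _rc=$?
    case $_rc in 0|2) return 0 ;; esac
    sleep 1
    _tries=$((_tries - 1))
  done
  echo "vault did not become reachable at $VAULT_ADDR" >&2
  return 1
}

# Extract the "type" field from 'vault status -format=json' read on stdin.
# sed is used because the official image ships without jq; the pattern
# requires a quote before "type" so "storage_type" does not match.
parse_seal_type() {
  sed -n 's/.*"type": *"\([^"]*\)".*/\1/p' | head -n 1
}

seal_type() {
  vault status -format=json 2>/dev/null | parse_seal_type
}

# shamir is the only seal that is not an auto-unseal seal; every other type
# (awskms, gcpckms, azurekeyvault, transit, ...) rejects -key-shares and
# expects recovery shares instead, which is the error the thread hit in reverse.
init_flags_for_seal() {   # arg: seal type
  case $1 in
    shamir) echo "-key-shares=1 -key-threshold=1" ;;
    *)      echo "-recovery-shares=1 -recovery-threshold=1" ;;
  esac
}

main() {
  vault server -config="$CONFIG_FILE" &
  _server_pid=$!
  wait_for_vault 30

  if vault status -format=json 2>/dev/null | grep -q '"initialized": *true'; then
    echo "vault is already initialised; skipping init" >&2
  else
    _seal=$(seal_type)
    # The flags are intentionally word-split here.
    vault operator init $(init_flags_for_seal "$_seal") -format=json > "$KEYS_FILE" \
      || { echo "vault operator init failed for seal type '$_seal'" >&2
           kill "$_server_pid"; exit 1; }
    chmod 600 "$KEYS_FILE"
    echo "initialised with seal type '$_seal'; keys and root token written to $KEYS_FILE" >&2
  fi

  # Keep the server as the container's foreground process so the container
  # exits if Vault does, instead of tailing /dev/null forever.
  wait "$_server_pid"
}

case ${1:-} in
  run) main ;;
esac
```

Two caveats that the thread's script also leaves open. First, after a shamir init Vault is still sealed; the script only writes the unseal key to keys.txt, so either an operator runs vault operator unseal against the pod or the config gets a seal stanza (for example awskms on EKS), which is the case in which -recovery-shares is the right flag in the first place. Second, keys.txt contains the initial root token in plaintext and lives in the container's writable layer: it disappears with the container, and anyone who can exec into or snapshot the container gets root on Vault. Treat that file as a bootstrap artefact to be moved out and deleted, not as a place to keep keys.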

I am getting this error.