How to properly restore a PITR DynamoDB backend


We are setting up a Vault Cluster (DynamoDB backed), and we’re testing recovery scenarios.

One of the scenario is to recover a deleted KV engine by inadvertance.
Our response is to perform a DynamoDB PITR restore before the deletion to another table, then start a new Vault cluster using this DynamoDB storage backend.

This is working ok, but we’re facing the issue that the restore-server will revoke leases (DB engines mainly) that might have been extended on the “normal operating” vault instance.

Question :

  • is there any way to boot a Vault instance up and preventing any lease revokation, at startup and while the server is running ?

  • is there a smarter way to restore a mistakenly deleted KV engine ?

Thanks !

As far as I know, the only option is to use a firewall to prevent the restored Vault from talking to other services in which it manages leases.

No, you are already doing the right thing there.