Hi all,
Is it possible to set up a multi-hop worker setup with separate KMS keys using Vault's Transit secrets engine in Boundary Enterprise?
The documentation says:
"For multi-hop workers, it is also possible to specify a kms block with the downstream-worker-auth purpose. If specified, this will be a separate KMS that can be used for authenticating new downstream nodes. Blocks with this purpose can be specified multiple times."
Unfortunately I have not succeeded so far and I don’t really know why.
The worker starts normally if only one KMS block with purpose downstream-worker-auth is present.
As soon as a second or third is activated, the worker aborts and throws this error message:
The transit keys in Vault were created in advance.
Vault and controller logs do not provide any information.
I have also tested with the latest version, 0.18.0, unfortunately without success.
Here is my worker configuration:
OS: Ubuntu 20.04.
Version: boundary-enterprise=0.16.3+ent-1
Vault: 1.17.2
# boundary-worker.hcl
disable_mlock = true

# Proxy listener for client sessions
listener "tcp" {
  address = "0.0.0.0:9202"
  purpose = "proxy"
}

worker {
  name        = "boundary-ingress-worker"
  description = "Boundary ingress worker"
  ...
}

events {
  ...
}

# KMS used by this worker to authenticate to the controller
kms "transit" {
  purpose         = "worker-auth"
  address         = "https://vault..."
  token           = "hvs.CAESILw6..."
  disable_renewal = "false"
  key_name        = "vpc-boundary"
  mount_path      = "transit/"
}

# Separate KMS keys for authenticating downstream workers (one block per key)
kms "transit" {
  purpose         = "downstream-worker-auth"
  address         = "https://vault..."
  token           = "hvs.CAESIK02hSQafH..."
  disable_renewal = "false"
  key_name        = "downstream_test1"
  mount_path      = "transit/"
}

kms "transit" {
  purpose         = "downstream-worker-auth"
  address         = "https://vault..."
  token           = "hvs.CAESIK02Qf..."
  disable_renewal = "false"
  key_name        = "downstream_test2"
  mount_path      = "transit/"
}

kms "transit" {
  purpose         = "downstream-worker-auth"
  address         = "https://vault..."
  token           = "hvs.CAESIK02iTVBi..."  # leading space removed from the token string
  disable_renewal = "false"
  key_name        = "downstream_test3"
  mount_path      = "transit/"
}
Many thanks for any support.
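As an added sanity check for configs like the one above (example code added here, not part of the original post and not Boundary's or Vault's own code): a small Python lint that pulls the flat kms "transit" blocks out of a worker HCL file and flags the things that commonly break KMS-based worker auth before the worker even reaches Vault: a missing required attribute, more or fewer than one worker-auth block, whitespace inside a token string (the third block in the post carries a leading space), and two blocks pointing at the same transit key. The parser is a deliberately minimal assumption (string attributes only, no nested blocks), and the sample config is constructed with placeholder addresses and tokens.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the worker config above; addresses and
# tokens are placeholders, not values from the original post.
SAMPLE_HCL = '''
kms "transit" {
  purpose = "worker-auth"
  address = "https://vault.example.internal:8200"
  token = "hvs.AAAA"
  disable_renewal = "false"
  key_name = "vpc-boundary"
  mount_path = "transit/"
}
kms "transit" {
  purpose = "downstream-worker-auth"
  address = "https://vault.example.internal:8200"
  token = "hvs.BBBB"
  disable_renewal = "false"
  key_name = "downstream_test1"
  mount_path = "transit/"
}
kms "transit" {
  purpose = "downstream-worker-auth"
  address = "https://vault.example.internal:8200"
  token = " hvs.CCCC"
  disable_renewal = "false"
  key_name = "downstream_test1"
  mount_path = "transit/"
}
'''

# Assumption: kms blocks are flat (no nested blocks), so the first "}" closes them.
BLOCK_RE = re.compile(r'kms\s+"(?P<type>[^"]+)"\s*\{(?P<body>.*?)\}', re.S)
# Only `key = "string"` attributes are recognised; that covers the transit KMS block.
ATTR_RE = re.compile(r'^\s*(?P<key>\w+)\s*=\s*"(?P<val>[^"]*)"\s*$', re.M)

# Attributes every transit KMS block needs before the worker can talk to Vault.
REQUIRED = ("purpose", "address", "token", "key_name", "mount_path")


def parse_kms_blocks(hcl: str) -> List[Dict[str, str]]:
    """Return one dict of attributes per kms block, in file order."""
    blocks = []
    for m in BLOCK_RE.finditer(hcl):
        attrs = {a.group("key"): a.group("val") for a in ATTR_RE.finditer(m.group("body"))}
        attrs["_type"] = m.group("type")
        blocks.append(attrs)
    return blocks


def lint_kms_blocks(blocks: List[Dict[str, str]]) -> List[str]:
    """Return human-readable findings; an empty list means nothing obvious is wrong."""
    findings: List[str] = []

    # A KMS-authenticated worker needs exactly one worker-auth block.
    n_auth = sum(1 for b in blocks if b.get("purpose") == "worker-auth")
    if n_auth != 1:
        findings.append(f"expected exactly one worker-auth block, found {n_auth}")

    seen_keys: Dict[tuple, int] = {}
    for i, b in enumerate(blocks, 1):
        for k in REQUIRED:
            if k not in b:
                findings.append(f"block {i}: missing required attribute {k}")

        # Whitespace inside the quotes becomes part of the token sent to Vault.
        tok = b.get("token", "")
        if tok != tok.strip():
            findings.append(f"block {i}: token has leading/trailing whitespace")

        # Two blocks wrapping the same (address, mount, key) add nothing but confusion.
        key = (b.get("address"), b.get("mount_path"), b.get("key_name"))
        if b.get("key_name") and key in seen_keys:
            findings.append(
                f"block {i}: key_name {b['key_name']!r} also used by block {seen_keys[key]}"
            )
        seen_keys.setdefault(key, i)
    return findings


if __name__ == "__main__":
    for line in lint_kms_blocks(parse_kms_blocks(SAMPLE_HCL)):
        print(line)
```

Point it at the real file with `parse_kms_blocks(open("boundary-worker.hcl").read())`; a clean result does not prove the tokens have encrypt/decrypt on their keys, so follow it with a `vault write transit/encrypt/<key_name>` using each token to confirm the policy side.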