Issue on gcpKMS

bertrand_baudinet · November 17, 2023, 9:52am

Hello,

We try to upgrade our test version of boundary from 0.11.2 to latest version 0.14.2 and we encoutered an issue.

We also tried to run a boundary from scratch (new db) same configuration who works with the version 0.11.2 and we faced the same issue:

/usr/local/bin/boundary server -config /etc/boundary-controller.hcl -log-level=trace
Error initializing controller: error registering aws host plugin: error adding config keys to kms: kms.(Kms).AddExternalWrappers: unable to add root wrapper: unknown: error #0: kms.addKey: wrapper has no key version ID: invalid parameter

Do you know why the log is talking about aws because we don’t use aws at all?
Do you have any clue to fix this issue?

Please find below the kms configuration:

kms "gcpckms" {
    purpose     = "config"
    credentials = "/<path to the SA>/sa.json"
    project     = "<my project id>"
    region      = "<my region>"
    key_ring    = "boundary-test"  
    crypto_key  = "config-test"
}

kms "gcpckms" {
    purpose     = "worker-auth-storage"
    credentials = "/<path to the SA>/sa.json"
    project     = "<my project id>"
    region      = "<my region>"
    key_ring    = "boundary-test"  
    crypto_key  = "worker-auth-storage-test"
}

kms "gcpckms" {
    purpose     = "worker-auth"
    credentials = "/<path to the SA>/sa.json"
    project     = "<my project id>"
    region      = "<my region>"
    key_ring    = "boundary-test"  
    crypto_key  = "worker-auth-test"
}

kms "gcpckms" {
    purpose     = "root"
    credentials = "/<path to the SA>/sa.json"
    project     = "<my project id>"
    region      = "<my region>"
    key_ring    = "boundary-test"  
    crypto_key  = "root-test"
}

jeff · November 17, 2023, 3:43pm

@jimlambrt any ideas?

jimlambrt · November 21, 2023, 2:17pm

Yes and I’m working on a PR to fix this. FYI: @bertrand_baudinet

bertrand_baudinet · November 21, 2023, 2:22pm

@jimlambrt Thanks for your answer.

jimlambrt · November 22, 2023, 10:46am

I’ve opened a go-kms-wrapping PR. Once it’s appropriately reviewed, I’ll open a Boundary PR to update the dependency. Right now, the fix would go out in the upcoming 0.14.3 release. It will likely get back ported to 0.14.x releases.

jimlambrt · November 24, 2023, 11:40am

Boundary PR is under review.

bertrand_baudinet · November 27, 2023, 10:23am

Hello @jimlambrt,

Thank you for update.

bertrand_baudinet · January 15, 2024, 2:04pm

Hello @jimlambrt

I wish you an happy new year.
I didn’t find time earlier to test 0.14.3, you PR is working well and I haven’t issue anymore with gcpkms.

Thank you

Topic		Replies	Views
Failed to start controller with gcpckms Boundary boundary	4	399	September 28, 2023
Error creating global-scope KMS keys Boundary	0	297	August 2, 2023
Boundary setup initial auth failing when using AWS kms Boundary	7	598	September 28, 2022
Using Azure Key Vault KMS for Boundary Boundary	5	755	May 23, 2022
Unable to connect to instance though SSH Boundary	2	1203	June 27, 2022

Issue on gcpKMS

Related topics