Vault version: 1.4.0 (Docker)
I’ve set up auto unseal as per the guide here (https://learn.hashicorp.com/vault/operations/autounseal-transit)
I’m a little hazy on how this works under the hood, but I “think” the token I’m using to talk to the ‘upstream’ vault (step 2.2 in the guide) is being auto-renewed, but the renewed tokens are only stored in memory and are lost if I restart the vault.
I pass this token into the vault via /etc/sysconfig/vault as an environment variable at start time (because the guide strongly recommends against putting it into the vault config file).
The thing is, if I restart the downstream vault after a month of it being up, it won’t restart (with the following error):
Error parsing Seal configuration: Error making API request.

URL: PUT https://upstream_server:8200/v1/transit/encrypt/downstream_server
Code: 403. Errors:

* permission denied
The token I’m providing via the environment has expired (because it was generated > 1 month ago).
My question is, how do I set up a seamless method of remote unseal, where I don’t have to take manual action to generate new unseal tokens every month? (How come this important consideration is not covered in the tutorial?) If the downstream vault is successfully renewing its token, is there a way I can get it to spit out the renewed tokens so that I can put them back into the /etc/sysconfig/vault file?
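An added check for the situation described in the post above (example code written for this thread, not code from Vault or from the HashiCorp guide): it reads the upstream token's own lookup-self data and reports whether renewal can keep that token alive indefinitely or whether it has a hard expiry that the downstream Vault will eventually hit no matter how faithfully it renews. The classification rests on two documented Vault rules: a renewable token without a period cannot be renewed past its max TTL (the system default is 768h, i.e. 32 days) counted from creation, and a periodic token with no explicit max TTL can be renewed for as long as renewals keep happening within the period. The sample lookup-self responses are constructed; `token_outlook`, `lookup_self` and `renew_self` are names chosen here; VAULT_ADDR and VAULT_TOKEN are the standard Vault environment variables.

```python
"""Check whether the token a downstream Vault uses for transit auto-unseal
can survive renewals indefinitely, or has a hard expiry it will hit no matter
how often the downstream Vault renews it.

Added example for this thread; not code from Vault or the HashiCorp guide.
Only standard-library modules are used.
"""
import json
import os
import urllib.request

# Vault's default system max TTL (768h). A renewable token without a period
# can be renewed repeatedly, but never past this many seconds after creation.
DEFAULT_SYSTEM_MAX_TTL = 768 * 3600


def lookup_self(addr, token):
    """GET /v1/auth/token/lookup-self on the upstream Vault; returns `data`."""
    req = urllib.request.Request(
        f"{addr}/v1/auth/token/lookup-self",
        headers={"X-Vault-Token": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["data"]


def renew_self(addr, token):
    """POST /v1/auth/token/renew-self; returns the new `auth` block.

    Renewal extends the TTL of the same token ID; it does not hand out a
    new token string.
    """
    req = urllib.request.Request(
        f"{addr}/v1/auth/token/renew-self",
        data=b"{}",
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["auth"]


def token_outlook(data, system_max_ttl=DEFAULT_SYSTEM_MAX_TTL):
    """Classify a lookup-self `data` block.

    Returns a dict with:
      verdict        "non-renewable", "periodic" or "capped"
      hard_deadline  unix time after which no renewal can help, or None
      ttl            seconds left on the current lease
    """
    renewable = bool(data.get("renewable"))
    period = int(data.get("period") or 0)
    explicit_max = int(data.get("explicit_max_ttl") or 0)
    created = int(data.get("creation_time") or 0)
    ttl = int(data.get("ttl") or 0)

    if not renewable:
        # Nothing the downstream Vault does can extend this token.
        return {"verdict": "non-renewable", "hard_deadline": None, "ttl": ttl}
    if period > 0 and explicit_max == 0:
        # Periodic token with no explicit cap: each renewal resets the TTL to
        # `period`, so it lives as long as it keeps being renewed.
        return {"verdict": "periodic", "hard_deadline": None, "ttl": ttl}
    # Plain renewable token: renewals are cut off at the explicit max TTL if
    # one was set, otherwise at the system max TTL, counted from creation.
    cap = explicit_max if explicit_max > 0 else system_max_ttl
    return {"verdict": "capped", "hard_deadline": created + cap, "ttl": ttl}


# Constructed lookup-self responses (trimmed to the fields used above).
# A token from `vault token create -policy=autounseal` with default TTLs:
PLAIN_TOKEN_DATA = {
    "creation_time": 1588291200,   # 2020-05-01T00:00:00Z
    "creation_ttl": 2764800,       # 768h
    "explicit_max_ttl": 0,
    "renewable": True,
    "ttl": 2764500,
    "policies": ["autounseal", "default"],
}
# A token from `vault token create -policy=autounseal -period=24h`
# (creating a periodic token needs a root or sudo-capable caller):
PERIODIC_TOKEN_DATA = dict(
    PLAIN_TOKEN_DATA, period=86400, creation_ttl=86400, ttl=86100
)


if __name__ == "__main__":
    # Run with the same environment the downstream Vault is started with:
    # VAULT_ADDR and VAULT_TOKEN (the values placed in /etc/sysconfig/vault).
    addr = os.environ["VAULT_ADDR"].rstrip("/")
    token = os.environ["VAULT_TOKEN"]
    print(json.dumps(token_outlook(lookup_self(addr, token)), indent=2))
```

A "capped" verdict with a hard_deadline about 32 days after creation_time is the token shape that produces the 403 after a month, regardless of in-memory renewals. With a "periodic" verdict the token the downstream Vault renews in memory is the same token ID it will present after a restart, because renewal extends the TTL of the existing token rather than issuing a new one, so the value in the environment file stays valid.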