KMS and Vault Transit tokens (doc)

r2d2leboss · April 12, 2023, 12:12pm

Hi,

I understand we can use Vault Transit as KMS for root, recovery and worker-auth. However, it’s unclear in the documentation if we should / must use separate Vault token with policy targeting only one specific Vault Transit or instead having only one Vault Token with a policy allowing access to all Vault Transit.
In case we need different tokens, how to use different env vars ? It looks like “env://xxxx” is not working.

Thanks

jeff · April 18, 2023, 10:36am

Hi @r2d2leboss

You only need a policy that provides access to the transit key you want to use for Boundary KMS purposes.

The “env://” syntax is not supported for KMS blocks at this time. However, it will honor the VAULT_TOKEN env var if it’s set.

Topic		Replies	Views
How to separate KMS with vault-transit engine in boundary enterprise ( seft-managed )? Boundary boundary	0	18	November 20, 2024
Use Vault token from environment when creating credential store Boundary k8s , vault	4	411	June 19, 2022
How to change vault transit kms to aws kms Boundary	3	503	September 28, 2021
[Vault KMS] Unauthenticated, or invalid token Boundary	1	473	September 30, 2021
Approle in configuration file Boundary	1	303	May 3, 2022

KMS and Vault Transit tokens (doc)

Related topics