KMS and Vault Transit tokens (doc)


I understand we can use Vault Transit as KMS for root, recovery and worker-auth. However, it’s unclear in the documentation if we should / must use separate Vault tokens with a policy targeting only one specific Vault Transit key, or instead have only one Vault token with a policy allowing access to all Vault Transit keys.
In case we need different tokens, how do we use different env vars? It looks like “env://xxxx” is not working.


Hi @r2d2leboss

You only need a policy that provides access to the transit key you want to use for Boundary KMS purposes.

The “env://” syntax is not supported for KMS blocks at this time. However, it will honor the VAULT_TOKEN env var if it’s set.
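To make the answer concrete, here is an added example (not from the thread or the Boundary documentation) of a single Vault policy that grants encrypt/decrypt on three transit keys, one per KMS purpose, together with the matching Boundary `kms "transit"` blocks. The key names, mount path, address and policy name are assumptions; the policy paths follow the standard Vault transit auto-unseal pattern (update capability on the encrypt and decrypt endpoints), which is what a KMS client needs. The `token` attribute is omitted so that the single token is read from `VAULT_TOKEN` in the process environment instead of living in the config file.

```hcl
# --- Vault policy (assumed name: boundary-kms) -------------------------------
# One token bound to this policy can serve all three Boundary KMS purposes.
# Only encrypt and decrypt are granted; no key management, no other mounts.
# Apply with: vault policy write boundary-kms boundary-kms.hcl
path "transit/encrypt/boundary-root" {
  capabilities = ["update"]
}
path "transit/decrypt/boundary-root" {
  capabilities = ["update"]
}
path "transit/encrypt/boundary-recovery" {
  capabilities = ["update"]
}
path "transit/decrypt/boundary-recovery" {
  capabilities = ["update"]
}
path "transit/encrypt/boundary-worker-auth" {
  capabilities = ["update"]
}
path "transit/decrypt/boundary-worker-auth" {
  capabilities = ["update"]
}

# --- Boundary controller config (kms blocks only) ----------------------------
# No "token" attribute: Boundary honors VAULT_TOKEN from the environment, so
# run the controller with a token issued under the policy above, e.g.
#   export VAULT_TOKEN="$(vault token create -policy=boundary-kms -field=token)"
# Address and mount_path are assumed values for this example.
kms "transit" {
  purpose         = "root"
  address         = "https://vault.example.internal:8200"
  key_name        = "boundary-root"
  mount_path      = "transit/"
  disable_renewal = "false"
}

kms "transit" {
  purpose         = "recovery"
  address         = "https://vault.example.internal:8200"
  key_name        = "boundary-recovery"
  mount_path      = "transit/"
  disable_renewal = "false"
}

kms "transit" {
  purpose         = "worker-auth"
  address         = "https://vault.example.internal:8200"
  key_name        = "boundary-worker-auth"
  mount_path      = "transit/"
  disable_renewal = "false"
}
```

A quick check that the policy is no broader than intended: a token created with only `boundary-kms` should be able to run `vault write transit/encrypt/boundary-root plaintext=$(base64 <<< test)` but should be denied on `vault read transit/keys/boundary-root` and on any other mount. Keeping the three keys distinct still lets you rotate or revoke one purpose independently, even though a single token and policy cover all of them.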