tl;dr: can I run multiple vaults on different laptops against the same GCPKMS/GCS backend, assuming I can be reasonably certain they don’t try to access the storage concurrently?
I just finished getting an SSH certificate authority set up using vault. It's awesome! I have it using GCP KMS for sealing and GCS as the storage backend. These bits all work great.
However, at the moment I'm running inside a docker-compose and wiring it up to GCP/GCS, the idea being that I run this on my laptop and I can use it to create certs for me. And my thinking is that I'll run this on any "source" machine I have that has an SSH key I would want to sign keys on. I have thought of firing up the vault on demand when I want to sign certs, and since I'm signing with 1 week TTLs at the moment, that's not a huge pain. But I feel like if I just leave it running that would be best.
Vault’s HA is a primary-secondary model rather than some sort of per-transaction locking mechanism, and that’s fine, but in this case, I wouldn’t expect all of the potential vaults to be able to talk to each other, so that sort of setup isn’t really practical. Also, having a vault that is just running somewhere that my laptop can connect to isn’t something I’d like to do at the moment, I don’t want to deal with either running vault on a public IP or getting my laptop VPN’d in to talk to the server or whatever.
So, can I run vault on multiple machines using the same GCS backend at once, so long as I can be reasonably certain they won’t both write to GCS at the same time? Or does vault keep local state that it doesn’t refresh from the backend storage, or some other limitation in doing this?
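For reference, here is an example of the kind of Vault configuration the post describes (GCP KMS auto-unseal plus GCS storage). It is added here as an illustration and is not the poster's own config or docker-compose; the project, key ring, key and bucket names are placeholders. It shows the two settings most relevant to the question of sharing one bucket between instances: the GCS backend's `ha_enabled` flag, which makes Vault take a lock object in the bucket so that only one instance is active at a time, and the top-level `disable_cache` option, since by default each Vault process keeps an in-memory cache of storage entries that a write from a different process does not invalidate.

```hcl
# vault.hcl: GCP KMS auto-unseal + GCS storage for a single laptop instance.
# Illustrative example only, not the poster's config. All names are placeholders.

# Auto-unseal: the root key is wrapped by a Cloud KMS key. Every instance that
# shares the bucket below must point at this same key ring and key.
seal "gcpckms" {
  project    = "my-gcp-project"    # placeholder
  region     = "global"
  key_ring   = "vault-keyring"     # placeholder
  crypto_key = "vault-unseal-key"  # placeholder
}

# Storage: all Vault data lives (encrypted) in this bucket.
storage "gcs" {
  bucket     = "my-vault-bucket"   # placeholder
  # With ha_enabled, Vault holds a lock object in the bucket; one instance is
  # active and any others start as standbys instead of both acting as active.
  ha_enabled = "true"
}

# Each process caches storage reads in memory by default. Disabling the cache
# forces every read to go to the bucket, at a performance cost.
disable_cache = true

listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = "true"  # loopback only; use TLS for anything reachable remotely
}

# Addresses a standby hands to clients and peers for reaching the active node.
api_addr     = "http://127.0.0.1:8200"
cluster_addr = "https://127.0.0.1:8201"
```

Note that with `ha_enabled` the second instance to start becomes a standby, and a standby redirects or forwards requests to the active node's `api_addr`; if the laptops cannot reach each other, the standby cannot serve requests until it takes the lock itself.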