Multiple instances of vault with S3 as storage

seguidor777 · September 17, 2020, 8:07pm

Hi,

My team want to setup a development environment using vault 1.4.2 with Amazon S3 as storage, every developer has his own vault instance running on a kind cluster.
We need to use the same S3 bucket to store the secrets and configuration, so every time a new vault instance is launched and connects to the bucket, it reuses its contents.
We have been experiencing some issues with this kind of setup, as we do not share the same content in our vault instances.

First of all, I wonder if this setup is actually supported?

mikegreen · September 18, 2020, 4:01pm

You want a single S3 data store with, seemingly unknown and random, multiple Vault instances running, and not in a cluster?
No, not supported and will get an unexpected experience.

What is the actual use case/requirement?

seguidor777 · September 18, 2020, 5:28pm

Yes, but each instance is running on its own kind cluster.

The use case is just to have different vault instances running on its own local cluster each one and using the same S3 bucket as data store.

Could you please let me know if this is possible? Or do I need to use different S3 bucket for each instance?

jeroenjacobs79 · September 18, 2020, 9:13pm

You should use a different S3 bucket for each instance, or you will get really weird results. Multiple instances using the same backend is only supported in a HA-setup, but even then, only one instance is considered “active”, so this will not help in your scenario.

seguidor777 · September 18, 2020, 10:02pm

Ok, that explains why we saw multiple inconsistencies between the data from each instance

We actually have HA enabled for our vault servers, but I imagine that it does not apply to the scenario I am commenting on, because only one instance must be active at a time

Thanks for the clarification

jeroenjacobs79 · September 19, 2020, 2:01pm

I’m wondering if you could use S3 replication, to create an “initial” bucket for each instance you need… That way all your instances have their own bucket, but start with the same initial data.

seguidor777 · September 19, 2020, 3:24pm

I think It may be possible, I’ll consider that

That way, we’d only need to initialize Vault once

DevOpsRob · September 22, 2020, 7:31am

The only thing i’m unsure about with this approach is whether each cluster would be able to decrypt the data as they all have their own cryptographic keys generated at init-time. Personally i would stay away from multiple clusters sharing the same storage backend. separation of concerns is the pragmatic approach i think

seguidor777 · September 22, 2020, 3:25pm

Ok confirmed, I’ll go for the approach you mention. Thanks for your help