Oracle Cloud - OCI Object Storage

Part of my work at the moment is configuring vault to work in a private OKE cluster in Oracle Cloud.

We are able to deploy Vault into AWS EKS and connect it to PostgreSQL to store configuration, but I am finding it a challenge to deploy Vault using Oracle Cloud buckets as the medium of storing configuration.

I have seen the following page https://www.vaultproject.io/docs/configuration/storage/oci-object-storage but consistently receive the following error:
Error initializing storage of type oci: failed creating NewObjectStorageClientWithConfigurationProvider: can not create client, bad configuration: did not find a proper configuration for tenancy

I have run oci setup config and the ~/.oci/config file contains the necessaries; what further configuration is needed to get past this issue?

Hi,

I’m afraid we need to dive a bit deeper into your tenancy configuration here. There are multiple potential causes for this, for example whether proper security policies and security lists are in place.

I’ll try the link you provided myself and come back to you. Will take some time though, won’t happen today.

Cheers,

Ralf

I have successfully set this up before. The only thing you need to make sure of is that the bucket is treated as secure and critical, you don’t want people to mess with it, or put policies that archive the objects onto it.
In terms of getting it to work, using Instance Principals and Dynamic Groups is one way to enable this: https://docs.cloud.oracle.com/en-us/iaas/Content/Identity/Tasks/callingservicesfrominstances.htm?Highlight=instance%20principals

Another way would be for it to use a service gateway. I have not tested this method: https://docs.cloud.oracle.com/en-us/iaas/Content/Network/Tasks/servicegateway.htm?Highlight=service%20gateway.

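A minimal configuration for the instance-principal approach described above, added here as an example; it is not code from the thread or from the linked Vault docs page. Vault's oci backend uses the node's instance principal unless auth_type_api_key is set to true, so the namespace, bucket, compartment OCID, group and policy names below are placeholders, and the policy verbs are my assumption of the least privilege Vault needs against the bucket.

```hcl
# vault.hcl (added example; placeholders marked with <...>)
#
# With auth_type_api_key left at its default (false), Vault signs OCI
# requests with the instance principal of the VM/OKE node it runs on,
# so no ~/.oci/config needs to exist inside the pod or on the host.
storage "oci" {
  namespace_name    = "<object-storage-namespace>"  # placeholder: tenancy namespace
  bucket_name       = "vault-data"                  # placeholder: the Vault bucket
  ha_enabled        = "false"                       # thread settled on non-HA; set "true" for HA
  # lock_bucket_name = "vault-lock"                 # required only when ha_enabled = "true"
  auth_type_api_key = false                         # false = instance principal (default)
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/vault/tls/tls.crt"              # placeholder paths
  tls_key_file  = "/vault/tls/tls.key"
}

# --- OCI IAM objects the instance principal relies on (not HCL; shown as
# --- comments so the whole setup is in one place). All names are assumed.
#
# Dynamic group "vault-dg": match only the Vault nodes, here by compartment,
# so that other instances in the tenancy do not inherit the bucket access.
#   All {instance.compartment.id = 'ocid1.compartment.oc1..<placeholder>'}
#
# Policy "vault-object-storage" in that compartment, scoped to the one
# bucket so the group cannot touch other Object Storage data:
#   Allow dynamic-group vault-dg to read buckets in compartment <vault-compartment>
#     where target.bucket.name = 'vault-data'
#   Allow dynamic-group vault-dg to manage objects in compartment <vault-compartment>
#     where target.bucket.name = 'vault-data'
#
# Keep Object Lifecycle policies (archive/delete rules) off this bucket, as
# the reply above recommends; archived objects are not readable by Vault.
```

Run `vault server -config=vault.hcl` on a node that is a member of the dynamic group; the "did not find a proper configuration for tenancy" error belongs to the API-key path, which this configuration does not use.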

Hi,

Great, thanks for saving me some research here.

Just a comment: The “best practice” would be using a service gateway, because then the traffic doesn’t traverse the internet. Which would make sense in this use case, it’s Vault data after all.
Make sure you choose the correct Route Table when creating the Service Gateway, in case you created your own tables.


Thanks both. We’ve settled with not using HA mode for now, but I will spend some time looking into the service gateway method.