Unable to migrate unseal from shamir to azure

I’m trying to migrate from a manual unseal process using the shamir keys to an Azure based autounseal. However the migration instructions here: Seal/Unseal | Vault | HashiCorp Developer have proven to be impossible to follow.

I’ve got an Azure key store set up and have added the

seal "azurekeyvault" {
}

config to the vault.hcl file with the credentials. The instructions suggest that to migrate the seal all I need to do is to start the vault and then unlock it using the command line tool with the -migrate flag. The problem is that the vault won't start; I get this error in the log:

RESPONSE 404: 404 Not Found
ERROR CODE: KeyNotFound

{
  "error": {
    "code": "KeyNotFound",
    "message": "A key with (name/id) autounsealkey was not found in this key vault. If you recently deleted this key you may be able to recover it using the correct recovery command. For help resolving this issue, please see Azure Key Vault recovery overview | Microsoft Learn"
  }
}

I would consider this error to be expected prior to the migration process being completed, the problem is that the vault process exits straight after this error with no further explanation (and if I take out the azure config it works again). So when I use the command line tool with the -migrate flag, I just get a connection refused error because the vault isn’t running.

I’ve checked and re-checked the documentation and I can’t see what I might have missed so have reached an impasse. To migrate to azure autounseal I need to start the vault with azure configured, but the vault won’t start if the azure config is present. My expectation was that with an un-migrated autounseal configuration, the vault would start but remain sealed until I performed the migration. Is there any way to persuade the vault process to not exit if unseal fails?

I’m using v1.17.2. Thanks in anticipation!

Ok, I've worked out the missing step. I was expecting Vault to create its key in the Azure Key Vault if it wasn't present. I had made this assumption because there was nothing in the migration instructions that I could see telling you to create this manually, so I assumed it must be automatic.

There are also some catches when trying to create the key via the azure portal. Despite being logged in as the subscription owner, I was denied permission to create a key. Fixing this required me to go into the IAM roles for the resource group and add key administrator permission to my own account. There was also a further issue where key creation was only allowed for trusted networks, so I had to add my fixed IP address to the azure key vault network settings.

I think the problem here is that the full instructions for setting up Vault with Azure auto-unseal rely partly on the use of terraform for the deployment, so important steps aren't listed in the documentation because terraform does that for you, which is fine if you want to create an entirely new vault with azure auto-unseal.

However, since terraform sets up a new resource group and Azure VM for the vault, this approach isn’t suitable if you have a pre-existing vault installation that you want to migrate to azure autounseal. The instructions for migrating to azure autounseal give no information on how to set up the azure key vault itself, they just tell you what to put in the vault config. So there was a certain amount of guesswork involved looking at the instructions for a new vault with azure autounseal and trying to work out which bits were needed for the migration.
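A pre-flight check for the situation described in this thread, written as an added example (it is neither the poster's code nor HashiCorp's tooling): it confirms that the key named in the seal stanza exists and is enabled before Vault is restarted with that stanza, since Vault exits rather than staying sealed when the key cannot be reached. It assumes the azurekeyvault seal field names from Vault's seal documentation and the Key Vault REST key endpoint; the sample config and the 404 body are constructed, with placeholder IDs.

```python
import json
import re
from typing import Callable

# Vault's azurekeyvault seal fields; the parser handles flat key = "value" lines only.
SEAL_RE = re.compile(r'seal\s+"azurekeyvault"\s*\{(.*?)\}', re.S)
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.M)
REQUIRED = ("tenant_id", "client_id", "client_secret", "vault_name", "key_name")

# Constructed sample config: IDs and secret are placeholders, not real credentials.
SAMPLE_HCL = '''
seal "azurekeyvault" {
  tenant_id     = "00000000-0000-0000-0000-000000000000"
  client_id     = "11111111-1111-1111-1111-111111111111"
  client_secret = "PLACEHOLDER"
  vault_name    = "example-kv"
  key_name      = "autounsealkey"
}
'''
# Constructed body mirroring the KeyNotFound 404 quoted in the thread.
KEY_NOT_FOUND = json.dumps({"error": {"code": "KeyNotFound",
    "message": "A key with (name/id) autounsealkey was not found in this key vault."}})

def parse_seal_stanza(hcl: str) -> dict:
    """Key/value pairs inside seal "azurekeyvault" { ... }, or {} if the stanza is absent."""
    m = SEAL_RE.search(hcl)
    return dict(KV_RE.findall(m.group(1))) if m else {}

def preflight(hcl: str, fetch_key: Callable[[str, str], tuple]) -> list:
    """Run before restarting Vault with the seal stanza in place.
    fetch_key(vault_name, key_name) returns (http_status, body) for
    GET https://<vault_name>.vault.azure.net/keys/<key_name>?api-version=7.4
    (injected so the check can be exercised offline)."""
    seal = parse_seal_stanza(hcl)
    if not seal:
        return ['no seal "azurekeyvault" stanza found']
    missing = [f for f in REQUIRED if not seal.get(f)]
    if missing:
        return ["seal stanza is missing: " + ", ".join(missing)]
    status, body = fetch_key(seal["vault_name"], seal["key_name"])
    if status == 404 and json.loads(body).get("error", {}).get("code") == "KeyNotFound":
        return [f"key {seal['key_name']!r} is not in vault {seal['vault_name']!r}: "
                "create it (and grant the principal key permissions) before starting Vault"]
    if status == 403:
        return ["403 from Key Vault: check the role assignment and the Key Vault firewall / allowed IPs"]
    if status == 200 and not json.loads(body).get("attributes", {}).get("enabled", False):
        return ["key exists but is disabled"]
    return [] if status == 200 else [f"unexpected HTTP {status} from Key Vault"]

if __name__ == "__main__":
    print(preflight(SAMPLE_HCL, lambda v, k: (404, KEY_NOT_FOUND)))
```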