Unseal vault when AWS KMS is not reachable

Hi,

I have deployed Vault with AWS KMS auto-unseal, but when connection to AWS is lost and Vault service restarted, Vault start is failing with error:
Error parsing Seal configuration: error fetching AWS KMS wrapping key information: RequestError: send request failed caused by: Post "https://kms.eu-central-1.amazonaws.com/": dial tcp: lookup kms.eu-central-1.amazonaws.com

Is there a way to unseal vault (using Shamir keys) for seal stanza set to “awskms” when AWS is not reachable?

Best regards

No. Vault using a KMS to unseal (thus constructing the master key) relies on the KMS being highly available (or at least available as much as Vault is up). If you think you cannot rely on your KMS, you will need to use Shamir.

Many Vault clusters unseal reliably with cloud KMS - I’d recommend resolving your connectivity issue from your Vault cluster (or whatever this might be) and continuing to use it.