Unseal vault when AWS KMS is not reachable


I have deployed Vault with AWS KMS auto-unseal, but when connection to AWS is lost and Vault service restarted, Vault start is failing with error:
Error parsing Seal configuration: error fetching AWS KMS wrapping key information: RequestError: send request failed caused by: Post “https://kms.eu-central-1.amazonaws.com/”: dial tcp: lookup kms.eu-central-1.amazonaws.com

Is there a way to unseal vault (using Shamir keys) for seal stanza set to “awskms” when AWS is not reachable?

Best regards

No. Vault using a KMS to unseal (thus constructing the master key) relies on the KMS being high-available (or at least available as much as Vault is up). If you think you cannot rely on your KMS, you will need to use Shamir.

Many Vault clusters unseal reliably with cloud KMS - I’d recommend resolving your connectivity issue from your Vault cluster (or whatever this might be) and continuing to use it.