Upgrade Vault using Helm with AWS-KMS auto unseal - Production ENV

We are upgrading the Vault Helm chart to 0.20.0.

  • Running Raft storage / 3 replicas / single cluster / HA mode active
  • Using the AWS KMS seal with auto-unseal.
  • Persistent volumes host the Vault configuration.

The recovery seal type is Shamir; we do not have the root key (Shamir) from when Vault was originally deployed.

  1. Launched a new node group; new Vault pods were created and initialised correctly, with a leader assigned. All 3 pods were unsealed using aws-kms.
  2. We have done a dry run of the Helm install and received no errors.
  3. A snapshot was taken via exec inside the Vault pods using the backup procedure: vault operator raft snapshot save backup.snap

Seal/Unseal - Upon running the new Helm Vault version image, the new pods will launch using the aws-kms sealing/unsealing process.
Once the new pods are created, will they require the Shamir keys to unseal?
Or will the aws-kms key handle this correctly and unseal similarly to when the new node group was launched?

Can we continue upgrading Vault versions without the Shamir root key, using aws-kms auto-unseal, or should we deploy a totally new Vault install?

Vault is currently running in the production cluster and requires a version upgrade, but we were not provided the Shamir key.

Support would be appreciated.

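As an added example (not part of the original post, and not HashiCorp's own tooling): a pre-upgrade runbook script for the procedure described above. It reads vault status -format=json from each pod and refuses to proceed unless the node is initialised, unsealed and using a KMS seal, because a KMS-sealed node unseals itself on restart while a Shamir-sealed node needs operator keys. It assumes a Helm release named vault in namespace vault with pods vault-0, vault-1 and vault-2, working kubectl and helm contexts, and the hashicorp/vault chart repo; the three sample status documents are constructed for the checks, not captured from a cluster.

```shell
#!/bin/sh
# Pre-upgrade runbook for a Vault Helm release using AWS KMS auto-unseal.
# Added example; release/namespace/pod names below are assumptions.
set -eu

# json_field JSON KEY: print the value of a top-level scalar key, unquoted.
# Good enough for the flat output of `vault status -format=json`.
json_field() {
  printf '%s\n' "$1" | tr -d '\n' \
    | sed -n "s/.*\"$2\" *: *\([^,}]*\).*/\1/p" | tr -d '" '
}

# unseal_mode JSON: "auto" for KMS/transit seals (a restarted pod unseals
# itself), "manual" for a Shamir seal (operators must supply unseal keys).
unseal_mode() {
  case "$(json_field "$1" type)" in
    shamir) echo manual ;;
    awskms|gcpckms|azurekeyvault|ocikms|transit|pkcs11) echo auto ;;
    *) echo unknown ;;
  esac
}

# preflight JSON: 0 if this node is initialised, unsealed and auto-unsealing,
# 1 otherwise (with the reason on stderr).
preflight() {
  [ "$(json_field "$1" initialized)" = true ] || { echo "not initialised" >&2; return 1; }
  [ "$(json_field "$1" sealed)" = false ]     || { echo "node is sealed" >&2; return 1; }
  [ "$(unseal_mode "$1")" = auto ]            || { echo "seal needs manual unseal keys" >&2; return 1; }
  return 0
}

# upgrade_runbook RELEASE NAMESPACE CHART_VERSION: the steps from the post with
# the checks above applied to every pod first. Only touches the cluster when
# called explicitly; sourcing this file runs nothing.
upgrade_runbook() {
  release=$1; ns=$2; chart_version=$3
  for pod in "$release-0" "$release-1" "$release-2"; do
    # vault status exits non-zero when sealed; keep going so preflight explains why.
    status=$(kubectl -n "$ns" exec "$pod" -- vault status -format=json || true)
    preflight "$status" || { echo "$pod failed preflight, aborting" >&2; return 1; }
  done

  # Raft snapshot first, copied off the pod so a failed upgrade is recoverable.
  kubectl -n "$ns" exec "$release-0" -- vault operator raft snapshot save /tmp/backup.snap
  kubectl -n "$ns" cp "$ns/$release-0:/tmp/backup.snap" "./backup-$(date +%Y%m%d%H%M).snap"

  helm repo update
  helm upgrade "$release" hashicorp/vault -n "$ns" --version "$chart_version" --reuse-values --dry-run
  helm upgrade "$release" hashicorp/vault -n "$ns" --version "$chart_version" --reuse-values

  # The chart's StatefulSet uses the OnDelete update strategy, so pods are
  # replaced one at a time by deleting them; standbys first, active node last
  # (reorder if vault-0 is not the leader). Each new pod unseals via KMS.
  for pod in "$release-2" "$release-1" "$release-0"; do
    kubectl -n "$ns" delete pod "$pod"
    kubectl -n "$ns" wait --for=condition=Ready "pod/$pod" --timeout=300s
    status=$(kubectl -n "$ns" exec "$pod" -- vault status -format=json || true)
    preflight "$status" || { echo "$pod did not auto-unseal after upgrade" >&2; return 1; }
  done
}

# Constructed sample status documents (not captured from a real cluster).
KMS_STATUS='{"type":"awskms","initialized":true,"sealed":false,"t":3,"n":5,"recovery_seal":true,"storage_type":"raft","ha_enabled":true}'
SHAMIR_STATUS='{"type":"shamir","initialized":true,"sealed":false,"t":3,"n":5,"recovery_seal":false,"storage_type":"raft","ha_enabled":true}'
SEALED_STATUS='{"type":"awskms","initialized":true,"sealed":true,"t":3,"n":5,"recovery_seal":true,"storage_type":"raft","ha_enabled":true}'

# Usage (does nothing until you call it): upgrade_runbook vault vault 0.20.0
```

The preflight encodes the distinction the post is asking about: with a KMS seal the new pods unseal themselves, and the Shamir recovery keys are not consulted at unseal time; they are needed for operations such as generate-root, rekey and seal migration. Keep the copied snapshot outside the cluster before running the real helm upgrade.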