We are currently in the process of migrating our vault clusters from etcd backend to dynamo db.On our test cluster we were able to migrate 1.6GB data in 50 mins.I have couple of questions regarding the migration.
1.Can we migrate the data when vault is online(only apps reading the secrets,We will not perform any writes)?
2.Is there any way to get the count of entries?This will help us validate the count before and after migration?
Appreciate any feedback.
I think migrate is intended to be an offline activity. I know you can’t start Vault if a migration is happening, but have never tried do a migrate while Vault is online either. I wouldn’t recommend it TBH.
@Neutrollized We run vault cluster in k8’s cluster.When you offline means shutting down vault pods?Because we run migrate cmd from vault pod.Please clarify.
“vault operator migrate -config migration.hcl”
I’ve never done it from a Vault cluster, but from a VM, the Vault service is stopped.
EDIT: from what I understand,
vault operator migrate just needs access to your backend. It doesn’t need Vault to be run or anything, because after you migrate, you still need to unseal at your target location.
Thanks for the info.
Any idea if we can get a count of entries to confirm all the data is coped?
Does any one know if it is possible to get the count.
Is there any way to get the count of entries?This will help us validate the count before and after migration?
Kinda. I have Prometheus/Grafana running on my Raspberry Pi lab at home and one of the things it can report on is the number of secrets you have, but I think that’s about it.
vault operator migrate used to be the hacky way to backup open-source Vault (migrate it to a file and you can restore that file if shit happens), and in the times that I’ve used it, I’ve not had any issues with it. I know it’s a very small sample size and really the answer you were looking for, but it is what it is. You can always keep your existing backend around for a while as something to fall back on if you do notice that the number of entries doesn’t look right or if there are secrets you suddenly can’t pull after you migrate.