Hi team,
We’ve a vault setup on EKS with helm chart and RDS (postgres) configured as backend storage. We are planning on migrating the setup to a new VPC, and basic flow for that what we are currently doing is -
1. Restore the vault backend from the current RDS backup
2. Deploy the vault helm on the new cluster
3. Update the vault config to make use of the new kms (provided it has all the required access)
4. Unseal the vault
ref doc: AWS KMS to AWS KMS Seal Migration – HashiCorp Help Center
Now what is noticed while testing this out is, in the new setup (EKS + Helm) I updated the vault config with the new KMS key from older KMS and newly restored RDS endpoint, and it got unsealed (which i believe shouldn’t be the case in ref to above doc since it’s sealed with older KMS config). Same I verified from the logs as well as from the UI.
vault pods logs say:
2023-10-17T09:15:05.309Z [INFO] core: vault is unsealed
2023-10-17T09:15:05.309Z [INFO] core: entering standby mode
2023-10-17T09:15:05.478Z [INFO] core: unsealed with stored key
config which is used with helm:
extraconfig-from-values.hcl: |-
disable_mlock = true
ui = true
listener "tcp" {
address = "[::]:8200"
cluster_address = "[::]:8201"
tls_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
tls_key_file = "/vault/userconfig/vault-server-tls/vault.key"
tls_client_ca_file = "/vault/userconfig/vault-server-tls/vault.ca"
}
seal "awskms" {
region = "ap-south-1"
kms_key_id = "<NEW-KMS-KEY>"
}
log_level = "Debug"
storage "postgresql" {
ha_enabled = "true"
connection_url = "<NEW-RESTORED-RDS-ENDPOINT"
}
telemetry {
disable_hostname = true
prometheus_retention_time = "12h"
}
If i disabled the seal kms in the above config, and restart vault. It then asks for the older recovery key which is expected. But not in the case when it uses a new KMS key enabled.
Please help me understand if this is the expected behaviour when we do this via restored backup or something is missing here.
ENV:
- Vault helm chart (0.14.0)
- EKS (1.28)
- RDS postgres (AWS)