Vault on AWS AutoScaling Group with DynamoDB backend

Hi,

I manually created a working Vault cluster in HA mode with 3 EC2 instances behind an ALB on AWS. Everything is working fine. Now I would like to automate my setup with Ansible (our current infra and provisioning tool). It makes sense to me to use an AutoScaling Group for the Vault EC2 instances, but I could not find howtos for such a setup with the DynamoDB backend. I found several for the Consul backend, which I would like to avoid due to the additional complexity.

Has anyone implemented such a setup on AWS? Is it easily possible to use DynamoDB as the data and HA backend in Vault if the EC2 instances are managed inside an AutoScaling Group?

Thanks in advance for all info!

Best Regards,
Rafal.

I am thinking about:

  • adding a python script in user_data which will use https://python-dynamodb-lock.readthedocs.io/en/latest/usage.html to acquire a lock and initialize Vault for the first time if needed; if the lock exists, other EC2 instances will not try to initialize Vault
  • relying on KMS auto-unseal once the Vault cluster has been initialized by the first EC2 instance, to avoid manual unseal operations

Any potential problems with such an approach? The above lock would only be needed to coordinate the initial Vault initialization.

Best Regards,
Rafal.
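Editor's note: the bootstrap script sketched in the second post, written out as an added example (this is not code from the original poster or from HashiCorp). Two things it assumes that the post does not state: Vault on each instance uses the `awskms` seal, so `PUT sys/init` takes `recovery_shares`/`recovery_threshold` and returns `root_token` and `recovery_keys_base64`; and the init output is handed to AWS Secrets Manager under the hypothetical names `vault/root-token` and `vault/recovery-keys`. The lock table name `VAULT_INIT_LOCK_TABLE` is also hypothetical, and the python-dynamodb-lock API is used as its documentation shows it (`DynamoDBLockClient(...).acquire_lock(key)` usable in a `with` block). The point worth seeing in code is that the "is it initialized?" check runs inside the lock: an instance that waited for the lock re-reads `sys/init` and backs off, instead of two instances both seeing "not initialized" and both calling init. For the cluster itself to fail over between the ASG instances, the `dynamodb` storage stanza also needs `ha_enabled = "true"`, which defaults to false.

```python
"""Lock-coordinated one-time Vault init for instances in an AutoScaling Group.

Added example, not from the original post. Assumed rather than given by the post:
  - Vault on http://127.0.0.1:8200 uses seal "awskms", so sys/init takes
    recovery_shares/recovery_threshold and returns root_token, recovery_keys_base64.
  - Lock table VAULT_INIT_LOCK_TABLE exists; secret names below are hypothetical.
"""
import json
import urllib.request
from typing import Callable, ContextManager, Optional


class HttpVaultApi:
    """Minimal client for the two sys/init calls, standard library only."""

    def __init__(self, addr: str = "http://127.0.0.1:8200") -> None:
        self.addr = addr.rstrip("/")

    def _request(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(f"{self.addr}/v1/{path}", data=data, method=method,
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read() or b"{}")

    def is_initialized(self) -> bool:
        return bool(self._request("GET", "sys/init")["initialized"])

    def initialize(self, recovery_shares: int, recovery_threshold: int) -> dict:
        return self._request("PUT", "sys/init", {"recovery_shares": recovery_shares,
                                                 "recovery_threshold": recovery_threshold})


def bootstrap(vault, acquire_lock: Callable[[str], ContextManager],
              store_secret: Callable[[str, str], None],
              recovery_shares: int = 5, recovery_threshold: int = 3) -> str:
    """Run from user_data on every instance; exactly one of them performs the init.

    The sys/init check happens inside the lock, so an instance that waited for the
    lock re-reads the status and sees the cluster already initialized instead of
    racing the first instance on PUT sys/init.
    """
    with acquire_lock("vault-init"):
        if vault.is_initialized():
            return "already-initialized"
        result = vault.initialize(recovery_shares, recovery_threshold)
        # Root token and recovery keys go straight to the secret store; never log them.
        store_secret("vault/root-token", result["root_token"])
        store_secret("vault/recovery-keys", json.dumps(result["recovery_keys_base64"]))
        return "initialized"


def dynamodb_lock_factory(table_name: str) -> Callable[[str], ContextManager]:
    """Real lock via python-dynamodb-lock over boto3 (imported lazily so the module
    loads offline). acquire_lock() blocks until free; the lock releases on exit."""
    import boto3
    from python_dynamodb_lock.python_dynamodb_lock import DynamoDBLockClient
    client = DynamoDBLockClient(boto3.resource("dynamodb"), table_name=table_name)
    return lambda key: client.acquire_lock(key)


def secrets_manager_store(name: str, value: str) -> None:
    """Real secret store: one Secrets Manager secret per value (assumed naming)."""
    import boto3
    boto3.client("secretsmanager").create_secret(Name=name, SecretString=value)


class FakeVault:
    """Constructed in-memory stand-in for a cluster, for the offline check."""
    def __init__(self) -> None:
        self.initialized, self.init_calls = False, 0

    def is_initialized(self) -> bool:
        return self.initialized

    def initialize(self, recovery_shares: int, recovery_threshold: int) -> dict:
        if self.initialized:
            raise RuntimeError("Vault is already initialized")
        self.init_calls, self.initialized = self.init_calls + 1, True
        return {"recovery_keys_base64": ["constructed"] * recovery_shares,
                "root_token": "hvs.constructed-root-token"}


class FakeLock:
    """Constructed lock that only counts acquisitions; contention is DynamoDB's job."""
    def __init__(self) -> None:
        self.acquired = 0

    def __call__(self, key: str) -> "FakeLock":
        self.acquired += 1
        return self

    def __enter__(self) -> "FakeLock":
        return self

    def __exit__(self, *exc) -> None:
        return None


if __name__ == "__main__":
    # On a real instance, after Vault is listening on 8200:
    print(bootstrap(HttpVaultApi(), dynamodb_lock_factory("VAULT_INIT_LOCK_TABLE"),
                    secrets_manager_store))
```

Run it from user_data after the Vault service is up; every instance in the group runs the same script and only the first caller of `bootstrap` reaches `initialize`. Later instances never need the lock for anything else, since the `awskms` seal unseals them on start.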