In the process of restoring the vault from the same back end, I observed that the vault is already initialised but in a sealed state, with the backend perfectly configured; when I try to unseal it using the keys which were collected from the prior installation of vault, I see it is not allowed.
Note: Auto unseal enabled, not allowing to change seal to unseal or vice versa
Expectation: when all the nodes in vault are down and we want to recover, provisioning a new vault with the same back-end table should allow access to the secrets.
configuration:
[ec2-user@ip ~]$ more /opt/vault/config/default.hcl
ui = true
seal "awskms" {
  kms_key_id = "adXXXXXXXXad"
  region = "us-west-1"
}
listener "tcp" {
  address = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_cert_file = "/opt/vault/tlscert/vault.crt.pem"
  tls_key_file = "/opt/vault/tlscert/vault.key"
  tls_disable_client_certs = "true"
}
storage "dynamodb" {
  ha_enabled = "true"
  region = "us-west-1"
  table = "vault-table"
}
# HA settings
cluster_addr = "https://:8201"
api_addr = "https://:8200"
Error:
[ec2-user@ip- ~]$ vault operator unseal -tls-skip-verify
Unseal Key (will be hidden):
Error unsealing: Error making API request.
URL: PUT https://127.0.0.1:8200/v1/sys/unseal
Code: 500. Errors:
- failed to decrypt encrypted stored keys: error decrypting data encryption key: AccessDeniedException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.
status code: 400, request id: a4gh789-59ba-4a8841aef4c6-411a-8c91
VAULT_ADDRESS env pointing to the cluster
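The error above comes from the KMS call the awskms seal makes at startup, not from the unseal keys themselves, so the first thing to verify on a rebuilt node is that this host can reach and use the key in the seal stanza. The following pre-flight script is an added example, not part of the original post; it assumes the AWS CLI is installed, that credentials come from the instance role or environment, and that the config path and key id are those of the config shown above (the demo run uses a constructed config with a placeholder key id).

```shell
#!/bin/sh
# Added pre-flight check, not part of the original post. Before starting Vault on a
# rebuilt node, confirm the KMS key named in the seal "awskms" stanza is reachable
# in that region and usable by this host's credentials. Assumes the AWS CLI is
# installed and credentials come from the instance role or environment.

# Print the body of the seal "awskms" { ... } stanza from an HCL config file.
seal_stanza() {
    awk '/^[[:space:]]*seal[[:space:]]+"awskms"/ { f = 1; next }
         f && /^[[:space:]]*}/ { exit }
         f { print }' "$1"
}

# Extract the unquoted value of one key (kms_key_id, region) from the seal stanza.
seal_value() {
    seal_stanza "$1" | awk -v k="$2" '$1 == k { gsub(/"/, "", $3); print $3; exit }'
}

# Exercise the permissions the awskms seal needs (kms:Encrypt and kms:Decrypt on the
# exact key Vault used when it was first initialised). A DescribeKey failure points at
# a wrong key id, wrong region or a denied role; a failure in the decrypt step is the
# same condition behind the "failed to decrypt encrypted stored keys" error.
check_kms_access() {
    key_id=$(seal_value "$1" kms_key_id); region=$(seal_value "$1" region)
    if [ -z "$key_id" ] || [ -z "$region" ]; then echo "seal stanza incomplete" >&2; return 2; fi
    echo "caller: $(aws sts get-caller-identity --query Arn --output text)"
    aws kms describe-key --key-id "$key_id" --region "$region" \
        --query 'KeyMetadata.[Arn,KeyState]' --output text || return 1
    dir=$(mktemp -d); printf preflight > "$dir/plain"
    aws kms encrypt --key-id "$key_id" --region "$region" --plaintext "fileb://$dir/plain" \
        --query CiphertextBlob --output text | base64 -d > "$dir/cipher" \
      && aws kms decrypt --ciphertext-blob "fileb://$dir/cipher" --region "$region" \
        --query Plaintext --output text | base64 -d | grep -q preflight
    rc=$?; rm -rf "$dir"
    [ "$rc" -eq 0 ] && echo "kms round trip OK for $key_id in $region"; return "$rc"
}

if [ "$#" -gt 0 ]; then
    check_kms_access "$1"   # usage: sh kms_preflight.sh /opt/vault/config/default.hcl
else
    # Offline demo on a constructed config with a placeholder key id (no AWS calls).
    demo=$(mktemp)
    printf 'ui = true\nseal "awskms" {\n  kms_key_id = "KEY-ID-PLACEHOLDER"\n  region = "us-west-1"\n}\nstorage "dynamodb" {\n  region = "us-east-1"\n}\n' > "$demo"
    echo "parsed key=$(seal_value "$demo" kms_key_id) region=$(seal_value "$demo" region)"
    rm -f "$demo"
fi
```

Run it as the same principal that will run the Vault process, so the result reflects the instance role and not an administrator's credentials.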