hashicorp/vault-guides

KMS looks to us-east-1 when running in a different region

DrStrangepork opened this issue · 6 comments

All my services run in eu-west-1, so I modified the /operations/aws-kms-unseal-ha/terraform to use that region:

aws-kms-unseal-ha/terraform/variables.tf:

variable aws_region {
  default = "eu-west-1"
}

userdata.tpl:

cat << EOF > /etc/vault.d/vault.hcl
storage "consul" {
  address = "127.0.0.1:8500"
}
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}
seal "awskms" {
  aws_region = "${aws_region}"
  kms_key_id = "${kms_key}"
}
ui=true
EOF

However, when the vault service starts, it looks to region us-east-1 for its KMS seal key:

# vault server -config /etc/vault.d -log-level DEBUG
Error parsing Seal configuration: error fetching AWS KMS sealkey information: NotFoundException: Key 'arn:aws:kms:us-east-1:507527533403:key/c769aa01-5e52-4be2-981e-ecc43d1bd0ef' does not exist

This is correct: the key referenced above does exist, but in eu-west-1. Why is vault looking to us-east-1 even though it is configured to use eu-west-1?

I manually created a key in us-east-1, and vault started up fine using it. That is only a work-around though.

It looks like your seal configuration should be corrected like so:

seal "awskms" {
  region = "${aws_region}"
  kms_key_id = "${kms_key}"
}

(change aws_region to region)

https://www.vaultproject.io/docs/configuration/seal/awskms.html#awskms-example

Vault defaults to us-east-1 when not set.
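The failure in this thread is a silent one: the awskms seal ignores a parameter it does not recognise (`aws_region`), falls back to us-east-1, and only surfaces the problem later as a `NotFoundException` against a key ARN in the wrong region. The following check, added here as an example and not part of vault-guides or Vault itself, lints a rendered vault.hcl before the server is started: it flags parameters the seal stanza does not read, reports the region Vault will actually use when `region` is absent, and cross-checks that region against the one embedded in the key ARN when `kms_key_id` is given as an ARN (Vault also accepts bare key IDs and aliases, which carry no region, so that cross-check is skipped for them). The list of recognised parameters is taken from the awskms seal documentation and is an assumption to extend for newer Vault versions; the sample configs, account ID and key ID are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Parameters the awskms seal stanza reads (assumed from the Vault awskms seal
# docs; extend this set if your Vault version documents additional ones).
KNOWN_SEAL_KEYS = {"region", "access_key", "secret_key", "session_token",
                   "kms_key_id", "endpoint"}

# As stated in the thread: with no region configured, Vault uses us-east-1.
DEFAULT_REGION = "us-east-1"

# seal "awskms" { ... } stanza (no nested blocks inside it, so a lazy match is enough)
_SEAL_BLOCK = re.compile(r'seal\s+"awskms"\s*\{(.*?)\}', re.DOTALL)
# key = "value" or key = value, one assignment per line
_ASSIGN = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"?([^"\n]*)"?\s*$',
                     re.MULTILINE)
# KMS key ARN: arn:aws:kms:<region>:<account>:key/<id>; group 1 is the region
_KMS_ARN = re.compile(r'^arn:aws:kms:([a-z0-9-]+):\d{12}:key/')


@dataclass
class SealCheck:
    effective_region: str              # the region Vault will talk to KMS in
    findings: list = field(default_factory=list)


def parse_awskms_seal(hcl: str) -> dict:
    """Return the key/value parameters of the seal "awskms" stanza."""
    m = _SEAL_BLOCK.search(hcl)
    if not m:
        raise ValueError('no seal "awskms" stanza found')
    return {k: v.strip() for k, v in _ASSIGN.findall(m.group(1))}


def check_awskms_seal(hcl: str) -> SealCheck:
    """Lint the awskms seal stanza of a rendered vault.hcl."""
    params = parse_awskms_seal(hcl)
    findings = []
    for key in sorted(params):
        if key not in KNOWN_SEAL_KEYS:
            findings.append(f"unknown parameter '{key}' is ignored by the awskms seal")
    region = params.get("region")
    if region is None:
        findings.append(f"no 'region' set; Vault will default to {DEFAULT_REGION}")
        region = DEFAULT_REGION
    arn = _KMS_ARN.match(params.get("kms_key_id", ""))
    if arn and arn.group(1) != region:
        findings.append(f"kms_key_id ARN is in {arn.group(1)} but the seal will "
                        f"use {region}; Vault will fail with NotFoundException")
    return SealCheck(region, findings)


# Constructed sample: the misconfiguration from the thread (aws_region instead of region).
BROKEN_CONFIG = '''
storage "consul" {
  address = "127.0.0.1:8500"
}
seal "awskms" {
  aws_region = "eu-west-1"
  kms_key_id = "arn:aws:kms:eu-west-1:123456789012:key/00000000-0000-0000-0000-000000000000"
}
ui=true
'''

# Constructed sample: the corrected stanza (region is the parameter the seal reads).
FIXED_CONFIG = BROKEN_CONFIG.replace("aws_region", "region")

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        result = check_awskms_seal(cfg)
        print(f"{name}: effective region {result.effective_region}")
        for f in result.findings:
            print(f"  - {f}")
```

Run it against the rendered file (for example the output of the userdata template) before starting `vault server`; the broken stanza produces three findings (an ignored `aws_region`, the us-east-1 fallback, and the ARN/region mismatch), while the corrected one produces none and reports eu-west-1 as the effective region.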

Then it appears some of your documentation is off, because on https://www.hashicorp.com/resources/getting-vault-enterprise-installed-running it says this:

seal "awskms" {
  aws_region = "us-east-1"
  access_key = "..."
  secret_key = "..."
  kms_key_id = "..."
}

I'll try region on Monday.

Thanks for pointing out that error, and sorry you've run into issues. Let me know if the config change resolves your issue.

The region setting works fine, thanks for updating the documentation.