sethvargo/vault-on-gke

Connect to existing secrets in GCS from new Vault GKE cluster

bryan831 opened this issue · 3 comments

Question
What are the modifications necessary to connect to existing secrets in GCS from a new Vault cluster in GKE?

Considerations
n.a

Hi guys, after trying this demo and playing around with Vault, my team is keen on implementing Vault for some of our systems.

One last concern I was tasked to investigate -- is it possible to connect to existing secrets in GCS in the event of an unintended loss of the Vault cluster (e.g. a human accidentally deleting the Vault cluster in GKE, or some other problem with the Vault cluster)?
If so, what are the necessary modifications required?

I tried several modifications (the KMS keys, the GCS bucket name) to the Terraform files to achieve this. The best I was able to achieve was a newly created Vault cluster, and `terraform apply` returned the same root token as the previous cluster. However, in the Vault UI, I was unable to log in with this same root token.

Thanks!

Hi @bryan831

When you say "connect to existing secrets in GCS" which of the following do you mean:

  1. An existing GCS bucket that Vault was using to store data
  2. An existing GCS bucket where you put your own data

Vault's storage backend is pluggable: if you spin up vault-cluster-1 against GCS bucket foo, tear it down, and then spin up vault-cluster-2 against the same GCS bucket, it will have the same secrets, same unseal keys, same root token, etc.

Does that answer your question? Sorry I'm not sure I completely understand the issue.

Hi @sethvargo thanks for your reply.
I am referring to 1, exactly the scenario you have mentioned.

I'm having difficulty modifying the demo terraform files to get it to spin up a new Vault cluster against existing Vault GCS secrets bucket.

Could you let me know the only fields I have to change in the Terraform files to achieve this?
I think I might have modified more fields than necessary, or missed some, which is why I cannot log in to my new Vault cluster.

Thank you very much

  • Delete this
  • Change this to the name of your bucket
  • Change this to the name of your bucket
  • Change this to the name of your bucket
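What the replacement cluster's Vault server configuration has to end up pointing at, shown as an added example rather than the repo's own Terraform output. The bucket name, project, key ring and crypto key below are placeholders; the point is that the `storage "gcs"` bucket and the `seal "gcpckms"` key must both be the ones the original cluster used, because the data in the bucket is encrypted with keys that are themselves wrapped by that KMS key.

```hcl
# Storage backend: reuse the ORIGINAL cluster's bucket, not a freshly created one.
# If Terraform creates a new bucket here, the new cluster initializes empty and
# generates a new root token that has nothing to do with the old secrets.
storage "gcs" {
  bucket     = "EXISTING-VAULT-BUCKET"   # placeholder: the old cluster's bucket
  ha_enabled = "true"
}

# Auto-unseal: must reference the SAME KMS crypto key the original cluster used.
# A new key cannot decrypt the stored master key, so Vault would stay sealed
# (or look initialized but reject the old root token).
seal "gcpckms" {
  project    = "EXISTING-GCP-PROJECT"    # placeholder
  region     = "global"                  # placeholder: region of the key ring
  key_ring   = "EXISTING-VAULT-KEYRING"  # placeholder
  crypto_key = "EXISTING-VAULT-KEY"      # placeholder
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = "false"
}

ui = true
```

The new cluster's service account also needs read/write on that bucket and encrypt/decrypt on that crypto key, otherwise the server starts but cannot unseal; checking `vault status` for `Sealed: false` and `Initialized: true` before using the UI confirms the reconnection worked.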