seal OCI KMS doesn't find key_id
Describe the bug
After updating to 1.12.0 (actual latest in RPM repository), vault can't start
To Reproduce
Steps to reproduce the behavior:
- Having a working Vault 1.11.4 with seal OCI KMS
- Upgrading to 1.12.0
- See error when restarting the service
/usr/bin/vault server -config=/etc/vault.d/vault.hcl
Error parsing Seal configuration: 'key_id' not found for OCI KMS seal configuration
2022-10-13T04:07:07.570Z [INFO] proxy environment: http_proxy="" https_proxy="" no_proxy=""
Expected behavior
Everything working like before
Environment:
- Vault v1.12.0 (558abfa75702b5dab4c98e86b802fb9aef43b0eb), built 2022-10-10T18:14:33Z
- Server Operating System/Architecture: Oracle Linux Server 9.0 - aarch64
Vault server configuration file(s):
ui = true
api_addr = "http://10.0.0.10:8200"
cluster_addr = "http://10.0.0.10:8201"
disable_mlock = true
storage "raft" {
  path = "/opt/vault/raft/data"
  node_id = "lab0"
  retry_join {
    leader_api_addr = "http://10.0.0.11:8200"
  }
  retry_join {
    leader_api_addr = "http://10.0.0.12:8200"
  }
}
# HTTP listener
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 1
}
service_registration "consul" {
  address = "127.0.0.1:8500"
}
seal "ocikms" {
  key_id = "ocid1.key.oc1.sa-saopaulo-1.xxxxxxx"
  crypto_endpoint = "https://xxxxxxx-crypto.kms.sa-saopaulo-1.oraclecloud.com"
  management_endpoint = "https://xxxxxxx-management.kms.sa-saopaulo-1.oraclecloud.com"
}
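A pre-upgrade check, added here and not part of this thread or of Vault itself: it pulls the seal stanza out of a vault.hcl and reports required parameters that are set neither in the file nor through the VAULT_OCIKMS_* environment variables used in the Helm comment further down. The required-parameter lists and the regex-based stanza reading are assumptions of this example (a minimal read of the seal block, not Vault's HCL parser).

```python
import os
import re
import sys

# Required parameters per seal type, taken from the stanzas posted in this thread.
# Assumption of this example: only ocikms and gcpckms are covered.
REQUIRED = {
    "ocikms": ("key_id", "crypto_endpoint", "management_endpoint"),
    "gcpckms": ("credentials", "project", "region", "key_ring", "crypto_key"),
}
# Environment variables that can stand in for ocikms keys (names as used in the
# Helm comment in this thread); gcpckms is checked from the file only here.
ENV_FALLBACK = {"ocikms": {
    "key_id": "VAULT_OCIKMS_SEAL_KEY_ID",
    "crypto_endpoint": "VAULT_OCIKMS_CRYPTO_ENDPOINT",
    "management_endpoint": "VAULT_OCIKMS_MANAGEMENT_ENDPOINT",
}}

SEAL_RE = re.compile(r'seal\s+"([^"]+)"\s*\{(.*?)\}', re.S)      # seal "<type>" { ... }
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*?)"?\s*$', re.M)  # key = "value"

def parse_seal(hcl_text):
    """Return (seal_type, {key: value}) for the first seal stanza, or (None, {})."""
    m = SEAL_RE.search(hcl_text)
    if not m:
        return None, {}
    return m.group(1), dict(KV_RE.findall(m.group(2)))

def missing_seal_params(hcl_text, env=None):
    """Required seal parameters set neither in the stanza nor in the environment."""
    env = os.environ if env is None else env
    seal_type, params = parse_seal(hcl_text)
    if seal_type is None:
        return ["<no seal stanza>"]
    fallback = ENV_FALLBACK.get(seal_type, {})
    return [k for k in REQUIRED.get(seal_type, ())
            if not params.get(k) and not env.get(fallback.get(k, ""), "")]

# Constructed sample: the ocikms stanza from the report, with key_id left out.
SAMPLE_NO_KEY_ID = '''
seal "ocikms" {
  crypto_endpoint = "https://xxxxxxx-crypto.kms.sa-saopaulo-1.oraclecloud.com"
  management_endpoint = "https://xxxxxxx-management.kms.sa-saopaulo-1.oraclecloud.com"
}
'''
if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NO_KEY_ID
    missing = missing_seal_params(text)
    print("seal stanza OK" if not missing else "missing: " + ", ".join(missing))
```

It catches the parsing failure from this report, not the GCP PermissionDenied described below, which is an IAM matter (cloudkms.cryptoKeys.get must be granted on the key).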
I have the same type of problem, but for GCP:
disable_mlock = true
ui = true
cluster_addr = "https://XXXX:8201"
api_addr = "https://XXXX:8200"
storage "consul" {
  path = "vault/"
  token = "XXXX"
  address = "https://127.0.0.1:8501"
  scheme = "https"
  tls_ca_file = "/etc/ssl/rootCA.pem"
  tls_cert_file = "/etc/vault-server/consul-client-crt.pem"
  tls_key_file = "/etc/vault-server/consul-client-key.pem"
}
listener "tcp" {
  address = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_cert_file = "/etc/vault-server/vault-server-crt.pem"
  tls_key_file = "/etc/vault-server/vault-server-key.pem"
  tls_client_ca_file = "/etc/ssl/rootCA.pem"
}
seal "gcpckms" {
  credentials = "/etc/vault-server/gcpkms-credentials.json"
  project = "test-prokect"
  region = "europe"
  key_ring = "testing"
  crypto_key = "test-key"
}
The file /etc/vault-server/gcpkms-credentials.json exists and was working correctly 2 days ago. The error message is:
Error parsing Seal configuration: error checking key existence: rpc error: code = PermissionDenied desc = Permission 'cloudkms.cryptoKeys.get' denied on resource 'projects/XXX/locations/europe/keyRings/testing/cryptoKeys/YYY' (or it may not exist).
I have downgraded from version 1.12.0-1 to 1.11.4-1 and with this older version it works perfectly:
$ sudo apt install vault=1.11.4-1
Hi I have the same problem with GCP too.
having the same issue on moving from 1.11.4 to 1.12.0
vault Error parsing Seal configuration: error checking key existence: rpc error: code = PermissionDenied desc = Permission 'cloudkms.cryptoKeys.get' denied on resource 'projects/xxxx b/locations/xxx/keyRings/xxxx/vault-init' (or it may not exist).
No update, but the issue is very big: now 3 cloud seals are affected by the same issue (KMS unusable):
- Oracle Cloud: this issue + #13607
- GCP: #17850
- AWS: #17551
It's becoming critical… not everyone can/wants to migrate from Cloud seal to Shamir seal
Sorted. My issue was exactly what it said: a missing permission. Why it worked up to version 1.11.4 without it, I have not looked into, but adding "cloudkms.cryptoKeys.get" allows the update to 1.12.0.
For GCP (#17850), good news but it's not the same for AWS (#17551) or Oracle (this issue)
I have just run into this problem when upgrading from NixOS 22.05 to 22.11 (ocikms seal). Downgrading vault to 1.11.6 seems to work for now.
https://github.com/viperML/neoinfra/blob/2e45d3a6f2e28c15791a911d34d8eab5b1608029/packages/vault-bin.nix
Hello all,
I believe the issue in regards to missing key_id should be resolved in the next minor release of Vault 1.12, which should be 1.12.3, by the recent back-porting of https://github.com/hashicorp/vault/pull/17612.
Answers have been added for the separate issues in regards to the AWS and GCP issues linked in this issue respectively.
why close this when 1.12.3 is not released yet. the fix is not in..
Hello! We close issues when a PR is merged that will fix the issue. This is partially due to administrative overhead; manually closing issues only at release time would be cumbersome and might lead to issues being incorrectly left open. The fix is in the source, so if you have immediate need for the fix in your environment, you could build from source code. Otherwise, it will be included in the next releases (major and minor). Thanks for your understanding!
Facing the same issue with hashicorp/vault:1.14.0, and the helm chart version is 0.25.0:
set {
  name  = "server.extraEnvironmentVars.VAULT_SEAL_TYPE"
  value = "ocikms"
}
set {
  name  = "server.extraEnvironmentVars.VAULT_OCIKMS_SEAL_KEY_ID"
  value = "xxx"
}
set {
  name  = "server.extraEnvironmentVars.VAULT_OCIKMS_CRYPTO_ENDPOINT"
  value = "https://xxx"
}
set {
  name  = "server.extraEnvironmentVars.VAULT_OCIKMS_MANAGEMENT_ENDPOINT"
  value = "https://xxx"
}
Please consider opening a new issue in the hashicorp/vault-helm repo. Thanks!