Max Bowsher
@acortes-okode That is unrelated, and is actually Vault functioning as designed. Each role you configure in the OIDC/JWT auth method can be used for OIDC login or JWT login **but...
Although the linked PR #17269 has rightly identified a logic bug which should be fixed, it doesn't wholly fix this issue. Many people may be running Vault behind a load balancer,...
Since my CLA is now sorted and I have some time, and the previous person working on this has closed their PR, I'm going to work on this myself now.
Thanks, I will raise with my employer whether I can sign the CLA as an individual contributor, or the company needs to sign it. This might take a little while...
It has been a long while since I opened this issue, but since my CLA is now sorted and I have some time over Christmas, I'm now in a position...
I have created the 10 PRs to implement this change.
Please see my PR #18492 which includes this change, and more.
Personally, I feel a documentation-only solution to this issue would not be going far enough, given the possibility of horrendous data loss if a Vault operator carries this misunderstanding...
@dops-at Currently, with Vault as it is today, you need to either:
* Be confident that you can access the remote auto-unseal KMS from the new replacement server
* Or,...
I have now realised that if the Enterprise "sealwrap" feature is enabled, just having the recovery keys being able to reconstruct the root key isn't good enough - since the...