bank-vaults / bank-vaults

A Vault swiss-army knife: A CLI tool to init, unseal and configure Vault (auth methods, secret engines).
https://bank-vaults.dev
Apache License 2.0

Unable to perform vault auto-unseal with GCPCKMS #1428

Closed vperi1730 closed 1 month ago

vperi1730 commented 2 years ago

Hi Team,

I have been trying to unseal my Vault using gcpckms, but every time I encounter the following error, which I am a little unsure about. Could someone assist me with this at the earliest?

==> Vault server configuration:

      GCP KMS Crypto Key: vault-latest-unsealkey
        GCP KMS Key Ring: vault-latest-unsealkeyring
         GCP KMS Project: sccstgl-saas-operator-0
          GCP KMS Region: us-east1
             Api Address: https://127.0.0.1:8200
                     Cgo: disabled
         Cluster Address: https://127.0.0.1:8201
              Go Version: go1.15.13
              Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "enabled")
               Log Level: info
                   Mlock: supported: true, enabled: true
           Recovery Mode: false
                 Storage: gcs (HA available)
                 Version: Vault v1.7.3
             Version Sha: 5d517c864c8f10385bf65627891bc7ef55f5e827

==> Vault server started! Log data will stream in below:

2021-09-29T12:32:03.981Z [INFO]  proxy environment: http_proxy="" https_proxy="" no_proxy=""
2021-09-29T12:32:04.719Z [WARN]  core: entering seal migration mode; Vault will not automatically unseal even if using an autoseal: from_barrier_type=shamir to_barrier_type=gcpckms

vperi1730 commented 2 years ago

Do we have the capability of unsealing the vault automatically using the KMS keys or any condition in place to do it manually?

Please suggest

amnk commented 2 years ago

@vperi1730 I am not a maintainer of this project, but the error you are facing is because your Vault was previously configured with a different seal mechanism. In this case Vault needs a migration (1, 2).

So you either need to start with a fresh Vault (and in this case autounseal works), or migrate your Vault backend to a different seal method manually first.
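For an unseal automation tool this is the state to detect rather than retry against: `GET /v1/sys/seal-status` reports `migration: true` while Vault sits in seal migration mode, and no autoseal will act until an operator has run `vault operator unseal -migrate` with the Shamir key shares. The following is an added example, not bank-vaults or Vault code; the sample responses are constructed (the field names are Vault's) and the decision logic is an assumption about how one might act on them.

```python
"""Decide how a sealed Vault can be unsealed from its /v1/sys/seal-status
response. Illustrates the case from this issue: a cluster initialised with
Shamir keys and then given a gcpckms seal stanza enters seal migration mode,
where auto-unseal stays inactive until an operator migrates the seal."""
import json

# Constructed sample responses (not captured from a real cluster); the field
# names match Vault's GET /v1/sys/seal-status API.
MIGRATING = json.dumps({"type": "gcpckms", "initialized": True, "sealed": True,
                        "t": 3, "n": 5, "progress": 0, "migration": True,
                        "recovery_seal": False, "storage_type": "gcs"})
AUTO_SEAL = json.dumps({"type": "gcpckms", "initialized": True, "sealed": True,
                        "t": 1, "n": 1, "progress": 0, "migration": False,
                        "recovery_seal": True, "storage_type": "gcs"})
SHAMIR = json.dumps({"type": "shamir", "initialized": True, "sealed": True,
                     "t": 3, "n": 5, "progress": 1, "migration": False,
                     "recovery_seal": False, "storage_type": "gcs"})
UNSEALED = json.dumps({"type": "gcpckms", "initialized": True, "sealed": False,
                       "migration": False, "recovery_seal": True})

def unseal_plan(seal_status_json: str) -> str:
    """Return one of: 'unsealed', 'auto', 'migrate', 'shamir', 'uninitialized'."""
    s = json.loads(seal_status_json)
    if not s.get("initialized", False):
        return "uninitialized"          # run `vault operator init` first
    if not s["sealed"]:
        return "unsealed"
    if s.get("migration"):
        # Seal migration mode: the barrier is still Shamir-wrapped, so the
        # configured gcpckms seal cannot unseal it. Threshold `t` Shamir key
        # shares must each be supplied with `vault operator unseal -migrate`.
        return "migrate"
    if s["type"] == "shamir":
        return "shamir"                 # plain manual unseal with `t` shares
    return "auto"                       # the autoseal will unseal on its own

def keys_still_needed(seal_status_json: str) -> int:
    """Shamir key shares an operator must still submit (0 when none are)."""
    s = json.loads(seal_status_json)
    if unseal_plan(seal_status_json) in ("migrate", "shamir"):
        return s["t"] - s["progress"]
    return 0

if __name__ == "__main__":
    for name, body in [("MIGRATING", MIGRATING), ("AUTO_SEAL", AUTO_SEAL),
                       ("SHAMIR", SHAMIR), ("UNSEALED", UNSEALED)]:
        print(f"{name:10s} -> {unseal_plan(body):9s} shares needed: {keys_still_needed(body)}")
```

An automation loop that sees `migrate` should stop and alert instead of waiting for the autoseal, since the log line quoted in this issue means Vault will never unseal itself from that state.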