Open queglay opened 3 years ago
As always, the answer is, "it depends," but I think the standard approach would be to attach an IAM role to whatever servers / containers are running Vault, and in your KMS key policy, to grant that IAM role (via its static ARN) the permissions it needs.
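The approach described in that comment, written out as an added Terraform example (not code from the thread or from the module): the Vault servers' IAM role is granted only the KMS actions the awskms seal calls, while key administration stays with the account. The role name, key alias, and the EC2 trust relationship are assumptions.

```hcl
# Added example, not part of the original thread or module. Assumes an EC2-hosted
# Vault whose instance profile uses aws_iam_role.vault, and Vault's awskms seal,
# which needs kms:Encrypt, kms:Decrypt and kms:DescribeKey on the unseal key.

data "aws_caller_identity" "current" {}

resource "aws_iam_role" "vault" {
  name = "vault-server" # assumed name
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_kms_key" "vault_unseal" {
  description         = "Vault auto-unseal key"
  enable_key_rotation = true

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Keep administration with the account root principal so the key never
        # becomes unmanageable; the Vault role is deliberately not an admin.
        Sid       = "AllowKeyAdministration"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        # The Vault role's static ARN gets only the seal's three actions: no kms:*,
        # no ScheduleKeyDeletion, no PutKeyPolicy. Resource "*" here means this key.
        Sid       = "AllowVaultUnseal"
        Effect    = "Allow"
        Principal = { AWS = aws_iam_role.vault.arn }
        Action    = ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"]
        Resource  = "*"
      }
    ]
  })
}

resource "aws_kms_alias" "vault_unseal" {
  name          = "alias/vault-unseal" # assumed alias
  target_key_id = aws_kms_key.vault_unseal.key_id
}
```

The Vault server's seal stanza then references the key id or alias, and the instance profile supplies credentials, so no static access keys are stored on the hosts.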
Ahh of course thanks for the advice @brikis98 !
I've been looking into how to provide appropriate controls on the KMS key used to auto unseal vault. It seems like a difficult topic though, and hard to know the best route. It would be great to have some kind of example on what would be best practice. Some of my questions on the way forward were: