hashicorp / vault-helm

Helm chart to install Vault and other associated components.
Mozilla Public License 2.0
1.07k stars 872 forks

Vault auto-unsealed can't work with AWS iam role mode #410

Open anemptyair opened 3 years ago

anemptyair commented 3 years ago

Describe the bug

I set the below configuration for auto-unseal, and gave full KMS permission to the EKS node role.

seal "awskms" {
  region     = "us-west-2"
  kms_key_id = "8ecb59ea-1fe7-47f4-ab5e-XXXXXXXX"
}

But I get this error from the Vault logs:

Error parsing Seal configuration: error fetching AWS KMS wrapping key information: NoCredentialProviders: no valid providers in chain. Deprecated. For verbose messaging see aws.Config.CredentialsChainVerboseErrors

Expected behavior

Vault can be running.

Environment

Chart values:

seal "awskms" {
  region     = "us-west-2"
  kms_key_id = "8ecb59ea-1fe7-47f4-ab5e-XXXXXXXX"
}

Chili-Man commented 3 years ago

Are you using an AWS EC2 instance profile or an IAM role for service account (IRSA)?

anemptyair commented 3 years ago

Are you using an AWS EC2 instance profile or an IAM role for service account (IRSA)?

Yes it is

amalagaura commented 3 years ago

Duplicates #368

NagenderPulluri commented 2 years ago

Error parsing Seal configuration: error fetching AWS KMS wrapping key information: NoCredentialProviders: no valid providers in chain. Deprecated. For verbose messaging see aws.Config.CredentialsChainVerboseErrors

Still facing this issue, any resolution?

vbararnikumar commented 2 years ago

@nagender1005 I am also facing the same issue. Please share with me the solution if you found it.

tmiroslav commented 2 years ago

Same issue with me. What does this message about no valid providers refer to?

vbararnikumar commented 2 years ago

Same issue with me. What does this message about no valid providers refer to?

I have resolved this issue by adding the region value in the vault.hcl file for seal "awskms" and upgrading Vault to the latest version.

bdellegrazie commented 1 year ago

Try also this: https://github.com/hashicorp/vault-helm/issues/368#issuecomment-748403608

gjpayacc commented 8 months ago

The solution that I found was to provide the access_key and secret_key directly to the config. You can also pass in a role to assume, I think.

seal "awskms" {
  access_key = ""
  secret_key = ""
  region     = "ap-south-1"
  kms_key_id = "KMSKEY"
}

Hope this works for you.
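For anyone debugging the `NoCredentialProviders` error reported in this thread, the following is an added diagnostic, not part of any comment above and not vault-helm code. It lists which AWS credential sources are visible from inside the Vault container; the function name `aws_cred_sources` and its output labels are hypothetical.

```shell
#!/bin/sh
# Added diagnostic, not vault-helm code. Run it inside the Vault container
# (for example through `kubectl exec`) to see which AWS credential sources
# the process can actually use. Function name and labels are made up here.

aws_cred_sources() {
    found=""

    # Static keys exported into the pod environment.
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        found="$found env-static-keys"
    fi

    # IRSA: the EKS webhook injects both variables plus a projected token file.
    # A token file the current user cannot read gives the SDK nothing to use.
    if [ -n "${AWS_ROLE_ARN:-}" ] && [ -n "${AWS_WEB_IDENTITY_TOKEN_FILE:-}" ]; then
        if [ -r "$AWS_WEB_IDENTITY_TOKEN_FILE" ]; then
            found="$found irsa-web-identity"
        else
            found="$found irsa-token-unreadable"
        fi
    fi

    # Shared credentials file (default location unless overridden).
    creds_file="${AWS_SHARED_CREDENTIALS_FILE:-${HOME:-/nonexistent}/.aws/credentials}"
    if [ -r "$creds_file" ]; then
        found="$found shared-credentials-file"
    fi

    # Container credential endpoint (ECS, EKS Pod Identity).
    if [ -n "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}" ] ||
       [ -n "${AWS_CONTAINER_CREDENTIALS_FULL_URI:-}" ]; then
        found="$found container-credentials-endpoint"
    fi

    if [ -z "$found" ]; then
        # Nothing local: only the node's instance profile, reached through
        # the instance metadata service, is left for the SDK to try.
        echo "instance-metadata-only"
    else
        echo "${found# }"
    fi
}

aws_cred_sources
```

An output of `instance-metadata-only` or `irsa-token-unreadable` means the pod depends on reaching the node's metadata service or on fixing the token file's permissions before the `awskms` seal can obtain credentials.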