Open BradErz opened 11 months ago
Is your feature request related to a problem? Please describe.
The alicloudkms provider doesn't work anymore, as it was deprecated in March 2022. They have replaced it with something called Dedicated KMS. You can read more in their announcement here: https://www.alibabacloud.com/help/en/kms/product-overview/kms-is-upgraded-to-dedicated-kms?spm=a2c63.p38356.0.0.75141110jpaYbd
This means new users of Vault/alicloud can't use the auto unseal functionality provided by Vault as described here: https://developer.hashicorp.com/vault/docs/configuration/seal/alicloudkms
Describe the solution you'd like
An implementation using Dedicated KMS so that we can use the auto unseal functionality on Alibaba Cloud.
Describe alternatives you've considered
The only other solution I can think of is applying a similar logic found here: https://github.com/sethvargo/vault-init/blob/master/main.go
And making it work against alicloud.
Additional context
From the initial investigation, most of the KMS logic seems isolated inside: https://github.com/hashicorp/go-kms-wrapping
I assume the best way forward would be a new wrapper called aliclouddkms or aliclouddedicatedkms.
Would you be willing to accept a contribution for this issue?
Do you have any updates for this issue @BradErz ?
My company wants to implement alicloud KMS unseal and is being blocked by this issue. If any development/contribution is needed, please count me in.