hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

alicloud kms deprecated in favour of dedicated kms #24269

Open BradErz opened 11 months ago

BradErz commented 11 months ago

Is your feature request related to a problem? Please describe.

The alicloudkms provider doesn't work anymore, as it was deprecated in March 2022. They have replaced it with something called Dedicated KMS. You can read more in their announcement here: https://www.alibabacloud.com/help/en/kms/product-overview/kms-is-upgraded-to-dedicated-kms?spm=a2c63.p38356.0.0.75141110jpaYbd

This means new users of Vault/alicloud can't use the auto unseal functionality provided by Vault as described here: https://developer.hashicorp.com/vault/docs/configuration/seal/alicloudkms

Describe the solution you'd like

An implementation using Dedicated KMS so that we can use the auto unseal functionality on Alibaba cloud.

Describe alternatives you've considered

The only other solution I can think of is applying a similar logic found here: https://github.com/sethvargo/vault-init/blob/master/main.go

And making it work against alicloud.

Additional context

From the initial investigation, most of the KMS logic seems isolated inside: https://github.com/hashicorp/go-kms-wrapping

I assume the best way forward would be a new wrapper called aliclouddkms or aliclouddedicatedkms.

Would you be willing to accept a contribution for this issue?

bapung commented 3 months ago

Do you have any updates for this issue @BradErz?

My company wants to implement alicloud KMS unseal and is being blocked by this issue. If any development/contribution is needed, please count me in.