Open trondhindenes opened 5 years ago
If you use AWS KMS, you can do it with this script:
```bash
#!/usr/bin/env bash
set -euo pipefail
export AWS_DEFAULT_REGION=us-west-2
export AWS_PROFILE=dev
# Note: `base64 -D` is the macOS flag; GNU coreutils uses `base64 -d`.
# The region comes from AWS_DEFAULT_REGION above (the original passed an unset $REGION to `--region`).
echo "Fetching Vault unseal keys and root token from AWS..."
# SSM holds the base64-encoded KMS ciphertext blob; decode it to a file so `fileb://` can read it.
aws ssm get-parameters --names kubernetes-vault-root | jq -r '.Parameters[].Value' | base64 -D > /tmp/root-token
# KMS only decrypts when the encryption context matches the one used at encryption time.
ROOT_TOKEN=$(aws kms decrypt --ciphertext-blob fileb:///tmp/root-token --encryption-context Tool=vault-unsealer | jq -r '.Plaintext' | base64 -D)
for i in {0..4}; do
  aws ssm get-parameters --names kubernetes-vault-unseal-${i} | jq -r '.Parameters[].Value' | base64 -D > /tmp/unseal-${i}
  echo "Unseal Key $((i+1)): $(aws kms decrypt --ciphertext-blob fileb:///tmp/unseal-${i} --encryption-context Tool=vault-unsealer | jq -r '.Plaintext' | base64 -D)"
done
echo "Initial Root token: $ROOT_TOKEN"
# Only ciphertext was written to /tmp, but clean it up anyway.
rm /tmp/unseal* /tmp/root-token
echo "Done!"
```
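The same retrieval done from Python, as an added example that is not part of the original post: it reads the base64-encoded KMS blob from SSM, decrypts it under the `Tool=vault-unsealer` encryption context, and keeps the plaintext in memory instead of on disk. It assumes the parameter names used in the script above and boto3-shaped `ssm`/`kms` clients (passed in, so it can be exercised with stubs); note that boto3 returns `Plaintext` as raw bytes, unlike the CLI, which prints it base64-encoded.

```python
import base64
from typing import Mapping

# Encryption context the unsealer encrypted under; KMS rejects a decrypt
# whose context does not match exactly (InvalidCiphertextException).
ENCRYPTION_CONTEXT = {"Tool": "vault-unsealer"}


def fetch_and_decrypt(ssm, kms, name: str,
                      context: Mapping[str, str] = ENCRYPTION_CONTEXT) -> str:
    """Read base64(KMS CiphertextBlob) from SSM Parameter Store and decrypt it.

    `ssm` and `kms` are boto3 clients (or objects with the same method
    signatures). The plaintext never touches the filesystem.
    """
    resp = ssm.get_parameters(Names=[name], WithDecryption=False)
    if resp.get("InvalidParameters"):
        raise KeyError(f"SSM parameter not found: {name}")
    blob = base64.b64decode(resp["Parameters"][0]["Value"])
    out = kms.decrypt(CiphertextBlob=blob, EncryptionContext=dict(context))
    # boto3 already base64-decodes Plaintext; no second decode step needed.
    return out["Plaintext"].decode()


def fetch_vault_credentials(ssm, kms, shares: int = 5,
                            prefix: str = "kubernetes-vault") -> dict:
    """Collect the root token and `shares` unseal keys using the parameter
    names from the script above: <prefix>-root and <prefix>-unseal-0..N-1."""
    return {
        "root_token": fetch_and_decrypt(ssm, kms, f"{prefix}-root"),
        "unseal_keys": [fetch_and_decrypt(ssm, kms, f"{prefix}-unseal-{i}")
                        for i in range(shares)],
    }


if __name__ == "__main__":
    # Real clients; region/profile come from the usual AWS environment variables.
    import boto3
    creds = fetch_vault_credentials(boto3.client("ssm"), boto3.client("kms"))
    for n, key in enumerate(creds["unseal_keys"], start=1):
        print(f"Unseal Key {n}: {key}")
    print(f"Initial Root token: {creds['root_token']}")
```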
Thanks for typing that out! Yes, my question was related to AWS KMS, sorry for not clarifying.
It would be good to have a few lines in the documentation about how to retrieve the root key after init, to make it possible to login to vault.