Hashicorp Vault AutoUnseal Lab Seems Broken

therealjoaquin · April 17, 2024, 4:21am

I think the ARN and AWS static secrets may no longer be working.

This is Installing Vault → Lab: Configure Auto Unseal

Steps

# configure
source ~/AWS_Credentials.txt
cat << EOF >> /etc/vault.d/vault.hcl

seal "awskms" {
  region     = "$(cat $AWS_REGION)"
  kms_key_id = "$(cat ~/kms_key)"
}
EOF
cp ~/AWS_Credentials.txt /etc/vault.d/vault.hcl

# start service
systemctl start vault

Actual Results

From journalctl -u vault.service:

Apr 17 00:08:20 KMS wrapping key information: UnrecognizedClientException: The security token included in the request is invalid.
Apr 17 00:08:20 vault-node vault[1877]: status code: 400, request id: 499d8ece-90eb-4ce4-ae4b-e8124f0003c5

cc @rob_kodekloud @btkrausen

Alistair_KodeKloud · April 17, 2024, 4:51am

It is broken.
There is already a ticket for the lab team to fix.

javier.conti · May 2, 2024, 5:22pm

I have the same issue, upvoted.