How to generate root token when vault auto unseal with AWS KMS set up?


Anand Kum

Sep 25, 2019, 3:54:59 PM
to Vault
Hi,

Currently I have a Vault instance with auto unseal with AWS KMS set up. So my understanding is that unseal keys are no longer required. I also don't have unseal keys.

I am trying to generate the root token as per https://learn.hashicorp.com/vault/operations/ops-generate-root

But then it asks me to enter an unseal key at the step: vault operator generate-root
How can I generate a root token in this case?

Thanks,
Anand

Nick Cabatoff

Sep 25, 2019, 4:22:37 PM
to vault...@googlegroups.com
Hi Anand,

You need to provide your recovery keys in this case. It's documented here, but the docs are a bit stale because they only speak of it in the context of HSM and Enterprise, but in fact this applies whenever using AutoUnseal:

(it's also mentioned here, but with less detail: https://www.vaultproject.io/docs/concepts/seal.html)

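The flow described in the answer above, as an added shell example that is not part of the thread or of HashiCorp's documentation: it reads `vault status -format=json` to tell whether the "Unseal Key" prompt of `vault operator generate-root` expects recovery key shares or unseal key shares, then walks the prompts. The function names and the sample JSON are constructed for illustration, and treating the `t` field as the recovery-key threshold under auto-unseal is an assumption.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Sample JSON below is constructed.
SAMPLE_AWSKMS='{
  "type": "awskms",
  "initialized": true,
  "sealed": false,
  "t": 3,
  "n": 5,
  "recovery_seal": true
}'

# Which shares generate-root expects: "recovery" when status reports
# recovery_seal true (auto-unseal), otherwise "unseal" (Shamir seal).
key_kind() {
  if printf '%s\n' "$1" | grep -Eq '"recovery_seal"[[:space:]]*:[[:space:]]*true'; then
    echo recovery
  else
    echo unseal
  fi
}

# Share threshold ("t") from the same status JSON (assumed to be the
# recovery-key threshold when recovery_seal is true).
threshold() {
  printf '%s\n' "$1" | sed -n 's/.*"t"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Interactive run against a live, unsealed server (needs VAULT_ADDR).
generate_root() {
  status=$(vault status -format=json) || return 1
  kind=$(key_kind "$status")
  need=$(threshold "$status")
  [ -n "$need" ] || return 1
  vault operator generate-root -init || return 1  # prints nonce and OTP; keep the OTP
  i=0
  while [ "$i" -lt "$need" ]; do
    i=$((i + 1))
    echo "Share $i/$need: enter a $kind key at the 'Unseal Key' prompt" >&2
    vault operator generate-root || return 1
  done
  echo "Decode: vault operator generate-root -decode=<encoded token> -otp=<OTP>" >&2
}

if [ "${1:-}" = "run" ]; then generate_root; fi
```

Run the script with the argument `run` to start the interactive flow; the prompt is labelled "Unseal Key" in both cases, which is why the script prints the share type before each one.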