Has anyone successfully gotten Vault with AWS KMS Auto Unseal working?

[ado120]

Hello all,

Currently I am testing vault with auto unseal using an AWS KMS key. I've spun up vault using the helm chart, but since adding the 'awskms' seal stanza, my pods won't create because they cannot access the keys. I'm guessing I need to somehow allow my kubernetes cluster permission to the key, but I'm not sure the best way to go about this. Any help would be greatly appreciated!

 

[Kamil Sebastian]

This one works fine: https://github.com/avantoss/vault-infra

Sent from my mobile.
Tel. / Signal. +44

On Wed, 30 Oct 2019, 23:34 ado120, <alexan...@gmail.com> wrote:

Hello all,

Currently I am testing vault with auto unseal using an AWS KMS key. I've spun up vault using the helm chart, but since adding the 'awskms' seal stanza, my pods won't create because they cannot access the keys. I'm guessing I need to somehow allow my kubernetes cluster permission to the key, but I'm not sure the best way to go about this. Any help would be greatly appreciated!

 

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/73b882a1-65f8-4119-a092-4fc64ab614fb%40googlegroups.com.

[ado120]

I don't think that particularly helps too much in my use case, but I'll be sure to take a look. For context the error I'm getting is this:

"Error parsing Seal configuration: error fetching AWS KMS sealkey information: AccessDeniedException: User: arn:aws:sts::198036545957:assumed-role/* is not authorized to perform: kms:DescribeKey on resource: arn:aws:kms:*"

This might be more of a Kubernetes/AWS question though and how I can get my cluster to assume the right role.. I'll keep digging.

On Wednesday, October 30, 2019 at 4:41:44 PM UTC-7, Kamil Sebastian wrote:

This one works fine: https://github.com/avantoss/vault-infra

Sent from my mobile.
Tel. / Signal. +44

On Wed, 30 Oct 2019, 23:34 ado120, <alexan...@gmail.com> wrote:

Hello all,

Currently I am testing vault with auto unseal using an AWS KMS key. I've spun up vault using the helm chart, but since adding the 'awskms' seal stanza, my pods won't create because they cannot access the keys. I'm guessing I need to somehow allow my kubernetes cluster permission to the key, but I'm not sure the best way to go about this. Any help would be greatly appreciated!

 

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.

To unsubscribe from this group and stop receiving emails from it, send an email to vault...@googlegroups.com.

[Bruno Mattarollo]

It seems like your instance does not have the correct IAM permissions, as stated by the error message. You need to create a role that can be assumed that will have the permissions to use the KMS key.

Have a look at this terraform module https://github.com/hashicorp/terraform-aws-vault/blob/6a091aab16d7be0a241a6bb07d59fc2f48baf412/modules/vault-cluster/main.tf#L297-L311 that describe the permissions required.

Hope this helps

/B

To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/692126bd-fa3d-4a3d-98dd-efc704d4873f%40googlegroups.com.

--

Bruno Mattarollo | CTO & co-founder | @bmatt | Skype: brunomattarollo

[Songtao Zhao]

You need to create a IAM role with the following permission:

            "Sid": "VisualEditor0",

            "Effect": "Allow",

            "Action": [

                "kms:Decrypt",

                "kms:Encrypt",

                "kms:DescribeKey"

            ],

            "Resource": "<kms resource arn>"

Then attached the IAM role to the K8s cluster worker node.

I don't get it why did you get "assumed-role" error, as you shouldn't need "assumed-role". Unless your K8s cluster and KMS are not in the same AWS account?

If you do run K8s cluster and KMS on different AWS account, at the moment, I don't think there is a way to make K8s worker node to assume-role cross-account. 

[Vasilyev Viacheslav]

Those permissions mentioned above must be assigned to the IAM instance profile of nodes formed your Kubernetes cluster

[ado120]

Thank you so much everyone!

Adding Songtao's suggestion to the IAM instance profile of nodes formed by the Kubernetes cluster did the trick and now it is auto-unsealing! I'll have to figure out how to auto add these role permissions in my terraform but that shouldn't be too hard :)