Vault Init with gpg - Item size has exceeded the maximum allowed size


Jordan Conway

Mar 7, 2018, 11:09:31 AM
to Vault
I'm trying to init a new vault cluster with 9 pgp keys, and a key threshold of 3
I'm using vault 0.9.5 from the official docker image with a dynamodb backend

vault operator init -key-shares=9 -key-threshold=3 -pgp-keys="1.asc,2.asc,3.asc,4.asc,5.asc,6.asc,7.asc,8.asc,9.asc"
Error initializing: Error making API request.

Code: 400. Errors:

* barrier configuration saving failed: failed to write seal configuration: ValidationException: Item size has exceeded the maximum allowed size
status code: 400, request id: XYZ

I see this in the logs:

2018/03/07 15:54:59.947300 [INFO ] core: security barrier initialized: shares=9 threshold=3
2018/03/07 15:55:00.075432 [ERROR] core: failed to write seal configuration: error=ValidationException: Item size has exceeded the maximum allowed size
status code: 400, request id: XYZ
2018/03/07 15:55:00.075546 [ERROR] core: failed to save barrier configuration: error=failed to write seal configuration: ValidationException: Item size has exceeded the maximum allowed size
status code: 400, request id: XYZ
2018/03/07 15:55:07.568377 [INFO ] core: seal configuration missing, not initialized
2018/03/07 15:55:07.568815 [ERROR] error checking health: error=core: barrier reports initialized but no seal configuration found

The total size of the 9 base64-encoded keys is roughly 536k. I suspect there's something somewhere I need to tweak, but I'm not sure where to look. Any suggestions?

Thank you,
Jordan Conway

Matthew Irish

Mar 7, 2018, 12:31:47 PM
to vault...@googlegroups.com
Hi Jordan!

My guess is you're running up against a DynamoDB limit. From their docs, items are limited to 400KB: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Limits.html#limits-data-types . I don't know the details of what vault writes on init, but it'd be easy enough to reduce the number of keys until the payload is under 400KB and see if it works.

cheers,
Matthew

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/4f70bcdf-ad5e-4b1c-a85f-16fdf7ef4df9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
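A way to check the suggestion above before running `vault operator init` again: size the seal configuration that the PGP keys would produce and compare it with the 400KB DynamoDB item limit. This is an added example, not vault's own code; the JSON field names are an assumption about the seal-config record's shape, and the armored keys are constructed filler of the size seen in the thread.

```python
import base64
import json

# Hard limit on a single DynamoDB item (attribute names plus values), per the AWS
# docs linked above; the seal configuration has to fit in one item.
DYNAMODB_MAX_ITEM_BYTES = 400 * 1024


def armored_body_to_b64(armored: str) -> str:
    """Base64 key material from an ASCII-armored .asc file: armor lines, headers,
    blank line, CRC line and newlines dropped (roughly what is stored per key)."""
    lines = armored.splitlines()
    starts = [i for i, l in enumerate(lines) if l.startswith("-----BEGIN")]
    if not starts:
        raise ValueError("not an ASCII-armored key")
    i = starts[0] + 1
    while i < len(lines) and lines[i].strip():  # armor headers end at a blank line
        i += 1
    body = []
    for line in lines[i + 1:]:
        line = line.strip()
        if line.startswith("=") or line.startswith("-----END"):  # CRC or trailer
            break
        if line:
            body.append(line)
    return "".join(body)


def estimate_seal_config_bytes(armored_keys, threshold: int) -> int:
    """Approximate size of the JSON seal configuration written at init. The field
    names are an assumption about the record's shape; the keys dominate anyway."""
    cfg = {"type": "shamir", "secret_shares": len(armored_keys),
           "secret_threshold": threshold, "nonce": "0" * 36,
           "pgp_keys": [armored_body_to_b64(k) for k in armored_keys]}
    return len(json.dumps(cfg).encode())


def max_keys_within_limit(armored_keys, threshold: int) -> int:
    """Largest prefix of the key list whose seal config fits in one item, or 0."""
    for n in range(len(armored_keys), threshold - 1, -1):
        if estimate_seal_config_bytes(armored_keys[:n], threshold) < DYNAMODB_MAX_ITEM_BYTES:
            return n
    return 0


def make_fake_key(seed: int, raw_len: int) -> str:
    """Constructed stand-in for an exported public key: deterministic filler bytes
    in PGP armor, not a real OpenPGP packet; only its size matters here."""
    raw = bytes((seed + i) % 256 for i in range(raw_len))
    b64 = base64.b64encode(raw).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed\n\n"
            + wrapped + "\n=AbCd\n-----END PGP PUBLIC KEY BLOCK-----\n")


if __name__ == "__main__":
    keys = [make_fake_key(n, 45_000) for n in range(1, 10)]  # ~60KB each, 9 keys
    print("9 keys:", estimate_seal_config_bytes(keys, 3), "bytes; largest count that fits:",
          max_keys_within_limit(keys, 3))
```

With real exported keys, read each .asc file into the list in place of `make_fake_key` and keep the threshold you intend to use.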

Jordan Conway

Mar 7, 2018, 12:36:33 PM
to vault...@googlegroups.com
Yep, that seems to be it. Thanks.
