Vault with AWS KMS auto unseal


Alok Shankar

Aug 23, 2019, 12:58:33 PM
to Vault
Hi,

I am using KMS to configure auto-unseal for Vault. I see that Vault gets initialized automatically when it starts up.
In https://learn.hashicorp.com/vault/operations/ops-autounseal-aws-kms I see that init is being done manually.

How do I use Vault / where do I find the token to log in when Vault comes up auto-initialized and unsealed in this way?

Thanks
Alok

Calvin Leung Huang

Aug 23, 2019, 1:26:45 PM
to Vault
Hi Alok,

Even when auto-unseal is used, Vault should require manual initialization through the `vault operator init` command. This command should return you a set of recovery keys, which are used for highly-privileged operations such as generate-root or manual unseal, along with an initial root token that you can use to log in. Auto-unseal shouldn't have automatically initialized the cluster for you. The init command is only ever run once, so if this is not a fresh cluster it could be that it has already been initialized. Can you verify that the cluster has not been initialized beforehand?


Regards,
Calvin
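The check Calvin suggests and the one-time init that follows it, scripted as an added example. This is not code from the thread or from HashiCorp; it assumes a DynamoDB storage backend and an `awskms` seal, and the region, table name, KMS key id and output path are placeholders. With KMS auto-unseal the init output carries recovery keys rather than unseal keys, plus the initial root token, so the script only runs `vault operator init` when `vault status` reports `initialized: false`.

```shell
#!/bin/sh
# Added example, not code from the thread or from HashiCorp.
# KMS auto-unseal still requires a one-time `vault operator init`; a backend
# that already holds an initialized cluster must not be re-initialized.
# Region, table, KMS key id and output path below are placeholders.
set -eu

# Write a minimal server config: DynamoDB storage plus an awskms seal stanza.
write_vault_config() {            # $1 = destination path
  cat > "$1" <<'EOF'
storage "dynamodb" {
  ha_enabled = "true"
  region     = "us-east-1"
  table      = "vault-data"          # placeholder: use a fresh table for a new cluster
}
seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "PLACEHOLDER-KMS-KEY-ID"
}
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = "false"
}
EOF
}

# Read the "initialized" boolean out of `vault status -format=json` output.
vault_initialized() {            # $1 = status JSON; prints true or false
  printf '%s' "$1" | tr -d '\n' \
    | sed -n 's/.*"initialized":[[:space:]]*\([a-z]*\).*/\1/p'
}

# Read the seal "type" so the operator can confirm KMS auto-unseal is in effect.
vault_seal_type() {              # $1 = status JSON; prints e.g. awskms
  printf '%s' "$1" | tr -d '\n' \
    | sed -n 's/.*"type":[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Exit 0 when init is still required (fresh backend), 1 when the storage
# backend already holds an initialized cluster (the situation in this thread).
init_needed() {                  # $1 = status JSON
  [ "$(vault_initialized "$1")" = "false" ]
}

# Run the one-time init only if the backend is really fresh. The init output
# (recovery keys + root token) is written with owner-only permissions; hand the
# recovery keys to their holders and delete the file afterwards.
init_if_fresh() {                # $1 = path to save the init output
  # vault status exits non-zero while sealed/uninitialized, so tolerate that.
  status="$(vault status -format=json || true)"
  if init_needed "$status"; then
    umask 077
    vault operator init -recovery-shares=5 -recovery-threshold=3 -format=json > "$1"
    echo "initialized; recovery keys and root_token saved to $1"
  else
    echo "already initialized (seal: $(vault_seal_type "$status")); reuse its root token or recovery keys"
  fi
}

# Constructed sample status documents (shape follows `vault status -format=json`).
FRESH_STATUS='{"type":"awskms","initialized":false,"sealed":true,"recovery_seal":true}'
REUSED_STATUS='{"type":"awskms","initialized":true,"sealed":false,"recovery_seal":true}'

if [ "${1:-}" = "--demo" ]; then
  init_needed "$FRESH_STATUS"  && echo "fresh backend: run vault operator init"
  init_needed "$REUSED_STATUS" || echo "reused backend: already initialized, do not init again"
fi
```

Run with `--demo` to see the decision on the two constructed status documents; on a real node, call `init_if_fresh /path/to/init.json` with `VAULT_ADDR` set. If the status already says `initialized: true` on what you believed was a new deployment, the storage backend is being reused and the root token is the one issued when that backend was first initialized.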

Alok Shankar

Aug 23, 2019, 2:15:59 PM
to Vault
Thanks for the quick response. Looks like I was using a DynamoDB table as a storage backend for a previous iteration of the vault (which was unsealed).