Error unsealing when running vault on an ECS container


Nuno Fernandes

Mar 21, 2019, 12:13:49 PM3/21/19
to Vault
Hello,

I'm trying to do the automatic unseal using AWS KMS of a vault server running inside an ECS container.

Using Vault version 1.1.0 (SHA 36aa8c8dd1936e10ebd7a4c1d412ae0e6f7900bd) . When I try to run it without ECS task role, I get the expected:

```
Error parsing Seal configuration: error fetching AWS KMS sealkey information: AccessDeniedException: User: arn:aws:sts::XXXX:assumed-role/svc-spot-ecs-instance-role/i-3243242342 is not authorized to perform: kms:DescribeKey on resource: arn:aws:kms:eu-west-1:XXX:key/123456789
```

That is to be expected, as the instance role doesn't have any permissions on that KMS key. When running inside the ECS task (which has the permission for KMS) with the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable defined, I get the error:

```
Error parsing Seal configuration: error fetching AWS KMS sealkey information: NoCredentialProviders: no valid providers in chain. Deprecated
```

Thanks for any pointers on debugging this,
Nuno Fernandes

Sean Johnson

Mar 21, 2019, 1:28:20 PM3/21/19
to vault...@googlegroups.com
You might want to try with Vault 1.0.3. I had issues with auto unseal working with 1.1.0. My case is in a Kubernetes context, but it’s possible it’s the same general problem. 


~Sean

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/82482b4e-d5ce-4494-acb3-2ced868b669d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Nuno Fernandes

Mar 21, 2019, 1:46:38 PM3/21/19
to Vault
Hello,

Thanks for the feedback. Just tried with Vault v1.0.3 ('85909e3373aa743c34a6a0ab59131f61fd9e8e43') and got the same problem :(

Still trying to debug...

Best regards,
Nuno Fernandes

Becca Petrin

Mar 25, 2019, 1:00:38 PM3/25/19
to Vault
Hi Nuno,

I've tested auto-unsealing with AWS KMS and had it work successfully, though not in an ECS container.

I did it by using a configuration like:

```
seal "awskms" {
  region     = "us-east-1"
  access_key = "something"
  secret_key = "something"
  kms_key_id = "something"
}
```

In my configuration, the access key and secret I provided did have permission to use the KMS key ID. I was directly supplying the access key and secret in the config for ease of testing; I would probably rely upon environment variables instead in a production environment.

An ECS container does automatically populate the AWS key, secret, and region, so you could probably use a configuration that only contains the kms key ID. Once you've granted access to that key for the container's role, you should be up and running.

If that doesn't work, can you post the exact configuration you're using, and the exact environment variables you're setting? Without any sensitive values included, of course.

Thanks!
-Becca
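As an added diagnostic example (not code from this thread, from Vault, or from the AWS SDK), the script below walks a simplified version of the AWS SDK's documented default credential chain (static environment variables, then the ECS container credential endpoint reached through AWS_CONTAINER_CREDENTIALS_RELATIVE_URI, then the EC2 instance metadata service) and reports which provider answered. "NoCredentialProviders" is what the SDK returns when every provider in its chain came back empty, so running this inside the task confirms whether the container endpoint is actually reachable and returning credentials before blaming the seal configuration. The thread does not state which providers Vault's seal code consults, so the provider order here is an assumption drawn from the SDK documentation, the shared credentials file is skipped, and the sample JSON response and relative URI are constructed. Nothing secret is printed; only the access key id, role ARN and expiration are reported.

```python
import json
import os
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Link-local endpoints documented by AWS for container and instance credentials.
ECS_CREDENTIALS_HOST = "http://169.254.170.2"
EC2_METADATA_CREDS_URL = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"

# A fetcher takes a URL and returns the body as text, or None on any failure.
Fetcher = Callable[[str], Optional[str]]


def http_fetch(url: str, timeout: float = 2.0) -> Optional[str]:
    """Real fetcher for use inside the container; errors become None so the chain moves on."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8")
    except Exception:
        return None


def _parse_json_creds(body: Optional[str]) -> Optional[Dict[str, str]]:
    """Accept the JSON shape both endpoints return; keep only non-secret fields."""
    if not body:
        return None
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if not (doc.get("AccessKeyId") and doc.get("SecretAccessKey")):
        return None
    return {
        "access_key_id": doc["AccessKeyId"],
        "role_arn": doc.get("RoleArn", ""),
        "expiration": doc.get("Expiration", ""),
    }


def resolve_credentials(env: Dict[str, str], fetch: Fetcher) -> Tuple[Optional[str], Dict[str, str]]:
    """Return (source, info). source is None when no provider yielded credentials,
    which is the condition the SDK reports as NoCredentialProviders."""
    # 1. Static credentials from the environment.
    ak, sk = env.get("AWS_ACCESS_KEY_ID"), env.get("AWS_SECRET_ACCESS_KEY")
    if ak and sk:
        return "env", {"access_key_id": ak}

    # 2. ECS task role: the agent sets a relative URI that is appended to the
    #    link-local host; the endpoint answers with AccessKeyId/SecretAccessKey/Token.
    rel = env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
    if rel:
        creds = _parse_json_creds(fetch(ECS_CREDENTIALS_HOST + rel))
        if creds:
            return "ecs-task-role", creds
        # Endpoint unreachable or malformed: fall through, as the chain does.

    # 3. EC2 instance role via the instance metadata service.
    role_name = fetch(EC2_METADATA_CREDS_URL)
    if role_name:
        creds = _parse_json_creds(fetch(EC2_METADATA_CREDS_URL + role_name.strip()))
        if creds:
            return "ec2-instance-role", creds

    return None, {}


# Constructed sample response (hypothetical values, not real credentials).
SAMPLE_ECS_RESPONSE = json.dumps({
    "AccessKeyId": "ASIAEXAMPLEKEYID",
    "SecretAccessKey": "constructed-secret-not-real",
    "Token": "constructed-session-token",
    "Expiration": "2019-03-21T13:00:00Z",
    "RoleArn": "arn:aws:iam::000000000000:role/example-task-role",
})


def fake_fetch_ecs(url: str) -> Optional[str]:
    """Offline stand-in for a working ECS agent endpoint."""
    return SAMPLE_ECS_RESPONSE if url.startswith(ECS_CREDENTIALS_HOST) else None


def fake_fetch_nothing(url: str) -> Optional[str]:
    """Offline stand-in for a container where no metadata endpoint answers."""
    return None


if __name__ == "__main__":
    # Run inside the task: reports which provider answered, without printing secrets.
    source, info = resolve_credentials(dict(os.environ), http_fetch)
    if source is None:
        print("no provider in chain returned credentials (NoCredentialProviders)")
    else:
        print(f"credentials from {source}: {info}")
```

If the script reports `ecs-task-role` but Vault still fails, the two are not walking the same chain; if it reports no provider, the problem sits with the ECS agent endpoint or the task definition rather than with Vault.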