A new video explaining how to migrate from aws kms to shamir again would be appreciated :)
Amazing explanation. Thanks a lot for sharing.
Glad it was helpful!
Amazing... You help save a significant amount of time. :D
Glad to hear that!
Hi Bryan, I installed Vault on the cluster in a new namespace and service account, and I'm unable to perform auto unseal using AWS KMS. I think I'm missing some points over here. I don't have a configuration file to change here; I'm just creating a new file and applying the changes, but it is not reflecting.
If you have a Raft cluster, you need to do this "unseal -migrate" on followers, but do a "vault operator step-down" on the leader.
Right, each node needs to be migrated separately. You shouldn't have to do a "vault operator step-down" since the first node should automatically become the cluster leader.
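The node-by-node seal migration discussed in the two comments above, written out as an added example (not from the video or the commenters). The region, KMS key ID and file name are placeholders, and it assumes the per-node procedure the thread describes.

```hcl
# --- vault.hcl on each node: migrating Shamir -> AWS KMS auto-unseal ---
# 1. Add this stanza to the node's server config and restart that node.
# 2. On the restarted node run `vault operator unseal -migrate`, once per
#    Shamir key share, until the threshold is reached.
# 3. Repeat on every node of the Raft cluster; the former unseal keys are
#    then used as recovery keys.
# The identity Vault runs under (e.g. the pod's IAM role) needs
# kms:Encrypt, kms:Decrypt and kms:DescribeKey on this key.
seal "awskms" {
  region     = "us-east-1"                               # placeholder
  kms_key_id = "00000000-0000-0000-0000-000000000000"    # placeholder CMK ID
}
```

```hcl
# --- vault.hcl on each node: migrating AWS KMS -> Shamir (the reverse) ---
# Keep the stanza so Vault can still reach the old key during migration,
# but mark it disabled; restart the node and run
# `vault operator unseal -migrate` with the recovery keys.
# Do not delete the KMS key until every node has finished migrating.
seal "awskms" {
  disabled   = "true"
  region     = "us-east-1"                               # placeholder
  kms_key_id = "00000000-0000-0000-0000-000000000000"    # placeholder CMK ID
}
```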
Great tutorial!
What happens when the KMS key expires? Do you have to update the Vault config periodically?
KMS keys in AWS don't expire... unless you schedule it for deletion. But... don't do that, haha. It's the equivalent of encrypting data with a PGP key and then losing the private key - you can't decrypt the data.
For Vault, this means you will NOT be able to unseal Vault if the service gets restarted, and you should export/migrate data to a new cluster immediately.
Thanks, we are in the exact situation. We just moved from on-prem to EKS, and we thought of using auto-unseal.
Q: Do we have any Kubernetes Vault operator that does migration?
I don't think the Vault Operator will help with migration in this case.