[feature] Request for Auto-Unseal Feature Implementation

Bug #2025759 reported by Francesco De Simone
This bug affects 1 person
Affects: vault-charm
Status: Triaged
Importance: Wishlist
Assigned to: Unassigned

Bug Description

I need to unseal the vault using an external vault.
I'm trying to auto-unseal with another Vault using the method described here: https://developer.hashicorp.com/vault/tutorials/auto-unseal/autounseal-transit
However, I'm encountering an issue where it's not possible to modify the default configuration of the vault at the location "/var/snap/vault/common/vault.hcl" in order to enable auto-unseal.

My steps:

On the external vault:
# enable the transit secrets engine and create the key that will wrap the other vault's root key
vault secrets enable transit
vault write -f transit/keys/autounseal
# least-privilege policy: only encrypt and decrypt with that one key, nothing else
tee autounseal.hcl <<EOF
path "transit/encrypt/autounseal" {
   capabilities = [ "update" ]
}

path "transit/decrypt/autounseal" {
   capabilities = [ "update" ]
}
EOF
vault policy write autounseal autounseal.hcl
# orphan periodic token bound to that policy, handed over response-wrapped (single use, 120 s to unwrap)
vault token create -orphan -policy="autounseal" -wrap-ttl=120 -period=24h

On the charm vault:

VAULT_TOKEN=<wrapping_token> vault unwrap

then I should add in /var/snap/vault/common/vault.hcl

seal "transit" {
  address = "http://<external-vault-ip>:8200"
  # the unwrapped token is read from the VAULT_TOKEN environment variable
  # (or can be set with a "token" parameter in this stanza)
  disable_renewal = "false"
  key_name = "autounseal"
  mount_path = "transit/"
  # only meaningful once address uses https
  tls_skip_verify = "true"
}

At the moment I can't find another way to use an external vault to unseal the key in the internal vault.

Changed in vault-charm:
status: New → Triaged
importance: Undecided → Wishlist