Vault auto-unsealed can't work with AWS iam role mode #410

Open
anemptyair opened this issue Nov 6, 2020 · 10 comments
Labels
bug Something isn't working

Comments

@anemptyair

anemptyair commented Nov 6, 2020

Describe the bug
I set the configuration below for auto-unseal, and gave full KMS permission to the EKS node role.
seal "awskms" {
region = "us-west-2"
kms_key_id = "8ecb59ea-1fe7-47f4-ab5e-XXXXXXXX"
}
But I get this error from the Vault logs:
Error parsing Seal configuration: error fetching AWS KMS wrapping key information: NoCredentialProviders: no valid providers in chain. Deprecated.
For verbose messaging see aws.Config.CredentialsChainVerboseErrors

Expected behavior
Vault can be running.

Environment

  • Kubernetes version:
    • Distribution or cloud vendor (OpenShift, EKS, GKE, AKS, etc.): EKS with k8s:1.16
    • Other configuration options or runtime services (istio, etc.): vault-helm version: 1.5.2

Chart values:
seal "awskms" {
region = "us-west-2"
kms_key_id = "8ecb59ea-1fe7-47f4-ab5e-XXXXXXXX"
}

@anemptyair anemptyair added the bug Something isn't working label Nov 6, 2020
@Chili-Man

Are you using an AWS EC2 instance profile or an IAM role for service account (IRSA)?

@anemptyair
Author

Are you using an AWS EC2 instance profile or an IAM role for service account (IRSA)?

Yes it is

@amalagaura

Duplicates #368

@NagenderPulluri

Error parsing Seal configuration: error fetching AWS KMS wrapping key information: NoCredentialProviders: no valid providers in chain. Deprecated.
For verbose messaging see aws.Config.CredentialsChainVerboseErrors

Still facing this issue, any resolution?

@vbararnikumar

@nagender1005 I am also facing the same issue. Please share with me the solution if you found it.

@tmiroslav

Same issue with me. What does this message about no valid providers refer to?

@vbararnikumar

Same issue with me. What does this message about no valid providers refer to?

I have resolved this issue by adding region value in the vault.hcl file for seal "awskms" and upgraded vault to the latest version.

@bdellegrazie

Try also this:
#368 (comment)

@gjpayacc

gjpayacc commented Jan 7, 2024

The solution that I found was to provide the access_key and secret_key directly in the config.
You can also pass in a role to assume, I think.

seal "awskms"{
      access_key = ""
      secret_key = ""
      region = "ap-south-1"
      kms_key_id = "KMSKEY"
}

Hope this works for you.

@valentinpelus

Hello, a little late, but are you using IRSA?
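
An added example, not from any commenter in this thread or from the vault-helm project: a POSIX shell function to run inside the Vault container that reports which AWS credential sources are visible to the process, which is the set the NoCredentialProviders error found empty. It assumes the standard AWS SDK environment variable names and credentials file location and makes no network calls; the function name and the output labels are hypothetical.

```shell
#!/bin/sh
# Added example: list the AWS credential sources visible to this process.
# Intended to be run inside the Vault container (for example via kubectl exec).
# It only inspects the environment and local files; nothing is sent anywhere
# and no secret values are printed.

aws_cred_sources() {
    found=""

    # Static keys exported into the container environment.
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        found="$found env-static-keys"
    fi

    # IRSA: when the pod's service account carries a role annotation, EKS
    # injects both variables and mounts a projected token file. A token path
    # that is set but unreadable usually points at a file-permission problem.
    if [ -n "${AWS_ROLE_ARN:-}" ] && [ -n "${AWS_WEB_IDENTITY_TOKEN_FILE:-}" ]; then
        if [ -r "$AWS_WEB_IDENTITY_TOKEN_FILE" ]; then
            found="$found irsa-web-identity"
        else
            found="$found irsa-token-unreadable"
        fi
    fi

    # Shared credentials file, at the default path or an overridden one.
    creds_file="${AWS_SHARED_CREDENTIALS_FILE:-${HOME:-/nonexistent}/.aws/credentials}"
    if [ -r "$creds_file" ]; then
        found="$found shared-credentials-file"
    fi

    # Nothing local: the only source left is the node's instance profile,
    # which the pod has to reach through the instance metadata service.
    if [ -z "$found" ]; then
        found=" none-local"
    fi

    echo "${found# }"
}

aws_cred_sources
```

A result of `none-local` means the seal depends entirely on the node role being reachable from the pod; `irsa-token-unreadable` means the IRSA variables were injected but the Vault user cannot read the token file.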
