2017-11-14 11:13:11 +00:00
|
|
|
---
|
2020-01-18 00:18:09 +00:00
|
|
|
layout: docs
|
|
|
|
page_title: AWS KMS - Seals - Configuration
|
|
|
|
sidebar_title: AWS KMS
|
2017-11-14 11:13:11 +00:00
|
|
|
description: |-
|
|
|
|
The AWS KMS seal configures Vault to use AWS KMS as the seal wrapping
|
|
|
|
mechanism.
|
|
|
|
---
|
|
|
|
|
|
|
|
# `awskms` Seal
|
|
|
|
|
|
|
|
The AWS KMS seal configures Vault to use AWS KMS as the seal wrapping mechanism.
|
2018-10-25 23:44:53 +00:00
|
|
|
The AWS KMS seal is activated by one of the following:
|
2017-11-14 11:13:11 +00:00
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
- The presence of a `seal "awskms"` block in Vault's configuration file
|
|
|
|
- The presence of the environment variable `VAULT_SEAL_TYPE` set to `awskms`. If
|
2017-11-14 11:13:11 +00:00
|
|
|
enabling via environment variable, all other required values specific to AWS
|
|
|
|
KMS (i.e. `VAULT_AWSKMS_SEAL_KEY_ID`) must be also supplied, as well as all
|
|
|
|
other AWS-related environment variables that lends to successful
|
|
|
|
authentication (i.e. `AWS_ACCESS_KEY_ID`, etc.).
|
|
|
|
|
2017-11-14 18:12:35 +00:00
|
|
|
## `awskms` Example
|
2017-11-14 11:13:11 +00:00
|
|
|
|
2017-11-14 18:12:35 +00:00
|
|
|
This example shows configuring AWS KMS seal through the Vault configuration file
|
|
|
|
by providing all the required values:
|
2017-11-14 11:13:11 +00:00
|
|
|
|
2017-11-14 18:12:35 +00:00
|
|
|
```hcl
|
|
|
|
seal "awskms" {
|
2018-01-31 18:41:31 +00:00
|
|
|
region = "us-east-1"
|
2017-11-14 18:12:35 +00:00
|
|
|
access_key = "AKIAIOSFODNN7EXAMPLE"
|
|
|
|
secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
|
|
|
|
kms_key_id = "19ec80b0-dfdd-4d97-8164-c6examplekey"
|
2018-10-26 13:18:04 +00:00
|
|
|
endpoint = "https://vpce-0e1bb1852241f8cc6-pzi0do8n.kms.us-east-1.vpce.amazonaws.com"
|
2017-11-14 18:12:35 +00:00
|
|
|
}
|
2017-11-14 11:13:11 +00:00
|
|
|
```
|
|
|
|
|
|
|
|
## `awskms` Parameters
|
|
|
|
|
|
|
|
These parameters apply to the `seal` stanza in the Vault configuration file:
|
|
|
|
|
2017-11-14 18:12:35 +00:00
|
|
|
- `region` `(string: "us-east-1")`: The AWS region where the encryption key
|
2019-10-14 17:31:03 +00:00
|
|
|
lives. If not provided, may be populated from the `AWS_REGION` or
|
2019-02-28 17:31:06 +00:00
|
|
|
`AWS_DEFAULT_REGION` environment variables, from your `~/.aws/config` file,
|
2020-01-18 00:18:09 +00:00
|
|
|
or from instance metadata.
|
2017-11-14 18:12:35 +00:00
|
|
|
|
|
|
|
- `access_key` `(string: <required>)`: The AWS access key ID to use. May also be
|
2017-11-14 11:13:11 +00:00
|
|
|
specified by the `AWS_ACCESS_KEY_ID` environment variable or as part of the
|
|
|
|
AWS profile from the AWS CLI or instance profile.
|
2017-11-14 18:12:35 +00:00
|
|
|
|
2019-05-07 15:27:06 +00:00
|
|
|
- `session_token` `(string: "")`: Specifies the AWS session token. This can
|
|
|
|
also be provided via the environment variable `AWS_SESSION_TOKEN`.
|
|
|
|
|
2017-11-14 18:12:35 +00:00
|
|
|
- `secret_key` `(string: <required>)`: The AWS secret access key to use. May
|
2017-11-14 11:13:11 +00:00
|
|
|
also be specified by the `AWS_SECRET_ACCESS_KEY` environment variable or as
|
|
|
|
part of the AWS profile from the AWS CLI or instance profile.
|
2017-11-14 18:12:35 +00:00
|
|
|
|
|
|
|
- `kms_key_id` `(string: <required>)`: The AWS KMS key ID to use for encryption
|
2017-11-14 11:13:11 +00:00
|
|
|
and decryption. May also be specified by the `VAULT_AWSKMS_SEAL_KEY_ID`
|
|
|
|
environment variable.
|
|
|
|
|
2018-10-26 13:18:04 +00:00
|
|
|
- `endpoint` `(string: "")`: The KMS API endpoint to be used to make AWS KMS
|
|
|
|
requests. May also be specified by the `AWS_KMS_ENDPOINT` environment
|
|
|
|
variable. This is useful, for example, when connecting to KMS over a [VPC
|
|
|
|
Endpoint](https://docs.aws.amazon.com/kms/latest/developerguide/kms-vpc-endpoint.html).
|
|
|
|
If not set, Vault will use the default API endpoint for your region.
|
|
|
|
|
2017-11-14 18:12:35 +00:00
|
|
|
## Authentication
|
|
|
|
|
|
|
|
Authentication-related values must be provided, either as environment
|
|
|
|
variables or as configuration parameters.
|
|
|
|
|
2017-11-14 11:13:11 +00:00
|
|
|
~> **Note:** Although the configuration file allows you to pass in
|
2020-02-28 19:48:53 +00:00
|
|
|
`AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` as part of the seal's parameters, it
|
2020-01-18 00:18:09 +00:00
|
|
|
is _strongly_ recommended to set these values via environment variables.
|
2017-11-14 18:12:35 +00:00
|
|
|
|
|
|
|
AWS authentication values:
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
- `AWS_REGION` or `AWS_DEFAULT_REGION`
|
|
|
|
- `AWS_ACCESS_KEY_ID`
|
|
|
|
- `AWS_SECRET_ACCESS_KEY`
|
2017-11-14 18:12:35 +00:00
|
|
|
|
|
|
|
Note: The client uses the official AWS SDK and will use the specified
|
|
|
|
credentials, environment credentials, shared file credentials, or IAM role/ECS
|
|
|
|
task credentials in that order, if the above AWS specific values are not
|
|
|
|
provided.
|
2017-11-14 11:13:11 +00:00
|
|
|
|
2018-10-26 13:18:04 +00:00
|
|
|
Vault needs the following permissions on the KMS key:
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
- `kms:Encrypt`
|
|
|
|
- `kms:Decrypt`
|
|
|
|
- `kms:DescribeKey`
|
2018-10-26 13:18:04 +00:00
|
|
|
|
|
|
|
These can be granted via IAM permissions on the principal that Vault uses, on
|
|
|
|
the KMS key policy for the KMS key, or via KMS Grants on the key.
|
|
|
|
|
2017-11-14 11:13:11 +00:00
|
|
|
## `awskms` Environment Variables
|
|
|
|
|
|
|
|
Alternatively, the AWS KMS seal can be activated by providing the following
|
2019-10-14 17:31:03 +00:00
|
|
|
environment variables.
|
2017-11-14 11:13:11 +00:00
|
|
|
|
|
|
|
Vault Seal specific values:
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
- `VAULT_SEAL_TYPE`
|
|
|
|
- `VAULT_AWSKMS_SEAL_KEY_ID`
|
2018-04-25 13:59:06 +00:00
|
|
|
|
|
|
|
## Key Rotation
|
|
|
|
|
2019-10-14 17:31:03 +00:00
|
|
|
This seal supports rotating the master keys defined in AWS KMS
|
|
|
|
[doc](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html). Both automatic
|
|
|
|
rotation and manual rotation is supported for KMS since the key information is stored with the
|
2020-01-18 00:18:09 +00:00
|
|
|
encrypted data. Old keys must not be disabled or deleted and are used to decrypt older data.
|
2018-04-25 13:59:06 +00:00
|
|
|
Any new or updated data will be encrypted with the current key defined in the seal configuration
|
2018-10-26 13:18:04 +00:00
|
|
|
or set to current under a key alias.
|
2019-10-14 17:31:03 +00:00
|
|
|
|
|
|
|
## Learn
|
|
|
|
|
|
|
|
Refer to the [Auto-unseal using AWS KMS](https://learn.hashicorp.com/vault/operations/ops-autounseal-aws-kms)
|
|
|
|
guide for a step-by-step tutorial.
|