Unable to rekey existing cluster #29221

Open
xeivieni opened this issue Dec 18, 2024 · 1 comment
@xeivieni

Describe the bug
Stuck in the rekey process for recovery keys on auto unseal AWS cluster.
The operator rekey init command returns a nonce, but when trying to use this nonce to run the rekey it says no rekey is in progress. When trying to init a new rekey, it says there is already a rekey in progress...

To Reproduce
Steps to reproduce the behavior:

/ $ vault operator rekey -init -target=recovery -key-shares=17 -key-threshold=3
WARNING! If you lose the keys after they are returned, there is no recovery.
Consider canceling this operation and re-initializing with the -pgp-keys flag
to protect the returned recovery keys along with -backup to allow recovery of
the encrypted keys in case of emergency. You can delete the stored keys later
using the -delete flag.

Key                      Value
---                      -----
Nonce                    ba8c0b52-6f88-d206-d9de-ad1a2330f8c0
Started                  true
Rekey Progress           0/2
New Shares               17
New Threshold            3
Verification Required    false
/ $ vault operator rekey -nonce="ba8c0b52-6f88-d206-d9de-ad1a2330f8c0" -
No rekey is in progress. Start a rekey process by running "vault operator
rekey -init".
/ $ vault operator rekey -init -target=recovery -key-shares=17 -key-threshold=3
Error initializing rekey: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/sys/rekey-recovery-key/init
Code: 400. Errors:

* rekey already in progress

Expected behavior

Rekey operations should work when giving the nonce obtained at init step.

Environment:

  • Vault Server Version (retrieve with vault status): 1.18.1
  • Vault CLI Version (retrieve with vault version): 1.18.1
  • Server Operating System/Architecture: EKS

Vault server configuration file(s):

ui = true

listener "tcp" {
  tls_disable = 1
  address = "[::]:8200"
  cluster_address = "[::]:8201"
  telemetry {
    unauthenticated_metrics_access = true
  }
}

storage "raft" {
  path = "/vault/data"
}

service_registration "kubernetes" {}

seal "awskms" {
  region = "eu-west-1"
  kms_key_id = "alias/vault_unseal"

  # fixes for 1.14+
  role_arn = "arn:aws:iam::xxxx:role/xxxx"
  web_identity_token_file = "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"
}

telemetry {
  disable_hostname = true
  prometheus_retention_time = "12h"
}

disable_mlock = true

Additional context
Restarting all the cluster nodes allows restarting the init process, but no luck after the init.
Tried to run the command both locally and directly on the active server, no changes. Even tried using the root token.

@stevendpclark
Contributor

stevendpclark commented Jan 23, 2025

Hi @xeivieni,

I believe you are seeing the "No rekey in progress..." message on the second command due to it missing the -target=recovery argument. So the error you are getting back is because there is no "barrier" rekey operation in progress, which is the default target.

$ vault operator rekey -target=recovery -nonce="..."
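The point in the reply above is that the CLI has two independent rekey state machines: `-target=recovery` selects `sys/rekey-recovery-key/*`, while the default selects the barrier endpoints `sys/rekey/*`, and a nonce obtained from one is meaningless to the other. The wrapper below is an added example, not code from the issue or from HashiCorp; it pins `-target=recovery` on every step, checks the server-side state before starting or feeding shares, and cancels a stuck attempt on the right target instead of restarting nodes. It assumes `VAULT_ADDR` and `VAULT_TOKEN` are exported, that the CLI's `-format=json` output is indented one field per line (it is for the Vault CLI), and it adds a hypothetical `VAULT_CMD` override so the wrapper can be exercised without a live cluster.

```shell
#!/bin/sh
# Added example (not from the issue or from HashiCorp): rotate the *recovery*
# keys of an auto-unseal Vault cluster with `vault operator rekey`.
# Every call passes -target=recovery. Without it the CLI talks to the barrier
# endpoints (sys/rekey/*), so a rekey pending on sys/rekey-recovery-key/* is
# reported as "No rekey is in progress".
# Assumptions: VAULT_ADDR and VAULT_TOKEN are exported; VAULT_CMD is a
# hypothetical override of the binary name, used here so the wrapper can be
# tested against a stand-in.
set -eu

VAULT_CMD="${VAULT_CMD:-vault}"
TARGET="recovery"

# Pull one scalar field out of the CLI's indented -format=json output.
json_field() {
  field="$1"
  sed -n 's/^ *"'"$field"'": *"\{0,1\}\([^",]*\)"\{0,1\},\{0,1\}$/\1/p' | head -n 1
}

# Status of the attempt on the recovery target (never the barrier target).
rekey_status_json() {
  "$VAULT_CMD" operator rekey -status -target="$TARGET" -format=json
}
rekey_nonce()   { rekey_status_json | json_field nonce; }
rekey_started() { rekey_status_json | json_field started; }

# Start a recovery-key rekey and print its nonce. Refuses to start when one is
# already pending: the server would answer "rekey already in progress", and the
# fix is to resume it with the existing nonce or cancel it, not to restart nodes.
rekey_init() {
  shares="$1"; threshold="$2"
  if [ "$(rekey_started)" = "true" ]; then
    echo "recovery rekey already in progress (nonce $(rekey_nonce)); resume it or run rekey_cancel" >&2
    return 1
  fi
  "$VAULT_CMD" operator rekey -init -target="$TARGET" \
      -key-shares="$shares" -key-threshold="$threshold" -format=json \
    | json_field nonce
}

# Submit one existing recovery share on stdin. The nonce ties the share to the
# attempt the server has open; a node restart produces a fresh nonce, so verify
# it first rather than discovering the mismatch after typing a share.
# Prints the full JSON response: the final one carries the NEW shares.
rekey_submit() {
  nonce="$1"; share="$2"
  current="$(rekey_nonce)"
  if [ "$current" != "$nonce" ]; then
    echo "nonce mismatch: server has '$current', supplied '$nonce'" >&2
    return 1
  fi
  printf '%s\n' "$share" \
    | "$VAULT_CMD" operator rekey -target="$TARGET" -nonce="$nonce" -format=json -
}

# Abort a stuck attempt on the recovery target without touching the cluster.
rekey_cancel() {
  "$VAULT_CMD" operator rekey -cancel -target="$TARGET"
}

# Interactive flow: `sh rekey-recovery.sh run 17 3`, then paste threshold-many
# current recovery shares. The last response is printed in full because it is
# the only copy of the new shares.
if [ "${1:-}" = "run" ]; then
  nonce="$(rekey_init "$2" "$3")"
  echo "recovery rekey started, nonce=$nonce"
  while :; do
    printf 'current recovery share (blank to stop): '
    read -r share
    [ -n "$share" ] || break
    out="$(rekey_submit "$nonce" "$share")"
    printf '%s\n' "$out"
    if [ "$(printf '%s\n' "$out" | json_field complete)" = "true" ]; then
      break
    fi
  done
fi
```

If an attempt was started without `-target=recovery` by mistake, `vault operator rekey -status` (no target) will show it on the barrier side; cancel it there with `vault operator rekey -cancel`, since the two targets do not share state.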
