Introduction
Starting with Vault 1.12.x, the /sys/init API called by the Vault CLI no longer accepts initialization requests composed by older versions of the Vault CLI binary. This only applies when the Vault binary executing vault operator init (typically on a client machine) is older than the Vault binary running on the server.
Prerequisites
- An uninitialized Vault server running version 1.12.x or later.
- vault operator init being executed from a Vault binary older than 1.12.x (e.g. 1.10.4 or 1.11.3).
Cause
- When executing vault operator init with the pre-1.12.x Vault binary, it composes an API call that is no longer compatible with the /sys/init endpoint requirements. This results in an error stating:
"parameters recovery_shares,recovery_threshold not applicable to seal type shamir"
- The curl output of the API call when executing vault operator init -key-shares=1 -key-threshold=1 -output-curl-string shows the recovery_shares and recovery_threshold parameters as part of the payload:
$ curl -kv -X PUT -H "X-Vault-Request: true" \
-H "X-Vault-Token: $(vault print token)" \
-d '{"secret_shares":1,"secret_threshold":1,"stored_shares":0,"pgp_keys":null,"recovery_shares":5,"recovery_threshold":3,"recovery_pgp_keys":null,"root_token_pgp_key":""}' \
http://127.0.0.1:8200/v1/sys/init
- The /sys/init endpoint in Vault 1.12.x and later no longer accepts the recovery_shares and recovery_threshold parameters for the Shamir seal type, as seen below:
$ curl -X PUT -H "X-Vault-Request: true" -H "X-Vault-Token: $(vault print token)" \
-d '{"secret_shares":1,"secret_threshold":1,"stored_shares":0,"pgp_keys":null,"recovery_shares":5,"recovery_threshold":3,"recovery_pgp_keys":null,"root_token_pgp_key":""}' \
http://127.0.0.1:8200/v1/sys/init | jq
{
  "errors": [
    "parameters recovery_shares,recovery_threshold not applicable to seal type shamir"
  ]
}
Overview of possible solutions
Solutions:
- Install and execute a version of the Vault binary that matches the version of the Vault binary on the server that is being initialized. The version can be validated with:
$ vault -version
Vault v1.12.0+ent (2b95ea0ba6fe708949201df0f84bc30b5b1bf74a), built 2022-10-10T19:00:46Z
- Remove the additional parameters from the API call to /sys/init:
$ curl -kv -X PUT -H "X-Vault-Request: true" -H "X-Vault-Token: $(vault print token)" \
-d '{"secret_shares":1,"secret_threshold":1,"stored_shares":0,"pgp_keys":null,"recovery_pgp_keys":null,"root_token_pgp_key":""}' \
http://127.0.0.1:8200/v1/sys/init
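As an added example (not from this article or from HashiCorp), a small Python helper that applies both solutions offline: it compares the CLI's vault -version string against the server version reported by /sys/seal-status, and strips the two parameters the shamir seal rejects from the -output-curl-string payload while leaving every other field as the CLI sent it. The seal-status document and the CLI version string are constructed samples, and the seal-status field names type and version are assumed.

```python
import json
import re

# Parameters that /sys/init on a Vault 1.12.x+ server rejects for the shamir
# seal type (taken from the error message quoted in this article).
REJECTED_FOR_SHAMIR = ("recovery_shares", "recovery_threshold")

# Constructed sample: the body an older CLI emits with -output-curl-string.
OLD_CLI_PAYLOAD = ('{"secret_shares":1,"secret_threshold":1,"stored_shares":0,'
                   '"pgp_keys":null,"recovery_shares":5,"recovery_threshold":3,'
                   '"recovery_pgp_keys":null,"root_token_pgp_key":""}')

# Constructed sample of GET /v1/sys/seal-status from an uninitialized server;
# only the "type" and "version" fields are used (assumed field names).
SAMPLE_SEAL_STATUS = ('{"type":"shamir","initialized":false,"sealed":true,'
                      '"version":"1.12.0+ent"}')


def parse_vault_version(text):
    """Return (major, minor, patch) from strings such as
    'Vault v1.12.0+ent (2b95ea0...), built 2022-10-10T19:00:46Z' or '1.11.3'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no semantic version found in: %r" % text)
    return tuple(int(x) for x in m.groups())


def cli_older_than_server(cli_version_text, seal_status_json):
    """True when the binary running `vault operator init` predates the server,
    which is the precondition for the error this article describes."""
    server_version = json.loads(seal_status_json)["version"]
    return parse_vault_version(cli_version_text) < parse_vault_version(server_version)


def sanitize_init_payload(payload, seal_status_json):
    """Rewrite the -output-curl-string body so a 1.12.x+ server accepts it:
    for a shamir seal drop the parameters the endpoint rejects and keep the
    rest (including recovery_pgp_keys) exactly as the CLI produced it."""
    body = json.loads(payload)
    seal_type = json.loads(seal_status_json)["type"]
    if seal_type == "shamir":
        body = {k: v for k, v in body.items() if k not in REJECTED_FOR_SHAMIR}
    # Compact separators reproduce the single-line form passed to curl -d.
    return json.dumps(body, separators=(",", ":"))


if __name__ == "__main__":
    cli = "Vault v1.11.3 (deadbeef), built 2022-01-01T00:00:00Z"  # constructed
    if cli_older_than_server(cli, SAMPLE_SEAL_STATUS):
        print("client binary is older than the server; stripping rejected params")
    print(sanitize_init_payload(OLD_CLI_PAYLOAD, SAMPLE_SEAL_STATUS))
```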
Outcome
The Vault server initialization process should complete successfully when executing vault operator init.
If it still fails, check that the Vault binary versions match, as outlined in the Solutions section.
Additional Information
- Vault API doc: /sys/init
- HashiCorp releases: Vault Releases
- HashiCorp doc: Shamir Seals