Problem
When attempting to set up OCI KMS Seal as documented, vault will fail to start.
The following are examples of errors that may be encountered:
Error parsing Seal configuration: 'key_id' not found for OCI KMS seal configuration
Error parsing Seal configuration: error initializing OCI KMS client:
failed creating NewKmsCryptoClientWithConfigurationProvider:
can not create client, bad configuration:
did not find a proper configuration for tenancy
Cause
These errors can be caused by either of the following:
1. Known issue parsing out the OCI seal key_id from the vault config file.
2. Missing OCI API configuration file or insufficient permissions.
Solutions:
1. If the error 'key_id' not found for OCI KMS seal configuration
is encountered, this may be the result of a known issue.
To work around it, set the VAULT_OCIKMS_SEAL_KEY_ID
environment variable.
2. If the seal is configured with auth_type_api_key
set to true, you may receive the error initializing OCI KMS client
error when the OCI API configuration has not been properly created on the OCI instance. Review the OCI documentation on how to set up an API key.
Note: Please ensure that the vault user has permissions to the ~/.oci
directory where the API signing key and configuration file are located.
Example API config file:
cat /home/vault/.oci/config
[DEFAULT]
user=ocid1.user.oc1..XXXXXXXXX
fingerprint=a1:82:53:e1:fd:bd:e7:55:1b:7b:e8:XX:XX:XX:XX:XX
tenancy=ocid1.tenancy.oc1..XXXXXXXX
region=us-ashburn-1
key_file=/home/vault/.oci/oci_api_private_key.pem
An alternative is to set auth_type_api_key
to false and use Dynamic Groups.
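The following preflight script is an added example, not part of this article or of Vault. It checks, before Vault is started, the prerequisites listed above: that VAULT_OCIKMS_SEAL_KEY_ID is set (it assumes you rely on the environment-variable workaround from solution 1), that the OCI API configuration file carries every key the OCI SDK reads from the [DEFAULT] profile (the error quoted above names tenancy as the value it could not find, so the script reports exactly which required keys are absent), and that the user running it can read the ~/.oci directory, the config file and the private key it points to. The config path /home/vault/.oci/config and the OCID values in the comments are placeholders; run the script as the vault user so the permission checks reflect what Vault itself will see.

```shell
#!/bin/sh
# OCI KMS seal preflight check (added example; not part of the article or of Vault).
# Usage: sudo -u vault sh oci_seal_preflight.sh /home/vault/.oci/config

# check_seal_key_id
# Returns 0 when VAULT_OCIKMS_SEAL_KEY_ID is set to something that looks like
# a KMS key OCID (ocid1.key.<realm>.<region>...). Assumes the environment-variable
# workaround for the "'key_id' not found" parse error is in use.
check_seal_key_id() {
  if [ -z "${VAULT_OCIKMS_SEAL_KEY_ID:-}" ]; then
    echo "VAULT_OCIKMS_SEAL_KEY_ID is not set" >&2
    return 1
  fi
  case "$VAULT_OCIKMS_SEAL_KEY_ID" in
    ocid1.key.*) return 0 ;;
    *) echo "VAULT_OCIKMS_SEAL_KEY_ID does not look like a KMS key OCID" >&2; return 1 ;;
  esac
}

# check_oci_config FILE
# Verifies that the directory is searchable and FILE is readable by the
# current user, then that each key the OCI SDK needs in the [DEFAULT]
# profile (user, fingerprint, tenancy, region, key_file) is present.
# Prints every missing key and returns 1 if any are absent.
check_oci_config() {
  file="$1"
  dir=$(dirname "$file")
  if [ ! -x "$dir" ]; then
    echo "config directory not searchable by $(id -un): $dir" >&2
    return 1
  fi
  if [ ! -r "$file" ]; then
    echo "config file not readable by $(id -un): $file" >&2
    return 1
  fi
  missing=0
  for key in user fingerprint tenancy region key_file; do
    # Match "key=" or "key = " at line start; "username=" must not satisfy "user".
    if ! grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
      echo "missing key in $file: $key" >&2
      missing=1
    fi
  done
  return $missing
}

# check_key_file FILE
# Reads key_file= from FILE and confirms the private key it names is
# readable by the current user (the vault user, when run as vault).
check_key_file() {
  file="$1"
  key_path=$(sed -n 's/^[[:space:]]*key_file[[:space:]]*=[[:space:]]*//p' "$file" | head -n 1)
  if [ -z "$key_path" ]; then
    echo "key_file not set in $file" >&2
    return 1
  fi
  if [ ! -r "$key_path" ]; then
    echo "private key not readable by $(id -un): $key_path" >&2
    return 1
  fi
  return 0
}

# preflight CONFIG_FILE
# Runs all three checks, reporting every problem rather than stopping at
# the first, and returns 1 if any check failed.
preflight() {
  status=0
  check_seal_key_id || status=1
  check_oci_config "$1" || status=1
  check_key_file "$1" || status=1
  return $status
}

# Only run automatically when a config path is given on the command line,
# so the file can also be sourced for its functions.
if [ -n "${1:-}" ]; then
  preflight "$1"
fi
```

The script deliberately continues past the first failure so one run lists every missing key and every unreadable path; a non-zero exit is the signal to fix the configuration before starting Vault, and the checks are plain POSIX sh so they run on any OCI instance image.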