Introduction
This article explains how to unlock an HCP Vault namespace when the unlock key has been lost or forgotten.
Prerequisites
- Vault cluster deployed on the HashiCorp Cloud Platform (HCP).
- Sufficient permissions to manage namespaces (API lock endpoint).
- Identity verification with the Organization Owner.
Use Case
A Vault administrator can lock the API for particular namespaces. In this state, Vault blocks all but a selected few API endpoints from responding to clients operating in a locked namespace (or a descendant of a locked namespace). In general, an unlock key is required to unlock the API. This is the same as the unlock key provided when the namespace was locked. The unlock key requirement can be overridden by using a root token with the unlock request.
However, the root token is not available to Vault users on HCP, so unlocking a namespace without the unlock key requires engagement with the internal engineering team, who unlock the namespace for you.
Procedure
In the event the unlock key is not available, please open a Support ticket to have the namespace unlocked on your behalf. Include the following details in the ticket:
- HCP Organization ID
- HCP Vault Cluster Name/ID
- The name of the namespace(s) to be unlocked.
Additional Information
For more information on Namespace lock and unlock functionality, please refer to our documentation. Additional Namespace API lock constraints for Vault clusters deployed on HCP can be found here.