Introduction
This article addresses a known issue, present from Vault 1.19.1 onwards, in which OIDC authentication attempts fail on performance standby nodes of a Vault performance secondary cluster. The error observed in the audit logs is:
"error":"rpc error: code = Unknown desc = failed to create group: failed to persist packed storage entry: cannot write to readonly storage"
Issue Summary
When users attempt to authenticate using OIDC against performance standby nodes (particularly in a performance secondary cluster), the authentication process fails. The error message shows that the login tries to create an identity group as part of the OIDC flow, and the node cannot persist it because its storage is in a read-only state.
Observed Logs
The following error is recorded in the Vault audit logs of the performance standby node of the performance secondary cluster during the failed OIDC authentication attempt:
"error":"rpc error: code = Unknown desc = failed to create group: failed to persist packed storage entry: cannot write to readonly storage"
Workaround/Solution
- Direct OIDC authentication requests to the active node in the cluster. Ensure that your load balancer or client configuration only routes authentication (and other write) requests to the active node, not to performance standby nodes.
- If using a load balancer, configure health checks and routing rules so that only the active node is considered for endpoints requiring write access (such as OIDC login endpoints).
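As an added example (not part of this article or of Vault itself), the following Python shows the routing decision the two steps above describe: classify each node from its /v1/sys/health response and admit only an unsealed active node to the pool that receives OIDC login and other write traffic. The field names and default status codes are those documented for Vault's sys/health endpoint; the node names and response values are constructed for this example.

```python
import json

# Default HTTP status codes returned by Vault's /v1/sys/health endpoint when
# it is called without query parameters (documented Vault defaults).
HEALTH_ACTIVE = 200           # initialized, unsealed, active node
HEALTH_STANDBY = 429          # unsealed HA standby
HEALTH_DR_SECONDARY = 472     # active node of a DR secondary
HEALTH_PERF_STANDBY = 473     # performance standby node
HEALTH_UNINITIALIZED = 501
HEALTH_SEALED = 503

# Constructed sample sys/health bodies for three nodes of a performance
# secondary cluster. Field names match the real endpoint; node names and
# values are made up for this example.
SAMPLE_HEALTH = {
    "vault-sec-1": {"initialized": True, "sealed": False, "standby": False,
                    "performance_standby": False,
                    "replication_performance_mode": "secondary",
                    "replication_dr_mode": "disabled"},
    "vault-sec-2": {"initialized": True, "sealed": False, "standby": True,
                    "performance_standby": True,
                    "replication_performance_mode": "secondary",
                    "replication_dr_mode": "disabled"},
    "vault-sec-3": {"initialized": True, "sealed": True, "standby": True,
                    "performance_standby": False,
                    "replication_performance_mode": "secondary",
                    "replication_dr_mode": "disabled"},
}


def classify_node(health):
    """Map a sys/health body (dict or JSON string) to the role that matters
    for routing. Sealed/uninitialized are checked first because their other
    fields are not meaningful; performance_standby is checked before standby
    because a performance standby reports both flags as true."""
    if isinstance(health, str):
        health = json.loads(health)
    if not health.get("initialized", False):
        return "uninitialized"
    if health.get("sealed", True):
        return "sealed"
    if health.get("performance_standby", False):
        return "performance_standby"
    if health.get("standby", False):
        return "standby"
    return "active"


def is_write_capable(health):
    """Only an unsealed active node may serve OIDC login (which persists
    identity groups) or any other write; everything else is read-only."""
    return classify_node(health) == "active"


def status_is_write_capable(status_code):
    """The same decision for a load balancer that only sees the HTTP status:
    with default query parameters only an active node answers 200."""
    return status_code == HEALTH_ACTIVE


def write_pool(health_by_node):
    """Return the nodes that may receive write (and OIDC login) traffic."""
    return sorted(node for node, health in health_by_node.items()
                  if is_write_capable(health))


if __name__ == "__main__":
    for node, health in SAMPLE_HEALTH.items():
        role = classify_node(health)
        print(f"{node}: {role} -> "
              f"{'write pool' if is_write_capable(health) else 'read-only'}")
    print("write pool:", write_pool(SAMPLE_HEALTH))
```

In a load balancer the equivalent check is to poll /v1/sys/health on each node without `standbyok=true` or `perfstandbyok=true` and treat only HTTP 200 as healthy for the pool that fronts the OIDC login endpoints; a separate read-only pool can pass `perfstandbyok=true` so that performance standby nodes keep serving reads.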