A valid license is required to use any Vault Enterprise version that's 1.8.x or higher. Unlike prior versions, Vault will not launch or allow for any evaluation period without a license.
A Vault license can be configured using one of two methods:
- Environment Variable: VAULT_LICENSE or VAULT_LICENSE_PATH.
- Vault HCL parameter: license_path
When choosing the method that best suits your implementation, take note of the differences between the two approaches and other applicable considerations.
For example, when opting for the environment variable approach, the following may be seen as advantages:
- Security: no license file exists, so there is no trail of the license. The environment variable containing the value can be unset or updated dynamically, especially in the case of Kubernetes ConfigMaps.
- Precedence: a license provided by way of environment variables will always be the one used, and it supersedes anything that may have been erroneously set in the HCL config file as well.
Some disadvantages could include:
- License information is not persisted and it may be lost on any restart or redeployment of your Vault service.
- The license environment variable must exist and refer to a valid license before Vault is launched, and the license cannot be dynamically updated or changed afterwards: a restart of the service is likely to be needed with any change to the license.
Alternatively, providing the license using a file may be seen as having the following advantages:
- Persistence: The license information persists as it is stored in a file, hence there are less chances of its.
- Accessibility: The license information may be more easily accessible and transferable on redeployments.
- Updates: when the file containing the license has changed, or the license_path parameter has been changed to point to another file, the license can be dynamically updated by either:
  - invoking an HTTP PUT request to the API: sys/config/reload/license
  - or issuing a reload using SIGHUP, e.g.:
    kill -SIGHUP $(pidof vault)
Generally speaking, a license file defined with license_path might be more convenient and easier to maintain, with reduced chances of the disruptions that a Vault license update may otherwise bring about.
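The precedence and update behaviour described above, as an added example that is not HashiCorp's code: a preflight check that reports which license source a Vault server would pick up and whether a license change needs a restart or a reload. The function names, the sample config and its path are constructed, and checking VAULT_LICENSE before VAULT_LICENSE_PATH is an assumption.

```shell
#!/bin/sh
# Added example (not HashiCorp code): report which license source a Vault
# server would use and how a license change gets applied.
# Assumption: VAULT_LICENSE is checked before VAULT_LICENSE_PATH.

# Print the license_path value from an HCL config file (empty if unset).
hcl_license_path() {
    sed -n 's/^[[:space:]]*license_path[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print the winning source: environment variables supersede the HCL setting.
license_source() {
    if [ -n "${VAULT_LICENSE:-}" ]; then
        echo "env:VAULT_LICENSE"
    elif [ -n "${VAULT_LICENSE_PATH:-}" ]; then
        echo "env:VAULT_LICENSE_PATH=${VAULT_LICENSE_PATH}"
    else
        lic_path=$(hcl_license_path "$1")
        if [ -n "$lic_path" ]; then echo "hcl:license_path=${lic_path}"; else echo "none"; fi
    fi
}

# Print how an updated license is applied, following the article:
# env-sourced licenses need a restart, a license_path file can be reloaded.
update_method() {
    case "$(license_source "$1")" in
        env:*) echo "restart" ;;
        hcl:*) echo "reload" ;;   # kill -SIGHUP or PUT sys/config/reload/license
        *)     echo "unlicensed" ;;
    esac
}

# Constructed sample config; the path below is a placeholder.
# The subshell body keeps the demo's environment changes from leaking out.
demo() (
    cfg=$(mktemp)
    printf 'license_path = "/etc/vault.d/vault.hclic"\n' > "$cfg"
    unset VAULT_LICENSE VAULT_LICENSE_PATH
    echo "file only : $(license_source "$cfg") -> $(update_method "$cfg")"
    VAULT_LICENSE="constructed-placeholder"; export VAULT_LICENSE
    echo "env + file: $(license_source "$cfg") -> $(update_method "$cfg")"
    rm -f "$cfg"
)
demo
```

Running it in the same environment as the Vault service (for example from the unit's environment file) shows whether a stale environment variable is silently overriding the license_path file.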
Resources
- Learn: Install a HashiCorp Enterprise License
- Docs: license/autoloading
- Docs: VAULT_LICENSE & VAULT_LICENSE_PATH
- Docs: Vault HCL license_path