Summary
This article shows how to obtain the list of peers on the DR secondary cluster.
Architecture
Minimum of two Vault Enterprise clusters:
- One primary Vault cluster
- One secondary Vault cluster with disaster recovery replication enabled, as explained in the Disaster Recovery Replication tutorial linked under Additional Information.
Tested on:
- Vault Enterprise versions 1.7, 1.8, 1.9
Issue
DR secondaries act as warm standbys, so making changes on the DR secondary would lead to inconsistencies with the primary. Therefore most actions on DR secondaries are disabled.
Listing the peers on a DR secondary cluster will result in the error "path disabled in replication DR secondary mode."
$ vault operator raft list-peers
Error reading the raft cluster configuration: Error making API request.
URL: GET https://vault-cluster.dev:8200/v1/sys/storage/raft/configuration
Code: 400. Errors:
* path disabled in replication DR secondary mode
Solution
Use a DR operation token on the DR secondary cluster to perform these tasks.
- Start the DR operation token generation process. Note the Nonce and the OTP from the output: the nonce identifies this attempt in the following steps, and the OTP is needed to decode the final token.
$ vault operator generate-root -dr-token -init
A One-Time-Password has been generated for you and is shown in the OTP field.
You will need this value to decode the resulting root token, so keep it safe.
Nonce e68edd85-74f5-3b0b-2466-850cd6dd52cb
Started true
Progress 0/3
Complete false
OTP aZePuBbOxRjjXDLQGaTBT0EW2K
OTP Length 26
- Run the following command once for each unseal/recovery key until the threshold (3 in this example) is reached:
vault operator generate-root -dr-token \
-nonce=e68edd85-74f5-3b0b-2466-850cd6dd52cb \
X7qnGTzV6cuD+WtaWjcR67chJLiI0i0iZglZ4fun7EGC
Nonce e68edd85-74f5-3b0b-2466-850cd6dd52cb
Started true
Progress 1/3
Complete false
vault operator generate-root -dr-token \
-nonce=e68edd85-74f5-3b0b-2466-850cd6dd52cb \
f9kDBTttibwgPcCPXE/Bu1eM5uL2YJOh8kzDFAp2q/2f
Nonce e68edd85-74f5-3b0b-2466-850cd6dd52cb
Started true
Progress 2/3
Complete false
vault operator generate-root -dr-token \
-nonce=e68edd85-74f5-3b0b-2466-850cd6dd52cb \
isxQajloXimbBqMu7yr6S5tnJ0u+CmLnPCKNLocLqUAq
Nonce e68edd85-74f5-3b0b-2466-850cd6dd52cb
Started true
Progress 3/3
Complete true
Encoded Token EnRUMRx1UTghJ18/Kwd6NAwHFTU7cx0GfAo
The encoded token is provided in the output after all unseal/recovery keys are provided.
- Decode the encoded token with the OTP from the first step:
vault operator generate-root -dr-token \
-otp="aZePuBbOxRjjXDLQGaTBT0EW2K" \
-decode=EnRUMRx1UTghJ18/Kwd6NAwHFTU7cx0GfAo
s.1ai73wYu5UsC6eKfAwoCXQNA
- List the peers on the secondary DR cluster using the DR operation token:
vault operator raft list-peers -dr-token="s.1ai73wYu5UsC6eKfAwoCXQNA"
Node     Address              State     Voter
----     -------              -----     -----
node1    172.31.1.130:8201    leader    true
node2    172.31.16.128:8201   follower  true
node3    172.31.32.30:8201    follower  true
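To show what the -decode step above actually does with the OTP, here is an added Python example (not part of this article and not Vault's own code) that reproduces the decoding offline: the encoded token is the plaintext token XORed with the OTP and base64-encoded without padding, so anyone holding both the encoded token and the OTP holds the DR operation token, which is why the OTP must be kept safe. It uses the OTP, encoded token and resulting token shown in the session above; the function and constant names are this example's own.

```python
import base64


def _b64_raw_decode(encoded: str) -> bytes:
    """Decode unpadded standard base64, the form generate-root prints."""
    return base64.b64decode(encoded + "=" * (-len(encoded) % 4), validate=True)


def _b64_raw_encode(raw: bytes) -> str:
    """Encode as standard base64 with the trailing '=' padding removed."""
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def decode_dr_token(encoded_token: str, otp: str) -> str:
    """Recover the plaintext DR operation token (what `-decode` does).

    The encoded token is base64(token XOR otp). The OTP must be exactly as long
    as the token (26 characters for an "s."-prefixed token); a length mismatch
    means the wrong OTP or a mangled encoded token, so fail instead of guessing.
    """
    masked = _b64_raw_decode(encoded_token)
    otp_bytes = otp.encode("ascii")
    if len(masked) != len(otp_bytes):
        raise ValueError(
            f"OTP length {len(otp_bytes)} does not match token length {len(masked)}"
        )
    return bytes(m ^ o for m, o in zip(masked, otp_bytes)).decode("ascii")


def encode_dr_token(token: str, otp: str) -> str:
    """Inverse of decode_dr_token: mask the token with the OTP, then base64 it."""
    token_bytes = token.encode("ascii")
    otp_bytes = otp.encode("ascii")
    if len(token_bytes) != len(otp_bytes):
        raise ValueError("OTP must be exactly as long as the token")
    return _b64_raw_encode(bytes(t ^ o for t, o in zip(token_bytes, otp_bytes)))


# Values taken from the generate-root session shown in the article above.
ARTICLE_OTP = "aZePuBbOxRjjXDLQGaTBT0EW2K"
ARTICLE_ENCODED_TOKEN = "EnRUMRx1UTghJ18/Kwd6NAwHFTU7cx0GfAo"
ARTICLE_DR_TOKEN = "s.1ai73wYu5UsC6eKfAwoCXQNA"

if __name__ == "__main__":
    token = decode_dr_token(ARTICLE_ENCODED_TOKEN, ARTICLE_OTP)
    print("decoded DR operation token:", token)  # s.1ai73wYu5UsC6eKfAwoCXQNA
    assert token == ARTICLE_DR_TOKEN
    assert encode_dr_token(token, ARTICLE_OTP) == ARTICLE_ENCODED_TOKEN
```

Treat the decoded token like a root token: it is only needed for the duration of the operation and should be revoked afterwards.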
Additional Information
- Vault Tutorial: Disaster Recovery Replication
- Vault Tutorial: Generate Operational Token