Introduction
Vault DR Replication (Disaster Recovery Replication) creates a warm standby Vault cluster that mirrors data (policies, tokens, secrets) from a primary cluster. The secondary acts as a passive copy until it is promoted to become the new primary, allowing failover that prevents data loss and service interruption during a catastrophic primary failure. It is a core Vault Enterprise feature for multi-datacenter setups, ensuring business continuity by keeping essential credentials and secrets synchronised.
Prerequisites
Disaster Recovery Replication requires a Vault Enterprise Standard license.
Challenge
At times it may be necessary to check the Vault Enterprise license loaded on a DR Secondary cluster to see which features the license contains, its expiry date, termination date, validity, and so on.
In a DR Secondary cluster many system endpoints are restricted, and sys/license/status is one of them. If this endpoint is queried with the standard command vault read sys/license/status, an error is returned indicating that the path is disabled in replication DR secondary mode.
This endpoint also does not accept a dr_operation_token.
vault read sys/license/status
Error reading sys/license/status: Error making API request.
URL: GET https://127.0.0.1:8200/v1/sys/license/status
Code: 400. Errors:
* path disabled in replication DR secondary mode
Workaround
Generate a DR Operation Token. Export the resultant DR Operation Token as an environment variable for VAULT_TOKEN:
export VAULT_TOKEN=hvs.qogDKL2S58CL9bE6xxxxxx
Query the Vault license status endpoint while the VAULT_TOKEN environment variable is set to the DR Operation Token: vault read sys/license/status
The details of the Vault Enterprise license autoloaded on the node where the command was run are displayed.
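The same check done against the License Status API instead of the CLI, as an added example that is not part of this article or of Vault itself: it sends VAULT_TOKEN (the DR Operation Token) as the X-Vault-Token header, recognises the "path disabled in replication DR secondary mode" error from above, and reports features plus days to expiration and termination. The response shape and feature names in SAMPLE_STATUS are a constructed sample, and the license id is a placeholder.

```python
import json
import os
import urllib.error
import urllib.request
from datetime import datetime, timezone

# Constructed sample of a sys/license/status response (not from a real cluster).
SAMPLE_STATUS = {
    "data": {
        "autoloading_used": True,
        "autoloaded": {
            "license_id": "00000000-0000-0000-0000-000000000000",  # placeholder
            "start_time": "2024-01-01T00:00:00Z",
            "expiration_time": "2025-01-01T00:00:00Z",
            "termination_time": "2025-01-31T00:00:00Z",
            "features": ["DR Replication", "Namespaces", "Performance Standby"],
        },
    }
}


def fetch_license_status(addr: str, token: str) -> dict:
    """GET /v1/sys/license/status with the token in X-Vault-Token.

    On a DR secondary the token must be a DR Operation Token; a normal token
    gets the 400 'path disabled in replication DR secondary mode' error.
    """
    req = urllib.request.Request(f"{addr}/v1/sys/license/status",
                                 headers={"X-Vault-Token": token})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        body = err.read().decode(errors="replace")
        if "path disabled in replication DR secondary mode" in body:
            raise RuntimeError("DR secondary: set VAULT_TOKEN to a DR Operation Token") from err
        raise


def _parse_ts(value: str) -> datetime:
    # Vault returns RFC 3339 timestamps; older Pythons reject the trailing 'Z'.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def summarize_license(status: dict, now: datetime) -> dict:
    """Summarise the autoloaded license: features and time left before expiry/termination."""
    lic = status["data"]["autoloaded"]
    expiration, termination = _parse_ts(lic["expiration_time"]), _parse_ts(lic["termination_time"])
    features = sorted(lic.get("features", []))
    return {
        "license_id": lic["license_id"],
        "features": features,
        "dr_replication": "DR Replication" in features,  # assumed feature name
        "days_to_expiration": (expiration - now).days,
        "days_to_termination": (termination - now).days,
        "expired": now >= expiration,
        "terminated": now >= termination,
    }


if __name__ == "__main__":
    addr = os.environ.get("VAULT_ADDR", "https://127.0.0.1:8200")
    status = fetch_license_status(addr, os.environ["VAULT_TOKEN"])
    print(json.dumps(summarize_license(status, datetime.now(timezone.utc)), indent=2))
```

Run it with VAULT_ADDR and VAULT_TOKEN exported as in the workaround; between expiration and termination the license is expired but Vault still runs, so a negative days_to_expiration with a positive days_to_termination is the window in which to act.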
Additional Resources
Vault Documentation: Replication Support in Vault
Vault Documentation: Generate a DR Operation Token
Vault Documentation: DR Replication API
Vault Documentation: License Status API