The information contained in this article has been verified as up‑to‑date on the date of the original publication of the article. HashiCorp endeavors to keep this information up‑to‑date and correct, but it makes no representations or warranties of any kind, express or implied, about the ongoing completeness, accuracy, reliability, or suitability of the information provided.
All information contained in this article is for general information purposes only. Any reliance you place on such information as it applies to your use of your HashiCorp product is therefore strictly at your own risk.
Introduction
This article explains how to configure Raft auto‑join for Vault Enterprise running on Alibaba Cloud (Aliyun). Auto‑join enables Vault nodes to automatically discover and join peers during startup using instance metadata and tags. The configuration is similar to using provider=aws on EC2 or provider=azure with VM Scale Sets.
Scope
This article covers the use of the Aliyun provider in the HashiCorp go‑discover library to allow Vault nodes running on Alibaba Cloud ECS to automatically discover each other using region and tag filters.
Prerequisites
- Vault Enterprise using Integrated Storage (Raft)
- Alibaba Cloud ECS instances hosting Vault
- RAM user or RAM role with the following permission: ecs:DescribeInstances
- Matching ECS instance tags for Vault peer discovery
- TLS assets for Raft cluster communication (if using HTTPS)
Auto‑Join Overview
Vault uses the Aliyun go‑discover provider for ECS‑based node discovery.
Auto‑join parameters are passed as space‑separated key=value pairs in the auto_join configuration string; the provider key selects the go‑discover provider and the remaining keys are read by that provider.
Supported Aliyun parameters (from go‑discover)
provider: "aliyun"
region: The Aliyun region.
tag_key: The tag key to filter on
tag_value: The tag value to filter on
access_key_id: The Aliyun access key to use
access_key_secret: The Aliyun access key secret to use
Required RAM permission: ecs:DescribeInstances
It is recommended you make a dedicated key used only for auto‑joining.
Example Raft Auto‑Join Configuration (Aliyun)
retry_join {
auto_join = "provider=aliyun region=cn-hangzhou tag_key=vault tag_value=cluster1 access_key_id=${ALICLOUD_ACCESS_KEY} access_key_secret=${ALICLOUD_SECRET_KEY} addr_type=private_v4"
auto_join_scheme = "https"
leader_ca_cert_file = "/opt/vault/tls/ca.pem"
leader_tls_servername = "vault.example.internal"
}

Substitute real values for the ${...} placeholders (or have whatever renders your configuration fill them in) and protect the rendered file: it contains the access key secret.

Parameter Summary
| Parameter | Purpose |
| --- | --- |
| provider=aliyun | Uses the Aliyun go‑discover provider |
| region | ECS region name (for example cn-hangzhou) |
| tag_key / tag_value | ECS tag key and value used to filter Vault nodes |
| access_key_id / access_key_secret | Static credentials for the ECS DescribeInstances call |
| addr_type | Preferred IP type (private_v4 recommended); note that it is not among the Aliyun parameters listed above, so confirm against the provider source linked under Additional Information before relying on it |
| leader_ca_cert_file | CA certificate used to verify the Raft leader's TLS certificate |
| leader_tls_servername | Server name expected in the leader's certificate (used for the TLS SAN check) |
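Because the auto_join string is just key=value pairs, a mistake such as a misspelled key or an unfilled placeholder is not caught until Vault fails to find peers. The following is an added example (not code from this article or from go‑discover) that re‑implements the space‑separated key=value parsing in simplified form, checks the result against the Aliyun parameters listed above, and flags credentials that are empty or still look like ${...} placeholders so you notice if nothing substituted them. The parameter sets and the "unexpanded placeholder" heuristic are assumptions made for this check.

```python
"""Parse and sanity-check a Vault auto_join string for the Aliyun provider.

Added example, not code from the article or from go-discover. The parsing is a
simplified re-implementation of go-discover's key=value handling (assumption:
the real parser also handles single quotes and escapes; shlex covers the
common double-quoted case here).
"""
import shlex

# Parameters the article lists for the Aliyun provider, plus "provider" itself.
ALIYUN_KEYS = {"provider", "region", "tag_key", "tag_value",
               "access_key_id", "access_key_secret"}
# Keys without which tag-based discovery cannot do anything useful.
REQUIRED_KEYS = {"provider", "region", "tag_key", "tag_value"}
# Static credentials the article's configuration passes inline.
SECRET_KEYS = {"access_key_id", "access_key_secret"}


def parse_auto_join(s):
    """Split 'k=v k=v ...' into a dict; quoted values are handled by shlex."""
    cfg = {}
    for token in shlex.split(s):
        if "=" not in token:
            raise ValueError(f"token without '=': {token!r}")
        key, value = token.split("=", 1)
        if key in cfg:
            raise ValueError(f"duplicate key: {key}")
        cfg[key] = value
    return cfg


def check_aliyun_auto_join(s):
    """Return a list of problems; an empty list means the string looks sane."""
    cfg = parse_auto_join(s)
    problems = []
    if cfg.get("provider") != "aliyun":
        problems.append("provider is not 'aliyun'")
    for key in sorted(REQUIRED_KEYS - cfg.keys()):
        problems.append(f"missing required key: {key}")
    for key in sorted(cfg.keys() - ALIYUN_KEYS):
        problems.append(f"not a documented Aliyun parameter: {key}")
    for key in sorted(SECRET_KEYS):
        value = cfg.get(key, "")
        # Heuristic: a value that still starts with "${" was never substituted.
        if not value or value.startswith("${"):
            problems.append(f"{key} is empty or an unexpanded placeholder: {value!r}")
    return problems


def redact(cfg):
    """Copy of a parsed config that is safe to log: secrets masked, not dropped."""
    return {k: ("<redacted>" if k in SECRET_KEYS else v) for k, v in cfg.items()}


if __name__ == "__main__":
    # Hypothetical credential values; the tags mirror the article's example.
    sample = ("provider=aliyun region=cn-hangzhou tag_key=vault tag_value=cluster1 "
              "access_key_id=LTAI5tExample access_key_secret=ExampleSecret")
    print(redact(parse_auto_join(sample)))
    print(check_aliyun_auto_join(sample) or "no problems found")
```

Running check_aliyun_auto_join against the configuration string shown above reports addr_type as undocumented and both credentials as unexpanded placeholders, which is exactly what you want to see before the file reaches a server.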
Important Note on Credentials
The fields access_key_id and access_key_secret are used only for ECS API calls required for instance discovery.
They are not used for:
- Alibaba Cloud KMS
- Auto‑unseal
- Vault master key operations
- Token creation
The only required RAM permission is:
ecs:DescribeInstances
HashiCorp recommends creating a dedicated RAM user/role limited to this permission.
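To make the "dedicated user/role limited to this permission" advice concrete, here is an added example (not code from this article or from Alibaba Cloud) that produces the minimal RAM policy document for the auto‑join credential and checks an existing policy for grants beyond ecs:DescribeInstances. The policy document format ("Version": "1", Statement with Effect/Action/Resource) is the RAM format; the wildcard handling and the decision to treat any pattern other than the literal action as over‑broad are this example's own assumptions.

```python
"""Least-privilege check for the RAM policy behind the auto-join credential.

Added example, not code from the article or from Alibaba Cloud. The only
permission the article requires is ecs:DescribeInstances, so any Allow
statement granting anything else (including wildcards such as 'ecs:*' that
happen to cover it) is reported as excess.
"""
import fnmatch
import json

REQUIRED_ACTIONS = {"ecs:DescribeInstances"}


def minimal_autojoin_policy():
    """Minimal RAM policy document for the dedicated auto-join user or role."""
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(REQUIRED_ACTIONS), "Resource": "*"}
        ],
    }


def policy_json():
    """The minimal policy as the JSON you would paste into the RAM console."""
    return json.dumps(minimal_autojoin_policy(), indent=2)


def _as_list(value):
    # RAM accepts Action as a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _allow_actions(policy):
    return [a for s in policy.get("Statement", []) if s.get("Effect") == "Allow"
            for a in _as_list(s.get("Action", []))]


def excess_grants(policy, required=REQUIRED_ACTIONS):
    """Allow patterns that grant more than `required`.

    Only a literal required action is accepted. Wildcard patterns ('*',
    'ecs:*', 'ecs:Describe*') match the required action but also others,
    so they are reported as excess rather than silently accepted.
    """
    return [a for a in _allow_actions(policy) if a not in required]


def missing_grants(policy, required=REQUIRED_ACTIONS):
    """Required actions not matched by any Allow pattern (wildcards honoured).

    Assumption: RAM action patterns use only '*' as a wildcard and match
    case-sensitively; fnmatchcase implements that.
    """
    allowed = _allow_actions(policy)
    return sorted(r for r in required
                  if not any(fnmatch.fnmatchcase(r, a) for a in allowed))


if __name__ == "__main__":
    print(policy_json())
    # Constructed over-broad policy to show what the checker flags.
    broad = {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": "ecs:*", "Resource": "*"}]}
    print("excess:", excess_grants(broad), "missing:", missing_grants(broad))
```

The checker is deliberately strict: a policy that grants ecs:* does let discovery work, but it also lets a leaked auto‑join key start, stop and describe everything in the account, which is the exposure the dedicated-credential recommendation is meant to avoid.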
Configuring ECS Tags
To allow nodes to discover peers, ensure ECS instances share consistent tags.
Example:
- Key: vault
- Value: cluster1
Vault will use these tags to discover peer nodes during startup.
Verification
After starting Vault, check Raft cluster membership:
vault operator raft list-peers
You should see each node as a voter or non‑voter.
You may also inspect system logs:
journalctl -u vault -xe
Look for messages indicating Aliyun provider initialization and ECS discovery events.
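Eyeballing list-peers output works for one cluster; for a fleet you want the check scripted. The following is an added example (not code from this article or from Vault) that reads the JSON form of `vault operator raft list-peers -format=json`, verifies that exactly the expected nodes are present, that there is exactly one leader, and that the voter count is odd. The JSON shape assumed here (data.config.servers[] entries with node_id, address, leader and voter) is what the CLI's JSON output looks like in my experience; the sample embedded below is constructed, with hypothetical node IDs and addresses, not captured from a real cluster.

```python
"""Check Raft membership from `vault operator raft list-peers -format=json`.

Added example, not part of the article. Assumes the CLI's JSON output carries
the peer list at data.config.servers with node_id/address/leader/voter fields.
"""
import json
import subprocess

# Constructed sample for a three-node cluster (hypothetical IDs and addresses).
SAMPLE_LIST_PEERS = json.dumps({
    "request_id": "00000000-0000-0000-0000-000000000000",
    "data": {
        "config": {
            "index": 42,
            "servers": [
                {"address": "10.0.1.11:8201", "leader": True,
                 "node_id": "vault-1", "protocol_version": "3", "voter": True},
                {"address": "10.0.1.12:8201", "leader": False,
                 "node_id": "vault-2", "protocol_version": "3", "voter": True},
                {"address": "10.0.1.13:8201", "leader": False,
                 "node_id": "vault-3", "protocol_version": "3", "voter": True},
            ],
        }
    },
})


def parse_peers(output):
    """Return the list of server dicts from the CLI's JSON output."""
    return json.loads(output)["data"]["config"]["servers"]


def quorum_size(output):
    """Votes needed for a Raft majority given the current voter count."""
    voters = sum(1 for s in parse_peers(output) if s.get("voter"))
    return voters // 2 + 1


def check_cluster(output, expected_nodes):
    """Return a list of findings; an empty list means membership matches."""
    servers = parse_peers(output)
    findings = []
    seen = {s["node_id"] for s in servers}
    expected = set(expected_nodes)
    for node in sorted(expected - seen):
        findings.append(f"expected node missing from Raft: {node}")
    for node in sorted(seen - expected):
        findings.append(f"unexpected node in Raft: {node}")
    leaders = [s["node_id"] for s in servers if s.get("leader")]
    if len(leaders) != 1:
        findings.append(f"expected exactly one leader, found {len(leaders)}: {leaders}")
    voters = sum(1 for s in servers if s.get("voter"))
    if voters % 2 == 0:
        # An even count buys no extra fault tolerance over one fewer voter.
        findings.append(f"even voter count ({voters}); prefer an odd number")
    return findings


def list_peers_live():
    """Run the real CLI; requires a Vault address and token in the environment."""
    return subprocess.run(
        ["vault", "operator", "raft", "list-peers", "-format=json"],
        capture_output=True, text=True, check=True,
    ).stdout


if __name__ == "__main__":
    expected = ["vault-1", "vault-2", "vault-3"]  # hypothetical node IDs
    print("quorum:", quorum_size(SAMPLE_LIST_PEERS))
    print(check_cluster(SAMPLE_LIST_PEERS, expected) or "cluster membership OK")
```

Swap SAMPLE_LIST_PEERS for list_peers_live() once the CLI has a VAULT_ADDR and token; the node IDs to expect are whatever you set as node_id in each server's storage stanza.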
Additional Information
go‑discover Aliyun provider source:
https://github.com/hashicorp/go-discover/blob/8b3ddf4/provider/aliyun/aliyun_discover.go#L21-L34
go‑discover Azure provider (comparison reference):
https://github.com/hashicorp/go-discover/blob/8b3ddf4/provider/azure/azure_discover.go#L24-L62
Vault Raft Auto‑Join documentation:
https://developer.hashicorp.com/vault/docs/configuration/storage/raft#auto_join
go‑discover project:
https://github.com/hashicorp/go-discover
Vault AliCloud KMS seal documentation:
https://developer.hashicorp.com/vault/docs/configuration/seal/alicloudkms