Note: Using Vault replication to transition the seal type is the recommended approach instead of seal migration. Alternatively, it's best to verify the target seal stanza being migrated onto in an independent Vault instance prior to committing to performing the final migration steps in any live environment.
Introduction
This article specifically addresses the issue of missing the required permissions in an IAM policy for AWS KMS, which can cause a seal migration operation to fail.
Problem
Vault cluster nodes that have already been unsealed, changes back to a sealed state while issuing the command vault operator unseal -migrate.
Example snippet from the Vault operational logs:
error setting new recovery key information: failed to encrypt keys for storage: error encrypting data: AccessDeniedException: User: arn:aws:iam:xxxxxx:user/xxxxxx is not authorized to perform kms:Encrypt on resource: arn:aws:kms:<region>:xxxxxx:key/xxxxxx because no identity-based policy allows the kms:Encrypt action
Portion of error more specific to AWS:
AccessDeniedException: User: arn.... is not authorized to perform kms:Encrypt
Cause
As stated in the error, the reason for this error is that the key policy is missing the kms:Encrypt permission on the IAM principal that Vault uses or the KMS key policy for the KMS key.
Solution
Ensure the necessary permissions are applied to the KMS key:
- kms:Encrypt
- kms:Decrypt
- kms:DescribeKey
With the proper permissions in place, Vault will be able to successfully encrypt the master key and the seal migration should complete.
Note: There are other possible AccessDeniedExceptionerrors. If applicable, ensure the above permissions are assigned accordingly.