Introduction:
In some cases, operators need to remove the trial license before moving forward with the enterprise setup. Using the traditional delete methods, such as "vault delete sys/license" or a curl DELETE against the API, results in the output "* unsupported operation".
The gist of this KB is to start Vault in recovery mode, generate and use a recovery-mode token to delete the license entry from sys/raw/core, then restart Vault normally.
Assumption:
- The Vault binary is a Vault Enterprise binary, version prior to 1.8.0
- A Vault trial license was written into Vault
- Vault is running healthy
Expected Outcome: Vault in recovery mode is able to remove the Vault trial license.
Procedure:
- First of all, start Vault in recovery mode with config.hcl:
vault server -recovery -config=config.hcl
==> Vault server configuration:
Seal Type: shamir
Cluster Address: https://127.0.0.1:8201
Go Version: go1.15.13
Log Level: info
Recovery Mode: true
Storage: raft
Version: Vault v1.7.3+ent
Version Sha: 38b0180a77893a6551e0c9d4485f1fb8725734bc
- Open a new terminal and export VAULT_ADDR:
export VAULT_ADDR="http://127.0.0.1:8200"
- Next, generate a temporary one-time password (OTP):
vault operator generate-root -generate-otp -recovery-token
uTuFle5gRSqKPxnPkhXAqcKlyF
- Next, start the generation of the recovery token with the OTP:
vault operator generate-root -init \
-otp=uTuFle5gRSqKPxnPkhXAqcKlyF -recovery-token
Output:
Nonce 6ea30625-98a4-c36e-8d70-d08c3e96aed8
Started true
Progress 0/3
Complete false
OTP Length 26
- Next, create an encoded token: enter a Vault unseal key, and repeat this step as many times as your unseal configuration requires. In this example, the operator needs to supply 3 unseal keys.
vault operator generate-root -recovery-token
Operation nonce: 6ea30625-98a4-c36e-8d70-d08c3e96aed8
Unseal Key (will be hidden):
- After the required unseal keys have been supplied, the output includes the Encoded Token:
vault operator generate-root -recovery-token
Operation nonce: 6ea30625-98a4-c36e-8d70-d08c3e96aed8
Unseal Key (will be hidden):
Nonce 6ea30625-98a4-c36e-8d70-d08c3e96aed8
Started true
Progress 3/3
Complete true
Encoded Token B3o4AT8xRAsZNgcENQhePVgjbhc3Gh5bSDQ
- At last, create a recovery token by decoding the encoded token and adding the OTP:
vault operator generate-root \
-decode=B3o4AT8xRAsZNgcENQhePVgjbhc3Gh5bSDQ \
-otp=uTuFle5gRSqKPxnPkhXAqcKlyF \
-recovery-token
Output, the recovery token:
r.MGSTqlKevOep0m3K6VFyU71r
- Use the recovery token to delete the Vault license from sys/raw/core/license:
VAULT_TOKEN=r.MGSTqlKevOep0m3K6VFyU71r vault delete sys/raw/core/license
Output:
Success! Data deleted (if it existed) at: sys/raw/core/license
- Exit from recovery mode, restart Vault normally, log in to Vault, and verify the license status:
vault read sys/license/status
Output, the trial license is successfully removed:
No value found at sys/license/status
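The procedure above, wrapped into one POSIX shell script as an added example (not part of the original KB). It assumes VAULT_ADDR points at a Vault started with -recovery, that the unseal keys are passed as script arguments, and that "vault operator generate-root" prints the same table layout shown above; the parsing helpers are exercised against a constructed sample of that layout so they can be checked without a running Vault.

```shell
#!/bin/sh
# Added example (not from the KB): drives the recovery-token flow above.
# Assumes VAULT_ADDR points at a Vault started with `-recovery` and that
# `vault operator generate-root` prints the same table layout shown above.
set -eu

# Extract the value of one table row, e.g. field "Encoded Token" "$out".
# The key must be followed by a single value, so "OTP" never matches "OTP Length".
field() {
  printf '%s\n' "$2" | awk -v k="$1" '
    { sub(/[ \t\r]+$/, "") }
    $0 ~ ("^" k "[ ]+[^ ]+$") { sub("^" k "[ ]+", ""); print; exit }'
}

# True once the unseal-key threshold has been reached (row "Complete true").
quorum_reached() { [ "$(field Complete "$1")" = "true" ]; }

# Full flow: OTP -> init -> unseal keys -> decode -> delete license entry.
# Unseal keys are passed as arguments; only the threshold is consumed.
recover_license() {
  otp=$(vault operator generate-root -generate-otp -recovery-token)
  vault operator generate-root -init -otp="$otp" -recovery-token >/dev/null
  out=""
  for key in "$@"; do
    # '-' tells generate-root to read the unseal key from stdin.
    out=$(printf '%s\n' "$key" | vault operator generate-root -recovery-token -)
    quorum_reached "$out" && break
  done
  quorum_reached "$out" || { echo "unseal threshold not reached" >&2; return 1; }
  encoded=$(field "Encoded Token" "$out")
  token=$(vault operator generate-root -decode="$encoded" -otp="$otp" -recovery-token)
  VAULT_TOKEN="$token" vault delete sys/raw/core/license
}

# Constructed sample in the layout of the KB's final output, for checking field().
SAMPLE='Nonce 6ea30625-98a4-c36e-8d70-d08c3e96aed8
Started true
Progress 3/3
Complete true
Encoded Token B3o4AT8xRAsZNgcENQhePVgjbhc3Gh5bSDQ'

# Run the live flow only when asked: RUN_RECOVERY=1 sh recover.sh KEY1 KEY2 KEY3
if [ "${RUN_RECOVERY:-0}" = "1" ]; then
  recover_license "$@"
fi
```

After the delete succeeds, stop the recovery-mode server and start Vault normally before running "vault read sys/license/status".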