Vault: Error initializing Vault with DynamoDB

Created on 20 Oct 2017 · 4 Comments · Source: hashicorp/vault

Hello everyone,

We are going to launch Vault in AWS with the DynamoDB storage backend and so far couldn't initialize Vault with it.

Vault starts properly with this simplified config:

/etc/vault.conf

storage "dynamodb" {
  region     = "us-east-1"
  table      = "vault-data-test-1"
  access_key = "<ACCESS_KEY>"
  secret_key = "<SECRET_KEY>"
  advertise_addr = "http://127.0.0.1:8200"
}
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 1
}

And upon initialization attempt

vault init -address=http://127.0.0.1:8200

getting this response:

Error initializing Vault: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/sys/init
Code: 400. Errors:
* failed to check for initialization: ValidationException: The provided key element does not match the schema
        status code: 400, request id: 4J1N5NM59NUQ5CDNJONS7D01E3VV4KQNSO5AEMVJF66Q9ASUAAJG

Running Vault v0.8.0 on Ubuntu 16.04.3 LTS.
The DynamoDB table was created with default settings, named vault-data-test-1, with a primary key called PrimaryKey.

Expected Behavior:
Vault should be initialized and begin using DynamoDB.

It feels like it might require some special key to exist, but neither the documentation nor the original PR mentions that.

All 4 comments

Kudos to @acelaya for his explanation!
For anyone who might experience the same issue, here is a solution: Vault would automatically create DynamoDB table upon initiation, there is no need to create it in advance manually.

I ran into the same issue before. Maybe highlighting this in the documentation would be nice.

Table: Specifies the name of the DynamoDB table in which to store Vault data. If the specified table does not yet exist, it will be created during initialization.

I don't see any explanation available. It doesn't seem like Vault has the embedded code or permissions to deploy its own DynamoDB table, for which a partition key is required.

IMHO, at least for the AWS use case, Vault shouldn't assume it will run under a role that is allowed to perform "dynamodb:CreateTable".

In my scenario, Vault is only allowed to perform operations on its designated table, but not any other administrative operation in DynamoDB itself.
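Following the least-privilege point raised in the last comment, here is an added example (not from the thread and not Vault's own code) that checks a pre-created table against the key schema Vault's DynamoDB backend uses, so an administrator can create the table and Vault itself can run without dynamodb:CreateTable. The table name and throughput values are placeholders, and the sample DescribeTable output is constructed from the reporter's description.

```python
"""Key-schema check for a DynamoDB table meant as Vault storage (added example,
not Vault's code). Vault's backend keys records on partition key "Path" and
sort key "Key" (both strings); pre-creating the table with that schema lets
Vault run without dynamodb:CreateTable."""
from typing import Dict, List

VAULT_KEY_SCHEMA = [
    {"AttributeName": "Path", "KeyType": "HASH"},
    {"AttributeName": "Key", "KeyType": "RANGE"},
]
VAULT_ATTRIBUTE_DEFINITIONS = [
    {"AttributeName": "Path", "AttributeType": "S"},
    {"AttributeName": "Key", "AttributeType": "S"},
]


def create_table_request(table_name: str) -> Dict:
    """Arguments for boto3 dynamodb.create_table(**...) that yield a
    Vault-compatible table; throughput values are illustrative."""
    return {
        "TableName": table_name,
        "KeySchema": VAULT_KEY_SCHEMA,
        "AttributeDefinitions": VAULT_ATTRIBUTE_DEFINITIONS,
        "ProvisionedThroughput": {"ReadCapacityUnits": 5, "WriteCapacityUnits": 5},
    }


def schema_problems(table: Dict) -> List[str]:
    """Compare a DescribeTable 'Table' dict (or create_table arguments) with
    Vault's schema. Empty list means Vault can use the table as-is."""
    actual = {k["KeyType"]: k["AttributeName"] for k in table.get("KeySchema", [])}
    types = {a["AttributeName"]: a["AttributeType"]
             for a in table.get("AttributeDefinitions", [])}
    problems = []
    for want in VAULT_KEY_SCHEMA:
        name, kind = want["AttributeName"], want["KeyType"]
        if actual.get(kind) != name:
            problems.append(f"{kind} key is {actual.get(kind)!r}, expected {name!r}")
        elif types.get(name) != "S":
            problems.append(f"{name!r} has type {types.get(name)!r}, expected 'S'")
    return problems


# Constructed sample mirroring the reporter's table: default settings and one
# partition key named "PrimaryKey". Vault rejects such a table with the opaque
# "ValidationException: The provided key element does not match the schema".
REPORTER_TABLE = {
    "KeySchema": [{"AttributeName": "PrimaryKey", "KeyType": "HASH"}],
    "AttributeDefinitions": [{"AttributeName": "PrimaryKey", "AttributeType": "S"}],
}
```

Running `schema_problems` on the `Table` element of a real `describe_table` response before pointing Vault at the table turns the opaque ValidationException into a concrete list of schema mismatches.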
