Vault: Vault not initializing

Created on 23 Jan 2019 · 4 comments · Source: hashicorp/vault

Vault is not initialized; it throws the error `core: security barrier not initialized`.

Here's my config file:

```json
{
  "listener": [
    {
      "tcp": {
        "address": "0.0.0.0:8200",
        "tls_disable": 1
      }
    }
  ],
  "api_addr": "http://ipaddress:8200",
  "storage": {
    "gcs": {
      "bucket": "test-vault",
      "ha_enabled": "true"
    }
  },
  "seal": {
    "gcpckms": {
      "credentials": "credentials.json",
      "project": "testing-vault",
      "region": "global",
      "key_ring": "vault",
      "crypto_key": "vault-demo"
    }
  },
  "disable_mlock": "true",
  "ui": "true",
  "bindings": [
    {
      "role": "roles/storage.objectAdmin",
      "members": [
        "serviceAccount:[email protected]"
      ]
    }
  ]
}
```

I'm trying to start the server with the above config file:

```
vault server -config=/etc/vault/config.json
==> Vault server configuration:

  GCP KMS Crypto Key: vault-demo
    GCP KMS Key Ring: vault
     GCP KMS Project: testing-vault
      GCP KMS Region: global
           Seal Type: gcpckms
         Api Address: http://ipaddr:8200
                 Cgo: disabled
     Cluster Address: https://ipaddr:8201
          Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
           Log Level: (not set)
               Mlock: supported: true, enabled: false
             Storage: gcs (HA available)
             Version: Vault v1.0.2
         Version Sha: 37a1dc9c477c1c68c022d2084550f25bf20cac33

==> Vault server started! Log data will stream in below:

2019-01-23T18:32:58.428Z [INFO] core: stored unseal keys supported, attempting fetch
2019-01-23T18:32:58.499Z [WARN] core: stored unseal key(s) supported but none found
2019-01-23T18:35:24.756Z [INFO] core: autoseal: seal configuration missing, but cannot check old path as core is sealed: seal_type=recovery
2019-01-23T18:36:50.387Z [WARN] core: stored keys supported on init, forcing shares/threshold to 1
2019-01-23T18:36:50.512Z [INFO] core: security barrier not initialized
2019-01-23T18:36:50.658Z [ERROR] core: failed to initialize barrier: error="failed to persist keyring: 1 error occurred:
* error closing connection: googleapi: Error 403: Insufficient Permission, insufficientPermissions
```

Following are the errors when initializing:

1. `vault operator init`

```
Error initializing: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/sys/init
Code: 400. Errors:

  • failed to initialize barrier: failed to persist keyring: 1 error occurred:

    • error closing connection: googleapi: Error 403: Insufficient Permission, insufficientPermissions
```

2. Tried with API calls

a) `curl PUT http://127.0.0.1:8200/v1/sys/init`

```
curl: (6) Could not resolve host: PUT
{"initialized":false}
```

b) `curl POST http://127.0.0.1:8200/v1/sys/init`

```
curl: (6) Could not resolve host: POST
{"initialized":false}
```

All 4 comments

Sounds like you don't have proper permissions to write to GCS, take a look at https://www.vaultproject.io/docs/configuration/storage/google-cloud-storage.html#gcs-setup and make sure you've setup your service account correctly.

The service account has these permissions: Cloud KMS Admin and Storage Object Admin. Would that suffice, or do I need to add any other permissions?

Did you figure it out? I'm having the same issue.

You've most likely solved this by now, but I came across this issue having had the same error, and so others might find my solution helpful.

If you're like me, you glossed over the part about the service account needing to have the scope:

https://www.googleapis.com/auth/devstorage.read_write

For those not that familiar with GCP's service-account scopes: by default, the compute instance service account will have Read Only permissions for the storage API. Changing this to Read/Write solved this issue for me.

You can update these scopes via the cloud console:

  1. visit the Compute Engine VM Instance page
  2. stop the relevant compute instance
  3. click on the instance
  4. click edit
  5. scroll to Cloud API access scopes for the named service account
  6. uncheck default and check to set the scopes manually, setting storage to Read|Write

The same can be done via the command line using either of the commands below, appending the `storage-rw` option to the `--scopes` flag:

  1. `gcloud beta compute instances set-scopes`
  2. `gcloud compute instances set-service-account`

Annoyingly, the instance will also need to be stopped to edit the scopes.
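The pre-flight check below is an added example, not Vault's own tooling and not code from anyone in this thread. It tests the condition the comment above describes: whether the OAuth access scopes granted to a GCE instance's attached service account include one that can write to GCS. Vault's `gcs` storage backend falls back to Application Default Credentials when no `credentials_file` is set, so on GCE it uses the instance's metadata token, and that token is bounded by the instance's access scopes regardless of which IAM roles (Storage Object Admin included) the service account holds; the IAM role and the scope must both allow the write, which is why a correctly bound service account still gets a 403 on init. The scope URLs and the metadata endpoint are real; `INSTANCE`, `ZONE` and the service-account address in the remediation commands are placeholders for the operator to fill in, and `DEFAULT_SCOPES` is a constructed sample modelled on the GCE "default access" scope set, not captured from a live instance.

```shell
#!/bin/sh
# Pre-flight check: can this GCE instance's default service-account token
# write to GCS? Added example, not part of Vault or of this thread.

# Scopes under which a token may write objects. cloud-platform covers all APIs.
GCS_WRITE_SCOPES="https://www.googleapis.com/auth/devstorage.read_write
https://www.googleapis.com/auth/devstorage.full_control
https://www.googleapis.com/auth/cloud-platform"

# Metadata-server path that lists the scopes of the instance's default SA.
SCOPES_URL="http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes"

# has_gcs_write_scope SCOPE_LIST
#   SCOPE_LIST is a newline-separated list of scope URLs, as the metadata
#   server returns it. Returns 0 if any listed scope permits GCS writes.
has_gcs_write_scope() {
    scopes="$1"
    for want in $GCS_WRITE_SCOPES; do
        # Whole-line match (-x) so devstorage.read_only never matches a
        # read_write prefix and stray whitespace does not fool the check.
        if printf '%s\n' "$scopes" | grep -qx "$want"; then
            return 0
        fi
    done
    return 1
}

# fetch_instance_scopes: ask the metadata server. Only works on GCE.
fetch_instance_scopes() {
    curl -sf -H 'Metadata-Flavor: Google' "$SCOPES_URL"
}

# preflight: live check with remediation hints. INSTANCE, ZONE and the
# service-account address are placeholders; the instance must be stopped
# before its scopes can be changed.
preflight() {
    scopes=$(fetch_instance_scopes) || {
        echo "metadata server unreachable: not running on GCE?" >&2
        return 2
    }
    if has_gcs_write_scope "$scopes"; then
        echo "ok: instance token carries a GCS write scope"
        return 0
    fi
    cat >&2 <<'EOF'
FAIL: no GCS write scope on the instance service account.
Vault's GCS backend will get HTTP 403 on 'vault operator init' even if the
service account holds roles/storage.objectAdmin. Remediate with:
  gcloud compute instances stop INSTANCE --zone ZONE
  gcloud compute instances set-service-account INSTANCE --zone ZONE \
      --service-account [email protected] \
      --scopes storage-rw
  gcloud compute instances start INSTANCE --zone ZONE
EOF
    return 1
}

# Constructed sample: the shape of the GCE "default access" scope set, which
# only grants read-only storage access (the situation in this issue).
DEFAULT_SCOPES='https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write
https://www.googleapis.com/auth/service.management.readonly
https://www.googleapis.com/auth/servicecontrol
https://www.googleapis.com/auth/trace.append'

if has_gcs_write_scope "$DEFAULT_SCOPES"; then
    echo "sample default scopes: write ok"
else
    echo "sample default scopes: read-only storage; Vault init would fail with 403"
fi
```

On a GCE box, run `preflight` before starting Vault; off GCE it reports the metadata server as unreachable and exits with status 2 rather than pretending the check passed. The scope check is deliberately narrower than "any devstorage scope": `devstorage.read_only` is the one the default scope set hands out, and it is exactly the one that produces the 403 in this thread.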
