Describe the bug
When I try to use the rekey operator and give the flags -key-shares=5 -key-threshold=3, the screen always shows New Shares and New Threshold as 1, and after I give it the unseal key, the screen doesn't show the new key.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The key-shares and key-threshold will be the same as I input, and the screen will show the new key, just like the documentation: https://www.vaultproject.io/guides/operations/rekeying-and-rotating
Environment:
(vault status):
(vault version):
Vault server configuration file(s):
{
  "listener": {
    "tcp": {
      "address": "0.0.0.0:8200",
      "tls_disable": 1
    }
  },
  "seal": {
    "awskms": {
      "kms_key_id": "XXXXXXXXXXXXX",
      "region": "ap-southeast-1"
    }
  },
  "storage": {
    "s3": {
      "bucket": "my-bucket",
      "region": "ap-southeast-1"
    }
  },
  "ui": true
}
Thanks for the help.
Hi @terrych0u,
I can see from your configuration that you use auto-unseal which, when enabled, internally transforms your key-shares to recovery keys. When you add the "-target=recovery" (https://www.vaultproject.io/docs/commands/operator/rekey.html#target) parameter to your rekey operation then it should work.
However, I agree that our documentation does not reflect that very well and is also partially outdated. I will try to fix that. Thanks for reporting this issue!
Cheers,
Michel
Hi @michelvocks
The flag -target=recovery did solve key-shares and key-threshold number issue, however, the new unseal key still doesn't show up on the screen: https://d.pr/free/i/DXLUMS
Is there something I'm missing?
Thanks for the help.
Hi @terrych0u,
you also have to specify the -target=recovery parameter for the vault operator rekey -nonce... commands. I guess you still had a rekey operation active since the nonce is different compared to the one you have provided.
Cheers,
Michel
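The full procedure Michel describes, with -target=recovery on both the -init call and every -nonce submission, as an added shell wrapper (not part of this thread or of Vault itself). It assumes the vault CLI's -format=json output carries a "nonce" field, and VAULT_BIN=echo turns the commands into a dry run.

```shell
#!/bin/sh
# Rekey a Vault cluster that uses an auto-unseal seal (awskms in the config above).
# With auto-unseal the rekey acts on *recovery* keys, so every invocation, the
# -init and each share submission, needs -target=recovery; omitting it on the
# -nonce calls is exactly why the new keys never appeared in the report above.
set -e
VAULT_BIN="${VAULT_BIN:-vault}"   # set VAULT_BIN=echo to dry-run the commands

# Start the rekey for $1 shares / $2 threshold; prints the JSON status that
# carries the operation nonce (assumes -format=json is available, as on
# other Vault commands).
rekey_init() {
  "$VAULT_BIN" operator rekey -target=recovery -init \
    -key-shares="$1" -key-threshold="$2" -format=json
}

# Pull the "nonce" value out of the JSON status on stdin (no jq dependency).
extract_nonce() {
  sed -n 's/.*"nonce": *"\([^"]*\)".*/\1/p' | head -n 1
}

# Submit one recovery key share ($2) against the active operation nonce ($1).
rekey_submit() {
  "$VAULT_BIN" operator rekey -target=recovery -nonce="$1" "$2"
}

# Drive the whole operation: current recovery key shares on stdin, one per line.
# Vault prints the new recovery keys once the threshold of shares is reached.
rekey_with_shares() {
  nonce=$(rekey_init "$1" "$2" | extract_nonce)
  while IFS= read -r share; do
    [ -n "$share" ] || continue
    rekey_submit "$nonce" "$share"
  done
}
```

Run it as `printf '%s\n' "$SHARE1" "$SHARE2" "$SHARE3" | ./rekey.sh` after adding a call such as `rekey_with_shares 5 3` at the bottom, with VAULT_ADDR and a token with the rekey capability in the environment.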
Hi @michelvocks
Thanks, it works. Much appreciated.
@albertoal @michelvocks I ran into this as well by following: https://learn.hashicorp.com/vault/operations/ops-rekeying-and-rotating
adding -target=recovery fixed it.
So I think the link above should be updated with the info as well (at least it should be mentioned)
Hey @tomasbackman, thanks for the note and good catch. Looks like the above learning guide was missed when I submitted a PR to enrich the docs. Looks like learning guides are also an open source resource hosted in GitHub (looks like that page is here), so I encourage you to open a PR since you have this fresh on your mind. Otherwise I'm happy to take a look, but feel free to take a stab at it if you have the time!
Cheers
Alberto