Hi,
I use a single AWS KMS key stored in the us-east-1 region for all clusters that I run in different US regions.
This worked well until I recently migrated from Vault 1.14.0 to 1.15.1. Now I'm getting the error below:
```
error parsing Seal configuration: error fetching AWS KMS wrapping key information:
NotFoundException: Alias arn:aws:kms:us-west-2:<account_id>:alias/vault-us is not found.
```
My seal section under vault configmap file (for both healthy and affected clusters):
```hcl
seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "alias/vault-us"
}
```
I tried to test with a totally incorrect seal configuration (using EU regions) for the healthy cluster and it still works:
```hcl
seal "awskms" {
  region     = "eu-central-1"
  kms_key_id = "alias/vault-us"
}
```
The Vault statefulset has AWS_REGION set to us-west-2.
Expected behavior:
- The seal process should search for an alias using the region set in the seal section of the configmap file. It should look for a KMS key like:
arn:aws:kms:us-east-1:<account_id>:alias/vault-us
Current behavior:
- Despite the seal configuration, Vault is looking for a key in the default region for this cluster:
```
error parsing Seal configuration: error fetching AWS KMS wrapping key information:
NotFoundException: Alias arn:aws:kms:us-west-2:<account_id>:alias/vault-us is not found.
```
I suspect that the default region overwrites the region value set in the configmap.
Could you please advise whether this is an issue, or are there any other settings that might help me?
Thank you
hagaimaya
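
A pre-upgrade check for the situation reported above, added here as an example (it is not code from the issue or from Vault): it reads the `seal "awskms"` stanza and the pod environment and reports every region variable that disagrees with the stanza, along with the alias ARN a lookup in that region would ask for. The function names are hypothetical, the sample input is constructed from the report, and the check makes no claim about which source Vault itself prefers.

```python
import re

# Constructed sample mirroring the report: stanza from the configmap,
# environment from the StatefulSet.
SAMPLE_CONFIG = '''
seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "alias/vault-us"
}
'''
SAMPLE_ENV = {"AWS_REGION": "us-west-2"}

SEAL_RE = re.compile(r'seal\s+"awskms"\s*\{(.*?)\}', re.S)
PAIR_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.M)

def parse_awskms_seal(config_text):
    """Return the key/value pairs of the first seal "awskms" stanza, or None."""
    m = SEAL_RE.search(config_text)
    return dict(PAIR_RE.findall(m.group(1))) if m else None

def key_arn(region, key_id, account_id="<account_id>"):
    """ARN that a lookup of key_id in `region` refers to (account id is a placeholder)."""
    if key_id.startswith("arn:"):
        return key_id  # a full ARN already pins its own region
    resource = key_id if key_id.startswith("alias/") else f"key/{key_id}"
    return f"arn:aws:kms:{region}:{account_id}:{resource}"

def check_seal_region(config_text, env):
    """Flag AWS region variables in the environment that differ from the stanza."""
    seal = parse_awskms_seal(config_text)
    if seal is None:
        return {"status": "no-awskms-seal", "expected": None, "conflicts": []}
    cfg_region, key_id = seal.get("region"), seal.get("kms_key_id", "")
    conflicts = []
    for var in ("AWS_REGION", "AWS_DEFAULT_REGION"):
        env_region = env.get(var)
        if cfg_region and env_region and env_region != cfg_region:
            conflicts.append((var, env_region, key_arn(env_region, key_id)))
    return {
        "status": "conflict" if conflicts else "ok",
        "expected": key_arn(cfg_region, key_id) if cfg_region else None,
        "conflicts": conflicts,
    }

if __name__ == "__main__":
    result = check_seal_region(SAMPLE_CONFIG, SAMPLE_ENV)
    print(result["status"], "- configured:", result["expected"])
    for var, region, arn in result["conflicts"]:
        print(f"  {var}={region} would look up {arn}")
```

Run it against each cluster's rendered configmap and StatefulSet environment before upgrading; any `conflict` result marks a cluster where the two region sources can send the alias lookup to different places.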