Can't use AWS auto-join in me-central-1 region since v1.20.0 #31372

@jimrosenfeld

Description

Describe the bug
Vault clusters configured to use AWS auto-join fail in me-central-1 because they are unable to connect to the AWS API. See hashicorp/go-discover#293 for the underlying issue - essentially, go-discover now uses the AWS dualstack API, and there is no dualstack EC2 API in me-central-1.

To Reproduce
Steps to reproduce the behavior:

  1. Configure a vault cluster to use AWS auto-join in me-central-1 region.
  2. On start, error observed:
2025-07-22T19:58:04.559Z [ERROR] core: error in retry_join stanza, will not use it for raft join: error="failed to parse addresses from auto-join metadata: discover-aws: DescribeInstancesInput failed: operation error EC2: DescribeInstances, https response error StatusCode: 0, RequestID: , request send failed, Post \"https://ec2.me-central-1.api.aws/\": dial tcp: lookup ec2.me-central-1.api.aws on 10.215.32.2:53: no such host" leader_api_addr="" auto_join=true

ec2.me-central-1.api.aws cannot be resolved.
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.amzn2.13.11 <<>> ec2.me-central-1.api.aws
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33110
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ec2.me-central-1.api.aws.      IN      A

;; AUTHORITY SECTION:
me-central-1.api.aws.   900     IN      SOA     ns-1036.awsdns-01.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; Query time: 3 msec
;; SERVER: 10.215.32.2#53(10.215.32.2)
;; WHEN: Thu Jul 24 22:03:53 UTC 2025
;; MSG SIZE  rcvd: 138

Expected behavior
Vault cluster should be able to use AWS API for auto-join discovery.

Environment:

  • Vault Server Version (retrieve with vault status): 1.20.0
  • Vault CLI Version (retrieve with vault version): 1.20.0
  • Server Operating System/Architecture: Amazon Linux 2 x86_64

Vault server configuration file(s):

storage "raft" {
...
  retry_join {
    auto_join = "provider=aws addr_type=private_v4 region=me-central-1 tag_key=[key] tag_value=[value]"
...
  }
...

Additional context
None.
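A preflight check for the failure shape described in this issue, added here as an example; it is not code from Vault, go-discover or the issue author. It pulls the region out of an auto_join string, derives the legacy EC2 endpoint (ec2.<region>.amazonaws.com) and the dualstack one seen in the error (ec2.<region>.api.aws), resolves both, and distinguishes an NXDOMAIN on the dualstack name (the endpoint does not exist in that region) from a transient lookup failure (inconclusive). The auto_join parser is a simplification of go-discover's key=value format (it splits on whitespace, so quoted values with spaces are not handled), and the resolver is injectable so the check can run offline in a test; everything else uses only the Go standard library.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"strings"
)

// Status is the outcome of resolving one EC2 endpoint hostname.
type Status int

const (
	StatusResolves Status = iota // hostname has at least one address
	StatusNotFound               // NXDOMAIN: the endpoint does not exist in this region
	StatusError                  // any other failure (timeout, SERVFAIL): inconclusive
)

func (s Status) String() string {
	return [...]string{"resolves", "NXDOMAIN", "error"}[s]
}

// Resolver abstracts DNS so the check can be exercised offline in a test.
type Resolver func(host string) ([]string, error)

// ParseAutoJoin extracts key=value pairs from a go-discover style auto_join
// string such as "provider=aws region=me-central-1 tag_key=x tag_value=y".
// Simplification (assumption): tokens are split on whitespace, so quoted
// values that contain spaces are not supported here.
func ParseAutoJoin(s string) (map[string]string, error) {
	args := map[string]string{}
	for _, tok := range strings.Fields(s) {
		k, v, ok := strings.Cut(tok, "=")
		if !ok || k == "" {
			return nil, fmt.Errorf("malformed auto_join token %q", tok)
		}
		args[k] = strings.Trim(v, `"`)
	}
	if args["provider"] != "aws" {
		return nil, fmt.Errorf("provider %q is not aws", args["provider"])
	}
	if args["region"] == "" {
		return nil, errors.New("auto_join string has no region")
	}
	return args, nil
}

// EC2Endpoints returns the legacy and dualstack EC2 API hostnames for a region.
// The dualstack form is the one in the Vault error above (ec2.<region>.api.aws).
func EC2Endpoints(region string) (legacy, dualstack string) {
	return "ec2." + region + ".amazonaws.com", "ec2." + region + ".api.aws"
}

// classify resolves one host and maps the result to a Status plus detail text.
func classify(lookup Resolver, host string) (Status, string) {
	addrs, err := lookup(host)
	if err == nil {
		if len(addrs) == 0 {
			return StatusError, "lookup returned no addresses"
		}
		return StatusResolves, strings.Join(addrs, ",")
	}
	var dnsErr *net.DNSError
	if errors.As(err, &dnsErr) && dnsErr.IsNotFound {
		return StatusNotFound, err.Error()
	}
	return StatusError, err.Error()
}

// Report is the result of checking both endpoint forms for one region.
type Report struct {
	Region                   string
	LegacyHost, DualHost     string
	Legacy, Dual             Status
	LegacyDetail, DualDetail string
}

// DualstackUnavailable is true when the legacy endpoint exists but the
// dualstack one is NXDOMAIN: the exact shape of the me-central-1 failure.
func (r Report) DualstackUnavailable() bool {
	return r.Legacy == StatusResolves && r.Dual == StatusNotFound
}

// CheckRegion resolves both EC2 endpoint forms for region with lookup.
func CheckRegion(region string, lookup Resolver) Report {
	r := Report{Region: region}
	r.LegacyHost, r.DualHost = EC2Endpoints(region)
	r.Legacy, r.LegacyDetail = classify(lookup, r.LegacyHost)
	r.Dual, r.DualDetail = classify(lookup, r.DualHost)
	return r
}

func main() {
	// Default input is the auto_join string from this issue; override with argv[1].
	autoJoin := "provider=aws addr_type=private_v4 region=me-central-1 tag_key=[key] tag_value=[value]"
	if len(os.Args) > 1 {
		autoJoin = os.Args[1]
	}
	args, err := ParseAutoJoin(autoJoin)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	}
	rep := CheckRegion(args["region"], net.LookupHost) // real DNS from this host
	fmt.Printf("%-40s %s (%s)\n", rep.LegacyHost, rep.Legacy, rep.LegacyDetail)
	fmt.Printf("%-40s %s (%s)\n", rep.DualHost, rep.Dual, rep.DualDetail)
	if rep.DualstackUnavailable() {
		fmt.Println("no dualstack EC2 endpoint in", rep.Region, "- auto-join via the dualstack API will fail here")
		os.Exit(1)
	}
}
```

Run it on the Vault host itself (`go run check.go 'provider=aws region=me-central-1 ...'`) rather than from a laptop, since the resolver that matters is the one the Vault process uses (10.215.32.2 in the dig output above); an exit status of 1 means the legacy endpoint resolves but the dualstack one does not, which is the condition that breaks auto-join in this issue, while a transient DNS error is reported separately so it is not mistaken for a missing endpoint.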

Labels: bug, storage/raft