We use a transit node and auto-unseal for our Vault infrastructure.
We have code that initializes Vault as such:
Vault.sys.init({:recovery_shares => 5, :recovery_threshold => 3})
This has been working since implementation in the 1.11.x branch of Vault.
We recently upgraded to Vault Enterprise 1.12.1 and it seems like these options are no longer being parsed correctly. Even though we are still passing in recovery_shares as the init option, the values are no longer being parsed by the API and it thinks we are trying to use secret_shares for a transit seal????
Vault.sys.init({:recovery_shares => 5, :recovery_threshold => 3})
=> #<Vault::InitResponse:0x0000559cf1d6c138 @keys=[], @keys_base64=[], @root_token="hvs.QDivQZAOKSLpzMwRg7uhbIfO">
irb(main):032:0> Vault.sys.init({:recovery_shares => 5, :recovery_threshold => 3})
Traceback (most recent call last):
8: from /usr/bin/irb:23:in `<main>'
7: from /usr/bin/irb:23:in `load'
6: from /usr/share/gems/gems/irb-1.2.3/exe/irb:11:in `<top (required)>'
5: from (irb):32
4: from /home/rethridge/.gem/ruby/gems/vault-0.17.0/lib/vault/api/sys/init.rb:70:in `init'
3: from /home/rethridge/.gem/ruby/gems/vault-0.17.0/lib/vault/client.rb:206:in `put'
2: from /home/rethridge/.gem/ruby/gems/vault-0.17.0/lib/vault/client.rb:300:in `request'
1: from /home/rethridge/.gem/ruby/gems/vault-0.17.0/lib/vault/client.rb:411:in `error'
Vault::HTTPClientError (The Vault server at `https://si-vault-mainline-01.infra.bwi:8200' responded with a 400.)
Any additional information the server supplied is shown below:
* parameters secret_shares,secret_threshold not applicable to seal type transit
Please refer to the documentation for help.
We downgraded back to Vault Enterprise 1.11.4 and the library works again as expected:
Vault.sys.init({:recovery_shares => 5, :recovery_threshold => 3})
=> #<Vault::InitResponse:0x0000559cf1d6c138 @keys=[], @keys_base64=[], @root_token="hvs.QDivQZAOKSLpzMwRg7uhbIfO">
I know you see the root token above, but this is a sandbox so it does not matter.
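Added example, not code from the original post or from the vault gem: one way to build the `/v1/sys/init` request body directly so that only `recovery_*` parameters are sent for an auto-unseal seal, mirroring on the client the check behind the 400 above. It assumes the rejected request carried `secret_shares`/`secret_threshold` keys, as the server message suggests; `init_body`, `seal_type` and `init_vault` are hypothetical helper names.

```ruby
require "json"
require "net/http"
require "uri"

SECRET_KEYS   = %i[secret_shares secret_threshold].freeze
RECOVERY_KEYS = %i[recovery_shares recovery_threshold].freeze

# Build the JSON body for PUT /v1/sys/init, sending only the share
# parameters that apply to the seal type and omitting unset (nil) keys.
def init_body(seal_type, opts)
  opts = opts.compact
  wanted, unwanted = seal_type == "shamir" ? [SECRET_KEYS, RECOVERY_KEYS] : [RECOVERY_KEYS, SECRET_KEYS]
  stray = unwanted & opts.keys
  raise ArgumentError, "#{stray.join(',')} not applicable to seal type #{seal_type}" unless stray.empty?
  missing = wanted - opts.keys
  raise ArgumentError, "missing #{missing.join(',')}" unless missing.empty?
  shares, threshold = opts.values_at(*wanted)
  raise ArgumentError, "threshold must be between 1 and shares" unless (1..shares).cover?(threshold)
  JSON.generate(opts)
end

# Read the seal type ("shamir", "transit", ...) from the seal-status endpoint.
def seal_type(addr)
  JSON.parse(Net::HTTP.get(URI.join(addr, "/v1/sys/seal-status"))).fetch("type")
end

# Initialize Vault with a body matched to the server's seal type.
# The parsed response holds the root token and recovery keys: keep it out of logs.
def init_vault(addr, opts)
  uri = URI.join(addr, "/v1/sys/init")
  req = Net::HTTP::Put.new(uri, "Content-Type" => "application/json")
  req.body = init_body(seal_type(addr), opts)
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") { |h| h.request(req) }
  raise "init failed: #{res.code} #{res.body}" unless res.is_a?(Net::HTTPSuccess)
  JSON.parse(res.body)
end
```

Calling `init_body` on its own prints nothing and contacts no server, so it can be used to inspect exactly which keys would be sent before running `init_vault` against a sandbox.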