mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-22 23:21:08 +02:00
Code Issues Projects Releases Wiki Activity
vault/website/content/docs/configuration/seal/alicloudkms.mdx
Erica Thompson 0660ea6fac
Update README (#31244) 
* Update README

Let contributors know that docs will now be located in UDR

* Add comments to each mdx doc

Comment has been added to all mdx docs that are not partials

* chore: added changelog

changelog check failure

* wip: removed changelog

* Fix content errors

* Doc spacing

* Update website/content/docs/deploy/kubernetes/vso/helm.mdx

Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>

---------

Co-authored-by: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com>
Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
2025-07-22 08:12:22 -07:00

111 lines
4.3 KiB
Plaintext
Raw Permalink Blame History

---
layout: docs
page_title: AliCloud KMS seal configuration
description: >-
Configure Vault sealing to use AliCloud KMS.
---
> [!IMPORTANT]
> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
# AliCloud KMS seal configuration
<Note title="Seal wrapping requires Vault Enterprise">
All Vault versions support **auto-unseal** for AliCloud, but **seal wrapping**
requires Vault Enterprise.
Vault Enterprise enables seal wrapping by default, which means the KMS service
must be available at runtime and not just during the unseal process. Refer to
the [Seal wrap](/vault/docs/enterprise/sealwrap) overview for more
information.
</Note>
The AliCloud KMS seal configures Vault to use AliCloud KMS as the seal wrapping mechanism.
The AliCloud KMS seal is activated by one of the following:
- The presence of a `seal "alicloudkms"` block in Vault's configuration file.
- The presence of the environment variable `VAULT_SEAL_TYPE` set to `alicloudkms`. If
enabling via environment variable, all other required values specific to AliCloud
KMS (i.e. `VAULT_ALICLOUDKMS_SEAL_KEY_ID`) must be also supplied, as well as all
other AliCloud-related environment variables that lends to successful
authentication.
## `alicloudkms` example
This example shows configuring AliCloud KMS seal through the Vault configuration file
by providing all the required values:
```hcl
seal "alicloudkms" {
region = "us-east-1"
access_key = "0wNEpMMlzy7szvai"
secret_key = "PupkTg8jdmau1cXxYacgE736PJj4cA"
kms_key_id = "08c33a6f-4e0a-4a1b-a3fa-7ddfa1d4fb73"
}
```
## `alicloudkms` parameters
These parameters apply to the `seal` stanza in the Vault configuration file:
- `region` `(string: <required> "us-east-1")`: The AliCloud region where the encryption key
lives. May also be specified by the `ALICLOUD_REGION`
environment variable.
- `domain` `(string: "kms.us-east-1.aliyuncs.com")`: If set, overrides the endpoint
AliCloud would normally use for KMS for a particular region. May also be specified
by the `ALICLOUD_DOMAIN` environment variable.
- `access_key` `(string: <required>)`: The AliCloud access key ID to use. May also be
specified by the `ALICLOUD_ACCESS_KEY` environment variable or as part of the
AliCloud profile from the AliCloud CLI or instance profile.
- `secret_key` `(string: <required>)`: The AliCloud secret access key to use. May
also be specified by the `ALICLOUD_SECRET_KEY` environment variable or as
part of the AliCloud profile from the AliCloud CLI or instance profile.
- `kms_key_id` `(string: <required>)`: The AliCloud KMS key ID to use for encryption
and decryption. May also be specified by the `VAULT_ALICLOUDKMS_SEAL_KEY_ID`
environment variable.
- `disabled` `(string: "")`: Set this to `true` if Vault is migrating from an auto seal configuration. Otherwise, set to `false`.
`access_key` and `secret_key` can be [indirect value references](/vault/docs/configuration/seal#indirect-value-references).
Refer to the [Seal Migration](/vault/docs/concepts/seal#seal-migration) documentation for more information about the seal migration process.
## Authentication
Authentication-related values must be provided, either as environment
variables or as configuration parameters.
~> **Note:** Although the configuration file allows you to pass in
`ALICLOUD_ACCESS_KEY` and `ALICLOUD_SECRET_KEY` as part of the seal's parameters, it
is _strongly_ recommended to set these values via environment variables.
```text
AliCloud authentication values:
* `ALICLOUD_REGION`
* `ALICLOUD_ACCESS_KEY`
* `ALICLOUD_SECRET_KEY`
```
Note: The client uses the official AliCloud SDK and will use environment credentials,
the specified credentials, or RAM role credentials in that order.
## `alicloudkms` environment variables
Alternatively, the AliCloud KMS seal can be activated by providing the following
environment variables:
```text
Vault Seal specific values:
* `VAULT_SEAL_TYPE`
* `VAULT_ALICLOUDKMS_SEAL_KEY_ID`
```
Reference in New Issue View Git Blame Copy Permalink