mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-10 08:37:00 +02:00
Code Issues Projects Releases Wiki Activity
04e75372fb
vault/website/content/docs/configuration/storage/dynamodb.mdx
Michael Diggin 5b4b606c0d
[Storage/DynamoDB] Let vault modify dynamodb tables (#29371) 
* [Storage/DynamoDB] Let vault modify dynamodb tables

* add changelog

---------

Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
2025-01-21 14:27:54 -05:00

203 lines
7.1 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
layout: docs
page_title: DynamoDB configuration
description: >-
Configure Vault backend storage to use DynamoDB tables.
---
# DynamoDB configuration for Vault backend storage
The DynamoDB storage backend is used to persist Vault's data in
[DynamoDB][dynamodb] table.
- **High Availability** the DynamoDB storage backend supports high
availability. Because DynamoDB uses the time on the Vault node to implement
the session lifetimes on its locks, significant clock skew across Vault nodes
could cause contention issues on the lock.
- **Community Supported** the DynamoDB storage backend is supported by the
community. While it has undergone review by HashiCorp employees, they may not
be as knowledgeable about the technology. If you encounter problems with this
storage backend, you could be referred to the original author for support.
```hcl
storage "dynamodb" {
ha_enabled = "true"
region = "us-west-2"
table = "vault-data"
}
```
For more information about the read/write capacity of DynamoDB tables, please
see the [official AWS DynamoDB documentation][dynamodb-rw-capacity].
## DynamoDB parameters
- `billing_mode` `(string: "PROVISIONED")` - Specifies which billing mode should be
be used for the table. Choices are "PROVISIONED" or "PAY_PER_REQUEST". You can
also configure billing mode with the `AWS_DYNAMODB_BILLING_MODE` environment variable .
- `dynamodb_allow_updates` `(string: "")` - Specifices if the billing mode or the
read/write capacity of the table should be updated if the provided values differ
from the existing table. You can also configure updates with the
`AWS_DYNAMODB_ALLOW_UPDATES` environment variable.
- `endpoint` `(string: "")` Specifies an alternative, AWS compatible, DynamoDB
endpoint. This can also be provided via the environment variable
`AWS_DYNAMODB_ENDPOINT`.
- `ha_enabled` `(string: "false")` Specifies whether this backend should be used
to run Vault in high availability mode. Valid values are "true" or "false". This
can also be provided via the environment variable `DYNAMODB_HA_ENABLED`.
- `max_parallel` `(string: "128")` Specifies the maximum number of concurrent
requests.
- `region` `(string "us-east-1")` Specifies the AWS region. This can also be
provided via the environment variable `AWS_DEFAULT_REGION`.
- `read_capacity` `(int: 5)` Specifies the maximum number of reads consumed
per second on the table, for use if Vault creates the DynamoDB table. This has
no effect if the `table` already exists and `dynamodb_allow_updates` is unset.
You can also set the read capacity with the `AWS_DYNAMODB_READ_CAPACITY` environment variable.
- `table` `(string: "vault-dynamodb-backend")` Specifies the name of the
DynamoDB table in which to store Vault data. If the specified table does not
yet exist, it will be created during initialization. This can also be
provided via the environment variable `AWS_DYNAMODB_TABLE`. See the
information on the table schema below.
- `write_capacity` `(int: 5)` Specifies the maximum number of writes performed
per second on the table, for use if Vault creates the DynamoDB table. This value
has no effect if the `table` already exists and `dynamodb_allow_updates` is unset.
You can also set the write capacity with the `AWS_DYNAMODB_WRITE_CAPACITY` environment variable.
The following settings are used for authenticating to AWS. If you are
running your Vault server on an EC2 instance, you can also make use of the EC2
instance profile service to provide the credentials Vault will use to make
DynamoDB API calls. Leaving the `access_key` and `secret_key` fields empty will
cause Vault to attempt to retrieve credentials from the AWS metadata service.
- `access_key` `(string: <required>)` Specifies the AWS access key. This can
also be provided via the environment variable `AWS_ACCESS_KEY_ID`.
- `secret_key` `(string: <required>)` Specifies the AWS secret key. This can
also be provided via the environment variable `AWS_SECRET_ACCESS_KEY`.
- `session_token` `(string: "")` Specifies the AWS session token. This can
also be provided via the environment variable `AWS_SESSION_TOKEN`.
## Required AWS permissions
The governing policy for the IAM user or EC2 instance profile that Vault uses
to access DynamoDB must contain the following permissions for Vault to perform
the required operations on the DynamoDB table:
```javascript
"Statement": [
{
"Action": [
"dynamodb:DescribeLimits",
"dynamodb:DescribeTimeToLive",
"dynamodb:ListTagsOfResource",
"dynamodb:DescribeReservedCapacityOfferings",
"dynamodb:DescribeReservedCapacity",
"dynamodb:ListTables",
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:CreateTable",
"dynamodb:DeleteItem",
"dynamodb:GetItem",
"dynamodb:GetRecords",
"dynamodb:PutItem",
"dynamodb:Query",
"dynamodb:UpdateItem",
"dynamodb:Scan",
"dynamodb:DescribeTable",
"dynamodb:UpdateTable"
],
"Effect": "Allow",
"Resource": [ "arn:aws:dynamodb:us-east-1:... dynamodb table ARN" ]
},
```
## Table schema
If you are going to create the DynamoDB table prior to the execution and
initialization of Vault, you will need to create a table with these attributes:
- Primary partition key: "Path", a string
- Primary sort key: "Key", a string
You might create the table via Terraform, with a configuration similar to this:
```
resource "aws_dynamodb_table" "dynamodb-table" {
name = "${var.dynamoTable}"
read_capacity = 1
write_capacity = 1
hash_key = "Path"
range_key = "Key"
attribute {
name = "Path"
type = "S"
}
attribute {
name = "Key"
type = "S"
}
tags = {
Name = "vault-dynamodb-table"
Environment = "prod"
}
}
```
By default, Vault will not modify the table if a table with the configured name already exists
and the Vault configuration values of `read_capacity` and `write_capacity` have
no effect. If the `dynamodb_allow_updates` field is set, then Vault will try to update
the table if the provided `billing_mode`, `read_capacity` or `write_capacity` differ
from the existing table's values.
If the table does not already exist, Vault will try to create it, with billing mode,
read and write capacities set to the values of `billing_mode`, `read_capacity` and
`write_capacity` respectively.
## AWS instance metadata timeout
@include 'aws-imds-timeout.mdx'
## DynamoDB examples of Vault configuration
### Custom table and Read-Write capacity
This example shows using a custom table name and read/write capacity.
```hcl
storage "dynamodb" {
table = "my-vault-data"
read_capacity = 10
write_capacity = 15
}
```
### Enabling high availability
This example shows enabling high availability for the DynamoDB storage backend.
```hcl
api_addr = "https://vault-leader.my-company.internal"
storage "dynamodb" {
ha_enabled = "true"
...
}
```
[dynamodb]: https://aws.amazon.com/dynamodb/
[dynamodb-rw-capacity]: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/WorkingWithTables.html#ProvisionedThroughput
Reference in New Issue View Git Blame Copy Permalink