Description
Describe the bug
We are using auto-unseal with Alicloud KMS.
We use a RAM role attached to the ECS instance that grants access to the KMS key on Alibaba Cloud.
We do not want to use a static AccessKey ID/Secret.
Vault seal configuration:
seal "alicloudkms" {
region = "cn-xxx"
domain = "kms-vpc.cn-xxx.aliyuncs.com"
kms_key_id = "xxx-xxx"
}
Vault starts up correctly and can use the KMS seal initially.
However, after ~6 hours the STS credentials expire and Vault does not refresh them.
We then start seeing this error in the logs:
[WARN] core.autoseal: seal wrapper health check failed: seal_name=alicloudkms
err=failed to encrypt test value, seal wrapper may be unreachable: error encrypting data: SDK.ServerError
ErrorCode: InvalidAccessKeyId.NotFound
Message: The Access Key ID provided does not exist in our records.
The ECS metadata service still returns valid credentials with a new expiration (curl http://100.100.100.200/latest/meta-data/ram/security-credentials/role_name).
Vault does not re-read or refresh those credentials after startup.
If we restart Vault, it unseals automatically, but we get the same errors again after 6 h.
To Reproduce
Steps to reproduce the behavior:
- Deploy Vault on ECS with a RAM Role that can access KMS.
- Configure the alicloudkms seal without static credentials:
seal "alicloudkms" {
region = "cn-xxx"
domain = "kms-vpc.cn-xxx.aliyuncs.com"
kms_key_id = "xxx-xxx"
}
- Start Vault – everything works.
- Wait for 6 h (STS expiration).
- Observe errors like InvalidAccessKeyId.NotFound in the logs.
Expected behavior
Vault should re-fetch STS credentials from the ECS metadata service when the current token expires.
Environment:
- Vault Server Version (retrieve with vault status): v1.17
- Server Operating System/Architecture: Linux (RedHat 8)
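The expected behavior described above, re-reading the instance RAM role credential from the ECS metadata service before the cached STS token expires, as an added example in Go. This is not Vault's or the Alibaba Cloud SDK's code; it is a small stand-alone credential provider that assumes the metadata service's documented JSON fields (AccessKeyId, AccessKeySecret, SecurityToken, Expiration, Code) and exercises them against a constructed, offline fetcher. The 6 h token lifetime and the 5-minute refresh leeway are assumptions chosen to match the report.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"sync"
	"time"
)

// MetadataURL is the ECS instance metadata endpoint from the report; the RAM
// role name is appended to it.
const MetadataURL = "http://100.100.100.200/latest/meta-data/ram/security-credentials/"

// STSCredential mirrors the JSON document the metadata service returns for
// an instance RAM role.
type STSCredential struct {
	AccessKeyId     string `json:"AccessKeyId"`
	AccessKeySecret string `json:"AccessKeySecret"`
	SecurityToken   string `json:"SecurityToken"`
	Expiration      string `json:"Expiration"` // RFC 3339, UTC
	LastUpdated     string `json:"LastUpdated"`
	Code            string `json:"Code"`
}

// ExpiresAt parses the Expiration timestamp.
func (c *STSCredential) ExpiresAt() (time.Time, error) {
	return time.Parse(time.RFC3339, c.Expiration)
}

// FetchFunc retrieves the raw credential document for a role. It is a
// function type so the provider can be exercised offline with constructed data.
type FetchFunc func(roleName string) ([]byte, error)

// HTTPFetch is the live fetcher (assumed settings: plain GET, 5 s timeout).
func HTTPFetch(roleName string) ([]byte, error) {
	client := &http.Client{Timeout: 5 * time.Second}
	resp, err := client.Get(MetadataURL + roleName)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("metadata service returned %s", resp.Status)
	}
	return io.ReadAll(resp.Body)
}

// RefreshingProvider caches one credential and re-reads the metadata
// service once the cached one is within leeway of its Expiration.
type RefreshingProvider struct {
	mu        sync.Mutex
	role      string
	fetch     FetchFunc
	now       func() time.Time
	leeway    time.Duration
	current   *STSCredential
	refreshes int
}

func NewRefreshingProvider(role string, fetch FetchFunc, now func() time.Time, leeway time.Duration) *RefreshingProvider {
	return &RefreshingProvider{role: role, fetch: fetch, now: now, leeway: leeway}
}

// Get returns a credential valid for at least leeway from now, fetching a
// fresh one when the cached credential is missing or about to expire.
func (p *RefreshingProvider) Get() (*STSCredential, error) {
	p.mu.Lock()
	defer p.mu.Unlock()
	if p.current != nil {
		if exp, err := p.current.ExpiresAt(); err == nil && p.now().Add(p.leeway).Before(exp) {
			return p.current, nil // still fresh: no metadata round-trip
		}
	}
	body, err := p.fetch(p.role)
	if err != nil {
		return nil, fmt.Errorf("fetch credentials for role %q: %w", p.role, err)
	}
	var c STSCredential
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, fmt.Errorf("decode credential document: %w", err)
	}
	if c.Code != "Success" {
		return nil, fmt.Errorf("metadata service reported Code=%q", c.Code)
	}
	exp, err := c.ExpiresAt()
	if err != nil {
		return nil, fmt.Errorf("bad Expiration %q: %w", c.Expiration, err)
	}
	if !exp.After(p.now()) {
		return nil, fmt.Errorf("metadata service returned an already-expired credential (%s)", c.Expiration)
	}
	p.current = &c
	p.refreshes++
	return &c, nil
}

// Refreshes reports how many times the metadata service was consulted.
func (p *RefreshingProvider) Refreshes() int {
	p.mu.Lock()
	defer p.mu.Unlock()
	return p.refreshes
}

// ConstructedFetcher simulates the metadata service offline: each call hands
// out a new (constructed) key id that expires lifetime after the clock reads.
func ConstructedFetcher(clock func() time.Time, lifetime time.Duration) FetchFunc {
	calls := 0
	return func(roleName string) ([]byte, error) {
		calls++
		issued := clock()
		doc := STSCredential{
			AccessKeyId:     fmt.Sprintf("STS.constructed-%d", calls),
			AccessKeySecret: "constructed-secret",
			SecurityToken:   "constructed-token",
			Expiration:      issued.Add(lifetime).UTC().Format(time.RFC3339),
			LastUpdated:     issued.UTC().Format(time.RFC3339),
			Code:            "Success",
		}
		return json.Marshal(doc)
	}
}

func main() {
	// Simulated clock at a fixed instant; 6 h STS lifetime as in the report.
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	clock := t0
	now := func() time.Time { return clock }
	p := NewRefreshingProvider("role_name", ConstructedFetcher(now, 6*time.Hour), now, 5*time.Minute)
	for _, offset := range []time.Duration{0, 3 * time.Hour, 5*time.Hour + 56*time.Minute, 12 * time.Hour} {
		clock = t0.Add(offset)
		c, err := p.Get()
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("t+%v key=%s expires=%s refreshes=%d\n", offset, c.AccessKeyId, c.Expiration, p.Refreshes())
	}
}
```

To run it against the real metadata service on an ECS instance, pass HTTPFetch and time.Now instead of the constructed fetcher and clock. The point of the leeway check is the failure mode in the report: a caller that only re-reads the metadata service on startup keeps signing KMS requests with a key id the service has already retired, which is exactly what InvalidAccessKeyId.NotFound signals.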