This is a port of Kelsey Hightower's vault-init to AWS.

The `vault-init` service automates the process of initializing and unsealing HashiCorp Vault instances running on Amazon Web Services.

After `vault-init` initializes a Vault server, it stores the master keys and root token, encrypted using AWS Key Management Service, in a user-defined Amazon S3 bucket.

The `vault-init` service is designed to run alongside a Vault server and communicate with it over localhost. Run `vault-init` in the same Pod as the Vault container. See the vault statefulset for a complete example.
The `vault-init` service supports the following environment variables for configuration:

- `CHECK_INTERVAL` - The time in seconds between Vault health checks (default: 300).
- `S3_BUCKET_NAME` - The Amazon S3 bucket where the Vault master key and root token are stored.
- `KMS_KEY_ID` - The Amazon KMS key ID used to encrypt and decrypt the Vault master key and root token.
- `VAULT_ADDR` - The Vault API address.
```sh
CHECK_INTERVAL="300"
S3_BUCKET_NAME="vault-storage"
KMS_KEY_ID="arn:aws:kms:us-east-1:1234567819:key/dead-beef-dead-beef-deadbeefdead"
VAULT_ADDR="https://vault.service.consul:8200"
```
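The two steps described above, persisting the init result KMS-encrypted to the bucket and later reading it back to unseal, as an added illustration that is not the project's own code. `Deps`, `Persist`, `Restore` and the object name `unseal-keys.json.enc` are assumptions standing in for the real Vault, KMS and S3 clients.

```go
package main
import (
	"encoding/json"
	"errors"
)
// InitResult mirrors the fields Vault returns from PUT /v1/sys/init.
type InitResult struct {
	Keys      []string `json:"keys"`
	RootToken string   `json:"root_token"`
}
// Deps are assumed hooks for the Vault API, AWS KMS and S3 (not the project's types).
type Deps struct {
	Unseal  func(key string) (stillSealed bool, err error) // PUT /v1/sys/unseal
	Encrypt func([]byte) ([]byte, error)                   // KMS Encrypt under KMS_KEY_ID
	Decrypt func([]byte) ([]byte, error)                   // KMS Decrypt
	Put     func(obj string, data []byte) error            // S3 PutObject into S3_BUCKET_NAME
	Get     func(obj string) ([]byte, error)               // S3 GetObject
}
const unsealObject = "unseal-keys.json.enc" // constructed object name
// Persist runs right after init: keys and root token are KMS-encrypted before reaching S3.
func Persist(d Deps, res InitResult) error {
	plain, _ := json.Marshal(res) // cannot fail for this plain struct
	enc, err := d.Encrypt(plain)
	if err != nil {
		return err
	}
	return d.Put(unsealObject, enc)
}
// Restore fetches the object, decrypts it via KMS and feeds unseal keys until Vault reports unsealed.
func Restore(d Deps) (int, error) {
	enc, err := d.Get(unsealObject)
	if err != nil {
		return 0, err
	}
	plain, err := d.Decrypt(enc)
	if err != nil {
		return 0, err
	}
	var res InitResult
	if err = json.Unmarshal(plain, &res); err != nil {
		return 0, err
	}
	for i, key := range res.Keys {
		if sealed, err := d.Unseal(key); err != nil || !sealed {
			return i + 1, err // number of key shares fed to Vault
		}
	}
	return len(res.Keys), errors.New("vault still sealed after all stored keys")
}
func main() {} // wire Deps to the real Vault, KMS and S3 clients here
```

Only ciphertext produced by the KMS key ever reaches the bucket, so the S3 object alone is useless without `kms:Decrypt` permission on `KMS_KEY_ID`.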