In this guide, you’ll configure HashiCorp Vault to use AWS KMS for automatic unsealing. By leveraging Cloud Auto Unseal, you eliminate the operational overhead of manual unseal keys and enhance your security posture.

Prerequisites

  • An EC2 instance running Vault
  • A Customer Managed Key (CMK) in AWS KMS (e.g., Vault Unseal Key)

1. Check Current Vault Status

SSH into your Vault server and run:
vault status
Example output:
Key                 Value
---                 -----
Seal Type           shamir
Initialized         false
Sealed              true
Total Shares        0
Threshold           0
Unseal Progress     0/0
Unseal Nonce        n/a
Version             1.7.1
Storage Type        raft
HA Enabled          true
Vault is not yet initialized and uses the default Shamir seal.
By default, Vault uses Shamir’s Secret Sharing for unsealing. We’ll replace this with AWS KMS.

2. Review the Vault Configuration

Open /etc/vault.d/vault.hcl:
cat /etc/vault.d/vault.hcl
storage "raft" {
  path    = "/opt/vault/data"
  node_id = "node-a-us-east-1"
  retry_join {
    auto_join = "provider=aws region=us-east-1 tag_key=vault tag_value=us-east-1"
  }
}

listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_disable     = 1
}

api_addr     = "http://10.0.1.37:8200"
cluster_addr = "http://10.0.1.37:8201"
cluster_name = "vault-prod-us-east-1"
ui           = true
log_level    = "INFO"
There’s no seal stanza yet—this is where we’ll plug in our AWS KMS configuration.

3. Add the AWS KMS Seal Stanza

  1. In the AWS Console, go to KMS → Customer managed keys and copy your CMK ARN (for example: arn:aws:kms:us-east-1:123456789012:key/abcd1234-5678-90ab-cdef-EXAMPLEKEY).
Treat your KMS key ARN and Vault configuration file as sensitive information. Do not expose them in public repositories.
  2. Edit the Vault HCL:
sudo vi /etc/vault.d/vault.hcl
  3. Insert the awskms seal stanza anywhere in the file:
seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "arn:aws:kms:us-east-1:123456789012:key/abcd1234-5678-90ab-cdef-EXAMPLEKEY"
}
  4. Your complete configuration should now be:
storage "raft" {
  path    = "/opt/vault/data"
  node_id = "node-a-us-east-1"
  retry_join {
    auto_join = "provider=aws region=us-east-1 tag_key=vault tag_value=us-east-1"
  }
}

seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "arn:aws:kms:us-east-1:123456789012:key/abcd1234-5678-90ab-cdef-EXAMPLEKEY"
}

listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_disable     = 1
}

api_addr     = "http://10.0.1.37:8200"
cluster_addr = "http://10.0.1.37:8201"
cluster_name = "vault-prod-us-east-1"
ui           = true
log_level    = "INFO"
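Before restarting Vault, it is worth checking the edited file mechanically: a typo in the seal stanza means the restarted server comes up with the Shamir seal (or not at all), and the guide's listener still has tls_disable = 1, which sends the root token over plain HTTP. The script below is an added example, not part of the original guide or of Vault itself. It writes a constructed vault.hcl using the guide's values, confirms that exactly one seal "awskms" stanza exists with a region and a kms_key_id in one of the forms Vault accepts (key ID, key ARN, alias name or alias ARN), and flags a listener with TLS disabled. The function names and the hcl_attr line-based parser are this example's own assumptions; it reads HCL with grep and sed rather than a real HCL parser, so it is a sanity check, not a full validator.

```sh
#!/bin/sh
# Added example, not part of the original guide: static sanity checks on a
# vault.hcl before restarting Vault with the awskms seal. The config written
# by write_sample_config is constructed from the guide's example values.

# Write a constructed vault.hcl (the guide's values) to the path in $1.
write_sample_config() {
  cat > "$1" <<'EOF'
storage "raft" {
  path    = "/opt/vault/data"
  node_id = "node-a-us-east-1"
  retry_join {
    auto_join = "provider=aws region=us-east-1 tag_key=vault tag_value=us-east-1"
  }
}

seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "arn:aws:kms:us-east-1:123456789012:key/abcd1234-5678-90ab-cdef-EXAMPLEKEY"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}
EOF
}

# Print the value of the first `$1 = "value"` attribute found in file $2.
hcl_attr() {
  grep -E "^[[:space:]]*$1[[:space:]]*=" "$2" | head -n 1 |
    sed 's/^[^=]*=[[:space:]]*"\([^"]*\)".*/\1/'
}

# Return 0 when $1 has exactly one seal "awskms" stanza with a region and a
# kms_key_id shaped like a KMS key ID, key ARN, alias name or alias ARN;
# otherwise print the reason to stderr and return 1.
check_awskms_seal() {
  file="$1"
  n=$(grep -c -E '^[[:space:]]*seal[[:space:]]+"awskms"' "$file" || true)
  if [ "$n" -ne 1 ]; then
    echo "expected one seal \"awskms\" stanza, found $n" >&2
    return 1
  fi
  region=$(hcl_attr region "$file")
  key=$(hcl_attr kms_key_id "$file")
  if [ -z "$region" ]; then
    echo "seal stanza has no region" >&2
    return 1
  fi
  if ! printf '%s\n' "$key" | grep -q -E \
      '^(arn:aws:kms:[a-z0-9-]+:[0-9]{12}:(key|alias)/[A-Za-z0-9_/-]+|alias/[A-Za-z0-9_/-]+|[0-9a-fA-F-]{36})$'; then
    echo "kms_key_id is not a KMS key id, key ARN or alias: '$key'" >&2
    return 1
  fi
  return 0
}

# Return 0 when a listener sets tls_disable = 1 (or true). The seal still
# works, but API traffic, including the root token, travels unencrypted.
tls_is_disabled() {
  grep -q -E '^[[:space:]]*tls_disable[[:space:]]*=[[:space:]]*(1|"?true"?)' "$1"
}

# Stand-alone run: check the constructed config and report.
cfg=$(mktemp)
write_sample_config "$cfg"
if check_awskms_seal "$cfg"; then
  echo "seal stanza OK"
fi
if tls_is_disabled "$cfg"; then
  echo "warning: tls_disable is set; Vault API traffic is unencrypted"
fi
rm -f "$cfg"
```

To check the real file, call check_awskms_seal /etc/vault.d/vault.hcl and tls_is_disabled /etc/vault.d/vault.hcl from the same shell and act on the exit codes; a non-zero result from the first is a reason not to restart yet.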

4. Restart Vault and Verify Seal Type

Restart the Vault service:
sudo systemctl restart vault
Check the new status:
vault status
Key                      Value
---                      -----
Seal Type                awskms
Initialized              false
Sealed                   true
Total Recovery Shares    0
Threshold                0
Version                  1.7.1
Storage Type             raft
HA Enabled               true
Vault is now configured to auto-unseal with AWS KMS, but still needs initialization.

5. Initialize the Vault Cluster

Initialize Vault:
vault operator init
Example output:
Recovery Key 1:  qDfLTvJNhT3Dgj8UWaep9o2qgQZcVq/+w6QXQ4Tq+
...
Recovery Key 5:  2/FshgVlCzLhqhG+C0M0azU3ry82c2KhmKSUpelv

Initial Root Token: s.7gu7dshRlK1KNoq8B9dFme

Success! Vault is initialized with 5 recovery shares and a threshold of 3.
Re-run vault status:
vault status
Key                     Value
---                     -----
Seal Type               awskms
Recovery Seal Type      shamir
Initialized             true
Sealed                  false
Total Recovery Shares   5
Threshold               3
Version                 1.7.1
Storage Type            raft
Cluster Name            vault-prod-us-east-1
Cluster ID              6245bbfd-8db5-b507-f689-ba48628ad2a5
HA Enabled              true
HA Cluster              http://10.0.1.37:8201
HA Mode                 active
Vault is now unsealed automatically via AWS KMS.

6. Use Vault as Usual

Authenticate with the root token:
vault login s.7gu7dshRlK1KNoq8B9dFme
Enable and list secrets engines:
vault secrets enable azure
vault secrets list
Path          Type        Accessor
----          ----        --------
azure/        azure       azure_6d868445
cubbyhole/    cubbyhole   cubbyhole_2e79ae0c
identity/     identity    identity_65b04cae
sys/          system      system_9d391d96
Everything works without manual unseal steps.

7. Confirm Auto-Unseal After Restart

Restart Vault again:
sudo systemctl restart vault
vault status
Vault remains unsealed thanks to AWS KMS auto-unseal, eliminating manual recovery.
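The check in step 4 (seal type is awskms) and the check here (still unsealed after a restart) are the same two questions, and in production they should be asked by a script rather than by reading the table. The following is an added example, not part of the original guide or of Vault: it interprets the machine-readable output of vault status -format=json and tells the four outcomes apart, including the failure mode the guide does not show, a server that loaded the awskms seal but stays sealed because the KMS call failed (wrong region, key disabled, missing kms:Encrypt/kms:Decrypt/kms:DescribeKey on the instance role, or no route to KMS). The status documents below are constructed to mirror the fields Vault prints; the function names and exit codes are this example's own choices.

```sh
#!/bin/sh
# Added example, not part of the original guide: classify the output of
# `vault status -format=json` after a restart so the step-7 check can run
# unattended. The JSON samples are constructed, shaped like the seal-status
# fields Vault prints (type, initialized, sealed, t, n, recovery_seal, ...).

STATUS_OK='{"type": "awskms", "initialized": true, "sealed": false, "t": 3, "n": 5, "recovery_seal": true, "storage_type": "raft", "version": "1.7.1"}'
STATUS_SEALED='{"type": "awskms", "initialized": true, "sealed": true, "t": 3, "n": 5, "recovery_seal": true, "storage_type": "raft", "version": "1.7.1"}'
STATUS_SHAMIR='{"type": "shamir", "initialized": true, "sealed": true, "t": 3, "n": 5, "recovery_seal": false, "storage_type": "raft", "version": "1.7.1"}'
STATUS_UNINIT='{"type": "awskms", "initialized": false, "sealed": true, "t": 0, "n": 0, "recovery_seal": true, "storage_type": "raft", "version": "1.7.1"}'

# Print the value of top-level JSON field $1 from the document on stdin,
# without surrounding quotes. Good enough for Vault's flat status object.
json_field() {
  tr -d '\n' |
    sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^,\"}]*\)\"\{0,1\}.*/\1/p"
}

# Classify the status JSON in $1. Prints a verdict and returns:
#   0  initialized, seal type awskms, unsealed  (auto-unseal worked)
#   1  not initialized                          (run vault operator init)
#   2  seal type is not awskms                  (seal stanza not in effect)
#   3  awskms seal but still sealed             (KMS call is failing)
verify_auto_unseal() {
  status="$1"
  seal_type=$(printf '%s' "$status" | json_field type)
  initialized=$(printf '%s' "$status" | json_field initialized)
  sealed=$(printf '%s' "$status" | json_field sealed)
  if [ "$initialized" != "true" ]; then
    echo "Vault is not initialized; run 'vault operator init'"
    return 1
  fi
  if [ "$seal_type" != "awskms" ]; then
    echo "seal type is '$seal_type', not awskms: seal stanza missing or service not restarted"
    return 2
  fi
  if [ "$sealed" != "false" ]; then
    echo "awskms seal loaded but Vault is sealed: it could not use the KMS key." \
         "Check 'journalctl -u vault', the key's region and state, and the" \
         "instance role's kms:Encrypt, kms:Decrypt and kms:DescribeKey permissions"
    return 3
  fi
  echo "auto-unseal OK: seal type awskms, Vault unsealed"
  return 0
}

# Stand-alone run: use the live server when the vault CLI is present,
# otherwise walk the constructed samples. `vault status` exits non-zero
# when sealed, so its output is captured regardless of exit code.
if command -v vault >/dev/null 2>&1; then
  verify_auto_unseal "$(vault status -format=json 2>/dev/null)"
else
  for s in "$STATUS_OK" "$STATUS_SEALED" "$STATUS_SHAMIR" "$STATUS_UNINIT"; do
    verify_auto_unseal "$s" || true
  done
fi
```

Wired into a systemd timer or a load balancer health script, exit code 3 is the one to alert on: the configuration is right, but the node cannot reach or use its KMS key, which is exactly the condition that auto-unseal was meant to make invisible.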
Congratulations! You’ve successfully set up Cloud Auto Unseal with AWS KMS. This configuration streamlines your Vault operations and boosts security by removing manual unseal key handling.