Cluster Topology
We have three EC2 instances running Vault v1.10.3+ent:

| Node | IP Address | Role |
|---|---|---|
| vault-3 | 10.1.101.25 | Initial leader |
| vault-1 | 10.1.101.199 | Follower candidate |
| vault-2 | 10.1.101.108 | Follower candidate |
Every node runs the same two configuration stanzas: storage "raft" (Vault's integrated Raft storage backend) and seal "awskms" (auto-unseal with an AWS KMS key).
1. Verify Vault Status on All Nodes
On each node, confirm Vault is running but not yet initialized and still sealed. Run vault status; the relevant fields should read as follows (vault status exits with code 2 while the node is sealed, which is expected here):

Recovery Seal Type    awskms
Initialized           false
Sealed                true
Version               1.10.3+ent
Storage Type          raft
HA Enabled            true
2. Initialize the Leader (vault-3)
SSH into vault-3 and run vault operator init. Because the seal is awskms, the output contains recovery keys rather than unseal keys, together with the initial root token. vault status now reports Initialized true; immediately after init it may still briefly show Sealed true, but with the awskms seal the node unseals itself without any vault operator unseal step, and followers will auto-unseal the same way when they join.
Store the recovery keys and the initial root token in a secure secrets store or an offline backup kept separate from the cluster. Losing them can lock you out of your cluster: the recovery keys are required for operations such as generating a new root token, and the root token is the only credential you have until other auth methods are configured.
Ensure the IAM role attached to each EC2 instance allows kms:Encrypt, kms:Decrypt and kms:DescribeKey on the KMS key named in the seal stanza; without these permissions initialization and auto-unseal fail.
3. List Raft Peers on vault-3
Authenticate with the root token (vault login) and run vault operator raft list-peers. At this point the cluster has a single peer, vault-3, shown with State leader.
4. Join vault-1 to the Cluster
On vault-1, run vault operator raft join with the leader's API address; the command prints Joined true, and KMS auto-unseals the node once the join is accepted. Then check vault status on vault-1:

Initialized               true
Sealed                    false
Performance Standby Node  true
5. Add vault-2 to the Raft Cluster
On vault-2, run the same vault operator raft join against the leader and confirm with vault status that it reports Initialized true and Sealed false. vault operator raft list-peers on any node should now show all three nodes, with vault-3 as leader and the other two as followers.

6. Test Leader Failover
- Stop Vault on the current leader (vault-3), for example by stopping the Vault service.
- On vault-1 or vault-2, run vault operator raft list-peers (or vault status and check the HA Mode field) and confirm that one of the remaining nodes has been elected leader.
- Restart Vault on vault-3. It auto-unseals through KMS again and rejoins the cluster as a follower; leadership does not move back to it automatically.
7. Manual Step-Down
Force the current leader to step down manually with vault operator step-down, issued against the active node (on vault-1, for example; on a standby the command does nothing). The active node gives up leadership, one of the other voters is elected, and the node that stepped down continues as a standby.

Summary
- Initialized vault-3 and formed a single-node cluster.
- Joined vault-1 and vault-2 with vault operator raft join.
- Verified AWS KMS auto-unseal on the followers.
- Simulated automatic leader election by stopping the leader.
- Demonstrated manual failover using vault operator step-down.