
I need to start HashiCorp Vault as a service in an EC2 instance and access it from another EC2 instance; it needs to unseal the key at every start. How can I automate unsealing the keys at every start of the EC2 instance?

I referred to this doc to start the service, but I couldn't access it without insecure (-k) mode.

curl --header "X-Vault-Token: s.mhKWQGSf3ttFIEW5aTzs3CIY" http://127.0.0.1:8200/v1/kv/secret/mypath -k

How can I achieve this?


1 Answer


The easiest and safest way to manage unsealing in an EC2 context is to leverage AWS KMS (the Key Management Service) and to use one KMS-managed key to automatically unseal Vault.

You can learn more about this in these 2 pages:

The second link really describes all the seal "awskms" configuration you need to set in your Vault config.hcl file. As soon as your EC2 instance role has an IAM profile that lets it read that KMS key, it becomes automatic and easy.
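As an added illustration of the seal "awskms" stanza the answer refers to (example config written for this page, not the answerer's own file or Vault's documentation), here is a minimal config.hcl; the region, KMS key ARN, file paths and hostnames are placeholders, as are the policy actions named in the comments:

```hcl
# Added example config.hcl for Vault auto-unseal with AWS KMS on EC2.
# Every value marked PLACEHOLDER is an assumption; replace it for your environment.

# Where Vault keeps its data. Raft is the integrated, single-binary option.
storage "raft" {
  path    = "/opt/vault/data"   # PLACEHOLDER; must be writable by the vault user
  node_id = "vault-ec2-1"       # PLACEHOLDER node name
}

# Listener used by the other EC2 instance. Serving real TLS here is what
# removes the need for curl -k: the client trusts the CA that issued the cert,
# and the cert's SAN must match the hostname the client connects to.
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault.d/vault.crt"   # PLACEHOLDER
  tls_key_file  = "/etc/vault.d/vault.key"   # PLACEHOLDER
}

# Auto-unseal: on every start Vault asks KMS to decrypt its stored root key,
# so nobody has to type unseal keys. Credentials come from the instance
# profile; never put access keys in this file. The instance role's policy
# needs kms:Encrypt, kms:Decrypt and kms:DescribeKey on this one key only.
seal "awskms" {
  region     = "us-east-1"                                                # PLACEHOLDER
  kms_key_id = "arn:aws:kms:us-east-1:123456789012:key/PLACEHOLDER-KEY-ID" # PLACEHOLDER
}

# Addresses Vault advertises; raft storage requires cluster_addr to be set.
api_addr     = "https://vault.internal.example:8200"   # PLACEHOLDER
cluster_addr = "https://vault.internal.example:8201"   # PLACEHOLDER
ui           = false
```

Run `vault operator init` once after the first start: with an awskms seal it outputs recovery keys instead of unseal keys, and every later restart unseals without operator input.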