Environment
- YugabyteDB Anywhere - All
Issue
What should you do if you see an Encryption At Rest config expiry alert in the YugabyteDB Anywhere UI?
Cause
The Encryption At Rest config expiry alert in YBA means the Secret Token for the KMS configuration has expired. Refer to the screenshot below.
This token allows YugabyteDB Anywhere (YBA) to authenticate with the KMS vault for tasks related to Encryption at Rest in YugabyteDB Universes.
What causes Secret Token Expiry?
The expiry date of the Secret Token is determined by the max_lease_ttl parameter set in the vault configuration file during Vault Setup. See the documentation for more details.
Here is an example of the configuration file:
$ cat /etc/vault.d/vault.hcl
storage "raft" {
  path = "/opt/vault/data/"
  node_id = "node1"
}
listener "tcp" {
  address = "10.231.0.20:8200"
  tls_disable = "true"
}
api_addr = "http://10.231.0.20:8200"
cluster_addr = "https://10.231.0.20:8201"
ui = true
disable_mlock = true
default_lease_ttl = "24h"
max_lease_ttl = "8760h" # This parameter decides when the Secret Token will expire
Tip: You can renew the Secret Token multiple times until the max_lease_ttl is reached. After that, a new token must be created, which is what the YBA alert indicates.
Resolution
Overview
To fix this alert, create a new Secret Token on your Vault Server and update the KMS configuration in YBA with it.
Steps
1. SSH into your Vault Server and create a new token as needed. A sample command is shown below. Refer to the documentation for more information.
vault token create -no-default-policy -policy=yb-transit-policy
Key                  Value
---                  -----
token                hvs.CAESILCxCasCta1Z-eOCR36ou4apx6CkA5CReyAaXVzYxxGcGh4KHGh2cy5EcG1QUEZYQmlhNkRsUVpYWmFVc2VhWm8 # This is the token that needs to be copied
token_accessor       avkhRsqwqWnGdP6srMvPndxX
token_duration       24h
token_renewable      true
token_policies       ["yb-transit-policy"]
identity_policies    []
policies             ["yb-transit-policy"]
2. Copy the Token (e.g., "hvs.***********Wm8") from the command output.
3. Go to the YBA UI > Configs > Security > Encryption At Rest, open the relevant KMS configuration and select Action > Edit Configuration.
4. Paste the copied token into the Secret Token section and save the changes. See the screenshot for guidance.
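The following shell script is an added example, not Yugabyte's or HashiCorp's own tooling. It ties the two halves of this article together: it parses the key/value output of vault token create to pull out the token that step 2 asks you to copy, reads max_lease_ttl from a vault.hcl excerpt, and reports how long the new token can be renewed before the hard limit forces another token (and another YBA alert). Both the token output and the vault.hcl excerpt are constructed samples with placeholder values; the duration parser assumes single-unit Vault durations such as 24h or 8760h.

```shell
#!/bin/sh
# Added example (not Yugabyte's or HashiCorp's code): parse `vault token create`
# output and vault.hcl lease settings, extract the token to paste into YBA, and
# relate the token's lifetime to max_lease_ttl (the hard limit behind the alert).

# Constructed sample of `vault token create` output; the token and accessor
# are placeholders, not real credentials.
SAMPLE_TOKEN_OUTPUT='Key                  Value
---                  -----
token                hvs.EXAMPLEPLACEHOLDERTOKEN
token_accessor       EXAMPLEaccessor
token_duration       24h
token_renewable      true
token_policies       ["yb-transit-policy"]
identity_policies    []
policies             ["yb-transit-policy"]'

# Constructed excerpt of /etc/vault.d/vault.hcl (lease settings only).
SAMPLE_VAULT_HCL='default_lease_ttl = "24h"
max_lease_ttl = "8760h"'

# kv_get KEY: read `vault token create` output on stdin, print KEY's value.
kv_get() {
  awk -v k="$1" '$1 == k { print $2; exit }'
}

# hcl_get KEY: read a vault.hcl excerpt on stdin, print KEY's unquoted value.
# Only simple `key = "value"` lines are handled, not nested blocks.
hcl_get() {
  awk -v k="$1" '$1 == k && $2 == "=" { gsub(/"/, "", $3); print $3; exit }'
}

# duration_to_seconds DUR: convert a single-unit Vault duration (24h, 30m,
# 90s, 8760h) to seconds. Composite forms such as 1h30m are not handled;
# a plain integer is treated as seconds.
duration_to_seconds() {
  d=$1
  n=${d%?}
  case $d in
    *h) echo $((n * 3600)) ;;
    *m) echo $((n * 60)) ;;
    *s) echo "$n" ;;
    *)  echo "$d" ;;
  esac
}

# extract_token OUTPUT: the value to paste into YBA's Secret Token field.
extract_token() {
  printf '%s\n' "$1" | kv_get token
}

# summarize_token OUTPUT HCL: one line with the token, whether it is renewable,
# its current TTL and the server-wide hard limit, both in seconds.
summarize_token() {
  out=$1
  hcl=$2
  tok=$(extract_token "$out")
  ren=$(printf '%s\n' "$out" | kv_get token_renewable)
  dur=$(duration_to_seconds "$(printf '%s\n' "$out" | kv_get token_duration)")
  max=$(duration_to_seconds "$(printf '%s\n' "$hcl" | hcl_get max_lease_ttl)")
  printf '%s renewable=%s ttl=%ss hard_limit=%ss\n' "$tok" "$ren" "$dur" "$max"
}

# hard_limit_days HCL: days until a repeatedly renewed token reaches
# max_lease_ttl and a fresh token must be created (8760h -> 365).
hard_limit_days() {
  secs=$(duration_to_seconds "$(printf '%s\n' "$1" | hcl_get max_lease_ttl)")
  echo $((secs / 86400))
}

# Live usage would replace the constructed sample with real output:
#   out=$(vault token create -no-default-policy -policy=yb-transit-policy)
summarize_token "$SAMPLE_TOKEN_OUTPUT" "$SAMPLE_VAULT_HCL"
echo "new token needed after $(hard_limit_days "$SAMPLE_VAULT_HCL") days"
```

The hard limit read from vault.hcl is the server-wide ceiling; a token created with its own explicit maximum TTL expires sooner, so treat the reported number of days as an upper bound and plan the rotation before it, rather than waiting for the YBA alert.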