For some testing purposes I've installed Vault with Consul as a backend on a single AWS EC2 instance. I initialise and unseal it successfully. Everything works well, and I can run my tests.
But every time I stop the EC2 instance and start it again, Vault is not initialised (the command `vault status` shows `Initialized: false`). As a result I need to init Vault again and lose all my secrets.
Is there a way to keep Vault initialised after stopping the EC2 instance and starting it again?
The Vault configuration files:

```hcl
# /etc/vault.d/config.hcl
storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault/"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1   # plaintext listener, only acceptable on this single-host test setup
}

ui = true
```
```ini
# vault.service
[Unit]
Description="Hashicorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
ConditionFileNotEmpty=/etc/vault.d/config.hcl

[Service]
ExecStart=/usr/bin/vault server -config=/etc/vault.d/config.hcl
# systemd exposes the main process id as $MAINPID (the original had $MAINIP, which is not set)
ExecReload=/bin/kill --signal HUP $MAINPID
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
```
The Consul configuration files:

```hcl
# /etc/consul.d/consul.hcl
datacenter = "dc1"
data_dir   = "/tmp/consul"
encrypt    = ""
```
```ini
# consul.service
[Unit]
Description=Consul
Documentation=https://www.consul.io/

[Service]
ExecStart=/usr/bin/consul agent -ui -config-dir=/etc/consul.d/
# systemd exposes the main process id as $MAINPID (the original had $MAINIP, which is not set)
ExecReload=/bin/kill -HUP $MAINPID
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
```
Would appreciate any ideas.
Vault is leveraging Consul to store its data, but you have Consul storing that data inside `/tmp`, which is a volatile directory and is emptied on reboot.

```hcl
datacenter = "dc1"
data_dir   = "/tmp/consul"
encrypt    = ""
```

Try changing `data_dir` to something like `/var/consul`.
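A pre-flight check for exactly this failure mode, added here as an example and not taken from the question or the answer: it reads `data_dir` out of a Consul HCL file in the simple `key = "value"` layout shown above and refuses to pass if the directory lives somewhere that does not survive a reboot. The volatile-path list and the `df`-based tmpfs probe are my own assumptions, not Consul's.

```bash
#!/bin/sh
# Extract the data_dir value from a Consul HCL config file (empty output if absent).
# Assumes one `data_dir = "..."` assignment on its own line, as in the question's config.
consul_data_dir() {
    sed -n 's/^[[:space:]]*data_dir[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Exit status: 0 = persistent location, 1 = volatile location (Vault data would be lost
# on reboot), 2 = no data_dir configured at all.
check_consul_data_dir() {
    dir=$(consul_data_dir "$1")
    [ -n "$dir" ] || { echo "no data_dir set in $1" >&2; return 2; }

    # Well-known directories that are cleared on boot on typical Linux installs (assumption).
    case "$dir" in
        /tmp|/tmp/*|/run|/run/*|/dev/shm|/dev/shm/*)
            echo "volatile data_dir: $dir is emptied on reboot" >&2
            return 1 ;;
    esac

    # If the directory already exists, also reject it when it sits on a tmpfs mount,
    # whatever its path. `df --output` is GNU-specific; on other systems this probe is skipped.
    if [ -d "$dir" ]; then
        fstype=$(df --output=fstype "$dir" 2>/dev/null | tail -n 1)
        if [ "$fstype" = "tmpfs" ]; then
            echo "volatile data_dir: $dir is on tmpfs" >&2
            return 1
        fi
    fi

    echo "persistent data_dir: $dir"
    return 0
}

# Usage: check_consul_data_dir /etc/consul.d/consul.hcl || echo "fix data_dir before starting Vault"
```

Run it against the config from the question and it fails on `/tmp/consul`; after switching to `/var/consul` it passes, which is a cheap guard to wire in before `vault server` starts.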