Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is possible to scale out Hashicorp Vault using DynamoDB storage backend?

Tags:

amazon-dynamodb

hashicorp-vault

I am using Vault on AWS with the DynamoDB backend. The backend supports HA.

storage "dynamodb" {
  ha_enabled = "true"
  region     = "us-west-2"
  table      = "vault-data"
}

Reading the HA concept documentation: https://www.vaultproject.io/docs/concepts/ha.html

To be highly available, one of the Vault server nodes grabs a lock within the data store. The successful server node then becomes the active node; all other nodes become standby nodes. At this point, if the standby nodes receive a request, they will either forward the request or redirect the client depending on the current configuration and state of the cluster -- see the sections below for details. Due to this architecture, HA does not enable increased scalability.

I am not interested in having a fleet of EC2 instances behind a ELB, where only 1 instance behaves like a master and talks to DynamoDB.

I would like to run N Ec2 instances running Vault, that read and write independently from DynamoDB.

Because DynamoDB supports read/write from multiple EC2 instances, I would expect to be able to unseal Vault from multiple instances simultaneously and perform read and write operations. This should work even with ha_enabled = "false", without doing the leader election.

Why this architecture is not suggested in the documentation ? Why it should not work ? Is there any cryptographic limitation that I am missing ?

thank you

like image 217
Saverio Proto Avatar asked Nov 06 '22 20:11

Saverio Proto

1 Answers

It is a feature of Vault Enterprise. With it, you can set up a primary cluster and as many "secondary" clusters, better known as performance replicas. Each cluster has its own storage and unseal mechanism. So you could have one cluster on Dynamo DB and the other on Raft. If both are on Dynamo DB, then you'll need a Dynamo DB table for each.

But keep in mind that performance replicas will always forward write operations to the primary cluster. A write operation is something that affect the global state of Vault. In that sense a POST to /transit is not considered a write operation.

Another possibility is to have your kv store mounted locally (with the -local flag). Then it will behave like a primary even when mounted on a performance replica, at the price of not being able to replicate to the other cluster.

A final note: DR clusters are an exact copy of any cluster. Each cluster, whether a primary or a replica, can have its DR cluster.

like image 176
ixe013 Avatar answered Nov 30 '22 05:11

ixe013
Sign in to Comment

Related questions

AWS node.js lambda request dynamodb but no response (no err, no return data)
How Can I Store the array of objects in DynamoDB
DynamoDB Trigger Lambda Function PROBLEM: Function call failed
Integrate DynamoDb in Sails js
Slower execution of AWS Lambda batch-writes to DynamoDB with multiple threads
DynamoDB - How to calculate the read throughput for queries
DynamoDB queryPage operation with FilterExpression returning empty result as well as lastEvaluatedKey
amazon dynamodb fiter expression return error
Make a listener to know when a new item is being added to DynamoDB
How can I measure the propagation latency of DynamoDB Streams?
How to process DynamoDB Stream in a Spark streaming application
documentclient put is not working, tried everything
PHP AWS DynamoDB: Limit the Number of Total Query Results Using an Iterator
Are dynamodb update expressions strongly consistent?
Do DynamoDB Queries of composite Sort Key's made of two ISO 8061 dates return correct results (with BETWEEN)?
How to get the latest record inserted in dynamodb

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!