Nick's Blog

Vault Error unsealing: Error making API request.

HashiCorp recently published a Helm chart for Vault. I'm trying it out today. Unfortunately, there is currently no way to install it from the remote repo. You have to clone the repo, check out a specific version, and run helm install against the local directory.

You can find the instructions in their GitHub repo. The installation is actually pretty easy and straightforward. The following is a short version.

# Clone the repo
$ git clone https://github.com/hashicorp/vault-helm.git
$ cd vault-helm

# checkout a tagged version
$ git checkout v0.1.0

# Install the chart
$ helm install --name=vault .

# Check status
$ kubectl exec vault-0 -- vault status

# Initialize
$ kubectl exec vault-0 -- vault operator init -n 1 -t 1

However, I did come across an issue when I tried to unseal the vault. I was getting the following error when I tried to unseal.

vault operator unseal cy5Nc1doY3hmZ2dtT1hUTENBLAYzaU1jcXA=
Error unsealing: Error making API request.

URL: PUT http://localhost:8200/v1/sys/unseal
Code: 500. Errors:

* crypto/aes: invalid key size 26

After troubleshooting for quite a while, I realised there are two tokens: one is used for unsealing, the other is the root token. And I was using the root token all the time. You are probably wondering, though: the root token is not in base64 format. That is correct, because I manually encoded it into base64 format.

The previous error I was getting was:

kubectl exec -it vault-0 -- vault operator unseal s.MsWhcxfggBLATLCE9v3iMcqp
Error unsealing: Error making API request.

URL: PUT http://localhost:8200/v1/sys/unseal
Code: 400. Errors:

* 'key' must be a valid hex or base64 string

So when you run vault operator init, you get two different things: one is the unseal key, the other is the initial root token. Make sure you use the right one to unseal.
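A pre-flight check for the mix-up described above, as an added example that is not part of the original post: it classifies a value as a root token, an unencoded string, or a key of plausible size before it is passed to vault operator unseal. The function names, the hvs. prefix check, GNU base64 -d, and the expected sizes of 32 or 33 bytes are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumptions: GNU coreutils `base64 -d`; a decoded unseal key is 32 bytes
# (single share, as with `-n 1`) or 33 bytes (one Shamir share).

# decoded_len VALUE: print the byte length after hex or base64 decoding.
# Returns 1 if VALUE is neither, which is the case behind the 400 error.
decoded_len() {
  dl_v=$1
  if printf '%s' "$dl_v" | grep -Eq '^([0-9a-fA-F]{2})+$'; then
    echo $(( ${#dl_v} / 2 ))
  elif printf '%s' "$dl_v" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' \
       && [ $(( ${#dl_v} % 4 )) -eq 0 ]; then
    printf '%s' "$dl_v" | base64 -d | wc -c | tr -d ' '
  else
    return 1
  fi
}

# classify_unseal_input VALUE: print one of
#   root-token | not-encoded | wrong-size:<n> | plausible-key:<n>
classify_unseal_input() {
  case $1 in
    # "s." is the token format shown in the post; "hvs." is used by newer Vault.
    s.*|hvs.*) echo "root-token"; return 0 ;;
  esac
  cu_n=$(decoded_len "$1") || { echo "not-encoded"; return 0; }
  case $cu_n in
    32|33) echo "plausible-key:$cu_n" ;;
    *)     echo "wrong-size:$cu_n" ;;   # e.g. 26: a base64-encoded root token
  esac
}

# Demo: the two values from the post, plus a constructed all-zero 32-byte key.
for sample in \
  's.MsWhcxfggBLATLCE9v3iMcqp' \
  'cy5Nc1doY3hmZ2dtT1hUTENBLAYzaU1jcXA=' \
  "$(head -c 32 /dev/zero | base64)"
do
  printf '%-46s %s\n' "$sample" "$(classify_unseal_input "$sample")"
done
```

The base64-encoded root token decodes to 26 bytes, which is the size reported in the crypto/aes error.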