Most endpoints under /v1/sys that require authentication are not available. An exception has been made for the following endpoints:
The admin policy used to generate admin tokens is located in the customer admin namespace and is named hcp-root. Although the customer can edit this policy in their namespace, it should not be edited. If needed, HCP Vault will update this policy to the general admin policy, and all customizations by the user will be removed. If this policy is edited, admin tokens will not act as root tokens in the namespace, and you will be restricted from performing all operations. In the future, we plan to limit the modifications of this policy and/or regenerate this policy before generating an admin token. Currently, the recovery of this policy is manual for the HCP operators and may delay recovery of your Vault cluster.
HCP Vault only supports Raft integrated storage and cannot be reconfigured to use Consul as a storage backend.
There is currently a small UI-related regression when the TLS Certificate Authentication method is enabled on HCP Vault. The regression stems from the fact that the Go TLS client does not support post-handshake authentication, which causes the web browser to present a pop-up for selecting client certificates on the user's machine while connecting to the Vault UI. You can work around this by closing the pop-up. If your use case of HCP Vault is headless (UI interactions are limited), you may file a support ticket and we can optionally enable this feature.
In order to use AWS IAM Authentication, it is important to configure roles with resolve_aws_unique_ids=false so that it can work without needing to grant the HCP Vault AWS account any permissions.
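One way to check existing AWS auth roles against this requirement is the audit below, an added example that is not HashiCorp's code. It assumes each role was exported with `vault read -format=json auth/aws/role/<name>`; the role names, ARNs and AMI ID are constructed sample data, and audit_role/audit_roles are hypothetical helper names.

```python
import json

# Constructed sample data: each value is shaped like the output of
# `vault read -format=json auth/aws/role/<name>`; names and ARNs are made up.
SAMPLE_ROLES = {
    "ci-runner": json.dumps({"data": {
        "auth_type": "iam",
        "bound_iam_principal_arn": ["arn:aws:iam::111122223333:role/ci-runner"],
        "resolve_aws_unique_ids": True}}),
    "batch-jobs": json.dumps({"data": {
        "auth_type": "iam",
        "bound_iam_principal_arn": ["arn:aws:iam::111122223333:role/batch"],
        "resolve_aws_unique_ids": False}}),
    "legacy-app": json.dumps({"data": {  # field absent in this export
        "auth_type": "iam",
        "bound_iam_principal_arn": "arn:aws:iam::111122223333:user/legacy"}}),
    "web-fleet": json.dumps({"data": {
        "auth_type": "ec2",
        "bound_ami_id": ["ami-0abc1234"]}}),
}


def audit_role(name, raw_json):
    """Return a finding for an IAM-type role that does not set
    resolve_aws_unique_ids=false, or None if the role is fine."""
    data = json.loads(raw_json).get("data") or {}
    # The guidance concerns IAM authentication, so other auth types are skipped.
    if data.get("auth_type") != "iam":
        return None
    # Assumption: a missing field is treated as Vault's default, which is true.
    if data.get("resolve_aws_unique_ids", True) is False:
        return None
    arns = data.get("bound_iam_principal_arn") or []
    if isinstance(arns, str):  # tolerate a single ARN given as a string
        arns = [arns]
    return {"role": name, "principals": arns}


def audit_roles(roles):
    """Audit a {role_name: raw_json} mapping; findings are sorted by role name."""
    findings = (audit_role(name, raw) for name, raw in sorted(roles.items()))
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for finding in audit_roles(SAMPLE_ROLES):
        print(f"{finding['role']}: resolve_aws_unique_ids is not false "
              f"(principals: {', '.join(finding['principals'])})")
```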
Vault diagnostic (e.g. server) logs are not accessible to HCP Vault customers today. If you require assistance from the Support Team to help you troubleshoot a specific diagnostic issue, you can open a support ticket.
HCP Vault does not currently support the use of external Vault plugins for Auth Methods and Secret Engines. Please share feedback with us if not having plugin support prevents you from adopting HCP Vault.