No Access to Root Namespace
Vault system API
Most endpoints under /v1/sys that require authentication are not available. An exception has been made for the following endpoints:
Admin Token Policy
The admin policy used to generate admin tokens is located in the customer admin namespace and is named hcp-root. Although this policy is editable by the customer in their namespace, it should not be edited. If needed, this policy will be updated to the general admin policy by HCP Vault, and all customizations by the user are removed.
By editing this policy, admin tokens will not act as root tokens in the namespace and you will be restricted from performing all operations. In the future, we plan to limit the modifications of this policy and/or regenerate this policy before generating an admin token. Currently, the recovery of this policy is manual for the HCP operators and may delay recovery of your Vault cluster.
Integrated Storage Only
HCP Vault only supports raft integrated storage, and cannot be reconfigured to use Consul as a storage backend.
TLS Certificate Authentication
There is currently a small UI-related regression when the TLS Certificate Authentication method is enabled on HCP Vault. The regression stems from the fact that the Go TLS client does not support post-handshake authentication, which causes the web browser to present a pop-up to select the client certs on the user machine while connecting to the Vault UI. You can circumvent this by closing the pop-up screen. If your use case of HCP Vault is headless (UI interactions are limited), you may file a support ticket here and we can optionally enable this feature.
AWS IAM Authentication
In order to use AWS IAM Authentication, it is important to configure roles with resolve_aws_unique_ids=false so that authentication works without needing to grant the HCP Vault AWS account any permissions.
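The setting above is easy to get wrong on an existing role, because resolve_aws_unique_ids defaults to true. The following added audit script (not HCP Vault's or HashiCorp's own code) reads the JSON that `vault read -format=json auth/aws/role/<name>` prints, flags every role that still resolves unique IDs, and builds the `vault write` command that recreates the role with the flag turned off. The role names, ARNs and policies in the sample are constructed, and the "aws" mount path is an assumption; the only real identifiers are the AWS auth method's own field names.

```python
"""Audit AWS auth method roles for resolve_aws_unique_ids on HCP Vault.

Added example, not HCP Vault's own tooling. Input is the JSON printed by
`vault read -format=json auth/aws/role/<name>`, so it runs offline against
the constructed sample below.
"""
import json

# Constructed sample of two hypothetical roles, shaped like the `data`
# object Vault returns. Only the fields this audit uses are included.
SAMPLE_ROLES = {
    "app-role": json.dumps({
        "data": {
            "auth_type": "iam",
            "bound_iam_principal_arn": ["arn:aws:iam::123456789012:role/app"],
            "resolve_aws_unique_ids": False,
            "token_policies": ["app"],
        }
    }),
    "legacy-role": json.dumps({
        "data": {
            "auth_type": "iam",
            "bound_iam_principal_arn": ["arn:aws:iam::123456789012:role/legacy"],
            "resolve_aws_unique_ids": True,
            "token_policies": ["legacy", "default"],
        }
    }),
}


def role_needs_fix(role_json: str) -> bool:
    """Return True when the role still resolves bound ARNs to unique IDs.

    With resolve_aws_unique_ids=true Vault has to look up the bound IAM
    principals through the AWS IAM API, which needs permissions that the
    HCP Vault AWS account is not granted; logins with such a role fail.
    """
    data = json.loads(role_json)["data"]
    # Vault's default for the flag is true, so a missing key counts as true.
    return bool(data.get("resolve_aws_unique_ids", True))


def audit(roles: dict) -> list:
    """Return the sorted names of roles that need resolve_aws_unique_ids=false."""
    return sorted(name for name, body in roles.items() if role_needs_fix(body))


def fix_command(name: str, role_json: str, mount: str = "aws") -> str:
    """Build the `vault write` command that recreates a flagged role.

    The bound principals and policies are repeated from the existing role so
    the command is complete on its own; the mount path `aws` is assumed.
    """
    data = json.loads(role_json)["data"]
    return " ".join([
        f"vault write auth/{mount}/role/{name}",
        f"auth_type={data['auth_type']}",
        "bound_iam_principal_arn=" + ",".join(data["bound_iam_principal_arn"]),
        "token_policies=" + ",".join(data["token_policies"]),
        "resolve_aws_unique_ids=false",
    ])


if __name__ == "__main__":
    for role in audit(SAMPLE_ROLES):
        print(f"{role}: resolves unique IDs; fix with:")
        print("  " + fix_command(role, SAMPLE_ROLES[role]))
```

To use it against a real cluster, replace SAMPLE_ROLES with the output of `vault list auth/aws/role` followed by one `vault read -format=json` per role; the generated command includes the original bound principals, so re-running it does not loosen the role's binding.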
Diagnostic Logs
Vault diagnostic (e.g. server) logs are not accessible to HCP Vault customers today. If you require assistance from the Support Team to help you troubleshoot a specific diagnostic issue, you can open a support ticket.
No Support for External Plugins
HCP Vault does not currently support the use of external Vault plugins for Auth Methods and Secret Engines. Please share feedback with us if not having plugin support prevents you from adopting HCP Vault.
Sentinel
Sentinel is exclusively available on Plus tier clusters along with all other governance & policy features, but only Sentinel has been validated. When downgrading to another tier, it is important to delete all existing Sentinel policies beforehand. Sentinel endpoints are not available after downgrading.
Namespace API Lock Constraints
When using the Namespace API lock functionality through the UI there are some limitations:
- It is not possible to lock or unlock the cluster when its state is anything other than RUNNING or LOCKED.
- In the performance replication scenario, it is not possible to lock or unlock a secondary directly; you should instead operate on the primary, which will then replicate the lock status to the secondary.
- Additionally, it is not possible to lock or unlock the primary when the secondary is not RUNNING or LOCKED.