HashiCorp Cloud Platform
Constraints and limitations
No access to root namespace
The HCP platform team reserves the root namespace for cluster administration and operations. The root namespace is not customer accessible.
Refer to the Manage tenants with Vault namespaces tutorial for a walkthrough of managing namespaces with HCP Vault Dedicated.
Vault system API
Most endpoints under /v1/sys that require authentication are not available. An exception has been made for the following endpoints:
Admin token policy
The admin token used with HCP Vault Dedicated uses a policy named hcp-root, located in the admin namespace.
Although this policy is editable, you should not edit it.
HCP Vault Dedicated resets this policy to the default admin policy, and any customizations made by the user are removed.
Recovering this policy is a manual task for the HCP operators and may delay support for your Vault cluster.
Workload identity federation for Vault
Workload identity federation (WIF) is not supported in HCP Vault Dedicated for Vault auth methods and secrets engines.
Note
This limitation does not affect workload identity federation for the HashiCorp Cloud Platform.
Integrated Storage only
HCP Vault Dedicated uses raft integrated storage. You cannot reconfigure Vault Dedicated to use other storage backends.
TLS certificate authentication
TLS authentication is not available by default in HCP Vault Dedicated.
To use the TLS authentication method in Vault Dedicated, submit a support request to have the feature enabled.
When using the TLS auth method with HCP Vault Dedicated and accessing the cluster UI through a web browser, you may see a pop-up asking you to select a client certificate. You can close the pop-up and continue to the Vault UI.
AWS Cross Account Setup
AWS cross-account access is not available by default in HCP Vault Dedicated.
To use cross-account access in Vault Dedicated on AWS, submit a support request to have the feature enabled.
Vault Dedicated on AWS supports cross-account access for the AWS authentication method and AWS secrets engine.
External storage for tokenization
The transform secrets engine is available on HCP Vault Dedicated Plus tier clusters, but external storage for tokenization is not supported.
Diagnostic logs
Vault diagnostic (server) logs are not accessible for HCP Vault Dedicated clusters. If you require help, you can open a support ticket to have the support team assist you with troubleshooting a specific diagnostic issue.
External plugins
The Oracle Database secrets engine and HashiCorp partner plugins are the only external plugins available in Vault Dedicated.
Vault Dedicated does not support other user-provided external Vault plugins. If you would like to see future support for additional plugins on Vault Dedicated, please share feedback here.
Rate limits
Each cluster tier and size supports a specific number of requests per second (RPS). These limits ensure the cluster remains performant and reliable.
Cluster size | Development | Standard | Plus |
---|---|---|---|
Extra small (1 node) | 60 RPS | N/A | N/A |
Small (3 nodes) | N/A | 400 RPS | 400 RPS |
Medium (3 nodes) | N/A | No limit | No limit |
Large (3 nodes) | N/A | No limit | No limit |
Performance replication clusters do not have rate limits.
Rate limit errors
If your workloads exceed the rate limit for your cluster tier and size, the request returns the response error message:
> hvac.exceptions.RateLimitExceeded: request path "transit/encrypt/example": rate limit quota exceeded, on post https://vault-cluster....
Fix RateLimitExceeded errors
Upgrade your cluster tier or increase the size to support your workloads, and scale down as needed.
You can scale a cluster up or down using the HCP Portal or the HCP Terraform provider.
Learn more in the Manage HCP Vault Dedicated with Terraform tutorial.
Note
You cannot scale down to the development tier.
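Scaling the cluster is the fix, but a client should also tolerate brief throttling instead of retrying in a tight loop that keeps it pinned at the limit. The following is an added example, not code from HashiCorp's page or from the hvac project: it wraps a Vault call in capped exponential backoff with full jitter and gives up after a bounded number of attempts. The RateLimitExceeded class here is a local stand-in for hvac.exceptions.RateLimitExceeded so the block runs offline; the simulated transit/encrypt call, its ciphertext value and the backoff parameters are all constructed assumptions.

```python
"""Bounded retry with backoff for HCP Vault Dedicated rate-limit errors.

Added example (not from HashiCorp or hvac). With the real client, catch
hvac.exceptions.RateLimitExceeded instead of the local stand-in below.
"""
import random
import time
from typing import Callable, List, Optional, Tuple, TypeVar

T = TypeVar("T")


class RateLimitExceeded(Exception):
    """Stand-in for hvac.exceptions.RateLimitExceeded (Vault answered HTTP 429)."""


def call_with_backoff(
    op: Callable[[], T],
    max_attempts: int = 5,
    base_delay: float = 0.2,
    max_delay: float = 5.0,
    sleep: Callable[[float], None] = time.sleep,
    rng: Optional[random.Random] = None,
) -> Tuple[T, int]:
    """Run op(); on RateLimitExceeded wait with capped exponential backoff and
    full jitter, then retry. Returns (result, attempts_used). The last failure
    is re-raised so a persistently throttled cluster surfaces as an error
    instead of an endless retry storm that itself consumes the RPS budget."""
    rng = rng or random.Random()
    for attempt in range(1, max_attempts + 1):
        try:
            return op(), attempt
        except RateLimitExceeded:
            if attempt == max_attempts:
                raise
            delay = min(max_delay, base_delay * 2 ** (attempt - 1))
            sleep(rng.uniform(0, delay))  # full jitter spreads retries out
    raise AssertionError("unreachable")  # loop always returns or raises


def simulate(failures_before_success: int, max_attempts: int = 5,
             seed: int = 0) -> Tuple[str, int, List[float]]:
    """Drive call_with_backoff against a constructed stand-in for
    transit/encrypt that is throttled for its first N calls. Sleeping is
    stubbed out and recorded. Returns (result, attempts, recorded_sleeps)."""
    state = {"calls": 0}

    def encrypt() -> str:
        state["calls"] += 1
        if state["calls"] <= failures_before_success:
            raise RateLimitExceeded(
                'request path "transit/encrypt/example": rate limit quota exceeded')
        return "vault:v1:c2FtcGxl"  # constructed ciphertext, not real Vault output

    sleeps: List[float] = []
    result, attempts = call_with_backoff(
        encrypt, max_attempts=max_attempts, sleep=sleeps.append,
        rng=random.Random(seed))
    return result, attempts, sleeps


if __name__ == "__main__":
    result, attempts, sleeps = simulate(failures_before_success=2)
    print(f"{result} after {attempts} attempts, waited {[round(s, 3) for s in sleeps]}")
```

The bound on attempts matters on a shared cluster: unbounded retries from many clients turn a short burst into sustained pressure at the limit, so prefer surfacing the error to the caller (and to your metrics) once the budget is exhausted.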
Sentinel and control groups
Sentinel policies and control groups, part of Vault's governance and policy features, are available for Plus tier Vault Dedicated clusters.
If you use these features and need to scale your cluster down to a different tier, we recommend that you delete existing Sentinel policies and remove any control group settings within existing ACL policies.
If a Sentinel policy prevents admin token generation for your cluster, submit a support request to have the offending policy deleted.
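Before scaling a Plus tier cluster down, it helps to inventory exactly which Sentinel policies exist and which ACL policies carry a control_group stanza, so nothing is left behind that would block the move or, worse, an admin token. The following audit script is an added example and not HashiCorp's tooling. It lists the egp and rgp policy types under sys/policies and scans each ACL policy's HCL for a control_group block. The transport is injected: vault_fetch talks to a real cluster over the Vault HTTP API (assuming the standard VAULT_ADDR, VAULT_TOKEN and VAULT_NAMESPACE variables, with the HCP admin namespace set in the latter), while sample_fetch serves constructed responses so the block runs offline. All policy names and HCL bodies in the sample are constructed.

```python
"""Pre-scale-down audit for Sentinel policies and control groups.

Added example, not HashiCorp's own tooling. Endpoints used: LIST
sys/policies/egp, LIST sys/policies/rgp, LIST sys/policies/acl and GET
sys/policies/acl/<name>; Vault returns 404 for an empty LIST, which the
transport maps to None.
"""
import json
import os
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional

# (method, path) -> decoded JSON body, or None when Vault answered 404.
Fetch = Callable[[str, str], Optional[dict]]

# Matches an HCL `control_group = {` or `control_group {` stanza, and the JSON
# policy form `"control_group": {`, at the start of a line (commented-out
# lines start with '#' and are ignored).
CONTROL_GROUP_RE = re.compile(r'^\s*"?control_group"?\s*[=:]?\s*\{', re.MULTILINE)


def vault_fetch(method: str, path: str) -> Optional[dict]:
    """Real transport against /v1/<path>. Assumes VAULT_ADDR, VAULT_TOKEN and,
    for HCP Vault Dedicated, VAULT_NAMESPACE (e.g. admin) are set."""
    req = urllib.request.Request(f"{os.environ['VAULT_ADDR']}/v1/{path}", method=method)
    req.add_header("X-Vault-Token", os.environ["VAULT_TOKEN"])
    if os.environ.get("VAULT_NAMESPACE"):
        req.add_header("X-Vault-Namespace", os.environ["VAULT_NAMESPACE"])
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def list_policies(fetch: Fetch, policy_type: str) -> List[str]:
    body = fetch("LIST", f"sys/policies/{policy_type}")
    return sorted(body["data"]["keys"]) if body else []


def read_acl_policy(fetch: Fetch, name: str) -> str:
    body = fetch("GET", f"sys/policies/acl/{name}")
    return body["data"]["policy"] if body else ""


def has_control_group(policy_hcl: str) -> bool:
    return bool(CONTROL_GROUP_RE.search(policy_hcl))


def audit(fetch: Fetch) -> Dict[str, List[str]]:
    """Return what must be removed before moving to a lower tier: every
    Sentinel (egp/rgp) policy and every ACL policy with a control_group."""
    return {
        "egp": list_policies(fetch, "egp"),
        "rgp": list_policies(fetch, "rgp"),
        "acl_with_control_group": [
            name for name in list_policies(fetch, "acl")
            if has_control_group(read_acl_policy(fetch, name))
        ],
    }


# Constructed sample responses (not from a real cluster) for offline use.
FINANCE_HCL = (
    'path "secret/data/finance/*" {\n'
    '  capabilities = ["read"]\n'
    '  control_group = {\n'
    '    factor "approvers" {\n'
    '      identity {\n'
    '        group_names = ["finance-managers"]\n'
    '        approvals = 1\n'
    '      }\n'
    '    }\n'
    '  }\n'
    '}\n'
)
SAMPLE_RESPONSES = {
    ("LIST", "sys/policies/egp"): {"data": {"keys": ["no-prod-writes-after-hours"]}},
    ("LIST", "sys/policies/rgp"): None,  # empty LIST -> 404 -> None
    ("LIST", "sys/policies/acl"): {"data": {"keys": ["default", "finance-reader", "app-kv"]}},
    ("GET", "sys/policies/acl/finance-reader"): {"data": {"policy": FINANCE_HCL}},
    ("GET", "sys/policies/acl/default"): {"data": {"policy": 'path "auth/token/lookup-self" {\n  capabilities = ["read"]\n}\n'}},
    ("GET", "sys/policies/acl/app-kv"): {"data": {"policy": '# control_group = {\npath "secret/data/app/*" {\n  capabilities = ["read", "list"]\n}\n'}},
}


def sample_fetch(method: str, path: str) -> Optional[dict]:
    return SAMPLE_RESPONSES.get((method, path))


if __name__ == "__main__":
    fetch = vault_fetch if os.environ.get("VAULT_ADDR") else sample_fetch
    print(json.dumps(audit(fetch), indent=2))
```

Run it with VAULT_ADDR, VAULT_TOKEN and VAULT_NAMESPACE=admin exported to audit a real cluster; without them it prints the result for the constructed sample. Deleting the listed Sentinel policies and removing the control_group stanzas from the flagged ACL policies is the cleanup the page recommends before scaling down.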
KMIP secrets engine
You must use the default KMIP listener port (5696).
Namespace API lock constraints
When using the Namespace API lock functionality through the UI, there are some limitations.
- You cannot lock or unlock the cluster if the state is not either Running or Locked.
- You cannot lock or unlock a performance secondary cluster directly. You must lock or unlock the primary cluster, which will then replicate the lock status to the secondary cluster.
- You cannot lock or unlock the primary cluster when the secondary cluster is not either Running or Locked.
PKI secrets engine EST support
When using HCP Vault Dedicated, there are limitations to the EST protocol with the PKI secrets engine:
- Uses the HCP hostname
- Contact support to enable TLS auth