HashiConf Our community conference is taking place in San Francisco and online October 10-12. Register now
HashiCorp Cloud Platform
HashiCorp Cloud Platform Home

No Access to Root Namespace

Vault system API

Most endpoints under /v1/sys that require authentication are not available. An exception has been made for the following endpoints:

Admin Token Policy

The admin policy used to generate admin tokens is located in the customer admin namespace and is named hcp-root. Although this policy is editable by the customer in their namespace, it should not be edited. If needed, this policy will be updated to the general admin policy by HCP Vault, and all customizations by the user are removed. By editing this policy, admin tokens will not act as root tokens in the namespace and you will be restricted from performing all operations. In the future, we plan to limit the modifications of this policy and/or regenerate this policy before generating an admin token. Currently, the recovery of this policy is manual for the HCP operators and may delay recovery of your Vault cluster.

Integrated Storage Only

HCP Vault only supports raft integrated storage, and cannot be reconfigured to use Consul as a storage backend.

TLS Certificate Authentication

There is currently a small UI-related regression when the TLS Certificate Authentication method is enabled on HCP Vault. The regression stems from the fact that Go TLS client does not support post handshake authentication, which causes the web browser to present a pop-up to select the client certs on the user machine while connecting to the Vault UI. You can circumvent this by closing the pop-up screen. If your use case of HCP Vault is headless (UI interactions are limited),you may file a support ticket here and we can optionally enable this feature.

AWS IAM Authentication

In order to use AWS IAM Authentication, it is important to configure roles with resolve_aws_unique_ids=false so that it can work without needing to grant the HCP Vault AWS account any permissions.

Diagnostic Logs

Vault diagnostic (e.g. server) logs are not accessible to HCP Vault customers today. If you require assistance from the Support Team to help you troubleshoot a specific diagnostic issue, you can open a support ticket.

No Support for External Plugins

HCP Vault does not currently support the use of external Vault plugins for Auth Methods and Secret Engines. Please share feedback with us if not having plugin support prevents you from adopting HCP Vault.

Sentinel

Sentinel is exclusively available on Plus tier clusters along with all other governance & policy features, but only Sentinel has been validated. When downgrading to another tier, it is important to delete all existing Sentinel policies beforehand. Sentinel endpoints are not available after downgrading.

Namespace API Lock Constraints

When using the Namespace API lock functionality through the UI there are some limitations:

  • Not possible to lock/unlock the cluster when its state is different than RUNNING/LOCKED.
  • In the performance replication scenario, it's not possible to lock/unlock a secondary directly, you should instead operate on the primary which will then replicate the lock status to the secondary.
  • Additionally, it's not possible to lock/unlock the primary when the secondary is not RUNNING/LOCKED.