HashiConf The full conference agenda's now LIVE. Buy your pass and plan your schedule. Register
HashiCorp Cloud Platform
HashiCorp Cloud Platform Home

Constraints and limitations

No access to root namespace

The root namespace is reserved for platform operations and is not customer accessible. Refer to the Manage tenants with Vault namespaces tutorial for a walkthrough of managing namespaces with HCP Vault Dedicated.

Vault system API

Most endpoints under /v1/sys that require authentication are not available. An exception has been made for the following endpoints:

Admin token policy

The admin policy used to generate admin tokens is located in the customer admin namespace and is named hcp-root. Although this policy is editable by the customer in their namespace, it should not be edited. If needed, this policy will be updated to the general admin policy by HCP Vault Dedicated, and all customizations by the user are removed. By editing this policy, admin tokens will not act as root tokens in the namespace and you will be restricted from performing all operations. In the future, we plan to limit the modifications of this policy and/or regenerate this policy before generating an admin token. Currently, the recovery of this policy is manual for the HCP operators and may delay recovery of your Vault cluster.

Workload identity federation for Vault

Workload identity federation (WIF) is not currently supported for Vault auth methods and secrets engines.

Note

This limitation does not affect workload identity federation for the HashiCorp Cloud Platform.

Integrated Storage only

HCP Vault Dedicated only supports raft integrated storage, and cannot be reconfigured to use Consul as a storage backend.

TLS certificate authentication

Not available by default. When the TLS auth method is enabled for HCP Vault Dedicated and the cluster's Vault UI is accesed via web browser, users may see a popup to select a client certificate. The pop-up can be closed and the Vault UI can still be accessed. To use the TLS authentication method in HCP Vault Dedicated, please submit a support request here to have the feature enabled.

AWS Cross Account Setup

Not available by default. HCP Vault Dedicated on AWS can support cross-account access for the AWS authentication method and AWS secrets engine, please submit a support request here to have the feature enabled.

External storage for tokenization

The Transform Secrets Engine is available on HCP Vault Dedicated Plus tier clusters, but external storage for tokenization is not supported at this time.

Diagnostic logs

Vault diagnostic (e.g. server) logs are not accessible to HCP Vault Dedicated customers today. If you require assistance from the Support Team to help you troubleshoot a specific diagnostic issue, you can open a support ticket.

External plugins

The Oracle Database Secrets Engine and HashiCorp Partner Plugins are the only external plugin currently available in HCP Vault Dedicated. HCP Vault Dedicated does not currently support user provided external Vault plugins. If you'd like to see future support of additional plugins on HCP Vault Dedicated, please share feedback here.

Rate limits

Request rate limits are enforced on certain instance sizes. The response message for rate limit enforcement will be similar to this example:

> hvac.exceptions.RateLimitExceeded: request path "transit/encrypt/example":
rate limit quota exceeded, on post https://vault-cluster....

See this article for more detail.

Sentinel and Control Groups

Sentinel policies and Control Groups, part of Vault's governance and policy features, are only available for Plus tier HCP Vault clusters. If you are using these features and need to scale your cluster to a different tier, it is recommended to delete existing Sentinel policies and remove any control group settings within existing ACL policies within your Vault instance. These features will only work in Plus tier clusters.'

If a Sentinel policy prevents admin token generation for your cluster, please file a support ticket here to have the offending policy deleted.

KMIP secrets engine

All ADP features, including the KMIP secrets engine, are only available for Plus tier HCP Vault clusters. The KMIP listener can only be configured to the default port (5696).

Namespace API lock constraints

When using the Namespace API lock functionality through the UI there are some limitations:

  • Not possible to lock/unlock the cluster when its state is different than RUNNING/LOCKED.
  • In the performance replication scenario, it's not possible to lock/unlock a secondary directly, you should instead operate on the primary which will then replicate the lock status to the secondary.
  • Additionally, it's not possible to lock/unlock the primary when the secondary is not RUNNING/LOCKED.

PKI secrets engine EST support

Vault 1.18 introduces support for the EST protocol in the PKI secrets engine. When using HCP Vault Dedicated, there are limitations to the EST protocol:

  • Uses the HCP hostname
  • Contact support to enable TLS auth