Introduction
In Vault 1.8+, Vault Enterprise introduces a new mechanism for managing licenses: License Autoloading.
The previous method, in which the license is written into Vault storage with the PUT sys/license API, is deprecated and will be removed in a future release.
Due to misconfiguration, an upgraded Vault 1.8 Enterprise may fail to autoload the license, or may report autoloading_used as false.
Background
Autoloading can be done using one of these methods: the VAULT_LICENSE environment variable, the VAULT_LICENSE_PATH environment variable, or the license_path parameter in the config file.
The methods do not conflict with each other, but each has its own priority level. If autoloading is used, any existing stored license is ignored; it is recommended to remove the stored license using the DELETE API.
Autoloading priority level:
VAULT_LICENSE environment variable > VAULT_LICENSE_PATH environment variable > license_path in config.
Using a license file via license_path can be more convenient and easier to maintain, with less chance of disruption when the Vault license needs to be updated. Here is an analysis of the advantages and disadvantages of each license method.
Procedure
- Verify license status:
    vault read sys/license
  Vault returns expiration_time, features, license_id, performance_standby_count.
- Verify license status:
    vault read sys/license/status
  This lists autoloading_used as true or false. If the value is false, the license is not configured correctly.
  - Vault will show a warning if the autoloading_used value is false:
    "WARNING! The following warnings were returned from Vault: not using autoloaded license, this option will be deprecated in future"
- Save the Vault license string separately in a file, for example license.hclic.
- Open the Vault config file and add the license_path parameter with the path to the license file. For example, license_path = "./license.hclic". Then save the config file.
- Shut down, then restart Vault with the config file, using the command:
    vault server -config=vault_config.hcl
  Successfully loaded license:
    ==> Vault server configuration:
    ... ... ...
    ==> Vault server started! Log data will stream in below:
    2021-09-21T11:54:21.571-0400 [INFO] Core: using autoloaded license: license="{"license_id":"xxxxxx-xxxx-xxxx-xxx-xxxxxxxx",...}
- After Vault unseal and login, verify with:
    vault read sys/license/status
  Vault should return autoloading_used true.
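
The priority order from the Background section can be checked before restarting Vault. The following shell function is an added example, not part of the original article or of Vault's tooling: it reports which autoload source would take effect for a given config file and whether the license file it points to is usable. The function name license_source and the line-based parsing of license_path are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): report which license
# autoloading source takes effect, using the article's priority order:
#   VAULT_LICENSE > VAULT_LICENSE_PATH > license_path in config.
# Usage: license_source ./vault_config.hcl
# Prints "<source> <detail>". Returns 0 if a usable source is found,
# 1 if no autoload source is configured, 2 if the license file is unusable.
# Assumption: license_path is on one line in the form license_path = "...".
license_source() {
    config_file=$1

    # 1. License string passed directly in the environment wins.
    if [ -n "${VAULT_LICENSE:-}" ]; then
        echo "VAULT_LICENSE (inline license string)"
        return 0
    fi

    if [ -n "${VAULT_LICENSE_PATH:-}" ]; then
        # 2. Path to a license file passed in the environment.
        origin=VAULT_LICENSE_PATH
        path=$VAULT_LICENSE_PATH
    else
        # 3. license_path in the config file (comment lines do not match).
        origin=license_path
        path=$(sed -n \
            's/^[[:space:]]*license_path[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' \
            "$config_file" 2>/dev/null | head -n 1)
    fi

    if [ -z "$path" ]; then
        echo "none (no autoload source configured)"
        return 1
    fi

    # Relative paths such as ./license.hclic are checked against the current
    # directory, so run this from the directory Vault is started in.
    if [ ! -r "$path" ] || [ ! -s "$path" ]; then
        echo "$origin $path (missing, unreadable or empty)"
        return 2
    fi

    echo "$origin $path"
    return 0
}
```

A result naming VAULT_LICENSE or VAULT_LICENSE_PATH when you expected license_path means a leftover environment variable is overriding the config file.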