scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-11-26 23:05:11 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
e47c7e866a47f45f1938a44fa13c728ad1af783f
vault/website/source/docs/configuration/storage/dynamodb.html.md
James Nugent 7480287181 physical/dynamodb: Clarify ha_enabled type (#3703) 
The example in the documentation correctly passes a quoted boolean (i.e.
true or false as a string) instead of a "real" HCL boolean. This commit
corrects the parameter list to document that fact.

While it would be more desirable to change the implementation to accept
an unquoted boolean, it seems that the use of `hcl.DecodeObject` for
parameters which are not common to all storage back ends would make this
a rather more involved change than this necessarily warrants.
2017-12-18 09:30:29 -05:00

110 lines
4.0 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
layout: "docs"
page_title: "DynamoDB - Storage Backends - Configuration"
sidebar_current: "docs-configuration-storage-dynamodb"
description: |-
The DynamoDB storage backend is used to persist Vault's data in DynamoDB
table.
---
# DynamoDB Storage Backend
The DynamoDB storage backend is used to persist Vault's data in
[DynamoDB][dynamodb] table.
- **High Availability** the DynamoDB storage backend supports high
availability. Because DynamoDB uses the time on the Vault node to implement
the session lifetimes on its locks, significant clock skew across Vault nodes
could cause contention issues on the lock.
- **Community Supported** the DynamoDB storage backend is supported by the
community. While it has undergone review by HashiCorp employees, they may not
be as knowledgeable about the technology. If you encounter problems with them,
you may be referred to the original author.
```hcl
storage "dynamodb" {
ha_enabled = "true"
region = "us-west-2"
table = "vault-data"
}
```
For more information about the read/write capacity of DynamoDB tables, please
see the [official AWS DynamoDB documentation][dynamodb-rw-capacity].
## `dynamodb` Parameters
- `endpoint` `(string: "")` Specifies an alternative, AWS compatible, DynamoDB
endpoint. This can also be provided via the environment variable
`AWS_DYNAMODB_ENDPOINT`.
- `ha_enabled` `(string: "false")` Specifies whether this backend should be used
to run Vault in high availability mode. Valid values are "true" or "false". This
can also be provided via the environment variable `DYNAMODB_HA_ENABLED`.
- `max_parallel` `(string: "128")` Specifies the maximum number of concurrent
requests.
- `region` `(string "us-east-1")` Specifies the AWS region. This can also be
provided via the environment variable `AWS_DEFAULT_REGION`.
- `read_capacity` `(int: 5)` Specifies the maximum number of reads consumed
per second on the table. This can also be provided via the environment
variable `AWS_DYNAMODB_READ_CAPACITY`.
- `table` `(string: "vault-dynamodb-backend")` Specifies the name of the
DynamoDB table in which to store Vault data. If the specified table does not
yet exist, it will be created during initialization. This can also be
provided via the environment variable `AWS_DYNAMODB_TABLE`.
- `write_capacity` `(int: 5)` Specifies the maximum number of writes performed
per second on the table. This can also be provided via the environment
variable `AWS_DYNAMODB_WRITE_CAPACITY`.
The following settings are used for authenticating to AWS. If you are
running your Vault server on an EC2 instance, you can also make use of the EC2
instance profile service to provide the credentials Vault will use to make
DynamoDB API calls. Leaving the `access_key` and `secret_key` fields empty will
cause Vault to attempt to retrieve credentials from the AWS metadata service.
- `access_key` `(string: <required>)` Specifies the AWS access key. This can
also be provided via the environment variable `AWS_ACCESS_KEY_ID`.
- `secret_key` `(string: <required>)` Specifies the AWS secret key. This can
also be provided via the environment variable `AWS_SECRET_ACCESS_KEY`.
- `session_token` `(string: "")` Specifies the AWS session token. This can
also be provided via the environment variable `AWS_SESSION_TOKEN`.
## `dynamodb` Examples
### Custom Table and Read-Write Capacity
This example shows using a custom table name and read/write capacity.
```hcl
storage "dynamodb" {
table = "my-vault-data"
read_capacity = 10
write_capacity = 15
}
```
### Enabling High Availability
This example show enabling high availability for the DynamoDB storage backend.
```hcl
api_addr = "https://vault-leader.my-company.internal"
storage "dynamodb" {
ha_enabled = "true"
...
}
```
[dynamodb]: https://aws.amazon.com/dynamodb/
[dynamodb-rw-capacity]: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/WorkingWithTables.html#ProvisionedThroughput
Reference in New Issue View Git Blame Copy Permalink