Constraints and Known Issues
No access to root namespace
Vault system API
Most endpoints under /v1/sys that require authentication are not available. An exception has been made for the following endpoints:
Admin token policy
The admin policy used to generate admin tokens is located in the customer's admin namespace and is named hcp-root. Although this policy is editable by the customer in their namespace, it should not be edited. If needed, HCP Vault will reset this policy to the general admin policy, and all customizations made by the user are removed.
If you edit this policy, admin tokens will no longer act as root tokens in the namespace, and you will be restricted from performing all operations. In the future, we plan to limit modifications of this policy and/or regenerate it before generating an admin token. Currently, recovery of this policy is a manual step for the HCP operators and may delay recovery of your Vault cluster.
Integrated Storage only
HCP Vault only supports raft integrated storage, and cannot be reconfigured to use Consul as a storage backend.
TLS certificate authentication
There is currently a small UI-related regression when the TLS Certificate Authentication method is enabled on HCP Vault. The regression stems from the fact that the Go TLS client does not support post-handshake authentication, which causes the web browser to present a pop-up for selecting a client certificate on the user's machine while connecting to the Vault UI. You can circumvent this by closing the pop-up. If your use of HCP Vault is headless (UI interactions are limited), you may file a support ticket here and we can optionally enable this feature.
AWS IAM authentication
In order to use AWS IAM Authentication, configure roles with resolve_aws_unique_ids=false so that the auth method works without granting the HCP Vault AWS account any IAM permissions.
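As an added illustration of the setting above (this is example code, not HashiCorp's or HCP Vault's own), the following Python audits a set of AWS auth roles for resolve_aws_unique_ids and builds the request body for creating a role with the HCP-compatible value. It assumes role data in the shape returned by GET /v1/auth/aws/role/:name; the sample roles, account ID and ARNs are constructed.

```python
"""Audit AWS IAM auth roles for resolve_aws_unique_ids (added example, not HCP code)."""
import json

# Constructed sample: the "data" objects of two AWS auth roles as Vault returns them.
# Account ID and ARNs are placeholders.
SAMPLE_ROLES = {
    "ci-runner": {
        "auth_type": "iam",
        "bound_iam_principal_arn": ["arn:aws:iam::123456789012:role/ci-runner"],
        "resolve_aws_unique_ids": True,   # Vault's default value
        "token_policies": ["ci"],
    },
    "app-server": {
        "auth_type": "iam",
        "bound_iam_principal_arn": ["arn:aws:iam::123456789012:role/app-server"],
        "resolve_aws_unique_ids": False,  # the value the HCP Vault docs call for
        "token_policies": ["app"],
    },
}


def roles_needing_aws_permissions(roles):
    """Return the names of IAM-type roles whose resolve_aws_unique_ids is not False.

    With the default (True) Vault resolves each bound ARN to the principal's
    unique ID, which needs IAM read permissions (iam:GetRole / iam:GetUser)
    in the account Vault itself runs under. HCP Vault's AWS account is not
    granted those permissions, so such roles need to be corrected.
    """
    return sorted(
        name
        for name, cfg in roles.items()
        if cfg.get("auth_type") == "iam"
        and cfg.get("resolve_aws_unique_ids", True) is not False
    )


def iam_role_payload(bound_arns, policies, ttl="1h"):
    """Build the body for POST /v1/auth/aws/role/:name with the HCP-safe setting."""
    return {
        "auth_type": "iam",
        "bound_iam_principal_arn": list(bound_arns),
        "resolve_aws_unique_ids": False,
        "token_policies": list(policies),
        "token_ttl": ttl,
    }


if __name__ == "__main__":
    print("roles to fix:", roles_needing_aws_permissions(SAMPLE_ROLES))
    print(json.dumps(
        iam_role_payload(["arn:aws:iam::123456789012:role/ci-runner"], ["ci"]),
        indent=2,
    ))
```

The payload builder mirrors what the CLI form of the same write looks like, e.g. `vault write auth/aws/role/<name> auth_type=iam bound_iam_principal_arn=<arn> resolve_aws_unique_ids=false token_policies=<policies>`; run the audit against the output of `vault read auth/aws/role/<name>` for each role before migrating an existing configuration to HCP Vault.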
Diagnostic logs
Vault diagnostic (e.g. server) logs are not accessible to HCP Vault customers today. If you require assistance from the Support Team to help you troubleshoot a specific diagnostic issue, you can open a support ticket.
External Plugins
The Oracle Database Secrets Engine is the only external plugin currently available in HCP Vault. HCP Vault does not currently support user provided external Vault plugins. If you'd like to see future support of additional plugins on HCP Vault, please share feedback here.
Sentinel and Control Groups
Sentinel policies and Control Groups are the only governance and policy features that have been validated. If you are using these features and need to scale your cluster to a different tier, it is recommended to delete existing Sentinel policies and remove any control group settings within existing ACL policies within your Vault instance. These features will only work in Plus tier clusters.
Namespace API lock constraints
When using the Namespace API lock functionality through the UI there are some limitations:
- It is not possible to lock/unlock the cluster when its state is anything other than RUNNING or LOCKED.
- In a performance replication scenario, it is not possible to lock/unlock a secondary directly; instead, operate on the primary, which then replicates the lock status to the secondary.
- Additionally, it is not possible to lock/unlock the primary when the secondary is not in the RUNNING or LOCKED state.