Skip to content

Support

Best effort support is available through GitHub Issues or by emailing aws-nitro-enclaves-vault-solution@amazon.com.

Roadmap

Unordered list of future improvement ideas.

  • [ ] [api,enclave] Replace the existing hex-encoding encrypted data storage scheme with something else (such as Amazon Ion)

Known Issues

  1. The KMS template has a CloudFormation parameter called pPrimaryKeyArn that will provision a replica KMS key in another region referencing the primary key. DynamoDB is also configured as a global table to support multi-region workloads. A multi-region configuration hasn't been tested, but should be supported using the chosen services.

  2. The CI template has a CloudFormation parameter called pUseCodeBuildFleet that will provision two reserved capacity AWS CodeBuild compute instances for the builds. This will dramatically speed up the BuildVault project as the Docker images will now be cached between runs. CodeBuild Fleets are more expensive than on-demand CodeBuild compute, so they are not enabled by default.

  3. The API template has a CloudFormation parameter called pVpcEndpointId that will provision a private api in Amazon API Gateway if VPC Interface Endpoints for API Gateway are provided.

Troubleshooting

  1. Unable to delete nitro-vault-ci-api or nitro-vault-ci-vault CloudFormation stacks due to Role arn:aws:iam::123456789012:role/nitro-vault-ci-rCloudFormationRole-XXXXXXXXX is invalid or cannot be assumed

    This can occur if the nitro-vault-ci stack is deleted first that removes the CloudFormationRole IAM role used by both of these stacks. You can create a new IAM role named the same as the missing role and temporarily grant it to the AdministratorAccess policy to clean up the remaining stacks, then delete the role.

  2. API returns "Unable to decrypt values" when calling POST /v1/vaults/:vault_id/decrypt

    First check the CloudWatch Logs for the Lambda function in the /aws/lambda/nitro-vault-ci-api Log Group to see if there are any errors coming from the Lambda function itself. The logs will say whether it received an invalid response from the vault API or not.

    Next, go to the EC2 console, and connect to the instance using AWS Systems Manager and use sudo to become root by running sudo su -.

    1. cat /var/log/user-data.log - this should show a successful execution of the user data script
    2. ps auwx | grep nginx - should show a running nginx process
    3. ps auwx | grep parent - should show a running parent process listening on localhost
    4. journal -xe -u nitro-vault-server -f - should show any logs coming from the parent process.

  3. Resource handler returned message: "A policy called nitro-vault-ci-boundary already exists. Duplicate names are not allowed.

    Delete any existing nitro-vault-ci-boundary IAM policies and re-run the nitro-vault-ci CloudFormation stack.