»No Access to Root Namespace

»Vault system API

Most endpoints under /v1/sys that require authentication are not available. An exception has been made for the following endpoints:

To access these endpoints, you must provide the -namespace or -ns root parameter using CLI. Or, provide the X-Vault-Namespace header to your HTTP request.

»Admin Token Policy

The admin policy used to generate admin tokens is located in the customer admin namespace and is named hcp-root. Although this policy is editable by the customer in their namespace, it should not be edited. By editing this policy, you will make it so admin tokens do not act as root tokens in the namespace and would not be allowed to perform all operations. In the future we plan to limit the modifications of this policy and/or regenerate this policy before generating an admin token. Currently, the recovery of this policy is manual for the HCP operators and may delay recovery of your Vault cluster.

»Integrated Storage Only

HCP Vault only supports raft integrated storage, and cannot be reconfigured to use Consul as a storage backend.

»TLS Certificate Authentication

There is currently a complication in using the TLS Certificate Authentication method with HCP Vault due to the nature of the Let's Encrypt certs used in the system. We are working to remediate this at present.

»AWS IAM Authentication

In order to use AWS IAM Authentication, it is important to configure roles with resolve_aws_unique_ids=false so that it can work without needing to grant the HCP Vault AWS account any permissions.

»Google OIDC Auth Method

Some configurations of the Google OIDC auth method require that a file be placed on the server and be readable by the Vault process. The gusite_service_account paramter is not currently supported in HCP Vault.