»No Access to Root Namespace
»Vault system API
Most endpoints under /v1/sys that require authentication are not available in HCP Vault: they are served only from the root namespace, which HCP Vault does not expose to customers. An exception has been made for the following endpoints:
To access these endpoints, you must provide the namespace parameter on the CLI, or provide the X-Vault-Namespace header on your HTTP request. A request that specifies no namespace is routed to the root namespace and is rejected.
»Admin Token Policy
The policy used to generate admin tokens is located in the customer admin namespace and is named hcp-root. Although this policy is editable by the customer within that namespace, it should not be edited. Editing it will cause admin tokens to stop acting as root tokens in the namespace, so they will no longer be allowed to perform all operations. In the future we plan to limit modifications of this policy and/or regenerate it before generating an admin token. Currently, recovery of this policy is a manual task for the HCP operators and may delay recovery of your Vault cluster.
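The two constraints above fit together in practice: every API call has to carry the admin namespace, and the hcp-root policy in that namespace should be checked for drift before anyone mints an admin token. The following is an added example written for this page, not HashiCorp's code or part of HCP Vault: a minimal urllib-based helper that sets X-Vault-Namespace on each request (the HTTP equivalent of the CLI's -namespace flag or VAULT_NAMESPACE variable), reads the hcp-root policy through the namespaced sys/policies/acl endpoint, and compares it against a fingerprint recorded at cluster creation. The Vault address and token are assumed to come from the caller's environment, and the HCP_ROOT_BASELINE variable is an assumed name, not an HCP convention.

```python
"""Added example for this page (not HashiCorp's code): scope every HCP Vault
API call to the admin namespace and detect drift in the hcp-root policy.
The Vault address and token are assumed to be supplied by the caller; the
HCP_ROOT_BASELINE variable name used in __main__ is an assumption."""
import hashlib
import json
import urllib.request

# HCP Vault customers work in this namespace; the root namespace is not exposed.
DEFAULT_NAMESPACE = "admin"


def build_request(addr, token, path, namespace=DEFAULT_NAMESPACE, method="GET", body=None):
    """Build a urllib Request for /v1/<path>.

    X-Vault-Namespace is the HTTP equivalent of the CLI's -namespace flag or
    the VAULT_NAMESPACE variable. Omitting it routes the call to the root
    namespace, which HCP Vault does not expose, so /v1/sys/* calls fail.
    """
    url = addr.rstrip("/") + "/v1/" + path.lstrip("/")
    headers = {"X-Vault-Token": token}
    if namespace:
        headers["X-Vault-Namespace"] = namespace
    data = None
    if body is not None:
        data = json.dumps(body).encode("utf-8")
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(url, data=data, headers=headers, method=method)


def vault_call(addr, token, path, **kwargs):
    """Send the request and return the decoded JSON body (None for 204 No Content)."""
    req = build_request(addr, token, path, **kwargs)
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def read_hcp_root_policy(addr, token):
    """Return the raw HCL of the hcp-root policy.

    With the namespace header set, GET sys/policies/acl/<name> reads the admin
    namespace's copy of the policy; without it the request would go to root.
    """
    return vault_call(addr, token, "sys/policies/acl/hcp-root")["data"]["policy"]


def policy_fingerprint(policy_text):
    """SHA-256 of the policy body with trailing whitespace and blank lines
    removed, so a reformatted but otherwise identical policy is not flagged."""
    lines = [line.rstrip() for line in policy_text.strip().splitlines() if line.strip()]
    return hashlib.sha256("\n".join(lines).encode("utf-8")).hexdigest()


def policy_unchanged(current_text, baseline_fingerprint):
    """True if the policy still matches the fingerprint recorded at cluster
    creation. Run this before minting admin tokens: an edited hcp-root policy
    silently turns root-like admin tokens into limited ones, and restoring it
    currently requires HCP operators."""
    return policy_fingerprint(current_text) == baseline_fingerprint


if __name__ == "__main__":
    import os
    import sys

    addr = os.environ["VAULT_ADDR"]
    token = os.environ["VAULT_TOKEN"]
    # HCP_ROOT_BASELINE is an assumed variable holding the fingerprint you
    # recorded with policy_fingerprint() when the cluster was created.
    baseline = os.environ["HCP_ROOT_BASELINE"]
    if policy_unchanged(read_hcp_root_policy(addr, token), baseline):
        print("hcp-root policy matches baseline")
    else:
        print("hcp-root policy has drifted; do not mint admin tokens until it is restored")
        sys.exit(1)
```

Record the baseline fingerprint once, from a freshly created cluster, before anyone has had a chance to edit the policy; the drift check only tells you the policy differs from that baseline, it does not restore it.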
»Integrated Storage Only
HCP Vault only supports Raft integrated storage and cannot be reconfigured to use Consul as a storage backend.
»TLS Certificate Authentication
There is currently a complication in using the TLS Certificate auth method with HCP Vault, due to the nature of the Let's Encrypt certificates used in the system. We are working to remediate this.
»AWS IAM Authentication
To use AWS IAM authentication, configure roles with resolve_aws_unique_ids=false so that the auth method works without granting the HCP Vault AWS account any permissions in your AWS account. With the default setting of true, Vault resolves each bound principal ARN to its AWS unique ID by calling iam:GetUser or iam:GetRole, which requires IAM credentials that HCP Vault does not hold for your account.
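As an added example for this page (not HashiCorp's code or an HCP Vault feature), the block below builds the request body for POST /v1/auth/aws/role/<name> with resolve_aws_unique_ids set to false, and audits existing role configurations, as returned by GET auth/aws/role/<name>, for two things: roles still carrying the default resolve_aws_unique_ids=true on an exact ARN, which will fail on HCP Vault, and bound ARNs so broad that every principal in the account matches. The sample role data is constructed for the example. The trade-off a practitioner should weigh is that without unique-ID resolution Vault binds on the ARN string only, so an IAM principal deleted and recreated under the same name keeps its access.

```python
"""Added example for this page (not HashiCorp's code): build an AWS IAM auth
role for HCP Vault with resolve_aws_unique_ids=false and audit existing role
configs for settings that fail there or bind too loosely. SAMPLE_ROLES is
constructed to mirror the 'data' object of GET auth/aws/role/<name>."""

# Finding codes returned by audit_aws_roles()
NEEDS_IAM_PERMISSIONS = "resolve_aws_unique_ids-true"
BROAD_WILDCARD = "bound-arn-matches-whole-account"


def _as_list(value):
    """Vault returns bound_iam_principal_arn as a list but accepts a string on write."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def iam_role_payload(bound_principal_arns, policies, ttl="1h"):
    """Body for POST /v1/auth/aws/role/<name>
    (CLI: vault write auth/aws/role/<name> auth_type=iam ... resolve_aws_unique_ids=false).

    With resolve_aws_unique_ids=false Vault binds on the ARN string and never
    calls iam:GetUser / iam:GetRole, so the HCP-managed AWS account needs no
    permissions in yours. Trade-off: a principal deleted and recreated under
    the same name keeps its access, because no unique ID is pinned.
    """
    arns = _as_list(bound_principal_arns)
    if not arns:
        raise ValueError("an IAM role needs at least one bound principal ARN")
    return {
        "auth_type": "iam",
        "bound_iam_principal_arn": arns,
        "resolve_aws_unique_ids": False,
        "token_policies": list(policies),
        "token_ttl": ttl,
    }


def _is_whole_account_wildcard(arn):
    """True for patterns such as arn:aws:iam::123456789012:* or ...:role/*
    that admit every principal in the account rather than a name or prefix."""
    tail = arn.rsplit(":", 1)[-1]  # the part after the account ID
    return tail in ("*", "role/*", "user/*")


def audit_aws_roles(roles):
    """roles: {name: data} where data is the JSON 'data' object returned by
    GET auth/aws/role/<name>. Returns sorted (name, finding) pairs."""
    findings = []
    for name, data in roles.items():
        if data.get("auth_type") != "iam":
            continue  # ec2-type roles are not affected by unique-ID resolution
        arns = _as_list(data.get("bound_iam_principal_arn"))
        # Vault's default is true, and resolution is skipped only for ARNs that
        # end in a wildcard, so any exact ARN with the default set means an IAM
        # API call that Vault cannot make from HCP.
        if data.get("resolve_aws_unique_ids", True) and any(not a.endswith("*") for a in arns):
            findings.append((name, NEEDS_IAM_PERMISSIONS))
        if any(_is_whole_account_wildcard(a) for a in arns):
            findings.append((name, BROAD_WILDCARD))
    return sorted(findings)


# Constructed sample: what three existing roles might look like when read back.
SAMPLE_ROLES = {
    "ci-runner": {
        "auth_type": "iam",
        "bound_iam_principal_arn": ["arn:aws:iam::123456789012:role/ci-runner"],
        "resolve_aws_unique_ids": False,
        "token_policies": ["ci"],
    },
    "legacy-default": {  # written without the flag, so Vault defaulted it to true
        "auth_type": "iam",
        "bound_iam_principal_arn": ["arn:aws:iam::123456789012:role/legacy"],
        "resolve_aws_unique_ids": True,
        "token_policies": ["default"],
    },
    "any-role": {  # matches every role in the account
        "auth_type": "iam",
        "bound_iam_principal_arn": ["arn:aws:iam::123456789012:role/*"],
        "resolve_aws_unique_ids": False,
        "token_policies": ["default"],
    },
}

if __name__ == "__main__":
    for role_name, finding in audit_aws_roles(SAMPLE_ROLES):
        print(f"{role_name}: {finding}")
```

Feed audit_aws_roles() the role objects you read back from the auth mount (one GET per role name listed under auth/aws/roles) before migrating an existing configuration to HCP Vault; the legacy-default case above is the one that breaks, because the role was written without the flag and inherited Vault's default of true.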
»Google OIDC Auth Method
Some configurations of the Google OIDC auth method require a file (the Google service account credentials) to be placed on the Vault server and be readable by the Vault process, which is not possible on HCP-managed nodes. The gsuite_service_account parameter is therefore not currently supported in HCP Vault.