Creating master key with pg_tde and vault

Hi Community,

I'm currently testing the PostgreSQL extension PG_TDE with HashiCorp Vault.
I managed to declare a key provider with Vault using an access token.

select pg_tde_add_key_provider_vault_v2('vault', 'token', 'https://vault-hostname', 'secret/WPG/BUILD/secrets/masterkey', '');

pg_tde_add_key_provider_vault_v2

                            1

(1 row)

But setting a master key returns an error:

SELECT pg_tde_set_master_key('my-master-key', 'vault');

WARNING: HTTP(S) request to keyring provider "vault" returned invalid response 403
ERROR: failed to retrieve master key from keyring provider :"vault"
DETAIL: Error code: 5

In the Vault logs, it says that PG_TDE is trying to read a key that doesn't exist instead of writing a new key. Here is an extract of the logs:
"operation":"read","path":"secret/WPG/BUILD/secrets/masterkey/data/my-master-key_1"

Has anyone encountered this problem or knows where to find any documentation about this?

Thanks

Best regards.

Hello

Thank you for trying out pg_tde!

Based on the details you provided, the vault setup command:

select pg_tde_add_key_provider_vault_v2('vault', 'token', 'https://vault-hostname', 'secret/WPG/BUILD/secrets/masterkey', '');

seems incorrect to me.

The 4th parameter should be the mount point of the KV secret engine you want to use, which is by default usually just secret, unless you configured something differently.

You can verify this by executing vault secrets list; the mount point should be something that appears in the first column of that list.
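As an added example (not code from the thread or from pg_tde), this checks the mount-point rule above programmatically: given the path passed as the 4th parameter and the JSON form of vault secrets list (the sample below is constructed, not real output), it reports which mount actually prefixes that path, what is left over, and the KV engine version of that mount.

```python
import json

# Constructed sample of `vault secrets list -format=json` output (assumption:
# a dict keyed by mount path with a trailing slash, with type and options).
SAMPLE_SECRETS_LIST = json.dumps({
    "secret/": {"type": "kv", "options": {"version": "2"}},
    "kv-v1/": {"type": "kv", "options": {"version": "1"}},
    "cubbyhole/": {"type": "cubbyhole", "options": None},
})


def check_mount_point(configured, secrets_list_json):
    """Return (mount, remainder, kv_version) for the value given as the 4th
    parameter of pg_tde_add_key_provider_vault_v2.

    mount: the longest Vault mount that prefixes `configured` (None if none),
    remainder: the part of `configured` that lies inside the engine and so is
               not a mount point at all,
    kv_version: the KV engine version of the mount (None if not a KV engine
                or no mount matched).
    """
    mounts = json.loads(secrets_list_json)
    path = configured.strip("/") + "/"
    best = None
    for mount in mounts:
        if path.startswith(mount) and (best is None or len(mount) > len(best)):
            best = mount
    if best is None:
        return None, configured, None
    info = mounts[best]
    version = None
    if info.get("type") == "kv":
        # KV v1 mounts usually report no version option, so default to "1".
        version = (info.get("options") or {}).get("version", "1")
    remainder = path[len(best):].rstrip("/")
    return best.rstrip("/"), remainder, version


if __name__ == "__main__":
    # The value from the original post: only "secret" is a mount point.
    mount, rest, ver = check_mount_point(
        "secret/WPG/BUILD/secrets/masterkey", SAMPLE_SECRETS_LIST)
    print(f"mount point: {mount!r}, path inside engine: {rest!r}, kv version: {ver}")
```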

Hello,

Thanks for your answer.
No, the problem is not with the 4th parameter.
The problem was the rights on the Vault storage.
After adding rights to use a Vault v1 storage, it worked fine.
So I found the function name confusing: add_key_provider_vault_v2: does it mean API v2 or Vault storage format v2?