Support OCI OKE Workload Identity for KMS auto-unseal (seal "ocikms") #31863
Description
Summary
Vault's seal "ocikms" stanza does not support OKE Workload Identity for OCI KMS auto-unseal. The only supported authentication methods are instance principal and API key. This is a gap compared to Azure and GCP, where Vault already supports workload identity for their respective KMS seals.
Root cause
The limitation is in the upstream go-kms-wrapping library, which Vault depends on for OCI KMS operations. The ocikms wrapper only calls auth.InstancePrincipalConfigurationProvider() (OCI Go SDK v60), which authenticates as the node via IMDS — not the pod. The OCI Go SDK's auth.OkeWorkloadIdentityConfigurationProvider() (available since v65) is never called.
Upstream fix
A PR to add workload identity support to go-kms-wrapping has been submitted and is awaiting review:
- Issue: Add OCI OKE Workload Identity support to ocikms wrapper go-kms-wrapping#302
- PR: ocikms: add OKE Workload Identity auth support go-kms-wrapping#303
The PR adds a new auth_type = "workload_identity" config option, bumps the OCI Go SDK from v60 to v65, and is fully backward compatible.
Request
Once go-kms-wrapping merges and releases the fix, please bump Vault's go-kms-wrapping dependency so that the new auth_type option becomes available in the seal "ocikms" stanza. The desired Vault config would look like:
```hcl
seal "ocikms" {
  auth_type       = "workload_identity"
  crypto_endpoint = "https://<vault-id>-crypto.kms.<region>.oraclecloud.com"
  key_id          = "ocid1.key.oc1..."
}
```
Why this matters
On OKE Enhanced clusters, workload identity is the recommended way to grant pods fine-grained IAM access. Instance principal dynamic groups grant KMS permissions to all processes on the node, which violates least-privilege. Workload identity scopes the KMS policy to the specific Vault pod's Kubernetes service account.
Current workaround
Use instance principal with an OCI Dynamic Group matching the OKE worker nodes, granting use permission on the KMS key. This works but is overly broad.
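To make the least-privilege difference concrete, here is the workaround stanza beside the requested one, each with the IAM policy it implies. This is an added illustration, not config from the issue or from the go-kms-wrapping PR: the angle-bracket values are placeholders, the dynamic-group matching rule is a constructed example, the `auth_type` value comes from the PR description above, and the policy statements are written from OCI's documented policy variables (an assumption about the final wording). The two stanzas are alternatives; a Vault config carries one of them.

```hcl
# Added example (not from the issue or the PR). <...> values are placeholders.

# ---- Current workaround: instance principal, node-scoped --------------------
# Dynamic group matching the OKE worker nodes (constructed matching rule):
#   ALL {instance.compartment.id = '<node-compartment-ocid>'}
#
# Policy: every process on every matched node may use the key, not just Vault.
#   Allow dynamic-group vault-nodes to use keys in compartment <kms-compartment>
#     where target.key.id = '<key-ocid>'
seal "ocikms" {
  # auth_type omitted: the wrapper authenticates via instance principal (IMDS)
  crypto_endpoint = "https://<vault-id>-crypto.kms.<region>.oraclecloud.com"
  key_id          = "ocid1.key.oc1..."
}

# ---- Requested: OKE Workload Identity, pod-scoped ---------------------------
# Policy: only pods running under the named service account in the named
# cluster may use the key; other workloads on the same node get nothing.
# (OCI policy variables assumed from OCI documentation.)
#   Allow any-user to use keys in compartment <kms-compartment> where all {
#     request.principal.type = 'workload',
#     request.principal.cluster_id = '<oke-cluster-ocid>',
#     request.principal.namespace = 'vault',
#     request.principal.service_account = 'vault',
#     target.key.id = '<key-ocid>' }
seal "ocikms" {
  auth_type       = "workload_identity"
  crypto_endpoint = "https://<vault-id>-crypto.kms.<region>.oraclecloud.com"
  key_id          = "ocid1.key.oc1..."
}
```

A quick check after switching: the OCI audit log entries for the key's `Decrypt`/`Encrypt` calls should show a workload principal for the Vault service account rather than the worker node's instance OCID.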