| 31 May 2022 |
Mic92 | Wow, reading this I get gnupg vibes: https://support.hashicorp.com/hc/en-us/articles/4407386653843-Vault-KV-V2-Secrets-Engine-Permission-Denied- | 16:35:35 |
Mic92 | This is not well-designed. | 16:35:41 |
Mic92 | I guess I should have read this here: https://www.vaultproject.io/docs/secrets/kv/kv-v2#acl-rules | 16:38:26 |
| 1 Jun 2022 |
Mic92 | grahamc (he/him): are ec2 role tags (i.e. created with vault_aws_auth_backend_role_tag) supported by nixos-vault-service | 13:38:44 |
Mic92 | ? | 13:38:45 |
@grahamc:nixos.org | should be, any auth method that vault agent supports | 13:39:06 |
Mic92 | what do you usually use? | 13:39:53 |
Mic92 | I have multi-region deployment so those normal iam methods wouldn't work | 13:40:25 |
Mic92 | Turns out I was also using vault_aws_auth_backend_role_tag wrong in terraform but it is also impossible to use because it creates dependency cycles between the ec2 instances I am trying to create. | 14:04:43 |
Mic92 | It also seems that nixos-vault-service cannot be used with aws ec2 auth. Once there are two services that require a secret, the second instance cannot authenticate because of nonce mismatches | 15:07:52 |
@grahamc:nixos.org | that is surprising, we use it for aws ec2 auth | 16:59:24 |
Mic92 | Check out this: https://github.com/DeterminateSystems/nixos-vault-service/issues/58 | 17:19:40 |
@grahamc:nixos.org | hum... | 17:22:11 |
Mic92 | It was definitely client nonce errors. I had to delete the old ones manually from vault | 17:22:43 |
Mic92 | And I also saw the error messages | 17:22:56 |
@grahamc:nixos.org | oh we don't use config.type = "ec2"; because it isn't recommended anymore by hashicorp | 17:23:03 |
@grahamc:nixos.org | we use the type iam | 17:23:07 |
@grahamc:nixos.org | we will document the incompatibility | 17:23:34 |
Mic92 | Yeah, but iam is simply not usable if you have multiple regions | 17:23:45 |
@grahamc:nixos.org | no? | 17:23:51 |
@grahamc:nixos.org | how so? | 17:23:53 |
Mic92 | because a role is tied to a single region | 17:23:57 |
@grahamc:nixos.org | I don't think IAM roles are tied to a region | 17:24:20 |
Mic92 | not iam roles | 17:25:07 |
@grahamc:nixos.org | but at any rate, it should work across regions without too much work | 17:25:16 |