Config Error: Only two or less 'kms' blocks are permitted #1305

Closed
philband opened this issue Jun 9, 2021 · 3 comments · Fixed by #1384
Labels
bug Something isn't working

Comments

@philband

philband commented Jun 9, 2021

Describe the bug
During the initial setup of boundary, I created a configuration file including a total of four KMS key stanzas, namely:

  • root
  • worker-auth
  • recovery
  • config

When trying to start boundary with the configuration below, it gives an error indicating that the number of KMS stanzas used is too high:
Error parsing config file: error parsing 'kms': only two or less "kms" blocks are permitted

Additionally, the error message is incorrect - starting with three KMS stanzas works fine, so three seems to be the actual limit being enforced.

To Reproduce
Attempt to create a boundary instance using the following config:

disable_mlock = true

controller {
  name = "kubernetes-controller"
  description = "Boundary controller"
  database {
      url = "{{decrypt(omitted)}}"
  }
  public_cluster_addr = "localhost"
}

worker {
  name = "kubernetes-worker"
  description = "A worker for a kubernetes demo"
  address = "localhost"
  controllers = ["localhost"]
  public_addr = "localhost"
}

listener "tcp" {
  address = "0.0.0.0"
  purpose = "api"
  tls_disable = true
}

listener "tcp" {
  address = "0.0.0.0"
  purpose = "cluster"
  tls_disable = true
}

listener "tcp" {
  address = "0.0.0.0"
  purpose = "proxy"
  tls_disable = true
}

kms "transit" {
  purpose            = "root"
  address            = "https://vault.vault.svc:8200"
  key_name           = "root"
  mount_path         = "kms/boundary/"
  tls_skip_verify    = "false"
}

kms "transit" {
  purpose            = "worker-auth"
  address            = "https://vault.vault.svc:8200"
  key_name           = "worker_auth"
  mount_path         = "kms/boundary/"
  tls_skip_verify    = "false"
}

kms "transit" {
  purpose            = "recovery"
  address            = "https://vault.vault.svc:8200"
  key_name           = "recovery"
  mount_path         = "kms/boundary/"
  tls_skip_verify    = "false"
}

kms "transit" {
  purpose            = "config"
  address            = "https://vault.vault.svc:8200"
  key_name           = "config"
  mount_path         = "kms/boundary/"
  tls_skip_verify    = "false"
}

Expected behavior
From the current documentation, I expect this configuration to work. (https://www.boundaryproject.io/docs/concepts/security/data-encryption)

Additional context
The error is generated here: https://github.com/hashicorp/shared-secure-libs/blob/2ef2ed1b159862ac2f71c59b56024339cc6175ab/configutil/kms.go#L61
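Added example (Go, written for this page; not Boundary's code and not the fix in #1384): a minimal check over kms stanzas like the ones above, reproducing the count-based rejection the report describes beside a per-purpose check that matches the four purposes listed in the issue. The regexp stand-in for HCL parsing and the allowed-purpose list are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Constructed sample: the four kms stanzas from the issue, cut down to the field the check reads.
const sampleConfig = `
kms "transit" { purpose = "root" }
kms "transit" { purpose = "worker-auth" }
kms "transit" { purpose = "recovery" }
kms "transit" { purpose = "config" }
`

// Allowed purposes, assumed from the list in the issue body (not taken from Boundary's source).
var allowedPurposes = map[string]bool{"root": true, "worker-auth": true, "recovery": true, "config": true}
// Minimal stand-in for HCL parsing: pull the purpose out of each kms block.
var kmsRe = regexp.MustCompile(`(?m)^\s*kms\s+"[^"]+"\s*\{[^}]*?purpose\s*=\s*"([^"]+)"`)

func KmsPurposes(cfg string) []string {
	var out []string
	for _, m := range kmsRe.FindAllStringSubmatch(cfg, -1) {
		out = append(out, m[1])
	}
	return out
}

// ValidateByCount mirrors the behaviour reported: the message says "two or less", the check rejects only more than three.
func ValidateByCount(purposes []string) error {
	if len(purposes) > 3 {
		return errors.New(`error parsing 'kms': only two or less "kms" blocks are permitted`)
	}
	return nil
}

// ValidateByPurpose (hypothetical, not the project's fix): every block names a known purpose, and none appears twice.
func ValidateByPurpose(purposes []string) error {
	seen := map[string]bool{}
	for _, p := range purposes {
		if !allowedPurposes[p] {
			return fmt.Errorf("kms: unknown purpose %q", p)
		} else if seen[p] {
			return fmt.Errorf("kms: duplicate purpose %q", p)
		}
		seen[p] = true
	}
	return nil
}

func main() { fmt.Println(ValidateByCount(KmsPurposes(sampleConfig)), ValidateByPurpose(KmsPurposes(sampleConfig))) }
```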

@malnick malnick added the bug Something isn't working label Jun 28, 2021
@malnick
Collaborator

malnick commented Jul 7, 2021

@philband Thank you for submitting this and apologies for the tardy response! Can you test this on 0.4 and see if the problem still persists?

Thank you!

@jefferai
Member

jefferai commented Jul 8, 2021

The problem will be on 0.4 but will be fixed in the next release.

@jefferai
Member

jefferai commented Jul 8, 2021

I've verified that this fix works with your provided config!

hugoghx pushed a commit that referenced this issue Dec 6, 2024