Describe the bug
Once initialized, even in the case of a KMS encryption issue, it is impossible to re-init, and the root token has not been delivered.
To Reproduce
Steps to reproduce the behavior:
- Have an IAM role without `kms:Encrypt` permission
- Run `vault operator init` once
- Run `vault operator init` a second time
- See error
Expected behavior
Vault should be left in an uninitialized state if unable to encrypt with the key
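A pre-flight check that can be run before `vault operator init` to avoid the half-initialized state described above, added here as an example (not code from the issue or from Vault). It assumes the `aws` and `vault` CLIs are on PATH, `VAULT_ADDR` points at the node to initialize, and the KMS key id and region are passed as arguments; the JSON strings it is tested with are constructed.

```shell
#!/bin/sh
# Pre-flight check for `vault operator init` with an awskms seal.
# Added example, not code from the issue or from Vault. Assumes the `aws` and
# `vault` CLIs are installed and VAULT_ADDR is set; key id and region are
# supplied by the caller (placeholders, not values from the issue).

# Return 0 if `vault status -format=json` output ($1) reports an uninitialized server.
vault_is_uninitialized() {
  case "$1" in
    *'"initialized": false'*|*'"initialized":false'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 if the current credentials can perform kms:Encrypt with key $1 in region $2.
# Encrypting a one-byte sample exercises exactly the permission the seal needs.
kms_encrypt_works() {
  tmp=$(mktemp) || return 1
  printf 'x' > "$tmp"
  aws kms encrypt --region "$2" --key-id "$1" --plaintext "fileb://$tmp" \
      --query CiphertextBlob --output text > /dev/null 2>&1
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Pure decision: $1 = vault status JSON, $2 = "yes" if kms:Encrypt succeeded.
# Prints a verdict and returns 0 only when init is safe to run.
preflight_verdict() {
  if ! vault_is_uninitialized "$1"; then
    echo "skip: vault already initialized (re-running init will fail)"; return 1
  fi
  if [ "$2" != "yes" ]; then
    echo "abort: kms:Encrypt denied; init would leave the seal unusable"; return 1
  fi
  echo "ok: safe to run vault operator init"; return 0
}

# Gather live data and decide. Usage: run_preflight <kms-key-id> <region>
run_preflight() {
  # `vault status` exits 2 while sealed/uninitialized but still prints JSON.
  status_json=$(vault status -format=json 2>/dev/null) || true
  if kms_encrypt_works "$1" "$2"; then kms_ok=yes; else kms_ok=no; fi
  preflight_verdict "$status_json" "$kms_ok"
}

if [ "$#" -ge 2 ]; then
  run_preflight "$1" "$2"
fi
```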
Environment:
- Vault Server Version (retrieve with `vault status`): 1.11.0
- Vault CLI Version (retrieve with `vault version`): 1.11.0
- Server Operating System/Architecture: Amazon Linux 2 / x86_64
Vault server configuration file(s):

```hcl
disable_performance_standby = true
ui = true
disable_mlock = true

storage "raft" {
  path = "/opt/vault/data"
  node_id = <secret>
  retry_join {
    auto_join = "provider=aws region=eu-west-3 tag_key=observability-vault tag_value=cluster"
    auto_join_scheme = "https"
    leader_tls_servername = <secret>
    leader_ca_cert_file = "/opt/vault/tls/vault-ca.pem"
    leader_client_cert_file = "/opt/vault/tls/vault-cert.pem"
    leader_client_key_file = "/opt/vault/tls/vault-key.pem"
  }
}

cluster_addr = "https://172.31.164.99:8201"
api_addr = "https://172.31.164.99:8200"

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = false
  tls_cert_file = "/opt/vault/tls/vault-cert.pem"
  tls_key_file = "/opt/vault/tls/vault-key.pem"
  tls_client_ca_file = "/opt/vault/tls/vault-ca.pem"
}

seal "awskms" {
  region = "eu-west-3"
  kms_key_id = <secret>
}
```