The feature-key file is a cryptographically signed list of enabled server features. Aerospike Database Enterprise Edition (EE) and Aerospike Database Standard Edition (SE) require a feature-key file to start up. Aerospike Database Community Edition (CE) does not use a feature-key file.
As of server 6.1, a default feature-key file is included with Aerospike EE. This feature-key file provides a single-node evaluation for developers, so customers should swap in their production feature-key file before deploying to production.
If the server cannot find the feature-key file, it exits early in its startup sequence with the following log message:
Apr 09 2021 06:35:12 GMT: CRITICAL (config): (features_ee.c:142) failed to get feature key /etc/aerospike/features.conf
Loading the feature-key file
The server can load the feature-key file from the following sources:
- The filesystem
- An environment variable
- HashiCorp Vault
- Aerospike Secret Agent
From the filesystem
The default path to the feature-key file is
If you want to use a different file location, you can add the
configuration parameter to the
The path can also be a directory, where all the files it contains are feature-key files. The server checks each one for validity and expiration, and merges valid ones into its feature set. This feature is useful for limited-time trials of new features.
The feature-key directory behavior was added in server 5.5.
If multiple feature-key files include
the highest non-zero value is used to restrict the cluster size.
From an environment variable
You can set the feature-key file in an environment variable as a base64-encoded secret.
export MY_FEATURE_FILE=$(base64 ~/evaluation-features.conf)
Now configure the
to load the secret from the environment variable. The prefix env-b64: is a literal string.
From HashiCorp Vault
The server can fetch the feature-key file from HashiCorp Vault servers, such as HCP Vault. The prefix vault: is a literal string.
See Fetching secrets from Vault for more information.
From Aerospike Secret Agent
In server 6.4 and later, the server can use Aerospike Secret Agent to fetch from a secrets management service, such as AWS Secrets Manager.
The configuration parameter must follow the format secrets:[resource:]secret_name. The prefix secrets: is a literal string.
For more information, see Integrating with secrets management services.
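As an added example (not part of the Aerospike documentation or code), the shell function below classifies a feature-key-file value by the prefixes described above (env-b64:, vault:, secrets:) and runs the checks that can be done locally before a node starts. The function name, the fk_* variables and the DEMO_FEATURE_FILE value are assumptions made for illustration; it assumes a base64 that accepts -d and a find that accepts -maxdepth.

```sh
# Added example, not Aerospike code: classify a feature-key-file value by the
# prefixes documented above and run the checks that are possible locally.
# Prints the source kind on success; prints a reason and returns 1 on failure.
check_feature_key_source() {
    fk_value=$1
    case $fk_value in
        env-b64:*)
            fk_var=${fk_value#env-b64:}
            case $fk_var in   # expand only a well-formed variable name
                ''|[0-9]*|*[!A-Za-z0-9_]*) echo "bad variable name"; return 1 ;;
            esac
            eval "fk_data=\${$fk_var-}"
            [ -n "$fk_data" ] || { echo "$fk_var is unset or empty"; return 1; }
            # Decode to /dev/null: validates the encoding without printing the secret.
            if ! printf '%s' "$fk_data" | base64 -d >/dev/null 2>&1; then
                echo "$fk_var is not valid base64"; return 1
            fi
            echo "env-b64" ;;
        vault:?*)
            echo "vault" ;;   # fetched by the server; nothing to check locally
        secrets:?*)
            # Format: secrets:[resource:]secret_name, so the last field is the name.
            fk_rest=${fk_value#secrets:}
            [ -n "${fk_rest##*:}" ] || { echo "empty secret name"; return 1; }
            echo "secrets" ;;
        vault:|secrets:)
            echo "empty name after prefix"; return 1 ;;
        *)
            if [ -f "$fk_value" ]; then
                echo "file"
            elif [ -d "$fk_value" ]; then
                # Directory form: require at least one regular file inside.
                if [ -z "$(find "$fk_value" -maxdepth 1 -type f | head -n 1)" ]; then
                    echo "directory contains no files"; return 1
                fi
                echo "directory"
            else
                echo "path not found: $fk_value"; return 1
            fi ;;
    esac
}

# Constructed demo value, not a real feature key.
DEMO_FEATURE_FILE=$(printf 'constructed placeholder\n' | base64)
check_feature_key_source env-b64:DEMO_FEATURE_FILE
```

The function checks only that a source is present and well formed; signature validity and expiration are still decided by the server when it loads the file.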
Updating the contents or location of the feature-key file
If the path to the feature-key file is unchanged, you can replace the old file with a new one and there's no need to update the feature-key-file configuration parameter.
If the path changes, you must update the feature-key-file configuration parameter with the new path.
The server reads the feature-key file at startup. If you want the new file to take effect immediately, perform a rolling restart of your cluster. Otherwise, you should perform a rolling restart of your cluster nodes at the next available opportunity to avoid surprises if a node restarts unexpectedly.