With an AWS KMS key defined, migrating an existing Vault installation from using Shamir keys to AWS KMS auto-unseal requires only a few steps to complete.
Rather than manually unsealing Vault in the homelab every time updates are applied, it'd be preferable to have it auto-unseal using an AWS Key Management Server. This is how to setup the AWS part.
Before vRA / vRO can automate Vault and create high-entropy passwords for new workloads, Vault must be prepared. This post explains the steps taken.
Generate and secure unique complex passwords in HashiCorp Vault for new workloads provisioned by VMware vRealize Automation