Fix missing guardrail for worker kms auth population (#2172)

* Fix missing guardrail for worker kms auth population

internal/cmd/commands/server/server.go

@@ -178,6 +178,8 @@ func (c *Command) Run(args []string) int {
 
 	base.StartMemProfiler(c.Context)
 
+	// Note: the checks directly after this must remain where they are because
+	// they rely on the state of configured KMSes.
 	if err := c.SetupKMSes(c.Context, c.UI, c.Config); err != nil {
 		c.UI.Error(err.Error())
 		return base.CommandUserError
@@ -188,6 +190,20 @@ func (c *Command) Run(args []string) int {
 			return base.CommandUserError
 		}
 	}
+	if c.Config.Worker != nil {
+		switch c.WorkerAuthKms {
+		case nil:
+			if c.Config.Worker.AuthStoragePath == "" {
+				c.UI.Error("No worker auth KMS specified and no worker auth storage path specified.")
+				return base.CommandUserError
+			}
+		default:
+			if c.Config.Worker.Name == "" {
+				c.UI.Error("Worker is using KMS auth but has no name set. It must be the unique name of this instance.")
+				return base.CommandUserError
+			}
+		}
+	}
 
 	if c.Config.DefaultMaxRequestDuration != 0 {
 		globals.DefaultMaxRequestDuration = c.Config.DefaultMaxRequestDuration
@@ -547,16 +563,6 @@ func (c *Command) ParseFlagsAndConfig(args []string) int {
 		c.UI.Error("Controller has no name set. It must be the unique name of this instance.")
 		return base.CommandUserError
 	}
-	if c.Config.Worker != nil {
-		if c.Config.Worker.Name == "" {
-			c.UI.Error("Worker has no name set. It must be the unique name of this instance.")
-			return base.CommandUserError
-		}
-		if c.Config.Worker.AuthStoragePath == "" {
-			c.UI.Error("No worker auth KMS specified and no worker auth storage path specified.")
-			return base.CommandUserError
-		}
-	}
 
 	return base.CommandSuccess
 }