HashiConf 2025 Don't miss the live stream of HashiConf Day 2 happening now View live stream
Vault
Vault Home

You are viewing documentation for version v1.20.x. View latest version.

/sys/storage/raft/snapshot-auto

Enterprise

Appropriate Vault Enterprise  license required

Restricted endpoint

Clients must call the API path from the root namespace.

The /sys/storage/raft/snapshot-auto endpoints are used to manage automated snapshots with Vault's Raft storage backend.

Create/update an automated snapshots config

This endpoint requires sudo capability.

This endpoint creates or updates a named configuration. Each configuration has an interval controlling how often snapshots are taken, a destination where the snapshots are written, as well as a retention policy governing when older snapshots get deleted.

Note that for cloud storage types, you can either provide credentials explicitly using the parameters below, or for GCP and AWS you can omit them and rely on the other mechanisms the cloud provider's SDK allows for authenticating, e.g. environment variables or files on disk in predefined locations.

MethodPath
POST/sys/storage/raft/snapshot-auto/config/:name

Parameters

  • name (string: <required>) – Name of the configuration to modify.

  • interval (integer or string: <required>) - Time between snapshots. This can be either an integer number of seconds, or a Go duration format string (e.g. 24h)

  • retain (integer: 1) - How many snapshots are to be kept; when writing a snapshot, if there are more snapshots already stored than this number, the oldest ones will be deleted.

  • path_prefix (string: <required>) - For storage_type=local, the directory to write the snapshots in. For cloud storage types, the bucket prefix to use. Types azure-blob and google-gcs require a trailing / (slash). Types local and aws-s3 the trailing / is optional.

  • file_prefix (string: "vault-snapshot") - Within the directory or bucket prefix given by path_prefix, the file or object name of snapshot files will start with this string.

  • storage_type (string: <required>) - One of "local", "azure-blob", "aws-s3", or "google-gcs". The remaining parameters described below are all specific to the selected storage_type and prefixed accordingly.

storage_type=local

  • local_max_space (integer: <required>) - For storage_type=local, the maximum space, in bytes, to use for all snapshots with the given file_prefix in the path_prefix directory. Snapshot attempts will fail if there is not enough space left in this allowance.

storage_type=aws-s3

Note

Vault cannot use AWS IAM roles with EKS service accounts for authentication to save automated integrated storage snapshots to Amazon S3 buckets. You must set the aws_access_key_id and aws_secret_access_key parameters in the context of AWS EKS & S3 configuration.

storage_type=google-gcs

  • google_gcs_bucket (string: <required>) GCS bucket to write snapshots to.

  • google_service_account_key (string) - Google service account key in JSON format. Depending on how you invoke the API, you may need to JSON-escape the account key. For example, to include data with newlines and double quotes the raw value would look like:

    {
  "type": "service_account",
  "project_id": "project-id",
  "private_key_id": "key-id",
  "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQ ... /WZs=\n-----END RSA PRIVATE KEY-----\n",
  "client_email": "service-account-email",
  "client_id": "client-id",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email"
}
  ```

The associated Google service account must have following permissions in
Google Cloud Storage so that Vault can store and manage the snapshots:
- `storage.objects.create`
- `storage.objects.list`
- `storage.objects.delete`

To load a snapshot with your configuration, the account also needs:
- `storage.objects.get`

  • google_endpoint (string) - GCS endpoint. This is typically only set when using a non-Google GCS implementation like fake-gcs-server.

  • google_disable_tls (boolean) - Disable TLS for the GCS endpoint. This should only be used for testing purposes, typically in conjunction with google_endpoint.

storage_type=azure-blob

Sample payload

{
  "interval": "24h",
  "retain": 7,
  "path_prefix": "/opt/vault/snapshots/",
  "storage_type": "local",
  "local_max_space": 10000000
}

Sample request

$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/storage/raft/snapshot-auto/config/config1

List automated snapshots configuration

This endpoint requires sudo capability.

This endpoint lists named configurations.

MethodPath
LIST/sys/storage/raft/snapshot-auto/config

Sample request

$ curl \
    --header "X-Vault-Token: ..." \
    --request LIST \
    http://127.0.0.1:8200/v1/sys/storage/raft/snapshot-auto/config

Sample response

{
  "data": {
    "keys": ["config1"]
  }
}

Read automated snapshots config

This endpoint requires sudo capability.

This endpoint reads a named configuration.

MethodPath
GET/sys/storage/raft/snapshot-auto/config/:name

Sample request

$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/sys/storage/raft/snapshot-auto/config/config1

Sample response

{
  "data": {
    "file_prefix": "vault-snapshot",
    "interval": 86400,
    "local_max_space": 10000000,
    "path_prefix": "/opt/vault/snapshots/",
    "retain": 7,
    "storage_type": "local"
  }
}

Delete automated snapshots config

This endpoint requires sudo capability.

This endpoint deletes a named configuration.

MethodPath
DELETE/sys/storage/raft/snapshot-auto/config/:name

Sample request

$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/sys/storage/raft/snapshot-auto/config/config1

Read automated snapshots status

This endpoint returns the status of a named configuration.

MethodPath
GET/sys/storage/raft/snapshot-auto/status/:name

Sample request

$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/sys/storage/raft/snapshot-auto/status/config1

Sample response

{
  "data": {
    "last_snapshot_end": "2020-10-28T11:17:21-04:00",
    "last_snapshot_error": "",
    "last_snapshot_start": "2020-10-28T11:17:21-04:00",
    "last_snapshot_url": "file:///opt/vault/snapshots/vault-snapshot-1603898241699731000.snap",
    "snapshot_start": "2020-108T11:17:21-04:00",
    "snapshot_url": "file:///opt/vault/snapshots/vault-snapshot-1603898241699731000.snap"
  }
}

Load a snapshot from an automated snapshot configuration

Load a new snapshot into the Vault cluster without overwriting the cluster with the snapshot's data. After loading a snapshot, you can recover, read, and list individual pieces of data from the loaded snapshot.

To manage the state of your loaded snapshot, use the /sys/storage/raft/snapshot-load endpoints.

Restrictions for loading snapshots

  • The snapshot must be from the same cluster and have the same unseal keys as the current cluster.
  • You can only load one snapshot into a cluster at a time.
  • Vault automatically unloads snapshots 72 hours after they are loaded.
  • If your cluster's active node changes, the loaded snapshot's status updates to error and it cannot be used for any recover operations. You must unload and reload the snapshot to use it again.
  • You cannot load a snapshot if your cluster has mlock enabled in its Vault configuration.

Note

You cannot load a snapshot from an automated snapshot configuration with storage_type=local. Instead, upload the snapshot file using the /sys/storage/raft/snapshot-load endpoint.

MethodPath
POST/sys/storage/raft/snapshot-auto/snapshot-load/:name

Parameters

  • name (string: <required>) – Name of the configuration that created the snapshot.

  • url (string: <required>) - The snapshot URL to load as returned by the status endpoint.

Sample payload

{
  "url": "https://example.com/raft.snap"
}

Sample request

$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/storage/raft/snapshot-auto/snapshot-load/config1

Sample response

{
  "data": {
    "auto_config_name": "config1",
    "cluster_id": "2ec84695-cfe5-44f3-b351-3f08a9ccc0c8",
    "expires_at": "2025-05-25T15:07:58.187769+01:00",
    "snapshot_id": "2403d301-94f2-46a1-a39d-02be83e2831a",
    "url": "https://example.com/raft.snap",
    "status": "ready"
  }
}
Edit this page on GitHub