Vault
automate
Automate Vault cluster snapshots
Enterprise
Appropriate Vault Enterprise license required
You can configure Vault Enterprise to regularly save automated snapshots to local or cloud storage.
Before you start
- You must a working knowledge of how Vault saves data.
- You must have a valid Vault cluster configuration using integratd storage.
- You must know, and be able to contact your unseal/recovery key holders.
- You must have permission to access encrypted data in backed storage.
- You should have a secure location, away from your Vault cluster infrastructure, to save the snapshot file.
Step 1: Determine your snapshot settings
Vault can write snapshots to local storage and cloud storage. For longterm maintenance, we recommend saving your autosnapshot settings to a JSON file.
Local storage example
The following JSON file, local-snapshot.json
, defines an automated snapshot
configuration that uses local storage with custom file and path prefixs. The
configuration also sets a 120 minute snapshot frequency, a retention window of 7
snapshots before deleting, and limits the amount of local storage consumed by
the snapshot files so Vault stops writing snapshot data if the combined file
size exceed 250 MB (262144000 bytes).
{
"storage_type": "local",
"file_prefix": "localsnappy",
"interval": "120m",
"retain": "7",
"local_max_space": "262144000",
"path_prefix": "/opt/vault/"
}
Cloud storage example
The following JSON file, aws-snapshot.json
, defines an automated snapshot
configuration that uses AWS S3 cloud storage, customizes AWS configuration
options (bucket name, the region, and required credentials), and protects the
snapshots with server side encryption.
{
"storage_type": "aws-s3",
"file_prefix": "paris",
"interval": "8h",
"retain": 30,
"local_max_space": 2621440000,
"path_prefix": "primary",
"aws_s3_bucket": "vault-snapshots",
"aws_s3_region": "eu-west-3",
"aws_access_key_id": "ASI...COFFEE",
"aws_secret_access_key": "wJalr...COFFEEKEY",
"aws_session_token": "IQoJb3JpZ2luX2IQ...COFFEE",
"aws_s3_server_side_encryption": "true"
}
Step 2: Apply the snapshot configuration
Note
For disaster recovery and performance replication environments, you must configure automated snapshots separately for the primary and secondary clusters.
Run vault write
with the
/sys/storage/raft/snapshot-auto
path and your snapshot configuration to enable automated snapshots:
$ vault write \
sys/storage/raft/snapshot-auto/config/<configuration_name> \
@<configuration_file>
For example, to configure automated snapshots with local storage in an unreplicated envionrment:
$ vault write \
sys/storage/raft/snapshot-auto/config/local-snaps \
@local-snapshot.json
Or, to configure automated snapshots with AWS storage for a primary cluster
located in Paris called paris-primary
:
$ vault write \
sys/storage/raft/snapshot-auto/config/paris-primary \
@aws-snapshot.json