Save 10-15% Register for HashiConf and save big when you buy 2+ tickets Get your passes
Vault
Vault Home

automate

Automate Vault cluster snapshots

Enterprise

Appropriate Vault Enterprise  license required

You can configure Vault Enterprise to regularly save automated snapshots to local or cloud storage.

Before you start

  • You must a working knowledge of how Vault saves data.
  • You must have a valid Vault cluster configuration using integratd storage.
  • You must know, and be able to contact your unseal/recovery key holders.
  • You must have permission to access encrypted data in backed storage.
  • You should have a secure location, away from your Vault cluster infrastructure, to save the snapshot file.

Step 1: Determine your snapshot settings

Vault can write snapshots to local storage and cloud storage. For longterm maintenance, we recommend saving your autosnapshot settings to a JSON file.

Local storage example

The following JSON file, local-snapshot.json, defines an automated snapshot configuration that uses local storage with custom file and path prefixs. The configuration also sets a 120 minute snapshot frequency, a retention window of 7 snapshots before deleting, and limits the amount of local storage consumed by the snapshot files so Vault stops writing snapshot data if the combined file size exceed 250 MB (262144000 bytes).

{
  "storage_type": "local",
  "file_prefix": "localsnappy",
  "interval": "120m",
  "retain": "7",
  "local_max_space": "262144000",
  "path_prefix": "/opt/vault/"
}

Cloud storage example

The following JSON file, aws-snapshot.json, defines an automated snapshot configuration that uses AWS S3 cloud storage, customizes AWS configuration options (bucket name, the region, and required credentials), and protects the snapshots with server side encryption.

{
  "storage_type": "aws-s3",
  "file_prefix": "paris",
  "interval": "8h",
  "retain": 30,
  "local_max_space": 2621440000,
  "path_prefix": "primary",
  "aws_s3_bucket": "vault-snapshots",
  "aws_s3_region": "eu-west-3",
  "aws_access_key_id": "ASI...COFFEE",
  "aws_secret_access_key": "wJalr...COFFEEKEY",
  "aws_session_token": "IQoJb3JpZ2luX2IQ...COFFEE",
  "aws_s3_server_side_encryption": "true"
}

Step 2: Apply the snapshot configuration

Note

For disaster recovery and performance replication environments, you must configure automated snapshots separately for the primary and secondary clusters.

Run vault write with the /sys/storage/raft/snapshot-auto path and your snapshot configuration to enable automated snapshots:

$ vault write                                                   \
    sys/storage/raft/snapshot-auto/config/<configuration_name>  \
    @<configuration_file>

For example, to configure automated snapshots with local storage in an unreplicated envionrment:

$ vault write                                         \
    sys/storage/raft/snapshot-auto/config/local-snaps \
    @local-snapshot.json

Or, to configure automated snapshots with AWS storage for a primary cluster located in Paris called paris-primary:

$ vault write                                           \
    sys/storage/raft/snapshot-auto/config/paris-primary \
    @aws-snapshot.json
Edit this page on GitHub