Consul ACL policy for snapshots

We are running Vault open source with a Consul backend. I am setting up an automated backup and restore function leveraging Consul snapshots.

I’m trying to determine the minimum privileges a Consul token requires to be able to run “consul snapshot” commands. The documentation refers to a “management” token. Does this mean that any token used to manage snapshots needs the same rights as the built-in “global-management” policy?

This seems like overkill. If that’s not the case, is there documentation on the minimum rights needed to manage snapshots?

Hi @synaptis,

You should only need acl = write permissions on the token used for snapshotting. It's a bit easy to overlook, but this is referenced toward the end of the paragraph describing the acl resource rules.

4 Likes

Thanks, snapshots seem to be working via a token with just “acl = write” permissions.

I had seen the reference in the documentation you’ve linked to, but as I mentioned, I’d also seen a reference to a management token being required. Cheers for helping clear up what is required.
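The setup the answer describes and the follow-up confirms, as an added example that is not part of the original thread: a dedicated policy holding only the acl = "write" rule, a token bound to it, and a snapshot taken with that token. The policy name, file names and the SNAPSHOT_TOKEN variable are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: dedicated Consul token for `consul snapshot` with acl = "write".
# Assumed names (not from the thread): policy "snapshot-agent", the file names,
# and the SNAPSHOT_TOKEN environment variable.
set -eu

POLICY_NAME="snapshot-agent"

# Write the single rule the answer cites. acl = "write" also permits managing
# ACL policies and tokens, so store this token as carefully as a management token.
write_snapshot_policy() {
  printf 'acl = "write"\n' > "$1"
}

# Register the policy and mint a token bound only to it.
# CONSUL_HTTP_TOKEN must already hold a token that is allowed to manage ACLs.
create_snapshot_token() {
  consul acl policy create -name "$POLICY_NAME" \
    -description "Snapshot save and restore" -rules "@$1"
  consul acl token create -description "Automated snapshot job" \
    -policy-name "$POLICY_NAME"
}

# Save a snapshot with the scoped token, then check the file locally.
# The token is read from the environment so it never appears in argv.
take_snapshot() {
  CONSUL_HTTP_TOKEN="$SNAPSHOT_TOKEN" consul snapshot save "$1"
  consul snapshot inspect "$1"
  chmod 600 "$1"   # the snapshot includes Consul ACL data and Vault's storage
}

# Usage:
#   CONSUL_HTTP_TOKEN=<management token> sh snapshot-token.sh setup
#   SNAPSHOT_TOKEN=<SecretID printed by setup> sh snapshot-token.sh snapshot backup.snap
case "${1:-}" in
  setup)
    write_snapshot_policy snapshot-policy.hcl
    create_snapshot_token snapshot-policy.hcl
    ;;
  snapshot)
    : "${SNAPSHOT_TOKEN:?set SNAPSHOT_TOKEN to the snapshot token SecretID}"
    take_snapshot "${2:-backup.snap}"
    ;;
esac
```
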