How to make a policy for creating raft storage snapshots?

Ibmurai · September 16, 2020, 11:29am

As far as I can tell this should work:

path "sys/storage/raft/snapshot" {
  capabilities = ["read"]
}

I have also tried with create, but still no go.

Help?

jeroenjacobs79 · September 16, 2020, 2:52pm

A few questions:

Can you provide the exact error Vault returns?
How do you create the snapshot? vault cli/curl/some other way?

Also, just to be sure: can you do a vault token lookup and verify the policy correctly assigned to you?

Ibmurai · September 17, 2020, 6:59am

Hi, here’s my flow:

vault policy write snapshot-read - <<EOF
path "sys/storage/raft/snapshot" {
  capabilities = ["read"]
}
EOF

vault write auth/approle/role/backup \
  token_num_uses=1 \
  token_ttl=10m \
  token_max_ttl=10m \
  token_policies=snapshot-read

vault read auth/approle/role/backup/role-id # to get the role id

vault write -f auth/approle/role/backup/secret-id # to get the secret id

vault write auth/approle/login role_id="0d8a1fbf-00eb-7f6c-a7f1-4d8676637dea" \
  secret_id="f93dea9e-1c1d-d968-85e1-a7dbe51874af"

vault login s.yuuMelYJ6Fj9zQ8QfPmKZPAn

vault operator raft snapshot save lol.snap

The save command returns the following error:

Error taking the snapshot: Error making API request.

URL: GET http://127.0.0.1:8200/v1/sys/storage/raft/snapshot
Code: 403. Errors:

* 1 error occurred:
  * permission denied

I did not feel the need to sanitize as this is all from a dev instance

With regards to the token lookup I cannot do that because the above policy is the only policy assigned, I think?:

# vault token lookup
Error looking up token: Error making API request.

URL: GET http://127.0.0.1:8200/v1/auth/token/lookup-self
Code: 403. Errors:

* permission denied

EDIT: Having experimented a bit with token_num_uses I found that setting it to 0 makes things work as expected, but 1 and 2 is not enough or causes some other issue… I’ll look further into it by trial and error to see if it somehow needs more uses…

EDIT 2: 2 seems to be the magic number here. I guees the login itself is one use.

Ibmurai · September 17, 2020, 7:54am

tldr;

The policy works as intended.
The AppRole token_num_uses configuration was my problem.
If you want to create a token with a single use, on top of actually authorising with the token, token_num_uses should be set to 2.

voiprodrigo · September 17, 2020, 10:45am

Hi @Ibmurai,

I hope you don’t mind if I ask you something about your approach.

I was actually working on the same thing. I want to have a cron job taking snapshots every hour or so. But I’m just creating a simple token after setting the policy , something like:

vault token create -policy snapshot-read -orphan -no-default-policy

(I’ll probably extend TTL). Then I would just configure the cron job to export that token and then call the snapshot command.

But your approach is much more involved. I’m not yet acquainted with approle auth. So I’d like to ask you why are you using approle login, just so I can better understand the advantages and if I should also be doing it that way.

Thanks!!