Hello, I am new to Vault so I do not have much experience. I am trying to figure out the policy needed to restore a Vault snapshot. But it seems nothing is working for me other than the root token. Can someone please help me out with the policy needed to restore Vault snapshots? Much appreciated.
Note: I am running open-source Vault with integrated Raft storage in Kubernetes.
No, you don’t need a root token for this. You just need one with suitable permissions for the API you will be calling. The API docs are here: /sys/storage/raft - HTTP API | Vault by HashiCorp, from which you can see the path is sys/storage/raft/snapshot or sys/storage/raft/snapshot-force.
It’s a write operation (that isn’t creating a named object), so the capability involved is "update". So:
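As an added, worked example (not from the answer above or from HashiCorp): a script that writes the policy the answer describes, checks locally that the HCL grants the expected capabilities, and, when a Vault is reachable, applies the policy, mints a short-lived token with it and runs the restore. "read" on sys/storage/raft/snapshot covers snapshot save (a GET), "update" on both paths covers restore. The policy name raft-snapshot, the file backup.snap and the 15m TTL are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original thread or from HashiCorp.
# Minimal Vault policy for Raft snapshot save/restore without a root token,
# plus the CLI steps that use it. Names (raft-snapshot, backup.snap) are
# illustrative assumptions.
set -eu

# Emit the policy HCL. Snapshot save is GET /sys/storage/raft/snapshot, so it
# needs "read"; restore is POST to .../snapshot or .../snapshot-force, so it
# needs "update".
raft_snapshot_policy() {
  cat <<'EOF'
# Save: vault operator raft snapshot save backup.snap
# Restore (same cluster ID): vault operator raft snapshot restore backup.snap
path "sys/storage/raft/snapshot" {
  capabilities = ["read", "update"]
}

# Restore when the snapshot's cluster ID differs from this cluster's:
# vault operator raft snapshot restore -force backup.snap
path "sys/storage/raft/snapshot-force" {
  capabilities = ["update"]
}
EOF
}

# Local sanity check: does the policy text grant CAPABILITY inside the block
# for PATH? A plain string check on the HCL above, not a substitute for
# `vault token capabilities` against a live server.
policy_grants() {
  path="$1"
  capability="$2"
  raft_snapshot_policy | awk -v p="path \"$path\"" -v c="\"$capability\"" '
    index($0, p) == 1 { inblock = 1; next }
    inblock && /capabilities/ && index($0, c) { found = 1 }
    /^}/ { inblock = 0 }
    END { exit found ? 0 : 1 }'
}

# Apply the policy, mint a scoped token and restore with it. The caller's
# current token must be allowed to write policies and create child tokens
# with this policy (an admin token, not necessarily root).
restore_with_scoped_token() {
  snapshot="$1"
  policy_name="${2:-raft-snapshot}"
  raft_snapshot_policy > "/tmp/${policy_name}.hcl"
  vault policy write "$policy_name" "/tmp/${policy_name}.hcl"
  # -field=token prints only the token; keep the TTL short for a one-off job.
  token="$(vault token create -policy="$policy_name" -field=token -ttl=15m)"
  # Show the effective capabilities before attempting the restore: a 403
  # "permission denied" here means the token, not the policy, is the problem.
  VAULT_TOKEN="$token" vault token capabilities sys/storage/raft/snapshot-force
  VAULT_TOKEN="$token" vault operator raft snapshot restore -force "$snapshot"
}

# Only talk to Vault when one is configured; otherwise just print the policy.
if [ -n "${VAULT_ADDR:-}" ] && command -v vault >/dev/null 2>&1; then
  restore_with_scoped_token "${1:-backup.snap}"
else
  raft_snapshot_policy
fi
```

Run it with VAULT_ADDR and an admin VAULT_TOKEN set to perform the restore; without them it only prints the policy so you can `vault policy write` it yourself. Restoring a snapshot replaces the cluster's data, so the -force variant is worth keeping in a separate policy path if not everyone who can save snapshots should be able to overwrite the cluster.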
Error installing the snapshot: Error making API request.
URL: POST https://vault.some.domain/v1/sys/storage/raft/snapshot-force
Code: 403. Errors:
* permission denied
However, I could back up Vault with just read capabilities over there. So, logically, update/create should work out while restoring the snapshot. But it did not work out even after giving sudo.
Yes, you are right. The issue was how I was generating tokens. The tokens were wrong, hence I was getting the error. But yes, the policy you had suggested worked for me.