Is only the root token capable of restoring Vault snapshots?

Hello, I am new to Vault so I do not have much experience. I am trying to figure out the policy needed to restore a Vault snapshot, but it seems nothing is working for me other than the root token. Can someone please help me out with the policy needed to restore Vault snapshots? Much appreciated.

Note: I am running open-source Vault with integrated Raft storage in Kubernetes.

No, you don’t need a root token for this. You just need one with suitable permissions for the API you will be calling. The API docs are here: /sys/storage/raft - HTTP API | Vault by HashiCorp, from which you can see the path is sys/storage/raft/snapshot or sys/storage/raft/snapshot-force.

It’s a write operation (that isn’t creating a named object), so the capability involved is "update". So:

path "sys/storage/raft/snapshot" {
  capabilities = ["update"]
}
should be sufficient to allow it.


I tried the below policy on those snapshot paths

path "sys/storage/raft/snapshot"        {capabilities = ["create", "read", "update", "delete", "list", "sudo"]}
path "sys/storage/raft/snapshot-force"        {capabilities = ["create", "read", "update", "delete", "list", "sudo"]}

Yet, I received a 403 error.

Error installing the snapshot: Error making API request.

URL: POST https://vault.some.domain/v1/sys/storage/raft/snapshot-force
Code: 403. Errors:

* permission denied

However, I could back up Vault with just read capabilities there. So logically update/create should work for restoring the snapshot. But it did not work even after granting sudo.

Can you please suggest/help?

I literally copied your policy:

into a test Vault, and tried to restore a snapshot whilst using that policy, and it worked.


Yes, you are right. The issue was how I was generating tokens. The tokens were wrong, hence the error. But yes, the policy you suggested worked for me.

Thank you for your help.
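To make the outcome of this thread concrete, here is an added example (mine, not Vault's own code and not from any participant) that models how Vault maps a request on the snapshot endpoints onto policy capabilities: GET on sys/storage/raft/snapshot (snapshot save) needs read, POST on sys/storage/raft/snapshot or sys/storage/raft/snapshot-force (restore) needs update, an explicit deny wins, and a token only carries the policies it was created with. The model is deliberately simplified: exact path matching only, no glob or `+` segments, no create/update distinction, no namespaces. The two policy texts are the ones posted in the thread; the "default-only" policy text is a constructed stand-in for a token minted without the snapshot policy attached, which is the failure the original poster eventually found.

```python
"""Simplified model of Vault ACL evaluation for the raft snapshot endpoints.

Added example for this thread; it is not Vault's implementation. Assumptions:
exact-path rules only, POST is treated as an update operation, sudo does not
stand in for update, and an explicit "deny" overrides any grant.
"""
import re

# Capability Vault requires for each HTTP operation on these sys/ paths.
VERB_TO_CAPABILITY = {
    "GET": "read",       # vault operator raft snapshot save
    "POST": "update",    # vault operator raft snapshot restore
    "PUT": "update",
    "DELETE": "delete",
    "LIST": "list",
}

# Minimal policy suggested in the thread (closing brace added).
SNAPSHOT_RESTORE_POLICY = '''
path "sys/storage/raft/snapshot" {
  capabilities = ["update"]
}
'''

# Broader policy the original poster tried, covering both endpoints.
SNAPSHOT_FULL_POLICY = '''
path "sys/storage/raft/snapshot"        {capabilities = ["create", "read", "update", "delete", "list", "sudo"]}
path "sys/storage/raft/snapshot-force"        {capabilities = ["create", "read", "update", "delete", "list", "sudo"]}
'''

# Constructed stand-in for a token that was created WITHOUT the snapshot policy:
# it only carries something like the built-in "default" policy.
DEFAULT_ONLY_POLICY = '''
path "auth/token/lookup-self" {
  capabilities = ["read"]
}
'''

# Matches one simple rule: path "<p>" { capabilities = [ ... ] }
RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')


def parse_policy(text):
    """Return {path: set(capabilities)} for the simple rule shape used above."""
    rules = {}
    for path, caps in RULE_RE.findall(text):
        rules[path] = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
    return rules


def is_allowed(token_policies, verb, path):
    """Evaluate like Vault: union the capabilities every attached policy grants
    for this exact path; deny wins; otherwise the verb's capability must be present."""
    needed = VERB_TO_CAPABILITY[verb]
    granted = set()
    for text in token_policies:
        granted |= parse_policy(text).get(path, set())
    if "deny" in granted:
        return False
    return needed in granted


def check_token(token_policies, verb, path):
    """HTTP status the request would receive: 200 when allowed, 403 'permission denied'."""
    return 200 if is_allowed(token_policies, verb, path) else 403


def demo():
    """Replay the situations discussed in the thread and return the status codes."""
    snap = "sys/storage/raft/snapshot"
    force = "sys/storage/raft/snapshot-force"
    return {
        # Token minted with the suggested policy can restore via /snapshot ...
        "restore_minimal": check_token([SNAPSHOT_RESTORE_POLICY], "POST", snap),
        # ... but cannot take a backup (read was never granted) ...
        "save_minimal": check_token([SNAPSHOT_RESTORE_POLICY], "GET", snap),
        # ... and the minimal rule does not cover /snapshot-force at all.
        "force_restore_minimal": check_token([SNAPSHOT_RESTORE_POLICY], "POST", force),
        # The broader policy allows both backup and forced restore.
        "save_full": check_token([SNAPSHOT_FULL_POLICY], "GET", snap),
        "force_restore_full": check_token([SNAPSHOT_FULL_POLICY], "POST", force),
        # The thread's real failure: a token created without the policy attached
        # is denied no matter how generous the policy text is.
        "force_restore_wrong_token": check_token([DEFAULT_ONLY_POLICY], "POST", force),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:28s} -> {status}")
```

On a real cluster the equivalent checks are `vault token lookup` (shows which policies are actually attached to the token you are using) and `vault token capabilities sys/storage/raft/snapshot-force` (shows the effective capabilities for that path); when the second reports only `deny`, the token was minted without the policy, which is exactly the case modelled by `force_restore_wrong_token`.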