Manual raft snapshot creation fails

michael4 · February 6, 2025, 10:28am

Hi everyone,
I have a Vault cluster with 5 nodes, and they are configured to auto-unseal from another Vault node (http://vault-node-1:8200) which is configures with transit secrets engine.

Auto Unseal works as expected when I restart Vault service on any of the 5 cluster nodes.
But when I want to create a raft snapshot manually it fails with this error in CLI

Error taking the snapshot: incomplete snapshot, unable to read SHA256SUMS.sealed file

When I look at logs it shows me this:

vault[2806038]: 2025-02-06T12:10:59.334+0200 [WARN]  core.autoseal: seal wrapper health check failed: seal_name=transit
vault[2806038]:   err=
vault[2806038]:   | failed to encrypt test value, seal wrapper may be unreachable: Error making API request.
vault[2806038]:   |
vault[2806038]:   | URL: PUT http://vault-node-1:8200/v1/transit/encrypt/unseal-key
vault[2806038]:   | Code: 403. Errors:
vault[2806038]:   |
vault[2806038]:   | * 2 errors occurred:
vault[2806038]:   | \t* permission denied
vault[2806038]:   | \t* invalid token
vault[2806038]:   |

I am doing this from the Leader node while logged in with root token.
Not sure why it complains on permission denied and invalid token ?
It should use the token from the configuration from seal transit stanza right ?

seal "transit" {
  address     = "http://vault-node-1:8200"
  token       = "hvs.XXXXXXXX"
  key_name    = "unseal-key"
  mount_path  = "transit"
  tls_skip_verify = "true"
}

When I check that token on vault-node-1 it’s still valid

Key                  Value
---                  -----
accessor             Od4jqaOpYPSZGFfgtibo6VyR
creation_time        1738360801
creation_ttl         768h
display_name         token
entity_id            n/a
expire_time          2025-03-05T00:00:01.346753128+02:00
explicit_max_ttl     0s
id                   hvs.XXXXXXXX
issue_time           2025-02-01T00:00:01.732063539+02:00
last_renewal         2025-02-04T17:26:10.346753258+02:00
last_renewal_time    1738682770
meta                 <nil>
num_uses             0
orphan               false
path                 auth/token/create
policies             [default unseal]
renewable            true
ttl                  635h58m15s
type                 service

Am I missing something ? Perhaps I need to add something in policy that looks like this ?

path "transit/encrypt/unseal-key" {
  capabilities = [ "update" ]
}

path "transit/decrypt/unseal-key" {
  capabilities = ["update"]
}

Thanks !

michael4 · February 6, 2025, 3:41pm

Ok after lot of checks I just restarted vault services on all nodes and it solved the issue

Topic		Replies	Views
Error taking snapshot Vault	23	6916	February 10, 2025
Raft storage snapshot no longer works if transit token is changed Vault	5	1344	December 8, 2021
How to unseal vault server after raft snapshot restore? Vault	7	1512	June 5, 2022
Impossible to get raft challenge from other nodes Vault raft , vault	0	226	November 23, 2023
Core.autoseal: failed to encrypt seal health test value, seal backend may be unreachable Vault	4	263	June 26, 2024

Manual raft snapshot creation fails

Related topics