Save a snapshot using the APIs always return 403

I am trying to create a snapshot of raft either via CLI or with the APIs. I am running Vault official docker image. At the moment I am only able to download and restore the snapshot from the UI.

If I run the command found on the official docs:

vault operator raft snapshot save backup.snap

I get:

Error taking the snapshot: Error making API request.

Code: 403. Errors:

* permission denied

If I call the same API that Vault is using in its UI:

wget http://localhost:8200/v1/sys/storage/raft/snapshot

I get ERROR 403: Forbidden. In this case is kind of expected since I am doing a non authenticated API call, and I am wondering how to authenticate.

I need this to be able to backup programmatically using an sh script and a cron. How can I do this?

BONUS Question: are these snapshots safe to archive in a hard drive or in a Nexus repository for example? Everything should be encrypted and a user needs the Unseal keys to see the secrets, right?

Thank you all

Hello @GiamBoscaro,

Are you running Vault community edition or enterprise? I generally work with HCP Vault so when I see a 403 I generally think it’s missing the namespace parameter.

If it is community edition, what is your Vautl configuration? I noticed your example is using HTTP instead of HTTPS? Are you running a single/development mode type container?

Bonus answer: In my opinion you should treat your backups/snapshots as you would any other critical data. Ensure the backups are secured and stored safely.

For the CLI, you do need to pass it your vault token in the VAULT_TOKEN environment variable.

VAULT_TOKEN=mytokenyoucancopyfromtheUI vault operator raft snapshot save backup.snap should actually do what you want :slight_smile:

I am using the CE, self hosted within a docker container

Yep, that was it obviously. Missing some kind of authentication. Do you know if I can pass an authentication header to call the snapshot API?

Put the token in the environment variable?

I meant when using curl or wget outside the docker container. I did find how to authenticate:

curl \
-H "X-Vault-Token: <token>" \

This should be working.