Saving a snapshot using the APIs always returns 403

Hello,
I am trying to create a snapshot of raft either via CLI or with the APIs. I am running Vault official docker image. At the moment I am only able to download and restore the snapshot from the UI.

If I run the command found on the official docs:

vault operator raft snapshot save backup.snap

I get:

Error taking the snapshot: Error making API request.

URL: GET http://127.0.0.1:8200/v1/sys/storage/raft/snapshot
Code: 403. Errors:

* permission denied

If I call the same API that Vault is using in its UI:

wget http://localhost:8200/v1/sys/storage/raft/snapshot

I get ERROR 403: Forbidden. In this case it is kind of expected since I am doing a non-authenticated API call, and I am wondering how to authenticate.

I need this to be able to back up programmatically using an sh script and a cron. How can I do this?

BONUS Question: are these snapshots safe to archive on a hard drive or in a Nexus repository for example? Everything should be encrypted and a user needs the Unseal keys to see the secrets, right?

Thank you all

Hello @GiamBoscaro,

Are you running Vault community edition or enterprise? I generally work with HCP Vault so when I see a 403 I generally think it’s missing the namespace parameter.

If it is community edition, what is your Vault configuration? I noticed your example is using HTTP instead of HTTPS? Are you running a single/development mode type container?

Bonus answer: In my opinion you should treat your backups/snapshots as you would any other critical data. Ensure the backups are secured and stored safely.

For the CLI, you do need to pass it your vault token in the VAULT_TOKEN environment variable.

VAULT_TOKEN=mytokenyoucancopyfromtheUI vault operator raft snapshot save backup.snap should actually do what you want :slight_smile:

I am using the CE, self-hosted within a docker container.

Yep, that was it obviously. Missing some kind of authentication. Do you know if I can pass an authentication header to call the snapshot API?

Put the token in the environment variable?

I meant when using curl or wget outside the docker container. I did find how to authenticate:

curl \
-H "X-Vault-Token: <token>" \
http://localhost:8200/v1/sys/storage/raft/snapshot

This should be working.
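For the sh-script-and-cron backup asked about at the top of the thread, here is an added example (not posted by anyone in the thread) that wraps the authenticated snapshot call in a function. The token file path, backup directory and file naming are assumptions; the endpoint and `X-Vault-Token` header are the ones shown above.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: the token belongs to a
# dedicated backup identity whose policy grants only read on
# sys/storage/raft/snapshot, and is stored in a file readable by the cron user.

# snapshot_save TOKEN_FILE DEST_DIR
# Fetches a raft snapshot and prints the path of the saved file on success.
snapshot_save() (
    token_file=$1
    dest_dir=$2
    addr=${VAULT_ADDR:-http://127.0.0.1:8200}

    umask 077   # snapshot and temp file readable by the owner only
    [ -r "$token_file" ] || { echo "cannot read token file" >&2; exit 2; }
    token=$(cat "$token_file")
    [ -n "$token" ] || { echo "token file is empty" >&2; exit 2; }

    mkdir -p "$dest_dir" || exit 2
    final="$dest_dir/vault-$(date -u +%Y%m%dT%H%M%SZ).snap"
    tmp="$final.partial"

    # The header is fed to curl as config on stdin, so the token never shows
    # up in the process list. --fail turns a 403 into a non-zero exit instead
    # of saving the JSON error body as if it were a snapshot.
    if printf 'header = "X-Vault-Token: %s"\n' "$token" |
        curl --config - --fail --silent --show-error \
             --output "$tmp" "$addr/v1/sys/storage/raft/snapshot" &&
        [ -s "$tmp" ]
    then
        # Rename only after a complete, non-empty download.
        mv "$tmp" "$final" && echo "$final"
    else
        rm -f "$tmp"
        echo "snapshot failed; nothing kept" >&2
        exit 1
    fi
)

# Usage from a cron-run wrapper (paths are placeholders):
#   snapshot_save /etc/vault-backup/token /var/backups/vault
```

A non-zero exit leaves no partial file behind, so the cron job can alert on the exit status alone.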