diff --git a/content/vault/v1.16.x/content/api-docs/system/storage/raftautosnapshots.mdx b/content/vault/v1.16.x/content/api-docs/system/storage/raftautosnapshots.mdx index 9973d0eb7..8c6062cf6 100644 --- a/content/vault/v1.16.x/content/api-docs/system/storage/raftautosnapshots.mdx +++ b/content/vault/v1.16.x/content/api-docs/system/storage/raftautosnapshots.mdx @@ -71,7 +71,12 @@ environment variables or files on disk in predefined locations. - `aws_s3_region` `(string: )` - AWS region bucket is in. -- `aws_access_key_id` `(string)` - AWS access key ID. +- `aws_access_key_id` `(string)` - AWS access key ID. The associated AWS account + must have the following permissions in S3 so that Vault can store and manage + the snapshots: + - `s3:ListBucket` + - `s3:PutObject` + - `s3:DeleteObject` - `aws_secret_access_key` `(string)` - AWS secret access key. @@ -87,7 +92,11 @@ environment variables or files on disk in predefined locations. - `aws_s3_force_path_style` `(boolean)` - Use the endpoint/bucket URL style instead of bucket.endpoint. May be needed when setting `aws_s3_endpoint`. -- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents. +- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents. To use + KMS encryption, the associated AWS account must have the following + permissions: + - `kms:Decrypt` + - `kms:GenerateDataKey` - `aws_s3_server_side_encryption` `(boolean)` - Use AES256 to encrypt bucket contents. Cannot use with `aws_s3_enable_kms` parameter. 
@@ -98,23 +107,27 @@ environment variables or files on disk in predefined locations. - `google_gcs_bucket` `(string: )` GCS bucket to write snapshots to. - `google_service_account_key` `(string)` - Google service account key in JSON format. Depending - on how the API is invoked, this may be need to be JSON-escaped, e.g. for newlines and double quotes. + on how the API is invoked, this may need to be JSON-escaped, e.g. for newlines and double quotes. The raw value looks like this: - -```json -{ - "type": "service_account", - "project_id": "project-id", - "private_key_id": "key-id", - "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQ ... /WZs=\n-----END RSA PRIVATE KEY-----\n", - "client_email": "service-account-email", - "client_id": "client-id", - "auth_uri": "https://accounts.google.com/o/oauth2/auth", - "token_uri": "https://accounts.google.com/o/oauth2/token", - "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", - "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email" -} -``` + ```json + { + "type": "service_account", + "project_id": "project-id", + "private_key_id": "key-id", + "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQ ... /WZs=\n-----END RSA PRIVATE KEY-----\n", + "client_email": "service-account-email", + "client_id": "client-id", + "auth_uri": "https://accounts.google.com/o/oauth2/auth", + "token_uri": "https://accounts.google.com/o/oauth2/token", + "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", + "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email" + } + ``` + + The associated Google service account must have the following permissions in Google Cloud Storage so that Vault can store and manage the snapshots: + - `storage.objects.create` + - `storage.objects.list` + - `storage.objects.delete` - `google_endpoint` `(string)` - GCS endpoint. 
This is typically only set when using a non-Google GCS implementation like fake-gcs-server. @@ -128,7 +141,12 @@ environment variables or files on disk in predefined locations. - `azure_container_name` `(string: )` - Azure container name to write snapshots to. -- `azure_account_name` `(string)` - Azure account name. +- `azure_account_name` `(string)` - Azure account name. The associated Azure + account must have the following permissions in Azure Blob Storage so that + Vault can store and manage the snapshots: + - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read` + - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write` + - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete` - `azure_account_key` `(string)` - Azure account key. diff --git a/content/vault/v1.19.x/content/api-docs/system/storage/raftautosnapshots.mdx b/content/vault/v1.19.x/content/api-docs/system/storage/raftautosnapshots.mdx index 969603930..efb6f4c77 100644 --- a/content/vault/v1.19.x/content/api-docs/system/storage/raftautosnapshots.mdx +++ b/content/vault/v1.19.x/content/api-docs/system/storage/raftautosnapshots.mdx @@ -81,7 +81,12 @@ parameters in the context of AWS EKS & S3 configuration. - `aws_s3_region` `(string: )` - AWS region bucket is in. -- `aws_access_key_id` `(string)` - AWS access key ID. +- `aws_access_key_id` `(string)` - AWS access key ID. The associated AWS account + must have the following permissions in S3 so that Vault can store and manage + the snapshots: + - `s3:ListBucket` + - `s3:PutObject` + - `s3:DeleteObject` - `aws_secret_access_key` `(string)` - AWS secret access key. 
@@ -97,7 +102,10 @@ parameters in the context of AWS EKS & S3 configuration. - `aws_s3_force_path_style` `(boolean)` - Use the endpoint/bucket URL style instead of bucket.endpoint. May be needed when setting `aws_s3_endpoint`. -- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents. +- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents. To use + KMS encryption, the associated account must have the following permissions: + - `kms:Decrypt` + - `kms:GenerateDataKey` - `aws_s3_server_side_encryption` `(boolean)` - Use AES256 to encrypt bucket contents. Cannot use with `aws_s3_enable_kms` parameter. 
@@ -108,23 +116,28 @@ parameters in the context of AWS EKS & S3 configuration. - `google_gcs_bucket` `(string: )` GCS bucket to write snapshots to. - `google_service_account_key` `(string)` - Google service account key in JSON format. Depending - on how the API is invoked, this may be need to be JSON-escaped, e.g. for newlines and double quotes. - The raw value looks like this: +on how you invoke the API, you may need to JSON-escape the account key. For +example, to include data with newlines and double quotes the raw value would +look like: + ```json + { + "type": "service_account", + "project_id": "project-id", + "private_key_id": "key-id", + "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQ ... /WZs=\n-----END RSA PRIVATE KEY-----\n", + "client_email": "service-account-email", + "client_id": "client-id", + "auth_uri": "https://accounts.google.com/o/oauth2/auth", + "token_uri": "https://accounts.google.com/o/oauth2/token", + "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", + "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email" + } + ``` -```json -{ - "type": "service_account", - "project_id": "project-id", - "private_key_id": "key-id", - "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQ ... /WZs=\n-----END RSA PRIVATE KEY-----\n", - "client_email": "service-account-email", - "client_id": "client-id", - "auth_uri": "https://accounts.google.com/o/oauth2/auth", - "token_uri": "https://accounts.google.com/o/oauth2/token", - "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", - "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email" -} -``` + The associated Google service account must have the following permissions in Google Cloud Storage so that Vault can store and manage the snapshots: + - `storage.objects.create` + - `storage.objects.list` + - `storage.objects.delete` - `google_endpoint` `(string)` - GCS endpoint. 
This is typically only set when using a non-Google GCS implementation like fake-gcs-server. @@ -138,7 +151,12 @@ parameters in the context of AWS EKS & S3 configuration. - `azure_container_name` `(string: )` - Azure container name to write snapshots to. -- `azure_account_name` `(string)` - Azure account name. +- `azure_account_name` `(string)` - Azure account name. The associated Azure + account must have the following permissions in Azure Blob Storage so that + Vault can store and manage the snapshots: + - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read` + - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write` + - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete` - `azure_auth_mode` `(string)` - One of `shared`, `managed`, or `environment`. If `environment` is set, Azure authentication details are retrieved from the environment variables: `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_TENANT_ID`, `AZURE_SUBSCRIPTION_ID`. diff --git a/content/vault/v1.20.x/content/api-docs/system/storage/raftautosnapshots.mdx b/content/vault/v1.20.x/content/api-docs/system/storage/raftautosnapshots.mdx index 90ff85f68..a0539647e 100644 --- a/content/vault/v1.20.x/content/api-docs/system/storage/raftautosnapshots.mdx +++ b/content/vault/v1.20.x/content/api-docs/system/storage/raftautosnapshots.mdx @@ -81,7 +81,15 @@ parameters in the context of AWS EKS & S3 configuration. - `aws_s3_region` `(string: )` - AWS region bucket is in. -- `aws_access_key_id` `(string)` - AWS access key ID. +- `aws_access_key_id` `(string)` - AWS access key ID. The associated AWS account + must have the following permissions in S3 so that Vault can store and manage + the snapshots: + - `s3:ListBucket` + - `s3:PutObject` + - `s3:DeleteObject` + + To load a snapshot with your configuration, the account also needs: + - `s3:GetObject` - `aws_secret_access_key` `(string)` - AWS secret access key. 
@@ -97,7 +105,10 @@ parameters in the context of AWS EKS & S3 configuration. - `aws_s3_force_path_style` `(boolean)` - Use the endpoint/bucket URL style instead of bucket.endpoint. May be needed when setting `aws_s3_endpoint`. -- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents. +- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents. To use + KMS encryption, the associated AWS account must have the following permissions: + - `kms:Decrypt` + - `kms:GenerateDataKey` - `aws_s3_server_side_encryption` `(boolean)` - Use AES256 to encrypt bucket contents. Cannot use with `aws_s3_enable_kms` parameter. 
@@ -108,23 +119,32 @@ parameters in the context of AWS EKS & S3 configuration. - `google_gcs_bucket` `(string: )` GCS bucket to write snapshots to. - `google_service_account_key` `(string)` - Google service account key in JSON format. Depending - on how the API is invoked, this may be need to be JSON-escaped, e.g. for newlines and double quotes. - The raw value looks like this: +on how you invoke the API, you may need to JSON-escape the account key. For +example, to include data with newlines and double quotes the raw value would +look like: + ```json + { + "type": "service_account", + "project_id": "project-id", + "private_key_id": "key-id", + "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQ ... /WZs=\n-----END RSA PRIVATE KEY-----\n", + "client_email": "service-account-email", + "client_id": "client-id", + "auth_uri": "https://accounts.google.com/o/oauth2/auth", + "token_uri": "https://accounts.google.com/o/oauth2/token", + "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", + "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email" + } + ``` -```json -{ - "type": "service_account", - "project_id": "project-id", - "private_key_id": "key-id", - "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQ ... 
/WZs=\n-----END RSA PRIVATE KEY-----\n", - "client_email": "service-account-email", - "client_id": "client-id", - "auth_uri": "https://accounts.google.com/o/oauth2/auth", - "token_uri": "https://accounts.google.com/o/oauth2/token", - "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", - "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email" -} -``` + The associated Google service account must have following permissions in + Google Cloud Storage so that Vault can store and manage the snapshots: + - `storage.objects.create` + - `storage.objects.list` + - `storage.objects.delete` + + To load a snapshot with your configuration, the account also needs: + - `storage.objects.get` - `google_endpoint` `(string)` - GCS endpoint. This is typically only set when using a non-Google GCS implementation like fake-gcs-server. @@ -138,7 +158,12 @@ parameters in the context of AWS EKS & S3 configuration. - `azure_container_name` `(string: )` - Azure container name to write snapshots to. -- `azure_account_name` `(string)` - Azure account name. +- `azure_account_name` `(string)` - Azure account name. The associated Azure + account must have the following permissions in Azure Blob Storage so that + Vault can store and manage the snapshots: + - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read` + - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write` + - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete` - `azure_auth_mode` `(string)` - One of `shared`, `managed`, or `environment`. If `environment` is set, Azure authentication details are retrieved from the environment variables: `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_TENANT_ID`, `AZURE_SUBSCRIPTION_ID`. 
diff --git a/content/vault/v1.21.x (rc)/content/api-docs/system/storage/raftautosnapshots.mdx b/content/vault/v1.21.x (rc)/content/api-docs/system/storage/raftautosnapshots.mdx index fb26eaf40..28760bbcd 100644 --- a/content/vault/v1.21.x (rc)/content/api-docs/system/storage/raftautosnapshots.mdx +++ b/content/vault/v1.21.x (rc)/content/api-docs/system/storage/raftautosnapshots.mdx @@ -95,7 +95,16 @@ parameters in the context of AWS EKS & S3 configuration. - `aws_s3_region` `(string: )` - AWS region bucket is in. -- `aws_access_key_id` `(string)` - AWS access key ID. +- `aws_access_key_id` `(string)` - AWS access key ID. The associated AWS account + must have the following permissions in S3 so that Vault can store and manage + the snapshots: + - `s3:ListBucket` + - `s3:PutObject` + - `s3:DeleteObject` + + If you want to use the configuration to enable snapshot autoloading or to + manually load a snapshot, the account also needs: + - `s3:GetObject` - `aws_secret_access_key` `(string)` - AWS secret access key. @@ -111,7 +120,10 @@ parameters in the context of AWS EKS & S3 configuration. - `aws_s3_force_path_style` `(boolean)` - Use the endpoint/bucket URL style instead of bucket.endpoint. May be needed when setting `aws_s3_endpoint`. -- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents. +- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents. To use + KMS encryption, the associated AWS account must have the following permissions: + - `kms:Decrypt` + - `kms:GenerateDataKey` - `aws_s3_server_side_encryption` `(boolean)` - Use AES256 to encrypt bucket contents. Cannot use with `aws_s3_enable_kms` parameter. 
@@ -122,23 +134,32 @@ parameters in the context of AWS EKS & S3 configuration. - `google_gcs_bucket` `(string: )` GCS bucket to write snapshots to. - `google_service_account_key` `(string)` - Google service account key in JSON format. Depending - on how the API is invoked, this may be need to be JSON-escaped, e.g. for newlines and double quotes. + on how the API is invoked, this may need to be JSON-escaped, e.g. for newlines and double quotes. The raw value looks like this: - -```json -{ - "type": "service_account", - "project_id": "project-id", - "private_key_id": "key-id", - "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQ ... /WZs=\n-----END RSA PRIVATE KEY-----\n", - "client_email": "service-account-email", - "client_id": "client-id", - "auth_uri": "https://accounts.google.com/o/oauth2/auth", - "token_uri": "https://accounts.google.com/o/oauth2/token", - "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", - "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email" -} -``` + ```json + { + "type": "service_account", + "project_id": "project-id", + "private_key_id": "key-id", + "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQ ... 
/WZs=\n-----END RSA PRIVATE KEY-----\n", + "client_email": "service-account-email", + "client_id": "client-id", + "auth_uri": "https://accounts.google.com/o/oauth2/auth", + "token_uri": "https://accounts.google.com/o/oauth2/token", + "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", + "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email" + } + ``` + + The associated Google service account must have following permissions in + Google Cloud Storage so that Vault can store and manage the snapshots: + - `storage.objects.create` + - `storage.objects.list` + - `storage.objects.delete` + + If you want to use the configuration to enable snapshot autoloading or to + manually load a snapshot, the account also needs: + - `storage.objects.get` - `google_endpoint` `(string)` - GCS endpoint. This is typically only set when using a non-Google GCS implementation like fake-gcs-server. @@ -148,11 +169,16 @@ parameters in the context of AWS EKS & S3 configuration. `google_endpoint`. #### storage_type=azure-blob - + - `azure_container_name` `(string: )` - Azure container name to write snapshots to. -- `azure_account_name` `(string)` - Azure account name. +- `azure_account_name` `(string)` - Azure account name. The associated Azure + account must have the following permissions in Azure Blob Storage so that + Vault can store and manage the snapshots: + - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read` + - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write` + - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete` - `azure_auth_mode` `(string)` - One of `shared`, `managed`, or `environment`. If `environment` is set, Azure authentication details are retrieved from the
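Review bot: In the v1.16.x hunk at `@@ -71,7 +71,12 @@` (`aws_access_key_id`), the permission list is attached to the access key field and phrased as "the associated AWS account", but the hunk's own context line says credentials can also come from environment variables or files on disk, so the requirement belongs to whichever IAM principal (user or role) Vault authenticates as. Suggest "The IAM principal whose credentials Vault uses must have..." and, because `s3:ListBucket` is evaluated against the bucket while `s3:PutObject` and `s3:DeleteObject` are evaluated against objects, add that a least-privilege policy grants the first on `arn:aws:s3:::<bucket>` and the other two on `arn:aws:s3:::<bucket>/*` (placeholder bucket name).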
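Review bot: In the v1.16.x hunk at `@@ -87,7 +92,11 @@` (`aws_s3_enable_kms`), the added `kms:Decrypt` and `kms:GenerateDataKey` lines do not say which key they must be granted on, so a reader can satisfy them with a policy on every key in the account. Suggest one sentence stating that the grant should be scoped to the KMS key that encrypts the bucket, and the same "IAM principal whose credentials Vault uses" wording as the S3 note, since the KMS calls are made by that principal.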
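Review bot: In the v1.16.x hunk at `@@ -98,23 +107,27 @@` (`google_service_account_key`), `storage.objects.create`, `storage.objects.list` and `storage.objects.delete` are IAM permission names that cannot be attached to a service account directly; suggest saying they must be granted through a role binding (a predefined role that contains them, or a custom role) on the bucket named in `google_gcs_bucket`. The "may need to be" typo fix and the re-indentation of the ```json block so it stays inside the list item both look correct.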
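Review bot: In the v1.16.x hunk at `@@ -128,7 +141,12 @@` (`azure_account_name`), the three `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/...` entries are Azure RBAC data actions (they belong under `dataActions` in a custom role, not `actions`), and RBAC is only evaluated for identity-based authentication. The only credential shown in this version is `azure_account_key`, a shared key that authorizes without any RBAC check, so the note should state which authentication path these permissions govern; as written, a reader using the account key will assign roles that have no effect, and a reader using an identity will not know the list applies to it.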
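Review bot: In the v1.19.x hunk at `@@ -81,7 +81,12 @@` (`aws_access_key_id`), the permissions are again described as belonging to "the associated AWS account" and placed under the static access key field, which is a poor fit here because the context line says the parameters are explained "in the context of AWS EKS & S3 configuration", where the principal is normally a role assumed by the pod and there is no access key at all. Suggest stating the permissions for the IAM principal Vault runs as, and noting that `s3:ListBucket` is granted on the bucket resource while `s3:PutObject` and `s3:DeleteObject` are granted on the objects under it.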
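Review bot: In the v1.19.x hunk at `@@ -97,7 +102,10 @@` (`aws_s3_enable_kms`), the added sentence reads "the associated account must have", dropping the "AWS" that the v1.16.x, v1.20.x and v1.21.x copies of the same sentence keep; align the wording. In all four copies the `kms:Decrypt` and `kms:GenerateDataKey` requirement should also say it is scoped to the KMS key used for the bucket rather than to all keys.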
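Review bot: In the v1.19.x hunk at `@@ -108,23 +116,28 @@` (`google_service_account_key`), the three added lines beginning "on how you invoke the API", "example, to include data" and "look like:" have no leading indent, while the list item's other continuation lines and the ```json fence that follows are indented; the paragraph survives only through lazy continuation and should be indented like its neighbours. The rewritten sentence also blurs raw and escaped forms: the newlines and double quotes are present in the raw value regardless, and JSON escaping is what changes when the key is passed through the API. The v1.16.x wording ("this may need to be JSON-escaped, e.g. for newlines and double quotes. The raw value looks like this:") is clearer; suggest using it here.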
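Review bot: In the v1.19.x hunk at `@@ -138,7 +151,12 @@` (`azure_account_name`), the `containers/blobs/read`, `containers/blobs/write` and `containers/blobs/delete` permissions are RBAC data actions that are only consulted for identity-based authentication, yet the next context line shows `azure_auth_mode` with `shared`, `managed` and `environment`, and under `shared` the account key authorizes without RBAC. Suggest moving the list to `azure_auth_mode` and stating that it applies to the managed identity (`managed`) or to the service principal identified by `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET` and `AZURE_TENANT_ID` (`environment`).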
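Review bot: In the v1.20.x hunk at `@@ -81,7 +81,15 @@` (`aws_access_key_id`), "To load a snapshot with your configuration" leaves unclear whether it covers automatic loading, manual loading or both; the v1.21.x copy says "enable snapshot autoloading or to manually load a snapshot", which is precise, so backport that wording. Keeping `s3:GetObject` as a separate, load-only requirement is the right least-privilege shape; add that it is an object-level action (bucket ARN plus `/*`) like `s3:PutObject` and `s3:DeleteObject`, unlike `s3:ListBucket`.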
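Review bot: In the v1.20.x hunk at `@@ -108,23 +119,32 @@` (`google_service_account_key`), "must have following permissions" is missing "the", and the three unindented lines starting "on how you invoke the API" sit outside the list item's indentation while the ```json fence after them is indented; fix both. The separate `storage.objects.get` requirement for loading mirrors the `s3:GetObject` split in the S3 section and should say, like the S3 text, that these IAM permissions are granted through a role on the bucket in `google_gcs_bucket`.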
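Review bot: In the v1.20.x hunk at `@@ -138,7 +158,12 @@` (`azure_account_name`), the S3 and GCS sections of this same file gained a separate "to load a snapshot" permission (`s3:GetObject`, `storage.objects.get`), but the Azure list has no equivalent sentence. If `containers/blobs/read` already covers loading, say so in one line so readers do not hunt for a missing action; if it does not, the list is incomplete for snapshot loading. As in the other versions, these are RBAC data actions and are not evaluated when `azure_auth_mode` is `shared`.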
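Review bot: In the v1.21.x hunk at `@@ -122,23 +134,32 @@` (`google_service_account_key`), "must have following permissions" is missing "the"; the v1.16.x copy of the same sentence has it. Otherwise this copy keeps the JSON example indented inside the list item and keeps the clearer v1.16.x escaping sentence, so it is the cleanest of the four; the v1.19.x and v1.20.x copies should be brought in line with it.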