From abe5718237a26940066ebdc67ea1adb7094351b1 Mon Sep 17 00:00:00 2001 From: Mia Epner Date: Tue, 21 Oct 2025 11:36:37 +0200 Subject: [PATCH 1/3] list cloud permissions required for automated snapshots --- .../system/storage/raftautosnapshots.mdx | 50 ++++++++++------ .../system/storage/raftautosnapshots.mdx | 52 ++++++++++------- .../system/storage/raftautosnapshots.mdx | 57 ++++++++++++------- .../system/storage/raftautosnapshots.mdx | 57 ++++++++++++------- 4 files changed, 141 insertions(+), 75 deletions(-) diff --git a/content/vault/v1.16.x/content/api-docs/system/storage/raftautosnapshots.mdx b/content/vault/v1.16.x/content/api-docs/system/storage/raftautosnapshots.mdx index 9973d0eb7..df690b723 100644 --- a/content/vault/v1.16.x/content/api-docs/system/storage/raftautosnapshots.mdx +++ b/content/vault/v1.16.x/content/api-docs/system/storage/raftautosnapshots.mdx @@ -71,7 +71,11 @@ environment variables or files on disk in predefined locations. - `aws_s3_region` `(string: )` - AWS region bucket is in. -- `aws_access_key_id` `(string)` - AWS access key ID. +- `aws_access_key_id` `(string)` - AWS access key ID. Make sure that this account has + the following permissions in S3, so that Vault can store and manage the snapshots: + - `s3:ListBucket` + - `s3:PutObject` + - `s3:DeleteObject` - `aws_secret_access_key` `(string)` - AWS secret access key. 
@@ -87,7 +91,9 @@ environment variables or files on disk in predefined locations. - `aws_s3_force_path_style` `(boolean)` - Use the endpoint/bucket URL style instead of bucket.endpoint. May be needed when setting `aws_s3_endpoint`. -- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents. +- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents. If this is true, make sure that your AWS account also has the permissions: + - `kms:Decrypt` + - `kms:GenerateDataKey` - `aws_s3_server_side_encryption` `(boolean)` - Use AES256 to encrypt bucket contents. Cannot use with `aws_s3_enable_kms` parameter. 
@@ -100,21 +106,25 @@ environment variables or files on disk in predefined locations. - `google_service_account_key` `(string)` - Google service account key in JSON format. Depending on how the API is invoked, this may be need to be JSON-escaped, e.g. for newlines and double quotes. The raw value looks like this: - -```json -{ - "type": "service_account", - "project_id": "project-id", - "private_key_id": "key-id", - "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQ ... /WZs=\n-----END RSA PRIVATE KEY-----\n", - "client_email": "service-account-email", - "client_id": "client-id", - "auth_uri": "https://accounts.google.com/o/oauth2/auth", - "token_uri": "https://accounts.google.com/o/oauth2/token", - "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", - "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email" -} -``` + ```json + { + "type": "service_account", + "project_id": "project-id", + "private_key_id": "key-id", + "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQ ... /WZs=\n-----END RSA PRIVATE KEY-----\n", + "client_email": "service-account-email", + "client_id": "client-id", + "auth_uri": "https://accounts.google.com/o/oauth2/auth", + "token_uri": "https://accounts.google.com/o/oauth2/token", + "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", + "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email" + } + ``` + + Make sure that the Google service account used has the following permissions in Google Cloud Storage, so that Vault can store and manage the snapshots: + - `storage.objects.create` + - `storage.objects.list` + - `storage.objects.delete` - `google_endpoint` `(string)` - GCS endpoint. This is typically only set when using a non-Google GCS implementation like fake-gcs-server. 
@@ -128,7 +138,11 @@ environment variables or files on disk in predefined locations. - `azure_container_name` `(string: )` - Azure container name to write snapshots to. -- `azure_account_name` `(string)` - Azure account name. +- `azure_account_name` `(string)` - Azure account name. Make sure that this account has + the following permissions in Azure Blob Storage, so that Vault can store and manage the snapshots: + - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read` + - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write` + - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete` - `azure_account_key` `(string)` - Azure account key. diff --git a/content/vault/v1.19.x/content/api-docs/system/storage/raftautosnapshots.mdx b/content/vault/v1.19.x/content/api-docs/system/storage/raftautosnapshots.mdx index 969603930..ff911c2b5 100644 --- a/content/vault/v1.19.x/content/api-docs/system/storage/raftautosnapshots.mdx +++ b/content/vault/v1.19.x/content/api-docs/system/storage/raftautosnapshots.mdx @@ -81,7 +81,11 @@ parameters in the context of AWS EKS & S3 configuration. - `aws_s3_region` `(string: )` - AWS region bucket is in. -- `aws_access_key_id` `(string)` - AWS access key ID. +- `aws_access_key_id` `(string)` - AWS access key ID. Make sure that this account has + the following permissions in S3, so that Vault can store and manage the snapshots: + - `s3:ListBucket` + - `s3:PutObject` + - `s3:DeleteObject` - `aws_secret_access_key` `(string)` - AWS secret access key. 
@@ -97,7 +101,9 @@ parameters in the context of AWS EKS & S3 configuration. - `aws_s3_force_path_style` `(boolean)` - Use the endpoint/bucket URL style instead of bucket.endpoint. May be needed when setting `aws_s3_endpoint`. -- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents. +- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents. If this is true, make sure that your AWS account also has the permissions: + - `kms:Decrypt` + - `kms:GenerateDataKey` - `aws_s3_server_side_encryption` `(boolean)` - Use AES256 to encrypt bucket contents. Cannot use with `aws_s3_enable_kms` parameter. 
@@ -108,23 +114,27 @@ parameters in the context of AWS EKS & S3 configuration. - `google_gcs_bucket` `(string: )` GCS bucket to write snapshots to. - `google_service_account_key` `(string)` - Google service account key in JSON format. Depending - on how the API is invoked, this may be need to be JSON-escaped, e.g. for newlines and double quotes. - The raw value looks like this: +on how the API is invoked, this may be need to be JSON-escaped, e.g. for newlines and double quotes. +The raw value looks like this: + ```json + { + "type": "service_account", + "project_id": "project-id", + "private_key_id": "key-id", + "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQ ... /WZs=\n-----END RSA PRIVATE KEY-----\n", + "client_email": "service-account-email", + "client_id": "client-id", + "auth_uri": "https://accounts.google.com/o/oauth2/auth", + "token_uri": "https://accounts.google.com/o/oauth2/token", + "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", + "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email" + } + ``` -```json -{ - "type": "service_account", - "project_id": "project-id", - "private_key_id": "key-id", - "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQ ... /WZs=\n-----END RSA PRIVATE KEY-----\n", - "client_email": "service-account-email", - "client_id": "client-id", - "auth_uri": "https://accounts.google.com/o/oauth2/auth", - "token_uri": "https://accounts.google.com/o/oauth2/token", - "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", - "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email" -} -``` + Make sure that the Google service account used has the following permissions in Google Cloud Storage, so that Vault can store and manage the snapshots: + - `storage.objects.create` + - `storage.objects.list` + - `storage.objects.delete` - `google_endpoint` `(string)` - GCS endpoint. 
This is typically only set when using a non-Google GCS implementation like fake-gcs-server. @@ -138,7 +148,11 @@ parameters in the context of AWS EKS & S3 configuration. - `azure_container_name` `(string: )` - Azure container name to write snapshots to. -- `azure_account_name` `(string)` - Azure account name. +- `azure_account_name` `(string)` - Azure account name. Make sure that this account has + the following permissions in Azure Blob Storage, so that Vault can store and manage the snapshots: + - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read` + - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write` + - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete` - `azure_auth_mode` `(string)` - One of `shared`, `managed`, or `environment`. If `environment` is set, Azure authentication details are retrieved from the environment variables: `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_TENANT_ID`, `AZURE_SUBSCRIPTION_ID`. diff --git a/content/vault/v1.20.x/content/api-docs/system/storage/raftautosnapshots.mdx b/content/vault/v1.20.x/content/api-docs/system/storage/raftautosnapshots.mdx index 90ff85f68..39b5e2c51 100644 --- a/content/vault/v1.20.x/content/api-docs/system/storage/raftautosnapshots.mdx +++ b/content/vault/v1.20.x/content/api-docs/system/storage/raftautosnapshots.mdx @@ -81,7 +81,13 @@ parameters in the context of AWS EKS & S3 configuration. - `aws_s3_region` `(string: )` - AWS region bucket is in. -- `aws_access_key_id` `(string)` - AWS access key ID. +- `aws_access_key_id` `(string)` - AWS access key ID. Make sure that this account has the following permissions in S3, so that Vault can store and manage the snapshots: + - `s3:ListBucket` + - `s3:PutObject` + - `s3:DeleteObject` + + If you want to load a snapshot from this configuration, the account also needs: + - `s3:GetObject` - `aws_secret_access_key` `(string)` - AWS secret access key. 
@@ -97,7 +103,9 @@ parameters in the context of AWS EKS & S3 configuration. - `aws_s3_force_path_style` `(boolean)` - Use the endpoint/bucket URL style instead of bucket.endpoint. May be needed when setting `aws_s3_endpoint`. -- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents. +- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents. If this is true, make sure that your AWS account also has the permissions: + - `kms:Decrypt` + - `kms:GenerateDataKey` - `aws_s3_server_side_encryption` `(boolean)` - Use AES256 to encrypt bucket contents. Cannot use with `aws_s3_enable_kms` parameter. 
@@ -108,23 +116,30 @@ parameters in the context of AWS EKS & S3 configuration. - `google_gcs_bucket` `(string: )` GCS bucket to write snapshots to. - `google_service_account_key` `(string)` - Google service account key in JSON format. Depending - on how the API is invoked, this may be need to be JSON-escaped, e.g. for newlines and double quotes. - The raw value looks like this: +on how the API is invoked, this may be need to be JSON-escaped, e.g. for newlines and double quotes. +The raw value looks like this: + ```json + { + "type": "service_account", + "project_id": "project-id", + "private_key_id": "key-id", + "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQ ... /WZs=\n-----END RSA PRIVATE KEY-----\n", + "client_email": "service-account-email", + "client_id": "client-id", + "auth_uri": "https://accounts.google.com/o/oauth2/auth", + "token_uri": "https://accounts.google.com/o/oauth2/token", + "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", + "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email" + } + ``` -```json -{ - "type": "service_account", - "project_id": "project-id", - "private_key_id": "key-id", - "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQ ... 
/WZs=\n-----END RSA PRIVATE KEY-----\n", - "client_email": "service-account-email", - "client_id": "client-id", - "auth_uri": "https://accounts.google.com/o/oauth2/auth", - "token_uri": "https://accounts.google.com/o/oauth2/token", - "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", - "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email" -} -``` + Make sure that the Google service account used has the following permissions in Google Cloud Storage, so that Vault can store and manage the snapshots: + - `storage.objects.create` + - `storage.objects.list` + - `storage.objects.delete` + + If you want to load a snapshot from this configuration, the service account also needs: + - `storage.objects.get` - `google_endpoint` `(string)` - GCS endpoint. This is typically only set when using a non-Google GCS implementation like fake-gcs-server. @@ -138,7 +153,11 @@ parameters in the context of AWS EKS & S3 configuration. - `azure_container_name` `(string: )` - Azure container name to write snapshots to. -- `azure_account_name` `(string)` - Azure account name. +- `azure_account_name` `(string)` - Azure account name. Make sure that this account has + the following permissions in Azure Blob Storage, so that Vault can store and manage the snapshots: + - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read` + - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write` + - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete` - `azure_auth_mode` `(string)` - One of `shared`, `managed`, or `environment`. If `environment` is set, Azure authentication details are retrieved from the environment variables: `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_TENANT_ID`, `AZURE_SUBSCRIPTION_ID`. 
diff --git a/content/vault/v1.21.x (rc)/content/api-docs/system/storage/raftautosnapshots.mdx b/content/vault/v1.21.x (rc)/content/api-docs/system/storage/raftautosnapshots.mdx index fb26eaf40..69c8870ca 100644 --- a/content/vault/v1.21.x (rc)/content/api-docs/system/storage/raftautosnapshots.mdx +++ b/content/vault/v1.21.x (rc)/content/api-docs/system/storage/raftautosnapshots.mdx @@ -95,7 +95,13 @@ parameters in the context of AWS EKS & S3 configuration. - `aws_s3_region` `(string: )` - AWS region bucket is in. -- `aws_access_key_id` `(string)` - AWS access key ID. +- `aws_access_key_id` `(string)` - AWS access key ID. Make sure that this account has the following permissions in S3, so that Vault can store and manage the snapshots: + - `s3:ListBucket` + - `s3:PutObject` + - `s3:DeleteObject` + + If you enable snapshot autoloading or want to manually load a snapshot from this configuration, the account also needs: + - `s3:GetObject` - `aws_secret_access_key` `(string)` - AWS secret access key. @@ -111,7 +117,9 @@ parameters in the context of AWS EKS & S3 configuration. - `aws_s3_force_path_style` `(boolean)` - Use the endpoint/bucket URL style instead of bucket.endpoint. May be needed when setting `aws_s3_endpoint`. -- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents. +- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents. If this is true, make sure that your AWS account also has the permissions: + - `kms:Decrypt` + - `kms:GenerateDataKey` - `aws_s3_server_side_encryption` `(boolean)` - Use AES256 to encrypt bucket contents. Cannot use with `aws_s3_enable_kms` parameter. 
@@ -124,21 +132,28 @@ parameters in the context of AWS EKS & S3 configuration. - `google_service_account_key` `(string)` - Google service account key in JSON format. Depending on how the API is invoked, this may be need to be JSON-escaped, e.g. for newlines and double quotes. The raw value looks like this: - -```json -{ - "type": "service_account", - "project_id": "project-id", - "private_key_id": "key-id", - "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQ ... /WZs=\n-----END RSA PRIVATE KEY-----\n", - "client_email": "service-account-email", - "client_id": "client-id", - "auth_uri": "https://accounts.google.com/o/oauth2/auth", - "token_uri": "https://accounts.google.com/o/oauth2/token", - "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", - "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email" -} -``` + ```json + { + "type": "service_account", + "project_id": "project-id", + "private_key_id": "key-id", + "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQ ... /WZs=\n-----END RSA PRIVATE KEY-----\n", + "client_email": "service-account-email", + "client_id": "client-id", + "auth_uri": "https://accounts.google.com/o/oauth2/auth", + "token_uri": "https://accounts.google.com/o/oauth2/token", + "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", + "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email" + } + ``` + + Make sure that the Google service account used has the following permissions in Google Cloud Storage, so that Vault can store and manage the snapshots: + - `storage.objects.create` + - `storage.objects.list` + - `storage.objects.delete` + + If you enable snapshot autoloading or want to manually load a snapshot from this configuration, the service account also needs: + - `storage.objects.get` - `google_endpoint` `(string)` - GCS endpoint. 
This is typically only set when using a non-Google GCS implementation like fake-gcs-server. @@ -148,11 +163,15 @@ parameters in the context of AWS EKS & S3 configuration. `google_endpoint`. #### storage_type=azure-blob - + - `azure_container_name` `(string: )` - Azure container name to write snapshots to. -- `azure_account_name` `(string)` - Azure account name. +- `azure_account_name` `(string)` - Azure account name. Make sure that this account has + the following permissions in Azure Blob Storage, so that Vault can store and manage the snapshots: + - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read` + - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write` + - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete` - `azure_auth_mode` `(string)` - One of `shared`, `managed`, or `environment`. If `environment` is set, Azure authentication details are retrieved from the From 5d4744f5bb7b98e735c461332ed9f3142e7897f0 Mon Sep 17 00:00:00 2001 From: miagilepner Date: Wed, 22 Oct 2025 10:33:42 +0200 Subject: [PATCH 2/3] Apply suggestions from code review Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- .../system/storage/raftautosnapshots.mdx | 16 ++++++++----- .../system/storage/raftautosnapshots.mdx | 20 +++++++++------- .../system/storage/raftautosnapshots.mdx | 24 ++++++++++++------- .../system/storage/raftautosnapshots.mdx | 21 ++++++++++------ 4 files changed, 51 insertions(+), 30 deletions(-) diff --git a/content/vault/v1.16.x/content/api-docs/system/storage/raftautosnapshots.mdx b/content/vault/v1.16.x/content/api-docs/system/storage/raftautosnapshots.mdx index df690b723..041a9eaa2 100644 --- a/content/vault/v1.16.x/content/api-docs/system/storage/raftautosnapshots.mdx +++ b/content/vault/v1.16.x/content/api-docs/system/storage/raftautosnapshots.mdx 
@@ -71,8 +71,9 @@ environment variables or files on disk in predefined locations. - `aws_s3_region` `(string: )` - AWS region bucket is in. -- `aws_access_key_id` `(string)` - AWS access key ID. Make sure that this account has - the following permissions in S3, so that Vault can store and manage the snapshots: +- `aws_access_key_id` `(string)` - AWS access key ID. The associated AWS account + must have the following permissions in S3 so that Vault can store and manage + the snapshots: - `s3:ListBucket` - `s3:PutObject` - `s3:DeleteObject` @@ -91,7 +92,9 @@ environment variables or files on disk in predefined locations. - `aws_s3_force_path_style` `(boolean)` - Use the endpoint/bucket URL style instead of bucket.endpoint. May be needed when setting `aws_s3_endpoint`. -- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents. If this is true, make sure that your AWS account also has the permissions: +- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents. To use + KMS encryption, the associated AWS account must have the following + permissions: - `kms:Decrypt` - `kms:GenerateDataKey` @@ -121,7 +124,7 @@ environment variables or files on disk in predefined locations. } ``` - Make sure that the Google service account used has the following permissions in Google Cloud Storage, so that Vault can store and manage the snapshots: + The associated Google service account must have the following permissions in Google Cloud Storage so that Vault can store and manage the snapshots: - `storage.objects.create` - `storage.objects.list` - `storage.objects.delete` 
@@ -138,8 +141,9 @@ environment variables or files on disk in predefined locations. - `azure_container_name` `(string: )` - Azure container name to write snapshots to. -- `azure_account_name` `(string)` - Azure account name. Make sure that this account has - the following permissions in Azure Blob Storage, so that Vault can store and manage the snapshots: +- `azure_account_name` `(string)` - Azure account name. The associated Azure + account must have the following permissions in Azure Blob Storage so that + Vault can store and manage the snapshots: - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read` - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write` - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete` diff --git a/content/vault/v1.19.x/content/api-docs/system/storage/raftautosnapshots.mdx b/content/vault/v1.19.x/content/api-docs/system/storage/raftautosnapshots.mdx index ff911c2b5..efb6f4c77 100644 --- a/content/vault/v1.19.x/content/api-docs/system/storage/raftautosnapshots.mdx +++ b/content/vault/v1.19.x/content/api-docs/system/storage/raftautosnapshots.mdx @@ -81,8 +81,9 @@ parameters in the context of AWS EKS & S3 configuration. - `aws_s3_region` `(string: )` - AWS region bucket is in. -- `aws_access_key_id` `(string)` - AWS access key ID. Make sure that this account has - the following permissions in S3, so that Vault can store and manage the snapshots: +- `aws_access_key_id` `(string)` - AWS access key ID. The associated AWS account + must have the following permissions in S3 so that Vault can store and manage + the snapshots: - `s3:ListBucket` - `s3:PutObject` - `s3:DeleteObject` 
@@ -101,7 +102,8 @@ parameters in the context of AWS EKS & S3 configuration. - `aws_s3_force_path_style` `(boolean)` - Use the endpoint/bucket URL style instead of bucket.endpoint. May be needed when setting `aws_s3_endpoint`. -- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents. If this is true, make sure that your AWS account also has the permissions: +- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents. To use + KMS encryption, the associated account must have the following permissions: - `kms:Decrypt` - `kms:GenerateDataKey` @@ -114,8 +116,9 @@ parameters in the context of AWS EKS & S3 configuration. - `google_gcs_bucket` `(string: )` GCS bucket to write snapshots to. - `google_service_account_key` `(string)` - Google service account key in JSON format. Depending -on how the API is invoked, this may be need to be JSON-escaped, e.g. for newlines and double quotes. -The raw value looks like this: +on how you invoke the API, you may need to JSON-escape the account key. For +example, to include data with newlines and double quotes the raw value would +look like: ```json { "type": "service_account", @@ -131,7 +134,7 @@ The raw value looks like this: } ``` - Make sure that the Google service account used has the following permissions in Google Cloud Storage, so that Vault can store and manage the snapshots: + The associated Google service account must have the following permissions in Google Cloud Storage so that Vault can store and manage the snapshots: - `storage.objects.create` - `storage.objects.list` - `storage.objects.delete` 
@@ -148,8 +151,9 @@ The raw value looks like this: - `azure_container_name` `(string: )` - Azure container name to write snapshots to. -- `azure_account_name` `(string)` - Azure account name. Make sure that this account has - the following permissions in Azure Blob Storage, so that Vault can store and manage the snapshots: +- `azure_account_name` `(string)` - Azure account name. The associated Azure + account must have the following permissions in Azure Blob Storage so that + Vault can store and manage the snapshots: - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read` - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write` - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete` diff --git a/content/vault/v1.20.x/content/api-docs/system/storage/raftautosnapshots.mdx b/content/vault/v1.20.x/content/api-docs/system/storage/raftautosnapshots.mdx index 39b5e2c51..acdd2d0ce 100644 --- a/content/vault/v1.20.x/content/api-docs/system/storage/raftautosnapshots.mdx +++ b/content/vault/v1.20.x/content/api-docs/system/storage/raftautosnapshots.mdx @@ -81,12 +81,14 @@ parameters in the context of AWS EKS & S3 configuration. - `aws_s3_region` `(string: )` - AWS region bucket is in. -- `aws_access_key_id` `(string)` - AWS access key ID. Make sure that this account has the following permissions in S3, so that Vault can store and manage the snapshots: +- `aws_access_key_id` `(string)` - AWS access key ID. The assocaited AWS account + must have the following permissions in S3 so that Vault can store and manage + the snapshots: - `s3:ListBucket` - `s3:PutObject` - `s3:DeleteObject` - If you want to load a snapshot from this configuration, the account also needs: + To load a snapshot with your configuration, the account also needs: - `s3:GetObject` - `aws_secret_access_key` `(string)` - AWS secret access key. 
@@ -103,7 +105,8 @@ parameters in the context of AWS EKS & S3 configuration. - `aws_s3_force_path_style` `(boolean)` - Use the endpoint/bucket URL style instead of bucket.endpoint. May be needed when setting `aws_s3_endpoint`. -- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents. If this is true, make sure that your AWS account also has the permissions: +- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents. To use + KMS encryption, the associated AWS account must have the following permissions: - `kms:Decrypt` - `kms:GenerateDataKey` @@ -116,8 +119,9 @@ parameters in the context of AWS EKS & S3 configuration. - `google_gcs_bucket` `(string: )` GCS bucket to write snapshots to. - `google_service_account_key` `(string)` - Google service account key in JSON format. Depending -on how the API is invoked, this may be need to be JSON-escaped, e.g. for newlines and double quotes. -The raw value looks like this: +on how you invoke the API, you may need to JSON-escape the account key. For +example, to include data with newlines and double quotes the raw value would +look like: ```json { "type": "service_account", @@ -133,12 +137,13 @@ The raw value looks like this: } ``` - Make sure that the Google service account used has the following permissions in Google Cloud Storage, so that Vault can store and manage the snapshots: + The associated Google service account must have following permissions in + Google Cloud Storage so that Vault can store and manage the snapshots: - `storage.objects.create` - `storage.objects.list` - `storage.objects.delete` - If you want to load a snapshot from this configuration, the service account also needs: + To load a snapshot with your configuration, the account also needs: - `storage.objects.get` - `google_endpoint` `(string)` - GCS endpoint. This is typically only set when 
@@ -153,8 +158,9 @@ The raw value looks like this: - `azure_container_name` `(string: )` - Azure container name to write snapshots to. -- `azure_account_name` `(string)` - Azure account name. Make sure that this account has - the following permissions in Azure Blob Storage, so that Vault can store and manage the snapshots: +- `azure_account_name` `(string)` - Azure account name. The associated Azure + account must have the following permissions in Azure Blob Storage so that + Vault can store and manage the snapshots: - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read` - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write` - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete` diff --git a/content/vault/v1.21.x (rc)/content/api-docs/system/storage/raftautosnapshots.mdx b/content/vault/v1.21.x (rc)/content/api-docs/system/storage/raftautosnapshots.mdx index 69c8870ca..dedf28b15 100644 --- a/content/vault/v1.21.x (rc)/content/api-docs/system/storage/raftautosnapshots.mdx +++ b/content/vault/v1.21.x (rc)/content/api-docs/system/storage/raftautosnapshots.mdx @@ -95,12 +95,15 @@ parameters in the context of AWS EKS & S3 configuration. - `aws_s3_region` `(string: )` - AWS region bucket is in. -- `aws_access_key_id` `(string)` - AWS access key ID. Make sure that this account has the following permissions in S3, so that Vault can store and manage the snapshots: +- `aws_access_key_id` `(string)` - AWS access key ID. The assocaited AWS account + must have the following permissions in S3 so that Vault can store and manage + the snapshots: - `s3:ListBucket` - `s3:PutObject` - `s3:DeleteObject` - If you enable snapshot autoloading or want to manually load a snapshot from this configuration, the account also needs: + If you want to use the configration to enable snapshot autoloading or to + manually load a snapshot, the account also needs: - `s3:GetObject` - `aws_secret_access_key` `(string)` - AWS secret access key. 
@@ -117,7 +120,8 @@ parameters in the context of AWS EKS & S3 configuration. - `aws_s3_force_path_style` `(boolean)` - Use the endpoint/bucket URL style instead of bucket.endpoint. May be needed when setting `aws_s3_endpoint`. -- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents. If this is true, make sure that your AWS account also has the permissions: +- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents. To use + KMS encryption, the associated AWS account must have the following permissions: - `kms:Decrypt` - `kms:GenerateDataKey` @@ -147,12 +151,14 @@ parameters in the context of AWS EKS & S3 configuration. } ``` - Make sure that the Google service account used has the following permissions in Google Cloud Storage, so that Vault can store and manage the snapshots: + The associated Google service account must have following permissions in + Google Cloud Storage so that Vault can store and manage the snapshots: - `storage.objects.create` - `storage.objects.list` - `storage.objects.delete` - If you enable snapshot autoloading or want to manually load a snapshot from this configuration, the service account also needs: + If you want to use the configration to enable snapshot autoloading or to + manually load a snapshot, the account also needs: - `storage.objects.get` - `google_endpoint` `(string)` - GCS endpoint. This is typically only set when 
@@ -167,8 +173,9 @@ parameters in the context of AWS EKS & S3 configuration. - `azure_container_name` `(string: )` - Azure container name to write snapshots to. -- `azure_account_name` `(string)` - Azure account name. Make sure that this account has - the following permissions in Azure Blob Storage, so that Vault can store and manage the snapshots: +- `azure_account_name` `(string)` - Azure account name. The associated Azure + account must have the following permissions in Azure Blob Storage so that + Vault can store and manage the snapshots: - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read` - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write` - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete` From 90a7c1c15ea0a4af66c8e226376db8def778c683 Mon Sep 17 00:00:00 2001 From: Mia Epner Date: Wed, 22 Oct 2025 10:38:56 +0200 Subject: [PATCH 3/3] fix typos --- .../content/api-docs/system/storage/raftautosnapshots.mdx | 2 +- .../content/api-docs/system/storage/raftautosnapshots.mdx | 2 +- .../content/api-docs/system/storage/raftautosnapshots.mdx | 8 ++++---- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/content/vault/v1.16.x/content/api-docs/system/storage/raftautosnapshots.mdx b/content/vault/v1.16.x/content/api-docs/system/storage/raftautosnapshots.mdx index 041a9eaa2..8c6062cf6 100644 --- a/content/vault/v1.16.x/content/api-docs/system/storage/raftautosnapshots.mdx +++ b/content/vault/v1.16.x/content/api-docs/system/storage/raftautosnapshots.mdx 
@@ -107,7 +107,7 @@ environment variables or files on disk in predefined locations. - `google_gcs_bucket` `(string: )` GCS bucket to write snapshots to. - `google_service_account_key` `(string)` - Google service account key in JSON format. Depending - on how the API is invoked, this may be need to be JSON-escaped, e.g. for newlines and double quotes. + on how the API is invoked, this may need to be JSON-escaped, e.g. for newlines and double quotes. The raw value looks like this: ```json { diff --git a/content/vault/v1.20.x/content/api-docs/system/storage/raftautosnapshots.mdx b/content/vault/v1.20.x/content/api-docs/system/storage/raftautosnapshots.mdx index acdd2d0ce..a0539647e 100644 --- a/content/vault/v1.20.x/content/api-docs/system/storage/raftautosnapshots.mdx +++ b/content/vault/v1.20.x/content/api-docs/system/storage/raftautosnapshots.mdx @@ -81,7 +81,7 @@ parameters in the context of AWS EKS & S3 configuration. - `aws_s3_region` `(string: )` - AWS region bucket is in. -- `aws_access_key_id` `(string)` - AWS access key ID. The assocaited AWS account +- `aws_access_key_id` `(string)` - AWS access key ID. The associated AWS account must have the following permissions in S3 so that Vault can store and manage the snapshots: - `s3:ListBucket` diff --git a/content/vault/v1.21.x (rc)/content/api-docs/system/storage/raftautosnapshots.mdx b/content/vault/v1.21.x (rc)/content/api-docs/system/storage/raftautosnapshots.mdx index dedf28b15..28760bbcd 100644 --- a/content/vault/v1.21.x (rc)/content/api-docs/system/storage/raftautosnapshots.mdx +++ b/content/vault/v1.21.x (rc)/content/api-docs/system/storage/raftautosnapshots.mdx 
@@ -95,14 +95,14 @@ parameters in the context of AWS EKS & S3 configuration. - `aws_s3_region` `(string: )` - AWS region bucket is in. -- `aws_access_key_id` `(string)` - AWS access key ID. The assocaited AWS account +- `aws_access_key_id` `(string)` - AWS access key ID. The associated AWS account must have the following permissions in S3 so that Vault can store and manage the snapshots: - `s3:ListBucket` - `s3:PutObject` - `s3:DeleteObject` - If you want to use the configration to enable snapshot autoloading or to + If you want to use the configuration to enable snapshot autoloading or to manually load a snapshot, the account also needs: - `s3:GetObject` @@ -134,7 +134,7 @@ parameters in the context of AWS EKS & S3 configuration. - `google_gcs_bucket` `(string: )` GCS bucket to write snapshots to. - `google_service_account_key` `(string)` - Google service account key in JSON format. Depending - on how the API is invoked, this may be need to be JSON-escaped, e.g. for newlines and double quotes. + on how the API is invoked, this may need to be JSON-escaped, e.g. for newlines and double quotes. The raw value looks like this: ```json { @@ -157,7 +157,7 @@ parameters in the context of AWS EKS & S3 configuration. - `storage.objects.list` - `storage.objects.delete` - If you want to use the configration to enable snapshot autoloading or to + If you want to use the configuration to enable snapshot autoloading or to manually load a snapshot, the account also needs: - `storage.objects.get`
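Review bot: In the S3 hunk of PATCH 1 (v1.16.x `@@ -71,7 +71,11 @@`, and the matching hunks in the other three files) the `s3:ListBucket`/`s3:PutObject`/`s3:DeleteObject` requirement hangs off `aws_access_key_id`, but the hunk's own context line ("environment variables or files on disk in predefined locations") says Vault can pick up AWS credentials from elsewhere, so a reader using instance or environment credentials who never sets `aws_access_key_id` will not see the requirement. Suggest stating it once above the parameter list, e.g. "Whichever AWS credentials Vault uses must allow `s3:ListBucket` on the snapshot bucket and `s3:PutObject` and `s3:DeleteObject` on its objects", and keeping the per-parameter entry as a pointer to that paragraph. It would also help least-privilege readers to say explicitly that the policy should be scoped to the snapshot bucket rather than granted on all buckets, since the current text only names the actions.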
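Review bot: The KMS hunk of PATCH 2 for v1.19.x (`@@ -101,7 +102,8 @@`) says "the associated account must have" while the v1.16.x, v1.20.x and v1.21.x hunks say "the associated AWS account must have"; the wording should match across the four files. The list of `kms:Decrypt` and `kms:GenerateDataKey` also does not say which key the permissions must cover; suggest "on the KMS key used for the bucket", otherwise readers may grant them account-wide.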
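Review bot: In the GCS hunks of PATCH 1 for v1.19.x (`@@ -108,23 +114,27 @@`) and v1.20.x (`@@ -108,23 +116,30 @@`) the two continuation lines of the `google_service_account_key` entry ("on how the API is invoked ..." and "The raw value looks like this:") lose their two-space indent and move to column 0, while the ```json block that follows is indented under the bullet. In the v1.16.x and v1.21.x hunks the continuation keeps its indent. An unindented line between the bullet and the indented fence can end the list item in MDX, so the fence and the new `storage.objects.*` list may no longer render as part of the `google_service_account_key` entry. Suggest keeping the indent as in the v1.16.x hunk; PATCH 2 rewords these lines in v1.19.x and v1.20.x but still leaves them at column 0.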
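Review bot: The reworded sentence in PATCH 2 for v1.19.x (`@@ -114,8 +116,9 @@`) and v1.20.x (`@@ -116,8 +119,9 @@`), "For example, to include data with newlines and double quotes the raw value would look like:", reads as if the JSON block beneath it were the escaped form; the block is the raw, unescaped key, which is what the v1.16.x and v1.21.x files still say ("The raw value looks like this:"). Suggest one wording for all four files along the lines of "Depending on how you invoke the API, you may need to JSON-escape the key (for example its newlines and double quotes). The raw value looks like:".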
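Review bot: "must have following permissions in" in the GCS hunks of PATCH 2 for v1.20.x (`@@ -133,12 +137,13 @@`) and v1.21.x (`@@ -147,12 +151,14 @@`) is missing "the"; PATCH 3 fixes "assocaited" and "configration" but leaves this one. In the same v1.20.x hunk the load sentence was changed from "the service account also needs" to "the account also needs"; under a Google entry "service account" was the clearer term and matches the sentence just above it ("The associated Google service account must have ...").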
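Review bot: The Azure hunks (PATCH 1 v1.16.x `@@ -128,7 +138,11 @@` and the matching hunks in the other files) attach `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read|write|delete` to `azure_account_name`, but these are Azure RBAC data actions, which only govern access when Vault authenticates as an identity; the hunks for v1.19.x and later show `azure_auth_mode` with `managed` and `environment` modes, and the `shared` mode uses `azure_account_key`, where the storage account key itself authorises every blob operation and RBAC assignments are not consulted. Suggest stating the requirement under `azure_auth_mode` as applying to the identity used in `managed` or `environment` mode, and noting that with `azure_account_key` the key grants the needed access on its own, so the reader does not look for RBAC assignments that have no effect in that mode.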