hashicorp · miagilepner · Sep 2, 2025 · Sep 1, 2025
@@ -58,6 +58,20 @@ environment variables or files on disk in predefined locations.
   or "google-gcs". The remaining parameters described below are all specific to
   the selected `storage_type` and prefixed accordingly.
 
+- `autoload_enabled` `(bool: false)` - Have Vault automatically load the latest snapshot
+  after it is written. This will replace the previously loaded snapshot.
+  Note that this does not mean the snapshot is automatically applied to the
+  cluster, it is just loaded and available for recovery operations. Not allowed 
+  for `storage_type=local`. Can only be enabled for one configuration at a time.
+
+<Note>
+
+If you set `autoload_enabled=true` for a configuration and that configuration's 
+`interval` is less than 1 hour, Vault will only load a new snapshot at most once
+per hour.    
+
+</Note>
+
 #### storage_type=local
 
 - `local_max_space` `(integer: <required>)` - For `storage_type=local`, the maximum
@@ -284,6 +298,43 @@ $ curl \
 }
 ```
 
+### Sample response with autoloading enabled 
+
+```json
+{
+  "data": {
+    "last_snapshot_end": "2025-08-29T17:41:55+02:00",
+    "last_snapshot_error": "",
+    "last_snapshot_start": "2025-08-29T17:41:54+02:00",
+    "last_snapshot_url": "https://example.com/snapshots/vault-snapshot-1603898241699731000.snap",
+    "loaded_snapshot_expires_at": "2025-09-01T17:41:55+02:00",
+    "loaded_snapshot_id": "42596c4c-6f4b-c476-8eb0-90546cdda7f3",
+    "loaded_snapshot_status": "ready",
+    "next_snapshot_start": "2025-08-29T17:46:55+02:00", 
+    "snapshot_start": "2025-08-29T17:41:55+02:00",
+    "snapshot_url": "https://example.com/snapshots/vault-snapshot-1603898241699731000.snap"
+  }
+}
+```
+
+### Sample response with an autoloading failure
+
+```json
+{
+  "data": {
+    "last_snapshot_end": "2025-08-29T17:41:55+02:00",
+    "last_snapshot_error": "",
+    "last_snapshot_start": "2025-08-29T17:41:54+02:00",
+    "last_snapshot_url": "https://example.com/snapshots/vault-snapshot-1603898241699731000.snap",
+    "loading_error": "error loading snapshot: a snapshot is loaded already",
+    "next_snapshot_start": "2025-08-29T17:46:55+02:00", 
+    "snapshot_start": "2025-08-29T17:41:55+02:00",
+    "snapshot_url": "https://example.com/snapshots/vault-snapshot-1603898241699731000.snap"
+  }
+}
+```
+
+
 ## Load a snapshot from an automated snapshot configuration
 
 Load a new snapshot into the Vault cluster without overwriting the cluster with

@@ -43,6 +43,7 @@ $ curl \
 {
   "data": {
     "cluster_id": "2ec84695-cfe5-44f3-b351-3f08a9ccc0c8",
+    "created_at": "2025-05-22T15:07:58.187769+01:00",
     "expires_at": "2025-05-25T15:07:58.187769+01:00",
     "snapshot_id": "2403d301-94f2-46a1-a39d-02be83e2831a",
     "status": "loading"
@@ -101,24 +102,26 @@ For a snapshot loaded as a binary file:
 {
   "data": {
     "cluster_id": "2ec84695-cfe5-44f3-b351-3f08a9ccc0c8",
+    "created_at": "2025-05-22T15:07:58.187769+01:00",
     "expires_at": "2025-05-25T15:07:58.187769+01:00",
     "snapshot_id": "2403d301-94f2-46a1-a39d-02be83e2831a",
     "status": "ready"
   }
 }
 ```
 
-For a snapshot loaded from a an Automated Snapshot configuration:
+For a snapshot loaded from an Automated Snapshot configuration:
 
 ```json
 {
   "data": {
     "auto_config_name": "config1",
     "cluster_id": "2ec84695-cfe5-44f3-b351-3f08a9ccc0c8",
+    "created_at": "2025-05-22T15:07:58.187769+01:00",
     "expires_at": "2025-05-25T15:07:58.187769+01:00",
     "snapshot_id": "2403d301-94f2-46a1-a39d-02be83e2831a",
-    "url": "https://example.com/raft.snap",
-    "status": "ready"
+    "status": "ready",
+    "url": "https://example.com/raft.snap"
   }
 }
 ```
@@ -131,11 +134,16 @@ Unloads a currently loaded snapshot from the cluster.
 | :------- | :--------------------------------------------- |
 | `DELETE` | `/sys/storage/raft/snapshot-load/:snapshot_id` |
 
+### Query parameters
+
+- `force` (boolean: false) - If set to `true`, forces the unload of a snapshot
+  even if it is in use by an ongoing recovery operation or is still loading.
+
 ### Sample request
 
 ```shell-session
 $ curl \
     --header "X-Vault-Token: ..." \
     --request DELETE \
     http://127.0.0.1:8200/v1/sys/storage/raft/snapshot-load/2403d301-94f2-46a1-a39d-02be83e2831a
-```
+```
@@ -173,3 +173,102 @@ $ curl                                       \
 </Tab>
 
 </Tabs>
+
+## Step 3 (Optional): Enable autoloading
+
+You can configure Vault to automatically load the latest snapshot after 
+it is written. This is useful if you want to quickly be able to [recover individual
+secrets](/vault/docs/sysadmin/recover-a-secret) from a snapshot without having to 
+manually load the snapshot.
+
+Only one automated snapshot configuration can have autoloading enabled at a time.
+Automated snapshot configurations with their storage type set to `local` cannot 
+have autoloading enabled.
+
+If the interval for the automated snapshot configuration is set to less than 1 hour,
+Vault will only autoload snapshots every hour. This is to prevent excessive load on the cluster.
+
+To enable autoloading, set the `autoload_enabled` parameter to `true` when creating or updating
+the automated snapshot configuration. For example, we can update the previous AWS S3 example to enable
+autoloading:
+
+```json
+{
+  "storage_type": "aws-s3",
+  "file_prefix": "paris",
+  "interval": "8h",
+  "retain": 30,
+  "autoload_enabled": true,
+  "local_max_space": 2621440000,
+  "path_prefix": "primary",
+  "aws_s3_bucket": "vault-snapshots",
+  "aws_s3_region": "eu-west-3",
+  "aws_access_key_id": "ASI...COFFEE",
+  "aws_secret_access_key": "wJalr...COFFEEKEY",
+  "aws_session_token": "IQoJb3JpZ2luX2IQ...COFFEE",
+  "aws_s3_server_side_encryption": "true"
+}
+```
+
+and update the configuration in our Vault cluster:
+
+<Tabs>
+
+<Tab heading="CLI" group="cli">
+
+Run `vault write` with the
+[`/sys/storage/raft/snapshot-auto`](/vault/api-docs/system/storage/raftautosnapshots#create-update-an-automated-snapshots-config)
+path and your snapshot configuration to update an automated snapshot configuration:
+
+```shell-session
+$ vault write                                                   \
+    sys/storage/raft/snapshot-auto/config/<configuration_name>  \
+    @<configuration_file>
+```
+
+To update the previous AWS S3 example to enable autoloading:
+<CodeBlockConfig hideClipboard>
+
+```shell-session
+$ vault write                                           \
+    sys/storage/raft/snapshot-auto/config/paris-primary \
+    @aws-snapshot.json
+```
+
+</CodeBlockConfig>
+
+</Tab>
+
+<Tab heading="API" group="api">
+
+Call the
+[`/sys/storage/raft/snapshot-auto`](/vault/api-docs/system/storage/raftautosnapshots#create-update-an-automated-snapshots-config)
+endpoint with your configuration file to update an automated snapshot configuration:
+
+```shell-session
+$ curl                                          \
+    --request POST                              \
+    --header "X-Vault-Token: ${VAULT_TOKEN}"    \
+    --data @<configuration_file>                \
+    ${VAULT_ADDR}/v1/sys/storage/raft/snapshot-auto/config/<configuration_name>
+```
+
+
+To update the previous AWS S3 example to enable autoloading:
+
+<CodeBlockConfig hideClipboard>
+
+```shell-session
+$ curl                                       \
+    --request POST                           \
+    --header "X-Vault-Token: ${VAULT_TOKEN}" \
+    --data @aws-snapshot.json                \
+    ${VAULT_ADDR}/v1/sys/storage/raft/snapshot-auto/config/paris-primary
+```
+
+</CodeBlockConfig>
+
+</Tab>
+
+</Tabs>
+
@@ -94,7 +94,29 @@ Status key | Description
 `ready`    | Loading completed successfully. You can read data from the snapshot.
 `error`    | Loading failed. Refer to the logs and error details for troubleshooting.
 
+### Use an autoloaded snapshot 
 
+If you configured automated snapshots with [autoloading enabled](/vault/docs/sysadmin/snapshots/automate#step-3-optional-enable-autoloading),
+Vault Enterprise will automatically load a snapshot when the cluster starts and keep
+updating the loaded snapshot as new automated snapshots are created.
+
+You can check for a loaded snapshot by listing the loaded snapshots:
+
+<Tabs>
+
+<Tab heading="CLI" group="cli">
+
+@include 'sysadmin/snapshots/list-snapshots/cli.mdx'
+
+</Tab>
+
+<Tab heading="API" group="api">
+
+@include 'sysadmin/snapshots/list-snapshots/api.mdx'
+
+</Tab>
+
+</Tabs>
 
 ## Step 2: Recover the secret
 

@@ -90,8 +90,29 @@ Status key | Description
 `error`    | Loading failed. Refer to the logs and `error` field for details.
 
 
+### Use an autoloaded snapshot
 
+If you configured automated snapshots with [autoloading enabled](/vault/docs/sysadmin/snapshots/automate#step-3-optional-enable-autoloading),
+Vault Enterprise will automatically load a snapshot when the cluster starts and keep 
+updating the loaded snapshot as new automated snapshots are created.
 
+You can check for a loaded snapshot by listing the loaded snapshots: 
+
+<Tabs>
+
+<Tab heading="CLI" group="cli">
+
+@include 'sysadmin/snapshots/list-snapshots/cli.mdx'
+
+</Tab>
+
+<Tab heading="API" group="api">
+
+@include 'sysadmin/snapshots/list-snapshots/api.mdx'
+
+</Tab>
+
+</Tabs>
 
 ## Step 2: Recover the secret
 

@@ -0,0 +1,30 @@
+You can check to see if there is a snapshot currently loaded by querying 
+the `/sys/storage/raft/snapshot-load` endpoint:
+
+```shell-session
+$ curl                                       \
+   --request LIST                            \
+   --header "X-Vault-Token: ${VAULT_TOKEN}"  \
+    ${VAULT_ADDR}/v1/sys/storage/raft/snapshot-load
+```
+
+For example:
+
+<CodeBlockConfig hideClipboard highlight="13">
+
+```shell-session
+$ curl                                       \
+   --request LIST                            \
+   --header "X-Vault-Token: ${VAULT_TOKEN}"  \
+    ${VAULT_ADDR}/v1/sys/storage/raft/snapshot-load
+
+{
+  "data": {
+    "keys": [
+      "9465df92-8236-4af9-8cc8-b7460d882e41"
+    ] 
+  }
+}
+```
+
+</CodeBlockConfig>
@@ -0,0 +1,20 @@
+You can check to see if there is a snapshot currently loaded by using `vault list` 
+and the `/sys/storage/raft/snapshot-load` endpoint:
+
+```shell-session
+$ vault list /sys/storage/raft/snapshot-load
+```
+
+For example:
+
+<CodeBlockConfig hideClipboard highlight="10">
+
+```shell-session
+$ vault list /sys/storage/raft/snapshot-load
+
+Keys
+---- 
+9465df92-8236-4af9-8cc8-b7460d882e41
+```
+
+</CodeBlockConfig>