Purpose:
This is a short guide to setting up Vault automated snapshots to a GCP bucket when using Raft / Integrated Storage. A development Service Account (SA) is used to complete this tutorial.
Steps:
1. Create a GCP bucket to store Vault snapshots.
2. Get the service account (SA) to be used to authenticate Vault with GCP.
Note: Using an SA poses a security threat, as the keys have to be stored locally. It is recommended to use Workload Identity Federation.
3. Once the keys are downloaded, configure automated snapshots on Vault using google_service_account_key:
vault write sys/storage/raft/snapshot-auto/config/hourly interval="1h" retain=1 path_prefix="snapshots/" storage_type=google-gcs google_gcs_bucket="vault-snapshot-torpedo" google_service_account_key="@/Users/siddarthsurana/Downloads/hc-e92bcd7c1ae143cb8b5da5ec2aa-f711818d9053.json"
4. You should see a snapshot being successfully triggered:
2022-03-25T19:22:13.956+0530 [INFO] storage.raft: starting snapshot up to: index=183
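The note in step 2 concerns the key file sitting on local disk. As an added example (not part of the original guide and not HashiCorp's code), the script below wraps the step 3 command in a preflight that refuses a key file readable by group or others, or one that is not a service account key. The function names check_sa_key and configure_hourly_snapshots are hypothetical, and the sample key is constructed.

```shell
#!/bin/sh
# Added example: preflight for the service account key file before it is
# handed to Vault. Function names are hypothetical, not part of Vault.

# Succeeds only if the file is a service account key with no group/other access.
check_sa_key() {
    key="$1"
    [ -f "$key" ] || { echo "not a regular file: $key" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key") || return 1
    case "$mode" in
        *00) ;;  # no group or other permission bits set
        *) echo "key mode $mode is too open; run: chmod 600 $key" >&2; return 1 ;;
    esac
    grep -Eq '"type"[[:space:]]*:[[:space:]]*"service_account"' "$key" || {
        echo "not a service account key: $key" >&2; return 1; }
}

# Runs the guide's snapshot configuration only when the key passes the check.
configure_hourly_snapshots() {
    key="$1"; bucket="$2"
    check_sa_key "$key" || return 1
    vault write sys/storage/raft/snapshot-auto/config/hourly \
        interval="1h" retain=1 path_prefix="snapshots/" \
        storage_type=google-gcs google_gcs_bucket="$bucket" \
        google_service_account_key="@$key"
}

# Constructed sample key (no real credentials) to show the check at both modes.
demo=$(mktemp)
printf '{"type": "service_account", "client_email": "constructed@example.invalid"}\n' > "$demo"
chmod 644 "$demo"; check_sa_key "$demo" 2>/dev/null || echo "rejected at mode 644"
chmod 600 "$demo"; check_sa_key "$demo" && echo "accepted at mode 600"
rm -f "$demo"
```

To apply it, call configure_hourly_snapshots with the key path and the bucket name from step 3. The @ prefix makes the Vault CLI send the file's contents as the parameter value.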