This is a brief article detailing the steps needed to set up Vault Auto-Snapshots to an AWS S3 Bucket when Raft / Integrated Storage is used.
Steps:
- Create an AWS S3 bucket to store Vault snapshots.
- Create a KMS key to encrypt the Bucket contents.
- Create an IAM role for the Vault instance that grants the required access to KMS and S3. A policy like the example below is needed for the IAM role. Note that the KMS statement in this example uses "Resource": "*"; a tighter policy scopes it to the ARN of the key created in the previous step.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::mybucket1993till/*.snap"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucketVersions",
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::mybucket1993till"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::mybucket1993till",
        "arn:aws:s3:::mybucket1993till/*"
      ]
    },
    {
      "Sid": "VisualEditor3",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:DescribeKey",
        "kms:GenerateDataKey"
      ],
      "Resource": "*"
    }
  ]
}
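As an added example (not from the article and not HashiCorp or AWS tooling), the following Python builds the instance-role policy from a bucket name and a KMS key ARN, scoping the KMS statement to that one key instead of "*", and lints any policy document for Allow statements whose Resource is a wildcard. The bucket name is the article's; the KMS key ARN, the account number in it, the function names and the Sids are constructed placeholders.

```python
import json

# Constructed sample values (not from the article): the bucket name is the
# article's, the KMS key ARN is a placeholder built from the article's key ID
# and the standard AWS example account number.
SAMPLE_BUCKET = "mybucket1993till"
SAMPLE_KMS_KEY_ARN = (
    "arn:aws:kms:us-east-2:123456789012:key/"
    "mrk-b26872139b14462c8fb7927df4ea1209"
)


def build_snapshot_policy(bucket: str, kms_key_arn: str) -> dict:
    """Return the IAM policy the Vault instance role needs for auto-snapshots.

    Mirrors the article's four statements, but scopes the KMS statement to the
    single key ARN instead of Resource "*" (hypothetical hardening; Sids are
    made up).
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "WriteSnapshots",
                "Effect": "Allow",
                "Action": ["s3:PutObject", "s3:DeleteObject"],
                "Resource": f"{bucket_arn}/*.snap",
            },
            {
                "Sid": "ListBucket",
                "Effect": "Allow",
                "Action": ["s3:ListBucket", "s3:ListBucketVersions"],
                "Resource": bucket_arn,
            },
            {
                "Sid": "ReadSnapshots",
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": f"{bucket_arn}/*",
            },
            {
                "Sid": "UseSnapshotKey",
                "Effect": "Allow",
                "Action": [
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:DescribeKey",
                    "kms:GenerateDataKey",
                ],
                "Resource": kms_key_arn,
            },
        ],
    }


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_wildcard_resources(policy) -> list:
    """Return the Sids (or Statement[index] when unnamed) of Allow statements
    whose Resource contains "*".

    Accepts a dict or the JSON text, so it can be run over a policy document
    copied from the console before it is attached to the instance role.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    flagged = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny on "*" is not an over-grant
        if "*" in _as_list(stmt.get("Resource", [])):
            flagged.append(stmt.get("Sid", f"Statement[{idx}]"))
    return flagged


def policy_json(bucket: str, kms_key_arn: str) -> str:
    """Render the policy as the JSON text pasted into the IAM console."""
    return json.dumps(build_snapshot_policy(bucket, kms_key_arn), indent=2)


if __name__ == "__main__":
    print(policy_json(SAMPLE_BUCKET, SAMPLE_KMS_KEY_ARN))
    # The article's VisualEditor3 statement would be flagged by the linter:
    print(find_wildcard_resources(
        {"Statement": [{"Sid": "VisualEditor3", "Effect": "Allow",
                        "Action": ["kms:Decrypt"], "Resource": "*"}]}))
```

Run the linter over the policy before attaching it to the role; an empty list means every Allow statement names a concrete bucket, object prefix or key ARN.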
- Deploy Vault on EC2 instances, initialize and unseal it, and ensure that there is an active node (the Vault leader).
- Attach the IAM role to the EC2 instance.
- Run the CLI commands below, addressed directly to the leader or run on the EC2 instance itself:
AREGION=... # set AWS region, e.g. 'us-east-2'
AKMS_ID=... # set AWS KMS key ID, e.g. 'mrk-b26872139b14462c8fb7927df4ea1209'
ABUCKET=... # set AWS bucket, e.g. 'mybucket1993till'
APREFIX=... # set AWS path_prefix, e.g. 'vault/backups'
# Set the values of interval and retain as per your needs.
vault write sys/storage/raft/snapshot-auto/config/hourly interval=1h retain=96 storage_type=aws-s3 aws_s3_enable_kms=true path_prefix=${APREFIX} aws_s3_bucket=${ABUCKET} aws_s3_region=${AREGION} aws_s3_kms_key=${AKMS_ID}
Note: the parameter path_prefix is the directory in the AWS S3 bucket to which snapshots are written. If it is not specified, snapshots are saved to the root of the bucket itself. Set this value if a folder hierarchy is desired inside the bucket.
- Run the command below to see the auto-snapshot config stored on Vault:
vault read sys/storage/raft/snapshot-auto/config/hourly
- The following log entry appears after you write the snapshot-auto config to Vault:
[TRACE] core.snapshotmgr.hourly: starting snapshot runner: name=hourly
- The following snippet shows the snapshots stored in S3: