S3 Vault Snapshots IAM policy

setup_snapshots.sh

#!/bin/bash

export S3_ACCESS_KEY="REDACTED"
export S3_SECRET_KEY="READCTED"
export S3_BUCKET="vault-snapshots"
export S3_ENDPOINT="https://s3.eu-west-1.wasabisys.com"
export S3_REGION="eu-west-1"

vault write sys/storage/raft/snapshot-auto/config/daily \
  interval="24h" \
  retain=30 \
  storage_type="aws-s3" \
  aws_s3_bucket=$S3_BUCKET  \
  aws_s3_region=$S3_REGION \
  aws_access_key_id=$S3_ACCESS_KEY \
  aws_secret_access_key=$S3_SECRET_KEY \
  aws_s3_endpoint=$S3_ENDPOINT
  
  

vault-snapshots-iam-policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:ListBucket",
        "s3:ListBucketVersions"
      ],
      "Resource": [
        "arn:aws:s3:::$S3_BUCKET",
        "arn:aws:s3:::$S3_BUCKET/*"
      ]
    }
  ]
}

Tested with Wasabi S3