---
title: "HashiCorp Vault With Wasabi"
slug: "hashicorp-vault-with-wasabi"
updated: 2026-05-29T23:49:07Z
published: 2026-05-29T23:49:07Z
---

# HashiCorp Vault With Wasabi

[HashiCorp Vault](https://www.hashicorp.com/en/products/vault) provides access and secrets management for sensitive data in on-prem, cloud, and hybrid environments. Because Wasabi exposes AWS-compatible IAM and STS endpoints, the HashiCorp Vault AWS secrets engine can be used with Wasabi to generate on-demand, short-lived credentials for accessing your Wasabi data.

Vault backup snapshots may also be stored in Wasabi.

This document outlines the procedure for setting up Vault for use with Wasabi.

### Prerequisites

- Active [Wasabi Cloud Storage Account](https://wasabi.com/sign-up).
- Access to the [Wasabi Console](https://console.wasabisys.com) as the account root user.
- HashiCorp Vault installed and configured. This solution was tested with Vault version 1.21.1 running on macOS version 26.2.
- Access to the Vault GUI console and CLI.

## How to Use the Vault AWS Secrets Engine with Wasabi

This section details how to generate temporary credentials for use with Wasabi. See the [How to Store Vault Backup Snapshots in Wasabi](/v1/docs/draft-hashicorp-vault-with-wasabi#how-to-store-vault-backup-snapshots-in-wasabi) section below for details about snapshot storage.

### Initial Wasabi Console Configuration

1. Log in to the [Wasabi Console](https://console.wasabisys.com) as the account root user.
2. Create a policy for the “vault” user (created in step 4 below) using the following policy document. See [Creating and Deleting a Policy](https://docs.wasabi.com/docs/creating-a-policy) for instructions on how to create a policy. We named the policy “VaultPolicy” in our example. Change YOUR_ACCOUNT_ID to your own account ID, which can be found under Settings in the Wasabi Console. The Resource is scoped to users whose names begin with `vault-`, which is the prefix Vault gives to the IAM users it creates, so the “vault” user cannot manage any other user in the account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachUserPolicy",
        "iam:CreateAccessKey",
        "iam:CreateUser",
        "iam:DeleteAccessKey",
        "iam:DeleteUser",
        "iam:DeleteUserPolicy",
        "iam:DetachUserPolicy",
        "iam:GetUser",
        "iam:ListAccessKeys",
        "iam:ListAttachedUserPolicies",
        "iam:ListGroupsForUser",
        "iam:ListUserPolicies",
        "iam:PutUserPolicy",
        "iam:AddUserToGroup",
        "iam:RemoveUserFromGroup"
      ],
      "Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:user/vault-*"
    }
  ]
}
```
3. After the policy is created, copy and save the policy’s ARN by clicking on the copy button and pasting it into a file. ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/Screenshot_2026-01-09_at_11_20_16 AM.png)
4. Create a “vault” user and attach the previously created policy to it. See [Creating a User](https://docs.wasabi.com/docs/creating-a-user-account-and-access-key#creating-a-user) for details.
  - Allow programmatic-only access, not console access.
  - Do not require Multi-Factor Authentication (MFA).
  - It is not necessary to assign the user to a group.
  - Save the access and secret keys in a secure location.

### Initial Vault Configuration

1. Log in to your HashiCorp Vault console. On a standalone local or developer system, this will be located at [http://127.0.0.1:8200](http://127.0.0.1:8200) or [https://127.0.0.1:8200](https://127.0.0.1:8200), depending on whether TLS is enabled on your local listener.
2. Click **Secrets Engines**, then click **+ Enable new engine**.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/Screenshot_2026-01-09_at_10_18_52 AM.png)
3. Click **AWS**. ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/Screenshot_2026-01-09_at_10_25_03 AM.png)
4. Give the secrets engine a name under Path (“wasabi” in our example). Click **Method Options**. ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/Screenshot_2026-01-09_at_10_29_03 AM.png)
5. Enable and set both the **Default Lease TTL** and **Max Lease TTL** per your organization's policies. In our example we set them to 12 hours and 1 day, respectively. Click **Hide Method Options**. ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/Screenshot_2026-01-09_at_10_28_31 AM.png)
6. Click **Enable engine**. ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/Screenshot_2026-01-09_at_10_29_03 AM-2.png)
7. Click **Configuration**. ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/Screenshot_2026-01-09_at_10_58_33 AM.png)
8. Click **Configure AWS**. ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/Screenshot_2026-01-09_at_10_58_48 AM.png)
9. Enter the Access key and Secret key for the previously created “vault” user. Click **Root config options** to expand it. ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/Screenshot_2026-01-09_at_11_00_46 AM.png)
10. Enter the following information, then click **Hide Root config options**.
  - Region: us-east-1
  - IAM endpoint: iam.wasabisys.com
  - STS endpoint: sts.wasabisys.com ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/Screenshot_2026-01-09_at_11_02_49 AM(1).png)
11. Click **Save**. ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/Screenshot_2026-01-09_at_11_03_10 AM(1).png)
12. Proceed to one of the following sections depending on what you wish to do.
  - [Temporarily assume a role](/v1/docs/draft-hashicorp-vault-aws-secrets-engine-with-wasabi#temporarily-assume-a-role)
  - [Create a temporary IAM user and credentials.](/v1/docs/draft-hashicorp-vault-aws-secrets-engine-with-wasabi#create-a-temporary-user)

### Temporarily Assume a Role

In this section, Vault temporarily assumes a Wasabi IAM role that has a policy attached to it and returns the resulting STS credentials.

1. Log in to the [Wasabi Console](https://console.wasabisys.com).
2. Create a policy for the role. In this example the policy lets the role list all the buckets in the account and read the contents of the “mt-logging-bucket-ol” bucket; we named it “LoggingReadOnlyAccessPolicy”. See [Creating and Deleting a Policy](https://docs.wasabi.com/docs/creating-a-policy) for details. Instead of creating your own policy, you may also use one of the preexisting Wasabi policies.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": [
        "arn:aws:s3:::mt-logging-bucket-ol",
        "arn:aws:s3:::mt-logging-bucket-ol/*"
      ]
    }
  ]
}
```
3. Click **Roles**, then click **Create Role**. ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/Screenshot_2026-01-09_at_12_35_42 PM.png)
4. Give the role a name and leave the default trust document. Click **Save**. ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/Screenshot 2026-01-09 at 12.36.33 PM.png)
5. Assign the appropriate policy or policies by clicking them from the drop-down list. We are selecting the “LoggingReadOnlyAccessPolicy” created above. You may also use one or more of the preexisting Wasabi policies. ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/Screenshot_2026-01-09_at_12_37_37 PM.png)
6. You will see the assigned policies on the right. ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/Screenshot 2026-01-09 at 12.37.54 PM.png)
7. Click **Roles** and copy the ARN for the role you just created. Save this ARN for later. ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/Screenshot_2026-01-09_at_12_58_06 PM(1).png)
8. Log in to your Vault console.
9. Click **Secrets Engines** then click the previously created Wasabi engine path. ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/Screenshot_2026-01-09_at_1_03_58 PM.png)
10. Click **Roles**, then **Create role +**. ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/Screenshot_2026-01-09_at_11_18_25 AM.png)
11. Enter a name for the role, select “Assumed Role” for the Credential type, and paste the previously copied Role ARN from the Wasabi console. Click **Create role**. ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/Screenshot_2026-01-09_at_1_08_37 PM(2).png)
12. To test the credential creation, click **Generate credentials**. ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/Screenshot_2026-01-09_at_1_14_25 PM.png)
13. Select “Assumed Role” from the Credential type drop-down menu. Click **Generate**. ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/Screenshot_2026-01-09_at_1_14_47 PM.png)
14. Click **Copy credentials**. Paste these into a secure file. ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/Screenshot_2026-01-09_at_1_15_07 PM.png)
15. To test permissions, you may use the AWS CLI. In our example, we added a profile with these temporary credentials to the ~/.aws/credentials file (the key values shown are the ones generated in our test and are no longer valid):

```plaintext
[vault-test]
aws_access_key_id = PNIRFKQNXDP44HA7J8WZ
aws_secret_access_key = 2znghU9aoloj0qGRAJVglRLOO1QwWAPfJCzq5rCl
aws_session_token = uef321-Xz19MFs0PaO85lINrPWAUoh76ZEvrIu_9hIovQl5ncnImmnRh...
```
16. We then used the following AWS CLI commands to test permissions. Use your bucket name and the appropriate endpoint-url for your bucket.

```bash
$ aws s3 ls --profile vault-test --endpoint-url=https://s3.us-east-1.wasabisys.com
$ aws s3 ls s3://YOUR_BUCKET_NAME --profile vault-test \
    --endpoint-url=https://s3.us-east-1.wasabisys.com
$ touch test.txt
$ aws s3 cp test.txt s3://YOUR_BUCKET_NAME/test.txt --profile vault-test \
    --endpoint-url=https://s3.us-east-1.wasabisys.com
```

The first two AWS CLI commands succeeded because the policy grants list and read permissions. The last command failed with a 403 Access Denied, as expected, because the policy does not grant write permissions to the bucket.

### Create a Temporary IAM User and Credentials

1. Repeat steps 1 and 2 in the [Temporarily Assume a Role](/v1/docs/draft-hashicorp-vault-aws-secrets-engine-with-wasabi#temporarily-assume-a-role) section above. Copy the Policy ARN from step 2.
2. Log in to your Vault console.
3. Click **Secrets Engines** then click the previously created Wasabi engine path. ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/Screenshot_2026-01-09_at_1_03_58 PM.png)
4. Click **Roles**, then **Create role +**. ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/Screenshot_2026-01-09_at_11_18_25 AM.png)
5. Enter a name for the role, select “IAM User” for the Credential type and paste the previously copied Policy ARN from the Wasabi console (the policy used in step 2 in the [Temporarily Assume a Role](/v1/docs/draft-hashicorp-vault-aws-secrets-engine-with-wasabi#temporarily-assume-a-role) section above). This is the policy that will give this IAM user permissions, such as getting a list of buckets, reading data from a bucket, etc. Click **Create role**. ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/Screenshot_2026-01-09_at_4_32_11 PM.png)
6. To test the credential creation, click **Generate credentials**. ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/Screenshot_2026-01-09_at_5_07_49 PM.png)
7. Select “IAM User” from the Credential type drop-down menu. Click **Generate**. ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/Screenshot_2026-01-09_at_5_08_03 PM.png)
8. Click **Copy credentials**. Paste these into a secure file. ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/Screenshot_2026-01-09_at_5_08_23 PM.png)
9. Repeat steps 15 and 16 of the previous [section](/v1/docs/draft-hashicorp-vault-aws-secrets-engine-with-wasabi#temporarily-assume-a-role), omitting the `aws_session_token` line from the credentials file, since IAM user credentials do not include a session token.
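The engine configuration and both role types can also be set up from the Vault CLI. The script below is an added example, not part of the Wasabi page or HashiCorp's documentation. It assumes the engine path “wasabi”, a Wasabi IAM role named “LoggingReadOnlyRole” (the page does not name the role), the placeholder account ID 123456789012, and that the “vault” user's keys are exported as WASABI_VAULT_ACCESS_KEY and WASABI_VAULT_SECRET_KEY. The IAM and STS endpoints are given as full URLs, the form used in HashiCorp's own `config/root` examples. The role names `logging-reader` and `logging-user` and the profile names are also assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the Wasabi page): CLI equivalent of the GUI steps above.
# Assumptions: engine path "wasabi", Wasabi role "LoggingReadOnlyRole", placeholder
# account ID 123456789012, and the "vault" user's keys exported in the environment.
set -eu

ENGINE_PATH="${ENGINE_PATH:-wasabi}"
WASABI_ACCOUNT_ID="${WASABI_ACCOUNT_ID:-123456789012}"   # placeholder, replace
AWS_CREDENTIALS_FILE="${AWS_CREDENTIALS_FILE:-${HOME:-.}/.aws/credentials}"

# Enable the AWS secrets engine at ENGINE_PATH with the TTLs used in the text.
enable_engine() {
  vault secrets enable -path="$ENGINE_PATH" \
    -default-lease-ttl=12h -max-lease-ttl=24h aws
}

# Point the engine at Wasabi's IAM and STS endpoints with the "vault" user's keys.
configure_root() {
  vault write "$ENGINE_PATH/config/root" \
    access_key="$WASABI_VAULT_ACCESS_KEY" \
    secret_key="$WASABI_VAULT_SECRET_KEY" \
    region=us-east-1 \
    iam_endpoint=https://iam.wasabisys.com \
    sts_endpoint=https://sts.wasabisys.com
}

# Vault role that returns STS credentials by assuming a Wasabi IAM role.
create_assumed_role() {   # name role_arn
  vault write "$ENGINE_PATH/roles/$1" credential_type=assumed_role role_arns="$2"
}

# Vault role that creates a short-lived vault-* IAM user with a managed policy attached.
create_iam_user_role() {  # name policy_arn
  vault write "$ENGINE_PATH/roles/$1" credential_type=iam_user policy_arns="$2"
}

# Append an AWS CLI profile; the session token line is omitted when empty (iam_user).
write_aws_profile() {     # profile_name file access_key secret_key [session_token]
  mkdir -p "$(dirname "$2")"
  {
    printf '[%s]\naws_access_key_id = %s\naws_secret_access_key = %s\n' "$1" "$3" "$4"
    if [ -n "${5:-}" ]; then printf 'aws_session_token = %s\n' "$5"; fi
    printf '\n'
  } >> "$2"
  chmod 600 "$2"
}

# Read ONE credential set and turn it into a profile. A single `vault read` matters:
# every read mints a new lease, so three reads with -field would give mismatched keys.
# Vault prints "key value" rows and shows a null token as "<nil>", which is dropped.
creds_to_profile() {      # vault_path profile_name file
  local out
  out=$(vault read "$1")
  write_aws_profile "$2" "$3" \
    "$(printf '%s\n' "$out" | awk '$1=="access_key"{print $2}')" \
    "$(printf '%s\n' "$out" | awk '$1=="secret_key"{print $2}')" \
    "$(printf '%s\n' "$out" | awk '$1=="security_token" && $2!="<nil>"{print $2}')"
}

main() {
  : "${WASABI_VAULT_ACCESS_KEY:?export the vault user's access key}"
  : "${WASABI_VAULT_SECRET_KEY:?export the vault user's secret key}"
  enable_engine
  configure_root
  create_assumed_role  logging-reader "arn:aws:iam::${WASABI_ACCOUNT_ID}:role/LoggingReadOnlyRole"
  create_iam_user_role logging-user   "arn:aws:iam::${WASABI_ACCOUNT_ID}:policy/LoggingReadOnlyAccessPolicy"
  # assumed_role credentials are read from sts/<role>, iam_user credentials from creds/<role>
  creds_to_profile "$ENGINE_PATH/sts/logging-reader" vault-test      "$AWS_CREDENTIALS_FILE"
  creds_to_profile "$ENGINE_PATH/creds/logging-user" vault-test-user "$AWS_CREDENTIALS_FILE"
}

# Run only when asked, so the functions can also be sourced and used individually.
if [ "${RUN_SETUP:-0}" = 1 ]; then main; fi
```

Run it with `RUN_SETUP=1 ./vault-wasabi-setup.sh`. The profiles it appends to the credentials file are used exactly like the hand-written `vault-test` profile in step 15 above, and the `vault-test-user` profile has no session token line because IAM user credentials carry none.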

## How to Store Vault Backup Snapshots in Wasabi

This section uses the HashiCorp Vault CLI to configure, back up, and restore snapshots.

> [!NOTE]
> Note that integrated storage (Raft) is required for snapshots.

### Creating Backup Snapshots

1. Log in to the [Wasabi Console](https://console.wasabisys.com) and create a Wasabi bucket for storing backup snapshots. See [Creating a Bucket](https://docs.wasabi.com/docs/working-with-buckets-and-objects#creating-a-bucket) for detailed instructions.
  - For increased security, make your snapshots immutable for a configurable period of time by enabling Versioning and Object Lock on your bucket.
  - If using Object Lock, set the bucket’s **Default Object Retention** using Compliance Mode and an appropriate Retention Time for objects in your bucket to be immutable. A good example Retention Time is 90 days. In Compliance Mode the retention period cannot be shortened and locked objects cannot be deleted by any user, including the root user, until it expires, so choose the period deliberately. See [Setting Object Lock for a Bucket](https://docs.wasabi.com/docs/object-locking-enable#setting-object-lock-for-a-bucket) for details.

> [!NOTE]
> Note that setting the Object Lock Retention Time does not mean older snapshots are automatically deleted. A bucket Lifecycle Policy must also be created (see next step).
2. Set up a bucket [Lifecycle](https://docs.wasabi.com/docs/lifecycle-1) Policy to delete older snapshots. Here is an example policy configured for a bucket with a 90-day Object Lock Retention Time. The example policy will:
  - Apply to all objects in the bucket.
  - Expire objects after 91 days, one day after the 90-day Object Lock retention has ended.
  - Delete the expired objects 1 day after that.
  - Delete incomplete multipart uploads, in case any snapshots were uploaded in multiple parts. ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/Screenshot 2026-01-12 at 3.56.51 PM.png)
3. Create a test snapshot using the Vault CLI and copy it to your Wasabi bucket using the [AWS CLI](https://docs.wasabi.com/docs/how-do-i-use-aws-cli-with-wasabi#how-do-i-use-aws-cli-with-wasabi). Use the proper name for your AWS CLI profile and the appropriate endpoint-url for your bucket. Replace YOUR_BUCKET_NAME with the name of your bucket.

> [!NOTE]
> This example discusses the use of Wasabi’s us-east-1 region. Use the region your bucket is located in. See [Service URLs for Wasabi's Storage Regions](https://docs.wasabi.com/docs/service-urls-for-wasabis-storage-regions) for details.

```bash
$ vault operator raft snapshot save snapshot.snap
$ aws s3 cp snapshot.snap s3://YOUR_BUCKET_NAME/snapshot.snap \
--profile wasabi --endpoint-url=https://s3.us-east-1.wasabisys.com
```

4. In the Wasabi Console, click **Buckets**, then click the name of your bucket. You will see the “snapshot.snap” backup. ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/Screenshot 2026-01-12 at 4.21.29 PM.png)
5. Create a script to automate the process. Here is an example. Replace “<your_snapshot_directory>”, “<your_vault_token>” and “<your_bucket>” with your values. Use the appropriate endpoint-url for the region your bucket is located in. Set the PATH variable to the value appropriate for your environment to cover the `aws`, `vault`, `find`, and `date` commands, if required.

```bash
#!/bin/bash
# Abort on any failing command or unset variable so cron sees a non-zero exit
set -euo pipefail

# Set environment variables (if not already set in the cron environment)
export VAULT_ADDR="http://127.0.0.1:8200" # Replace with your Vault address
# A token embedded in a script is a standing secret: keep this file mode 600
# (or read the token from a protected file) and use a least-privilege token.
export VAULT_TOKEN="<your_vault_token>"
# set PATH for aws, vault, find, and date commands if required
export PATH="/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin"
SNAPSHOT_DIR="<your_snapshot_directory>"
BUCKET="<your_bucket>"
ENDPOINT_URL="https://s3.us-east-1.wasabisys.com" # Use the endpoint for your bucket's region
TIMESTAMP=$(date +"%Y%m%d_%H%M%S")
SNAPSHOT_FILE="$SNAPSHOT_DIR/vault_snapshot_$TIMESTAMP.snap"

# Ensure the snapshot directory exists; files created below are readable only by this user
umask 077
mkdir -p "$SNAPSHOT_DIR"

# Save the Vault snapshot
echo "Saving Vault snapshot to $SNAPSHOT_FILE..."
if ! vault operator raft snapshot save "$SNAPSHOT_FILE"; then
    echo "Failed to save snapshot. Check permissions and connectivity." >&2
    exit 1
fi
echo "Snapshot saved successfully."

# Upload to Wasabi (requires AWS CLI to be configured); fail loudly rather than
# silently leaving a backup that only exists on the local disk
if ! aws s3 cp "$SNAPSHOT_FILE" "s3://$BUCKET/backups/vault/" \
        --profile wasabi --endpoint-url="$ENDPOINT_URL"; then
    echo "Failed to upload $SNAPSHOT_FILE to s3://$BUCKET/backups/vault/" >&2
    exit 1
fi
echo "Snapshot uploaded to s3://$BUCKET/backups/vault/"

# Optional: Prune old local snapshots (e.g., keep the last 30 days locally)
find "$SNAPSHOT_DIR" -name 'vault_snapshot_*.snap' -type f -mtime +30 -delete
echo "Old snapshots pruned."

exit 0
```

> [!NOTE]
> Ensure the Vault token used by the script has the least privilege required. Taking a snapshot needs only `read` on `sys/storage/raft/snapshot`, as in the example Vault policy below.

```hcl
path "sys/storage/raft/snapshot" {
  capabilities = ["read"]
}
```

6. Run the script.

```bash
$ ./vault_backup.sh
```
7. You will now see a snapshot backup in your Wasabi bucket under the backups/vault folder. ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/Screenshot 2026-01-12 at 4.32.24 PM.png)
8. Schedule the script to run periodically using a cron job, and make sure the cron job's output is captured so a failed snapshot or upload is noticed.
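The lifecycle rule from step 2 above can be applied with the AWS CLI instead of the console. The functions below are an added example, not from the Wasabi page. They assume that the console's settings correspond to the S3 lifecycle fields Expiration (91 days), NoncurrentVersionExpiration (1 day) and AbortIncompleteMultipartUpload (7 days, a value the page does not specify), and that the AWS CLI profile is named “wasabi”. The guard that keeps the expiration later than the Object Lock retention is also an addition.

```bash
#!/usr/bin/env bash
# Added example (not from the Wasabi page): apply the snapshot-bucket lifecycle rule
# with the AWS CLI. The field mapping and the 7-day multipart cleanup are assumptions.
set -eu

# Emit an S3 lifecycle configuration: expire current versions after $1 days, delete
# the resulting noncurrent versions $2 days later, and abort stale multipart uploads
# after $3 days. The empty prefix filter applies the rule to every object.
lifecycle_json() {  # expire_days noncurrent_days multipart_days
  cat <<EOF
{
  "Rules": [
    {
      "ID": "vault-snapshot-retention",
      "Status": "Enabled",
      "Filter": { "Prefix": "" },
      "Expiration": { "Days": $1 },
      "NoncurrentVersionExpiration": { "NoncurrentDays": $2 },
      "AbortIncompleteMultipartUpload": { "DaysAfterInitiation": $3 }
    }
  ]
}
EOF
}

# Guard: expiration must fall after the Object Lock retention, otherwise the rule
# tries to remove versions that are still locked and nothing is ever cleaned up.
check_against_lock() {  # object_lock_days expire_days
  [ "$2" -gt "$1" ]
}

# Apply the rule to a bucket whose default Object Lock retention is $3 days (90 in
# the text): expire one day after the lock lapses, delete the old version a day later.
apply_lifecycle() {  # bucket endpoint_url object_lock_days
  local lock_days="${3:-90}"
  local expire_days=$((lock_days + 1))
  check_against_lock "$lock_days" "$expire_days"
  aws s3api put-bucket-lifecycle-configuration \
    --bucket "$1" --profile wasabi --endpoint-url "$2" \
    --lifecycle-configuration "$(lifecycle_json "$expire_days" 1 7)"
}

if [ "${RUN_LIFECYCLE:-0}" = 1 ]; then
  apply_lifecycle "${BUCKET:?set BUCKET}" \
    "${ENDPOINT_URL:-https://s3.us-east-1.wasabisys.com}" "${LOCK_DAYS:-90}"
fi
```

Run it with `RUN_LIFECYCLE=1 BUCKET=<your_bucket> ./snapshot-lifecycle.sh`; afterwards `aws s3api get-bucket-lifecycle-configuration` with the same profile and endpoint shows the rule the console screenshot describes.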

### Restoring a Snapshot from Wasabi

If you need to restore a snapshot from Wasabi, follow this procedure. Vault needs to be running and unsealed at the time of the restore. Restoring replaces the cluster's current data with the contents of the snapshot. If the snapshot was taken on a different cluster, the restore command requires the `-force` flag, and Vault must afterwards be unsealed with the unseal keys of the cluster that produced the snapshot.

1. Issue the following AWS CLI command to copy a snapshot backup from your Wasabi bucket to your local machine.

```bash
$ aws s3 cp s3://YOUR_BUCKET/backups/vault/snapshot.snap \
snapshot-to-restore.snap --profile wasabi \
--endpoint-url=https://s3.us-east-1.wasabisys.com
```

Replace the following values with your unique ones:

- “snapshot.snap” with the name of the backup you wish to restore
- “YOUR_BUCKET” with the name of your bucket
- “wasabi” with the name of your AWS CLI profile for Wasabi
- The appropriate endpoint-url for your bucket

2. Using a token with `update` capability on `sys/storage/raft/snapshot` (the root token has it), issue the following CLI command:

```bash
$ vault operator raft snapshot restore snapshot-to-restore.snap
```

3. Verify your Vault is operating normally and the restore was successful: confirm that `vault status` reports it initialized and unsealed, then read back a secret you know existed when the snapshot was taken.
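Neither the backup script nor the restore steps above check that the snapshot that comes back from the bucket is byte-for-byte the one that was uploaded. The functions below are an added example, not from the Wasabi page: they store a SHA-256 digest beside each snapshot at backup time and refuse to run `vault operator raft snapshot restore` on a download whose digest does not match. They assume the backups/vault/ prefix used by the backup script, an AWS CLI profile named “wasabi”, and that either `sha256sum` (Linux) or `shasum` (macOS) is installed.

```bash
#!/usr/bin/env bash
# Added example (not from the Wasabi page): integrity-checked backup and restore.
# Assumes the backups/vault/ prefix from the backup script and the "wasabi" profile.
set -eu

# Portable SHA-256: Linux ships sha256sum, macOS ships shasum.
sha256_of() {  # file
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
  else shasum -a 256 "$1" | awk '{print $1}'; fi
}

# Write "<digest>  <basename>" so the sidecar is also checkable with `sha256sum -c`.
write_digest() {  # file digest_file
  printf '%s  %s\n' "$(sha256_of "$1")" "$(basename "$1")" > "$2"
}

# Return 0 when the file matches the digest recorded in the sidecar, 1 otherwise
# (an empty or missing digest also fails, so a lost sidecar never passes).
verify_digest() {  # file digest_file
  local expected actual
  expected=$(awk 'NR==1{print $1}' "$2" 2>/dev/null || true)
  actual=$(sha256_of "$1")
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Backup: the snapshot and its sidecar go to the bucket together.
backup_with_digest() {  # snapshot_file bucket endpoint_url
  write_digest "$1" "$1.sha256"
  aws s3 cp "$1"        "s3://$2/backups/vault/" --profile wasabi --endpoint-url "$3"
  aws s3 cp "$1.sha256" "s3://$2/backups/vault/" --profile wasabi --endpoint-url "$3"
}

# Restore: download both, verify, and only then hand the file to Vault.
restore_verified() {  # snapshot_name bucket endpoint_url
  aws s3 cp "s3://$2/backups/vault/$1"        "$1"        --profile wasabi --endpoint-url "$3"
  aws s3 cp "s3://$2/backups/vault/$1.sha256" "$1.sha256" --profile wasabi --endpoint-url "$3"
  if ! verify_digest "$1" "$1.sha256"; then
    echo "Digest mismatch for $1; refusing to restore." >&2
    return 1
  fi
  vault operator raft snapshot restore "$1"
}
```

Call `backup_with_digest "$SNAPSHOT_FILE" "$BUCKET" "$ENDPOINT_URL"` in place of the single `aws s3 cp` in the backup script, and `restore_verified vault_snapshot_20260112_160000.snap "$BUCKET" "$ENDPOINT_URL"` (a constructed file name) in place of steps 1 and 2 of the restore procedure. With Object Lock on the bucket the sidecar is immutable for the same period as the snapshot, so an attacker who can write to the bucket still cannot swap in a different snapshot with a matching digest.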
