VAULT-36949: Automated snapshot cloud permissions (#1145)

* list cloud permissions required for automated snapshots

* Apply suggestions from code review

Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>

* fix typos

---------

Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>

Author: miagilepner

content/vault/v1.16.x/content/api-docs/system/storage/raftautosnapshots.mdx

@@ -71,7 +71,12 @@ environment variables or files on disk in predefined locations.
 
 - `aws_s3_region` `(string: <required>)` - AWS region bucket is in.
 
-- `aws_access_key_id` `(string)` - AWS access key ID.
+- `aws_access_key_id` `(string)` - AWS access key ID. The associated AWS account
+  must have the following permissions in S3 so that Vault can store and manage
+  the snapshots:
+  - `s3:ListBucket`
+  - `s3:PutObject`
+  - `s3:DeleteObject`
 
 - `aws_secret_access_key` `(string)` - AWS secret access key.
 
@@ -87,7 +92,11 @@ environment variables or files on disk in predefined locations.
 - `aws_s3_force_path_style` `(boolean)` - Use the endpoint/bucket URL style
   instead of bucket.endpoint. May be needed when setting `aws_s3_endpoint`.
 
-- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents.
+- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents. To use
+   KMS encryption, the associated AWS account must have the following
+   permissions:
+  - `kms:Decrypt`
+  - `kms:GenerateDataKey`
 
 - `aws_s3_server_side_encryption` `(boolean)` - Use AES256 to encrypt bucket contents. Cannot use with `aws_s3_enable_kms` parameter.
 
@@ -98,23 +107,27 @@ environment variables or files on disk in predefined locations.
 - `google_gcs_bucket` `(string: <required>)` GCS bucket to write snapshots to.
 
 - `google_service_account_key` `(string)` - Google service account key in JSON format. Depending
-  on how the API is invoked, this may be need to be JSON-escaped, e.g. for newlines and double quotes.
+  on how the API is invoked, this may need to be JSON-escaped, e.g. for newlines and double quotes.
   The raw value looks like this:
-
-```json
-{
-  "type": "service_account",
-  "project_id": "project-id",
-  "private_key_id": "key-id",
-  "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQ ... /WZs=\n-----END RSA PRIVATE KEY-----\n",
-  "client_email": "service-account-email",
-  "client_id": "client-id",
-  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
-  "token_uri": "https://accounts.google.com/o/oauth2/token",
-  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
-  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email"
-}
-```
+  ```json
+  {
+    "type": "service_account",
+    "project_id": "project-id",
+    "private_key_id": "key-id",
+    "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQ ... /WZs=\n-----END RSA PRIVATE KEY-----\n",
+    "client_email": "service-account-email",
+    "client_id": "client-id",
+    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+    "token_uri": "https://accounts.google.com/o/oauth2/token",
+    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email"
+  }
+    ```
+  
+  The associated Google service account must have the following permissions in Google Cloud Storage so that Vault can store and manage the snapshots:
+  - `storage.objects.create`
+  - `storage.objects.list`
+  - `storage.objects.delete`
 
 - `google_endpoint` `(string)` - GCS endpoint. This is typically only set when
   using a non-Google GCS implementation like fake-gcs-server.
@@ -128,7 +141,12 @@ environment variables or files on disk in predefined locations.
 - `azure_container_name` `(string: <required>)` - Azure container name to write
   snapshots to.
 
-- `azure_account_name` `(string)` - Azure account name.
+- `azure_account_name` `(string)` - Azure account name. The associated Azure
+  account must have the following permissions in Azure Blob Storage so that
+  Vault can store and manage the snapshots:
+  - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read`
+  - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write`
+  - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete`
 
 - `azure_account_key` `(string)` - Azure account key.
 

content/vault/v1.19.x/content/api-docs/system/storage/raftautosnapshots.mdx

@@ -81,7 +81,12 @@ parameters in the context of AWS EKS & S3 configuration.
 
 - `aws_s3_region` `(string: <required>)` - AWS region bucket is in.
 
-- `aws_access_key_id` `(string)` - AWS access key ID.
+- `aws_access_key_id` `(string)` - AWS access key ID. The associated AWS account
+  must have the following permissions in S3 so that Vault can store and manage
+  the snapshots:
+  - `s3:ListBucket`
+  - `s3:PutObject`
+  - `s3:DeleteObject`
 
 - `aws_secret_access_key` `(string)` - AWS secret access key.
 
@@ -97,7 +102,10 @@ parameters in the context of AWS EKS & S3 configuration.
 - `aws_s3_force_path_style` `(boolean)` - Use the endpoint/bucket URL style
   instead of bucket.endpoint. May be needed when setting `aws_s3_endpoint`.
 
-- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents.
+- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents. To use
+  KMS encryption, the associated account must have the following permissions:
+  - `kms:Decrypt`
+  - `kms:GenerateDataKey`
 
 - `aws_s3_server_side_encryption` `(boolean)` - Use AES256 to encrypt bucket contents. Cannot use with `aws_s3_enable_kms` parameter.
 
@@ -108,23 +116,28 @@ parameters in the context of AWS EKS & S3 configuration.
 - `google_gcs_bucket` `(string: <required>)` GCS bucket to write snapshots to.
 
 - `google_service_account_key` `(string)` - Google service account key in JSON format. Depending
-  on how the API is invoked, this may be need to be JSON-escaped, e.g. for newlines and double quotes.
-  The raw value looks like this:
+on how you invoke the API, you may need to JSON-escape the account key. For
+example, to include data with newlines and double quotes the raw value would
+look like:
+  ```json
+  {
+    "type": "service_account",
+    "project_id": "project-id",
+    "private_key_id": "key-id",
+    "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQ ... /WZs=\n-----END RSA PRIVATE KEY-----\n",
+    "client_email": "service-account-email",
+    "client_id": "client-id",
+    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+    "token_uri": "https://accounts.google.com/o/oauth2/token",
+    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email"
+  }
+  ```
 
-```json
-{
-  "type": "service_account",
-  "project_id": "project-id",
-  "private_key_id": "key-id",
-  "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQ ... /WZs=\n-----END RSA PRIVATE KEY-----\n",
-  "client_email": "service-account-email",
-  "client_id": "client-id",
-  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
-  "token_uri": "https://accounts.google.com/o/oauth2/token",
-  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
-  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email"
-}
-```
+  The associated Google service account must have the following permissions in Google Cloud Storage so that Vault can store and manage the snapshots:
+  - `storage.objects.create`
+  - `storage.objects.list`
+  - `storage.objects.delete`
 
 - `google_endpoint` `(string)` - GCS endpoint. This is typically only set when
   using a non-Google GCS implementation like fake-gcs-server.
@@ -138,7 +151,12 @@ parameters in the context of AWS EKS & S3 configuration.
 - `azure_container_name` `(string: <required>)` - Azure container name to write
   snapshots to.
 
-- `azure_account_name` `(string)` - Azure account name.
+- `azure_account_name` `(string)` - Azure account name. The associated Azure
+  account must have the following permissions in Azure Blob Storage so that
+  Vault can store and manage the snapshots:
+  - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read`
+  - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write`
+  - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete`
 
 - `azure_auth_mode` `(string)` - One of `shared`, `managed`, or `environment`. If `environment` is set, Azure authentication details are retrieved from the environment variables: `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_TENANT_ID`, `AZURE_SUBSCRIPTION_ID`. 
 

content/vault/v1.20.x/content/api-docs/system/storage/raftautosnapshots.mdx

@@ -81,7 +81,15 @@ parameters in the context of AWS EKS & S3 configuration.
 
 - `aws_s3_region` `(string: <required>)` - AWS region bucket is in.
 
-- `aws_access_key_id` `(string)` - AWS access key ID.
+- `aws_access_key_id` `(string)` - AWS access key ID. The associated AWS account
+  must have the following permissions in S3 so that Vault can store and manage
+  the snapshots:
+  - `s3:ListBucket`
+  - `s3:PutObject`
+  - `s3:DeleteObject`
+
+  To load a snapshot with your configuration, the account also needs:
+  - `s3:GetObject`
 
 - `aws_secret_access_key` `(string)` - AWS secret access key.
 
@@ -97,7 +105,10 @@ parameters in the context of AWS EKS & S3 configuration.
 - `aws_s3_force_path_style` `(boolean)` - Use the endpoint/bucket URL style
   instead of bucket.endpoint. May be needed when setting `aws_s3_endpoint`.
 
-- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents.
+- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents. To use
+  KMS encryption, the associated AWS account must have the following permissions:
+  - `kms:Decrypt`
+  - `kms:GenerateDataKey`
 
 - `aws_s3_server_side_encryption` `(boolean)` - Use AES256 to encrypt bucket contents. Cannot use with `aws_s3_enable_kms` parameter.
 
@@ -108,23 +119,32 @@ parameters in the context of AWS EKS & S3 configuration.
 - `google_gcs_bucket` `(string: <required>)` GCS bucket to write snapshots to.
 
 - `google_service_account_key` `(string)` - Google service account key in JSON format. Depending
-  on how the API is invoked, this may be need to be JSON-escaped, e.g. for newlines and double quotes.
-  The raw value looks like this:
+on how you invoke the API, you may need to JSON-escape the account key. For
+example, to include data with newlines and double quotes the raw value would
+look like:
+  ```json
+  {
+    "type": "service_account",
+    "project_id": "project-id",
+    "private_key_id": "key-id",
+    "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQ ... /WZs=\n-----END RSA PRIVATE KEY-----\n",
+    "client_email": "service-account-email",
+    "client_id": "client-id",
+    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+    "token_uri": "https://accounts.google.com/o/oauth2/token",
+    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email"
+  }
+    ```
 
-```json
-{
-  "type": "service_account",
-  "project_id": "project-id",
-  "private_key_id": "key-id",
-  "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQ ... /WZs=\n-----END RSA PRIVATE KEY-----\n",
-  "client_email": "service-account-email",
-  "client_id": "client-id",
-  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
-  "token_uri": "https://accounts.google.com/o/oauth2/token",
-  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
-  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email"
-}
-```
+  The associated Google service account must have following permissions in
+  Google Cloud Storage so that Vault can store and manage the snapshots:
+  - `storage.objects.create`
+  - `storage.objects.list`
+  - `storage.objects.delete`
+
+  To load a snapshot with your configuration, the account also needs:
+  - `storage.objects.get`
 
 - `google_endpoint` `(string)` - GCS endpoint. This is typically only set when
   using a non-Google GCS implementation like fake-gcs-server.
@@ -138,7 +158,12 @@ parameters in the context of AWS EKS & S3 configuration.
 - `azure_container_name` `(string: <required>)` - Azure container name to write
   snapshots to.
 
-- `azure_account_name` `(string)` - Azure account name.
+- `azure_account_name` `(string)` - Azure account name. The associated Azure
+  account must have the following permissions in Azure Blob Storage so that
+  Vault can store and manage the snapshots:
+  - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read`
+  - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write`
+  - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete`
 
 - `azure_auth_mode` `(string)` - One of `shared`, `managed`, or `environment`. If `environment` is set, Azure authentication details are retrieved from the environment variables: `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_TENANT_ID`, `AZURE_SUBSCRIPTION_ID`. 
 

content/vault/v1.21.x (rc)/content/api-docs/system/storage/raftautosnapshots.mdx

@@ -95,7 +95,16 @@ parameters in the context of AWS EKS & S3 configuration.
 
 - `aws_s3_region` `(string: <required>)` - AWS region bucket is in.
 
-- `aws_access_key_id` `(string)` - AWS access key ID.
+- `aws_access_key_id` `(string)` - AWS access key ID. The associated AWS account
+  must have the following permissions in S3 so that Vault can store and manage
+  the snapshots:
+  - `s3:ListBucket`
+  - `s3:PutObject`
+  - `s3:DeleteObject`
+
+  If you want to use the configuration to enable snapshot autoloading or to
+  manually load a snapshot, the account also needs:
+  - `s3:GetObject`
 
 - `aws_secret_access_key` `(string)` - AWS secret access key.
 
@@ -111,7 +120,10 @@ parameters in the context of AWS EKS & S3 configuration.
 - `aws_s3_force_path_style` `(boolean)` - Use the endpoint/bucket URL style
   instead of bucket.endpoint. May be needed when setting `aws_s3_endpoint`.
 
-- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents.
+- `aws_s3_enable_kms` `(boolean)` - Use KMS to encrypt bucket contents. To use
+  KMS encryption, the associated AWS account must have the following permissions:
+  - `kms:Decrypt`
+  - `kms:GenerateDataKey`
 
 - `aws_s3_server_side_encryption` `(boolean)` - Use AES256 to encrypt bucket contents. Cannot use with `aws_s3_enable_kms` parameter.
 
@@ -122,23 +134,32 @@ parameters in the context of AWS EKS & S3 configuration.
 - `google_gcs_bucket` `(string: <required>)` GCS bucket to write snapshots to.
 
 - `google_service_account_key` `(string)` - Google service account key in JSON format. Depending
-  on how the API is invoked, this may be need to be JSON-escaped, e.g. for newlines and double quotes.
+  on how the API is invoked, this may need to be JSON-escaped, e.g. for newlines and double quotes.
   The raw value looks like this:
-
-```json
-{
-  "type": "service_account",
-  "project_id": "project-id",
-  "private_key_id": "key-id",
-  "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQ ... /WZs=\n-----END RSA PRIVATE KEY-----\n",
-  "client_email": "service-account-email",
-  "client_id": "client-id",
-  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
-  "token_uri": "https://accounts.google.com/o/oauth2/token",
-  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
-  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email"
-}
-```
+    ```json
+    {
+      "type": "service_account",
+      "project_id": "project-id",
+      "private_key_id": "key-id",
+      "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQ ... /WZs=\n-----END RSA PRIVATE KEY-----\n",
+      "client_email": "service-account-email",
+      "client_id": "client-id",
+      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+      "token_uri": "https://accounts.google.com/o/oauth2/token",
+      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email"
+    }
+    ```
+
+  The associated Google service account must have following permissions in
+  Google Cloud Storage so that Vault can store and manage the snapshots:
+  - `storage.objects.create`
+  - `storage.objects.list`
+  - `storage.objects.delete`
+
+  If you want to use the configuration to enable snapshot autoloading or to
+  manually load a snapshot, the account also needs:
+  - `storage.objects.get`
 
 - `google_endpoint` `(string)` - GCS endpoint. This is typically only set when
   using a non-Google GCS implementation like fake-gcs-server.
@@ -148,11 +169,16 @@ parameters in the context of AWS EKS & S3 configuration.
   `google_endpoint`.
 
 #### storage_type=azure-blob
-
+ 
 - `azure_container_name` `(string: <required>)` - Azure container name to write
   snapshots to.
 
-- `azure_account_name` `(string)` - Azure account name.
+- `azure_account_name` `(string)` - Azure account name. The associated Azure
+  account must have the following permissions in Azure Blob Storage so that
+  Vault can store and manage the snapshots:
+  - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read`
+  - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write`
+  - `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete`
 
 - `azure_auth_mode` `(string)` - One of `shared`, `managed`, or `environment`.
   If `environment` is set, Azure authentication details are retrieved from the