hashicorp
diff --git a/‎changelog/30739.txt‎
Lines changed: 4 additions & 0 deletions b/‎changelog/30739.txt‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎website/content/api-docs/secret/cubbyhole.mdx‎
Lines changed: 47 additions & 2 deletions b/‎website/content/api-docs/secret/cubbyhole.mdx‎
Lines changed: 47 additions & 2 deletions
diff --git a/‎website/content/api-docs/secret/kv/kv-v1.mdx‎
Lines changed: 44 additions & 2 deletions b/‎website/content/api-docs/secret/kv/kv-v1.mdx‎
Lines changed: 44 additions & 2 deletions
diff --git a/‎website/content/api-docs/system/storage/raftautosnapshots.mdx‎
Lines changed: 66 additions & 2 deletions b/‎website/content/api-docs/system/storage/raftautosnapshots.mdx‎
Lines changed: 66 additions & 2 deletions
diff --git a/‎website/content/api-docs/system/storage/raftsnapshotload.mdx‎
Lines changed: 141 additions & 0 deletions b/‎website/content/api-docs/system/storage/raftsnapshotload.mdx‎
Lines changed: 141 additions & 0 deletions
@@ -0,0 +1,4 @@
+```release-note:feature
+**Secret Recovery from Snapshot (enterprise)**: Adds a framework to load an integrated storage 
+snapshot into Vault and read, list, and recover KV v1 and cubbyhole secrets from the snapshot.
+```
@@ -27,15 +27,26 @@ This endpoint retrieves the secret at the specified location.
 
 - `path` `(string: <required>)` – Specifies the path of the secret to read.
   This is specified as part of the URL.
+- `read_snapshot_id` `(string: <optional>)` - Query parameter specifing a loaded snapshot ID to
+read the secret.
 
-### Sample request
+### Sample requests
 
 ```shell-session
 $ curl \
     --header "X-Vault-Token: ..." \
     http://127.0.0.1:8200/v1/cubbyhole/my-secret
 ```
 
+To read the secret from a loaded snapshot with ID `2403d301-94f2-46a1-a39d-02be83e2831a`:
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    https://127.0.0.1:8200/v1/cubbyhole/my-secret?read_snapshot_id=2403d301-94f2-46a1-a39d-02be83e2831a
+```
+
+
 ### Sample response
 
 ```json
@@ -64,8 +75,9 @@ not return a value. The values themselves are not accessible via this command.
 
 - `path` `(string: <required>)` – Specifies the path of the secrets to list.
   This is specified as part of the URL.
+- `read_snapshot_id` `(string: <optional>)` - Query parameter specifying the loaded snapshot ID from which Vault should read secrets for the provided path.
 
-### Sample request
+### Sample requests
 
 ```shell-session
 $ curl \
@@ -74,6 +86,16 @@ $ curl \
     http://127.0.0.1:8200/v1/cubbyhole/my-secret
 ```
 
+To list the secrets from a loaded snapshot with ID `2403d301-94f2-46a1-a39d-02be83e2831a`:
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    https://127.0.0.1:8200/v1/cubbyhole/my-secret?read_snapshot_id=2403d301-94f2-46a1-a39d-02be83e2831a"
+```
+
+
 ### Sample response
 
 The example below shows output for a query path of `cubbyhole/` when there are
@@ -128,6 +150,29 @@ $ curl \
     http://127.0.0.1:8200/v1/cubbyhole/my-secret
 ```
 
+## Recover secret
+
+[Recover](/vault/docs/concepts/integrated-storage/snapshot-recover) a secret at the specified location from the given loaded snapshot.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `POST` | `/cubbyhole/:path?recover_snapshot_id=:recover_snapshot_id` |
+
+### Query parameters
+
+- `path` `(string: <required>)` – The target path of the secrets you want to recover. 
+- `recover_snapshot_id` `(string: <required>)` - The ID of a snapshot previously loaded into Vault that contains secrets at the provided path.
+
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    https://127.0.0.1:8200/v1/cubbyhole/my-secret?recover_snapshot_id=2403d301-94f2-46a1-a39d-02be83e2831a
+```
+
 ## Delete secret
 
 This endpoint deletes the secret at the specified location.
 
@@ -28,15 +28,24 @@ This endpoint retrieves the secret at the specified location.
 
 - `path` `(string: <required>)` – Specifies the path of the secret to read.
   This is specified as part of the URL.
+- `recover_snapshot_id` `(string: <required>)` - Query parameter specifying the ID of a snapshot previously loaded into Vault that contains secrets at the provided path.
 
-### Sample request
+### Sample requests
 
 ```shell-session
 $ curl \
     --header "X-Vault-Token: ..." \
     https://127.0.0.1:8200/v1/secret/my-secret
 ```
 
+To read the secret from a loaded snapshot with ID `2403d301-94f2-46a1-a39d-02be83e2831a`:
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    https://127.0.0.1:8200/v1/secret/my-secret?read_snapshot_id=2403d301-94f2-46a1-a39d-02be83e2831a
+```
+
 ### Sample response
 
 ```json
@@ -74,8 +83,9 @@ this API.
 
 - `path` `(string: <required>)` – Specifies the path of the secrets to list.
   This is specified as part of the URL.
+- `recover_snapshot_id` `(string: <required>)` - Query parameter specifying the ID of a snapshot previously loaded into Vault that contains secrets at the provided path.
 
-### Sample request
+### Sample requests
 
 ```shell-session
 $ curl \
@@ -84,6 +94,16 @@ $ curl \
     https://127.0.0.1:8200/v1/secret/my-secret
 ```
 
+To list the secrets from a loaded snapshot with ID `2403d301-94f2-46a1-a39d-02be83e2831a`:
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    https://127.0.0.1:8200/v1/secret/my-secret?read_snapshot_id=2403d301-94f2-46a1-a39d-02be83e2831a"
+```
+
+
 ### Sample response
 
 The example below shows output for a query path of `secret/` when there are
@@ -143,6 +163,28 @@ $ curl \
     https://127.0.0.1:8200/v1/secret/my-secret
 ```
 
+## Recover secret
+
+[Recover](/vault/docs/concepts/integrated-storage/snapshot-recover) a secret at the specified location from the given loaded snapshot.
+
+| Method | Path                                                     |
+| :----- | :------------------------------------------------------- |
+| `POST` | `/secret/:path?recover_snapshot_id=:recover_snapshot_id` |
+
+### Query parameters
+
+- `path` `(string: <required>)` – The target path of the secrets you want to recover. 
+- `recover_snapshot_id` `(string: <required>)` - The ID of a snapshot previously loaded into Vault that contains secrets at the provided path.
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    https://127.0.0.1:8200/v1/secret/my-secret?recover_snapshot_id=2403d301-94f2-46a1-a39d-02be83e2831a
+```
+
 ## Delete secret
 
 This endpoint deletes the secret at the specified location.
 
@@ -61,7 +61,7 @@ environment variables or files on disk in predefined locations.
 #### storage_type=local
 
 - `local_max_space` `(integer: <required>)` - For `storage_type=local`, the maximum
-  space, in bytes, to use for all snapshots with the given `file_prefix` in the `path_prefix` directory. 
+  space, in bytes, to use for all snapshots with the given `file_prefix` in the `path_prefix` directory.
   Snapshot attempts will fail if there is not enough
   space left in this allowance.
 
@@ -278,8 +278,72 @@ $ curl \
     "last_snapshot_error": "",
     "last_snapshot_start": "2020-10-28T11:17:21-04:00",
     "last_snapshot_url": "file:///opt/vault/snapshots/vault-snapshot-1603898241699731000.snap",
-    "snapshot_start": "2020-10-28T11:17:21-04:00",
+    "snapshot_start": "2020-108T11:17:21-04:00",
     "snapshot_url": "file:///opt/vault/snapshots/vault-snapshot-1603898241699731000.snap"
   }
 }
 ```
+
+## Load a snapshot from an automated snapshot configuration
+
+Load a new snapshot into the Vault cluster without overwriting the cluster with
+the snapshot's data. After loading a snapshot, you can recover, read, and list
+individual pieces of data from the loaded snapshot.
+
+To manage the state of your loaded snapshot, use the [`/sys/storage/raft/snapshot-load`](/vault/api-docs/system/storage/raftsnapshotload)
+endpoints.
+
+@include 'recover/loadedsnapshots.mdx'
+
+<Note>
+
+  You cannot load a snapshot from an automated snapshot configuration with `storage_type=local`.
+  Instead, upload the snapshot file using the
+  [`/sys/storage/raft/snapshot-load`](/vault/api-docs/system/storage/raftsnapshotload) endpoint.
+
+</Note>
+
+| Method | Path                                                  |
+| :----- | :---------------------------------------------------- |
+| `POST` | `/sys/storage/raft/snapshot-auto/snapshot-load/:name` |
+
+
+### Parameters
+
+- `name` `(string: <required>)` – Name of the configuration that created the snapshot.
+
+- `url` `(string: <required>)` - The snapshot URL to load as returned by the
+  `status` endpoint.
+
+### Sample payload
+```json
+{
+  "url": "https://example.com/raft.snap"
+}
+```
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/storage/raft/snapshot-auto/snapshot-load/config1
+```
+
+### Sample response
+
+```json
+{
+  "data": {
+    "auto_config_name": "config1",
+    "cluster_id": "2ec84695-cfe5-44f3-b351-3f08a9ccc0c8",
+    "expires_at": "2025-05-25T15:07:58.187769+01:00",
+    "snapshot_id": "2403d301-94f2-46a1-a39d-02be83e2831a",
+    "url": "https://example.com/raft.snap",
+    "status": "ready"
+  }
+}
+```
+
@@ -0,0 +1,141 @@
+---
+layout: api
+page_title: /sys/storage/raft/snapshot-load - HTTP API
+description: |-
+
+  Use the snapshot-load endpoints to load a snapshot into your Vault cluster
+  to recover individual pieces of data from the snapshot.
+---
+
+# `/sys/storage/raft/snapshot-load`
+
+@include 'alerts/enterprise-only.mdx'
+
+Manage the state of loaded snapshots within the Vault cluster.
+
+## Load a snapshot into Vault
+
+
+| Method | Path                                           |
+| :----- | :--------------------------------------------- |
+| `POST` | `/sys/storage/raft/snapshot-load` |
+
+Load a new snapshot into the Vault cluster without overwriting the cluster with
+the snapshot's data. After loading a snapshot, you can recover, read, and list
+individual pieces of data from the loaded snapshot.
+
+@include 'recover/loadedsnapshots.mdx'
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data-binary @raft.snap \
+    http://127.0.0.1:8200/v1/sys/storage/raft/snapshot-load
+```
+
+
+### Sample response
+
+```json
+{
+  "data": {
+    "cluster_id": "2ec84695-cfe5-44f3-b351-3f08a9ccc0c8",
+    "expires_at": "2025-05-25T15:07:58.187769+01:00",
+    "snapshot_id": "2403d301-94f2-46a1-a39d-02be83e2831a",
+    "status": "loading"
+  }
+}
+```
+
+## List loaded snapshots
+
+List all snapshots currently loaded in the cluster.
+
+| Method | Path                                     |
+| :----- | :--------------------------------------- |
+| `LIST` | `/sys/storage/raft/snapshot-load` |
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/sys/storage/raft/snapshot-load
+```
+
+### Sample response
+
+```json
+{
+  "data": {
+    "keys": ["2403d301-94f2-46a1-a39d-02be83e2831a"]
+  }
+}
+```
+
+## Read loaded snapshot
+
+Read the status details of a given snapshot loaded in the cluster.
+
+| Method | Path                                           |
+| :----- | :--------------------------------------------- |
+| `GET`  | `/sys/storage/raft/snapshot-load/:snapshot_id` |
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/storage/raft/snapshot-load/2403d301-94f2-46a1-a39d-02be83e2831a
+```
+
+### Sample responses
+
+For a snapshot loaded as a binary file:
+
+```json
+{
+  "data": {
+    "cluster_id": "2ec84695-cfe5-44f3-b351-3f08a9ccc0c8",
+    "expires_at": "2025-05-25T15:07:58.187769+01:00",
+    "snapshot_id": "2403d301-94f2-46a1-a39d-02be83e2831a",
+    "status": "ready"
+  }
+}
+```
+
+For a snapshot loaded from a an Automated Snapshot configuration:
+
+```json
+{
+  "data": {
+    "auto_config_name": "config1",
+    "cluster_id": "2ec84695-cfe5-44f3-b351-3f08a9ccc0c8",
+    "expires_at": "2025-05-25T15:07:58.187769+01:00",
+    "snapshot_id": "2403d301-94f2-46a1-a39d-02be83e2831a",
+    "url": "https://example.com/raft.snap",
+    "status": "ready"
+  }
+}
+```
+
+## Unload loaded snapshot
+
+Unloads a currently loaded snapshot from the cluster.
+
+| Method   | Path                                           |
+| :------- | :--------------------------------------------- |
+| `DELETE` | `/sys/storage/raft/snapshot-load/:snapshot_id` |
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/sys/storage/raft/snapshot-load/2403d301-94f2-46a1-a39d-02be83e2831a
+```