openapi: Add display attributes for AWS (#19366)

builtin/credential/aws/backend.go

@@ -20,7 +20,10 @@ import (
 	cache "github.com/patrickmn/go-cache"
 )
 
-const amzHeaderPrefix = "X-Amz-"
+const (
+	amzHeaderPrefix    = "X-Amz-"
+	operationPrefixAWS = "aws"
+)
 
 var defaultAllowedSTSRequestHeaders = []string{
 	"X-Amz-Algorithm",
@@ -126,7 +129,9 @@ func Backend(_ *logical.BackendConfig) (*backend, error) {
 
 		deprecatedTerms: strings.NewReplacer(
 			"accesslist", "whitelist",
+			"access-list", "whitelist",
 			"denylist", "blacklist",
+			"deny-list", "blacklist",
 		),
 	}
 
@@ -343,13 +348,33 @@ func (b *backend) resolveArnToRealUniqueId(ctx context.Context, s logical.Storag
 	}
 }
 
-// genDeprecatedPath will return a deprecated version of a framework.Path. The will include
+// genDeprecatedPath will return a deprecated version of a framework.Path. The
-// using deprecated terms in the path pattern, and marking the path as deprecated.
+// path pattern and display attributes (if any) will contain deprecated terms,
+// and the path will be marked as deprecated.
 func (b *backend) genDeprecatedPath(path *framework.Path) *framework.Path {
 	pathDeprecated := *path
 	pathDeprecated.Pattern = b.deprecatedTerms.Replace(path.Pattern)
 	pathDeprecated.Deprecated = true
 
+	if path.DisplayAttrs != nil {
+		deprecatedDisplayAttrs := *path.DisplayAttrs
+		deprecatedDisplayAttrs.OperationPrefix = b.deprecatedTerms.Replace(path.DisplayAttrs.OperationPrefix)
+		deprecatedDisplayAttrs.OperationVerb = b.deprecatedTerms.Replace(path.DisplayAttrs.OperationVerb)
+		deprecatedDisplayAttrs.OperationSuffix = b.deprecatedTerms.Replace(path.DisplayAttrs.OperationSuffix)
+		pathDeprecated.DisplayAttrs = &deprecatedDisplayAttrs
+	}
+
+	for i, op := range path.Operations {
+		if op.Properties().DisplayAttrs != nil {
+			deprecatedDisplayAttrs := *op.Properties().DisplayAttrs
+			deprecatedDisplayAttrs.OperationPrefix = b.deprecatedTerms.Replace(op.Properties().DisplayAttrs.OperationPrefix)
+			deprecatedDisplayAttrs.OperationVerb = b.deprecatedTerms.Replace(op.Properties().DisplayAttrs.OperationVerb)
+			deprecatedDisplayAttrs.OperationSuffix = b.deprecatedTerms.Replace(op.Properties().DisplayAttrs.OperationSuffix)
+			deprecatedProperties := pathDeprecated.Operations[i].(*framework.PathOperation)
+			deprecatedProperties.DisplayAttrs = &deprecatedDisplayAttrs
+		}
+	}
+
 	return &pathDeprecated
 }
 

builtin/credential/aws/path_config_certificate.go

@@ -21,6 +21,11 @@ func (b *backend) pathListCertificates() *framework.Path {
 	return &framework.Path{
 		Pattern: "config/certificates/?",
 
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationPrefix: operationPrefixAWS,
+			OperationSuffix: "certificate-configurations",
+		},
+
 		Operations: map[logical.Operation]framework.OperationHandler{
 			logical.ListOperation: &framework.PathOperation{
 				Callback: b.pathCertificatesList,
@@ -35,6 +40,11 @@ func (b *backend) pathListCertificates() *framework.Path {
 func (b *backend) pathConfigCertificate() *framework.Path {
 	return &framework.Path{
 		Pattern: "config/certificate/" + framework.GenericNameRegex("cert_name"),
+
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationPrefix: operationPrefixAWS,
+		},
+
 		Fields: map[string]*framework.FieldSchema{
 			"cert_name": {
 				Type:        framework.TypeString,
@@ -61,15 +71,29 @@ vary. Defaults to "pkcs7".`,
 		Operations: map[logical.Operation]framework.OperationHandler{
 			logical.CreateOperation: &framework.PathOperation{
 				Callback: b.pathConfigCertificateCreateUpdate,
+				DisplayAttrs: &framework.DisplayAttributes{
+					OperationVerb:   "configure",
+					OperationSuffix: "certificate",
+				},
 			},
 			logical.UpdateOperation: &framework.PathOperation{
 				Callback: b.pathConfigCertificateCreateUpdate,
+				DisplayAttrs: &framework.DisplayAttributes{
+					OperationVerb:   "configure",
+					OperationSuffix: "certificate",
+				},
 			},
 			logical.ReadOperation: &framework.PathOperation{
 				Callback: b.pathConfigCertificateRead,
+				DisplayAttrs: &framework.DisplayAttributes{
+					OperationSuffix: "certificate-configuration",
+				},
 			},
 			logical.DeleteOperation: &framework.PathOperation{
 				Callback: b.pathConfigCertificateDelete,
+				DisplayAttrs: &framework.DisplayAttributes{
+					OperationSuffix: "certificate-configuration",
+				},
 			},
 		},
 

builtin/credential/aws/path_config_client.go

@@ -19,6 +19,11 @@ import (
 func (b *backend) pathConfigClient() *framework.Path {
 	return &framework.Path{
 		Pattern: "config/client$",
+
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationPrefix: operationPrefixAWS,
+		},
+
 		Fields: map[string]*framework.FieldSchema{
 			"access_key": {
 				Type:        framework.TypeString,
@@ -80,15 +85,29 @@ func (b *backend) pathConfigClient() *framework.Path {
 		Operations: map[logical.Operation]framework.OperationHandler{
 			logical.CreateOperation: &framework.PathOperation{
 				Callback: b.pathConfigClientCreateUpdate,
+				DisplayAttrs: &framework.DisplayAttributes{
+					OperationVerb:   "configure",
+					OperationSuffix: "client",
+				},
 			},
 			logical.UpdateOperation: &framework.PathOperation{
 				Callback: b.pathConfigClientCreateUpdate,
+				DisplayAttrs: &framework.DisplayAttributes{
+					OperationVerb:   "configure",
+					OperationSuffix: "client",
+				},
 			},
 			logical.DeleteOperation: &framework.PathOperation{
 				Callback: b.pathConfigClientDelete,
+				DisplayAttrs: &framework.DisplayAttributes{
+					OperationSuffix: "client-configuration",
+				},
 			},
 			logical.ReadOperation: &framework.PathOperation{
 				Callback: b.pathConfigClientRead,
+				DisplayAttrs: &framework.DisplayAttributes{
+					OperationSuffix: "client-configuration",
+				},
 			},
 		},
 

builtin/credential/aws/path_config_identity.go

@@ -57,6 +57,11 @@ var (
 func (b *backend) pathConfigIdentity() *framework.Path {
 	return &framework.Path{
 		Pattern: "config/identity$",
+
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationPrefix: operationPrefixAWS,
+		},
+
 		Fields: map[string]*framework.FieldSchema{
 			"iam_alias": {
 				Type:        framework.TypeString,
@@ -75,9 +80,16 @@ func (b *backend) pathConfigIdentity() *framework.Path {
 		Operations: map[logical.Operation]framework.OperationHandler{
 			logical.ReadOperation: &framework.PathOperation{
 				Callback: pathConfigIdentityRead,
+				DisplayAttrs: &framework.DisplayAttributes{
+					OperationSuffix: "identity-integration-configuration",
+				},
 			},
 			logical.UpdateOperation: &framework.PathOperation{
 				Callback: pathConfigIdentityUpdate,
+				DisplayAttrs: &framework.DisplayAttributes{
+					OperationVerb:   "configure",
+					OperationSuffix: "identity-integration",
+				},
 			},
 		},
 

builtin/credential/aws/path_config_rotate_root.go

@@ -24,6 +24,12 @@ func (b *backend) pathConfigRotateRoot() *framework.Path {
 	return &framework.Path{
 		Pattern: "config/rotate-root",
 
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationPrefix: operationPrefixAWS,
+			OperationVerb:   "rotate",
+			OperationSuffix: "auth-root-credentials",
+		},
+
 		Operations: map[logical.Operation]framework.OperationHandler{
 			logical.UpdateOperation: &framework.PathOperation{
 				Callback: b.pathConfigRotateRootUpdate,

builtin/credential/aws/path_config_sts.go

@@ -20,6 +20,11 @@ func (b *backend) pathListSts() *framework.Path {
 	return &framework.Path{
 		Pattern: "config/sts/?",
 
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationPrefix: operationPrefixAWS,
+			OperationSuffix: "sts-role-relationships",
+		},
+
 		Operations: map[logical.Operation]framework.OperationHandler{
 			logical.ListOperation: &framework.PathOperation{
 				Callback: b.pathStsList,
@@ -34,6 +39,12 @@ func (b *backend) pathListSts() *framework.Path {
 func (b *backend) pathConfigSts() *framework.Path {
 	return &framework.Path{
 		Pattern: "config/sts/" + framework.GenericNameRegex("account_id"),
+
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationPrefix: operationPrefixAWS,
+			OperationSuffix: "sts-role",
+		},
+
 		Fields: map[string]*framework.FieldSchema{
 			"account_id": {
 				Type: framework.TypeString,

builtin/credential/aws/path_config_tidy_identity_accesslist.go

@@ -18,6 +18,11 @@ const (
 func (b *backend) pathConfigTidyIdentityAccessList() *framework.Path {
 	return &framework.Path{
 		Pattern: fmt.Sprintf("%s$", "config/tidy/identity-accesslist"),
+
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationPrefix: operationPrefixAWS,
+		},
+
 		Fields: map[string]*framework.FieldSchema{
 			"safety_buffer": {
 				Type:    framework.TypeDurationSecond,
@@ -37,15 +42,29 @@ expiration, before it is removed from the backend storage.`,
 		Operations: map[logical.Operation]framework.OperationHandler{
 			logical.CreateOperation: &framework.PathOperation{
 				Callback: b.pathConfigTidyIdentityAccessListCreateUpdate,
+				DisplayAttrs: &framework.DisplayAttributes{
+					OperationVerb:   "configure",
+					OperationSuffix: "identity-access-list-tidy-operation",
+				},
 			},
 			logical.UpdateOperation: &framework.PathOperation{
 				Callback: b.pathConfigTidyIdentityAccessListCreateUpdate,
+				DisplayAttrs: &framework.DisplayAttributes{
+					OperationVerb:   "configure",
+					OperationSuffix: "identity-access-list-tidy-operation",
+				},
 			},
 			logical.ReadOperation: &framework.PathOperation{
 				Callback: b.pathConfigTidyIdentityAccessListRead,
+				DisplayAttrs: &framework.DisplayAttributes{
+					OperationSuffix: "identity-access-list-tidy-settings",
+				},
 			},
 			logical.DeleteOperation: &framework.PathOperation{
 				Callback: b.pathConfigTidyIdentityAccessListDelete,
+				DisplayAttrs: &framework.DisplayAttributes{
+					OperationSuffix: "identity-access-list-tidy-settings",
+				},
 			},
 		},
 

builtin/credential/aws/path_config_tidy_roletag_denylist.go

@@ -17,6 +17,11 @@ const (
 func (b *backend) pathConfigTidyRoletagDenyList() *framework.Path {
 	return &framework.Path{
 		Pattern: "config/tidy/roletag-denylist$",
+
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationPrefix: operationPrefixAWS,
+		},
+
 		Fields: map[string]*framework.FieldSchema{
 			"safety_buffer": {
 				Type:    framework.TypeDurationSecond,
@@ -38,15 +43,29 @@ Defaults to 4320h (180 days).`,
 		Operations: map[logical.Operation]framework.OperationHandler{
 			logical.CreateOperation: &framework.PathOperation{
 				Callback: b.pathConfigTidyRoletagDenyListCreateUpdate,
+				DisplayAttrs: &framework.DisplayAttributes{
+					OperationVerb:   "configure",
+					OperationSuffix: "role-tag-deny-list-tidy-operation",
+				},
 			},
 			logical.UpdateOperation: &framework.PathOperation{
 				Callback: b.pathConfigTidyRoletagDenyListCreateUpdate,
+				DisplayAttrs: &framework.DisplayAttributes{
+					OperationVerb:   "configure",
+					OperationSuffix: "role-tag-deny-list-tidy-operation",
+				},
 			},
 			logical.ReadOperation: &framework.PathOperation{
 				Callback: b.pathConfigTidyRoletagDenyListRead,
+				DisplayAttrs: &framework.DisplayAttributes{
+					OperationSuffix: "role-tag-deny-list-tidy-settings",
+				},
 			},
 			logical.DeleteOperation: &framework.PathOperation{
 				Callback: b.pathConfigTidyRoletagDenyListDelete,
+				DisplayAttrs: &framework.DisplayAttributes{
+					OperationSuffix: "role-tag-deny-list-tidy-settings",
+				},
 			},
 		},
 

builtin/credential/aws/path_identity_accesslist.go

@@ -16,6 +16,12 @@ const identityAccessListStorage = "whitelist/identity/"
 func (b *backend) pathIdentityAccessList() *framework.Path {
 	return &framework.Path{
 		Pattern: "identity-accesslist/" + framework.GenericNameRegex("instance_id"),
+
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationPrefix: operationPrefixAWS,
+			OperationSuffix: "identity-access-list",
+		},
+
 		Fields: map[string]*framework.FieldSchema{
 			"instance_id": {
 				Type: framework.TypeString,
@@ -42,6 +48,11 @@ func (b *backend) pathListIdentityAccessList() *framework.Path {
 	return &framework.Path{
 		Pattern: "identity-accesslist/?",
 
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationPrefix: operationPrefixAWS,
+			OperationSuffix: "identity-access-list",
+		},
+
 		Operations: map[logical.Operation]framework.OperationHandler{
 			logical.ListOperation: &framework.PathOperation{
 				Callback: b.pathAccessListIdentitiesList,

builtin/credential/aws/path_login.go

@@ -55,6 +55,10 @@ var (
 func (b *backend) pathLogin() *framework.Path {
 	return &framework.Path{
 		Pattern: "login$",
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationPrefix: operationPrefixAWS,
+			OperationVerb:   "log-in",
+		},
 		Fields: map[string]*framework.FieldSchema{
 			"role": {
 				Type: framework.TypeString,

builtin/credential/aws/path_role.go

@@ -23,6 +23,12 @@ var currentRoleStorageVersion = 3
 func (b *backend) pathRole() *framework.Path {
 	p := &framework.Path{
 		Pattern: "role/" + framework.GenericNameRegex("role"),
+
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationPrefix: operationPrefixAWS,
+			OperationSuffix: "auth-role",
+		},
+
 		Fields: map[string]*framework.FieldSchema{
 			"role": {
 				Type:        framework.TypeString,
@@ -202,6 +208,11 @@ func (b *backend) pathListRole() *framework.Path {
 	return &framework.Path{
 		Pattern: "role/?",
 
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationPrefix: operationPrefixAWS,
+			OperationSuffix: "auth-roles",
+		},
+
 		Operations: map[logical.Operation]framework.OperationHandler{
 			logical.ListOperation: &framework.PathOperation{
 				Callback: b.pathRoleList,
@@ -217,6 +228,11 @@ func (b *backend) pathListRoles() *framework.Path {
 	return &framework.Path{
 		Pattern: "roles/?",
 
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationPrefix: operationPrefixAWS,
+			OperationSuffix: "roles2",
+		},
+
 		Operations: map[logical.Operation]framework.OperationHandler{
 			logical.ListOperation: &framework.PathOperation{
 				Callback: b.pathRoleList,

builtin/credential/aws/path_role_tag.go

@@ -26,6 +26,12 @@ const roleTagVersion = "v1"
 func (b *backend) pathRoleTag() *framework.Path {
 	return &framework.Path{
 		Pattern: "role/" + framework.GenericNameRegex("role") + "/tag$",
+
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationPrefix: operationPrefixAWS,
+			OperationSuffix: "role-tag",
+		},
+
 		Fields: map[string]*framework.FieldSchema{
 			"role": {
 				Type:        framework.TypeString,

builtin/credential/aws/path_roletag_denylist.go

@@ -15,6 +15,12 @@ import (
 func (b *backend) pathRoletagDenyList() *framework.Path {
 	return &framework.Path{
 		Pattern: "roletag-denylist/(?P<role_tag>.*)",
+
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationPrefix: operationPrefixAWS,
+			OperationSuffix: "role-tag-deny-list",
+		},
+
 		Fields: map[string]*framework.FieldSchema{
 			"role_tag": {
 				Type: framework.TypeString,
@@ -45,6 +51,11 @@ func (b *backend) pathListRoletagDenyList() *framework.Path {
 	return &framework.Path{
 		Pattern: "roletag-denylist/?",
 
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationPrefix: operationPrefixAWS,
+			OperationSuffix: "role-tag-deny-lists",
+		},
+
 		Operations: map[logical.Operation]framework.OperationHandler{
 			logical.ListOperation: &framework.PathOperation{
 				Callback: b.pathRoletagDenyListsList,

builtin/credential/aws/path_tidy_identity_accesslist.go

@@ -18,6 +18,13 @@ import (
 func (b *backend) pathTidyIdentityAccessList() *framework.Path {
 	return &framework.Path{
 		Pattern: "tidy/identity-accesslist$",
+
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationPrefix: operationPrefixAWS,
+			OperationSuffix: "identity-access-list",
+			OperationVerb:   "tidy",
+		},
+
 		Fields: map[string]*framework.FieldSchema{
 			"safety_buffer": {
 				Type:    framework.TypeDurationSecond,

builtin/credential/aws/path_tidy_roletag_denylist.go

@@ -22,6 +22,13 @@ const (
 func (b *backend) pathTidyRoletagDenyList() *framework.Path {
 	return &framework.Path{
 		Pattern: "tidy/roletag-denylist$",
+
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationPrefix: operationPrefixAWS,
+			OperationSuffix: "role-tag-deny-list",
+			OperationVerb:   "tidy",
+		},
+
 		Fields: map[string]*framework.FieldSchema{
 			"safety_buffer": {
 				Type:    framework.TypeDurationSecond,

builtin/logical/aws/backend.go

@@ -18,6 +18,8 @@ import (
 const (
 	rootConfigPath        = "config/root"
 	minAwsUserRollbackAge = 5 * time.Minute
+	operationPrefixAWS    = "aws"
+	operationPrefixAWSASD = "aws-config"
 )
 
 func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) {

builtin/logical/aws/path_config_lease.go

@@ -15,6 +15,11 @@ import (
 func pathConfigLease(b *backend) *framework.Path {
 	return &framework.Path{
 		Pattern: "config/lease",
+
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationPrefix: operationPrefixAWS,
+		},
+
 		Fields: map[string]*framework.FieldSchema{
 			"lease": {
 				Type:        framework.TypeString,
@@ -27,9 +32,20 @@ func pathConfigLease(b *backend) *framework.Path {
 			},
 		},
 
-		Callbacks: map[logical.Operation]framework.OperationFunc{
+		Operations: map[logical.Operation]framework.OperationHandler{
-			logical.ReadOperation:   b.pathLeaseRead,
+			logical.ReadOperation: &framework.PathOperation{
-			logical.UpdateOperation: b.pathLeaseWrite,
+				Callback: b.pathLeaseRead,
+				DisplayAttrs: &framework.DisplayAttributes{
+					OperationSuffix: "lease-configuration",
+				},
+			},
+			logical.UpdateOperation: &framework.PathOperation{
+				Callback: b.pathLeaseWrite,
+				DisplayAttrs: &framework.DisplayAttributes{
+					OperationVerb:   "configure",
+					OperationSuffix: "lease",
+				},
+			},
 		},
 
 		HelpSynopsis:    pathConfigLeaseHelpSyn,

builtin/logical/aws/path_config_root.go

@@ -17,6 +17,11 @@ const defaultUserNameTemplate = `{{ if (eq .Type "STS") }}{{ printf "vault-%s-%s
 func pathConfigRoot(b *backend) *framework.Path {
 	return &framework.Path{
 		Pattern: "config/root",
+
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationPrefix: operationPrefixAWS,
+		},
+
 		Fields: map[string]*framework.FieldSchema{
 			"access_key": {
 				Type:        framework.TypeString,
@@ -51,9 +56,20 @@ func pathConfigRoot(b *backend) *framework.Path {
 			},
 		},
 
-		Callbacks: map[logical.Operation]framework.OperationFunc{
+		Operations: map[logical.Operation]framework.OperationHandler{
-			logical.ReadOperation:   b.pathConfigRootRead,
+			logical.ReadOperation: &framework.PathOperation{
-			logical.UpdateOperation: b.pathConfigRootWrite,
+				Callback: b.pathConfigRootRead,
+				DisplayAttrs: &framework.DisplayAttributes{
+					OperationSuffix: "root-iam-credentials-configuration",
+				},
+			},
+			logical.UpdateOperation: &framework.PathOperation{
+				Callback: b.pathConfigRootWrite,
+				DisplayAttrs: &framework.DisplayAttributes{
+					OperationVerb:   "configure",
+					OperationSuffix: "root-iam-credentials",
+				},
+			},
 		},
 
 		HelpSynopsis:    pathConfigRootHelpSyn,

builtin/logical/aws/path_config_rotate_root.go

@@ -16,6 +16,13 @@ import (
 func pathConfigRotateRoot(b *backend) *framework.Path {
 	return &framework.Path{
 		Pattern: "config/rotate-root",
+
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationPrefix: operationPrefixAWS,
+			OperationSuffix: "root-iam-credentials",
+			OperationVerb:   "rotate",
+		},
+
 		Operations: map[logical.Operation]framework.OperationHandler{
 			logical.UpdateOperation: &framework.PathOperation{
 				Callback:                    b.pathConfigRotateRootUpdate,

builtin/logical/aws/path_roles.go

@@ -27,6 +27,11 @@ func pathListRoles(b *backend) *framework.Path {
 	return &framework.Path{
 		Pattern: "roles/?$",
 
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationPrefix: operationPrefixAWS,
+			OperationSuffix: "roles",
+		},
+
 		Callbacks: map[logical.Operation]framework.OperationFunc{
 			logical.ListOperation: b.pathRoleList,
 		},
@@ -39,6 +44,12 @@ func pathListRoles(b *backend) *framework.Path {
 func pathRoles(b *backend) *framework.Path {
 	return &framework.Path{
 		Pattern: "roles/" + framework.GenericNameWithAtRegex("name"),
+
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationPrefix: operationPrefixAWS,
+			OperationSuffix: "role",
+		},
+
 		Fields: map[string]*framework.FieldSchema{
 			"name": {
 				Type:        framework.TypeString,

builtin/logical/aws/path_user.go

@@ -21,6 +21,12 @@ import (
 func pathUser(b *backend) *framework.Path {
 	return &framework.Path{
 		Pattern: "(creds|sts)/" + framework.GenericNameWithAtRegex("name"),
+
+		DisplayAttrs: &framework.DisplayAttributes{
+			OperationPrefix: operationPrefixAWS,
+			OperationVerb:   "generate",
+		},
+
 		Fields: map[string]*framework.FieldSchema{
 			"name": {
 				Type:        framework.TypeString,
@@ -41,9 +47,19 @@ func pathUser(b *backend) *framework.Path {
 			},
 		},
 
-		Callbacks: map[logical.Operation]framework.OperationFunc{
+		Operations: map[logical.Operation]framework.OperationHandler{
-			logical.ReadOperation:   b.pathCredsRead,
+			logical.ReadOperation: &framework.PathOperation{
-			logical.UpdateOperation: b.pathCredsRead,
+				Callback: b.pathCredsRead,
+				DisplayAttrs: &framework.DisplayAttributes{
+					OperationSuffix: "credentials|sts-credentials",
+				},
+			},
+			logical.UpdateOperation: &framework.PathOperation{
+				Callback: b.pathCredsRead,
+				DisplayAttrs: &framework.DisplayAttributes{
+					OperationSuffix: "credentials2|sts-credentials2",
+				},
+			},
 		},
 
 		HelpSynopsis:    pathUserHelpSyn,