[docs] Convert titles to sentence case (#21426)

* Convert documentation titles to sentence case

* Docker, Google, Foundry, Cloud proper case
Anton Averchenkov
2023-06-30 19:22:07 -04:00
committed by GitHub
parent d01a3c1763
commit f4f0412b6a
589 changed files with 4744 additions and 4744 deletions


@@ -4,7 +4,7 @@ page_title: AliCloud - Auth Methods - HTTP API
description: This is the API documentation for the Vault AliCloud auth method.
---
# AliCloud Auth Method (API)
# AliCloud auth method (API)
This is the API documentation for the Vault AliCloud auth method. For
general information about the usage and operation of the AliCloud method, please
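Review bot: the frontmatter `page_title` for this file ("AliCloud - Auth Methods - HTTP API") still uses title case while the H1 directly beneath it becomes "AliCloud auth method (API)". If page titles are deliberately left in title case for navigation that is fine, but it should be stated, otherwise this hunk leaves the two out of step on every page in the change.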
@@ -14,7 +14,7 @@ This documentation assumes the AliCloud auth method is mounted at the `/auth/ali
path in Vault. Since it is possible to enable auth methods at any location,
please update your API calls accordingly.
## Create/Update Role
## Create/Update role
Registers a role. Only entities using the role registered using this endpoint
will be able to perform the login operation.
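Review bot: "Create/Update role" is not sentence case; the word after the slash keeps its capital. For consistency with the other headings in this change it should read "Create/update role".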
@@ -30,7 +30,7 @@ will be able to perform the login operation.
@include 'tokenfields.mdx'
### Sample Payload
### Sample payload
```json
{
@@ -39,7 +39,7 @@ will be able to perform the login operation.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -49,7 +49,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/alicloud/role/dev-role
```
## Read Role
## Read role
Returns the previously registered role configuration.
@@ -61,7 +61,7 @@ Returns the previously registered role configuration.
- `role` `(string: <required>)` - Name of the role.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -69,7 +69,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/alicloud/role/dev-role
```
### Sample Response
### Sample response
```json
{
@@ -83,7 +83,7 @@ $ curl \
}
```
## List Roles
## List roles
Lists all the roles that are registered with the method.
@@ -91,7 +91,7 @@ Lists all the roles that are registered with the method.
| :----- | :--------------------- |
| `LIST` | `/auth/alicloud/roles` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -100,7 +100,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/alicloud/roles
```
### Sample Response
### Sample response
```json
{
@@ -110,7 +110,7 @@ $ curl \
}
```
## Delete Role
## Delete role
Deletes the previously registered role.
@@ -122,7 +122,7 @@ Deletes the previously registered role.
- `role` `(string: <required>)` - Name of the role.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -151,7 +151,7 @@ GetCallerIdentity request.
string value or an array of string values (though the length of that array
will probably only be one).
### Sample Payload
### Sample payload
```json
{
@@ -161,7 +161,7 @@ GetCallerIdentity request.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -170,7 +170,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/alicloud/login
```
### Sample Response
### Sample response
```json
{


@@ -4,7 +4,7 @@ page_title: AppRole - Auth Methods - HTTP API
description: This is the API documentation for the Vault AppRole auth method.
---
# AppRole Auth Method (API)
# AppRole auth method (API)
This is the API documentation for the Vault AppRole auth method. For
general information about the usage and operation of the AppRole method, please
@@ -14,7 +14,7 @@ This documentation assumes the AppRole method is mounted at the `/auth/approle`
path in Vault. Since it is possible to enable auth methods at any location,
please update your API calls accordingly.
## List Roles
## List roles
This endpoint returns a list the existing AppRoles in the method.
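Review bot: the context line "This endpoint returns a list the existing AppRoles in the method." is missing "of" (it should read "a list of the existing AppRoles"); since this hunk rewrites the heading right above it, worth fixing in the same pass.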
@@ -22,7 +22,7 @@ This endpoint returns a list the existing AppRoles in the method.
| :----- | :------------------- |
| `LIST` | `/auth/approle/role` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -31,7 +31,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/approle/role
```
### Sample Response
### Sample response
```json
{
@@ -81,7 +81,7 @@ include a-Z, 0-9, space, hyphen, underscore and periods.
@include 'tokenfields.mdx'
### Sample Payload
### Sample payload
```json
{
@@ -93,7 +93,7 @@ include a-Z, 0-9, space, hyphen, underscore and periods.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -115,7 +115,7 @@ Reads the properties of an existing AppRole.
- `role_name` `(string: <required>)` - Name of the AppRole. Must be less than 4096 bytes.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -123,7 +123,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/approle/role/application1
```
### Sample Response
### Sample response
```json
{
@@ -158,7 +158,7 @@ Deletes an existing AppRole from the method.
- `role_name` `(string: <required>)` - Name of the AppRole. Must be less than 4096 bytes.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -167,7 +167,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/approle/role/application1
```
## Read AppRole Role ID
## Read AppRole role ID
Reads the RoleID of an existing AppRole.
@@ -179,7 +179,7 @@ Reads the RoleID of an existing AppRole.
- `role_name` `(string: <required>)` - Name of the AppRole. Must be less than 4096 bytes.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -187,7 +187,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/approle/role/application1/role-id
```
### Sample Response
### Sample response
```json
{
@@ -203,7 +203,7 @@ $ curl \
}
```
## Update AppRole Role ID
## Update AppRole role ID
Updates the RoleID of an existing AppRole to a custom value.
@@ -216,7 +216,7 @@ Updates the RoleID of an existing AppRole to a custom value.
- `role_name` `(string: <required>)` - Name of the AppRole. Must be less than 4096 bytes.
- `role_id` `(string: <required>)` - Value to be set as RoleID.
### Sample Payload
### Sample payload
```json
{
@@ -224,7 +224,7 @@ Updates the RoleID of an existing AppRole to a custom value.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -234,7 +234,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/approle/role/application1/role-id
```
### Sample Response
### Sample response
```json
{
@@ -250,7 +250,7 @@ $ curl \
}
```
## Generate New Secret ID
## Generate new secret ID
Generates and issues a new SecretID on an existing AppRole. Similar to
tokens, the response will also contain a `secret_id_accessor` value which can
@@ -284,7 +284,7 @@ itself, and also to delete the SecretID from the AppRole.
Overrides secret_id_ttl role option when supplied.
May not be longer than role's secret_id_ttl.
### Sample Payload
### Sample payload
```json
{
@@ -294,7 +294,7 @@ itself, and also to delete the SecretID from the AppRole.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -304,7 +304,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/approle/role/application1/secret-id
```
### Sample Response
### Sample response
```json
{
@@ -323,7 +323,7 @@ $ curl \
}
```
## List Secret ID Accessors
## List secret ID accessors
Lists the accessors of all the SecretIDs issued against the AppRole.
This includes the accessors for "custom" SecretIDs as well.
@@ -336,7 +336,7 @@ This includes the accessors for "custom" SecretIDs as well.
- `role_name` `(string: <required>)` - Name of the AppRole. Must be less than 4096 bytes.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -345,7 +345,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/approle/role/application1/secret-id
```
### Sample Response
### Sample response
```json
{
@@ -367,7 +367,7 @@ $ curl \
}
```
## Read AppRole Secret ID
## Read AppRole secret ID
Reads out the properties of a SecretID.
@@ -380,7 +380,7 @@ Reads out the properties of a SecretID.
- `role_name` `(string: <required>)` - Name of the AppRole. Must be less than 4096 bytes.
- `secret_id` `(string: <required>)` - Secret ID attached to the role.
### Sample Payload
### Sample payload
```json
{
@@ -388,7 +388,7 @@ Reads out the properties of a SecretID.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -398,7 +398,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/approle/role/application1/secret-id/lookup
```
## Destroy AppRole Secret ID
## Destroy AppRole secret ID
Destroy an AppRole secret ID.
@@ -411,7 +411,7 @@ Destroy an AppRole secret ID.
- `role_name` `(string: <required>)` - Name of the AppRole. Must be less than 4096 bytes.
- `secret_id` `(string: <required>)` - Secret ID attached to the role.
### Sample Payload
### Sample payload
```json
{
@@ -419,7 +419,7 @@ Destroy an AppRole secret ID.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -429,7 +429,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/approle/role/application1/secret-id/destroy
```
## Read AppRole Secret ID Accessor
## Read AppRole secret ID accessor
Reads out the properties of a SecretID.
@@ -442,7 +442,7 @@ Reads out the properties of a SecretID.
- `role_name` `(string: <required>)` - Name of the AppRole. Must be less than 4096 bytes.
- `secret_id_accessor` `(string: <required>)` - Secret ID accessor attached to the role.
### Sample Payload
### Sample payload
```json
{
@@ -450,7 +450,7 @@ Reads out the properties of a SecretID.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -460,7 +460,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/approle/role/application1/secret-id-accessor/lookup
```
## Destroy AppRole Secret ID Accessor
## Destroy AppRole secret ID accessor
Destroy an AppRole secret ID by its accessor.
@@ -473,7 +473,7 @@ Destroy an AppRole secret ID by its accessor.
- `role_name` `(string: <required>)` - Name of the AppRole. Must be less than 4096 bytes.
- `secret_id_accessor` `(string: <required>)` - Secret ID accessor attached to the role.
### Sample Payload
### Sample payload
```json
{
@@ -481,7 +481,7 @@ Destroy an AppRole secret ID by its accessor.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -491,7 +491,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/approle/role/application1/secret-id-accessor/destroy
```
## Create Custom AppRole Secret ID
## Create custom AppRole secret ID
Assigns a "custom" SecretID against an existing AppRole. This is used in the
"Push" model of operation.
@@ -524,7 +524,7 @@ Assigns a "custom" SecretID against an existing AppRole. This is used in the
Overrides secret_id_ttl role option when supplied.
May not be longer than role's secret_id_ttl.
### Sample Payload
### Sample payload
```json
{
@@ -534,7 +534,7 @@ Assigns a "custom" SecretID against an existing AppRole. This is used in the
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -544,7 +544,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/approle/role/application1/custom-secret-id
```
### Sample Response
### Sample response
```json
{
@@ -563,7 +563,7 @@ $ curl \
}
```
## Login With AppRole
## Login with AppRole
Issues a Vault token based on the presented credentials. `role_id` is always
required; if `bind_secret_id` is enabled (the default) on the AppRole,
@@ -579,7 +579,7 @@ AppRole (such as client IP CIDR) are also evaluated.
- `role_id` `(string: <required>)` - RoleID of the AppRole.
- `secret_id` `(string: <required>)` - SecretID belonging to AppRole.
### Sample Payload
### Sample payload
```json
{
@@ -588,7 +588,7 @@ AppRole (such as client IP CIDR) are also evaluated.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -597,7 +597,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/approle/login
```
### Sample Response
### Sample response
```json
{
@@ -618,7 +618,7 @@ $ curl \
}
```
## Read, Update, or Delete AppRole Properties
## Read, update, or delete AppRole properties
Updates the respective property in the existing AppRole. All of these
parameters of the AppRole can be updated using the `/auth/approle/role/:role_name`
@@ -639,7 +639,7 @@ to be able to delegate specific endpoints using Vault's ACL system.
Refer to `/auth/approle/role/:role_name` endpoint.
## Tidy Tokens
## Tidy tokens
Performs some maintenance tasks to clean up invalid entries that may remain
in the token store. Generally, running this is not needed unless upgrade
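Review bot: the new heading "Tidy tokens" does not describe what this section documents: the endpoint table in the next hunk is `POST /auth/approle/tidy/secret-id`, which cleans up SecretID entries, not tokens. Since the heading is being rewritten anyway, "Tidy secret IDs" would match the endpoint path.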
@@ -650,7 +650,7 @@ storage method so should be used sparingly.
| :----- | :----------------------------- |
| `POST` | `/auth/approle/tidy/secret-id` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -659,7 +659,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/approle/tidy/secret-id
```
### Sample Response
### Sample response
```json
{


@@ -4,7 +4,7 @@ page_title: AWS - Auth Methods - HTTP API
description: This is the API documentation for the Vault AWS auth method.
---
# AWS Auth Method (API)
# AWS auth method (API)
@include 'x509-sha1-deprecation.mdx'
@@ -22,7 +22,7 @@ please update your API calls accordingly.
[list of affected endpoints](#deprecations-effective-in-vault-1-7) and their
replacements is provided at the end of this document.
## Configure Client
## Configure client
Configures the credentials required to perform API calls to AWS as well as
custom endpoints to talk to AWS APIs. The instance identity document
@@ -78,7 +78,7 @@ capabilities, the credentials are fetched automatically.
an IAM based login call. In any case, a default list of headers AWS STS
expects for a GetCallerIdentity are allowed.
### Sample Payload
### Sample payload
```json
{
@@ -87,7 +87,7 @@ capabilities, the credentials are fetched automatically.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -97,7 +97,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/aws/config/client
```
## Read Config
## Read config
Returns the previously configured AWS access credentials.
@@ -105,7 +105,7 @@ Returns the previously configured AWS access credentials.
| :----- | :------------------------ |
| `GET` | `/auth/aws/config/client` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -113,7 +113,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/aws/config/client
```
### Sample Response
### Sample response
```json
{
@@ -128,7 +128,7 @@ $ curl \
}
```
## Delete Config
## Delete config
Deletes the previously configured AWS access credentials.
@@ -136,7 +136,7 @@ Deletes the previously configured AWS access credentials.
| :------- | :------------------------ |
| `DELETE` | `/auth/aws/config/client` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -145,7 +145,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/aws/config/client
```
## Rotate Root Credentials
## Rotate root credentials
When you have configured Vault with static credentials, you can use this
endpoint to have Vault rotate the access key it used. Note that, due to AWS
@@ -165,7 +165,7 @@ secret key is used to access AWS.
There are no parameters to this operation.
### Sample Request
### Sample request
```$ curl \
--header "X-Vault-Token: ..." \
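Review bot: the code fence in this hunk is malformed: "```$ curl \" puts the command on the fence line and drops the `shell-session` tag that every other sample request on the page uses. It should be "```shell-session" on its own line followed by "$ curl \" on the next; as written, the first line of the command is swallowed by the fence and the block renders with no language.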
@@ -173,7 +173,7 @@ There are no parameters to this operation.
http://127.0.0.1:8200/v1/auth/aws/config/rotate-root
```
### Sample Response
### Sample response
```json
{
@@ -185,7 +185,7 @@ There are no parameters to this operation.
The new access key Vault uses is returned by this operation.
## Configure Identity Integration
## Configure identity integration
This configures the way that Vault interacts with the
[Identity](/vault/docs/secrets/identity) store. The default (as of Vault
@@ -237,7 +237,7 @@ This configures the way that Vault interacts with the
**Only select fields that will have a low rate of change** for your `ec2_alias` because
each change triggers a storage write and can have a performance impact at scale.
### Sample Payload
### Sample payload
```json
{
@@ -245,7 +245,7 @@ This configures the way that Vault interacts with the
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -255,7 +255,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/aws/config/identity
```
## Read Identity Integration Configuration
## Read identity integration configuration
Returns the previously configured Identity integration configuration
@@ -263,7 +263,7 @@ Returns the previously configured Identity integration configuration
| :----- | :-------------------------- |
| `GET` | `/auth/aws/config/identity` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -271,7 +271,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/aws/config/identity
```
### Sample Response
### Sample response
```json
{
@@ -281,7 +281,7 @@ $ curl \
}
```
## Create Certificate Configuration
## Create certificate configuration
Registers an AWS public key to be used to verify the instance identity
documents. Indicate the type of the public key using the `type` parameter.
@@ -320,7 +320,7 @@ for more information on the signature types and the corresponding certificates.
[/signature](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-signature.html)
endpoint. Defaults to "pkcs7".
### Sample Payload
### Sample payload
```json
{
@@ -328,7 +328,7 @@ for more information on the signature types and the corresponding certificates.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -338,7 +338,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/aws/config/certificate/test-cert
```
## Read Certificate Configuration
## Read certificate configuration
Returns the previously configured AWS public key.
@@ -350,7 +350,7 @@ Returns the previously configured AWS public key.
- `cert_name` `(string: <required>)` - Name of the certificate.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -358,7 +358,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/aws/config/certificate/test-cert
```
### Sample Response
### Sample response
```json
{
@@ -369,7 +369,7 @@ $ curl \
}
```
## Delete Certificate Configuration
## Delete certificate configuration
Removes the previously configured AWS public key.
@@ -377,7 +377,7 @@ Removes the previously configured AWS public key.
| :------- | :---------------------------------------- |
| `DELETE` | `/auth/aws/config/certificate/:cert_name` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -386,7 +386,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/aws/config/certificate/test-cert
```
## List Certificate Configurations
## List certificate configurations
Lists all the AWS public certificates that are registered with the method.
@@ -394,7 +394,7 @@ Lists all the AWS public certificates that are registered with the method.
| :----- | :------------------------------ |
| `LIST` | `/auth/aws/config/certificates` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -403,7 +403,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/aws/config/certificates
```
### Sample Response
### Sample response
```json
{
@@ -413,7 +413,7 @@ $ curl \
}
```
## Create STS Role
## Create STS role
Allows the explicit association of STS roles to satellite AWS accounts
(i.e. those which are not the account in which the Vault server is
@@ -433,7 +433,7 @@ when validating IAM principals or EC2 instances in the particular AWS account.
interacting with the account specified. The Vault server must have
permissions to assume this role.
### Sample Payload
### Sample payload
```json
{
@@ -441,7 +441,7 @@ when validating IAM principals or EC2 instances in the particular AWS account.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -451,7 +451,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/aws/config/sts/111122223333
```
## Read STS Role
## Read STS role
Returns the previously configured STS role.
@@ -464,7 +464,7 @@ Returns the previously configured STS role.
- `account_id` `(string: <required>)` - AWS account ID that has been
previously associated with STS role.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -472,7 +472,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/aws/config/sts/111122223333
```
### Sample Response
### Sample response
```json
{
@@ -482,7 +482,7 @@ $ curl \
}
```
## List STS Roles
## List STS roles
Lists all the AWS Account IDs for which an STS role is registered.
@@ -490,7 +490,7 @@ Lists all the AWS Account IDs for which an STS role is registered.
| :----- | :--------------------- |
| `LIST` | `/auth/aws/config/sts` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -499,7 +499,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/aws/config/sts
```
### Sample Response
### Sample response
```json
{
@@ -509,7 +509,7 @@ $ curl \
}
```
## Delete STS Role
## Delete STS role
Deletes a previously configured AWS account/STS role association.
@@ -522,7 +522,7 @@ Deletes a previously configured AWS account/STS role association.
- `account_id` `(string: <required>)` - AWS account ID that has been
previously associated with STS role.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -531,7 +531,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/aws/config/sts/111122223333
```
## Configure Identity Access List Tidy Operation
## Configure identity access list tidy operation
Configures the periodic tidying operation of the access listed identity entries.
@@ -547,7 +547,7 @@ Configures the periodic tidying operation of the access listed identity entries.
- `disable_periodic_tidy` `(bool: false)` - If set to 'true', disables the
periodic tidying of the `identity-accesslist/<instance_id>` entries.
### Sample Payload
### Sample payload
```json
{
@@ -555,7 +555,7 @@ Configures the periodic tidying operation of the access listed identity entries.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -565,7 +565,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/aws/config/tidy/identity-accesslist
```
## Read Identity Access List Tidy Settings
## Read identity access list tidy settings
Returns the previously configured periodic access list tidying settings.
@@ -573,7 +573,7 @@ Returns the previously configured periodic access list tidying settings.
| :----- | :------------------------------------------ |
| `GET` | `/auth/aws/config/tidy/identity-accesslist` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -581,7 +581,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/aws/config/tidy/identity-accesslist
```
### Sample Response
### Sample response
```json
{
@@ -592,7 +592,7 @@ $ curl \
}
```
## Delete Identity Access List Tidy Settings
## Delete identity access list tidy settings
Deletes the previously configured periodic access list tidying settings.
@@ -600,7 +600,7 @@ Deletes the previously configured periodic access list tidying settings.
| :------- | :------------------------------------------ |
| `DELETE` | `/auth/aws/config/tidy/identity-accesslist` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -609,7 +609,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/aws/config/tidy/identity-accesslist
```
## Configure Role Tag Deny List Tidy Operation
## Configure role tag deny list tidy operation
Configures the periodic tidying operation of the deny listed role tag entries.
@@ -625,7 +625,7 @@ Configures the periodic tidying operation of the deny listed role tag entries.
- `disable_periodic_tidy` `(bool: false)` - If set to 'true', disables the
periodic tidying of the `roletag-denylist/<instance_id>` entries.
### Sample Payload
### Sample payload
```json
{
@@ -633,7 +633,7 @@ Configures the periodic tidying operation of the deny listed role tag entries.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -643,7 +643,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/aws/config/tidy/roletag-denylist
```
## Read Role Tag Deny List Tidy Settings
## Read role tag deny list tidy settings
Returns the previously configured periodic deny list tidying settings.
@@ -651,7 +651,7 @@ Returns the previously configured periodic deny list tidying settings.
| :----- | :--------------------------------------- |
| `GET` | `/auth/aws/config/tidy/roletag-denylist` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -659,7 +659,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/aws/config/tidy/roletag-denylist
```
### Sample Response
### Sample response
```json
{
@@ -670,7 +670,7 @@ $ curl \
}
```
## Delete Role Tag Deny List Tidy Settings
## Delete role tag deny list tidy settings
Deletes the previously configured periodic deny list tidying settings.
@@ -678,7 +678,7 @@ Deletes the previously configured periodic deny list tidying settings.
| :------- | :--------------------------------------- |
| `DELETE` | `/auth/aws/config/tidy/roletag-denylist` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -687,7 +687,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/aws/config/tidy/roletag-denylist
```
## Create/Update Role
## Create/Update role
Registers a role in the method. Only those instances or principals which
are using the role registered using this endpoint, will be able to perform
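Review bot: same inconsistency as the AliCloud page: "Create/Update role" keeps a capital after the slash. Should be "Create/update role".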
@@ -840,7 +840,7 @@ list in order to satisfy that constraint.
@include 'tokenfields.mdx'
### Sample Payload
### Sample payload
```json
{
@@ -854,7 +854,7 @@ list in order to satisfy that constraint.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -864,7 +864,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/aws/role/dev-role
```
## Read Role
## Read role
Returns the previously registered role configuration.
@@ -876,7 +876,7 @@ Returns the previously registered role configuration.
- `role` `(string: <required>)` - Name of the role.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -884,7 +884,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/aws/role/dev-role
```
### Sample Response
### Sample response
```json
{
@@ -899,7 +899,7 @@ $ curl \
}
```
## List Roles
## List roles
Lists all the roles that are registered with the method.
@@ -907,7 +907,7 @@ Lists all the roles that are registered with the method.
| :----- | :---------------- |
| `LIST` | `/auth/aws/roles` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -916,7 +916,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/aws/roles
```
### Sample Response
### Sample response
```json
{
@@ -926,7 +926,7 @@ $ curl \
}
```
## Delete Role
## Delete role
Deletes the previously registered role.
@@ -938,7 +938,7 @@ Deletes the previously registered role.
- `role` `(string: <required>)` - Name of the role.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -947,7 +947,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/aws/role/dev-role
```
## Create Role Tags
## Create role tags
Creates a role tag on the role, which help in restricting the capabilities
that are set on the role. Role tags are not tied to any specific ec2
@@ -989,7 +989,7 @@ given instance can be allowed to gain in a worst-case scenario.
auth/aws/identity-accesslist endpoint. Defaults to 'false'. Mutually exclusive
with `allow_instance_migration`.
### Sample Payload
### Sample payload
```json
{
@@ -997,7 +997,7 @@ given instance can be allowed to gain in a worst-case scenario.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -1007,7 +1007,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/aws/role/dev-api-and-web-role/tag
```
### Sample Response
### Sample response
```json
{
@@ -1095,13 +1095,13 @@ for more information on the signature types.
its value must match the value configured, and the header must be included in
the signed headers. This is required when using the iam auth method.
### Sample Payload
### Sample payload
```json
{}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -1110,7 +1110,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/aws/login
```
### Sample Response
### Sample response
```json
{
@@ -1131,7 +1131,7 @@ $ curl \
}
```
## Place Role Tags in Deny List
## Place role tags in deny list
Places a valid role tag in a deny list. This ensures that the role tag
cannot be used by any instance to perform a login operation again. Note
@@ -1149,7 +1149,7 @@ token.
created. The tag can be supplied as-is. In order to avoid any encoding problems, it can be base64
encoded.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -1158,7 +1158,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/aws/roletag-denylist/djE6MDlWcDBxR3V5Qjg9OmE9YW1pLWZjZTNjNjk2OnA9ZGVmYXVsdCxwcm9kOmQ9ZmFsc2U6dD0zMDBoMG0wczp1UExLQ1F4cXNlZlJocnAxcW1WYTF3c1FWVVhYSkc4VVpQLwo=
```
### Read Role Tag Deny List Information
### Read role tag deny list information
Returns the deny list entry of a previously deny listed role tag.
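Review bot: "### Read role tag deny list information" is a level-3 heading while the sibling endpoint sections ("## Place role tags in deny list", "## List deny list tags") are level 2, so this endpoint renders as a sub-section of the deny-list write endpoint. Should be "## Read role tag deny list information".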
@@ -1172,7 +1172,7 @@ Returns the deny list entry of a previously deny listed role tag.
supplied as-is. In order to avoid any encoding problems, it can be base64
encoded.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -1180,7 +1180,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/aws/roletag-denylist/djE6MDlWcDBxR3V5Qjg9OmE9YW1pLWZjZTNjNjk2OnA9ZGVmYXVsdCxwcm9kOmQ9ZmFsc2U6dD0zMDBoMG0wczp1UExLQ1F4cXNlZlJocnAxcW1WYTF3c1FWVVhYSkc4VVpQLwo=
```
### Sample Response
### Sample response
```json
{
@@ -1191,7 +1191,7 @@ $ curl \
}
```
## List Deny List Tags
## List deny list tags
Lists all the role tags that are deny listed.
@@ -1199,7 +1199,7 @@ Lists all the role tags that are deny listed.
| :----- | :--------------------------- |
| `LIST` | `/auth/aws/roletag-denylist` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -1208,7 +1208,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/aws/roletag-denylist
```
### Sample Response
### Sample response
```json
{
@@ -1220,7 +1220,7 @@ $ curl \
}
```
## Delete Deny List Tags
## Delete deny list tags
Deletes a deny listed role tag.
@@ -1234,7 +1234,7 @@ Deletes a deny listed role tag.
supplied as-is. In order to avoid any encoding problems, it can be base64
encoded.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -1243,7 +1243,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/aws/roletag-denylist/djE6MDlWcDBxR3V5Qjg9OmE9YW1pLWZjZTNjNjk2OnA9ZGVmYXVsdCxwcm9kOmQ9ZmFsc2U6dD0zMDBoMG0wczp1UExLQ1F4cXNlZlJocnAxcW1WYTF3c1FWVVhYSkc4VVpQLwo=
```
## Tidy Deny List Tags
## Tidy deny list tags
Cleans up the entries in the deny listed based on expiration time on the entry and
`safety_buffer`.
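Review bot: the context line "Cleans up the entries in the deny listed based on expiration time" should read "in the deny list based on expiration time"; a one-word fix while this heading is being edited.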
@@ -1258,7 +1258,7 @@ Cleans up the entries in the deny listed based on expiration time on the entry a
passed beyond the `roletag` expiration, before it is removed from the method
storage. Defaults to 72h.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -1267,7 +1267,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/aws/tidy/roletag-denylist
```
### Read Identity Access List Information
### Read identity access list information
Returns an entry in the identity access list. An entry will be created/updated by every
successful login.
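Review bot: same heading-level problem as "Read role tag deny list information": this is `###` while "## List identity access list entries" below it is `##`. Should be "## Read identity access list information".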
@@ -1282,7 +1282,7 @@ successful login.
operation from an EC2 instance gets cached in th access list, keyed off of
instance ID.
### Sample Request
### Sample request
```shell-session
$ curl \
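Review bot: typo in the context line "gets cached in th access list" (should be "the access list"); the equivalent description under "Delete identity access list entries" reads "cached in this access list", so the two descriptions should also be made consistent.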
@@ -1290,7 +1290,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/aws/identity-accesslist/i-aab47d37
```
### Sample Response
### Sample response
```json
{
@@ -1304,7 +1304,7 @@ $ curl \
}
```
## List Identity Access List Entries
## List identity access list entries
Lists all the instance IDs that are in the access list of successful logins.
@@ -1312,7 +1312,7 @@ Lists all the instance IDs that are in the access list of successful logins.
| :----- | :------------------------------ |
| `LIST` | `/auth/aws/identity-accesslist` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -1321,7 +1321,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/aws/identity-accesslist
```
### Sample Response
### Sample response
```json
{
@@ -1331,7 +1331,7 @@ $ curl \
}
```
## Delete Identity Access List Entries
## Delete identity access list entries
Deletes a cache of the successful login from an instance.
@@ -1345,7 +1345,7 @@ Deletes a cache of the successful login from an instance.
operation from an EC2 instance gets cached in this access list, keyed off of
instance ID.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -1354,7 +1354,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/aws/identity-accesslist/i-aab47d37
```
## Tidy Identity Access List Entries
## Tidy identity access list entries
Cleans up the entries in the access list based on expiration time and
`safety_buffer`.
@@ -1369,7 +1369,7 @@ Cleans up the entries in the access list based on expiration time and
passed beyond the `roletag` expiration, before it is removed from the method
storage. Defaults to 72h.
### Sample Request
### Sample request
```shell-session
$ curl \

View File

@@ -6,7 +6,7 @@ description: |-
method plugin.
---
# Azure Auth Method (API)
# Azure auth method (API)
This is the API documentation for the Vault Azure auth method
plugin. To learn more about the usage and operation, see the
@@ -42,7 +42,7 @@ virtual machine.
- `client_secret` `(string: '')` - The client secret for credentials to query the Azure APIs.
This value can also be provided with the `AZURE_CLIENT_SECRET` environment variable.
### Sample Payload
### Sample payload
```json
{
@@ -53,7 +53,7 @@ virtual machine.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -63,7 +63,7 @@ $ curl \
https://127.0.0.1:8200/v1/auth/azure/config
```
# Read Config
# Read config
Returns the previously configured config, including credentials.
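Review bot: `# Read config` is an H1 while every other endpoint in this file ("## Delete config", "## Rotate root", "## Create/Update role") is an H2, so the page ends up with two top-level titles. Suggest `## Read config` here.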
@@ -71,7 +71,7 @@ Returns the previously configured config, including credentials.
| :----- | :------------------- |
| `GET` | `/auth/azure/config` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -79,7 +79,7 @@ $ curl \
https://127.0.0.1:8200/v1/auth/azure/config
```
### Sample Response
### Sample response
```json
{
@@ -94,7 +94,7 @@ $ curl \
```
## Delete Config
## Delete config
Deletes the previously configured Azure config and credentials.
@@ -102,7 +102,7 @@ Deletes the previously configured Azure config and credentials.
| :------- | :------------------- |
| `DELETE` | `/auth/azure/config` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -111,7 +111,7 @@ $ curl \
https://127.0.0.1:8200/v1/auth/azure/config
```
## Rotate Root
## Rotate root
This endpoint generates a new client secret for the root account defined in the config. The
value generated will only be known by Vault.
@@ -124,7 +124,7 @@ value generated will only be known by Vault.
There are no parameters to this operation.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -133,7 +133,7 @@ $ curl \
https://127.0.0.1:8200/v1/auth/azure/rotate-root
```
## Create/Update Role
## Create/Update role
Registers a role in the method. Role types have specific entities
that can perform login operations against this endpoint. Constraints specific
@@ -161,7 +161,7 @@ entities attempting to login.
@include 'tokenfields.mdx'
### Sample Payload
### Sample payload
```json
{
@@ -172,7 +172,7 @@ entities attempting to login.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -182,7 +182,7 @@ $ curl \
https://127.0.0.1:8200/v1/auth/azure/role/dev-role
```
## Read Role
## Read role
Returns the previously registered role configuration.
@@ -194,7 +194,7 @@ Returns the previously registered role configuration.
- `name` `(string: <required>)` - Name of the role.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -202,7 +202,7 @@ $ curl \
https://127.0.0.1:8200/v1/auth/azure/role/dev-role
```
### Sample Response
### Sample response
```json
{
@@ -225,7 +225,7 @@ $ curl \
```
## List Roles
## List roles
Lists all the roles that are registered with the plugin.
@@ -233,7 +233,7 @@ Lists all the roles that are registered with the plugin.
| :----- | :----------------- |
| `LIST` | `/auth/azure/role` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -242,7 +242,7 @@ $ curl \
https://127.0.0.1:8200/v1/auth/azure/role
```
### Sample Response
### Sample response
```json
{
@@ -256,7 +256,7 @@ $ curl \
}
```
## Delete Role
## Delete role
Deletes the previously registered role.
@@ -268,7 +268,7 @@ Deletes the previously registered role.
- `name` `(string: <required>)` - Name of the role.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -287,7 +287,7 @@ entity and then authorizes the entity for the given role.
| :----- | :------------------ |
| `POST` | `/auth/azure/login` |
### Sample Payload
### Sample payload
- `role` `(string: <required>)` - Name of the role against which the login is being
attempted.
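Review bot: the `### Sample payload` heading in this hunk sits directly above a parameter list (`- \`role\` \`(string: <required>)\` - Name of the role ...`), and a second `### Sample payload` heading follows the list for the actual JSON. The first one looks like it should be `### Parameters`, matching the other endpoint sections in this file; the case fix alone leaves the duplicate heading in place.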
@@ -311,7 +311,7 @@ entity and then authorizes the entity for the given role.
the format /subscriptions/{guid}/resourceGroups/{resource-group-name}/{resource-provider-namespace}/{resource-type}/{resource-name}.
If `vm_name` or `vmss_name` is provided, this value is ignored.
### Sample Payload
### Sample payload
```json
{
@@ -320,7 +320,7 @@ entity and then authorizes the entity for the given role.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -329,7 +329,7 @@ $ curl \
https://127.0.0.1:8200/v1/auth/azure/login
```
### Sample Response
### Sample response
```json
{

View File

@@ -6,7 +6,7 @@ description: |-
method.
---
# TLS Certificate Auth Method (API)
# TLS certificate auth method (API)
@include 'x509-sha1-deprecation.mdx'
@@ -18,7 +18,7 @@ This documentation assumes the TLS Certificate method is mounted at the
`/auth/cert` path in Vault. Since it is possible to enable auth methods at any
location, please update your API calls accordingly.
## Create CA Certificate Role
## Create CA certificate role
Sets a CA cert and associated parameters in a role name.
@@ -90,7 +90,7 @@ Sets a CA cert and associated parameters in a role name.
@include 'tokenfields.mdx'
### Sample Payload
### Sample payload
```json
{
@@ -100,7 +100,7 @@ Sets a CA cert and associated parameters in a role name.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -111,7 +111,7 @@ $ curl \
https://127.0.0.1:8200/v1/auth/cert/certs/test-ca
```
## Read CA Certificate Role
## Read CA certificate role
Gets information associated with the named role.
@@ -123,7 +123,7 @@ Gets information associated with the named role.
- `name` `(string: <required>)` - The name of the certificate role.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -132,7 +132,7 @@ $ curl \
https://127.0.0.1:8200/v1/auth/cert/certs/test-ca
```
### Sample Response
### Sample response
```json
{
@@ -154,7 +154,7 @@ $ curl \
}
```
## List Certificate Roles
## List certificate roles
Lists configured certificate names.
@@ -162,7 +162,7 @@ Lists configured certificate names.
| :----- | :----------------- |
| `LIST` | `/auth/cert/certs` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -172,7 +172,7 @@ $ curl \
https://127.0.0.1:8200/v1/auth/cert/certs
```
### Sample Response
### Sample response
```json
{
@@ -188,7 +188,7 @@ $ curl \
}
```
## Delete Certificate Role
## Delete certificate role
Deletes the named role and CA cert from the method mount.
@@ -200,7 +200,7 @@ Deletes the named role and CA cert from the method mount.
- `name` `(string: <required>)` - The name of the certificate role.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -218,7 +218,7 @@ Lists configured certificate revocation lists.
| :----- | :---------------- |
| `LIST` | `/auth/cert/crls` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -228,7 +228,7 @@ $ curl \
https://127.0.0.1:8200/v1/auth/cert/crls
```
### Sample Response
### Sample response
```json
{
@@ -257,7 +257,7 @@ Sets a named CRL.
- `name` `(string: <required>)` - The name of the CRL.
- `crl` `(string: <required>)` - The PEM format CRL.
### Sample Payload
### Sample payload
```json
{
@@ -265,7 +265,7 @@ Sets a named CRL.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -290,7 +290,7 @@ arbitrary size, these are returned as strings.
- `name` `(string: <required>)` - The name of the CRL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -299,7 +299,7 @@ $ curl \
https://127.0.0.1:8200/v1/auth/cert/crls/custom-crl
```
### Sample Response
### Sample response
```json
{
@@ -328,7 +328,7 @@ Deletes the named CRL from the auth method mount.
- `name` `(string: <required>)` - The name of the CRL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -338,7 +338,7 @@ $ curl \
https://127.0.0.1:8200/v1/auth/cert/crls/cert1
```
## Configure TLS Certificate Method
## Configure TLS certificate method
Configuration options for the method.
@@ -357,7 +357,7 @@ Configuration options for the method.
- `ocsp_cache_size` `(int: 100)` - The size of the OCSP response LRU cache. Note
that this cache is used for all configured certificates.
### Sample Payload
### Sample payload
```json
{
@@ -365,7 +365,7 @@ Configuration options for the method.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -376,7 +376,7 @@ $ curl \
https://127.0.0.1:8200/v1/auth/cert/certs/cert1
```
## Login with TLS Certificate Method
## Login with TLS certificate method
Log in and fetch a token. If there is a valid chain to a CA configured in the
method and all role constraints are matched, a token will be issued. If the
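Review bot: the sample request under "Configure TLS certificate method" posts to `https://127.0.0.1:8200/v1/auth/cert/certs/cert1`, which is the per-role path used by the "Create CA certificate role" examples above (`/v1/auth/cert/certs/test-ca`), not the method configuration path (`/auth/cert/config`). Please check this URL against the endpoint table for that section; as written a reader following the example would overwrite a certificate role instead of setting the method config.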
@@ -395,7 +395,7 @@ https://tools.ietf.org/html/rfc6125#section-2.3)
returning its policy list if successful. If not set, defaults to trying all
certificate roles and returning any one that matches.
### Sample Payload
### Sample payload
```json
{
@@ -403,7 +403,7 @@ https://tools.ietf.org/html/rfc6125#section-2.3)
}
```
### Sample Request
### Sample request
~> **NOTE** The `--cacert` value used here is for the Vault TLS Listener CA
certificate, not the CA that issued the client authentication certificate. This
@@ -420,7 +420,7 @@ $ curl \
https://127.0.0.1:8200/v1/auth/cert/login
```
### Sample Response
### Sample response
```json
{

View File

@@ -4,7 +4,7 @@ page_title: Cloud Foundry - Auth Methods - HTTP API
description: This is the API documentation for the Vault Cloud Foundry auth method.
---
# Pivotal Cloud Foundry (CF) Auth Method (API)
# Pivotal Cloud Foundry (CF) auth method (API)
@include 'x509-sha1-deprecation.mdx'
@@ -16,7 +16,7 @@ This documentation assumes the CF method is mounted at the `/auth/cf`
path in Vault. Since it is possible to enable auth methods at any location,
please update your API calls accordingly.
## Create Configuration
## Create configuration
Configure the root CA certificate to be used for verifying instance identity
certificates, and configure access to the CF API. For detailed instructions
@@ -47,7 +47,7 @@ documentation](/vault/docs/auth/cf).
seconds in the future when a signature could have been created. The lower the value,
the lower the risk of replay attacks.
### Sample Payload
### Sample payload
```json
{
@@ -65,7 +65,7 @@ documentation](/vault/docs/auth/cf).
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -75,7 +75,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/cf/config
```
## Read Config
## Read config
Returns the present CF configuration.
@@ -83,7 +83,7 @@ Returns the present CF configuration.
| :----- | ----------------- |
| `GET` | `/auth/cf/config` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -91,7 +91,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/cf/config
```
### Sample Response
### Sample response
```json
{
@@ -108,7 +108,7 @@ $ curl \
}
```
## Delete Config
## Delete config
Deletes the present CF configuration.
@@ -116,7 +116,7 @@ Deletes the present CF configuration.
| :------- | ----------------- |
| `DELETE` | `/auth/cf/config` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -125,7 +125,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/cf/config
```
## Create/Update Role
## Create/Update role
Create a role in Vault granting a particular level of access to a particular group
of CF instances. We recommend using the CF API or the CF CLI to gain the IDs you
@@ -160,7 +160,7 @@ will be able to authenticate against this role.
@include 'tokenfields.mdx'
### Sample Payload
### Sample payload
```json
{
@@ -176,7 +176,7 @@ will be able to authenticate against this role.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -186,7 +186,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/cf/roles/:role
```
## Read Role
## Read role
Returns a CF role.
@@ -194,7 +194,7 @@ Returns a CF role.
| :----- | ---------------------- |
| `GET` | `/auth/cf/roles/:role` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -202,7 +202,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/cf/roles/:role
```
### Sample Response
### Sample response
```json
{
@@ -218,7 +218,7 @@ $ curl \
}
```
## Delete Role
## Delete role
Deletes a CF role.
@@ -226,7 +226,7 @@ Deletes a CF role.
| :------- | ---------------------- |
| `DELETE` | `/auth/cf/roles/:role` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -235,7 +235,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/cf/roles/:role
```
## List Roles
## List roles
Returns a CF role.
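Review bot: the description under `## List roles` reads "Returns a CF role.", copied from the "Read role" section above. It should describe the list operation, e.g. "Lists the CF roles registered with the method.", consistent with "Lists all the roles that are registered with the plugin." used on the other auth method pages in this commit.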
@@ -243,7 +243,7 @@ Returns a CF role.
| :----- | ---------------- |
| `LIST` | `/auth/cf/roles` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -252,7 +252,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/cf/roles
```
### Sample Response
### Sample response
```json
{
@@ -302,7 +302,7 @@ rsa.SignPSS(rand.Reader, rsaPrivateKey, crypto.SHA256, checksum, nil)
- `signature` `(string: required)` - The signature generated by the algorithm described
above using the `CF_INSTANCE_KEY`.
### Sample Payload
### Sample payload
```json
{
@@ -313,7 +313,7 @@ rsa.SignPSS(rand.Reader, rsaPrivateKey, crypto.SHA256, checksum, nil)
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -323,7 +323,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/cf/login
```
### Sample Response
### Sample response
```json
{

View File

@@ -6,7 +6,7 @@ description: |-
method.
---
# Google Cloud Auth Method (API)
# Google Cloud auth method (API)
This is the API documentation for the Vault Google Cloud auth method. To learn
more about the usage and operation, see the
@@ -81,7 +81,7 @@ to confirm signed JWTs passed in during login.
The endpoint value provided for a given key has the form of `scheme://host:port`.
The `scheme://` and `:port` portions of the endpoint value are optional.
### Sample Payload
### Sample payload
```json
{
@@ -89,7 +89,7 @@ to confirm signed JWTs passed in during login.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -99,7 +99,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/gcp/config
```
## Read Config
## Read config
Returns the configuration, if any, including credentials.
@@ -107,7 +107,7 @@ Returns the configuration, if any, including credentials.
| :----- | :----------------- |
| `GET` | `/auth/gcp/config` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -115,7 +115,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/gcp/config
```
### Sample Response
### Sample response
```json
{
@@ -128,7 +128,7 @@ $ curl \
}
```
## Create/Update Role
## Create/Update role
Registers a role in the method. Role types have specific entities
that can perform login operations against this endpoint. Constraints specific
@@ -164,7 +164,7 @@ entities attempting to login.
@include 'tokenfields.mdx'
#### `iam`-only Parameters
#### `iam`-only parameters
The following parameters are only valid when the role is of type `"iam"`:
@@ -179,7 +179,7 @@ The following parameters are only valid when the role is of type `"iam"`:
allow GCE instances to authenticate by inferring service accounts from the
GCE identity metadata token.
#### `gce`-only Parameters
#### `gce`-only parameters
The following parameters are only valid when the role is of type `"gce"`:
@@ -201,7 +201,7 @@ The following parameters are only valid when the role is of type `"gce"`:
GCP labels are not currently ACL'd, we recommend that this be used in
conjunction with other restrictions.
### Sample Payload
### Sample payload
Example `iam` role:
@@ -231,7 +231,7 @@ Example `gce` role:
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -241,7 +241,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/gcp/role/my-role
```
## Edit Service Accounts on IAM Role
## Edit service accounts on IAM role
Edit service accounts for an existing IAM role in the method.
This allows you to add or remove service accounts from the list of
@@ -262,7 +262,7 @@ service accounts on the role.
- `remove` `(array: [])` - The list of service accounts to remove from the
role's service accounts.
### Sample Payload
### Sample payload
```json
{
@@ -271,7 +271,7 @@ service accounts on the role.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -281,7 +281,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/gcp/role/my-role
```
## Edit Labels on GCE Role
## Edit labels on GCE role
Edit labels for an existing GCE role in the backend. This allows you to add or
remove labels (keys, values, or both) from the list of keys on the role.
@@ -302,7 +302,7 @@ remove labels (keys, values, or both) from the list of keys on the role.
bound labels. If any of the specified keys do not exist, no error is returned
(idempotent).
### Sample Payload
### Sample payload
```json
{
@@ -311,7 +311,7 @@ remove labels (keys, values, or both) from the list of keys on the role.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -321,7 +321,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/gcp/role/my-role
```
## Read Role
## Read role
Returns the previously registered role configuration.
@@ -333,7 +333,7 @@ Returns the previously registered role configuration.
- `name` `(string: <required>)` - The name of the role to read.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -341,7 +341,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/gcp/role/my-role
```
### Sample Response
### Sample response
```json
{
@@ -364,7 +364,7 @@ $ curl \
}
```
## List Roles
## List roles
Lists all the roles that are registered with the plugin.
@@ -372,7 +372,7 @@ Lists all the roles that are registered with the plugin.
| :----- | :---------------- |
| `LIST` | `/auth/gcp/roles` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -381,7 +381,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/gcp/roles
```
### Sample Response
### Sample response
```json
{
@@ -391,7 +391,7 @@ $ curl \
}
```
## Delete Role
## Delete role
Deletes the previously registered role.
@@ -403,7 +403,7 @@ Deletes the previously registered role.
- `role` `(string: <required>)` - The name of the role to delete.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -423,7 +423,7 @@ role.
| :----- | :---------------- |
| `POST` | `/auth/gcp/login` |
### Sample Payload
### Sample payload
- `role` `(string: <required>)` - The name of the role against which the login
is being attempted.
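Review bot: same issue as the Azure login section: this `### Sample payload` heading is followed by the parameter list (`- \`role\` \`(string: <required>)\` - The name of the role against which the login ...`) and a second `### Sample payload` heading precedes the JSON further down. The first should be `### Parameters`.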
@@ -435,7 +435,7 @@ role.
- For `gce` type roles, this is an [identity metadata token][instance-token].
### Sample Payload
### Sample payload
```json
{
@@ -444,7 +444,7 @@ role.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -453,7 +453,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/gcp/login
```
### Sample Response
### Sample response
```json
{

View File

@@ -4,7 +4,7 @@ page_title: GitHub - Auth Methods - HTTP API
description: This is the API documentation for the Vault GitHub auth method.
---
# GitHub Auth Method (API)
# GitHub auth method (API)
This is the API documentation for the Vault GitHub auth method. For
general information about the usage and operation of the GitHub method, please
@@ -14,7 +14,7 @@ This documentation assumes the GitHub method is enabled at the `/auth/github`
path in Vault. Since it is possible to enable auth methods at any location,
please update your API calls accordingly.
## Configure Method
## Configure method
Configures the connection parameters for GitHub. This path honors the
distinction between the `create` and `update` capabilities inside ACL policies.
@@ -40,7 +40,7 @@ distinction between the `create` and `update` capabilities inside ACL policies.
@include 'tokenfields.mdx'
### Sample Payload
### Sample payload
```json
{
@@ -48,7 +48,7 @@ distinction between the `create` and `update` capabilities inside ACL policies.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -58,7 +58,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/github/config
```
## Read Configuration
## Read configuration
Reads the GitHub configuration.
@@ -66,7 +66,7 @@ Reads the GitHub configuration.
| :----- | :-------------------- |
| `GET` | `/auth/github/config` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -74,7 +74,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/github/config
```
### Sample Response
### Sample response
```json
{
@@ -92,7 +92,7 @@ $ curl \
}
```
## Map GitHub Teams
## Map GitHub teams
Map a list of policies to a team that exists in the configured GitHub organization.
@@ -105,7 +105,7 @@ Map a list of policies to a team that exists in the configured GitHub organizati
- `team_name` `(string)` - GitHub team name in "slugified" format
- `value` `(string)` - Comma separated list of policies to assign
### Sample Payload
### Sample payload
```json
{
@@ -113,7 +113,7 @@ Map a list of policies to a team that exists in the configured GitHub organizati
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -123,7 +123,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/github/map/teams/dev
```
## Read Team Mapping
## Read team mapping
Reads the GitHub team policy mapping.
@@ -131,7 +131,7 @@ Reads the GitHub team policy mapping.
| :----- | :---------------------------------- |
| `GET` | `/auth/github/map/teams/:team_name` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -139,7 +139,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/github/map/teams/dev
```
### Sample Response
### Sample response
```json
{
@@ -157,7 +157,7 @@ $ curl \
}
```
## Map GitHub Users
## Map GitHub users
Map a list of policies to a specific GitHub user exists in the configured
organization.
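Review bot: the context sentence "Map a list of policies to a specific GitHub user exists in the configured organization." is missing a relative pronoun; it should read "a specific GitHub user that exists in the configured organization", mirroring the teams section ("to a team that exists in the configured GitHub organization").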
@@ -171,7 +171,7 @@ organization.
- `user_name` `(string)` - GitHub user name
- `value` `(string)` - Comma separated list of policies to assign
### Sample Payload
### Sample payload
```json
{
@@ -179,7 +179,7 @@ organization.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -192,7 +192,7 @@ $ curl \
The user with username `sethvargo` will be assigned the `sethvargo-policy`
policy **in addition to** any team policies.
## Read User Mapping
## Read user mapping
Reads the GitHub user policy mapping.
@@ -200,7 +200,7 @@ Reads the GitHub user policy mapping.
| :----- | :---------------------------------- |
| `GET` | `/auth/github/map/users/:user_name` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -208,7 +208,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/github/map/users/sethvargo
```
### Sample Response
### Sample response
```json
{
@@ -238,7 +238,7 @@ Login using GitHub access token.
- `token` `(string: <required>)` - GitHub personal API token.
### Sample Payload
### Sample payload
```json
{
@@ -246,7 +246,7 @@ Login using GitHub access token.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -254,7 +254,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/github/login
```
### Sample Response
### Sample response
```javascript
{
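Review bot: the sample response in this hunk is fenced as ```javascript while every other sample response in this file and the rest of the commit uses ```json. Suggest switching to ```json for consistent highlighting, unless the body contains non-JSON syntax (comments, trailing commas) that the JSON highlighter rejects.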

View File

@@ -6,7 +6,7 @@ description: |-
These endpoints are documented in this section.
---
# Auth Methods
# Auth methods
Each auth method publishes its own set of API paths and methods. These endpoints
are documented in this section. Auth methods are enabled at a path, but the

View File

@@ -6,7 +6,7 @@ description: |-
method plugin.
---
# JWT/OIDC Auth Method (API)
# JWT/OIDC auth method (API)
@include 'x509-sha1-deprecation.mdx'
@@ -46,7 +46,7 @@ set.
- `provider_config` `(map: <optional>)` - Configuration options for provider-specific handling. Providers with specific handling include: Azure, Google, SecureAuth, IBM ISAM. The options are described in each provider's section in [OIDC Provider Setup](/vault/docs/auth/jwt/oidc-providers).
- `namespace_in_state` `(bool: true)` - Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs.
### Sample Payload
### Sample payload
```json
{
@@ -55,7 +55,7 @@ set.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -65,7 +65,7 @@ $ curl \
https://127.0.0.1:8200/v1/auth/jwt/config
```
# Read Config
# Read config
Returns the previously configured config.
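Review bot: as in the Azure file, `# Read config` is an H1 while the surrounding endpoints ("## Create/Update role", "## Read role") are H2. Suggest `## Read config` so the section nests under the page title.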
@@ -73,7 +73,7 @@ Returns the previously configured config.
| :----- | :----------------- |
| `GET` | `/auth/jwt/config` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -81,7 +81,7 @@ $ curl \
https://127.0.0.1:8200/v1/auth/jwt/config
```
### Sample Response
### Sample response
```json
{
@@ -95,7 +95,7 @@ $ curl \
}
```
## Create/Update Role
## Create/Update role
Registers a role in the method. Role types have specific entities
that can perform login operations against this endpoint. Constraints specific
@@ -163,7 +163,7 @@ entities attempting to login. At least one of the bound values must be set.
@include 'tokenfields.mdx'
### Sample Payload
### Sample payload
```json
{
@@ -183,7 +183,7 @@ entities attempting to login. At least one of the bound values must be set.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -193,7 +193,7 @@ $ curl \
https://127.0.0.1:8200/v1/auth/jwt/role/dev-role
```
## Read Role
## Read role
Returns the previously registered role configuration.
@@ -205,7 +205,7 @@ Returns the previously registered role configuration.
- `name` `(string: <required>)` - Name of the role.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -213,7 +213,7 @@ $ curl \
https://127.0.0.1:8200/v1/auth/jwt/role/dev-role
```
### Sample Response
### Sample response
```json
{
@@ -239,7 +239,7 @@ $ curl \
```
## List Roles
## List roles
Lists all the roles that are registered with the plugin.
@@ -247,7 +247,7 @@ Lists all the roles that are registered with the plugin.
| :----- | :--------------- |
| `LIST` | `/auth/jwt/role` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -256,7 +256,7 @@ $ curl \
https://127.0.0.1:8200/v1/auth/jwt/role
```
### Sample Response
### Sample response
```json
{
@@ -270,7 +270,7 @@ $ curl \
}
```
## Delete Role
## Delete role
Deletes the previously registered role.
@@ -282,7 +282,7 @@ Deletes the previously registered role.
- `name` `(string: <required>)` - Name of the role.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -291,7 +291,7 @@ $ curl \
https://127.0.0.1:8200/v1/auth/jwt/role/dev-role
```
## OIDC Authorization URL Request
## OIDC authorization URL request
Obtain an authorization URL from Vault to start an OIDC login flow.
@@ -311,7 +311,7 @@ Obtain an authorization URL from Vault to start an OIDC login flow.
must match the `client_nonce` value provided during a subsequent request to the
[callback](/vault/api-docs/auth/jwt#oidc-callback) API.
### Sample Payload
### Sample payload
```json
{
@@ -320,7 +320,7 @@ Obtain an authorization URL from Vault to start an OIDC login flow.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -329,7 +329,7 @@ $ curl \
https://127.0.0.1:8200/v1/auth/jwt/oidc/auth_url
```
### Sample Response
### Sample response
```json
{
@@ -341,7 +341,7 @@ $ curl \
}
```
## OIDC Callback
## OIDC callback
Exchange an authorization code for an OIDC ID Token. The ID token will be further validated
against any bound claims, and if valid a Vault token will be returned.
@@ -362,14 +362,14 @@ against any bound claims, and if valid a Vault token will be returned.
match the `client_nonce` value provided during the prior request to the
[auth_url](/vault/api-docs/auth/jwt#oidc-authorization-url-request) API.
### Sample Request
### Sample request
```shell-session
$ curl \
https://127.0.0.1:8200/v1/auth/jwt/oidc/callback?state=n2kfh3nsl&code=mn2ldl2nv98h2jl&nonce=ni42i2idj2jj
```
### Sample Response
### Sample response
```json
{
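Review bot: the sample request `https://127.0.0.1:8200/v1/auth/jwt/oidc/callback?state=n2kfh3nsl&code=mn2ldl2nv98h2jl&nonce=ni42i2idj2jj` is unquoted in a `shell-session` block, so a shell would treat each `&` as a command separator and send only `?state=n2kfh3nsl`, backgrounding the request. Wrap the URL in single quotes; this is unchanged context, but the example is broken as copied.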
@@ -388,7 +388,7 @@ $ curl \
}
```
## JWT Login
## JWT login
Fetch a token. This endpoint takes a signed JSON Web Token (JWT) and
a role name for some entity. It verifies the JWT signature to authenticate that
@@ -404,7 +404,7 @@ entity and then authorizes the entity for the given role.
attempted. Defaults to configured `default_role` if not provided.
- `jwt` `(string: <required>)` - Signed [JSON Web Token](https://tools.ietf.org/html/rfc7519) (JWT).
### Sample Payload
### Sample payload
```json
{
@@ -413,7 +413,7 @@ entity and then authorizes the entity for the given role.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -422,7 +422,7 @@ $ curl \
https://127.0.0.1:8200/v1/auth/jwt/login
```
### Sample Response
### Sample response
```json
{

View File

@@ -4,7 +4,7 @@ page_title: Kerberos - Auth Methods - HTTP API
description: This is the API documentation for the Vault Kerberos auth method plugin.
---
# Kerberos Auth Method (API)
# Kerberos auth method (API)
@include 'x509-sha1-deprecation.mdx'
@@ -42,7 +42,7 @@ for verifying inbound SPNEGO tokens.
- `add_group_aliases` - When set to true, Vault will add any LDAP groups found for
the user as group aliases.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -52,7 +52,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/kerberos/config
```
### Sample Payload
### Sample payload
```json
{
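Review bot: in this file `### Sample request` precedes `### Sample payload` (here and again under the LDAP configuration section), whereas every other auth method page in this commit shows the payload first and then the request that references it. Consider reordering the two subsections to match.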
@@ -72,7 +72,7 @@ The keytab is not returned because it is sensitive information.
| :----- | :---------------------- |
| `GET` | `/auth/kerberos/config` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -80,7 +80,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/kerberos/config
```
### Sample Response
### Sample response
```json
{
@@ -160,7 +160,7 @@ This endpoint configures LDAP in the Kerberos auth method.
@include 'tokenfields.mdx'
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -170,7 +170,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/kerberos/config/ldap
```
### Sample Payload
### Sample payload
```json
{
@@ -190,7 +190,7 @@ $ curl \
}
```
## Read Kerberos LDAP Configuration
## Read Kerberos LDAP configuration
This endpoint retrieves the LDAP configuration for the Kerberos auth method.
@@ -198,7 +198,7 @@ This endpoint retrieves the LDAP configuration for the Kerberos auth method.
| :----- | :--------------------------- |
| `GET` | `/auth/kerberos/config/ldap` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -206,7 +206,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/kerberos/config/ldap
```
### Sample Response
### Sample response
```json
{
@@ -237,7 +237,7 @@ $ curl \
}
```
## List Kerberos LDAP Groups
## List Kerberos LDAP groups
This endpoint returns a list of existing LDAP groups in the Kerberos auth method.
@@ -245,7 +245,7 @@ This endpoint returns a list of existing LDAP groups in the Kerberos auth method
| :----- | :---------------------- |
| `LIST` | `/auth/kerberos/groups` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -254,7 +254,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/kerberos/groups
```
### Sample Response
### Sample response
```json
{
@@ -270,7 +270,7 @@ $ curl \
}
```
## Read Kerberos LDAP Group
## Read Kerberos LDAP group
This endpoint returns the policies associated with a Kerberos LDAP group.
@@ -282,7 +282,7 @@ This endpoint returns the policies associated with a Kerberos LDAP group.
- `name` `(string: <required>)` The name of the LDAP group.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -290,7 +290,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/kerberos/groups/admins
```
### Sample Response
### Sample response
```json
{
@@ -304,7 +304,7 @@ $ curl \
}
```
## Create/Update Kerberos LDAP Group
## Create/Update Kerberos LDAP group
This endpoint creates or updates LDAP group policies.
@@ -318,7 +318,7 @@ This endpoint creates or updates LDAP group policies.
- `policies` `(string: "")` Comma-separated list of policies associated to the
group.
### Sample Payload
### Sample payload
```json
{
@@ -326,7 +326,7 @@ This endpoint creates or updates LDAP group policies.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -336,7 +336,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/kerberos/groups/admins
```
## Delete Kerberos LDAP Group
## Delete Kerberos LDAP group
This endpoint deletes the LDAP group and policy association.
@@ -348,7 +348,7 @@ This endpoint deletes the LDAP group and policy association.
- `name` `(string: <required>)` The name of the LDAP group.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -400,7 +400,7 @@ sWw
| :----- | :--------------------- |
| `POST` | `/auth/kerberos/login` |
### Sample Request
### Sample request
```shell-session
$ curl \

@@ -4,7 +4,7 @@ page_title: Kubernetes - Auth Methods - HTTP API
description: This is the API documentation for the Vault Kubernetes auth method plugin.
---
# Kubernetes Auth Method (API)
# Kubernetes auth method (API)
@include 'x509-sha1-deprecation.mdx'
@@ -16,7 +16,7 @@ This documentation assumes the Kubernetes method is mounted at the
`/auth/kubernetes` path in Vault. Since it is possible to enable auth methods at
any location, please update your API calls accordingly.
## Configure Method
## Configure method
The Kubernetes auth method validates service account JWTs and verifies their
existence with the Kubernetes TokenReview API. This endpoint configures the
@@ -43,7 +43,7 @@ access the Kubernetes API.
keys.
- `disable_local_ca_jwt` `(bool: false)` - Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod.
### Deprecated Parameters
### Deprecated parameters
-> The following fields have been deprecated and will be removed in a future release:
@@ -63,7 +63,7 @@ behavior may be disabled by setting `disable_local_ca_jwt` to `true`.
When Vault is running in a non-Kubernetes environment, either
`kubernetes_ca_cert` or `pem_keys` must be set by the user.
### Sample Payload
### Sample payload
```json
{
@@ -73,7 +73,7 @@ When Vault is running in a non-Kubernetes environment, either
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -83,7 +83,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/kubernetes/config
```
## Read Config
## Read config
Returns the previously configured config, excluding credentials.
@@ -91,7 +91,7 @@ Returns the previously configured config, excluding credentials.
| :----- | :------------------------ |
| `GET` | `/auth/kubernetes/config` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -99,7 +99,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/kubernetes/config
```
### Sample Response
### Sample response
```json
{
@@ -112,7 +112,7 @@ $ curl \
}
```
## Create/Update Role
## Create/Update role
Registers a role in the auth method. Role types have specific entities
that can perform login operations against this endpoint. Constraints specific
@@ -143,7 +143,7 @@ entities attempting to login.
@include 'tokenfields.mdx'
### Sample Payload
### Sample payload
```json
{
@@ -154,7 +154,7 @@ entities attempting to login.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -164,7 +164,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/kubernetes/role/dev-role
```
## Read Role
## Read role
Returns the previously registered role configuration.
@@ -176,7 +176,7 @@ Returns the previously registered role configuration.
- `name` `(string: <required>)` - Name of the role.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -184,7 +184,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/kubernetes/role/dev-role
```
### Sample Response
### Sample response
```json
{
@@ -199,7 +199,7 @@ $ curl \
}
```
## List Roles
## List roles
Lists all the roles that are registered with the auth method.
@@ -208,7 +208,7 @@ Lists all the roles that are registered with the auth method.
| `LIST` | `/auth/kubernetes/role` |
| `GET` | `/auth/kubernetes/role?list=true` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -217,7 +217,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/kubernetes/role
```
### Sample Response
### Sample response
```json
{
@@ -227,7 +227,7 @@ $ curl \
}
```
## Delete Role
## Delete role
Deletes the previously registered role.
@@ -239,7 +239,7 @@ Deletes the previously registered role.
- `role` `(string: <required>)` - Name of the role.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -266,7 +266,7 @@ entity and then authorizes the entity for the given role.
Token](https://tools.ietf.org/html/rfc7519) (JWT) for authenticating a service
account.
### Sample Payload
### Sample payload
```json
{
@@ -275,7 +275,7 @@ entity and then authorizes the entity for the given role.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -284,7 +284,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/kubernetes/login
```
### Sample Response
### Sample response
```json
{

@@ -4,7 +4,7 @@ page_title: LDAP - Auth Methods - HTTP API
description: This is the API documentation for the Vault LDAP auth method.
---
# LDAP Auth Method (API)
# LDAP auth method (API)
@include 'x509-sha1-deprecation.mdx'
@@ -107,7 +107,7 @@ This endpoint configures the LDAP auth method.
@include 'ldap-auth-userfilter-warning.mdx'
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -117,7 +117,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/ldap/config
```
### Sample Payload
### Sample payload
```json
{
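Review bot: in the LDAP config section the `### Sample request` hunk above comes before this `### Sample payload` hunk, the reverse of the payload-then-request order used by every other endpoint in this commit (Kerberos, Kubernetes, OCI, Okta, RADIUS, token, userpass). The case change itself is fine, but since both headings are being touched here it would be cheap to swap the two blocks so the LDAP page reads like the rest.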
@@ -139,7 +139,7 @@ $ curl \
}
```
## Read LDAP Configuration
## Read LDAP configuration
This endpoint retrieves the LDAP configuration for the auth method.
@@ -147,7 +147,7 @@ This endpoint retrieves the LDAP configuration for the auth method.
| :----- | :------------------ |
| `GET` | `/auth/ldap/config` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -155,7 +155,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/ldap/config
```
### Sample Response
### Sample response
```json
{
@@ -187,7 +187,7 @@ $ curl \
}
```
## List LDAP Groups
## List LDAP groups
This endpoint returns a list of existing groups in the method.
@@ -195,7 +195,7 @@ This endpoint returns a list of existing groups in the method.
| :----- | :------------------ |
| `LIST` | `/auth/ldap/groups` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -204,7 +204,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/ldap/groups
```
### Sample Response
### Sample response
```json
{
@@ -220,7 +220,7 @@ $ curl \
}
```
## Read LDAP Group
## Read LDAP group
This endpoint returns the policies associated with a LDAP group.
@@ -232,7 +232,7 @@ This endpoint returns the policies associated with a LDAP group.
- `name` `(string: <required>)` The name of the LDAP group
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -240,7 +240,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/ldap/groups/admins
```
### Sample Response
### Sample response
```json
{
@@ -257,7 +257,7 @@ $ curl \
}
```
## Create/Update LDAP Group
## Create/Update LDAP group
This endpoint creates or updates LDAP group policies.
@@ -271,7 +271,7 @@ This endpoint creates or updates LDAP group policies.
- `policies` `(string: "")` Comma-separated list of policies associated to the
group.
### Sample Payload
### Sample payload
```json
{
@@ -279,7 +279,7 @@ This endpoint creates or updates LDAP group policies.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -289,7 +289,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/ldap/groups/admins
```
## Delete LDAP Group
## Delete LDAP group
This endpoint deletes the LDAP group and policy association.
@@ -301,7 +301,7 @@ This endpoint deletes the LDAP group and policy association.
- `name` `(string: <required>)` The name of the LDAP group
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -310,7 +310,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/ldap/groups/admins
```
## List LDAP Users
## List LDAP users
This endpoint returns a list of existing users in the method.
@@ -318,7 +318,7 @@ This endpoint returns a list of existing users in the method.
| :----- | :----------------- |
| `LIST` | `/auth/ldap/users` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -327,7 +327,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/ldap/users
```
### Sample Response
### Sample response
```json
{
@@ -343,7 +343,7 @@ $ curl \
}
```
## Read LDAP User
## Read LDAP user
This endpoint returns the policies associated with a LDAP user.
@@ -355,7 +355,7 @@ This endpoint returns the policies associated with a LDAP user.
- `username` `(string: <required>)` The username of the LDAP user
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -363,7 +363,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/ldap/users/mitchellh
```
### Sample Response
### Sample response
```json
{
@@ -381,7 +381,7 @@ $ curl \
}
```
## Create/Update LDAP User
## Create/Update LDAP user
This endpoint creates or updates LDAP users policies and group associations.
@@ -397,7 +397,7 @@ This endpoint creates or updates LDAP users policies and group associations.
- `groups` `(string: "")` Comma-separated list of groups associated to the
user.
### Sample Payload
### Sample payload
```json
{
@@ -405,7 +405,7 @@ This endpoint creates or updates LDAP users policies and group associations.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -415,7 +415,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/ldap/users/mitchellh
```
## Delete LDAP User
## Delete LDAP user
This endpoint deletes the LDAP user and policy association.
@@ -427,7 +427,7 @@ This endpoint deletes the LDAP user and policy association.
- `username` `(string: <required>)` The username of the LDAP user
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -436,7 +436,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/ldap/users/mitchellh
```
## Login with LDAP User
## Login with LDAP user
This endpoint allows you to log in with LDAP credentials
@@ -451,7 +451,7 @@ This endpoint allows you to log in with LDAP credentials
When authenticating with the Vault CLI, i.e. `vault login -method=ldap username=mitchellh`
the password can alternatively be supplied via the `VAULT_LDAP_PASSWORD` environment variable.
### Sample Payload
### Sample payload
```json
{
@@ -459,7 +459,7 @@ the password can alternatively be supplied via the `VAULT_LDAP_PASSWORD` environ
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -468,7 +468,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/ldap/login/mitchellh
```
### Sample Response
### Sample response
```json
{

@@ -4,7 +4,7 @@ page_title: OCI - Auth Methods - HTTP API
description: This is the API documentation for the Vault OCI auth method plugin.
---
# OCI Auth Method (API)
# OCI auth method (API)
This is the API documentation for the Vault OCI auth method plugin. To
learn more about the usage and operation, see the
@@ -14,7 +14,7 @@ This documentation assumes the OCI method is mounted at the
`/auth/oci` path in Vault. Since it is possible to enable auth methods at
any location, please update your API calls accordingly.
## Configure Home Tenancy Method
## Configure home tenancy method
Configure your home tenancy in the Vault, so that only users or instances from your tenancy will be allowed to log into Vault, through the OCI Auth method.
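Review bot: `## Configure home tenancy method` reads as if a "home tenancy method" were being configured, whereas the body says the endpoint sets the method's home tenancy so that only principals from that tenancy can log in; `## Configure home tenancy` would say that more plainly. In the same context line, "OCI Auth method" keeps a capital A (as does "Create a Vault administrator role in the OCI Auth method" further down), which sits oddly next to the newly sentence-cased headings; "OCI auth method" matches the page title introduced in this commit.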
@@ -26,7 +26,7 @@ Configure your home tenancy in the Vault, so that only users or instances from y
- `home_tenancy_id` `(string: <required>)` - The Tenancy OCID of your OCI account.
### Sample Payload
### Sample payload
```json
{
@@ -34,7 +34,7 @@ Configure your home tenancy in the Vault, so that only users or instances from y
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -44,7 +44,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/oci/config
```
## Read Config
## Read config
Returns the previously configured config.
@@ -52,7 +52,7 @@ Returns the previously configured config.
| :----- | :----------------- |
| `GET` | `/auth/oci/config` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -60,7 +60,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/oci/config
```
### Sample Response
### Sample response
```json
{
@@ -70,7 +70,7 @@ $ curl \
}
```
## Create/Update Role
## Create/Update role
Create a Vault administrator role in the OCI Auth method.
@@ -85,7 +85,7 @@ Create a Vault administrator role in the OCI Auth method.
@include 'tokenfields.mdx'
### Sample Payload
### Sample payload
```json
{
@@ -95,7 +95,7 @@ Create a Vault administrator role in the OCI Auth method.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -105,7 +105,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/oci/role/devrole
```
## Read Role
## Read role
Returns the previously registered role configuration.
@@ -117,7 +117,7 @@ Returns the previously registered role configuration.
- `name` `(string: <required>)` - Name of the role.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -125,7 +125,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/oci/role/devrole
```
### Sample Response
### Sample response
```json
{
@@ -140,7 +140,7 @@ $ curl \
}
```
## List Roles
## List roles
Lists all the roles that are registered with the auth method.
@@ -149,7 +149,7 @@ Lists all the roles that are registered with the auth method.
| `LIST` | `/auth/oci/role` |
| `GET` | `/auth/oci/role?list=true` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -158,7 +158,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/oci/role
```
### Sample Response
### Sample response
```json
{
@@ -168,7 +168,7 @@ $ curl \
}
```
## Delete Role
## Delete role
Deletes the previously registered role.
@@ -180,7 +180,7 @@ Deletes the previously registered role.
- `role` `(string: <required>)` - Name of the role.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -204,7 +204,7 @@ entity and then authorizes the entity for the given role.
- `role` `(string: <required>)` - Name of the role against which the login is being attempted.
- `request_headers` `(list: [])` - Signed request headers for authenticating. For details on signing, see [signing the request](https://docs.cloud.oracle.com/iaas/Content/API/Concepts/signingrequests.htm)
### Sample Payload
### Sample payload
```json
{
@@ -220,7 +220,7 @@ entity and then authorizes the entity for the given role.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -229,7 +229,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/oci/login/devrole
```
### Sample Response
### Sample response
```json
{

@@ -4,7 +4,7 @@ page_title: Okta - Auth Methods - HTTP API
description: This is the API documentation for the Vault Okta auth method.
---
# Okta Auth Method (API)
# Okta auth method (API)
This is the API documentation for the Vault Okta auth method. For
general information about the usage and operation of the Okta method, please
@@ -14,7 +14,7 @@ This documentation assumes the Okta method is mounted at the `/auth/okta`
path in Vault. Since it is possible to enable auth methods at any location,
please update your API calls accordingly.
## Create Configuration
## Create configuration
Configures the connection parameters for Okta. This path honors the
distinction between the `create` and `update` capabilities inside ACL policies.
@@ -40,7 +40,7 @@ distinction between the `create` and `update` capabilities inside ACL policies.
@include 'tokenfields.mdx'
### Sample Payload
### Sample payload
```json
{
@@ -49,7 +49,7 @@ distinction between the `create` and `update` capabilities inside ACL policies.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -59,7 +59,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/okta/config
```
## Read Configuration
## Read configuration
Reads the Okta configuration.
@@ -67,7 +67,7 @@ Reads the Okta configuration.
| :----- | :------------------ |
| `GET` | `/auth/okta/config` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -75,7 +75,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/okta/config
```
### Sample Response
### Sample response
```json
{
@@ -101,7 +101,7 @@ $ curl \
}
```
## List Users
## List users
List the users configured in the Okta method.
@@ -109,7 +109,7 @@ List the users configured in the Okta method.
| :----- | :----------------- |
| `LIST` | `/auth/okta/users` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -118,7 +118,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/okta/users
```
### Sample Response
### Sample response
```json
{
@@ -134,7 +134,7 @@ $ curl \
}
```
## Register User
## Register user
Registers a new user and maps a set of policies to it.
@@ -154,7 +154,7 @@ Registers a new user and maps a set of policies to it.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -164,7 +164,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/okta/users/fred
```
## Read User
## Read user
Reads the properties of an existing username.
@@ -176,7 +176,7 @@ Reads the properties of an existing username.
- `username` `(string: <required>)` - Username for this user.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -184,7 +184,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/okta/users/test-user
```
### Sample Response
### Sample response
```json
{
@@ -200,7 +200,7 @@ $ curl \
}
```
## Delete User
## Delete user
Deletes an existing username from the method.
@@ -212,7 +212,7 @@ Deletes an existing username from the method.
- `username` `(string: <required>)` - Username for this user.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -221,7 +221,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/okta/users/test-user
```
## List Groups
## List groups
List the groups configured in the Okta method.
@@ -229,7 +229,7 @@ List the groups configured in the Okta method.
| :----- | :------------------ |
| `LIST` | `/auth/okta/groups` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -238,7 +238,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/okta/groups
```
### Sample Response
### Sample response
```json
{
@@ -254,7 +254,7 @@ $ curl \
}
```
## Register Group
## Register group
Registers a new group and maps a set of policies to it.
@@ -273,7 +273,7 @@ Registers a new group and maps a set of policies to it.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -283,7 +283,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/okta/groups/admins
```
## Read Group
## Read group
Reads the properties of an existing group.
@@ -295,7 +295,7 @@ Reads the properties of an existing group.
- `name` `(string: <required>)` - The name for the group.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -303,7 +303,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/okta/groups/admins
```
### Sample Response
### Sample response
```json
{
@@ -318,7 +318,7 @@ $ curl \
}
```
## Delete Group
## Delete group
Deletes an existing group from the method.
@@ -330,7 +330,7 @@ Deletes an existing group from the method.
- `name` `(string: <required>)` - The name for the group.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -356,7 +356,7 @@ Login with the username and password.
- `nonce` `(string: <optional>)` - Nonce provided during a login request to
retrieve the number verification challenge for the matching request.
### Sample Payload
### Sample payload
```json
{
@@ -364,7 +364,7 @@ Login with the username and password.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -373,7 +373,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/okta/login/fred
```
### Sample Response
### Sample response
```json
{
@@ -410,14 +410,14 @@ Verify a number challenge that may result from an Okta Verify Push challenge.
requires number verification challenge. Logins through the vault login CLI
command will automatically generate a nonce.
### Sample Request
### Sample request
```shell-session
$ curl \
http://127.0.0.1:8200/v1/auth/okta/verify/nonce/BCR66Ru6oJKPtC00PxJJ
```
### Sample Response
### Sample response
```json
{

@@ -4,7 +4,7 @@ page_title: RADIUS - Auth Methods - HTTP API
description: This is the API documentation for the Vault RADIUS auth method.
---
# RADIUS Auth Method (API)
# RADIUS auth method (API)
This is the API documentation for the Vault RADIUS auth method. For
general information about the usage and operation of the RADIUS method, please
@@ -39,7 +39,7 @@ RADIUS.
@include 'tokenfields.mdx'
### Sample Payload
### Sample payload
```json
{
@@ -49,7 +49,7 @@ RADIUS.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -59,7 +59,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/radius/config
```
## Register User
## Register user
Registers a new user and maps a set of policies to it. This path honors the
distinction between the `create` and `update` capabilities inside ACL policies.
@@ -80,7 +80,7 @@ distinction between the `create` and `update` capabilities inside ACL policies.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -90,7 +90,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/radius/users/test-user
```
## Read User
## Read user
Reads the properties of an existing username.
@@ -102,7 +102,7 @@ Reads the properties of an existing username.
- `username` `(string: <required>)` - Username for this user.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -110,7 +110,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/radius/users/test-user
```
### Sample Response
### Sample response
```json
{
@@ -125,7 +125,7 @@ $ curl \
}
```
## Delete User
## Delete user
Deletes an existing username from the method.
@@ -137,7 +137,7 @@ Deletes an existing username from the method.
- `username` `(string: <required>)` - Username for this user.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -146,7 +146,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/radius/users/test-user
```
## List Users
## List users
List the users registered with the method.
@@ -154,7 +154,7 @@ List the users registered with the method.
| :----- | :------------------- |
| `LIST` | `/auth/radius/users` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -163,7 +163,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/radius/users
```
### Sample Response
### Sample response
```json
{
@@ -193,7 +193,7 @@ Login with the username and password.
- `username` `(string: <required>)` - Username for this user.
- `password` `(string: <required>)` - Password for the authenticating user.
### Sample Payload
### Sample payload
```json
{
@@ -201,7 +201,7 @@ Login with the username and password.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -210,7 +210,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/radius/login/test-user
```
### Sample Response
### Sample response
```javascript
{
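Review bot: the sample response under the renamed `### Sample response` heading is fenced as ```javascript although the body is a JSON object; every other sample response in this commit is fenced as ```json. The token-role read response later in this commit (`@@ -614,7 +614,7 @@`) has the same ```javascript fence. Switching both to ```json while these headings are being edited keeps the rendered highlighting consistent across the auth method pages.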

@@ -4,13 +4,13 @@ page_title: Token - Auth Methods - HTTP API
description: This is the API documentation for the Vault token auth method.
---
# Token Auth Method (API)
# Token auth method (API)
This is the API documentation for the Vault token auth method. For
general information about the usage and operation of the token method, please
see the [Vault Token method documentation](/vault/docs/auth/token).
## List Accessors
## List accessors
This endpoint lists token accessor. This requires `sudo` capability, and access
to it should be tightly controlled as the accessors can be used to revoke very
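Review bot: the context line directly under the new `## List accessors` heading reads "This endpoint lists token accessor." and should be "lists token accessors"; since this hunk already rewrites the heading above it, fixing the number agreement here costs nothing. The heading change itself is fine and the `sudo` warning that follows (accessors can be used to revoke large numbers of tokens and their leases) is left intact, which is the important part of this section.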
@@ -20,7 +20,7 @@ large numbers of tokens and their associated leases at once.
| :----- | :---------------------- |
| `LIST` | `/auth/token/accessors` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -29,7 +29,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/token/accessors
```
### Sample Response
### Sample response
```json
{
@@ -48,7 +48,7 @@ $ curl \
}
```
## Create Token
## Create token
Creates a new token. Certain options are only available when called by a
root token. If used via the `/auth/token/create-orphan` endpoint, a root
@@ -109,7 +109,7 @@ during this call.
and used entity alias must be listed in `allowed_entity_aliases`. If this has
been specified, the entity will not be inherited from the parent.
### Sample Payload
### Sample payload
```json
{
@@ -122,7 +122,7 @@ during this call.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -132,7 +132,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/token/create
```
### Sample Response
### Sample response
```json
{
@@ -164,7 +164,7 @@ $ curl \
}
```
## Lookup a Token
## Lookup a token
Returns information about the client token.
@@ -176,7 +176,7 @@ Returns information about the client token.
- `token` `(string: <required>)` - Token to lookup.
### Sample Payload
### Sample payload
```json
{
@@ -184,7 +184,7 @@ Returns information about the client token.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -194,7 +194,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/token/lookup
```
### Sample Response
### Sample response
```json
{
@@ -222,7 +222,7 @@ $ curl \
}
```
## Lookup a Token (Self)
## Lookup a token (Self)
Returns information about the current client token.
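Review bot: the parenthetical in `## Lookup a token (Self)` keeps its capital S, so this heading is only partly converted; plain sentence case would be `## Lookup a token (self)`. The same applies to `(Accessor)` in the lookup-accessor and renew-accessor headings and `(Self)` in the renew-self and revoke-self headings later in this file. Worth deciding once whether these parentheticals are ordinary words (then lowercase them) or stand for the literal `-self` / `-accessor` endpoint suffix (then code formatting would make that explicit), and applying the choice to all five.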
@@ -230,7 +230,7 @@ Returns information about the current client token.
| :----- | :------------------------ |
| `GET` | `/auth/token/lookup-self` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -238,7 +238,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/token/lookup-self
```
### Sample Response
### Sample response
```json
{
@@ -266,7 +266,7 @@ $ curl \
}
```
## Lookup a Token (Accessor)
## Lookup a token (Accessor)
Returns information about the client token from the accessor.
@@ -278,7 +278,7 @@ Returns information about the client token from the accessor.
- `accessor` `(string: <required>)` - Token accessor to lookup.
### Sample Payload
### Sample payload
```json
{
@@ -286,7 +286,7 @@ Returns information about the client token from the accessor.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -296,7 +296,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/token/lookup-accessor
```
### Sample Response
### Sample response
```json
{
@@ -324,7 +324,7 @@ $ curl \
}
```
## Renew a Token
## Renew a token
Renews a lease associated with a token. This is used to prevent the expiration
of a token, and the automatic revocation of it. Token renewal is possible only
@@ -343,7 +343,7 @@ if there is a lease associated with it.
If not supplied, Vault will use the default TTL. This is specified as a numeric string
with suffix like "30s" or "5m".
### Sample Payload
### Sample payload
```json
{
@@ -351,7 +351,7 @@ if there is a lease associated with it.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -361,7 +361,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/token/renew
```
### Sample Response
### Sample response
```json
{
@@ -377,7 +377,7 @@ $ curl \
}
```
## Renew a Token (Self)
## Renew a token (Self)
Renews a lease associated with the calling token. This is used to prevent the
expiration of a token, and the automatic revocation of it. Token renewal is
@@ -394,7 +394,7 @@ possible only if there is a lease associated with it.
If not supplied, Vault will use the default TTL. This is specified as a numeric string
with suffix like "30s" or "5m".
### Sample Payload
### Sample payload
```json
{
@@ -402,7 +402,7 @@ possible only if there is a lease associated with it.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -412,7 +412,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/token/renew-self
```
### Sample Response
### Sample response
```json
{
@@ -428,7 +428,7 @@ $ curl \
}
```
## Renew a Token (Accessor)
## Renew a token (Accessor)
Renews a lease associated with a token using its accessor. This is used to
prevent the expiration of a token, and the automatic revocation of it. Token
@@ -445,7 +445,7 @@ renewal is possible only if there is a lease associated with it.
- `increment` `(string: "")` - An optional requested lease increment can be
provided. This increment may be ignored.
### Sample Payload
### Sample payload
```json
{
@@ -453,7 +453,7 @@ renewal is possible only if there is a lease associated with it.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -463,7 +463,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/token/renew-accessor
```
### Sample Response
### Sample response
```json
{
@@ -479,7 +479,7 @@ $ curl \
}
```
## Revoke a Token
## Revoke a token
Revokes a token and all child tokens. When the token is revoked, all dynamic secrets
generated with it are also revoked.
@@ -492,7 +492,7 @@ generated with it are also revoked.
- `token` `(string: <required>)` - Token to revoke.
### Sample Payload
### Sample payload
```json
{
@@ -500,7 +500,7 @@ generated with it are also revoked.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -510,7 +510,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/token/revoke
```
## Revoke a Token (Self)
## Revoke a token (Self)
Revokes the token used to call it and all child tokens. When the token is
revoked, all dynamic secrets generated with it are also revoked.
@@ -519,7 +519,7 @@ revoked, all dynamic secrets generated with it are also revoked.
| :----- | :------------------------ |
| `POST` | `/auth/token/revoke-self` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -528,7 +528,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/token/revoke-self
```
## Revoke a Token Accessor
## Revoke a token accessor
Revoke the token associated with the accessor and all the child tokens. This is
meant for purposes where there is no access to token ID but there is need to
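Review bot: `## Revoke a token accessor` reads as though the accessor itself were revoked, but the body says the endpoint revokes the token associated with the accessor together with its child tokens. The lookup and renew sections of this file use the `... a token (Accessor)` pattern for the accessor variants, so `## Revoke a token (accessor)` would be both more accurate and consistent with its siblings.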
@@ -542,7 +542,7 @@ revoke a token and its children.
- `accessor` `(string: <required>)` - Accessor of the token.
### Sample Payload
### Sample payload
```json
{
@@ -550,7 +550,7 @@ revoke a token and its children.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -560,7 +560,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/token/revoke-accessor
```
## Revoke Token and Orphan Children
## Revoke token and orphan children
Revokes a token but not its child tokens. When the token is revoked, all secrets
generated with it are also revoked. All child tokens are orphaned, but can be
@@ -576,7 +576,7 @@ endpoint.
- `token` `(string: <required>)` - Token to revoke. This can be part of the URL
or the body.
### Sample Payload
### Sample payload
```json
{
@@ -584,7 +584,7 @@ endpoint.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -594,7 +594,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/token/revoke-orphan
```
## Read Token Role
## Read token role
Fetches the named role configuration.
@@ -606,7 +606,7 @@ Fetches the named role configuration.
- `role_name` `(string: <required>)` - The name of the token role.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -614,7 +614,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/token/roles/nomad
```
### Sample Response
### Sample response
```javascript
{
@@ -645,7 +645,7 @@ $ curl \
}
```
## List Token Roles
## List token roles
List available token roles.
@@ -653,7 +653,7 @@ List available token roles.
| :----- | :------------------ |
| `LIST` | `/auth/token/roles` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -662,7 +662,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/token/roles
```
### Sample Response
### Sample response
```json
{
@@ -672,7 +672,7 @@ $ curl \
}
```
## Create/Update Token Role
## Create/Update token role
Creates (or replaces) the named role. Roles enforce specific behavior when
creating tokens that allow token functionality that is otherwise not
@@ -739,7 +739,7 @@ tokens created against a role to be revoked using the
@include 'tokenstorefields.mdx'
### Sample Payload
### Sample payload
```json
"allowed_policies": [
@@ -752,7 +752,7 @@ tokens created against a role to be revoked using the
"allowed_entity_aliases": ["web-entity-alias", "app-entity-*"]
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -762,7 +762,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/token/roles/nomad
```
## Delete Token Role
## Delete token role
This endpoint deletes the named token role.
@@ -774,7 +774,7 @@ This endpoint deletes the named token role.
- `role_name` `(string: <required>)` - The name of the token role.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -783,7 +783,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/token/roles/admins
```
## Tidy Tokens
## Tidy tokens
Performs some maintenance tasks to clean up invalid entries that may remain
in the token store. On Enterprise, Tidy will only impact the tokens in the
@@ -824,7 +824,7 @@ valid in the above steps will be deleted.
| :----- | :----------------- |
| `POST` | `/auth/token/tidy` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -833,7 +833,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/token/tidy
```
### Sample Response
### Sample response
```json
{


@@ -6,7 +6,7 @@ description: |-
auth method.
---
# Userpass Auth Method (HTTP API)
# Userpass auth method (HTTP API)
This is the API documentation for the Vault Username & Password auth method. For
general information about the usage and operation of the Username and Password method, please
@@ -16,7 +16,7 @@ This documentation assumes the Username & Password method is mounted at the `/au
path in Vault. Since it is possible to enable auth methods at any location,
please update your API calls accordingly.
## Create/Update User
## Create/Update user
Create a new user or update an existing user. This path honors the distinction between the `create` and `update` capabilities inside ACL policies.
@@ -32,7 +32,7 @@ Create a new user or update an existing user. This path honors the distinction b
@include 'tokenfields.mdx'
### Sample Payload
### Sample payload
```json
{
@@ -42,7 +42,7 @@ Create a new user or update an existing user. This path honors the distinction b
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -52,7 +52,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/userpass/users/mitchellh
```
## Read User
## Read user
Reads the properties of an existing username.
@@ -60,7 +60,7 @@ Reads the properties of an existing username.
| :----- | :------------------------------- |
| `GET` | `/auth/userpass/users/:username` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -68,7 +68,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/userpass/users/mitchellh
```
### Sample Response
### Sample response
```json
{
@@ -99,7 +99,7 @@ $ curl \
}
```
## Delete User
## Delete user
This endpoint deletes the user from the method.
@@ -111,7 +111,7 @@ This endpoint deletes the user from the method.
- `username` `(string: <required>)` - The username for the user.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -120,7 +120,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/userpass/users/mitchellh
```
## Update Password on User
## Update password on user
Update password for an existing user.
@@ -133,7 +133,7 @@ Update password for an existing user.
- `username` `(string: <required>)` The username for the user.
- `password` `(string: <required>)` - The password for the user.
### Sample Payload
### Sample payload
```json
{
@@ -141,7 +141,7 @@ Update password for an existing user.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -151,7 +151,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/userpass/users/mitchellh/password
```
## Update Policies on User
## Update policies on user
Update policies for an existing user.
@@ -166,7 +166,7 @@ Update policies for an existing user.
policies to encode onto generated tokens. Depending on the auth method, this
list may be supplemented by user/group/other values.
### Sample Payload
### Sample payload
```json
{
@@ -174,7 +174,7 @@ Update policies for an existing user.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -184,7 +184,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/userpass/users/mitchellh/policies
```
## List Users
## List users
List available userpass users.
@@ -192,7 +192,7 @@ List available userpass users.
| :----- | :--------------------- |
| `LIST` | `/auth/userpass/users` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -201,7 +201,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/userpass/users
```
### Sample Response
### Sample response
```json
{
@@ -224,7 +224,7 @@ Login with the username and password.
- `username` `(string: <required>)` The username for the user.
- `password` `(string: <required>)` - The password for the user.
### Sample Payload
### Sample payload
```json
{
@@ -232,7 +232,7 @@ Login with the username and password.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -241,7 +241,7 @@ $ curl \
http://127.0.0.1:8200/v1/auth/userpass/login/mitchellh
```
### Sample Response
### Sample response
```json
{


@@ -83,7 +83,7 @@ $ curl \
http://127.0.0.1:8200/v1/ns1/ns2/secret/foo
```
## API Operations
## API operations
Typically the request data, body and response data to and from Vault is in JSON.
Vault sets the `Content-Type` header appropriately with its response and does
@@ -177,7 +177,7 @@ $ curl \
For more examples, please look at the Vault API client.
## The `X-Vault-Request` Header
## The `X-Vault-Request` header
Requests that are sent to a [Vault Proxy][proxy] that is configured to use the
`require_request_header` option must include the `X-Vault-Request` header
@@ -256,7 +256,7 @@ Example response:
}
```
## Error Response
## Error response
A common JSON structure is always returned to return errors:
@@ -271,7 +271,7 @@ A common JSON structure is always returned to return errors:
This structure will be returned for any HTTP status greater than or equal to 400.
## HTTP Status Codes
## HTTP status codes
The following HTTP status codes are used throughout the API. Vault tries to
adhere to these whenever possible, but in case it doesn't -- then feel free to


@@ -4,9 +4,9 @@ page_title: Related Tools
description: Short list of third-party tools that work with or are related to Vault.
---
# Related Tools
# Related tools
## HashiCorp Tools
## HashiCorp tools
- [Vault Agent](/vault/docs/agent-and-proxy/agent) can render Vault secrets either to files or directly into a child process as environment variables using `consul-template` templating syntax
- [Vault Proxy](/vault/docs/agent-and-proxy/proxy) acts as an API Proxy for Vault, and can optionally allow or force interacting clients to use its automatically authenticated token
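Review bot: the `page_title: Related Tools` frontmatter shown in this hunk's context is left in title case while the `# Related tools` H1 directly below it is converted. Since `page_title` is what appears in the browser tab and sidebar, decide whether it should follow the same rule or state in the PR description that frontmatter is deliberately out of scope; the same split is visible on every other page in this patch whose `page_title` appears as hunk context.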
@@ -14,7 +14,7 @@ description: Short list of third-party tools that work with or are related to Va
- [consul-template](https://github.com/hashicorp/consul-template) is a template renderer, notifier, and supervisor for HashiCorp Consul and Vault data
- [vault-ssh-helper](https://github.com/hashicorp/vault-ssh-helper) can be used to enable one-time passwords for SSH authentication via Vault
## Third-Party Tools
## Third-Party tools
The following list of tools is maintained by the community of Vault users; HashiCorp has not tested or approved them and makes no claims as to their suitability or security.
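Review bot: `Third-Party tools` is only half converted; `Party` is not a proper noun, so sentence case gives `Third-party tools`. Compare the `HashiCorp tools` heading in the previous hunk, where only the product name keeps its capital.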


@@ -4,7 +4,7 @@ page_title: Active Directory - Secrets Engines - HTTP API
description: This is the API documentation for the Vault Active Directory secrets engine.
---
# Active Directory Secrets Engine (API)
# Active directory secrets engine (API)
@include 'ad-secrets-deprecation.mdx'
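Review bot: `# Active directory secrets engine (API)` lowercases part of a Microsoft product name. The commit message says proper nouns (Docker, Google, Foundry, Cloud) keep their case, and `Active Directory` should too, so the H1 should read `# Active Directory secrets engine (API)`; the unchanged `page_title` and `description` lines in this same hunk both still spell it `Active Directory`.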
@@ -80,7 +80,7 @@ valid AD credentials with proper permissions.
| `GET` | `/ad/config` |
| `DELETE` | `/ad/config` |
### Sample Post Request
### Sample post request
<Tabs>
<Tab heading="cURL">
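Review bot: `Sample post request` lowercases the HTTP method, so `post` now reads as the verb rather than `POST`; the method table in this same hunk spells the methods `GET` and `DELETE` in code. Either `Sample POST request` or plain `Sample request`, which the other API pages in this patch already use, would be unambiguous. The same applies to every `Sample get ...` / `Sample post ...` heading renamed in this file and in the AliCloud secrets engine page.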
@@ -107,7 +107,7 @@ $ vault write ad/config \
</Tab>
</Tabs>
### Sample Post Payload
### Sample post payload
```json
{
@@ -118,7 +118,7 @@ $ vault write ad/config \
}
```
### Sample Get Response Data
### Sample get response data
```json
{
@@ -155,7 +155,7 @@ When adding a role, Vault verifies its associated service account exists.
| `GET` | `/ad/roles/:role_name` |
| `DELETE` | `/ad/roles/:role_name` |
### Sample Post Request
### Sample post request
<Tabs>
<Tab heading="cURL">
@@ -180,7 +180,7 @@ $ vault write ad/roles/my-application \
</Tab>
</Tabs>
### Sample Post Payload
### Sample post payload
```json
{
@@ -189,7 +189,7 @@ $ vault write ad/roles/my-application \
}
```
### Sample Get Role Response
### Sample get role response
```json
{
@@ -200,7 +200,7 @@ $ vault write ad/roles/my-application \
}
```
### Sample List Roles Response
### Sample list roles response
Performing a `LIST` on the `/ad/roles` endpoint will list the names of all the roles Vault contains.
@@ -216,7 +216,7 @@ The `creds` endpoint offers the credential information for a given role.
| :----- | :--------------------- |
| `GET` | `/ad/creds/:role_name` |
### Sample Get Request
### Sample get request
<Tabs>
<Tab heading="cURL">
@@ -238,7 +238,7 @@ $ vault read ad/creds/my-application
</Tab>
</Tabs>
### Sample Get Response
### Sample get response
```json
{
@@ -276,7 +276,7 @@ When adding a service account to the library, Vault verifies it already exists i
| `GET` | `/ad/library/:set_name` |
| `DELETE` | `/ad/library/:set_name` |
### Sample Post Request
### Sample post request
```shell-session
$ curl \
@@ -286,7 +286,7 @@ $ curl \
http://127.0.0.1:8200/v1/ad/library/accounting-team
```
### Sample Post Payload
### Sample post payload
```json
{
@@ -297,7 +297,7 @@ $ curl \
}
```
### Sample Get Response
### Sample get response
```json
{
@@ -308,7 +308,7 @@ $ curl \
}
```
### Sample List Response
### Sample list response
Performing a `LIST` on the `/ad/library` endpoint will list the names of all the sets of service accounts Vault contains.
@@ -334,7 +334,7 @@ Returns a `200` if a credential is available, and a `400` if no credential is av
| :----- | :-------------------------------- |
| `POST` | `/ad/library/:set_name/check-out` |
### Sample Post Request
### Sample post request
```shell-session
$ curl \
@@ -344,7 +344,7 @@ $ curl \
http://127.0.0.1:8200/v1/ad/library/accounting-team/check-out
```
### Sample Post Payload
### Sample post payload
```json
{
@@ -352,7 +352,7 @@ $ curl \
}
```
### Sample Post Response
### Sample post response
```json
{
@@ -392,7 +392,7 @@ in _by this particular call_.
| `POST` | `/ad/library/:set_name/check-in` |
| `POST` | `/ad/library/manage/:set_name/check-in` |
### Sample Post Request
### Sample post request
```shell-session
$ curl \
@@ -402,7 +402,7 @@ $ curl \
http://127.0.0.1:8200/v1/ad/library/accounting-team/check-in
```
### Sample Post Payload
### Sample post payload
```json
{
@@ -410,7 +410,7 @@ $ curl \
}
```
### Sample Post Response
### Sample post response
```json
{
@@ -433,7 +433,7 @@ $ curl \
| :----- | :----------------------------- |
| `GET` | `/ad/library/:set_name/status` |
### Sample Get Request
### Sample get request
```shell-session
$ curl \
@@ -442,7 +442,7 @@ $ curl \
http://127.0.0.1:8200/v1/ad/library/accounting-team/status
```
### Sample Get Response
### Sample get response
```json
{
@@ -466,7 +466,7 @@ $ curl \
}
```
## Rotate Root Credentials
## Rotate root credentials
Rotate the `bindpass` to a new one known only to Vault.
@@ -475,7 +475,7 @@ Rotate the `bindpass` to a new one known only to Vault.
1. When the `bindpass` is rotated, it successfully gets rotated in Active Directory but Vault can't store it so it becomes unknown.
2. If the `binddn` in use applies to more than one entity in Active Directory, root credential rotation will fail because it's unclear which entity to perform the operation for.
### Mitigating Risks
### Mitigating risks
1. Always have another account that can provision a new `binddn` and `bindpass` to replace one whose password becomes unknown.
2. Ensure the `binddn` in use only applies to one entity by including all distinguished name parameters possible. For example, use `"CN=vault-ad-test,CN=Users,DC=example,DC=com"` instead of `"CN=vault-ad-test"`.
@@ -489,7 +489,7 @@ Rotate the `bindpass` to a new one known only to Vault.
Generally, `rotate-root` returns a 204. However, if `rotate-root` is already in progress, it may return a 200 with a warning that root credential rotation is already in progress.
### Sample Get Request
### Sample get request
```shell-session
$ curl \
@@ -498,7 +498,7 @@ $ curl \
http://127.0.0.1:8200/v1/ad/rotate-root
```
### Sample Post Request
### Sample post request
```shell-session
$ curl \
@@ -507,7 +507,7 @@ $ curl \
http://127.0.0.1:8200/v1/ad/rotate-root
```
## Rotate Role Credentials
## Rotate role credentials
Manually rotate the password of a managed Active Directory service account.
@@ -519,7 +519,7 @@ Manually rotate the password of a managed Active Directory service account.
Generally, `rotate-role` returns a 204. However, if `rotate-role` is already in progress, it may return a 200 with a warning that credential rotation is already in progress.
### Sample Post Request
### Sample post request
```shell-session
$ curl \


@@ -4,7 +4,7 @@ page_title: AliCloud - Secrets Engines - HTTP API
description: This is the API documentation for the Vault AliCloud secrets engine.
---
# AliCloud Secrets Engine (API)
# AliCloud secrets engine (API)
This is the API documentation for the Vault AliCloud secrets engine. For general
information about the usage and operation of the AliCloud secrets engine, please see
@@ -41,7 +41,7 @@ the policies that should be attached to the access key you provide.
- `access_key` (string, required) - The ID of an access key with appropriate policies.
- `secret_key` (string, required) - The secret for that key.
### Sample Post Request
### Sample post request
```shell-session
$ curl \
@@ -51,7 +51,7 @@ $ curl \
http://127.0.0.1:8200/v1/alicloud/config
```
### Sample Post Payload
### Sample post payload
```json
{
@@ -60,7 +60,7 @@ $ curl \
}
```
### Sample Get Response Data
### Sample get response data
```json
{
@@ -88,7 +88,7 @@ The `role` endpoint configures how Vault will generate credentials for users of
| `GET` | `/alicloud/role/:role_name` |
| `DELETE` | `/alicloud/role/:role_name` |
### Sample Post Request
### Sample post request
```shell-session
$ curl \
@@ -98,7 +98,7 @@ $ curl \
http://127.0.0.1:8200/v1/alicloud/role/my-application
```
### Sample Post Payload Using Policies
### Sample post payload using policies
```json
{
@@ -110,7 +110,7 @@ $ curl \
}
```
### Sample Get Role Response Using Policies
### Sample get role response using policies
```json
{
@@ -145,7 +145,7 @@ $ curl \
}
```
### Sample Post Payload Using Assume-Role
### Sample post payload using Assume-Role
```json
{
@@ -153,7 +153,7 @@ $ curl \
}
```
### Sample Get Role Response Using Assume-Role
### Sample get role response using Assume-Role
```json
{
@@ -165,7 +165,7 @@ $ curl \
}
```
### Sample List Roles Response
### Sample list roles response
Performing a `LIST` on the `/alicloud/roles` endpoint will list the names of all the roles Vault contains.
@@ -173,7 +173,7 @@ Performing a `LIST` on the `/alicloud/roles` endpoint will list the names of all
["policy-based", "role-based"]
```
## Generate RAM Credentials
## Generate RAM credentials
This endpoint generates dynamic RAM credentials based on the named role. This
role must be created before queried.
@@ -186,7 +186,7 @@ role must be created before queried.
- `name` (string, required) Specifies the name of the role to generate credentials against. This is part of the request URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -194,7 +194,7 @@ $ curl \
http://127.0.0.1:8200/v1/alicloud/creds/example-role
```
### Sample Response for Roles Using Policies
### Sample response for roles using policies
```json
{
@@ -203,7 +203,7 @@ $ curl \
}
```
### Sample Response for Roles Using Assume-Role
### Sample response for roles using Assume-Role
```json
{


@@ -4,7 +4,7 @@ page_title: AWS - Secrets Engines - HTTP API
description: This is the API documentation for the Vault AWS secrets engine.
---
# AWS Secrets Engine (API)
# AWS secrets engine (API)
This is the API documentation for the Vault AWS secrets engine. For general
information about the usage and operation of the AWS secrets engine, please see
@@ -14,7 +14,7 @@ This documentation assumes the AWS secrets engine is enabled at the `/aws` path
in Vault. Since it is possible to enable secrets engines at any location, please
update your API calls accordingly.
## Configure Root IAM Credentials
## Configure root IAM credentials
This endpoint configures the root IAM credentials to communicate with AWS. There
are multiple ways to pass root IAM credentials to the Vault server, specified
@@ -76,7 +76,7 @@ valid AWS credentials with proper permissions.
{{ end }}
```
### Sample Payload
### Sample payload
```json
{
@@ -86,7 +86,7 @@ valid AWS credentials with proper permissions.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -96,7 +96,7 @@ $ curl \
http://127.0.0.1:8200/v1/aws/config/root
```
## Read Root Configuration
## Read root configuration
This endpoint allows you to read non-secure values that have been configured in the
`config/root` endpoint. In particular, the `secret_key` parameter is never returned.
@@ -105,7 +105,7 @@ This endpoint allows you to read non-secure values that have been configured in
| :----- | :----------------- |
| `GET` | `/aws/config/root` |
### Sample Request
### Sample request
```shell-session
$ curl
@@ -114,7 +114,7 @@ $ curl
```
### Sample Response
### Sample response
```json
{
@@ -128,7 +128,7 @@ $ curl
}
```
## Rotate Root IAM Credentials
## Rotate root IAM credentials
When you have configured Vault with static credentials, you can use this
endpoint to have Vault rotate the access key it used. Note that, due to AWS
@@ -148,7 +148,7 @@ secret key is used to access AWS.
There are no parameters to this operation.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -157,7 +157,7 @@ $ curl \
http://127.0.0.1:8200/v1/aws/config/rotate-root
```
### Sample Response
### Sample response
```json
{
@@ -169,7 +169,7 @@ $ curl \
The new access key Vault uses is returned by this operation.
## Configure Lease
## Configure lease
This endpoint configures lease settings for the AWS secrets engine. It is
optional, as there are default values for `lease` and `lease_max`.
@@ -187,7 +187,7 @@ optional, as there are default values for `lease` and `lease_max`.
provided as a string duration with time suffix. "h" (hour) is the largest
suffix.
### Sample Payload
### Sample payload
```json
{
@@ -196,7 +196,7 @@ optional, as there are default values for `lease` and `lease_max`.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -206,7 +206,7 @@ $ curl \
http://127.0.0.1:8200/v1/aws/config/lease
```
## Read Lease
## Read lease
This endpoint returns the current lease settings for the AWS secrets engine.
@@ -214,7 +214,7 @@ This endpoint returns the current lease settings for the AWS secrets engine.
| :----- | :------------------ |
| `GET` | `/aws/config/lease` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -222,7 +222,7 @@ $ curl \
http://127.0.0.1:8200/v1/aws/config/lease
```
### Sample Response
### Sample response
```json
{
@@ -233,7 +233,7 @@ $ curl \
}
```
## Create/Update Role
## Create/Update role
This endpoint creates or updates the role with the given `name`. If a role with
the name does not exist, it will be created. If the role exists, it will be
@@ -313,7 +313,7 @@ mixed with the parameters listed above.
- `arn` `(string: <required unless policy provided>)`  Specifies the full ARN
reference to the desired existing policy.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -323,7 +323,7 @@ $ curl \
http://127.0.0.1:8200/v1/aws/roles/example-role
```
### Sample Payloads
### Sample payloads
Using an inline IAM policy:
@@ -406,7 +406,7 @@ Using tags:
</Tab>
</Tabs>
## Read Role
## Read role
This endpoint queries an existing role by the given name. If the role does not
exist, a 404 is returned.
@@ -423,7 +423,7 @@ then it will show up in the response as `invalid_data`.
- `name` `(string: <required>)`  Specifies the name of the role to read. This
is part of the request URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -431,7 +431,7 @@ $ curl \
http://127.0.0.1:8200/v1/aws/roles/example-role
```
### Sample Responses
### Sample responses
For an inline IAM policy:
@@ -475,7 +475,7 @@ For IAM groups:
}
```
## List Roles
## List roles
This endpoint lists all existing roles in the secrets engine.
@@ -483,7 +483,7 @@ This endpoint lists all existing roles in the secrets engine.
| :----- | :----------- |
| `LIST` | `/aws/roles` |
### Sample Request
### Sample request
```shell-session
$ curl
@@ -492,7 +492,7 @@ $ curl
http://127.0.0.1:8200/v1/aws/roles
```
### Sample Response
### Sample response
```json
{
@@ -502,7 +502,7 @@ $ curl
}
```
## Delete Role
## Delete role
This endpoint deletes an existing role by the given name. If the role does not
exist, a 404 is returned.
@@ -516,7 +516,7 @@ exist, a 404 is returned.
- `name` `(string: <required>)`  Specifies the name of the role to delete. This
is part of the request URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -525,7 +525,7 @@ $ curl \
http://127.0.0.1:8200/v1/aws/roles/example-role
```
## Generate Credentials
## Generate credentials
This endpoint generates credentials based on the named role. This role must be
created before queried.
@@ -565,7 +565,7 @@ credentials retrieved through `/aws/creds` must be of the `iam_user` type.
[GetFederationToken](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html)
(for `federation_token` credential types) for more details.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -573,7 +573,7 @@ $ curl \
http://127.0.0.1:8200/v1/aws/creds/example-role
```
### Sample Response
### Sample response
```json
{
@@ -586,7 +586,7 @@ $ curl \
}
```
## Create Static Role
## Create static role
This endpoint creates or updates static role definitions. A static role is a 1-to-1 mapping
with an AWS IAM User, which will be adopted and managed by Vault, including rotating it according
to the configured `rotation_period`.
@@ -614,7 +614,7 @@ is specified as part of the URL.
Vault should wait before rotating the password. The minimum is 1 minute. Can be
specified in either `24h` or `86400` format (see [duration format strings](/vault/docs/concepts/duration-format)).
### Sample Payload
### Sample payload
```json
{
@@ -623,7 +623,7 @@ specified in either `24h` or `86400` format (see [duration format strings](/vaul
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -633,9 +633,9 @@ $ curl \
http://127.0.0.1:8200/v1/aws/static-roles/my-static-role
```
### Sample Response
### Sample response
## Read Static Role
## Read static role
This endpoint queries the static role definition.
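Review bot: the `### Sample response` heading under `Create static role` has no body; the very next line in this hunk is the `## Read static role` section, so the rename only re-cases an empty section. Either add the response Vault returns for `POST /aws/static-roles/:name` or drop the heading; this is a documentation gap the case change does not address.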
@@ -648,7 +648,7 @@ This endpoint queries the static role definition.
- `name` `(string: <required>)` Specifies the name of the static role to read.
This is specified as part of the URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -656,7 +656,7 @@ $ curl \
--request GET \
http://127.0.0.1:8200/v1/aws/static-roles/my-static-role
```
### Sample Response
### Sample response
```json
{
@@ -666,7 +666,7 @@ $ curl \
}
```
## Delete Static Role
## Delete static role
This endpoint deletes the static role definition. The user, having been defined externally,
must be cleaned up manually.
@@ -680,7 +680,7 @@ must be cleaned up manually.
- `name` `(string: <required>)` Specifies the name of the static role to
delete. This is specified as part of the URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -689,7 +689,7 @@ $ curl \
http://127.0.0.1:8200/v1/aws/static-roles/my-static-role
```
## Get Static Credentials
## Get static credentials
This endpoint returns the current credentials based on the named static role.
@@ -702,7 +702,7 @@ This endpoint returns the current credentials based on the named static role.
- `name` `(string: <required>)` Specifies the name of the static role to get
credentials for. This is specified as part of the URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -710,7 +710,7 @@ $ curl \
http://127.0.0.1:8200/v1/aws/static-creds/my-static-role
```
### Sample Response
### Sample response
```json
{


@@ -4,7 +4,7 @@ page_title: Azure - Secrets Engines - HTTP API
description: This is the API documentation for the Vault Azure secrets engine.
---
# Azure Secrets Engine (API)
# Azure secrets engine (API)
This is the API documentation for the Vault Azure
secrets engine. For general information about the usage and operation of
@@ -14,7 +14,7 @@ This documentation assumes the Azure secrets engine is enabled at the `/azure` p
in Vault. Since it is possible to mount secrets engines at any path, please
update your API calls accordingly.
## Configure Access
## Configure access
Configures the credentials required for the plugin to perform API calls
to Azure. These credentials will be used to query roles and create/delete
@@ -39,7 +39,7 @@ service principals. Environment variables will override any parameters set in th
- `root_password_ttl` `(string: 182d)` - Specifies how long the root password is valid for in Azure when
rotate-root generates a new client secret. Uses [duration format strings](/vault/docs/concepts/duration-format).
### Sample Payload
### Sample payload
```json
{
@@ -53,7 +53,7 @@ service principals. Environment variables will override any parameters set in th
}
```
### Sample Request
### Sample request
<Tabs>
<Tab heading="cURL">
@@ -82,7 +82,7 @@ $ vault write azure/config \
</Tab>
</Tabs>
## Read Config
## Read config
Return the stored configuration, omitting `client_secret`.
@@ -90,7 +90,7 @@ Return the stored configuration, omitting `client_secret`.
| :----- | :-------------- |
| `GET` | `/azure/config` |
### Sample Request
### Sample request
<Tabs>
<Tab heading="cURL">
@@ -112,7 +112,7 @@ $ vault read azure/config
</Tab>
</Tabs>
### Sample Response
### Sample response
```json
{
@@ -126,7 +126,7 @@ $ vault read azure/config
}
```
## Delete Config
## Delete config
Deletes the stored Azure configuration and credentials.
@@ -134,7 +134,7 @@ Deletes the stored Azure configuration and credentials.
| :------- | :-------------- |
| `DELETE` | `/azure/config` |
### Sample Request
### Sample request
<Tabs>
<Tab heading="cURL">
@@ -156,7 +156,7 @@ $ vault delete azure/config
</Tab>
</Tabs>
## Rotate Root
## Rotate root
This endpoint generates a new client secret for the root account defined in the config. The
value generated will only be known by Vault.
@@ -173,7 +173,7 @@ datacenters.
There are no parameters to this operation.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -182,7 +182,7 @@ $ curl \
http://127.0.0.1:8200/v1/azure/rotate-root
```
## Create/Update Role
## Create/Update role
Create or update a Vault role. Either `application_object_id` or
`azure_roles` must be provided, and these resources must exist for this
@@ -213,7 +213,7 @@ information about roles.
- `permanently_delete` (`bool: false`) - Specifies whether to permanently delete Applications and Service Principals that are dynamically
created by Vault. If `application_object_id` is present, `permanently_delete` must be `false`.
### Sample Payload
### Sample payload
```json
{
@@ -232,7 +232,7 @@ information about roles.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -242,7 +242,7 @@ $ curl \
https://127.0.0.1:8200/v1/azure/roles/my-role
```
## List Roles
## List roles
Lists all of the roles that are registered with the plugin.
@@ -250,7 +250,7 @@ Lists all of the roles that are registered with the plugin.
| :----- | :------------- |
| `LIST` | `/azure/roles` |
### Sample Request
### Sample request
<Tabs>
<Tab heading="cURL">
@@ -272,7 +272,7 @@ $ vault list azure/roles
</Tab>
</Tabs>
### Sample Response
### Sample response
```json
{
@@ -282,7 +282,7 @@ $ vault list azure/roles
}
```
## Generate Credentials
## Generate credentials
This endpoint generates a new service principal based on the named role.
@@ -294,7 +294,7 @@ This endpoint generates a new service principal based on the named role.
- `name` (`string: <required>`) - Specifies the name of the role to create credentials against.
### Sample Request
### Sample request
<Tabs>
<Tab heading="cURL">
@@ -315,7 +315,7 @@ $ vault read azure/creds/my-role
</Tab>
</Tabs>
### Sample Response
### Sample response
```json
{
@@ -327,7 +327,7 @@ $ vault read azure/creds/my-role
}
```
## Revoking/Renewing Secrets
## Revoking/Renewing secrets
See docs on how to [renew](/vault/api-docs/system/leases#renew-lease) and [revoke](/vault/api-docs/system/leases#revoke-lease) leases.


@@ -4,7 +4,7 @@ page_title: Cassandra - Secrets Engines - HTTP API
description: This is the API documentation for the Vault Cassandra secrets engine.
---
# Cassandra Secrets Engine (API)
# Cassandra secrets engine (API)
@include 'x509-sha1-deprecation.mdx'
@@ -22,7 +22,7 @@ This documentation assumes the Cassandra backend is mounted at the `/cassandra`
path in Vault. Since it is possible to enable secrets engines at any location,
please update your API calls accordingly.
## Configure Connection
## Configure connection
This endpoint configures the connection information used to communicate with
Cassandra.
@@ -88,7 +88,7 @@ certificate, an issuing CA certificate, or both. `pem_json` should contain the
same information; for convenience, the JSON format is the same as that output by
the issue command from the PKI backend.
### Sample Payload
### Sample payload
```json
{
@@ -98,7 +98,7 @@ the issue command from the PKI backend.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -108,7 +108,7 @@ $ curl \
http://127.0.0.1:8200/v1/cassandra/config/connection
```
## Create Role
## Create role
This endpoint creates or updates the role definition.
@@ -141,7 +141,7 @@ This endpoint creates or updates the role definition.
provided as a string. Determines the consistency level used for operations
performed on the Cassandra database.
### Sample Payload
### Sample payload
```json
{
@@ -149,7 +149,7 @@ This endpoint creates or updates the role definition.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -159,7 +159,7 @@ $ curl \
http://127.0.0.1:8200/v1/cassandra/roles/my-role
```
## Read Role
## Read role
This endpoint queries the role definition.
@@ -172,7 +172,7 @@ This endpoint queries the role definition.
- `name` `(string: <required>)`  Specifies the name of the role to read. This
is part of the request URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -180,7 +180,7 @@ $ curl \
http://127.0.0.1:8200/v1/cassandra/roles/my-role
```
### Sample Response
### Sample response
```json
{
@@ -193,7 +193,7 @@ $ curl \
}
```
## Delete Role
## Delete role
This endpoint deletes the role definition.
@@ -206,7 +206,7 @@ This endpoint deletes the role definition.
- `name` `(string: <required>)`  Specifies the name of the role to delete. This
is part of the request URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -215,7 +215,7 @@ $ curl \
http://127.0.0.1:8200/v1/cassandra/roles/my-role
```
## Generate Credentials
## Generate credentials
This endpoint generates a new set of dynamic credentials based on the named
role.
@@ -229,7 +229,7 @@ role.
- `name` `(string: <required>)`  Specifies the name of the role to create
credentials against. This is part of the request URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -237,7 +237,7 @@ $ curl \
http://127.0.0.1:8200/v1/cassandra/creds/my-role
```
### Sample Response
### Sample response
```json
{


@@ -4,7 +4,7 @@ page_title: Consul - Secrets Engines - HTTP API
description: This is the API documentation for the Vault Consul secrets engine.
---
# Consul Secrets Engine (API)
# Consul secrets engine (API)
@include 'x509-sha1-deprecation.mdx'
@@ -18,7 +18,7 @@ This documentation assumes the Consul secrets engine is enabled at the `/consul`
path in Vault. Since it is possible to enable secrets engines at any location,
please update your API calls accordingly.
## Configure Access
## Configure access
This endpoint configures the access information for Consul. This access
information is used so that Vault can communicate with Consul and generate
@@ -48,7 +48,7 @@ Consul tokens.
- `client_key` `(string: "")` - Client key used for Consul's TLS communication,
must be x509 PEM encoded and if this is set you need to also set client_cert.
### Sample Payload
### Sample payload
```json
{
@@ -58,7 +58,7 @@ Consul tokens.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -68,7 +68,7 @@ $ curl \
http://127.0.0.1:8200/v1/consul/config/access
```
## Create/Update Role
## Create/Update role
This endpoint creates or updates the Consul role definition. If the role does
not exist, it will be created. If the role already exists, it will receive
@@ -80,7 +80,7 @@ Consul version.
| :----- | :-------------------- |
| `POST` | `/consul/roles/:name` |
### Parameters for Consul versions 1.11 and above
### Parameters for consul versions 1.11 and above
- `partition` `(string: "")` - Specifies the Consul admin partition in which the token is generated.
The partition must exist, and the Consul policies or roles assigned to the
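Review bot: `Consul` is a product name and should keep its capital in the new heading `### Parameters for consul versions 1.11 and above`; the same commit keeps `# Consul secrets engine (API)` and "configures the access information for Consul" capitalised, and the commit message says proper nouns (Docker, Google, Foundry, Cloud) are meant to stay in proper case. Suggest `### Parameters for Consul versions 1.11 and above`.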
@@ -95,7 +95,7 @@ To create a client token within a particular Consul admin partition:
}
```
### Parameters for Consul versions 1.8 and above
### Parameters for consul versions 1.8 and above
- `node_identities` `(list: <node identity or identities>)` - The list of node identities to assign to the generated
token. This may be a comma-separated list to attach multiple node identities to a token.
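Review bot: same proper-noun regression in `### Parameters for consul versions 1.8 and above`: `consul` should stay `Consul`, as in the unchanged heading `## Configure access` text and the `Consul` references in the surrounding parameter descriptions.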
@@ -111,7 +111,7 @@ To create a client token with node identities attached:
}
```
### Parameters for Consul versions 1.7 and above
### Parameters for consul versions 1.7 and above
- `consul_namespace` `(string: "")` - Specifies the Consul namespace in which the token is generated.
The namespace must exist, and the Consul policies or roles assigned to the Vault role must also exist
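Review bot: `consul` should remain `Consul` in `### Parameters for consul versions 1.7 and above`; the context line directly below it still reads "Specifies the Consul namespace", so the heading and body now disagree on the product name.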
@@ -125,7 +125,7 @@ To create a client token within a particular Consul namespace:
}
```
### Parameters for Consul version 1.5 and above
### Parameters for consul version 1.5 and above
- `service_identities` `(list: <service identity or identities>)` - The list of service identities to assign to the generated
token. This may be a comma-separated list to attach multiple service identities to a token.
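Review bot: `### Parameters for consul version 1.5 and above` lowercases the product name again; suggest `### Parameters for Consul version 1.5 and above`. The mixed `version`/`versions` across this run of headings predates the patch but would be cheap to align while they are all being touched.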
@@ -135,7 +135,7 @@ To create a client token within a particular Consul namespace:
To create a client token with roles defined in Consul:
### Sample Payload
### Sample payload
```json
{
@@ -154,7 +154,7 @@ To create a client token with service identities attached:
}
```
### Parameters for Consul versions 1.4 and above
### Parameters for consul versions 1.4 and above
- `name` `(string: <required>)`  Specifies the name of an existing role against
which to create this Consul credential. This is part of the request URL.
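Review bot: `consul` should stay `Consul` in `### Parameters for consul versions 1.4 and above`; the unchanged `name` parameter text two lines down says "this Consul credential", so the capitalisation should match.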
@@ -184,7 +184,7 @@ To create a client token with service identities attached:
- `max_ttl` `(duration: "")`  Specifies the max TTL for this role. If not
provided, the default Vault Max TTL is used. Uses [duration format strings](/vault/docs/concepts/duration-format).
### Sample Payload
### Sample payload
To create a client token with policies defined in Consul:
@@ -194,7 +194,7 @@ To create a client token with policies defined in Consul:
}
```
### Parameters for Consul version below 1.4
### Parameters for consul version below 1.4
- `lease` <sup>DEPRECATED (1.11)</sup> `(string: "")`  Specifies the lease for this role.
Uses [duration format strings](/vault/docs/concepts/duration-format). If not
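Review bot: last instance in this file: `### Parameters for consul version below 1.4` should read `### Parameters for Consul version below 1.4`. A quick grep for `consul ` followed by a lowercase word in headings after the rename would catch all six of these at once.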
@@ -205,7 +205,7 @@ To create a client token with policies defined in Consul:
documentation](/consul/docs/security/acl/acl-legacy). This is
required unless the `token_type` is `"management"`.
### Sample Payload
### Sample payload
To create a client token with a base64-encoded policy:
@@ -223,7 +223,7 @@ To create management tokens:
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -233,7 +233,7 @@ $ curl \
http://127.0.0.1:8200/v1/consul/roles/example-role
```
## Read Role
## Read role
This endpoint queries for information about a Consul role with the given name.
If no role exists with that name, a 404 is returned.
@@ -247,7 +247,7 @@ If no role exists with that name, a 404 is returned.
- `name` `(string: <required>)`  Specifies the name of the role to query. This
is part of the request URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -255,7 +255,7 @@ $ curl \
http://127.0.0.1:8200/v1/consul/roles/example-role
```
### Sample Response
### Sample response
```json
{
@@ -267,7 +267,7 @@ $ curl \
}
```
## List Roles
## List roles
This endpoint lists all existing roles in the secrets engine.
@@ -275,7 +275,7 @@ This endpoint lists all existing roles in the secrets engine.
| :----- | :-------------- |
| `LIST` | `/consul/roles` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -284,7 +284,7 @@ $ curl \
http://127.0.0.1:8200/v1/consul/roles
```
### Sample Response
### Sample response
```json
{
@@ -294,7 +294,7 @@ $ curl \
}
```
## Delete Role
## Delete role
This endpoint deletes a Consul role with the given name. Even if the role does
not exist, this endpoint will still return a successful response.
@@ -308,7 +308,7 @@ not exist, this endpoint will still return a successful response.
- `name` `(string: <required>)`  Specifies the name of the role to delete. This
is part of the request URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -317,7 +317,7 @@ $ curl \
http://127.0.0.1:8200/v1/consul/roles/example-role
```
## Generate Credential
## Generate credential
This endpoint generates a dynamic Consul token based on the given role
definition.
@@ -331,7 +331,7 @@ definition.
- `name` `(string: <required>)`  Specifies the name of an existing role against
which to create this Consul credential. This is part of the request URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -339,7 +339,7 @@ $ curl \
http://127.0.0.1:8200/v1/consul/creds/example-role
```
### Sample Response
### Sample response
```json
{


@@ -4,7 +4,7 @@ page_title: Cubbyhole - Secrets Engines - HTTP API
description: This is the API documentation for the Vault Cubbyhole secrets engine.
---
# Cubbyhole Secrets Engine (API)
# Cubbyhole secrets engine (API)
This is the API documentation for the Vault Cubbyhole secrets engine. For
general information about the usage and operation of the Cubbyhole secrets
@@ -15,7 +15,7 @@ This documentation assumes the Cubbyhole secrets engine is enabled at the
`/cubbyhole` path in Vault. Since it is possible to enable secrets engines at
any location, please update your API calls accordingly.
## Read Secret
## Read secret
This endpoint retrieves the secret at the specified location.
@@ -28,7 +28,7 @@ This endpoint retrieves the secret at the specified location.
- `path` `(string: <required>)` Specifies the path of the secret to read.
This is specified as part of the URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -36,7 +36,7 @@ $ curl \
http://127.0.0.1:8200/v1/cubbyhole/my-secret
```
### Sample Response
### Sample response
```json
{
@@ -50,7 +50,7 @@ $ curl \
}
```
## List Secrets
## List secrets
This endpoint returns a list of secret entries at the specified location.
Folders are suffixed with `/`. The input must be a folder; list on a file will
@@ -65,7 +65,7 @@ not return a value. The values themselves are not accessible via this command.
- `path` `(string: <required>)` Specifies the path of the secrets to list.
This is specified as part of the URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -74,7 +74,7 @@ $ curl \
http://127.0.0.1:8200/v1/cubbyhole/my-secret
```
### Sample Response
### Sample response
The example below shows output for a query path of `cubbyhole/` when there are
secrets at `cubbyhole/foo` and `cubbyhole/foo/bar`; note the difference in the
@@ -92,7 +92,7 @@ two entries.
}
```
## Create/Update Secret
## Create/Update secret
This endpoint stores a secret at the specified location.
@@ -109,7 +109,7 @@ This endpoint stores a secret at the specified location.
be held at the given location. Multiple key/value pairs can be specified, and
all will be returned on a read operation.
### Sample Payload
### Sample payload
```json
{
@@ -118,7 +118,7 @@ This endpoint stores a secret at the specified location.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -128,7 +128,7 @@ $ curl \
http://127.0.0.1:8200/v1/cubbyhole/my-secret
```
## Delete Secret
## Delete secret
This endpoint deletes the secret at the specified location.
@@ -141,7 +141,7 @@ This endpoint deletes the secret at the specified location.
- `path` `(string: <required>)` Specifies the path of the secret to delete.
This is specified as part of the URL.
### Sample Request
### Sample request
```shell-session
$ curl \


@@ -6,7 +6,7 @@ description: >-
credentials to access Cassandra servers.
---
# Cassandra Database Plugin HTTP API
# Cassandra database plugin HTTP API
@include 'x509-sha1-deprecation.mdx'
@@ -14,7 +14,7 @@ The Cassandra database plugin is one of the supported plugins for the database
secrets engine. This plugin generates database credentials dynamically based on
configured roles for the Cassandra database.
## Configure Connection
## Configure connection
In addition to the parameters defined by the [Database
Secrets Engine](/vault/api-docs/secret/databases#configure-connection), this plugin
@@ -146,7 +146,7 @@ certificate, an issuing CA certificate, or both. `pem_json` should contain the
same information; for convenience, the JSON format is the same as that output by
the issue command from the PKI secrets engine.
### Sample Payload
### Sample payload
```json
{
@@ -158,7 +158,7 @@ the issue command from the PKI secrets engine.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \


@@ -6,7 +6,7 @@ description: >-
credentials to access Couchbase servers.
---
# Couchbase Database Plugin HTTP API
# Couchbase database plugin HTTP API
@include 'x509-sha1-deprecation.mdx'
@@ -14,7 +14,7 @@ The Couchbase database plugin is one of the supported plugins for the database
secrets engine. This plugin generates database credentials dynamically based on
configured roles for the Couchbase database.
## Configure Connection
## Configure connection
In addition to the parameters defined by the [Database
Secrets Engine](/vault/api-docs/secret/databases#configure-connection), this plugin
@@ -75,7 +75,7 @@ V_{{.DisplayName | uppercase | truncate 64}}_{{.RoleName | uppercase | truncate
</details>
</details>
### Sample Payload
### Sample payload
```json
{
@@ -87,7 +87,7 @@ V_{{.DisplayName | uppercase | truncate 64}}_{{.RoleName | uppercase | truncate
}
```
### Sample Request
### Sample request
```bash
$ curl \


@@ -6,7 +6,7 @@ description: >-
database credentials to access Elasticsearch.
---
# Elasticsearch Database Plugin HTTP API
# Elasticsearch database plugin HTTP API
@include 'x509-sha1-deprecation.mdx'
@@ -14,7 +14,7 @@ The Elasticsearch database plugin is one of the supported plugins for the databa
secrets engine. This plugin generates credentials dynamically based on
configured roles for Elasticsearch.
## Configure Connection
## Configure connection
In addition to the parameters defined by the [Database
Backend](/vault/api-docs/secret/databases#configure-connection), this plugin
@@ -38,7 +38,7 @@ has a number of parameters to further configure a connection.
- `username_template` `(string)` - [Template](/vault/docs/concepts/username-templating) describing how dynamic usernames are generated.
- `use_old_xpack` `(bool: false)` - Can be set to `true` to use the `/_xpack/security` base API path when managing Elasticsearch. May be required for Elasticsearch server versions prior to 6.
### Sample Payload
### Sample payload
```json
{
@@ -53,7 +53,7 @@ has a number of parameters to further configure a connection.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -87,7 +87,7 @@ list the plugin does not support that statement type.
roles because a privilege escalation could be performed by editing the roles used
out-of-band in Elasticsearch.
### Sample Creation Statements
### Sample creation statements
```json
{


@@ -6,13 +6,13 @@ description: >-
credentials to access HANA servers.
---
# HANA Database Plugin HTTP API
# HANA database plugin HTTP API
The HANA database plugin is one of the supported plugins for the database
secrets engine. This plugin generates database credentials dynamically based on
configured roles for the HANA database.
## Configure Connection
## Configure connection
In addition to the parameters defined by the [database
secrets engine](/vault/api-docs/secret/databases#configure-connection), this plugin
@@ -50,7 +50,7 @@ has a number of parameters to further configure a connection.
and password fields. See the [databases secrets engine docs](/vault/docs/secrets/databases#disable-character-escaping)
for more information. Defaults to `false`.
### Sample Payload
### Sample payload
```json
{
@@ -64,7 +64,7 @@ has a number of parameters to further configure a connection.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \


@@ -4,7 +4,7 @@ page_title: Database - Secrets Engines - HTTP API
description: Top page for database secrets engine information
---
# Database Secrets Engine (API)
# Database secrets engine (API)
This is the API documentation for the Vault Database secrets engine. For
general information about the usage and operation of the database secrets engine,
@@ -15,7 +15,7 @@ This documentation assumes the database secrets engine is enabled at the
`/database` path in Vault. Since it is possible to enable secrets engines at any
location, please update your API calls accordingly.
## Configure Connection
## Configure connection
This endpoint configures the connection string used to communicate with the
desired database. In addition to the parameters listed here, each Database
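Review bot: `## Configure connection` is the anchor target of the `#configure-connection` links on every plugin page in this patch (for example `/vault/api-docs/secret/databases#configure-connection`); the existing link slug was already lowercase against the old `Configure Connection` heading, so slug generation lowercases and these links survive the rename, but a docs build with link checking over the full set of renamed `##` headings is worth running before merge, since a heading whose slug did change would fail silently.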
@@ -93,7 +93,7 @@ are supported and any additional details about them.
[databases secrets engine docs.](/vault/docs/secrets/databases#disable-character-escaping)
Defaults to `false`.
### Sample Payload
### Sample payload
```json
{
@@ -105,7 +105,7 @@ are supported and any additional details about them.
}
```
### Sample cURL Request
### Sample cURL request
```shell-session
$ curl \
@@ -115,7 +115,7 @@ $ curl \
http://127.0.0.1:8200/v1/database/config/mysql
```
### Sample CLI Request
### Sample CLI request
```shell-session
$ vault write database/config/mysql \
@@ -126,7 +126,7 @@ $ vault write database/config/mysql \
password="secretpassword"
```
### Sample CLI Request with ADO-style Connection String
### Sample CLI request with ADO-style connection string
```shell-session
$ vault write database/config/mssql \
@@ -137,7 +137,7 @@ $ vault write database/config/mssql \
disable_escaping="true"
```
## Read Connection
## Read connection
This endpoint returns the configuration settings for a connection.
@@ -150,7 +150,7 @@ This endpoint returns the configuration settings for a connection.
- `name` `(string: <required>)` Specifies the name of the connection to read.
This is specified as part of the URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -159,7 +159,7 @@ $ curl \
http://127.0.0.1:8200/v1/database/config/mysql
```
### Sample Response
### Sample response
```json
{
@@ -177,7 +177,7 @@ $ curl \
}
```
## List Connections
## List connections
This endpoint returns a list of available connections. Only the connection names
are returned, not any values.
@@ -186,7 +186,7 @@ are returned, not any values.
| :----- | :----------------- |
| `LIST` | `/database/config` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -195,7 +195,7 @@ $ curl \
http://127.0.0.1:8200/v1/database/config
```
### Sample Response
### Sample response
```json
{
@@ -205,7 +205,7 @@ $ curl \
}
```
## Delete Connection
## Delete connection
This endpoint deletes a connection.
@@ -218,7 +218,7 @@ This endpoint deletes a connection.
- `name` `(string: <required>)` Specifies the name of the connection to delete.
This is specified as part of the URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -227,7 +227,7 @@ $ curl \
http://127.0.0.1:8200/v1/database/config/mysql
```
## Reset Connection
## Reset connection
This endpoint closes a connection and it's underlying plugin and restarts it
with the configuration stored in the barrier.
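Review bot: since this commit is a prose clean-up of the same file, the context line `This endpoint closes a connection and it's underlying plugin` could take the `it's` to `its` fix in this hunk; as it stands the typo survives the edit.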
@@ -241,7 +241,7 @@ with the configuration stored in the barrier.
- `name` `(string: <required>)` Specifies the name of the connection to reset.
This is specified as part of the URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -250,7 +250,7 @@ $ curl \
http://127.0.0.1:8200/v1/database/reset/mysql
```
## Rotate Root Credentials
## Rotate root credentials
This endpoint is used to rotate the "root" user credentials stored for
the database connection. This user must have permissions to update its own
@@ -268,7 +268,7 @@ recommended that you create a user for Vault to utilize rather than using the ac
- `name` `(string: <required>)` Specifies the name of the connection to rotate.
This is specified as part of the URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -277,7 +277,7 @@ $ curl \
http://127.0.0.1:8200/v1/database/rotate-root/mysql
```
## Create Role
## Create role
This endpoint creates or updates a role definition.
@@ -323,7 +323,7 @@ This endpoint creates or updates a role definition.
@include 'db-secrets-credential-types.mdx'
### Sample Payload
### Sample payload
```json
{
@@ -337,7 +337,7 @@ This endpoint creates or updates a role definition.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -347,7 +347,7 @@ $ curl \
http://127.0.0.1:8200/v1/database/roles/my-role
```
## Read Role
## Read role
This endpoint queries the role definition.
@@ -360,7 +360,7 @@ This endpoint queries the role definition.
- `name` `(string: <required>)` Specifies the name of the role to read. This
is specified as part of the URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -368,7 +368,7 @@ $ curl \
http://127.0.0.1:8200/v1/database/roles/my-role
```
### Sample Response
### Sample response
```json
{
@@ -388,7 +388,7 @@ $ curl \
}
```
## List Roles
## List roles
This endpoint returns a list of available roles. Only the role names are
returned, not any values.
@@ -397,7 +397,7 @@ returned, not any values.
| :----- | :---------------- |
| `LIST` | `/database/roles` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -406,7 +406,7 @@ $ curl \
http://127.0.0.1:8200/v1/database/roles
```
### Sample Response
### Sample response
```json
{
@@ -420,7 +420,7 @@ $ curl \
}
```
## Delete Role
## Delete role
This endpoint deletes the role definition.
@@ -433,7 +433,7 @@ This endpoint deletes the role definition.
- `name` `(string: <required>)` Specifies the name of the role to delete. This
is specified as part of the URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -442,7 +442,7 @@ $ curl \
http://127.0.0.1:8200/v1/database/roles/my-role
```
## Generate Credentials
## Generate credentials
This endpoint generates a new set of dynamic credentials based on the named
role.
@@ -456,7 +456,7 @@ role.
- `name` `(string: <required>)` Specifies the name of the role to create
credentials against. This is specified as part of the URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -464,7 +464,7 @@ $ curl \
http://127.0.0.1:8200/v1/database/creds/my-role
```
### Sample Response
### Sample response
```json
{
@@ -475,7 +475,7 @@ $ curl \
}
```
## Create Static Role
## Create static role
This endpoint creates or updates a static role definition. Static Roles are a
1-to-1 mapping of a Vault Role to a user in a database which are automatically
@@ -512,7 +512,7 @@ this in order to know the password.
@include 'db-secrets-credential-types.mdx'
### Sample Payload
### Sample payload
```json
{
@@ -525,7 +525,7 @@ this in order to know the password.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -535,7 +535,7 @@ $ curl \
http://127.0.0.1:8200/v1/database/static-roles/my-static-role
```
## Read Static Role
## Read static role
This endpoint queries the static role definition.
@@ -548,7 +548,7 @@ This endpoint queries the static role definition.
- `name` `(string: <required>)` Specifies the name of the static role to read.
This is specified as part of the URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -556,7 +556,7 @@ $ curl \
http://127.0.0.1:8200/v1/database/static-roles/my-static-role
```
### Sample Response
### Sample response
```json
{
@@ -572,7 +572,7 @@ $ curl \
}
```
## List Static Roles
## List static roles
This endpoint returns a list of available static roles. Only the role names are
returned, not any values.
@@ -581,7 +581,7 @@ returned, not any values.
| :----- | :----------------------- |
| `LIST` | `/database/static-roles` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -590,7 +590,7 @@ $ curl \
http://127.0.0.1:8200/v1/database/static-roles
```
### Sample Response
### Sample response
```json
{
@@ -601,7 +601,7 @@ $ curl \
}
```
## Delete Static Role
## Delete static role
This endpoint deletes the static role definition. The user, having been defined externally,
must be cleaned up manually.
@@ -615,7 +615,7 @@ must be cleaned up manually.
- `name` `(string: <required>)` Specifies the name of the static role to
delete. This is specified as part of the URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -624,7 +624,7 @@ $ curl \
http://127.0.0.1:8200/v1/database/static-roles/my-role
```
## Get Static Credentials
## Get static credentials
This endpoint returns the current credentials based on the named static role.
@@ -637,7 +637,7 @@ This endpoint returns the current credentials based on the named static role.
- `name` `(string: <required>)` Specifies the name of the static role to get
credentials for. This is specified as part of the URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -645,7 +645,7 @@ $ curl \
http://127.0.0.1:8200/v1/database/static-creds/my-static-role
```
### Sample Response
### Sample response
```json
{
@@ -659,7 +659,7 @@ $ curl \
}
```
## Rotate Static Role Credentials
## Rotate static role credentials
This endpoint is used to rotate the Static Role credentials stored for a given
role name. While Static Roles are rotated automatically by Vault at configured
@@ -675,7 +675,7 @@ change the stored password and reset the TTL of the Static Role's password.
- `name` `(string: <required>)` Specifies the name of the Static Role to
trigger the password rotation for. The name is specified as part of the URL.
### Sample Request
### Sample request
```shell-session
$ curl \


@@ -6,7 +6,7 @@ description: >-
credentials to access Influxdb servers.
---
# Influxdb Database Plugin HTTP API
# Influxdb database plugin HTTP API
@include 'x509-sha1-deprecation.mdx'
@@ -14,7 +14,7 @@ The Influxdb database plugin is one of the supported plugins for the database
secrets engine. This plugin generates database credentials dynamically based on
configured roles for the Influxdb database.
## Configure Connection
## Configure connection
In addition to the parameters defined by the [Database
Secrets Engine](/vault/api-docs/secret/databases#configure-connection), this plugin
@@ -80,7 +80,7 @@ certificate, an issuing CA certificate, or both. `pem_json` should contain the
same information; for convenience, the JSON format is the same as that output by
the issue command from the PKI secrets engine.
### Sample Payload
### Sample payload
```json
{
@@ -92,7 +92,7 @@ the issue command from the PKI secrets engine.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \


@@ -6,7 +6,7 @@ description: >-
credentials to access MongoDB servers.
---
# MongoDB Database Plugin HTTP API
# MongoDB database plugin HTTP API
@include 'x509-sha1-deprecation.mdx'
@@ -14,7 +14,7 @@ The MongoDB database plugin is one of the supported plugins for the database
secrets engine. This plugin generates database credentials dynamically based on
configured roles for the MongoDB database.
## Configure Connection
## Configure connection
In addition to the parameters defined by the [Database
Backend](/vault/api-docs/secret/databases#configure-connection), this plugin
@@ -75,7 +75,7 @@ has a number of parameters to further configure a connection.
</details>
</details>
### Sample Payload
### Sample payload
```json
{
@@ -88,7 +88,7 @@ has a number of parameters to further configure a connection.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -125,7 +125,7 @@ list the plugin does not support that statement type.
serialized JSON object. The object can optionally contain a `db` string. If no
`db` value is provided, it defaults to the `admin` database.
### Sample Creation Statement
### Sample creation statement
```json
{
@@ -139,7 +139,7 @@ list the plugin does not support that statement type.
}
```
### Sample Revocation Statement
### Sample revocation statement
```json
{


@@ -5,13 +5,13 @@ description: |-
The MongoDB Atlas plugin for Vault's Database Secrets Engine generates MongoDB Database User credentials for MongoDB Atlas.
---
# MongoDB Atlas Database Plugin HTTP API
# MongoDB atlas database plugin HTTP API
The MongoDB Atlas plugin is one of the supported plugins for the Database
Secrets Engine. This plugin generates MongoDB Atlas Database User credentials dynamically based on
configured roles.
## Configure Connection
## Configure connection
In addition to the parameters defined by the [Database
Backend](/vault/api-docs/secret/databases#configure-connection), this plugin
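Review bot: `Atlas` is part of the product name `MongoDB Atlas` and should not be lowercased in `# MongoDB atlas database plugin HTTP API`; the unchanged body text directly below still reads "The MongoDB Atlas plugin", and the front-matter description says "MongoDB Atlas". Suggest `# MongoDB Atlas database plugin HTTP API`.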
@@ -30,7 +30,7 @@ has a number of parameters to further configure a connection.
dynamic usernames are generated.
### Sample Payload
### Sample payload
```json
{
@@ -42,7 +42,7 @@ has a number of parameters to further configure a connection.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -84,7 +84,7 @@ list the plugin does not support that statement type.
is allowed to be less than the mount max TTL (or, if not set, the system max TTL),
but it is not allowed to be longer. See also [The TTL General Case](/vault/docs/concepts/tokens#the-general-case).
### Sample Creation Statement
### Sample creation statement
```json
{


@@ -6,13 +6,13 @@ description: >-
credentials to access MSSQL servers.
---
# MSSQL Database Plugin HTTP API
# MSSQL database plugin HTTP API
The MSSQL database plugin is one of the supported plugins for the database
secrets engine. This plugin generates database credentials dynamically based on
configured roles for the MSSQL database.
## Configure Connection
## Configure connection
In addition to the parameters defined by the [Database
Backend](/vault/api-docs/secret/databases#configure-connection), this plugin
@@ -80,7 +80,7 @@ has a number of parameters to further configure a connection.
</details>
</details>
### Sample Payload
### Sample payload
```json
{
@@ -94,7 +94,7 @@ has a number of parameters to further configure a connection.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \


@@ -6,7 +6,7 @@ description: >-
database credentials to access MySQL and MariaDB servers.
---
# MySQL/MariaDB Database Plugin HTTP API
# MySQL/MariaDB database plugin HTTP API
@include 'x509-sha1-deprecation.mdx'
@@ -14,7 +14,7 @@ The MySQL database plugin is one of the supported plugins for the database
secrets engine. This plugin generates database credentials dynamically based on
configured roles for the MySQL database.
## Configure Connection
## Configure connection
In addition to the parameters defined by the [Database
Backend](/vault/api-docs/secret/databases#configure-connection), this plugin
@@ -121,7 +121,7 @@ has a number of parameters to further configure a connection.
</details>
</details>
### Sample Payload
### Sample payload
```json
{
@@ -135,7 +135,7 @@ has a number of parameters to further configure a connection.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \


@@ -6,13 +6,13 @@ description: >-
credentials to access Oracle servers.
---
# Oracle Database Plugin HTTP API
# Oracle database plugin HTTP API
The Oracle database plugin is one of the supported plugins for the database
secrets engine. This plugin generates database credentials dynamically based on
configured roles for the Oracle database.
## Configure Connection
## Configure connection
In addition to the parameters defined by the [Database
Backend](/vault/api-docs/secret/databases#configure-connection), this plugin
@@ -73,7 +73,7 @@ has a number of parameters to further configure a connection.
</details>
</details>
### Sample Payload
### Sample payload
```json
{
@@ -87,7 +87,7 @@ has a number of parameters to further configure a connection.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \


@@ -6,13 +6,13 @@ description: >-
credentials to access PostgreSQL servers.
---
# PostgreSQL Database Plugin HTTP API
# PostgreSQL database plugin HTTP API
The PostgreSQL database plugin is one of the supported plugins for the database
secrets engine. This plugin generates database credentials dynamically based on
configured roles for the PostgreSQL database.
## Configure Connection
## Configure connection
In addition to the parameters defined by the [Database
Backend](/vault/api-docs/secret/databases#configure-connection), this plugin
@@ -89,7 +89,7 @@ has a number of parameters to further configure a connection.
</details>
</details>
### Sample Payload with URI-format Connection String
### Sample payload with URI-format connection string
```json
{
@@ -103,7 +103,7 @@ has a number of parameters to further configure a connection.
}
```
### Sample Payload with Keyword/Value-format Connection String
### Sample payload with Keyword/Value-format connection string
```json
{
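Review bot: the new heading `### Sample payload with Keyword/Value-format connection string` is only half converted: `Keyword/Value` is not a proper noun, so sentence case would be `### Sample payload with keyword/value-format connection string`, matching the `URI-format` heading above where only the acronym stays upper-case.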
@@ -117,7 +117,7 @@ has a number of parameters to further configure a connection.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -127,7 +127,7 @@ $ curl \
http://127.0.0.1:8200/v1/database/config/postgresql
```
### Connection Strings with Multiple Hosts
### Connection strings with multiple hosts
Postgres supports multiple hosts in the connection string. An example use-case for this might be having
Postgres set up with Replication Manager. However, there are some formatting rules to consider when using
@@ -135,7 +135,7 @@ this feature. Please refer to the ["Specifying Multiple Hosts" section of the
official Postgres documentation](https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING)
for more information. Below are two small examples.
#### URI-format Multi-Host String:
#### URI-format Multi-Host string:
```json
{
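Review bot: `Multi-Host` is left in title case while `string` is lowercased in `#### URI-format Multi-Host string:`; for sentence case this should be `#### URI-format multi-host string`. The trailing colon is also unusual for a heading, none of the other headings touched by this patch carry one.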
@@ -143,7 +143,7 @@ for more information. Below are two small examples.
}
```
#### Keyword/Value-format Multi-Host String:
#### Keyword/Value-format Multi-Host string:
```json
{
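Review bot: same as the URI-format heading above: `#### Keyword/Value-format Multi-Host string:` should become `#### Keyword/Value-format multi-host string` (or `keyword/value-format` for full sentence case), without the trailing colon.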


@@ -6,13 +6,13 @@ description: >-
to access Redis servers.
---
# Redis Database Plugin HTTP API
# Redis database plugin HTTP API
The Redis database plugin is one of the supported plugins for the database
secrets engine. This plugin generates database credentials dynamically based on
configured roles for the Redis database.
## Configure Connection
## Configure connection
In addition to the parameters defined by the [Database
Secrets Engine](/vault/api-docs/secret/databases#configure-connection), this plugin
@@ -37,7 +37,7 @@ has a number of parameters to further configure a connection.
- `insecure_tls` `(bool: false)` Specifies whether to skip verification of the
server certificate when using TLS.
### Sample Payload
### Sample payload
```json
{
@@ -49,7 +49,7 @@ server certificate when using TLS.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \

View File

@@ -5,13 +5,13 @@ description: >-
The Redis ElastiCache plugin for Vault's database secrets engine generates new passwords for ElastiCache users.
---
# Redis ElastiCache Database Plugin HTTP API
# Redis ElastiCache database plugin HTTP API
The Redis ElastiCache database plugin is one of the supported plugins for the database
secrets engine. This plugin generates static database credentials based on
configured roles for the Redis ElastiCache database.
## Configure Connection
## Configure connection
In addition to the parameters defined by the [Database
Secrets Engine](/vault/api-docs/secret/databases#configure-connection), this plugin
@@ -34,13 +34,13 @@ If omitted, authentication falls back on the AWS credentials provider chain and
- `region` `(string)` Specifies the AWS region where to ElastiCache cluster is provisioned. If omitted, falls back on
the context from the environment.
### Deprecated Parameters
### Deprecated parameters
- `username` `(string)` Use `access_key_id` instead, it is strictly equivalent.
- `password` `(string)` Use `secret_access_key` instead, it is strictly equivalent.
### Sample Payload
### Sample payload
```json
{
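Review bot: the `region` description in this hunk's context reads "where to ElastiCache cluster is provisioned"; "to" should be "the". Since the hunk already touches this block, the typo is worth fixing in the same commit. The two deprecated-parameter lines are also comma splices ("Use `access_key_id` instead, it is strictly equivalent."); a semicolon or a full stop after "instead" would read better.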
@@ -53,7 +53,7 @@ the context from the environment.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \

View File

@@ -6,13 +6,13 @@ description: >-
credentials to access the AWS Redshift service.
---
# Redshift Database Plugin HTTP API
# Redshift database plugin HTTP API
The Redshift database plugin is one of the supported plugins for the database
secrets engine. This plugin generates database credentials dynamically based on
configured roles for the Redshift database.
## Configure Connection
## Configure connection
In addition to the parameters defined by the [Database
Backend](/vault/api-docs/secret/databases#configure-connection), this plugin
@@ -50,7 +50,7 @@ has a number of parameters to further configure a connection.
and password fields. See the [databases secrets engine docs](/vault/docs/secrets/databases#disable-character-escaping)
for more information. Defaults to `false`.
### Sample Payload
### Sample payload
```json
{
@@ -64,7 +64,7 @@ has a number of parameters to further configure a connection.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \

View File

@@ -6,13 +6,13 @@ description: >-
credentials to access Snowflake servers.
---
# Snowflake Database Plugin HTTP API
# Snowflake database plugin HTTP API
The Snowflake database plugin is one of the supported plugins for the database
secrets engine. This plugin generates database credentials dynamically based on
configured roles for the Snowflake database.
## Configure Connection
## Configure connection
In addition to the parameters defined by the [Database
Backend](/vault/api-docs/secret/databases#configure-connection), this plugin
@@ -50,7 +50,7 @@ has a number of parameters to further configure a connection.
and password fields. See the [databases secrets engine docs](/vault/docs/secrets/databases#disable-character-escaping)
for more information. Defaults to `false`.
### Sample Payload
### Sample payload
```json
{
@@ -64,7 +64,7 @@ has a number of parameters to further configure a connection.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \

View File

@@ -4,7 +4,7 @@ page_title: Google Cloud - Secrets Engines - HTTP API
description: This is the API documentation for the Vault Google Cloud secrets engine.
---
# Google Cloud Secrets Engine (API)
# Google Cloud secrets engine (API)
This is the API documentation for the Vault Google Cloud Platform (GCP)
secrets engine. For general information about the usage and operation of
@@ -14,7 +14,7 @@ This documentation assumes the GCP secrets engine is enabled at the `/gcp` path
in Vault. Since it is possible to mount secrets engines at any path, please
update your API calls accordingly.
## Write Config
## Write config
| Method | Path |
| :----- | :------------ |
@@ -35,7 +35,7 @@ This endpoint configures shared information for the secrets engine.
- `max_ttl` (`int: 0 || string:"0s"`) Specifies the maximum config TTL for long-lived credentials
(i.e. service account keys). Uses [duration format strings](/vault/docs/concepts/duration-format).\*\*
### Sample Payload
### Sample payload
```json
{
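Review bot: the `max_ttl` description in the context lines ends with a stray escaped `\*\*` after the duration-format link, which renders as literal asterisks; it looks like leftover bold markup and should be removed while this block is being edited.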
@@ -45,7 +45,7 @@ This endpoint configures shared information for the secrets engine.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -55,7 +55,7 @@ $ curl \
https://127.0.0.1:8200/v1/gcp/config
```
## Rotate Root Credentials
## Rotate root credentials
Request to rotate the GCP service account credentials used by Vault
for this mount. A new key will be generated for the service account,
@@ -72,7 +72,7 @@ account keys.
| :----- | :------------------------ |
| `POST` | `/gcp/config/rotate-root` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -81,7 +81,7 @@ $ curl \
https://127.0.0.1:8200/v1/gcp/config/rotate-root
```
## Read Config
## Read config
| Method | Path |
| :----- | :------------ |
@@ -89,7 +89,7 @@ $ curl \
Credentials will be omitted from returned data.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -98,7 +98,7 @@ $ curl \
https://127.0.0.1:8200/v1/gcp/config
```
### Sample Response
### Sample response
```json
{
@@ -109,7 +109,7 @@ $ curl \
}
```
## Create/Update Roleset
## Create/Update roleset
| Method | Path |
| :----- | :------------------- |
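Review bot: `## Create/Update roleset` lowercases "roleset" but leaves "Update" capitalized after the slash; strict sentence case would be `## Create/update roleset`. The same pattern recurs later in this file in the `Create/Update static account`, `Create/Update impersonated account` and `Revoking/Renewing secrets` hunks, so whichever form is chosen should be applied to all four consistently.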
@@ -129,7 +129,7 @@ generated under this roleset.**
- `bindings` (`string: <required>`): Bindings configuration string (expects HCL or JSON format in raw or base64-encoded string)
- `token_scopes` (`array: []`): List of OAuth scopes to assign to `access_token` secrets generated under this role set (`access_token` role sets only)
### Sample Payload
### Sample payload
```json
{
@@ -143,7 +143,7 @@ generated under this roleset.**
}
```
#### Sample Bindings:
#### Sample bindings:
See [bindings format docs](/vault/docs/secrets/gcp#bindings) for more information.
@@ -168,7 +168,7 @@ resource "https://selflink/to/my/resource" {
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -178,7 +178,7 @@ $ curl \
https://127.0.0.1:8200/v1/gcp/roleset/my-token-roleset
```
## Rotate Roleset Account
## Rotate roleset account
| Method | Path | |
| :----- | :-------------------------- | ------------------ |
@@ -189,7 +189,7 @@ This will rotate the service account this roleset uses to generate secrets.
old secrets generated by the roleset or fix issues if a roleset's service account
(and/or keys) was changed outside of Vault (i.e. through GCP APIs/cloud console).
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -198,7 +198,7 @@ $ curl \
https://127.0.0.1:8200/v1/gcp/roleset/my-token-roleset/rotate
```
## Rotate Roleset Account Key (`access_token` Roleset Only)
## Rotate roleset account key (`access_token` roleset only)
| Method | Path | |
| :----- | :------------------------------ | ------------------ |
@@ -207,7 +207,7 @@ $ curl \
This will rotate the service account key this roleset uses to generate
access tokens. This does not recreate the roleset service account.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -216,7 +216,7 @@ $ curl \
https://127.0.0.1:8200/v1/gcp/roleset/my-token-roleset/rotate-key
```
## Read Roleset
## Read roleset
| Method | Path |
| :----- | :------------------- |
@@ -226,7 +226,7 @@ $ curl \
- `name` (`string:<required>`): Name of the roleset to read.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -235,7 +235,7 @@ $ curl \
https://127.0.0.1:8200/v1/gcp/roleset/my-token-roleset
```
### Sample Response
### Sample response
```json
{
@@ -255,13 +255,13 @@ $ curl \
}
```
## List Rolesets
## List rolesets
| Method | Path |
| :----- | :-------------- |
| `LIST` | `/gcp/rolesets` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -270,7 +270,7 @@ $ curl \
https://127.0.0.1:8200/v1/gcp/rolesets
```
### Sample Response
### Sample response
```json
{
@@ -280,7 +280,7 @@ $ curl \
}
```
## Delete Roleset
## Delete roleset
This endpoint deletes an existing roleset by the given name.
@@ -292,7 +292,7 @@ This endpoint deletes an existing roleset by the given name.
- `name` (`string:<required>`): Name of the roleset to delete.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -301,7 +301,7 @@ $ curl \
https://127.0.0.1:8200/v1/gcp/roleset/my-token-roleset
```
## Create/Update Static Account
## Create/Update static account
| Method | Path |
| :----- | :-------------------------- |
@@ -321,7 +321,7 @@ generated under this static account.**
- `bindings` (`string`): Bindings configuration string (expects HCL or JSON format in raw or base64-encoded string). Optional.
- `token_scopes` (`array: []`): List of OAuth scopes to assign to `access_token` secrets generated under this static account (`access_token` static accounts only)
### Sample Payload
### Sample payload
```json
{
@@ -335,7 +335,7 @@ generated under this static account.**
}
```
#### Sample Bindings:
#### Sample bindings:
See [bindings format docs](/vault/docs/secrets/gcp#bindings) for more information.
@@ -360,7 +360,7 @@ resource "https://selflink/to/my/resource" {
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -370,7 +370,7 @@ $ curl \
https://127.0.0.1:8200/v1/gcp/static-account/my-token-account
```
## Rotate Static Account Key (`access_token` Static Account Only)
## Rotate static account key (`access_token` static account only)
| Method | Path | |
| :----- | :------------------------------ | ------------------------- |
@@ -379,7 +379,7 @@ $ curl \
This will rotate the service account key this static account uses to generate
access tokens. This does not recreate the service account.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -388,7 +388,7 @@ $ curl \
https://127.0.0.1:8200/v1/gcp/static-account/my-token-account/rotate-key
```
## Read Static Account
## Read static account
| Method | Path |
| :----- | :-------------------------- |
@@ -401,7 +401,7 @@ $ curl \
This endpoint will only return bindings that are managed through the secrets engine. Bindings
manually managed outside of Vault will not be returned.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -410,7 +410,7 @@ $ curl \
https://127.0.0.1:8200/v1/gcp/static-account/my-token-account
```
### Sample Response
### Sample response
```json
{
@@ -430,13 +430,13 @@ $ curl \
}
```
## List Static Accounts
## List static accounts
| Method | Path |
| :----- | :--------------------- |
| `LIST` | `/gcp/static-accounts` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -445,7 +445,7 @@ $ curl \
https://127.0.0.1:8200/v1/gcp/static-accounts
```
### Sample Response
### Sample response
```json
{
@@ -455,7 +455,7 @@ $ curl \
}
```
## Delete Static Account
## Delete static account
This endpoint deletes an existing static account by the given name.
@@ -467,7 +467,7 @@ This endpoint deletes an existing static account by the given name.
- `name` (`string:<required>`): Name of the static account to delete.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -476,7 +476,7 @@ $ curl \
https://127.0.0.1:8200/v1/gcp/static-account/my-token-account
```
## Create/Update Impersonated Account
## Create/Update impersonated account
| Method | Path |
| :----- | :-------------------------------- |
@@ -495,7 +495,7 @@ impersonated account.
- `ttl` (`duration: ""`): Lifetime of the token generated. Defaults to 1 hour and
is limited to a maximum of 12 hours. Uses [duration format strings](/vault/docs/concepts/duration-format).
### Sample Payload
### Sample payload
```json
{
@@ -508,7 +508,7 @@ impersonated account.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -518,7 +518,7 @@ $ curl \
https://127.0.0.1:8200/v1/gcp/impersonated-account/my-token-impersonate
```
## Read Impersonated Account
## Read impersonated account
| Method | Path |
| :----- | :-------------------------------- |
@@ -528,7 +528,7 @@ $ curl \
- `name` (`string:<required>`): Name of the impersonated account to read.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -537,7 +537,7 @@ $ curl \
https://127.0.0.1:8200/v1/gcp/impersonated-account/my-token-impersonate
```
### Sample Response
### Sample response
```json
{
@@ -552,7 +552,7 @@ $ curl \
},
}
```
## List Impersonated Accounts
## List impersonated accounts
This endpoint lists the configured Vault roles for impersonated accounts.
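Review bot: the sample response in this hunk's context closes with `},` followed by `}`, i.e. a trailing comma before the final brace. That is not valid JSON and will fail for anyone who pastes the sample into a parser; drop the comma on the `},` line.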
@@ -560,7 +560,7 @@ This endpoint lists the configured Vault roles for impersonated accounts.
| :----- | :--------------------- |
| `LIST` | `/gcp/impersonated-accounts` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -569,7 +569,7 @@ $ curl \
https://127.0.0.1:8200/v1/gcp/impersonated-accounts
```
### Sample Response
### Sample response
```json
{
@@ -582,7 +582,7 @@ $ curl \
}
```
## Delete Impersonated Account
## Delete impersonated account
This endpoint deletes an existing impersonated account by the given name.
@@ -594,7 +594,7 @@ This endpoint deletes an existing impersonated account by the given name.
- `name` (`string:<required>`): Name of the impersonated account to delete.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -603,7 +603,7 @@ $ curl \
https://127.0.0.1:8200/v1/gcp/impersonated-account/my-token-impersonate
```
## Generate Secret (IAM Service Account Creds): OAuth2 Access Token
## Generate secret (IAM service account creds): OAuth2 access token
| Method | Path |
| :------------- | :------------------------------------------------------ |
@@ -627,7 +627,7 @@ do not apply.
- `impersonated-account` (`string:<required>`): Name of the impersonated account to
generate access_token_under.
### Sample Request
### Sample request
**Roleset:**
```shell-session
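Review bot: the `impersonated-account` parameter description in the context lines reads "generate access_token_under.", which looks like an underscore typed in place of a space; it should read "generate the access_token under."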
@@ -653,7 +653,7 @@ $ curl \
https://127.0.0.1:8200/v1/gcp/impersonated-account/my-token-impersonate/token
```
### Sample Response
### Sample response
```json
{
@@ -669,7 +669,7 @@ $ curl \
}
```
## Generate Secret (IAM Service Account Creds): Service Account Key
## Generate secret (IAM service account creds): service account key
| Method | Path |
| :------------- | :---------------------------------------- |
@@ -695,7 +695,7 @@ or the system default if config was not defined.
Accepted values are `enum(`[`ServiceAccountPrivateKeyType`](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys#ServiceAccountPrivateKeyType)`)`
- `ttl` (`string: ""`): Specifies the Time To Live value provided using a [duration format string](/vault/docs/concepts/duration-format). If not set, uses the system default value.
### Sample Payload
### Sample payload
```json
{
@@ -704,7 +704,7 @@ or the system default if config was not defined.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -721,7 +721,7 @@ $ curl \
https://127.0.0.1:8200/v1/gcp/roleset/my-key-roleset/key
```
### Sample Response
### Sample response
```json
{
@@ -740,7 +740,7 @@ $ curl \
}
```
## Revoking/Renewing Secrets
## Revoking/Renewing secrets
See docs on how to [renew](/vault/api-docs/system/leases#renew-lease) and [revoke](/vault/api-docs/system/leases#revoke-lease) leases.
Note this only applies to service account keys.

View File

@@ -4,7 +4,7 @@ page_title: Google Cloud KMS - Secrets Engines - HTTP API
description: This is the API documentation for the Vault Google Cloud KMS secrets engine.
---
# Google Cloud KMS Secrets Engine (API)
# Google Cloud KMS secrets engine (API)
This is the API documentation for the Vault Google Cloud KMS secrets engine. For
general information about the usage and operation of the Google Cloud KMS
@@ -15,7 +15,7 @@ This documentation assumes the Google Cloud KMS secrets engine is enabled at the
`/gcpkms` path in Vault. Since it is possible to enable secrets engines at any
location, please update your API calls accordingly.
## Configure Credentials
## Configure credentials
This endpoint configures the Google Cloud KMS secrets engine with credentials
and manages the requested scope(s) for authentication.
@@ -24,7 +24,7 @@ and manages the requested scope(s) for authentication.
| :----- | :-------------- |
| `POST` | `gcpkms/config` |
### Example Policy
### Example policy
```hcl
path "gcpkms/config" {
@@ -42,7 +42,7 @@ path "gcpkms/config" {
The list of full-URL scopes to request when authenticating. By default, this
requests https://www.googleapis.com/auth/cloudkms.
### Sample Payload
### Sample payload
```json
{
@@ -50,7 +50,7 @@ path "gcpkms/config" {
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -60,7 +60,7 @@ $ curl \
https://127.0.0.1:8200/v1/gcpkms/config
```
## Read Configuration
## Read configuration
This endpoint returns the configuration endpoint for the Google Cloud KMS
secrets engine. The credentials are not returned.
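Review bot: "This endpoint returns the configuration endpoint for the Google Cloud KMS secrets engine" is circular; the endpoint returns the configuration, not an endpoint. Suggest "This endpoint returns the configuration of the Google Cloud KMS secrets engine. The credentials are not returned."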
@@ -69,7 +69,7 @@ secrets engine. The credentials are not returned.
| :----- | :-------------- |
| `GET` | `gcpkms/config` |
### Example Policy
### Example policy
```hcl
path "gcpkms/config" {
@@ -77,7 +77,7 @@ path "gcpkms/config" {
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -86,7 +86,7 @@ $ curl \
https://127.0.0.1:8200/v1/gcpkms/config
```
### Sample Response
### Sample response
```json
{
@@ -96,7 +96,7 @@ $ curl \
}
```
## Delete Configuration
## Delete configuration
This endpoint deletes any configuration for the Google Cloud KMS secrets engine.
If there is no configuration, the endpoint still returns successfully.
@@ -105,7 +105,7 @@ If there is no configuration, the endpoint still returns successfully.
| :------- | :-------------- |
| `DELETE` | `gcpkms/config` |
### Example Policy
### Example policy
```hcl
path "gcpkms/config" {
@@ -113,7 +113,7 @@ path "gcpkms/config" {
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -122,7 +122,7 @@ $ curl \
https://127.0.0.1:8200/v1/gcpkms/config
```
## Decrypt Ciphertext
## Decrypt ciphertext
This endpoint uses the named encryption key to decrypt the ciphertext string. For symmetric key types, the provided ciphertext must come from a previous invocation of the `/encrypt` endpoint. For asymmetric key types, the provided ciphertext must be from the encrypt operation against the corresponding key version's public key.
@@ -130,7 +130,7 @@ This endpoint uses the named encryption key to decrypt the ciphertext string. Fo
| :----- | :-------------------- |
| `POST` | `gcpkms/decrypt/:key` |
### Example Policy
### Example policy
```hcl
path "gcpkms/decrypt/my-key" {
@@ -158,7 +158,7 @@ path "gcpkms/decrypt/my-key" {
required for asymmetric keys. For symmetric keys, Cloud KMS will choose the
correct version automatically.
### Sample Payload
### Sample payload
```json
{
@@ -166,7 +166,7 @@ path "gcpkms/decrypt/my-key" {
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -176,7 +176,7 @@ $ curl \
https://127.0.0.1:8200/v1/gcpkms/decrypt/my-key
```
### Sample Response
### Sample response
```json
{
@@ -186,7 +186,7 @@ $ curl \
}
```
## Encrypt Plaintext
## Encrypt plaintext
This endpoint uses the named encryption key to encrypt arbitrary plaintext
string data. The response will be base64-encoded encrypted ciphertext.
@@ -195,7 +195,7 @@ string data. The response will be base64-encoded encrypted ciphertext.
| :----- | :-------------------- |
| `POST` | `gcpkms/encrypt/:key` |
### Example Policy
### Example policy
```hcl
path "gcpkms/encrypt/my-key" {
@@ -223,7 +223,7 @@ path "gcpkms/encrypt/my-key" {
is limited. See the Google Cloud KMS documentation for information on size
limitations by key types.
### Sample Payload
### Sample payload
```json
{
@@ -231,7 +231,7 @@ path "gcpkms/encrypt/my-key" {
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -241,7 +241,7 @@ $ curl \
https://127.0.0.1:8200/v1/gcpkms/encrypt/my-key
```
### Sample Response
### Sample response
```json
{
@@ -252,7 +252,7 @@ $ curl \
}
```
## Re-Encrypt Existing Ciphertext
## Re-Encrypt existing ciphertext
This endpoint uses the named encryption key to re-encrypt the underlying
cryptokey to the latest version for this ciphertext without disclosing the
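Review bot: `## Re-Encrypt existing ciphertext` keeps a capital inside the hyphenated word; sentence case for a hyphenated compound is `## Re-encrypt existing ciphertext`, which also lines up with the `gcpkms/reencrypt/:key` path shown in the next hunk.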
@@ -263,7 +263,7 @@ Vault's transit secrets engine.
| :----- | :---------------------- |
| `POST` | `gcpkms/reencrypt/:key` |
### Example Policy
### Example policy
```hcl
path "gcpkms/reencrypt/my-key" {
@@ -289,7 +289,7 @@ path "gcpkms/reencrypt/my-key" {
Integer version of the crypto key version to use for re-encryption. If unspecified,
this defaults to the latest active crypto key version.
### Sample Payload
### Sample payload
```json
{
@@ -297,7 +297,7 @@ path "gcpkms/reencrypt/my-key" {
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -307,7 +307,7 @@ $ curl \
https://127.0.0.1:8200/v1/gcpkms/reencrypt/my-key
```
### Sample Response
### Sample response
```json
{
@@ -318,7 +318,7 @@ $ curl \
}
```
## Sign Digest
## Sign digest
This endpoint uses the named encryption key to sign digest string data. The
response will include the base64-encoded signature.
@@ -327,7 +327,7 @@ response will include the base64-encoded signature.
| :----- | :----------------- |
| `POST` | `gcpkms/sign/:key` |
### Example Policy
### Example policy
```hcl
path "gcpkms/sign/my-key" {
@@ -353,7 +353,7 @@ path "gcpkms/sign/my-key" {
$ openssl dgst -sha256 -binary /my/file | base64
```
### Sample Payload
### Sample payload
```json
{
@@ -362,7 +362,7 @@ path "gcpkms/sign/my-key" {
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -372,7 +372,7 @@ $ curl \
https://127.0.0.1:8200/v1/gcpkms/sign/my-key
```
### Sample Response
### Sample response
```json
{
@@ -382,7 +382,7 @@ $ curl \
}
```
## Verify Digest
## Verify digest
This endpoint uses the named encryption key to verify a signature and digest
string data.
@@ -391,7 +391,7 @@ string data.
| :----- | :------------------- |
| `POST` | `gcpkms/verify/:key` |
### Example Policy
### Example policy
```hcl
path "gcpkms/verify/my-key" {
@@ -420,7 +420,7 @@ path "gcpkms/verify/my-key" {
- `signature` (`string: <required>`) -
Signature of the digest as returned from a signing operation.
### Sample Payload
### Sample payload
```json
{
@@ -430,7 +430,7 @@ path "gcpkms/verify/my-key" {
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -440,7 +440,7 @@ $ curl \
https://127.0.0.1:8200/v1/gcpkms/verify/my-key
```
### Sample Response
### Sample response
```json
{
@@ -450,7 +450,7 @@ $ curl \
}
```
## List Keys
## List keys
This endpoint lists the named keys available for use in Vault. It does not list
all Google Cloud KMS keys.
@@ -459,7 +459,7 @@ all Google Cloud KMS keys.
| :----- | :------------ |
| `LIST` | `gcpkms/keys` |
### Example Policy
### Example policy
```hcl
path "gcpkms/keys" {
@@ -467,7 +467,7 @@ path "gcpkms/keys" {
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -476,7 +476,7 @@ $ curl \
https://127.0.0.1:8200/v1/gcpkms/keys
```
### Sample Response
### Sample response
```json
{
@@ -496,7 +496,7 @@ Google Cloud KMS key with the given configuration options.
| :----- | :----------------- |
| `POST` | `gcpkms/keys/:key` |
### Example Policy
### Example policy
```hcl
path "gcpkms/keys/my-key" {
@@ -549,7 +549,7 @@ path "gcpkms/keys/my-key" {
| `asymmetric_decrypt` | `rsa_decrypt_oaep_2048_sha256`<br/>`rsa_decrypt_oaep_3072_sha256`<br/>`rsa_decrypt_oaep_4096_sha256` |
| `asymmetric_sign` | `rsa_sign_pss_2048_sha256`<br/>`rsa_sign_pss_3072_sha256`<br/>`rsa_sign_pss_4096_sha256`<br/>`rsa_sign_pkcs1_2048_sha256`<br/>`rsa_sign_pkcs1_3072_sha256`<br/>`rsa_sign_pkcs1_4096_sha256`<br/>`ec_sign_p256_sha256`<br/>`ec_sign_p384_sha384` |
### Sample Payload
### Sample payload
```json
{
@@ -561,7 +561,7 @@ path "gcpkms/keys/my-key" {
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -571,7 +571,7 @@ $ curl \
https://127.0.0.1:8200/v1/gcpkms/keys/my-key
```
## Delete Google Cloud KMS Key
## Delete Google Cloud KMS key
This endpoint deletes a key from both Vault and Google Cloud KMS. This will
disable all crypto key versions for this crypto key in Google Cloud KMS and
@@ -581,7 +581,7 @@ delete Vault's reference to the crypto key.
| :------- | :----------------- |
| `DELETE` | `gcpkms/keys/:key` |
### Example Policy
### Example policy
```hcl
path "gcpkms/keys/my-key" {
@@ -589,7 +589,7 @@ path "gcpkms/keys/my-key" {
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -598,7 +598,7 @@ $ curl \
https://127.0.0.1:8200/v1/gcpkms/keys/my-key
```
## Read Google Cloud KMS Key
## Read Google Cloud KMS key
This endpoint reads data about a Google Cloud KMS crypto key, including the key
status and current primary key version.
@@ -607,7 +607,7 @@ status and current primary key version.
| :----- | :----------------- |
| `GET` | `gcpkms/keys/:key` |
### Example Policy
### Example policy
```hcl
path "gcpkms/keys/my-key" {
@@ -615,7 +615,7 @@ path "gcpkms/keys/my-key" {
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -624,7 +624,7 @@ $ curl \
https://127.0.0.1:8200/v1/gcpkms/keys/my-key
```
### Sample Response
### Sample response
```json
{
@@ -642,7 +642,7 @@ $ curl \
}
```
## Read Vault Key Configuration
## Read Vault key configuration
This endpoint reads data about a Vault's configuration of the key.
@@ -650,7 +650,7 @@ This endpoint reads data about a Vault's configuration of the key.
| :----- | :------------------------ |
| `GET` | `gcpkms/keys/config/:key` |
### Example Policy
### Example policy
```hcl
path "gcpkms/keys/config/my-key" {
@@ -658,7 +658,7 @@ path "gcpkms/keys/config/my-key" {
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -667,7 +667,7 @@ $ curl \
https://127.0.0.1:8200/v1/gcpkms/keys/config/my-key
```
### Sample Response
### Sample response
```json
{
@@ -679,7 +679,7 @@ $ curl \
}
```
## Update Vault Key Configuration
## Update Vault key configuration
This endpoint is used to update Vault's information about an existing key.
@@ -687,7 +687,7 @@ This endpoint is used to update Vault's information about an existing key.
| :----- | :------------------------ |
| `POST` | `gcpkms/keys/config/:key` |
### Example Policy
### Example policy
```hcl
path "gcpkms/keys/my-key" {
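Review bot: the example policy for this endpoint grants `path "gcpkms/keys/my-key"`, but the endpoint documented in the table above is `POST gcpkms/keys/config/:key`; a policy copied from this example would not authorize the update on the config path at all. The read-configuration section earlier in this file uses `path "gcpkms/keys/config/my-key"`, and this example should do the same. Unrelated to the case change, but worth fixing while the file is open.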
@@ -711,7 +711,7 @@ path "gcpkms/keys/my-key" {
greater than the given value are not permitted to be used. If set to 0 or a
negative value, there is no maximum key version.
### Sample Payload
### Sample payload
```json
{
@@ -719,7 +719,7 @@ path "gcpkms/keys/my-key" {
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -729,7 +729,7 @@ $ curl \
https://127.0.0.1:8200/v1/gcpkms/keys/config/my-key
```
## Deregister Crypto Key
## Deregister crypto key
This endpoint deregisters an existing reference Vault has to a crypto key in
Google Cloud KMS. The underlying Google Cloud KMS key remains unchanged.
@@ -738,7 +738,7 @@ Google Cloud KMS. The underlying Google Cloud KMS key remains unchanged.
| :----- | :---------------------------- |
| `POST` | `gcpkms/keys/deregister/:key` |
### Example Policy
### Example policy
```hcl
path "gcpkms/keys/deregister/my-key" {
@@ -746,7 +746,7 @@ path "gcpkms/keys/deregister/my-key" {
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -755,7 +755,7 @@ $ curl \
https://127.0.0.1:8200/v1/gcpkms/keys/deregister/my-key
```
## Register Crypto Key
## Register crypto key
This endpoint registers an existing crypto key in Google Cloud KMS and makes it
available for encryption and decryption in Vault.
@@ -764,7 +764,7 @@ available for encryption and decryption in Vault.
| :----- | :-------------------------- |
| `POST` | `gcpkms/keys/register/:key` |
### Example Policy
### Example policy
```hcl
path "gcpkms/keys/register/my-key" {
@@ -790,7 +790,7 @@ path "gcpkms/keys/register/my-key" {
before creating the storage entry in Vault. Set this to "false" if the key will
not exist at creation time.
### Sample Payload
### Sample payload
```json
{
@@ -799,7 +799,7 @@ path "gcpkms/keys/register/my-key" {
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -809,7 +809,7 @@ $ curl \
https://127.0.0.1:8200/v1/gcpkms/keys/register/my-key
```
## Rotate Crypto Key
## Rotate crypto key
This endpoint rotates a crypto key by creating a new crypto key version for the
corresponding Google Cloud KMS key and updates the new crypto key to be the
@@ -823,7 +823,7 @@ with this key.**
| :----- | :------------------------ |
| `POST` | `gcpkms/keys/rotate/:key` |
### Example Policy
### Example policy
```hcl
path "gcpkms/keys/rotate/my-key" {
@@ -831,7 +831,7 @@ path "gcpkms/keys/rotate/my-key" {
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -840,7 +840,7 @@ $ curl \
https://127.0.0.1:8200/v1/gcpkms/keys/rotate/my-key
```
### Sample Response
### Sample response
```json
{
@@ -850,7 +850,7 @@ $ curl \
}
```
## Trim KMS Key Versions
## Trim KMS key versions
This endpoint deletes old crypto key versions that are older than the key's specified `min_version`.
@@ -860,7 +860,7 @@ This endpoint deletes old crypto key versions that are older than the key's spec
| :----- | :---------------------- |
| `POST` | `gcpkms/keys/trim/:key` |
### Example Policy
### Example policy
```hcl
path "gcpkms/keys/trim/my-key" {
@@ -868,7 +868,7 @@ path "gcpkms/keys/trim/my-key" {
}
```
### Sample Request
### Sample request
```shell-session
$ curl \

View File

@@ -11,7 +11,7 @@ If a user can modify an entity, they can grant it additional privileges through
policies. If a user can modify an alias they can login with, they can bind it to
an entity with higher privileges.
## Create an Entity Alias
## Create an entity alias
~> **IMPORTANT NOTE:** Prior to creating any alias it is important to consider the cardinality of the alias' name,
since there are potential security issues to be aware of. The main one revolves around alias reuse. It is possible
@@ -44,7 +44,7 @@ This endpoint creates a new alias for an entity.
- `custom_metadata` `(map<string|string>: <optional>)` - A map of arbitrary string to string valued
user-provided metadata meant to describe the alias.
### Sample Payload
### Sample payload
```json
{
@@ -57,7 +57,7 @@ This endpoint creates a new alias for an entity.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -67,7 +67,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/entity-alias
```
### Sample Response
### Sample response
```json
{
@@ -78,7 +78,7 @@ $ curl \
}
```
## Read Entity Alias by ID
## Read entity alias by ID
This endpoint queries the entity alias by its identifier.
@@ -90,7 +90,7 @@ This endpoint queries the entity alias by its identifier.
- `id` `(string: <required>)` Identifier of entity alias.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -98,7 +98,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/entity-alias/id/34982d3d-e3ce-5d8b-6e5f-b9bb34246c31
```
### Sample Response
### Sample response
```json
{
@@ -123,7 +123,7 @@ $ curl \
}
```
## Update Entity Alias by ID
## Update entity alias by ID
This endpoint is used to update an existing entity alias.
@@ -148,7 +148,7 @@ This endpoint is used to update an existing entity alias.
- `custom_metadata` `(map<string|string>: <optional>)` - A map of arbitrary string to string valued
user-provided metadata meant to describe the alias.
### Sample Payload
### Sample payload
```json
{
@@ -161,7 +161,7 @@ This endpoint is used to update an existing entity alias.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -171,7 +171,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/entity-alias/id/34982d3d-e3ce-5d8b-6e5f-b9bb34246c31
```
### Sample Response
### Sample response
```json
{
@@ -182,7 +182,7 @@ $ curl \
}
```
## Delete Entity Alias by ID
## Delete entity alias by ID
This endpoint deletes an alias from its corresponding entity.
@@ -194,7 +194,7 @@ This endpoint deletes an alias from its corresponding entity.
- `id` `(string: <required>)` Identifier of the entity alias.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -203,7 +203,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/entity-alias/id/34982d3d-e3ce-5d8b-6e5f-b9bb34246c31
```
## List Entity Aliases by ID
## List entity aliases by ID
This endpoint returns a list of available entity aliases by their identifiers.
@@ -212,7 +212,7 @@ This endpoint returns a list of available entity aliases by their identifiers.
| `LIST` | `/identity/entity-alias/id` |
| `GET` | `/identity/entity-alias/id?list=true` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -221,7 +221,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/entity-alias/id
```
### Sample Response
### Sample response
```json
{


@@ -4,7 +4,7 @@ page_title: 'Identity Secret Backend: Entity - HTTP API'
description: This is the API documentation for managing entities in the identity store.
---
## Create an Entity
## Create an entity
This endpoint creates or updates an Entity.
@@ -27,7 +27,7 @@ This endpoint creates or updates an Entity.
- `disabled` `(bool: false)` Whether the entity is disabled. Disabled
entities' associated tokens cannot be used, but are not revoked.
### Sample Payload
### Sample payload
```json
{
@@ -39,7 +39,7 @@ This endpoint creates or updates an Entity.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -49,7 +49,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/entity
```
### Sample Response
### Sample response
```json
{
@@ -60,7 +60,7 @@ $ curl \
}
```
## Read Entity by ID
## Read entity by ID
This endpoint queries the entity by its identifier.
@@ -72,7 +72,7 @@ This endpoint queries the entity by its identifier.
- `id` `(string: <required>)` Identifier of the entity.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -80,7 +80,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/entity/id/8d6a45e5-572f-8f13-d226-cd0d1ec57297
```
### Sample Response
### Sample response
```json
{
@@ -101,7 +101,7 @@ $ curl \
}
```
## Update Entity by ID
## Update entity by ID
This endpoint is used to update an existing entity.
@@ -118,7 +118,7 @@ This endpoint is used to update an existing entity.
- `disabled` `(bool: false)` Whether the entity is disabled. Disabled
entities' associated tokens cannot be used, but are not revoked.
### Sample Payload
### Sample payload
```json
{
@@ -131,7 +131,7 @@ This endpoint is used to update an existing entity.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -141,7 +141,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/entity/id/8d6a45e5-572f-8f13-d226-cd0d1ec57297
```
### Sample Response
### Sample response
```json
{
@@ -152,7 +152,7 @@ $ curl \
}
```
## Delete Entity by ID
## Delete entity by ID
This endpoint deletes an entity and all its associated aliases.
@@ -164,7 +164,7 @@ This endpoint deletes an entity and all its associated aliases.
- `id` `(string: <required>)` Identifier of the entity.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -173,7 +173,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/entity/id/8d6a45e5-572f-8f13-d226-cd0d1ec57297
```
## Batch Delete Entities
## Batch delete entities
This endpoint deletes all entities provided.
@@ -185,7 +185,7 @@ This endpoint deletes all entities provided.
- `entity_ids` `([]string: <required>)` List of entity identifiers to delete.
### Sample Payload
### Sample payload
```json
{
@@ -201,7 +201,7 @@ This endpoint deletes all entities provided.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -211,7 +211,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/entity/batch-delete
```
## List Entities by ID
## List entities by ID
This endpoint returns a list of available entities by their identifiers.
@@ -220,7 +220,7 @@ This endpoint returns a list of available entities by their identifiers.
| `LIST` | `/identity/entity/id` |
| `GET` | `/identity/entity/id?list=true` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -229,7 +229,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/entity/id
```
### Sample Response
### Sample response
```json
{
@@ -247,7 +247,7 @@ $ curl \
}
```
## Create/Update Entity by Name
## Create/Update entity by name
This endpoint is used to create or update an entity by a given name.
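Review bot: the `+` line keeps `Update` capitalized after the slash (`## Create/Update entity by name`), which is inconsistent with the sentence-case rule applied everywhere else in this patch, including `## Create or update a provider` later in the same change. Suggest `## Create/update entity by name`, or spell it out as `## Create or update entity by name`; the same applies to the group-by-name heading in the groups document.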
@@ -266,7 +266,7 @@ This endpoint is used to create or update an entity by a given name.
- `disabled` `(bool: false)` Whether the entity is disabled. Disabled
entities' associated tokens cannot be used, but are not revoked.
### Sample Payload
### Sample payload
```json
{
@@ -278,7 +278,7 @@ This endpoint is used to create or update an entity by a given name.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -288,7 +288,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/entity/name/testentityname
```
### Sample Response
### Sample response
```json
{
@@ -299,7 +299,7 @@ $ curl \
}
```
## Read Entity by Name
## Read entity by name
This endpoint queries the entity by its name.
@@ -311,7 +311,7 @@ This endpoint queries the entity by its name.
- `name` `(string: <required>)` Name of the entity.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -319,7 +319,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/entity/name/testentityname
```
### Sample Response
### Sample response
```json
{
@@ -343,7 +343,7 @@ $ curl \
}
```
## Delete Entity by Name
## Delete entity by name
This endpoint deletes an entity and all its associated aliases, given the
entity name.
@@ -356,7 +356,7 @@ entity name.
- `name` `(string: <required>)` Name of the entity.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -365,7 +365,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/entity/name/testentityname
```
## List Entities by Name
## List entities by name
This endpoint returns a list of available entities by their names.
@@ -374,7 +374,7 @@ This endpoint returns a list of available entities by their names.
| `LIST` | `/identity/entity/name` |
| `GET` | `/identity/entity/name?list=true` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -383,7 +383,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/entity/name
```
### Sample Response
### Sample response
```json
{
@@ -393,7 +393,7 @@ $ curl \
}
```
## Merge Entities
## Merge entities
This endpoint merges many entities into one entity. Additionally, all groups associated with `from_entity_ids` are merged with those of `to_entity_id`.
Note that if these entities contain aliases sharing the same mount accessor, the merge will fail unless `conflicting_alias_ids_to_keep` is present, and
@@ -424,7 +424,7 @@ information, see the [identity concepts page](/vault/docs/concepts/identity).
the alias ID given in this list will be kept or merged, and the other alias will be deleted.
Note that merges requiring this parameter must have only one from-Entity.
### Sample Payload
### Sample payload
```json
{
@@ -436,7 +436,7 @@ information, see the [identity concepts page](/vault/docs/concepts/identity).
}
```
### Sample Request
### Sample request
```shell-session
$ curl \


@@ -6,7 +6,7 @@ description: >-
store.
---
## Create a Group Alias
## Create a group alias
This endpoint creates or updates a group alias.
@@ -26,7 +26,7 @@ This endpoint creates or updates a group alias.
- `canonical_id` `(string: "")` - ID of the group to which this is an alias.
### Sample Payload
### Sample payload
```json
{
@@ -36,7 +36,7 @@ This endpoint creates or updates a group alias.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -46,7 +46,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/group-alias
```
### Sample Response
### Sample response
```json
{
@@ -57,7 +57,7 @@ $ curl \
}
```
## Update Group Alias by ID
## Update group alias by ID
This endpoint is used to update an existing group alias.
@@ -76,7 +76,7 @@ This endpoint is used to update an existing group alias.
- `canonical_id` `(string: "")` - ID of the group to which this is an alias.
### Sample Payload
### Sample payload
```json
{
@@ -86,7 +86,7 @@ This endpoint is used to update an existing group alias.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -96,7 +96,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/group-alias/id/ca726050-d8ac-6f1f-4210-3b5c5b613824
```
### Sample Response
### Sample response
```json
{
@@ -107,7 +107,7 @@ $ curl \
}
```
## Read Group Alias by ID
## Read group alias by ID
This endpoint queries the group alias by its identifier.
@@ -119,7 +119,7 @@ This endpoint queries the group alias by its identifier.
- `id` `(string: <required>)` ID of the group alias.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -127,7 +127,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/group-alias/id/ca726050-d8ac-6f1f-4210-3b5c5b613824
```
### Sample Response
### Sample response
```json
{
@@ -146,7 +146,7 @@ $ curl \
}
```
## Delete Group Alias by ID
## Delete group alias by ID
This endpoint deletes a group alias.
@@ -158,7 +158,7 @@ This endpoint deletes a group alias.
- `id` `(string: <required>)` ID of the group alias.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -167,7 +167,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/group-alias/id/ca726050-d8ac-6f1f-4210-3b5c5b613824
```
## List Group Alias by ID
## List group alias by ID
This endpoint returns a list of available group aliases by their identifiers.
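Review bot: while this heading is being touched, it is the only list heading in the patch that stays singular: `## List group alias by ID` sits next to `## List entity aliases by ID` and `## List groups by ID`, and the description directly below says "a list of available group aliases". Suggest `## List group aliases by ID`.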
@@ -176,7 +176,7 @@ This endpoint returns a list of available group aliases by their identifiers.
| `LIST` | `/identity/group-alias/id` |
| `GET` | `/identity/group-alias/id?list=true` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -185,7 +185,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/group-alias/id
```
### Sample Response
### Sample response
```json
{


@@ -8,7 +8,7 @@ description: This is the API documentation for managing groups in the identity s
endpoints. If a user can modify group membership, they can add their entity to
a group with higher privileges.
## Create a Group
## Create a group
This endpoint creates or updates a Group.
@@ -38,7 +38,7 @@ This endpoint creates or updates a Group.
- `member_entity_ids` `(list of strings: [])` - Entity IDs to be assigned as
group members.
### Sample Payload
### Sample payload
```json
{
@@ -49,7 +49,7 @@ This endpoint creates or updates a Group.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -59,7 +59,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/group
```
### Sample Response
### Sample response
```json
{
@@ -70,7 +70,7 @@ $ curl \
}
```
## Read Group by ID
## Read group by ID
This endpoint queries the group by its identifier.
@@ -82,7 +82,7 @@ This endpoint queries the group by its identifier.
- `id` `(string: <required>)` Identifier of the group.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -90,7 +90,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/group/id/363926d8-dd8b-c9f0-21f8-7b248be80ce1
```
### Sample Response
### Sample response
```json
{
@@ -112,7 +112,7 @@ $ curl \
}
```
## Update Group by ID
## Update group by ID
This endpoint is used to update an existing group.
@@ -140,7 +140,7 @@ This endpoint is used to update an existing group.
- `member_entity_ids` `(list of strings: [])` - Entity IDs to be assigned as
group members.
### Sample Payload
### Sample payload
```json
{
@@ -152,7 +152,7 @@ This endpoint is used to update an existing group.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -162,7 +162,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/group/id/363926d8-dd8b-c9f0-21f8-7b248be80ce1
```
### Sample Response
### Sample response
```json
{
@@ -173,7 +173,7 @@ $ curl \
}
```
## Delete Group by ID
## Delete group by ID
This endpoint deletes a group.
@@ -185,7 +185,7 @@ This endpoint deletes a group.
- `id` `(string: <required>)` Identifier of the group.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -194,7 +194,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/group/id/363926d8-dd8b-c9f0-21f8-7b248be80ce1
```
## List Groups by ID
## List groups by ID
This endpoint returns a list of available groups by their identifiers.
@@ -203,7 +203,7 @@ This endpoint returns a list of available groups by their identifiers.
| `LIST` | `/identity/group/id` |
| `GET` | `/identity/group/id?list=true` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -212,7 +212,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/group/id
```
### Sample Response
### Sample response
```json
{
@@ -229,7 +229,7 @@ $ curl \
}
```
## Create/Update Group by Name
## Create/Update group by name
This endpoint is used to create or update a group by its name.
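Review bot: same inconsistency as the entity-by-name heading: `## Create/Update group by name` leaves `Update` capitalized. Suggest `## Create/update group by name` or `## Create or update group by name`.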
@@ -255,7 +255,7 @@ This endpoint is used to create or update a group by its name.
- `member_entity_ids` `(list of strings: [])` - Entity IDs to be assigned as
group members.
### Sample Payload
### Sample payload
```json
{
@@ -266,7 +266,7 @@ This endpoint is used to create or update a group by its name.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -276,7 +276,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/group/name/testgroupname
```
### Sample Response
### Sample response
```json
{
@@ -292,7 +292,7 @@ $ curl \
}
```
## Read Group by Name
## Read group by name
This endpoint queries the group by its name.
@@ -304,7 +304,7 @@ This endpoint queries the group by its name.
- `name` `(string: <required>)` Name of the group.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -312,7 +312,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/group/name/testgroupname
```
### Sample Response
### Sample response
```json
{
@@ -335,7 +335,7 @@ $ curl \
}
```
## Delete Group by Name
## Delete group by name
This endpoint deletes a group, given its name.
@@ -347,7 +347,7 @@ This endpoint deletes a group, given its name.
- `name` `(string: <required>)` Name of the group.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -356,7 +356,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/group/name/testgroupname
```
## List Groups by Name
## List groups by name
This endpoint returns a list of available groups by their names.
@@ -365,7 +365,7 @@ This endpoint returns a list of available groups by their names.
| `LIST` | `/identity/group/name` |
| `GET` | `/identity/group/name?list=true` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -374,7 +374,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/group/name
```
### Sample Response
### Sample response
```json
{


@@ -4,13 +4,13 @@ page_title: Identity - Secrets Engines - HTTP API
description: This is the API documentation for the Vault Identity secrets engine.
---
# Identity Secrets Engine (API)
# Identity secrets engine (API)
This is the API documentation for the Vault Identity secrets engine. For general
information about the usage and operation of the Identity secrets engine, please
see the [Vault Identity documentation](/vault/docs/secrets/identity).
## API Sections
## API sections
- [Entity](/vault/api-docs/secret/identity/entity)
- [Entity Alias](/vault/api-docs/secret/identity/entity-alias)


@@ -6,7 +6,7 @@ description: |-
store.
---
## Lookup an Entity
## Lookup an entity
This endpoint looks up an entity based on the given criteria. The criteria can
be `name`, `id`, `alias_id`, or a combination of `alias_name` and
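Review bot: drive-by on a heading this patch already rewrites: `Lookup` is the noun form; as a verb the heading should read `## Look up an entity`, matching the description "This endpoint looks up an entity" on the next line. The same applies to the group heading further down in this file.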
@@ -30,7 +30,7 @@ be `name`, `id`, `alias_id`, or a combination of `alias_name` and
- `alias_mount_accessor` `(string: "")` - Accessor of the mount to which the
alias belongs to. This should be supplied in conjunction with `alias_name`.
### Sample Payload
### Sample payload
```json
{
@@ -38,7 +38,7 @@ be `name`, `id`, `alias_id`, or a combination of `alias_name` and
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -48,7 +48,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/lookup/entity
```
### Sample Response
### Sample response
```json
{
@@ -68,7 +68,7 @@ $ curl \
}
```
## Lookup a Group
## Lookup a group
This endpoint looks up a group based on the given criteria. The criteria can
be `name`, `id`, `alias_id`, or a combination of `alias_name` and
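Review bot: same as above, `## Lookup a group` should be `## Look up a group`.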
@@ -92,7 +92,7 @@ be `name`, `id`, `alias_id`, or a combination of `alias_name` and
- `alias_mount_accessor` `(string: "")` - Accessor of the mount to which the
alias belongs to. This should be supplied in conjunction with `alias_name`.
### Sample Payload
### Sample payload
```json
{
@@ -100,7 +100,7 @@ be `name`, `id`, `alias_id`, or a combination of `alias_name` and
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -110,7 +110,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/lookup/group
```
### Sample Response
### Sample response
```json
{


@@ -5,7 +5,7 @@ description: >-
The '/identity/mfa/method/duo' endpoint focuses on managing Duo MFA behaviors in Vault.
---
## Create Duo MFA Method
## Create Duo MFA method
This endpoint creates a new MFA method of type Duo.
@@ -29,7 +29,7 @@ This endpoint creates a new MFA method of type Duo.
- `use_passcode` `(bool: false)` - If true, the user is reminded to use the passcode upon MFA validation.
### Sample Payload
### Sample payload
```json
{
@@ -41,7 +41,7 @@ This endpoint creates a new MFA method of type Duo.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -51,7 +51,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/mfa/method/duo
```
### Sample Response
### Sample response
```json
{
@@ -61,7 +61,7 @@ $ curl \
}
```
## Update Duo MFA Method
## Update Duo MFA method
This endpoint updates the configuration of an MFA method of type Duo.
@@ -75,11 +75,11 @@ This endpoint updates the configuration of an MFA method of type Duo.
- and all of the parameters documented under the preceding "Create" endpoint.
### Sample Payload
### Sample payload
Identical to the preceding "Create" endpoint.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -89,7 +89,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/mfa/method/duo/4194659f-139b-400b-b5dd-86bfb726759d
```
## Read Duo MFA Method
## Read Duo MFA method
This endpoint queries the MFA configuration of Duo type for a given method
ID.
@@ -102,7 +102,7 @@ ID.
- `id` `(string: <required>)` UUID of the MFA method.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -111,7 +111,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/mfa/method/duo/4194659f-139b-400b-b5dd-86bfb726759d
```
### Sample Response
### Sample response
```json
{
@@ -128,7 +128,7 @@ $ curl \
}
```
## Delete Duo MFA Method
## Delete Duo MFA method
This endpoint deletes a Duo MFA method. MFA methods can only be deleted if they're not currently in use
by a [login enforcement](/vault/api-docs/secret/identity/mfa/login-enforcement).
@@ -141,7 +141,7 @@ by a [login enforcement](/vault/api-docs/secret/identity/mfa/login-enforcement).
- `method_id` `(string: <required>)` - UUID of the MFA method.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -150,7 +150,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/mfa/method/duo/4194659f-139b-400b-b5dd-86bfb726759d
```
## List Duo MFA Methods
## List Duo MFA methods
This endpoint lists Duo MFA methods that are visible in the current namespace or in parent namespaces.
@@ -158,7 +158,7 @@ This endpoint lists Duo MFA methods that are visible in the current namespace or
|:-------|:---------------------------|
| `LIST` | `/identity/mfa/method/duo` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -167,7 +167,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/mfa/method/duo
```
### Sample Response
### Sample response
```json
{


@@ -38,7 +38,7 @@ IDs are checked during login. Note that these IDs can be from the current namesp
Note that while none of `auth_method_accessors`, `auth_method_types`, `identity_group_ids`, or `identity_entity_ids` is
individually required, at least one of those four fields must be present to create a login enforcement.
### Sample Payload
### Sample payload
```json
{
@@ -47,7 +47,7 @@ individually required, at least one of those four fields must be present to crea
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -57,7 +57,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/mfa/login-enforcement/foo
```
## Read Login Enforcement
## Read login enforcement
This endpoint reads the login enforcement configuration for a given name.
@@ -69,7 +69,7 @@ This endpoint reads the login enforcement configuration for a given name.
- `name` `(string: <required>)` Name of the login enforcement.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -79,7 +79,7 @@ $ curl \
```
### Sample Response
### Sample response
```json
{
@@ -100,7 +100,7 @@ $ curl \
}
```
## Delete Login Enforcement
## Delete login enforcement
This endpoint deletes a login enforcement configuration by the given name.
@@ -112,7 +112,7 @@ This endpoint deletes a login enforcement configuration by the given name.
- `name` `(string: <required>)` - Name of the login enforcement.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -122,7 +122,7 @@ $ curl \
```
## List Login Enforcements
## List login enforcements
This endpoint lists login enforcements that are visible in the current namespace or in parent namespaces.
@@ -130,7 +130,7 @@ This endpoint lists login enforcements that are visible in the current namespace
|:-------|:----------------------------------|
| `LIST` | `/identity/mfa/login-enforcement` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -140,7 +140,7 @@ $ curl \
```
### Sample Response
### Sample response
```json
{


@@ -5,7 +5,7 @@ description: >-
The '/identity/mfa/method/okta' endpoint focuses on managing Okta MFA behaviors in Vault.
---
## Create Okta MFA Method
## Create okta MFA method
This endpoint creates a new MFA method of type Okta.
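Review bot: the `+` line lowercases a product name: `## Create okta MFA method`. Okta is a proper noun and should keep its capital, as `Duo`, `PingID` and `TOTP` do in the neighbouring documents and as the commit message says for Docker, Google, Foundry and Cloud; the description right below still reads "of type Okta". Suggest `## Create Okta MFA method`. The same slip appears in the update, read, delete and list headings of this file.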
@@ -27,7 +27,7 @@ This endpoint creates a new MFA method of type Okta.
- `primary_email` `(bool: false)` - If set, the username will only match the primary email for the account.
### Sample Payload
### Sample payload
```json
{
@@ -37,7 +37,7 @@ This endpoint creates a new MFA method of type Okta.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -47,7 +47,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/mfa/method/okta
```
### Sample Response
### Sample response
```json
{
@@ -57,7 +57,7 @@ $ curl \
}
```
## Update Okta MFA Method
## Update okta MFA method
This endpoint updates the configuration of an MFA method of type Okta.
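Review bot: same as the create heading, `## Update okta MFA method` should be `## Update Okta MFA method`.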
@@ -71,11 +71,11 @@ This endpoint updates the configuration of an MFA method of type Okta.
- and all of the parameters documented under the preceding "Create" endpoint.
### Sample Payload
### Sample payload
Identical to the preceding "Create" endpoint.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -85,7 +85,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/mfa/method/okta/1db034b5-81f1-4a2b-8c2b-0f51ed0bd9fc
```
## Read Okta MFA Method
## Read okta MFA method
This endpoint queries the MFA configuration of Okta type for a given method
name.
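Review bot: `## Read okta MFA method` should be `## Read Okta MFA method`; the context lines below still say "Okta type".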
@@ -98,7 +98,7 @@ name.
- `method_id` `(string: <required>)` UUID of the MFA method.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -107,7 +107,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/mfa/method/okta/1db034b5-81f1-4a2b-8c2b-0f51ed0bd9fc
```
### Sample Response
### Sample response
```json
{
@@ -122,7 +122,7 @@ $ curl \
}
```
## Delete Okta MFA Method
## Delete okta MFA method
This endpoint deletes a Okta MFA method. The MFA methods can only be deleted if they're not currently in use
by a [login enforcement](/vault/api-docs/secret/identity/mfa/login-enforcement).
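Review bot: `## Delete okta MFA method` should be `## Delete Okta MFA method`. Separately, the unchanged context line below reads "deletes a Okta MFA method"; since this hunk already touches the section, it is a good moment to correct it to "an Okta MFA method".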
@@ -135,7 +135,7 @@ by a [login enforcement](/vault/api-docs/secret/identity/mfa/login-enforcement).
- `method_id` `(string: <required>)` - UUID of the MFA method.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -144,7 +144,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/mfa/method/okta/1db034b5-81f1-4a2b-8c2b-0f51ed0bd9fc
```
## List Okta MFA Methods
## List okta MFA methods
This endpoint lists Okta MFA methods that are visible in the current namespace or in parent namespaces.
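Review bot: `## List okta MFA methods` should be `## List Okta MFA methods`, matching the description "lists Okta MFA methods" on the next line.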
@@ -152,7 +152,7 @@ This endpoint lists Okta MFA methods that are visible in the current namespace o
|:-------|:----------------------------|
| `LIST` | `/identity/mfa/method/okta` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -161,7 +161,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/mfa/method/okta
```
### Sample Response
### Sample response
```json
{


@@ -5,7 +5,7 @@ description: >-
The '/identity/mfa/method/pingid' endpoint focuses on managing PingID MFA behaviors in Vault.
---
## Create PingID MFA Method
## Create PingID MFA method
This endpoint creates an MFA method of type PingID.
@@ -21,7 +21,7 @@ This endpoint creates an MFA method of type PingID.
- `settings_file_base64` `(string: <required>)` - A base64-encoded third-party settings file retrieved from PingID's configuration page.
### Sample Payload
### Sample payload
```json
{
@@ -30,7 +30,7 @@ This endpoint creates an MFA method of type PingID.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -40,7 +40,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/mfa/method/pingid
```
## Update PingID MFA Method
## Update PingID MFA method
This endpoint updates the configuration of an MFA method of type PingID.
@@ -54,11 +54,11 @@ This endpoint updates the configuration of an MFA method of type PingID.
- and all of the parameters documented under the preceding "Create" endpoint.
### Sample Payload
### Sample payload
Identical to the preceding "Create" endpoint.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -68,7 +68,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/mfa/method/pingid/f8381105-67f0-4105-8662-4b07ae5c1233
```
## Read PingID MFA Method
## Read PingID MFA method
This endpoint queries the MFA configuration of PingID type for a given method
name.
@@ -81,7 +81,7 @@ name.
- `id` `(string: <required>)` UUID of the MFA method.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -90,7 +90,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/mfa/method/pingid/f8381105-67f0-4105-8662-4b07ae5c1233
```
### Sample Response
### Sample response
```json
{
@@ -106,7 +106,7 @@ $ curl \
}
```
## Delete PingID MFA Method
## Delete PingID MFA method
This endpoint deletes a PingID MFA method. MFA methods can only be deleted if they're not currently in use
by a [login enforcement](/vault/api-docs/secret/identity/mfa/login-enforcement).
@@ -119,7 +119,7 @@ by a [login enforcement](/vault/api-docs/secret/identity/mfa/login-enforcement).
- `id` `(string: <required>)` - UUID of the MFA method.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -128,7 +128,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/mfa/method/pingid/f8381105-67f0-4105-8662-4b07ae5c1233
```
## List PingID MFA Methods
## List PingID MFA methods
This endpoint lists PingID MFA methods that are visible in the current namespace or in parent namespaces.
@@ -136,7 +136,7 @@ This endpoint lists PingID MFA methods that are visible in the current namespace
|:-------|:------------------------------|
| `LIST` | `/identity/mfa/method/pingid` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -145,7 +145,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/mfa/method/pingid
```
### Sample Response
### Sample response
```json
{


@@ -5,7 +5,7 @@ description: >-
The '/identity/mfa/method/totp' endpoint focuses on managing TOTP MFA behaviors in Vault.
---
## Create TOTP MFA Method
## Create TOTP MFA method
This endpoint creates an MFA method of type TOTP.
@@ -33,7 +33,7 @@ This endpoint creates an MFA method of type TOTP.
- `max_validation_attempts` `(int: 5)` - The maximum number of consecutive failed validation attempts.
### Sample Payload
### Sample payload
```json
{
@@ -41,7 +41,7 @@ This endpoint creates an MFA method of type TOTP.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -51,7 +51,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/mfa/method/totp
```
## Update TOTP MFA Method
## Update TOTP MFA method
This endpoint updates the configuration of an MFA method of type TOTP.
@@ -65,11 +65,11 @@ This endpoint updates the configuration of an MFA method of type TOTP.
- and all of the parameters documented under the preceding "Create" endpoint.
### Sample Payload
### Sample payload
Identical to the preceding "Create" endpoint.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -79,7 +79,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/mfa/method/totp/1f36d4cf-52c9-475d-a5cd-49c573c54e55
```
## Read TOTP MFA Method
## Read TOTP MFA method
This endpoint queries the MFA configuration of TOTP type for a given method
ID.
@@ -92,7 +92,7 @@ ID.
- `method_id` `(string: <required>)` UUID of the MFA method.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -101,7 +101,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/mfa/method/totp/4c6b1968-b385-4c46-ac5e-9b74e7b206be
```
### Sample Response
### Sample response
```json
{
@@ -120,7 +120,7 @@ $ curl \
}
```
## Delete TOTP MFA Method
## Delete TOTP MFA method
This endpoint deletes a TOTP MFA method. MFA methods can only be deleted if they're not currently in use
by a [login enforcement](/vault/api-docs/secret/identity/mfa/login-enforcement).
@@ -133,7 +133,7 @@ by a [login enforcement](/vault/api-docs/secret/identity/mfa/login-enforcement).
- `method_id` `(string: <required>)` - UUID of the MFA method.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -142,7 +142,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/mfa/method/totp/4c6b1968-b385-4c46-ac5e-9b74e7b206be
```
## List TOTP MFA Methods
## List TOTP MFA methods
This endpoint lists TOTP MFA methods that are visible in the current namespace or in parent namespaces.
@@ -150,7 +150,7 @@ This endpoint lists TOTP MFA methods that are visible in the current namespace o
|:-------|:----------------------------|
| `LIST` | `/identity/mfa/method/totp` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -159,7 +159,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/mfa/method/totp
```
### Sample Response
### Sample response
```json
{
@@ -172,7 +172,7 @@ $ curl \
}
```
## Generate a TOTP MFA Secret
## Generate a TOTP MFA secret
This endpoint generates an MFA secret in the entity of the calling token, if it
doesn't exist already, using the configuration stored under the given MFA
@@ -186,7 +186,7 @@ method ID.
- `method_id` `(string: <required>)` - UUID of the MFA method.
### Sample Payload
### Sample payload
```json
{
@@ -194,7 +194,7 @@ method ID.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -204,7 +204,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/mfa/method/totp/generate
```
### Sample Response
### Sample response
```json
{
@@ -215,7 +215,7 @@ $ curl \
}
```
## Administratively Generate a TOTP MFA Secret
## Administratively generate a TOTP MFA secret
This endpoint can be used to generate a TOTP MFA secret. Unlike the `generate`
API which stores the generated secret on the entity ID of the calling token,
@@ -232,7 +232,7 @@ the `admin-generate` API stores the generated secret on the given entity ID.
- `entity_id` `(string: <required>)` - Entity ID on which the generated secret
needs to get stored.
### Sample Payload
### Sample payload
```json
{
@@ -241,7 +241,7 @@ the `admin-generate` API stores the generated secret on the given entity ID.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -251,7 +251,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/mfa/method/totp/admin-generate
```
### Sample Response
### Sample response
```json
{
@@ -262,7 +262,7 @@ $ curl \
}
```
### Administratively Destroy TOTP MFA Secret
### Administratively destroy TOTP MFA secret
This endpoint deletes a TOTP MFA secret from the given entity ID.
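Review bot: Heading level is inconsistent in this hunk: `### Administratively destroy TOTP MFA secret` is a level-3 heading, while its sibling endpoint sections (`## Generate a TOTP MFA secret`, `## Administratively generate a TOTP MFA secret`) are level 2, so this endpoint will render as a subsection of the admin-generate endpoint instead of as its own. Since the line is being touched anyway, suggest `## Administratively destroy TOTP MFA secret`.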
@@ -282,7 +282,7 @@ secret.
- `entity_id` `(string: <required>)` - Entity ID from which the MFA secret
should be removed.
### Sample Payload
### Sample payload
```json
{
@@ -291,7 +291,7 @@ secret.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \

View File

@@ -5,7 +5,7 @@ description: >-
This is the API documentation for configuring and managing OIDC providers with Vault.
---
## Create or Update a Provider
## Create or update a provider
This endpoint creates or updates a Provider.
@@ -25,7 +25,7 @@ This endpoint creates or updates a Provider.
- `scopes_supported` `([]string: <optional>)` The scopes available for requesting on the provider.
### Sample Payload
### Sample payload
```json
{
@@ -34,7 +34,7 @@ This endpoint creates or updates a Provider.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -44,7 +44,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider
```
## Read Provider by Name
## Read provider by name
This endpoint queries the OIDC provider by its name.
@@ -56,7 +56,7 @@ This endpoint queries the OIDC provider by its name.
- `name` `(string: <required>)` The name of the provider.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -64,7 +64,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider
```
### Sample Response
### Sample response
```json
{
@@ -76,7 +76,7 @@ $ curl \
}
```
## List Providers
## List providers
This endpoint returns a list of all OIDC providers.
@@ -84,12 +84,12 @@ This endpoint returns a list of all OIDC providers.
| :----- | :------------------------------ |
| `LIST` | `/identity/oidc/provider` |
### Query Parameters
### Query parameters
- `allowed_client_id` `(string: <optional>)` Filters the list of OIDC providers to those
that allow the given client ID in their set of [allowed_client_ids](/vault/api-docs/secret/identity/oidc-provider#allowed_client_ids).
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -98,7 +98,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/oidc/provider
```
### Sample Response
### Sample response
```json
{
@@ -119,7 +119,7 @@ $ curl \
}
```
## Delete Provider by Name
## Delete provider by name
This endpoint deletes an OIDC provider.
@@ -131,7 +131,7 @@ This endpoint deletes an OIDC provider.
- `name` `(string: <required>)` The name of the provider.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -140,7 +140,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider
```
## Create or Update a Scope
## Create or update a scope
This endpoint creates or updates a scope.
@@ -157,7 +157,7 @@ This endpoint creates or updates a scope.
- `description` `(string: <optional>)` A description of the scope.
### Sample Payload
### Sample payload
```json
{
@@ -166,7 +166,7 @@ This endpoint creates or updates a scope.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -176,7 +176,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/oidc/scope/test-scope
```
## Read Scope by Name
## Read scope by name
This endpoint queries a scope by its name.
@@ -188,7 +188,7 @@ This endpoint queries a scope by its name.
- `name` `(string: <required>)` The name of the scope.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -196,7 +196,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/oidc/scope/test-scope
```
### Sample Response
### Sample response
```json
{
@@ -207,7 +207,7 @@ $ curl \
}
```
## List Scopes
## List scopes
This endpoint returns a list of all configured scopes.
@@ -215,7 +215,7 @@ This endpoint returns a list of all configured scopes.
| :----- | :------------------------------ |
| `LIST` | `/identity/oidc/scope` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -224,7 +224,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/oidc/scope
```
### Sample Response
### Sample response
```json
{
@@ -236,7 +236,7 @@ $ curl \
}
```
## Delete Scope by Name
## Delete scope by name
This endpoint deletes a scope.
@@ -248,7 +248,7 @@ This endpoint deletes a scope.
- `name` `(string: <required>)` The name of the scope.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -257,7 +257,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/oidc/scope/test-scope
```
## Create or Update a Client
## Create or update a client
This endpoint creates or updates a client.
@@ -306,7 +306,7 @@ This endpoint creates or updates a client.
- `access_token_ttl` `(int or duration: "24h")` The time-to-live for access tokens obtained by the client.
Accepts [duration format strings](/vault/docs/concepts/duration-format).
### Sample Payload
### Sample payload
```json
{
@@ -316,7 +316,7 @@ This endpoint creates or updates a client.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -326,7 +326,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/oidc/client/test-client
```
## Read Client by Name
## Read client by name
This endpoint queries a client by its name.
@@ -338,7 +338,7 @@ This endpoint queries a client by its name.
- `name` `(string: <required>)` The name of the client.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -346,7 +346,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/oidc/client/test-client
```
### Sample Response
### Sample response
```json
{
@@ -363,7 +363,7 @@ $ curl \
}
```
## List Clients
## List clients
This endpoint returns a list of all configured clients.
@@ -371,7 +371,7 @@ This endpoint returns a list of all configured clients.
| :----- | :------------------------------ |
| `LIST` | `/identity/oidc/client` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -380,7 +380,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/oidc/client
```
### Sample Response
### Sample response
```json
{
@@ -407,7 +407,7 @@ $ curl \
}
```
## Delete Client by Name
## Delete client by name
This endpoint deletes a client.
@@ -419,7 +419,7 @@ This endpoint deletes a client.
- `name` `(string: <required>)` The name of the client.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -428,7 +428,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/oidc/client/test-client
```
## Create or Update an Assignment
## Create or update an assignment
This endpoint creates or updates an assignment.
@@ -444,7 +444,7 @@ This endpoint creates or updates an assignment.
- `group_ids` `([]string: <optional>)` A list of Vault [group](/vault/docs/secrets/identity#identity-groups) IDs.
### Sample Payload
### Sample payload
```json
{
@@ -453,7 +453,7 @@ This endpoint creates or updates an assignment.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -463,7 +463,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/oidc/assignment/test-assignment
```
## Read Assignment by Name
## Read assignment by name
This endpoint queries an assignment by its name.
@@ -475,7 +475,7 @@ This endpoint queries an assignment by its name.
- `name` `(string: <required>)` The name of the assignment.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -483,7 +483,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/oidc/assignment/test-assignment
```
### Sample Response
### Sample response
```json
{
@@ -498,7 +498,7 @@ $ curl \
}
```
## List Assignments
## List assignments
This endpoint returns a list of all configured assignments.
@@ -506,7 +506,7 @@ This endpoint returns a list of all configured assignments.
| :----- | :------------------------------ |
| `LIST` | `/identity/oidc/assignment` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -515,7 +515,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/oidc/assignment
```
### Sample Response
### Sample response
```json
{
@@ -527,7 +527,7 @@ $ curl \
}
```
## Delete Assignment by Name
## Delete assignment by name
This endpoint deletes an assignment.
@@ -539,7 +539,7 @@ This endpoint deletes an assignment.
- `name` `(string: <required>)` The name of the assignment.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -548,7 +548,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/oidc/assignment/test-assignment
```
## Read Provider OpenID Configuration
## Read provider OpenID configuration
Returns OpenID Connect Metadata for a named OIDC provider. The response is a
compliant [OpenID Provider Configuration Response](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse).
@@ -561,7 +561,7 @@ compliant [OpenID Provider Configuration Response](https://openid.net/specs/open
- `name` `(string: <required>)` The name of the provider. This parameter is specified as part of the URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -569,7 +569,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider/.well-known/openid-configuration
```
### Sample Response
### Sample response
```json
{
@@ -608,7 +608,7 @@ $ curl \
]}
```
## Read Provider Public Keys
## Read provider public keys
Query this path to retrieve the public portion of keys for an OIDC provider.
Clients can use them to validate the authenticity of an identity token.
@@ -621,7 +621,7 @@ Clients can use them to validate the authenticity of an identity token.
- `name` `(string: <required>)` The name of the provider. This parameter is specified as part of the URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -629,7 +629,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider/.well-known/keys
```
### Sample Response
### Sample response
```json
{
@@ -653,7 +653,7 @@ $ curl \
]}
```
## Authorization Endpoint
## Authorization endpoint
Provides the [Authorization Endpoint](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint)
for an OIDC provider. This allows OIDC clients to request an authorization code
@@ -690,7 +690,7 @@ to be used for the [Authorization Code Flow](https://openid.net/specs/openid-con
[PKCE](https://datatracker.ietf.org/doc/html/rfc7636) code challenge. The following
methods are supported: `S256`, `plain`.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -706,7 +706,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider/authorize
```
### Sample Response
### Sample response
```json
{
@@ -715,7 +715,7 @@ $ curl \
}
```
## Token Endpoint
## Token endpoint
Provides the [Token Endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint)
for an OIDC provider.
@@ -758,7 +758,7 @@ for an OIDC provider.
authentication method. This header is only required for `confidential` clients using
the `client_secret_basic` client authentication method.
### Sample Request
### Sample request
```shell-session
$ BASIC_AUTH_CREDS=$(printf "%s:%s" "$CLIENT_ID" "$CLIENT_SECRET" | base64)
@@ -772,7 +772,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider/token
```
### Sample Response
### Sample response
```json
{
@@ -783,7 +783,7 @@ $ curl \
}
```
## UserInfo Endpoint
## UserInfo endpoint
Provides the [UserInfo Endpoint](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo)
for an OIDC provider. The UserInfo Endpoint is an OAuth 2.0 Protected
@@ -804,7 +804,7 @@ specified as part of the URL.
`Authorization: Bearer <access_token>` HTTP header acquired from the authorization
endpoint.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -813,7 +813,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider/userinfo
```
### Sample Response
### Sample response
```json
{

View File

@@ -6,7 +6,7 @@ description: >-
issued identity tokens.
---
## Configure the Identity Tokens Backend
## Configure the identity tokens backend
This endpoint updates configurations for OIDC-compliant identity tokens issued by Vault.
@@ -18,7 +18,7 @@ This endpoint updates configurations for OIDC-compliant identity tokens issued b
- `issuer` `(string: "")` Issuer URL to be used in the iss claim of the token. If not set, Vault's api_addr will be used. The issuer is a case sensitive URL using the https scheme that contains scheme, host, and an optional port number.
### Sample Payload
### Sample payload
```json
{
@@ -26,7 +26,7 @@ This endpoint updates configurations for OIDC-compliant identity tokens issued b
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -36,7 +36,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/oidc/config
```
### Sample Response
### Sample response
```json
{
@@ -47,7 +47,7 @@ $ curl \
}
```
## Read Configurations for the Identity Tokens Backend
## Read configurations for the identity tokens backend
This endpoint queries vault identity tokens configurations.
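Review bot: The unchanged context line `This endpoint queries vault identity tokens configurations.` writes the product name in lowercase; while this hunk is being edited for casing, `vault` should become `Vault`, as in every other sentence in these files.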
@@ -55,7 +55,7 @@ This endpoint queries vault identity tokens configurations.
| :----- | :--------------------- |
| `GET` | `identity/oidc/config` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -64,7 +64,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/oidc/config
```
### Sample Response
### Sample response
```json
{
@@ -74,7 +74,7 @@ $ curl \
}
```
## Create a Named Key
## Create a named key
This endpoint creates or updates a named key which is used by a role to sign tokens.
@@ -94,7 +94,7 @@ This endpoint creates or updates a named key which is used by a role to sign tok
- `algorithm` `(string: "RS256")` - Signing algorithm to use. Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA.
### Sample Payload
### Sample payload
```json
{
@@ -103,7 +103,7 @@ This endpoint creates or updates a named key which is used by a role to sign tok
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -113,7 +113,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/oidc/key/named-key-001
```
## Read a Named Key
## Read a named key
This endpoint queries a named key and returns its configurations.
@@ -125,7 +125,7 @@ This endpoint queries a named key and returns its configurations.
- `name` `(string)` Name of the key.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -134,7 +134,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/oidc/key/named-key-001
```
### Sample Response
### Sample response
```json
{
@@ -146,7 +146,7 @@ $ curl \
}
```
## Delete a Named Key
## Delete a named key
This endpoint deletes a named key.
@@ -158,7 +158,7 @@ This endpoint deletes a named key.
- `name` `(string)` Name of the key.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -167,7 +167,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/oidc/key/named-key-001
```
## List Named Keys
## List named keys
This endpoint will List all named keys.
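Review bot: The context line `This endpoint will List all named keys.` has a capitalized `List` mid-sentence, which is exactly the kind of casing this change is meant to fix; suggest `This endpoint will list all named keys.` while the hunk is open.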
@@ -175,7 +175,7 @@ This endpoint will List all named keys.
| :----- | :------------------ |
| `LIST` | `identity/oidc/key` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -184,7 +184,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/oidc/key
```
### Sample Response
### Sample response
```json
{
@@ -194,7 +194,7 @@ $ curl \
}
```
## Rotate a Named Key
## Rotate a named key
This endpoint rotates a named key.
@@ -208,7 +208,7 @@ This endpoint rotates a named key.
- `verification_ttl` `(string: <optional>)` - Controls how long the public portion of the key will be available for verification after being rotated. Setting verification_ttl here will override the verification_ttl set on the key.
### Sample Payload
### Sample payload
```json
{
@@ -216,7 +216,7 @@ This endpoint rotates a named key.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -226,7 +226,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/oidc/key/named-key-001/rotate
```
## Create or Update a Role
## Create or update a role
Create or update a role. ID tokens are generated against a role and signed against a named key.
@@ -246,7 +246,7 @@ Create or update a role. ID tokens are generated against a role and signed again
- `ttl` `(int or time string: "24h")` - TTL of the tokens generated against the role. Uses [duration format strings](/vault/docs/concepts/duration-format).
### Sample Payload
### Sample payload
```json
{
@@ -255,7 +255,7 @@ Create or update a role. ID tokens are generated against a role and signed again
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -265,7 +265,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/oidc/role/role-001
```
## Read a Role
## Read a role
This endpoint queries a role and returs its configuration.
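Review bot: Typo in the context line directly under the edited heading: `returs` should be `returns` (`This endpoint queries a role and returns its configuration.`). Cheap to fix in the same commit.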
@@ -277,7 +277,7 @@ This endpoint queries a role and returs its configuration.
- `name` `(string)` Name of the role.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -286,7 +286,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/oidc/role/role-001
```
### Sample Response
### Sample response
```json
{
@@ -299,7 +299,7 @@ $ curl \
}
```
## Delete a Role
## Delete a role
This endpoint deletes a role.
@@ -311,7 +311,7 @@ This endpoint deletes a role.
- `name` `(string)` Name of the role.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -320,7 +320,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/oidc/role/role-001
```
## List Roles
## List roles
This endpoint will list all signing keys.
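Review bot: The description under `## List roles` is wrong: the context line `This endpoint will list all signing keys.` describes the key-list endpoint, but the table below it documents `LIST identity/oidc/role`, which lists roles. Suggest `This endpoint will list all roles.` so the heading, description and path agree.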
@@ -328,7 +328,7 @@ This endpoint will list all signing keys.
| :----- | :------------------- |
| `LIST` | `identity/oidc/role` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -337,7 +337,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/oidc/role
```
### Sample Response
### Sample response
```json
{
@@ -347,7 +347,7 @@ $ curl \
}
```
## Generate a Signed ID Token
## Generate a signed ID token
Use this endpoint to generate a signed ID (OIDC) token.
@@ -359,7 +359,7 @@ Use this endpoint to generate a signed ID (OIDC) token.
- `name` `(string: "")` The name of the role against which to generate a signed ID token
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -369,7 +369,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/oidc/token/role-001
```
### Sample Response
### Sample response
```json
{
@@ -381,7 +381,7 @@ $ curl \
}
```
## Introspect a signed ID Token
## Introspect a signed ID token
This endpoint can verify the authenticity and active state of a signed ID token.
@@ -395,7 +395,7 @@ This endpoint can verify the authenticity and active state of a signed ID token.
- `client_id` `(string: <optional>)` - Specifying the client ID additionally requires the token to contain a matching `aud` claim
### Sample Payload
### Sample payload
```json
{
@@ -403,7 +403,7 @@ This endpoint can verify the authenticity and active state of a signed ID token.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -413,7 +413,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/oidc/introspect
```
### Sample Response
### Sample response
```json
{
@@ -421,7 +421,7 @@ $ curl \
}
```
## Read .well-known Configurations
## Read .well-known configurations
Query this path to retrieve a set of claims about the identity tokens' configuration. The response is a compliant [OpenID Provider Configuration Response](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse).
@@ -429,7 +429,7 @@ Query this path to retrieve a set of claims about the identity tokens' configura
| :----- | :----------------------------------------------- |
| `GET` | `identity/oidc/.well-known/openid-configuration` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -437,7 +437,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/oidc/.well-known/openid-configuration
```
### Sample Response
### Sample response
```json
{
@@ -454,11 +454,11 @@ $ curl \
}
```
## Read Active Public Keys
## Read active public keys
Query this path to retrieve the public portion of named keys. Clients can use this to validate the authenticity of an identity token.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -466,7 +466,7 @@ $ curl \
http://127.0.0.1:8200/v1/identity/oidc/.well-known/keys
```
### Sample Response
### Sample response
```json
{

View File

@@ -6,7 +6,7 @@ description: |-
endpoints are documented in this section.
---
# Secrets Engines
# Secrets engines
Each secrets engine publishes its own set of API paths and methods. These
endpoints are documented in this section. secrets engines are enabled at a path,
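Review bot: The context line `endpoints are documented in this section. secrets engines are enabled at a path,` starts a sentence in lowercase (`secrets engines`). Since this hunk is already adjusting capitalization, suggest `Secrets engines are enabled at a path,`.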

View File

@@ -12,7 +12,7 @@ other provider-specific parameter values.
The following sections provide API documentation that is specific to AWS KMS.
## Create/Update KMS Provider
## Create/Update KMS provider
This endpoint creates or updates a KMS provider. If a KMS provider with the given `name`
does not exist, it will be created. If the KMS provider exists, it will be updated with
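Review bot: `## Create/Update KMS provider` is only half converted: the word after the slash keeps its capital while the rest of the change uses forms like `## Create or update a provider`. For consistency, either `## Create/update KMS provider` or `## Create or update KMS provider`; the same heading appears in the Azure Key Vault, GCP Cloud KMS and Key Management files in this commit and should be changed the same way.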

View File

@@ -4,7 +4,7 @@ page_title: Azure Key Vault - Key Management - Secrets Engines - HTTP API
description: The Azure Key Vault API documentation for the Key Management secrets engine.
---
# Azure Key Vault (API)
# Azure key Vault (API)
The Key Management secrets engine supports lifecycle management of keys in named
[Azure Key Vault](https://docs.microsoft.com/en-us/azure/key-vault/) instances.
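Review bot: `# Azure key Vault (API)` is a regression, not a sentence-case fix: "Azure Key Vault" is the product name, and both the `page_title` in the hunk header and the body text two lines below (`[Azure Key Vault](https://docs.microsoft.com/en-us/azure/key-vault/)`) keep it capitalized. The heading should stay `# Azure Key Vault (API)`.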
@@ -13,7 +13,7 @@ provider and other provider-specific parameter values.
The following sections provide API documentation that is specific to Azure Key Vault.
## Create/Update KMS Provider
## Create/Update KMS provider
This endpoint creates or updates a KMS provider. If a KMS provider with the given `name`
does not exist, it will be created. If the KMS provider exists, it will be updated with

View File

@@ -13,7 +13,7 @@ values.
The following sections provide API documentation that is specific to GCP Cloud KMS.
## Create/Update KMS Provider
## Create/Update KMS provider
This endpoint creates or updates a KMS provider. If a KMS provider with the given `name`
does not exist, it will be created. If the KMS provider exists, it will be updated with

View File

@@ -4,7 +4,7 @@ page_title: Key Management - Secrets Engines - HTTP API
description: The API documentation for the Key Management secrets engine.
---
# Key Management Secrets Engine (API)
# Key management secrets engine (API)
This is the API documentation for the Key Management secrets engine. For general
information about the usage and operation of the secrets engine, please see the
@@ -14,7 +14,7 @@ This documentation assumes the Key Management secrets engine is enabled at the
`/keymgmt` path in Vault. Since it is possible to enable secrets engines at any
location, please update your API calls accordingly.
## Create Key
## Create key
This endpoint creates a named cryptographic key of a specified type. These parameters
set cannot be changed after key creation.
@@ -39,7 +39,7 @@ set cannot be changed after key creation.
- `ecdsa-p384` - ECDSA using the P-384 elliptic curve (asymmetric)
- `ecdsa-p521` - ECDSA using the P-521 elliptic curve (asymmetric)
### Sample Payload
### Sample payload
```json
{
@@ -47,7 +47,7 @@ set cannot be changed after key creation.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -57,7 +57,7 @@ $ curl \
http://127.0.0.1:8200/v1/keymgmt/key/example-key
```
## Read Key
## Read key
This endpoint returns information about a named key. The `keys` object will hold information
regarding each key version. Different information will be returned depending on the key type.
@@ -72,7 +72,7 @@ For example, an asymmetric key will return its public key in a PEM encoding.
- `name` `(string: <required>)` Specifies the name of the key to read.
This is provided as part of the request URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -80,7 +80,7 @@ $ curl \
http://127.0.0.1:8200/v1/keymgmt/key/example-key
```
### Sample Response
### Sample response
```json
{
@@ -104,7 +104,7 @@ $ curl \
}
```
## List Keys
## List keys
This endpoint returns a list of all existing keys.
@@ -112,7 +112,7 @@ This endpoint returns a list of all existing keys.
| :----- | :------------- |
| `LIST` | `/keymgmt/key` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -121,7 +121,7 @@ $ curl \
http://127.0.0.1:8200/v1/keymgmt/key
```
### Sample Response
### Sample response
```json
{
@@ -131,7 +131,7 @@ $ curl \
}
```
## Update Key
## Update key
This endpoint updates a named key.
@@ -151,7 +151,7 @@ This endpoint updates a named key.
- `deletion_allowed` `(bool: false)` Specifies if the key is allowed to be deleted.
### Sample Payload
### Sample payload
```json
{
@@ -160,7 +160,7 @@ This endpoint updates a named key.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -170,7 +170,7 @@ $ curl \
http://127.0.0.1:8200/v1/keymgmt/key/example-key
```
## Rotate Key
## Rotate key
This endpoint rotates the version of a named key.
@@ -183,7 +183,7 @@ This endpoint rotates the version of a named key.
- `name` `(string: <required>)` Specifies the name of the key to rotate.
This is provided as part of the request URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -192,7 +192,7 @@ $ curl \
http://127.0.0.1:8200/v1/keymgmt/key/example-key/rotate
```
## Delete Key
## Delete key
This endpoint deletes a named key. The key must be removed from all KMS providers that it's
been distributed to and have `deletion_allowed` set to `true` in order to be deleted.
@@ -206,7 +206,7 @@ been distributed to and have `deletion_allowed` set to `true` in order to be del
- `name` `(string: <required>)` Specifies the name of the key to delete.
This is provided as part of the request URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -215,7 +215,7 @@ $ curl \
http://127.0.0.1:8200/v1/keymgmt/key/example-key
```
## List KMS Providers of Key
## List KMS providers of key
This endpoint returns a list of all KMS providers that the named key has been distributed to.
Currently, a key can only be distributed to a single KMS provider.
@@ -229,7 +229,7 @@ Currently, a key can only be distributed to a single KMS provider.
- `name` `(string: <required>)` Specifies the name of the key.
This is provided as part of the request URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -238,7 +238,7 @@ $ curl \
http://127.0.0.1:8200/v1/keymgmt/key/example-key/kms
```
### Sample Response
### Sample response
```json
{
@@ -248,7 +248,7 @@ $ curl \
}
```
## Create/Update KMS Provider
## Create/Update KMS provider
This endpoint creates or updates a KMS provider. If a KMS provider with the given `name`
does not exist, it will be created. If the KMS provider exists, it will be updated with
@@ -272,7 +272,7 @@ the given parameter values.
- `awskms`
- `gcpckms`
### Common Parameters
### Common parameters
There are common parameters that expect different values depending on the specified `provider`.
Please reference the API documentation for individual KMS providers to determine which values to
@@ -287,7 +287,7 @@ set for each of the parameters listed below.
also be specified as environment variables. The expected keys and values for this parameter
will differ depending on the specified `provider`.
### Sample Payload
### Sample payload
```json
{
@@ -301,7 +301,7 @@ set for each of the parameters listed below.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -311,7 +311,7 @@ $ curl \
http://127.0.0.1:8200/v1/keymgmt/kms/example-kms
```
## Read KMS Provider
## Read KMS provider
This endpoint returns information about a KMS provider.
@@ -324,7 +324,7 @@ This endpoint returns information about a KMS provider.
- `name` `(string: <required>)` Specifies the name of the KMS provider to read.
This is provided as part of the request URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -333,7 +333,7 @@ $ curl \
http://127.0.0.1:8200/v1/keymgmt/kms/example-kms
```
### Sample Response
### Sample response
```json
{
@@ -344,7 +344,7 @@ $ curl \
}
```
## List KMS Providers
## List KMS providers
This endpoint returns a list of all existing KMS providers.
@@ -352,7 +352,7 @@ This endpoint returns a list of all existing KMS providers.
| :----- | :------------- |
| `LIST` | `/keymgmt/kms` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -361,7 +361,7 @@ $ curl \
http://127.0.0.1:8200/v1/keymgmt/kms
```
### Sample Response
### Sample response
```json
{
@@ -371,7 +371,7 @@ $ curl \
}
```
## Delete KMS Provider
## Delete KMS provider
This endpoint deletes a KMS provider. A KMS provider cannot be deleted until all keys
that have been distributed to it are removed.
@@ -385,7 +385,7 @@ that have been distributed to it are removed.
- `name` `(string: <required>)` Specifies the name of the KMS provider to delete.
This is provided as part of the request URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -394,7 +394,7 @@ $ curl \
http://127.0.0.1:8200/v1/keymgmt/kms/example-kms
```
## Distribute Key to KMS Provider
## Distribute key to KMS provider
This endpoint distributes a named key to the KMS provider. The key will be securely delivered
(i.e., wrapped for protection in transit) following the key import specification of the KMS
@@ -430,7 +430,7 @@ provider. The parameters set cannot be changed after the key has been distribute
- `hsm`
- `software`
### Sample Payload
### Sample payload
```json
{
@@ -439,7 +439,7 @@ provider. The parameters set cannot be changed after the key has been distribute
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -449,7 +449,7 @@ $ curl \
http://127.0.0.1:8200/v1/keymgmt/kms/example-kms/key/example-key
```
## Read Key in KMS Provider
## Read key in KMS provider
This endpoint returns information about a key that's been distributed to a KMS provider.
@@ -465,7 +465,7 @@ This endpoint returns information about a key that's been distributed to a KMS p
- `key_name` `(string: <required>)` Specifies the name of the key. This is provided as part
of the request URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -474,7 +474,7 @@ $ curl \
http://127.0.0.1:8200/v1/keymgmt/kms/example-kms/key/example-key
```
### Sample Response
### Sample response
```json
{
@@ -490,7 +490,7 @@ $ curl \
}
```
## List Keys in KMS Provider
## List keys in KMS provider
This endpoint returns a list of all keys that have been distributed to the given KMS
provider. Many keys can be distributed to a single KMS provider.
@@ -504,7 +504,7 @@ provider. Many keys can be distributed to a single KMS provider.
- `name` `(string: <required>)` Specifies the name of the KMS provider.
This is provided as part of the request URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -513,7 +513,7 @@ $ curl \
http://127.0.0.1:8200/v1/keymgmt/kms/example-kms/key
```
### Sample Response
### Sample response
```json
{
@@ -523,7 +523,7 @@ $ curl \
}
```
## Remove Key from KMS Provider
## Remove key from KMS provider
This endpoint removes a named key from the KMS provider. This will only delete the key from
the KMS provider. The key will still exist in the secrets engine and can be redistributed to
@@ -542,7 +542,7 @@ a KMS provider at a later time. To permanently delete the key from the secrets e
- `key_name` `(string: <required>)` Specifies the name of the key. This is provided as part
of the request URL.
### Sample Request
### Sample request
```shell-session
$ curl \

View File

@@ -4,7 +4,7 @@ page_title: KMIP - Secrets Engines - HTTP API
description: This is the API documentation for the Vault KMIP secrets engine.
---
# KMIP Secrets Engine (API)
# KMIP secrets engine (API)
@include 'x509-sha1-deprecation.mdx'
@@ -16,7 +16,7 @@ This documentation assumes the KMIP secrets engine is enabled at the `/kmip` pat
in Vault. Since it is possible to mount secrets engines at any path, please
update your API calls accordingly.
## Write Config
## Write config
| Method | Path |
| :----- | :------------- |
@@ -61,7 +61,7 @@ is enabled.
- `default_tls_client_ttl` (`int: 86400 || string:"24h"`) Client certificate
TTL in either an integer number of seconds (10) or an integer time unit (10s).
### Sample Payload
### Sample payload
```json
{
@@ -78,7 +78,7 @@ is enabled.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -88,13 +88,13 @@ $ curl \
https://127.0.0.1:8200/v1/kmip/config
```
## Read Config
## Read config
| Method | Path |
| :----- | :------------- |
| `GET` | `/kmip/config` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -103,7 +103,7 @@ $ curl \
https://127.0.0.1:8200/v1/kmip/config
```
### Sample Response
### Sample response
```json
{
@@ -131,7 +131,7 @@ $ curl \
Returns the CA certificates in PEM format. Returns an error if config has never
been written.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -140,7 +140,7 @@ $ curl \
https://127.0.0.1:8200/v1/kmip/ca
```
### Sample Response
### Sample response
```json
{
@@ -162,7 +162,7 @@ Creates a new scope with the given name.
- `scope` (`string: <required>`) - Name of scope. This is part of the request URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -179,7 +179,7 @@ $ curl \
List existing scopes.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -188,7 +188,7 @@ $ curl \
https://127.0.0.1:8200/v1/kmip/scope
```
### Sample Response
### Sample response
```json
{
@@ -214,7 +214,7 @@ Delete a scope by name.
fail. This value should be supplied as a query parameter, or as an argument in
the CLI.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -282,7 +282,7 @@ Creates or updates a role.
- `operation_revoke` (`bool: false`) - Grant permission to use the KMIP
`Revoke` operation.
### Sample Payload
### Sample payload
```json
{
@@ -305,7 +305,7 @@ Creates or updates a role.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -328,7 +328,7 @@ Read a role.
- `scope` (`string: <required>`) - Name of scope. This is part of the request URL.
- `role` (`string: <required>`) - Name of role. This is part of the request URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -337,7 +337,7 @@ $ curl \
https://127.0.0.1:8200/v1/kmip/scope/myscope/role/myrole
```
### Sample Response
### Sample response
```json
{
@@ -374,7 +374,7 @@ List roles with a scope.
- `scope` (`string: <required>`) - Name of scope. This is part of the request URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -383,7 +383,7 @@ $ curl \
https://127.0.0.1:8200/v1/kmip/scope/myscope/role
```
### Sample Response
### Sample response
```json
{
@@ -406,7 +406,7 @@ Delete a role by name.
- `scope` (`string: <required>`) - Name of scope. This is part of the request URL.
- `role` (`string: <required>`) - Name of role. This is part of the request URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -432,7 +432,7 @@ if entropy augmentation is enabled.
- `format` (`string: "pem"`) - Format to return the certificate, private key,
and CA chain in. One of `pem`, `pem_bundle`, or `der`.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -441,7 +441,7 @@ $ curl \
https://127.0.0.1:8200/v1/kmip/scope/myscope/role/myrole/credential/generate
```
### Sample Response
### Sample response
```json
{
@@ -475,7 +475,7 @@ The key type and key bits used in the CSR must match those of the role.
and CA chain in. One of `pem`, `pem_bundle`, or `der`.
- `csr` (`string`) - CSR in PEM format.
### Sample Request
### Sample request
```
$ curl \
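Review bot: the opening fence for this sample request (the bare ``` on the line above `$ curl \`) carries no language tag, while every other sample request block in this file is fenced as ```shell-session; tag it the same way so the block is rendered and highlighted consistently with its siblings.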
@@ -485,7 +485,7 @@ $ curl \
https://127.0.0.1:8200/v1/kmip/scope/myscope/role/myrole/credential/sign
```
### Sample Response
### Sample response
```json
{
@@ -517,7 +517,7 @@ at generation time.
- `format` (`string: "pem"`) - Format to return the certificate, private key,
and CA chain in. One of `pem`, `pem_bundle`, or `der`.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -526,7 +526,7 @@ $ curl \
https://127.0.0.1:8200/v1/kmip/scope/myscope/role/myrole/credential/lookup?serial_number=728181095563584845125173905844944137943705466376
```
### Sample Response
### Sample response
```json
{
@@ -554,7 +554,7 @@ List the serial numbers of all certificates within a role.
- `scope` (`string: <required>`) - Name of scope. This is part of the request URL.
- `role` (`string: <required>`) - Name of role. This is part of the request URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -563,7 +563,7 @@ $ curl \
https://127.0.0.1:8200/v1/kmip/scope/myscope/role/myrole/credential
```
### Sample Response
### Sample response
```json
{
@@ -590,7 +590,7 @@ Delete a certificate, thereby revoking it.
- `certificate` (`string: """`) - Certificate to revoke, in PEM format.
Exactly one of `serial_number` or `certificate` must be provided.
### Sample Payload
### Sample payload
```json
{
@@ -598,7 +598,7 @@ Delete a certificate, thereby revoking it.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \

View File

@@ -4,7 +4,7 @@ page_title: Kubernetes - Secrets Engines - HTTP API
description: This is the API documentation for the Vault Kubernetes secrets engine.
---
# Kubernetes Secrets Engine (API)
# Kubernetes secrets engine (API)
@include 'x509-sha1-deprecation.mdx'
@@ -16,7 +16,7 @@ This documentation assumes the Kubernetes secrets engine is mounted at the
`/kubernetes` path in Vault. Since it is possible to enable secrets engines at
any location, please update your API calls accordingly.
## Write Configuration
## Write configuration
This endpoint configures the plugin with the necessary information to reach the
Kubernetes API and authenticate with it.
@@ -40,7 +40,7 @@ Kubernetes API and authenticate with it.
- `disable_local_ca_jwt` `(bool: false)` - Disable defaulting to the local CA
certificate and service account JWT when running in a Kubernetes pod.
### Sample Payload
### Sample payload
```json
{
@@ -49,7 +49,7 @@ Kubernetes API and authenticate with it.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -59,7 +59,7 @@ $ curl \
http://127.0.0.1:8200/v1/kubernetes/config
```
## Read Configuration
## Read configuration
Returns the config previously set, excluding credentials.
@@ -67,7 +67,7 @@ Returns the config previously set, excluding credentials.
| :----- | :------------------------ |
| `GET` | `/kubernetes/config` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -75,7 +75,7 @@ $ curl \
http://127.0.0.1:8200/v1/kubernetes/config
```
### Sample Response
### Sample response
```json
{
@@ -87,7 +87,7 @@ $ curl \
}
```
## Delete Configuration
## Delete configuration
Deletes the config previously set.
@@ -95,7 +95,7 @@ Deletes the config previously set.
| :------- | :------------------------ |
| `DELETE` | `/kubernetes/config` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -104,7 +104,7 @@ $ curl \
http://127.0.0.1:8200/v1/kubernetes/config
```
## Create Role
## Create role
A role configures what service account tokens can be generated, and what
permissions will be attached to them. The permissions attached to a service
@@ -181,7 +181,7 @@ Only one of `service_account_name`, `kubernetes_role_name` or
[Kubernetes labels documentation](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
for more details on labels.
### Sample Payload 1
### Sample payload 1
To generate tokens for a pre-existing service account:
@@ -193,7 +193,7 @@ To generate tokens for a pre-existing service account:
}
```
### Sample Payload 2
### Sample payload 2
To generate tokens for a pre-existing ClusterRole:
@@ -205,7 +205,7 @@ To generate tokens for a pre-existing ClusterRole:
}
```
### Sample Payload 3
### Sample payload 3
To generate tokens for a defined set of Kubernetes role rules:
@@ -225,7 +225,7 @@ Or to define the same rules as JSON:
}
```
### Sample Payload 4
### Sample payload 4
To generate tokens in namespaces based on a label selector for the namespaces:
@@ -245,7 +245,7 @@ Or to define the same selector as JSON:
}
```
### Sample Payload 5
### Sample payload 5
To generate tokens in namespaces based on a label selector for the namespaces and via a normal
namespace array:
@@ -261,7 +261,7 @@ namespace array:
In the payload above, the token can be generated for any namespace that either contains the labels
defined in the selector, or is named `vault-system` or `testing`.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -271,7 +271,7 @@ $ curl \
http://127.0.0.1:8200/v1/kubernetes/roles/default-role
```
## Read Role
## Read role
Returns the previously configured role.
@@ -283,7 +283,7 @@ Returns the previously configured role.
- `name` `(string: <required>)` - Name of the role.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -291,7 +291,7 @@ $ curl \
http://127.0.0.1:8200/v1/kubernetes/role/default-role
```
### Sample Response
### Sample response
```json
{
@@ -312,7 +312,7 @@ $ curl \
}
```
## List Roles
## List roles
Lists all the roles that are configured.
@@ -321,7 +321,7 @@ Lists all the roles that are configured.
| `LIST` | `/kubernetes/roles` |
| `GET` | `/kubernetes/roles?list=true` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -330,7 +330,7 @@ $ curl \
http://127.0.0.1:8200/v1/kubernetes/roles
```
### Sample Response
### Sample response
```json
{
@@ -340,7 +340,7 @@ $ curl \
}
```
## Delete Role
## Delete role
Deletes the previously configured role.
@@ -352,7 +352,7 @@ Deletes the previously configured role.
- `role` `(string: <required>)` - Name of the role.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -361,7 +361,7 @@ $ curl \
http://127.0.0.1:8200/v1/kubernetes/role/default-role
```
## Generate Credentials
## Generate credentials
Generate a service account token.
@@ -387,7 +387,7 @@ Generate a service account token.
If not set or set to `""`,
the [token_default_audiences](/vault/api-docs/secret/kubernetes#token_default_audiences) will be used.
### Sample Payload
### Sample payload
```json
{
@@ -396,7 +396,7 @@ Generate a service account token.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -405,7 +405,7 @@ $ curl \
http://127.0.0.1:8200/v1/kubernetes/creds/default-role
```
### Sample Response
### Sample response
```json
{

View File

@@ -4,7 +4,7 @@ page_title: KV - Secrets Engines - HTTP API
description: This is the API documentation for the Vault KV secrets engine.
---
# KV Secrets Engine (API)
# KV secrets engine (API)
This backend can be run in one of two versions. Each of which have a distinct API.
Choose the version below you are running. For more information on the KV secrets
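Review bot: the two context lines under the renamed heading contain a grammar slip that this pass could pick up while it is touching the file: "Each of which have a distinct API." is a sentence fragment with a number-agreement error. Suggest joining the two sentences: "This backend can be run in one of two versions, each of which has a distinct API."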

View File

@@ -4,7 +4,7 @@ page_title: KV - Secrets Engines - HTTP API
description: This is the API documentation for the Vault KV secrets engine, version 1.
---
# KV Secrets Engine - Version 1 (API)
# KV secrets engine - version 1 (API)
This is the API documentation for the Vault KV secrets engine. For general
information about the usage and operation of the version 1 KV secrets engine, please
@@ -16,7 +16,7 @@ documentation](/vault/docs/secrets/kv).
`/secret` path in Vault. Since it is possible to enable secrets engines at any
location, please update your API calls accordingly.
## Read Secret
## Read secret
This endpoint retrieves the secret at the specified location.
@@ -29,7 +29,7 @@ This endpoint retrieves the secret at the specified location.
- `path` `(string: <required>)` Specifies the path of the secret to read.
This is specified as part of the URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -37,7 +37,7 @@ $ curl \
https://127.0.0.1:8200/v1/secret/my-secret
```
### Sample Response
### Sample response
```json
{
@@ -58,7 +58,7 @@ writers to indicate how often a given value should be re-read by the client.
See the [Vault KV secrets engine documentation](/vault/docs/secrets/kv/kv-v1#ttls)
for more details.
## List Secrets
## List secrets
This endpoint returns a list of key names at the specified location. Folders are
suffixed with `/`. The input must be a folder; list on a file will not return a
@@ -75,7 +75,7 @@ this API.
- `path` `(string: <required>)` Specifies the path of the secrets to list.
This is specified as part of the URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -84,7 +84,7 @@ $ curl \
https://127.0.0.1:8200/v1/secret/my-secret
```
### Sample Response
### Sample response
The example below shows output for a query path of `secret/` when there are
secrets at `secret/foo` and `secret/foo/bar`; note the difference in the two
@@ -102,7 +102,7 @@ entries.
}
```
## Create/Update Secret
## Create/Update secret
This endpoint stores a secret at the specified location. If the value does not
yet exist, the calling token must have an ACL policy granting the `create`
@@ -124,7 +124,7 @@ policy granting the `update` capability.
some special behavior. See the [Vault KV secrets engine
documentation](/vault/docs/secrets/kv/kv-v1#ttls) for details.
### Sample Payload
### Sample payload
```json
{
@@ -133,7 +133,7 @@ policy granting the `update` capability.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -143,7 +143,7 @@ $ curl \
https://127.0.0.1:8200/v1/secret/my-secret
```
## Delete Secret
## Delete secret
This endpoint deletes the secret at the specified location.
@@ -156,7 +156,7 @@ This endpoint deletes the secret at the specified location.
- `path` `(string: <required>)` Specifies the path of the secret to delete.
This is specified as part of the URL.
### Sample Request
### Sample request
```shell-session
$ curl \

View File

@@ -4,7 +4,7 @@ page_title: KV - Secrets Engines - HTTP API
description: This is the API documentation for the Vault KV secrets engine, version 2.
---
# KV Secrets Engine - Version 2 (API)
# KV secrets engine - version 2 (API)
This is the API documentation for the Vault KV secrets engine while running in
versioned mode. For general information about the usage and operation of the version 2
@@ -12,7 +12,7 @@ KV secrets engine, please see the [Vault KV documentation](/vault/docs/secrets/k
For information about the differences between KV version 1 and version 2, please [see the KV overview
documentation](/vault/docs/secrets/kv).
## Configure the KV Engine
## Configure the KV engine
This path configures backend level settings that are applied to every key in the
key-value store.
@@ -39,7 +39,7 @@ key-value store.
of time before a version is deleted.
Accepts [duration format strings](/vault/docs/concepts/duration-format).
### Sample Payload
### Sample payload
```json
{
@@ -49,7 +49,7 @@ key-value store.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -59,7 +59,7 @@ $ curl \
https://127.0.0.1:8200/v1/secret/config
```
## Read KV Engine configuration
## Read KV engine configuration
This path retrieves the current configuration for the secrets backend at the
given path.
@@ -73,7 +73,7 @@ given path.
- `secret-mount-path` `(string: <required>)` - The path to the KV mount to read the config,
of, such as `secret`. This is specified as part of the URL.
### Sample Request
### Sample request
```shell-session
$ curl \
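Review bot: the `secret-mount-path` description in the first context line reads "The path to the KV mount to read the config, of, such as `secret`"; the stray ", of," is a typo and the line should read "The path to the KV mount to read the config of, such as `secret`".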
@@ -81,7 +81,7 @@ $ curl \
https://127.0.0.1:8200/v1/secret/config
```
### Sample Response
### Sample response
```json
{
@@ -93,7 +93,7 @@ $ curl \
}
```
## Read Secret Version
## Read secret version
This endpoint retrieves the secret at the specified location. The metadata
fields `created_time`, `deletion_time`, `destroyed`, and `version` are version
@@ -114,7 +114,7 @@ the associated [metadata endpoint](/vault/api-docs/secret/kv/kv-v2#read-secret-m
- `version` `(int: 0)` - Specifies the version to return. If not set the latest
version is returned.
### Sample Request
### Sample request
```shell-session
$ curl \
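Review bot: nothing to change in this hunk, but it is the right place to record the check a mass heading rename needs: the context line links to `/vault/api-docs/secret/kv/kv-v2#read-secret-m…` (cut off in this view), whose target heading is renamed to "Read secret metadata" later in this file. Assuming the site generates slugs from the lowercased heading text, as GitHub-style generators do, case-only renames leave every such `#…` anchor intact; only link text, not link targets, can now be out of step with the headings.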
@@ -122,7 +122,7 @@ $ curl \
https://127.0.0.1:8200/v1/secret/data/my-secret?version=2
```
### Sample Response
### Sample response
```json
{
@@ -144,7 +144,7 @@ $ curl \
}
```
## Create/Update Secret
## Create/Update secret
This endpoint creates a new version of a secret at the specified location. If
the value does not yet exist, the calling token must have an ACL policy granting
@@ -177,7 +177,7 @@ have an ACL policy granting the `update` capability.
- `data` `(Map: <required>)`  The contents of the data map will be stored and
returned on read.
### Sample Payload
### Sample payload
```json
{
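Review bot: the `data` parameter line at the top of this hunk has a double space and is missing the ` - ` separator that the other parameter entries in this file use (compare `- `version` `(int: 0)` - Specifies the version to return` in the hunk above); suggest `- `data` `(Map: <required>)` - The contents of the data map will be stored and returned on read.`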
@@ -191,7 +191,7 @@ have an ACL policy granting the `update` capability.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -201,7 +201,7 @@ $ curl \
https://127.0.0.1:8200/v1/secret/data/my-secret
```
### Sample Response
### Sample response
```json
{
@@ -218,7 +218,7 @@ $ curl \
}
```
## Patch Secret
## Patch secret
This endpoint provides the ability to patch an _existing_ secret at the specified
location. The secret must neither be deleted nor destroyed. The calling token must
@@ -250,7 +250,7 @@ applying a patch with the provided data.
- `data` `(Map: <required>)` The contents of the data map will be applied as a partial
update to the existing entry via a JSON merge patch to the existing entry.
### Sample Payload
### Sample payload
```json
{
@@ -266,7 +266,7 @@ applying a patch with the provided data.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -277,7 +277,7 @@ $ curl \
https://127.0.0.1:8200/v1/secret/data/my-secret
```
### Sample Response
### Sample response
```json
{
@@ -294,7 +294,7 @@ $ curl \
}
```
## Read Secret Subkeys
## Read secret subkeys
This endpoint provides the subkeys within a secret entry that exists
at the requested path. The secret entry at this path will be retrieved
@@ -318,7 +318,7 @@ and stripped of all data by replacing underlying values of leaf keys
specified `depth` value will be artificially treated as leaves and will thus be `null`
even if further underlying subkeys exist.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -326,7 +326,7 @@ $ curl \
https://127.0.0.1:8200/v1/secret/subkeys/my-secret?version=1
```
### Sample Secret Data
### Sample secret data
```json
{
@@ -338,7 +338,7 @@ $ curl \
}
```
### Sample Response
### Sample response
```json
{
@@ -359,7 +359,7 @@ $ curl \
}
```
## Delete Latest Version of Secret
## Delete latest version of secret
This endpoint issues a soft delete of the secret's latest version at the
specified location. This marks the version as deleted and will stop it from
@@ -377,7 +377,7 @@ delete can be undone using the `undelete` path.
- `path` `(string: <required>)` Specifies the path of the secret to delete.
This is specified as part of the URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -386,7 +386,7 @@ $ curl \
https://127.0.0.1:8200/v1/secret/data/my-secret
```
## Delete Secret Versions
## Delete secret versions
This endpoint issues a soft delete of the specified versions of the secret. This
marks the versions as deleted and will stop them from being returned from reads,
@@ -407,7 +407,7 @@ but the underlying data will not be removed. A delete can be undone using the
data will not be deleted, but it will no longer be returned in normal get
requests.
### Sample Payload
### Sample payload
```json
{
@@ -415,7 +415,7 @@ but the underlying data will not be removed. A delete can be undone using the
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -425,7 +425,7 @@ $ curl \
https://127.0.0.1:8200/v1/secret/delete/my-secret
```
## Undelete Secret Versions
## Undelete secret versions
Undeletes the data for the provided version and path in the key-value store.
This restores the data, allowing it to be returned on get requests.
@@ -445,7 +445,7 @@ This restores the data, allowing it to be returned on get requests.
- `versions` `([]int: <required>)` - The versions to undelete. The versions will
be restored and their data will be returned on normal get requests.
### Sample Payload
### Sample payload
```json
{
@@ -453,7 +453,7 @@ This restores the data, allowing it to be returned on get requests.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -463,7 +463,7 @@ $ curl \
https://127.0.0.1:8200/v1/secret/undelete/my-secret
```
## Destroy Secret Versions
## Destroy secret versions
Permanently removes the specified version data for the provided key and version
numbers from the key-value store.
@@ -483,7 +483,7 @@ numbers from the key-value store.
- `versions` `([]int: <required>)` - The versions to destroy. Their data will be
permanently deleted.
### Sample Payload
### Sample payload
```json
{
@@ -491,7 +491,7 @@ numbers from the key-value store.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -501,7 +501,7 @@ $ curl \
https://127.0.0.1:8200/v1/secret/destroy/my-secret
```
## List Secrets
## List secrets
This endpoint returns a list of key names at the specified location. Folders are
suffixed with `/`. The input must be a folder; list on a file will not return a
@@ -521,7 +521,7 @@ the secret to list, such as `secret`. This is specified as part of the URL.
- `path` `(string: <required>)` Specifies the path of the secrets to list.
This is specified as part of the URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -530,7 +530,7 @@ $ curl \
https://127.0.0.1:8200/v1/secret/metadata/my-secret
```
### Sample Response
### Sample response
The example below shows output for a query path of `secret/` when there are
secrets at `secret/foo` and `secret/foo/bar`; note the difference in the two
@@ -544,7 +544,7 @@ entries.
}
```
## Read Secret Metadata
## Read secret metadata
This endpoint retrieves the metadata and versions for the secret at the
specified path. Metadata is version-agnostic.
@@ -561,7 +561,7 @@ specified path. Metadata is version-agnostic.
- `path` `(string: <required>)` Specifies the path of the secret to read.
This is specified as part of the URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -569,7 +569,7 @@ $ curl \
https://127.0.0.1:8200/v1/secret/metadata/my-secret
```
### Sample Response
### Sample response
```json
{
@@ -607,7 +607,7 @@ $ curl \
}
```
## Create/Update Metadata
## Create/Update metadata
This endpoint creates or updates the metadata of a secret at the specified location.
It does not create a new version.
@@ -643,7 +643,7 @@ It does not create a new version.
- `custom_metadata` `(map<string|string>: nil)` - A map of arbitrary string to string valued user-provided metadata meant
to describe the secret.
### Sample Payload
### Sample payload
```json
{
@@ -658,7 +658,7 @@ It does not create a new version.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -668,7 +668,7 @@ $ curl \
https://127.0.0.1:8200/v1/secret/metadata/my-secret
```
## Patch Metadata
## Patch metadata
This endpoint patches an existing metadata entry of a secret at the specified
location. The calling token must have an ACL policy granting the `patch`
@@ -707,7 +707,7 @@ not create a new version.
- `custom_metadata` `(map<string|string>: nil)` - A map of arbitrary string to string valued user-provided metadata meant
to describe the secret.
### Sample Payload
### Sample payload
```json
{
@@ -718,7 +718,7 @@ not create a new version.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -729,7 +729,7 @@ $ curl \
https://127.0.0.1:8200/v1/secret/metadata/my-secret
```
## Delete Metadata and All Versions
## Delete metadata and all versions
This endpoint permanently deletes the key metadata and all version data for the
specified key. All version history will be removed.
@@ -746,7 +746,7 @@ specified key. All version history will be removed.
- `path` `(string: <required>)` Specifies the path of the secret to delete.
This is specified as part of the URL.
### Sample Request
### Sample request
```shell-session
$ curl \

View File

@@ -4,7 +4,7 @@ page_title: LDAP - Secrets Engines - HTTP API
description: This is the API documentation for the Vault LDAP secrets engine.
---
# LDAP Secrets Engine (API)
# LDAP secrets engine (API)
@include 'x509-sha1-deprecation.mdx'
@@ -16,7 +16,7 @@ This documentation assumes the LDAP secrets engine is enabled at the `/ldap` pat
in Vault. Since it is possible to mount secrets engines at any path, please
update your API calls accordingly.
## Configuration Management
## Configuration management
This endpoint configures the LDAP secret engine to manage user entries.
@@ -87,7 +87,7 @@ configuration if both are specified.
See [LDAP secrets engine docs](/vault/docs/secrets/ldap) for additional information.
### Sample Payload
### Sample payload
```json
{
@@ -97,7 +97,7 @@ See [LDAP secrets engine docs](/vault/docs/secrets/ldap) for additional informat
}
```
### Sample POST Request
### Sample POST request
```shell-session
$ curl \
@@ -107,7 +107,7 @@ $ curl \
http://127.0.0.1:8200/v1/ldap/config
```
### Sample GET Request
### Sample GET request
```shell-session
$ curl \
@@ -116,7 +116,7 @@ $ curl \
https://127.0.0.1:8200/v1/ldap/config
```
### Sample Response
### Sample response
```json
{
@@ -135,7 +135,7 @@ $ curl \
}
```
## Rotate Root Password
## Rotate root password
The `rotate-root` endpoint offers password rotation for the `binddn` entry used to manage LDAP.
This generated password will only be known to Vault and will not be retrievable once rotated.
@@ -144,7 +144,7 @@ This generated password will only be known to Vault and will not be retrievable
| :----- | :---------------------- |
| `POST` | `/ldap/rotate-root` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -153,7 +153,7 @@ $ curl \
http://127.0.0.1:8200/v1/ldap/rotate-root
```
## Static Roles
## Static roles
The `static-role` endpoint configures Vault to manage the passwords of existing individual LDAP entries.
@@ -180,7 +180,7 @@ The `static-role` endpoint configures Vault to manage the passwords of existing
[duration format strings](/vault/docs/concepts/duration-format). The minimum rotation period is 5 seconds.<br />
**Example:** `"3600", "5s", "1h"`
### Sample Payload
### Sample payload
```json
{
@@ -190,7 +190,7 @@ The `static-role` endpoint configures Vault to manage the passwords of existing
}
```
### Sample POST Request
### Sample POST request
```shell-session
$ curl \
@@ -200,7 +200,7 @@ $ curl \
http://127.0.0.1:8200/v1/ldap/static-role/hashicorp
```
### Sample GET Request
### Sample GET request
```shell-session
$ curl \
@@ -209,7 +209,7 @@ $ curl \
http://127.0.0.1:8200/v1/ldap/static-role/hashicorp
```
### Sample GET Response
### Sample GET response
```json
{
@@ -222,13 +222,13 @@ $ curl \
}
```
### Sample LIST Response
### Sample LIST response
```json
["hashicorp", "bob"]
```
## Static Role Passwords
## Static role passwords
The `static-cred` endpoint offers the credential information for a given static-role.
@@ -236,7 +236,7 @@ The `static-cred` endpoint offers the credential information for a given static-
| :----- | :--------------------------------- |
| `GET` | `/ldap/static-cred/:role_name` |
#### Sample Get Request
#### Sample get request
```shell-session
$ curl \
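Review bot: "Sample get request" lowercases the HTTP method, but the rest of this file keeps the verb in upper case inside sentence-case headings ("Sample GET request", "Sample POST request" earlier in the file), so this should become "#### Sample GET request". The same applies to "Sample get response" in the next hunk and to the two "Sample get" headings under the `creds` endpoint further down. These four headings are also one level deeper (####) than the sibling sample headings (###); that is pre-existing but looks unintentional and could be fixed in the same pass.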
@@ -245,7 +245,7 @@ $ curl \
http://127.0.0.1:8200/v1/ldap/static-cred/hashicorp
```
#### Sample Get Response
#### Sample get response
```json
{
@@ -259,7 +259,7 @@ $ curl \
}
```
## Manually Rotate Static Role Password
## Manually rotate static role password
The `rotate-role` endpoint rotates the password of an existing static role.
@@ -267,7 +267,7 @@ The `rotate-role` endpoint rotates the password of an existing static role.
| :----- | :--------------------------------- |
| `POST` | `/ldap/rotate-role/:role_name` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -276,12 +276,12 @@ $ curl \
http://127.0.0.1:8200/v1/ldap/rotate-role/:role_name
```
## Dynamic Roles
## Dynamic roles
Create or update a dynamic role configuration. This provides instructions to Vault on how to create an
LDAP domain user account.
### Create/Delete Dynamic Role Configuration
### Create/Delete dynamic role configuration
Creates, updates, or deletes a dynamic role.
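Review bot: the sample request URL in this hunk's first context line, `http://127.0.0.1:8200/v1/ldap/rotate-role/:role_name`, leaves the `:role_name` path placeholder in place, whereas the other samples in this file use a concrete role such as `hashicorp`; substitute a real name so the example can be pasted as-is. Separately, the intro under "Dynamic roles" says "Create or update a dynamic role configuration" while the subheading says "Create/Delete" and its first sentence says "Creates, updates, or deletes"; the three should agree, and "Create/Update/Delete" would match what the body actually describes.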
@@ -351,7 +351,7 @@ The `creation_ldif`, `deletion_ldif`, `rollback_ldif`, and `username_template` f
[Username Templating](/vault/docs/concepts/username-templating) for details on how to use templating. Also see
[Templates](#templates) for specifics on what data is available for each template.
#### Sample Payload
#### Sample payload
Sample LDIF files:
@@ -390,7 +390,7 @@ Full Payload:
-> Note: The LDIF statements may optionally be base64 encoded. If they are base64 encoded when creating/updating the
role configuration, the decoded version will be returned from the `GET` endpoint.
#### Sample POST Request
#### Sample POST request
```shell-session
$ curl \
@@ -400,7 +400,7 @@ $ curl \
http://127.0.0.1:8200/v1/ldap/role/dynamic-role
```
### Read Dynamic Role Configuration
### Read dynamic role configuration
Retrieves a dynamic role's configuration.
@@ -438,7 +438,7 @@ If a field needs to be modified (such as SHA256 hashing, base64 encoding, etc.)
[built-in functions](#template-functions). This uses a "pipe" syntax: `{{.Username | base64}}`. Values may be "piped"
to multiple functions: `{{.Username | lowercase | base64}}`
#### LDIF Template Fields
#### LDIF template fields
The following parameters are available within the LDIF templates:
@@ -470,7 +470,7 @@ time may be slightly earlier than the associated lease due to where this value i
calculates details of the lease.<br />
**Format:** Integer indicating the number of seconds elapsed since January 1, 1970.
#### Username Template Fields
#### Username template fields
The following parameters are available within the username template:
@@ -487,7 +487,7 @@ the dashes with underscores. See [Template Functions](#template-functions) for m
`.DisplayName` - The display name associated with the user making the request against Value.
#### Template Functions
#### Template functions
Both the LDIF templates and the username template use the [Go template language](https://golang.org/pkg/text/template)
so all [functions](https://golang.org/pkg/text/template/#hdr-Functions) and capabilities from that language are
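Review bot: the unchanged context line at the top of this hunk still reads `See [Template Functions](#template-functions)` in title case while the heading it points to becomes "Template functions"; update the link text for consistency. The `#template-functions` anchor itself is unaffected, since the slug is derived from the lowercased heading text.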
@@ -542,7 +542,7 @@ would be `v_myrealle6da86ec_1234567890` and the username for the second role wou
`uuid` - Generates a random UUID.<br />
**Example:** `{{uuid}}`
##### LDIF Template Functions
##### LDIF template functions
Additionally, the LDIF templates include an additional function to facilitate Active Directory password handling.
The username template cannot use this function.
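Review bot: "Additionally, the LDIF templates include an additional function" in the context line below the renamed heading doubles up on "additional"; drop the leading "Additionally," so the sentence reads "The LDIF templates include an additional function to facilitate Active Directory password handling."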
@@ -550,7 +550,7 @@ The username template cannot use this function.
`utf16le` - Encodes the provided value into UTF16-LE.<br />
**Example:** `{{.FieldName | utf16le}}`
## Dynamic Role Passwords
## Dynamic role passwords
The `creds` endpoint offers the credential information for a given dynamic role.
@@ -558,7 +558,7 @@ The `creds` endpoint offers the credential information for a given dynamic role.
| :----- | :--------------------------------- |
| `GET` | `/ldap/creds/:role_name` |
#### Sample Get Request
#### Sample get request
```shell-session
$ curl \
@@ -567,7 +567,7 @@ $ curl \
http://127.0.0.1:8200/v1/ldap/creds/dynamic-role
```
#### Sample Get Response
#### Sample get response
```json
{
@@ -579,7 +579,7 @@ $ curl \
}
```
## Library Set Management
## Library set management
The `library` endpoint configures the sets of service accounts that Vault will offer for check-out.
@@ -607,7 +607,7 @@ When adding a service account to the library, Vault verifies it already exists i
- `disable_check_in_enforcement` `(bool: false, optional)` - Disable enforcing that service accounts must be
checked in by the entity or client token that checked them out. Defaults to false.
### Sample POST Request
### Sample POST request
```shell-session
$ curl \
@@ -617,7 +617,7 @@ $ curl \
http://127.0.0.1:8200/v1/ldap/library/accounting-team
```
### Sample POST Payload
### Sample POST payload
```json
{
@@ -628,7 +628,7 @@ $ curl \
}
```
### Sample GET Response
### Sample GET response
```json
{
@@ -639,7 +639,7 @@ $ curl \
}
```
### Sample LIST Response
### Sample LIST response
Performing a `LIST` on the `/ldap/library` endpoint will list the names of all the sets of service accounts Vault contains.
@@ -647,7 +647,7 @@ Performing a `LIST` on the `/ldap/library` endpoint will list the names of all t
["accounting-team"]
```
## Library Set Status Check
## Library set status check
This endpoint provides the check-out status of service accounts in a library set.
@@ -655,7 +655,7 @@ This endpoint provides the check-out status of service accounts in a library set
| :----- | :----------------------------- |
| `GET` | `/ldap/library/:set_name/status` |
### Sample GET Request
### Sample GET request
```shell-session
$ curl \
@@ -664,7 +664,7 @@ $ curl \
http://127.0.0.1:8200/v1/ldap/library/accounting-team/status
```
### Sample GET Response
### Sample GET response
```json
{
@@ -688,7 +688,7 @@ $ curl \
}
```
## Check-Out Management
## Check-Out management
This endpoint provides service account check out for a library set.
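Review bot: `## Check-Out management` (and `## Check-In management` two hunks below) keep the capital after the hyphen, so the heading ends up neither title case nor sentence case, while the body line in this hunk writes `check out` in lowercase. Suggest `## Check-out management` and `## Check-in management`.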
@@ -706,7 +706,7 @@ Returns a `200` if a credential is available, and a `400` if no credential is av
Defaults to the set's `ttl`. If the requested `ttl` is higher than the set's, the set's will be used.
Uses [duration format strings](/vault/docs/concepts/duration-format).
### Sample POST Request
### Sample POST request
```shell-session
$ curl \
@@ -716,7 +716,7 @@ $ curl \
http://127.0.0.1:8200/v1/ldap/library/accounting-team/check-out
```
### Sample POST Payload
### Sample POST payload
```json
{
@@ -724,7 +724,7 @@ $ curl \
}
```
### Sample POST Response
### Sample POST response
```json
{
@@ -742,7 +742,7 @@ $ curl \
}
```
## Check-In Management
## Check-In management
By default, check-in must be called by the same entity or client token used for check-out.
To disable this behavior, use the `disable_check_in_enforcement` toggle on the library set. Or, use
@@ -766,7 +766,7 @@ in _by this particular call_.
- `service_account_names` `(string: "", or list: [] optional)` - The names of all the service accounts to be
checked in. May be omitted if only one is checked out.
### Sample POST Request
### Sample POST request
```shell-session
$ curl \
@@ -776,7 +776,7 @@ $ curl \
http://127.0.0.1:8200/v1/ldap/library/accounting-team/check-in
```
### Sample POST Payload
### Sample POST payload
```json
{
@@ -784,7 +784,7 @@ $ curl \
}
```
### Sample POST Response
### Sample POST response
```json
{


@@ -5,7 +5,7 @@ description: |-
The MongoDB Atlas Secrets Engine for Vault generates MongoDB Atlas Programmatic API Keys dynamically.
---
# MongoDB Atlas Secrets Engine
# MongoDB atlas secrets engine
The MongoDB Atlas Secrets Engine generates Programmatic API keys for MongoDB Atlas. This allows one to manage the lifecycle of these MongoDB Atlas secrets through Vault. The created MongoDB Atlas secrets are
time-based and are automatically revoked when the Vault lease expires, unless renewed. Vault will create a Programmatic API key for each lease scoped to the MongoDB Atlas project or organization denoted with the included role(s). An IP Whitelist may also be configured for the Programmatic API key with desired IPs and/or CIDR blocks.
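Review bot: `# MongoDB atlas secrets engine` downcases a product name: Atlas is part of the proper noun MongoDB Atlas, which the `description` line and the body lines in this same hunk still write with a capital A, and the commit message says Docker, Google, Foundry and Cloud were kept in proper case for exactly this reason. Suggest `# MongoDB Atlas secrets engine`.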
@@ -13,7 +13,7 @@ time-based and are automatically revoked when the Vault lease expires, unless re
The MongoDB Atlas Programmatic API Key Public and
Private Key is returned to the caller. To learn more about Programmatic API Keys visit the [Programmatic API Keys Doc](https://docs.atlas.mongodb.com/reference/api/apiKeys/).
## Configure Connection
## Configure connection
In addition to the parameters defined by the Secrets Engines Backend, this plugin has a number of parameters to further configure a connection.
@@ -26,7 +26,7 @@ In addition to the parameters defined by the Secrets Engines Backend, this plugi
- `public_key` `(string: <required>)` The Public Programmatic API Key used to authenticate with the MongoDB Atlas API.
- `private_key` `(string: <required>)` - The Private Programmatic API Key used to connect with MongoDB Atlas API.
### Sample Payload
### Sample payload
```json
{
@@ -35,7 +35,7 @@ In addition to the parameters defined by the Secrets Engines Backend, this plugi
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -45,7 +45,7 @@ $ curl \
http://127.0.0.1:8200/mongodbatlas/config
```
## Create/Update Programmatic API Key role
## Create/Update programmatic API key role
Programmatic API Key credential types create a Vault role to generate a Programmatic API Key at
either the MongoDB Atlas Organization or Project level with the designated role(s) for programmatic access. If a role with the name does not exist, it will be created. If the role exists, it will be updated with the new attributes.
@@ -95,7 +95,7 @@ either the MongoDB Atlas Organization or Project level with the designated role(
* `max_ttl` `(string <Optional>)` - The maximum allowed lifetime of credentials issued using this role.
### Sample Payload
### Sample payload
```json
{
@@ -114,7 +114,7 @@ $ curl \
http://127.0.0.1:8200/mongodbatlas/roles/test-programmatic-key
```
### Sample Response
### Sample response
```json
{
@@ -128,7 +128,7 @@ $ curl \
}
```
## Read Programmatic API Key role
## Read programmatic API key role
| Method | Path |
| :----- | :------------- |
@@ -138,7 +138,7 @@ $ curl \
- `name` `(string <required>)` - Unique identifier name of the role name
### Sample Payload
### Sample payload
```shell-session
$ curl \
@@ -148,7 +148,7 @@ $ curl \
http://127.0.0.1:8200/mongodbatlas/roles/test-programmatic-key
```
### Sample Response
### Sample response
```json
{
@@ -162,13 +162,13 @@ $ curl \
}
```
## List Programmatic API Key role
## List programmatic API key role
| Method | Path |
| :----- | :------- |
| `GET` | `/roles` |
### Sample Payload
### Sample payload
```shell-session
$ curl \
@@ -178,7 +178,7 @@ $ curl \
http://127.0.0.1:8200/mongodbatlas/roles
```
### Sample Response
### Sample response
```json
[
@@ -203,7 +203,7 @@ $ curl \
]
```
## Delete Programmatic API Key role
## Delete programmatic API key role
| Method | Path |
| :------- | :------------- |
@@ -213,7 +213,7 @@ $ curl \
- `name` `(string <required>)` - Unique identifier name of the role name
### Sample Payload
### Sample payload
```shell-session
$ curl \
@@ -223,7 +223,7 @@ $ curl \
http://127.0.0.1:8200/mongodbatlas/roles/test-programmatic-key
```
## Read Credential
## Read credential
| Method | Path |
| :----- | :------------- |
@@ -233,7 +233,7 @@ $ curl \
- `name` `(string <required>)` - Unique identifier name of the credential
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -241,7 +241,7 @@ $ curl \
http://127.0.0.1:8200/mongodbatlas/creds/0fLBv1c2YDzPlJB1PwsRRKHR
```
### Sample Response
### Sample response
```json
{

@@ -4,7 +4,7 @@ page_title: Nomad Secrets Engine- HTTP API
description: This is the API documentation for the Vault Nomad secrets engine.
---
# Nomad Secrets Engine (API)
# Nomad secrets engine (API)
@include 'x509-sha1-deprecation.mdx'
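Review bot: the unchanged `page_title: Nomad Secrets Engine- HTTP API` context line is missing the space before the hyphen that the sibling pages' titles have (`RabbitMQ - Secrets Engines - HTTP API`, `SSH - Secrets Engines - HTTP API`); since this hunk already sits in the file's frontmatter, suggest fixing it to `page_title: Nomad Secrets Engine - HTTP API` in the same change.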
@@ -16,7 +16,7 @@ This documentation assumes the Nomad secrets engine is mounted at the `/nomad` p
in Vault. Since it is possible to mount secrets engines at any location, please
update your API calls accordingly.
## Configure Access
## Configure access
This endpoint configures the access information for Nomad. This access
information is used so that Vault can communicate with Nomad and generate
@@ -53,7 +53,7 @@ Nomad tokens.
- `client_key` `(string: "")` - Client key used for Nomad's TLS communication,
must be x509 PEM encoded and if this is set you need to also set client_cert.
### Sample Payload
### Sample payload
```json
{
@@ -63,7 +63,7 @@ Nomad tokens.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -73,7 +73,7 @@ $ curl \
http://127.0.0.1:8200/v1/nomad/config/access
```
## Read Access Configuration
## Read access configuration
This endpoint queries for information about the Nomad connection.
@@ -81,7 +81,7 @@ This endpoint queries for information about the Nomad connection.
| :----- | :--------------------- |
| `GET` | `/nomad/config/access` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -89,7 +89,7 @@ $ curl \
http://127.0.0.1:8200/v1/nomad/config/access
```
### Sample Response
### Sample response
```json
"data": {
@@ -97,7 +97,7 @@ $ curl \
}
```
## Configure Lease
## Configure lease
This endpoint configures the lease settings for generated tokens.
@@ -111,7 +111,7 @@ This endpoint configures the lease settings for generated tokens.
- `max_ttl` `(string: "")` Specifies the max ttl for the lease. Uses [duration format strings](/vault/docs/concepts/duration-format).
### Sample Payload
### Sample payload
```json
{
@@ -120,7 +120,7 @@ This endpoint configures the lease settings for generated tokens.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -130,7 +130,7 @@ $ curl \
http://127.0.0.1:8200/v1/nomad/config/lease
```
## Read Lease Configuration
## Read lease configuration
This endpoint queries for information about the Lease TTL for the specified mount.
@@ -138,7 +138,7 @@ This endpoint queries for information about the Lease TTL for the specified moun
| :----- | :-------------------- |
| `GET` | `/nomad/config/lease` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -146,7 +146,7 @@ $ curl \
http://127.0.0.1:8200/v1/nomad/config/lease
```
### Sample Response
### Sample response
```json
"data": {
@@ -155,7 +155,7 @@ $ curl \
}
```
## Delete Lease Configuration
## Delete lease configuration
This endpoint deletes the lease configuration.
@@ -163,7 +163,7 @@ This endpoint deletes the lease configuration.
| :------- | :-------------------- |
| `DELETE` | `/nomad/config/lease` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -172,7 +172,7 @@ $ curl \
http://127.0.0.1:8200/v1/nomad/config/lease
```
## Create/Update Role
## Create/Update role
This endpoint creates or updates the Nomad role definition in Vault. If the role does not exist, it will be created. If the role already exists, it will receive
updated attributes.
@@ -193,7 +193,7 @@ updated attributes.
- `type` `(string: "client")` - Specifies the type of token to create when
using this role. Valid values are `"client"` or `"management"`.
### Sample Payload
### Sample payload
To create a client token with a custom policy:
@@ -203,7 +203,7 @@ To create a client token with a custom policy:
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -213,7 +213,7 @@ $ curl \
http://127.0.0.1:8200/v1/nomad/role/monitoring
```
## Read Role
## Read role
This endpoint queries for information about a Nomad role with the given name.
If no role exists with that name, a 404 is returned.
@@ -227,7 +227,7 @@ If no role exists with that name, a 404 is returned.
- `name` `(string: <required>)`  Specifies the name of the role to query. This
is part of the request URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -235,7 +235,7 @@ $ curl \
http://127.0.0.1:8200/v1/nomad/role/monitoring
```
### Sample Response
### Sample response
```json
{
@@ -247,7 +247,7 @@ $ curl \
}
```
## List Roles
## List roles
This endpoint lists all existing roles in the secrets engine.
@@ -256,7 +256,7 @@ This endpoint lists all existing roles in the secrets engine.
| `LIST` | `/nomad/role` |
| `GET` | `/nomad/role?list=true` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -265,7 +265,7 @@ $ curl \
http://127.0.0.1:8200/v1/nomad/role
```
### Sample Response
### Sample response
```json
{
@@ -275,7 +275,7 @@ $ curl \
}
```
## Delete Role
## Delete role
This endpoint deletes a Nomad role with the given name. Even if the role does
not exist, this endpoint will still return a successful response.
@@ -289,7 +289,7 @@ not exist, this endpoint will still return a successful response.
- `name` `(string: <required>)`  Specifies the name of the role to delete. This
is part of the request URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -298,7 +298,7 @@ $ curl \
http://127.0.0.1:8200/v1/nomad/role/example-role
```
## Generate Credential
## Generate credential
This endpoint generates a dynamic Nomad token based on the given role
definition.
@@ -312,7 +312,7 @@ definition.
- `name` `(string: <required>)`  Specifies the name of an existing role against
which to create this Nomad token. This is part of the request URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -320,7 +320,7 @@ $ curl \
http://127.0.0.1:8200/v1/nomad/creds/example
```
### Sample Response
### Sample response
```json
{

File diff suppressed because it is too large
@@ -4,7 +4,7 @@ page_title: RabbitMQ - Secrets Engines - HTTP API
description: This is the API documentation for the Vault RabbitMQ secrets engine.
---
# RabbitMQ Secrets Engine (API)
# RabbitMQ secrets engine (API)
This is the API documentation for the Vault RabbitMQ secrets engine. For general
information about the usage and operation of the RabbitMQ secrets engine, please
@@ -14,7 +14,7 @@ This documentation assumes the RabbitMQ secrets engine is enabled at the
`/rabbitmq` path in Vault. Since it is possible to enable secrets engines at any
location, please update your API calls accordingly.
## Configure Connection
## Configure connection
This endpoint configures the connection string used to communicate with
RabbitMQ.
@@ -39,7 +39,7 @@ RabbitMQ.
- `username_template` `(string)` - [Template](/vault/docs/concepts/username-templating) describing how
dynamic usernames are generated.
### Sample Payload
### Sample payload
```json
{
@@ -50,7 +50,7 @@ RabbitMQ.
}
```
### Sample Request
### Sample request
<Tabs>
<Tab heading="cURL">
@@ -77,7 +77,7 @@ $ vault write rabbitmq/config/connection \
</Tab>
</Tabs>
## Configure Lease
## Configure lease
This endpoint configures the lease settings for generated credentials.
@@ -91,7 +91,7 @@ This endpoint configures the lease settings for generated credentials.
- `max_ttl` `(int: 0)` Specifies the maximum ttl provided in seconds.
### Sample Payload
### Sample payload
```json
{
@@ -100,7 +100,7 @@ This endpoint configures the lease settings for generated credentials.
}
```
### Sample Request
### Sample request
<Tabs>
<Tab heading="cURL">
@@ -125,7 +125,7 @@ $ vault write rabbitmq/config/lease \
</Tab>
</Tabs>
## Create Role
## Create role
This endpoint creates or updates the role definition.
@@ -146,7 +146,7 @@ This endpoint creates or updates the role definition.
- `vhost_topics` `(string: "")`  Specifies a map of virtual hosts and exchanges
to topic permissions. This option requires RabbitMQ 3.7.0 or later.
### Sample Payload
### Sample payload
```json
{
@@ -156,7 +156,7 @@ This endpoint creates or updates the role definition.
}
```
### Sample Request
### Sample request
<Tabs>
<Tab heading="cURL">
@@ -182,7 +182,7 @@ $ vault write rabbitmq/roles/my-role \
</Tab>
</Tabs>
## Read Role
## Read role
This endpoint queries the role definition.
@@ -195,7 +195,7 @@ This endpoint queries the role definition.
- `name` `(string: <required>)` Specifies the name of the role to read. This
is specified as part of the URL.
### Sample Request
### Sample request
<Tabs>
<Tab heading="cURL">
@@ -216,7 +216,7 @@ $ vault read rabbitmq/roles/my-role
</Tab>
</Tabs>
### Sample Response
### Sample response
```json
{
@@ -228,7 +228,7 @@ $ vault read rabbitmq/roles/my-role
}
```
## Delete Role
## Delete role
This endpoint deletes the role definition.
@@ -241,7 +241,7 @@ This endpoint deletes the role definition.
- `name` `(string: <required>)` Specifies the name of the role to delete. This
is specified as part of the URL.
### Sample Request
### Sample request
<Tabs>
<Tab heading="cURL">
@@ -263,7 +263,7 @@ vault delete rabbitmq/roles/my-role
</Tab>
</Tabs>
## Generate Credentials
## Generate credentials
This endpoint generates a new set of dynamic credentials based on the named
role.
@@ -277,7 +277,7 @@ role.
- `name` `(string: <required>)` Specifies the name of the role to create
credentials against. This is specified as part of the URL.
### Sample Request
### Sample request
<Tabs>
<Tab heading="cURL">
@@ -298,7 +298,7 @@ $ vault read rabbitmq/creds/my-role
</Tab>
</Tabs>
### Sample Response
### Sample response
```json
{

@@ -4,7 +4,7 @@ page_title: SSH - Secrets Engines - HTTP API
description: This is the API documentation for the Vault SSH secrets engine.
---
# SSH Secrets Engine (API)
# SSH secrets engine (API)
This is the API documentation for the Vault SSH secrets engine. For general
information about the usage and operation of the SSH secrets engine, please see
@@ -14,7 +14,7 @@ This documentation assumes the SSH secrets engine is enabled at the `/ssh` path
in Vault. Since it is possible to enable secrets engines at any location, please
update your API calls accordingly.
## Create/Update Role
## Create/Update role
This endpoint creates or updates a named role.
@@ -187,7 +187,7 @@ This endpoint creates or updates a named role.
- `not_before_duration` `(duration: "30s")`  Specifies the duration by which to
backdate the `ValidAfter` property. Uses [duration format strings](/vault/docs/concepts/duration-format).
### Sample Payload
### Sample payload
```json
{
@@ -195,7 +195,7 @@ This endpoint creates or updates a named role.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -205,7 +205,7 @@ $ curl \
http://127.0.0.1:8200/v1/ssh/roles/my-role
```
## Read Role
## Read role
This endpoint queries a named role.
@@ -218,7 +218,7 @@ This endpoint queries a named role.
- `name` `(string: <required>)`  Specifies the name of the role to read. This
is part of the request URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -226,7 +226,7 @@ $ curl \
http://127.0.0.1:8200/v1/ssh/roles/my-role
```
### Sample Response
### Sample response
For an OTP role:
@@ -257,7 +257,7 @@ For a CA role:
}
```
## List Roles
## List roles
This endpoint returns a list of available roles. Only the role names are
returned, not any values.
@@ -266,7 +266,7 @@ returned, not any values.
| :----- | :----------- |
| `LIST` | `/ssh/roles` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -275,7 +275,7 @@ $ curl \
http://127.0.0.1:8200/v1/ssh/roles
```
### Sample Response
### Sample response
```json
{
@@ -294,7 +294,7 @@ $ curl \
}
```
## Delete Role
## Delete role
This endpoint deletes a named role.
@@ -307,7 +307,7 @@ This endpoint deletes a named role.
- `name` `(string: <required>)`  Specifies the name of the role to delete. This
is part of the request URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -317,7 +317,7 @@ $ curl \
http://127.0.0.1:8200/v1/ssh/roles/my-role
```
## List Zero-Address Roles
## List Zero-Address roles
This endpoint returns the list of configured zero-address roles.
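Review bot: `## List Zero-Address roles` (and the `Configure Zero-Address roles` / `Delete Zero-Address role` hunks below) leave `Zero-Address` capitalised, while the body line in this same hunk writes `zero-address roles`; it is not a proper noun, so for sentence case suggest `## List zero-address roles`, `## Configure zero-address roles` and `## Delete zero-address role`.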
@@ -325,7 +325,7 @@ This endpoint returns the list of configured zero-address roles.
| :----- | :------------------------ |
| `GET` | `/ssh/config/zeroaddress` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -333,7 +333,7 @@ $ curl \
http://127.0.0.1:8200/v1/ssh/config/zeroaddress
```
### Sample Response
### Sample response
```json
{
@@ -348,7 +348,7 @@ $ curl \
}
```
## Configure Zero-Address Roles
## Configure Zero-Address roles
This endpoint configures zero-address roles.
@@ -362,7 +362,7 @@ This endpoint configures zero-address roles.
list of role names which allows credentials to be requested for any IP
address. CIDR blocks previously registered under these roles will be ignored.
### Sample Payload
### Sample payload
```json
{
@@ -370,7 +370,7 @@ This endpoint configures zero-address roles.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -380,7 +380,7 @@ $ curl \
http://127.0.0.1:8200/v1/ssh/config/zeroaddress
```
## Delete Zero-Address Role
## Delete Zero-Address role
This endpoint deletes the zero-address roles configuration.
@@ -388,7 +388,7 @@ This endpoint deletes the zero-address roles configuration.
| :------- | :------------------------ |
| `DELETE` | `/ssh/config/zeroaddress` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -397,7 +397,7 @@ $ curl \
http://127.0.0.1:8200/v1/ssh/config/zeroaddress
```
## Generate SSH Credentials
## Generate SSH credentials
This endpoint creates credentials for a specific username and IP with the
parameters defined in the given role.
@@ -415,7 +415,7 @@ parameters defined in the given role.
- `ip` `(string: <required>)` Specifies the IP of the remote host.
### Sample Payload
### Sample payload
```json
{
@@ -423,7 +423,7 @@ parameters defined in the given role.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -433,7 +433,7 @@ $ curl \
http://127.0.0.1:8200/v1/ssh/creds/my-role
```
### Sample Response
### Sample response
For an OTP role:
@@ -454,7 +454,7 @@ For an OTP role:
}
```
## List Roles by IP
## List roles by IP
This endpoint lists all of the roles with which the given IP is associated.
@@ -466,7 +466,7 @@ This endpoint lists all of the roles with which the given IP is associated.
- `ip` `(string: <required>)`  Specifies the IP of the remote host.
### Sample Payload
### Sample payload
```json
{
@@ -474,7 +474,7 @@ This endpoint lists all of the roles with which the given IP is associated.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -484,7 +484,7 @@ $ curl \
http://127.0.0.1:8200/v1/ssh/lookup
```
### Sample Response
### Sample response
An array of roles as a secret structure.
@@ -518,7 +518,7 @@ endpoint.
- `otp` `(string: <required>)`  Specifies the One-Time-Key that needs to be
validated.
### Sample Payload
### Sample payload
```json
{
@@ -526,7 +526,7 @@ endpoint.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -536,7 +536,7 @@ $ curl \
http://127.0.0.1:8200/v1/ssh/verify
```
### Sample Response
### Sample response
```json
{
@@ -552,7 +552,7 @@ $ curl \
}
```
## Submit CA Information
## Submit CA information
This endpoint allows submitting the CA information for the secrets engine via an SSH
key pair. _If you have already set a certificate and key, they will be
@@ -594,7 +594,7 @@ overridden._
to use; `256`, `384`, or `521`, with the default `0` value resulting in a
NIST P-256 key).
### Sample Payload
### Sample payload
```json
{
@@ -602,7 +602,7 @@ overridden._
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -612,7 +612,7 @@ $ curl \
http://127.0.0.1:8200/v1/ssh/config/ca
```
### Sample Response
### Sample response
This will return a `204` response if `generate_signing_key` was unset or false.
@@ -630,7 +630,7 @@ This will return a `200` response if `generate_signing_key` was true:
}
```
## Delete CA Information
## Delete CA information
This endpoint deletes the CA information for the backend via an SSH key pair.
@@ -638,7 +638,7 @@ This endpoint deletes the CA information for the backend via an SSH key pair.
| :------- | :--------------- |
| `DELETE` | `/ssh/config/ca` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -647,7 +647,7 @@ $ curl \
http://127.0.0.1:8200/v1/ssh/config/ca
```
## Read Public Key (Unauthenticated)
## Read public key (Unauthenticated)
This endpoint returns the configured/generated public key. This is an unauthenticated
endpoint.
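Review bot: `## Read public key (Unauthenticated)` keeps a capital inside the parenthetical, which sentence case would lowercase, and the same applies to `## Read public key (Authenticated)` a few hunks down; suggest `(unauthenticated)` and `(authenticated)` so the two headings follow the convention this commit introduces.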
@@ -660,19 +660,19 @@ endpoint.
| :----- | :---------------- | ---------------- |
| `GET` | `/ssh/public_key` | `200 text/plain` |
### Sample Request
### Sample request
```shell-session
$ curl http://127.0.0.1:8200/v1/ssh/public_key
```
### Sample Response
### Sample response
```text
ssh-rsa AAAAHHNzaC1y...
```
## Read Public Key (Authenticated)
## Read public key (Authenticated)
This endpoint reads the configured/generated public key.
@@ -680,7 +680,7 @@ This endpoint reads the configured/generated public key.
| :----- | :--------------- |
| `GET` | `/ssh/config/ca` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -688,7 +688,7 @@ $ curl \
http://127.0.0.1:8200/v1/ssh/config/ca
```
### Sample Response
### Sample response
```json
{
@@ -702,7 +702,7 @@ $ curl \
}
```
## Sign SSH Key
## Sign SSH key
This endpoint signs an SSH public key based on the supplied parameters and
subject to the restrictions of the role named in the path. Both `create` and
@@ -755,7 +755,7 @@ parameters of the issued certificate can be further customized in this API call.
- `extensions` `(map<string|string>: "")`  Specifies a map of the extensions
that the certificate should be signed for. Defaults to none.
### Sample Payload
### Sample payload
```json
{
@@ -763,7 +763,7 @@ parameters of the issued certificate can be further customized in this API call.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -773,7 +773,7 @@ $ curl \
http://127.0.0.1:8200/v1/ssh/sign/my-key
```
### Sample Response
### Sample response
```json
{
@@ -788,7 +788,7 @@ $ curl \
}
```
## Generate Certificate and Key
## Generate certificate and key
This endpoint issues a new set of SSH credentials (private key and certificate).
@@ -841,7 +841,7 @@ parameters of the issued certificate can be further customized in this API call.
- `extensions` `(map<string|string>: "")` Specifies a map of the extensions
that the certificate should be signed for. Defaults to none.
### Sample Payload
### Sample payload
```json
{
@@ -850,7 +850,7 @@ parameters of the issued certificate can be further customized in this API call.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -860,7 +860,7 @@ $ curl \
http://127.0.0.1:8200/v1/ssh/issue/my-role
```
### Sample Response
### Sample response
```json
{
@@ -880,7 +880,7 @@ $ curl \
}
```
## Tidy Host Keys
## Tidy host keys
This endpoint removes all existing host keys from Vault, if any are present.
These keys were used with the Dynamic Keys functionality, which were removed
@@ -899,7 +899,7 @@ from this engine.
| :------- | :----------------------- |
| `DELETE` | `/ssh/tidy/dynamic-keys` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -908,7 +908,7 @@ $ curl \
http://127.0.0.1:8200/v1/ssh/issue/my-role
```
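Review bot: the sample request in this hunk for the tidy endpoint still targets `http://127.0.0.1:8200/v1/ssh/issue/my-role`, but the endpoint table in the preceding hunk lists `DELETE /ssh/tidy/dynamic-keys`, so a reader copying the sample would send a DELETE to the certificate-issuing path instead of the tidy path. This is a pre-existing context line rather than part of the rename, but worth correcting to `http://127.0.0.1:8200/v1/ssh/tidy/dynamic-keys` while the file is open.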
### Sample Response
### Sample response
```json
{

@@ -4,7 +4,7 @@ page_title: Terraform Cloud Secret Backend - HTTP API
description: This is the API documentation for the Vault Terraform Cloud secret backend.
---
# Terraform Cloud Secret Backend HTTP API
# Terraform Cloud secret backend HTTP API
This is the API documentation for the Vault Terraform Cloud secret backend. For general
information about the usage and operation of the Terraform Cloud backend, please see the
@@ -14,7 +14,7 @@ This documentation assumes the Terraform Cloud backend is mounted at the `/terra
in Vault. Since it is possible to mount secret backends at any location, please
update your API calls accordingly.
## Configure Access
## Configure access
This endpoint configures the access information for Terraform Cloud. This access
information is used so that Vault can communicate with Terraform Cloud and generate
@@ -34,7 +34,7 @@ Terraform Cloud tokens.
use. This token must have the needed permissions to manage all Organization,
Team, and User tokens desired for this mount.
### Sample Payload
### Sample payload
```json
{
@@ -43,7 +43,7 @@ Terraform Cloud tokens.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -53,7 +53,7 @@ $ curl \
http://127.0.0.1:8200/v1/terraform/config
```
## Read Access Configuration
## Read access configuration
This endpoint queries for information about the Terraform Cloud connection.
@@ -61,7 +61,7 @@ This endpoint queries for information about the Terraform Cloud connection.
| :----- | :------------------ |
| `GET` | `/terraform/config` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -69,7 +69,7 @@ $ curl \
http://127.0.0.1:8200/v1/terraform/config
```
### Sample Response
### Sample response
```json
"data": {
@@ -78,7 +78,7 @@ $ curl \
}
```
## Create/Update Role
## Create/Update role
This endpoint creates or updates the Terraform Cloud role definition in Vault.
If the role does not exist, it will be created. If the role already exists, it
@@ -132,7 +132,7 @@ information](/terraform/cloud-docs/users-teams-organizations/api-tokens).
provided, the default Vault Max TTL is used. Only applies to User API tokens.
Uses [duration format strings](/vault/docs/concepts/duration-format).
### Sample Payload
### Sample payload
To create a Vault role to manage a Terraform Cloud User tokens
@@ -144,7 +144,7 @@ To create a Vault role to manage a Terraform Cloud User tokens
}
```
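Review bot: the context line `To create a Vault role to manage a Terraform Cloud User tokens` has a number mismatch (`a ... tokens`) and a capitalised `User` of the kind this commit is otherwise removing; suggest `To create a Vault role to manage Terraform Cloud user tokens:`, with the trailing colon matching the equivalent lead-in in the Nomad page (`To create a client token with a custom policy:`).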
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -154,7 +154,7 @@ $ curl \
http://127.0.0.1:8200/v1/terraform/role/tfuser
```
## Read Role
## Read role
This endpoint queries for information about a Terraform Cloud role with the given name.
If no role exists with that name, a 404 is returned.
@@ -168,7 +168,7 @@ If no role exists with that name, a 404 is returned.
- `name` `(string: <required>)`  Specifies the name of the role to query. This
is part of the request URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -176,7 +176,7 @@ $ curl \
http://127.0.0.1:8200/v1/terraform/role/tfuser
```
### Sample Response
### Sample response
```json
{
@@ -189,7 +189,7 @@ $ curl \
}
```
## List Roles
## List roles
This endpoint lists all existing roles in the backend.
@@ -198,7 +198,7 @@ This endpoint lists all existing roles in the backend.
| `LIST` | `/terraform/role` |
| `GET` | `/terraform/role?list=true` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -207,7 +207,7 @@ $ curl \
http://127.0.0.1:8200/v1/terraform/role
```
### Sample Response
### Sample response
```json
{
@@ -217,7 +217,7 @@ $ curl \
}
```
## Delete Role
## Delete role
This endpoint deletes a Terraform Cloud role with the given name. Even if the role does
not exist, this endpoint will still return a successful response.
@@ -231,7 +231,7 @@ not exist, this endpoint will still return a successful response.
- `name` `(string: <required>)`  Specifies the name of the role to delete. This
is part of the request URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -240,7 +240,7 @@ $ curl \
http://127.0.0.1:8200/v1/terraform/role/tfuser
```
## Rotate Role
## Rotate role
This endpoint rotates the credentials for a Terraform Cloud role that manages an
Organization or Team. This endpoint is only valid for those roles; attempting to
@@ -255,7 +255,7 @@ rotate a role that manages user tokens will result in an error.
- `name` `(string: <required>)`  Specifies the name of the role to rotate. This
is part of the request URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -264,7 +264,7 @@ $ curl \
http://127.0.0.1:8200/v1/terraform/rotate-role/testing
```
## Generate Credential
## Generate credential
This endpoint returns a Terraform Cloud token based on the given role
definition. For Organization and Team roles, the same API token is returned
@@ -280,7 +280,7 @@ generated with each request.
- `name` `(string: <required>)`  Specifies the name of an existing role against
which to create this Terraform Cloud token. This is part of the request URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -288,7 +288,7 @@ $ curl \
http://127.0.0.1:8200/v1/terraform/creds/example
```
### Sample Response
### Sample response
```json
{

@@ -4,7 +4,7 @@ page_title: TOTP - Secrets Engines - HTTP API
description: This is the API documentation for the Vault TOTP secrets engine.
---
# TOTP Secrets Engine (API)
# TOTP secrets engine (API)
This is the API documentation for the Vault TOTP secrets engine. For general
information about the usage and operation of the TOTP secrets engine, please see
@@ -14,7 +14,7 @@ This documentation assumes the TOTP secrets engine is enabled at the `/totp`
path in Vault. Since it is possible to enable secrets engines at any location,
please update your API calls accordingly.
## Create Key
## Create key
This endpoint creates or updates a key definition.
@@ -50,7 +50,7 @@ This endpoint creates or updates a key definition.
- `qr_size` `(int: 200)`  Specifies the pixel size of the square QR code when generating a new key. Only used if generate is true and exported is true. If this value is 0, a QR code will not be returned.
### Sample Payload
### Sample payload
```json
{
@@ -58,7 +58,7 @@ This endpoint creates or updates a key definition.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -68,7 +68,7 @@ $ curl \
http://127.0.0.1:8200/v1/totp/keys/my-key
```
### Sample Payload
### Sample payload
```json
{
@@ -78,7 +78,7 @@ $ curl \
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -88,7 +88,7 @@ $ curl \
http://127.0.0.1:8200/v1/totp/keys/my-key
```
### Sample Response
### Sample response
```json
{
@@ -105,7 +105,7 @@ If a QR code is returned, it consists of base64-formatted PNG bytes. You can emb
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUh.." />
```
## Read Key
## Read key
This endpoint queries the key definition.
@@ -117,7 +117,7 @@ This endpoint queries the key definition.
- `name` `(string: <required>)` Specifies the name of the key to read. This is specified as part of the URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -125,7 +125,7 @@ $ curl \
http://127.0.0.1:8200/v1/totp/keys/my-key
```
### Sample Response
### Sample response
```json
{
@@ -139,7 +139,7 @@ $ curl \
}
```
## List Keys
## List keys
This endpoint returns a list of available keys. Only the key names are
returned, not any values.
@@ -148,7 +148,7 @@ returned, not any values.
| :----- | :----------- |
| `LIST` | `/totp/keys` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -157,7 +157,7 @@ $ curl \
http://127.0.0.1:8200/v1/totp/keys
```
### Sample Response
### Sample response
```json
{
@@ -171,7 +171,7 @@ $ curl \
}
```
## Delete Key
## Delete key
This endpoint deletes the key definition.
@@ -184,7 +184,7 @@ This endpoint deletes the key definition.
- `name` `(string: <required>)` Specifies the name of the key to delete. This
is specified as part of the URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -193,7 +193,7 @@ $ curl \
http://127.0.0.1:8200/v1/totp/keys/my-key
```
## Generate Code
## Generate code
This endpoint generates a new time-based one-time use password based on the named
key.
@@ -207,7 +207,7 @@ key.
- `name` `(string: <required>)` Specifies the name of the key to create
credentials against. This is specified as part of the URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -215,7 +215,7 @@ $ curl \
http://127.0.0.1:8200/v1/totp/code/my-key
```
### Sample Response
### Sample response
```json
{
@@ -225,7 +225,7 @@ $ curl \
}
```
## Validate Code
## Validate code
This endpoint validates a time-based one-time use password generated from the named
key.
@@ -240,7 +240,7 @@ key.
- `code` `(string: <required>)` Specifies the password you want to validate.
### Sample Payload
### Sample payload
```json
{
@@ -248,7 +248,7 @@ key.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -258,7 +258,7 @@ $ curl \
http://127.0.0.1:8200/v1/totp/code/my-key
```
### Sample Response
### Sample response
```json
{

File diff suppressed because it is too large Load Diff

View File

@@ -4,7 +4,7 @@ page_title: Transit - Secrets Engines - HTTP API
description: This is the API documentation for the Vault Transit secrets engine.
---
# Transit Secrets Engine (API)
# Transit secrets engine (API)
This is the API documentation for the Vault Transit secrets engine. For general
information about the usage and operation of the Transit secrets engine, please
@@ -14,7 +14,7 @@ This documentation assumes the transit secrets engine is enabled at the
`/transit` path in Vault. Since it is possible to enable secrets engines at any
location, please update your API calls accordingly.
## Create Key
## Create key
This endpoint creates a new named encryption key of the specified type. The
values set here cannot be changed after key creation.
@@ -86,7 +86,7 @@ values set here cannot be changed after key creation.
hour. Uses [duration format strings](/vault/docs/concepts/duration-format).
- `managed_key_name` `(string: "")` - The name of the managed key to use for this transit key.
- `managed_key_id` `(string: "")` - The UUID of the managed key to use for this transit key.
### Sample Payload
### Sample payload
```json
{
@@ -95,7 +95,7 @@ values set here cannot be changed after key creation.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -105,7 +105,7 @@ $ curl \
http://127.0.0.1:8200/v1/transit/keys/my-key
```
## Import Key
## Import key
This endpoint imports existing key material into a new transit-managed encryption key.
To import key material into an existing key, see the `import_version/` endpoint.
@@ -193,7 +193,7 @@ key derivation. Required if `derived` is set to `true`.
will disable automatic key rotation. This value cannot be shorter than one
hour.
### Sample Payload
### Sample payload
```json
{
@@ -202,7 +202,7 @@ key derivation. Required if `derived` is set to `true`.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -212,7 +212,7 @@ $ curl \
http://127.0.0.1:8200/v1/transit/keys/my-key/import
```
## Import Key Version
## Import key version
This endpoint imports new key material into an existing imported key.
@@ -257,7 +257,7 @@ is available.
a new version will be created unless a private key is specified and the
'Latest' key is missing a private key.
### Sample Payload
### Sample payload
```json
{
@@ -265,7 +265,7 @@ a new version will be created unless a private key is specified and the
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -275,7 +275,7 @@ $ curl \
http://127.0.0.1:8200/v1/transit/keys/my-key/import_version
```
## Get Wrapping Key
## Get wrapping key
This endpoint is used to retrieve the wrapping key to use for importing keys.
The returned key will be a 4096-bit RSA public key.
@@ -284,7 +284,7 @@ The returned key will be a 4096-bit RSA public key.
| :---- | :---------------------- |
| `GET` | `/transit/wrapping_key` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -293,7 +293,7 @@ $ curl \
http://127.0.0.1:8200/v1/transit/wrapping_key
```
### Sample Response
### Sample response
```json
{
@@ -303,7 +303,7 @@ $ curl \
}
```
## Read Key
## Read key
This endpoint returns information about a named encryption key. The `keys`
object shows the creation time of each key version; the values are not the keys
@@ -320,7 +320,7 @@ type.
- `name` `(string: <required>)` Specifies the name of the encryption key to
read. This is specified as part of the URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -328,7 +328,7 @@ $ curl \
http://127.0.0.1:8200/v1/transit/keys/my-key
```
### Sample Response
### Sample response
```json
{
@@ -359,7 +359,7 @@ The sample response shows a key that was created on September 22, 2015 7:50:12 P
The fields `supports_encryption`, `supports_decryption`, `supports_derivation` and `supports_signing` are
derived from the type of the key, and indicate which operations may be performed with it.
## List Keys
## List keys
This endpoint returns a list of keys. Only the key names are returned (not the
actual keys themselves).
@@ -368,7 +368,7 @@ actual keys themselves).
| :----- | :-------------- |
| `LIST` | `/transit/keys` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -377,7 +377,7 @@ $ curl \
http://127.0.0.1:8200/v1/transit/keys
```
### Sample Response
### Sample response
```json
{
@@ -390,7 +390,7 @@ $ curl \
}
```
## Delete Key
## Delete key
This endpoint deletes a named encryption key. It will no longer be possible to
decrypt any data encrypted with the named key. Because this is a potentially
@@ -406,7 +406,7 @@ catastrophic operation, the `deletion_allowed` tunable must be set in the key's
- `name` `(string: <required>)` Specifies the name of the encryption key to
delete. This is specified as part of the URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -415,7 +415,7 @@ $ curl \
http://127.0.0.1:8200/v1/transit/keys/my-key
```
## Update Key Configuration
## Update key configuration
This endpoint allows tuning configuration values for a given key. (These values
are returned during a read operation on the named key.)
@@ -453,7 +453,7 @@ are returned during a read operation on the named key.)
key rotation. This value cannot be shorter than one hour. When no value is
provided, the period remains unchanged. Uses [duration format strings](/vault/docs/concepts/duration-format).
### Sample Payload
### Sample payload
```json
{
@@ -461,7 +461,7 @@ are returned during a read operation on the named key.)
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -471,7 +471,7 @@ $ curl \
http://127.0.0.1:8200/v1/transit/keys/my-key/config
```
## Rotate Key
## Rotate key
This endpoint rotates the version of the named key. After rotation, new
plaintext requests will be encrypted with the new version of the key. To upgrade
@@ -498,7 +498,7 @@ rotated within Vault, it will not support further import operations.
~> **Note**: If the key to be rotated is of type `managed_key`, either the `managed_key_name` or
the `managed_key_id` for the new key must be provided.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -507,7 +507,7 @@ $ curl \
http://127.0.0.1:8200/v1/transit/keys/my-key/rotate
```
## Securely Export Key
## Securely export key
This endpoint returns a wrapped copy of the `source` key, protected by the
`destination` key using BYOK method accepted by the
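Review bot: the unchanged context line "protected by the `destination` key using BYOK method accepted by the" is missing an article; since this hunk already touches the heading two lines above, it would be cheap to make it "using the BYOK method accepted by the" in the same commit.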
@@ -537,7 +537,7 @@ CLI helper utility.
specified as part of the URL. If the version is set to `latest`, the
current key will be returned.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -545,7 +545,7 @@ $ curl \
http://127.0.0.1:8200/v1/transit/byok-export/wrapping-key/to-be-shared-key/1
```
### Sample Response
### Sample response
```json
{
@@ -559,7 +559,7 @@ $ curl \
```
## Export Key
## Export key
This endpoint returns the named key. The `keys` object shows the value of the
key for each version. If `version` is specified, the specific version will be
@@ -590,7 +590,7 @@ be valid.
all versions of the key will be returned. This is specified as part of the
URL. If the version is set to `latest`, the current key will be returned.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -598,7 +598,7 @@ $ curl \
http://127.0.0.1:8200/v1/transit/export/encryption-key/my-key/1
```
### Sample Response
### Sample response
```json
{
@@ -612,7 +612,7 @@ $ curl \
}
```
## Write Keys Configuration
## Write keys configuration
This endpoint maintains global configuration across all keys. This
allows removing the upsert capability of the `/encrypt/:key` endpoint,
@@ -627,7 +627,7 @@ preventing new keys from being created if none exists.
- `disable_upsert` `(bool: false)` - Specifies whether to disable upserting on
encryption (automatic creation of unknown keys).
### Sample Payload
### Sample payload
```json
{
@@ -635,7 +635,7 @@ preventing new keys from being created if none exists.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -645,7 +645,7 @@ $ curl \
http://127.0.0.1:8200/v1/transit/config/keys
```
### Sample Response
### Sample response
```json
{
@@ -655,7 +655,7 @@ $ curl \
}
```
## Read Keys Configuration
## Read keys configuration
This endpoint maintains global configuration across all keys. This
allows removing the upsert capability of the `/encrypt/:key` endpoint,
@@ -665,7 +665,7 @@ preventing new keys from being created if none exists.
| :----- | :--------------------- |
| `GET` | `/transit/config/keys` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -673,7 +673,7 @@ $ curl \
http://127.0.0.1:8200/v1/transit/config/keys
```
### Sample Response
### Sample response
```json
{
@@ -683,7 +683,7 @@ $ curl \
}
```
## Encrypt Data
## Encrypt data
This endpoint encrypts the provided plaintext using the named key. This path
supports the `create` and `update` policy capabilities as follows: if the user
@@ -779,7 +779,7 @@ requirement is that Vault does not require that the plaintext is "text". It
could be a binary file such as a PDF or image. The easiest safe transport
mechanism for this data as part of a JSON payload is to base64-encode it.
### Sample Payload
### Sample payload
Fist, encode the plaintext with base64:
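Review bot: the trailing context line "Fist, encode the plaintext with base64:" has a typo ("Fist" for "First") directly under the heading this hunk edits; worth fixing here rather than leaving it for a separate pass, e.g. "First, encode the plaintext with base64:".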
@@ -798,7 +798,7 @@ Use the base64-encoded plaintext in the payload:
!> Vault HTTP API imposes a maximum request size of 32MB to prevent a denial of service attack. This can be tuned per [`listener` block](/vault/docs/configuration/listener/tcp) in the Vault server configuration.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -808,7 +808,7 @@ $ curl \
http://127.0.0.1:8200/v1/transit/encrypt/my-key
```
### Sample Response
### Sample response
```json
{
@@ -818,7 +818,7 @@ $ curl \
}
```
## Decrypt Data
## Decrypt data
This endpoint decrypts the provided ciphertext using the named key.
@@ -878,7 +878,7 @@ This endpoint decrypts the provided ciphertext using the named key.
decrypt) could be indicative of a security breach and should not be
ignored.
### Sample Payload
### Sample payload
```json
{
@@ -886,7 +886,7 @@ This endpoint decrypts the provided ciphertext using the named key.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -896,7 +896,7 @@ $ curl \
http://127.0.0.1:8200/v1/transit/decrypt/my-key
```
### Sample Response
### Sample response
```json
{
@@ -906,7 +906,7 @@ $ curl \
}
```
## Rewrap Data
## Rewrap data
This endpoint rewraps the provided ciphertext using the latest version of the
named key. Because this never returns plaintext, it is possible to delegate this
@@ -960,7 +960,7 @@ functionality to untrusted users or scripts.
]
```
### Sample Payload
### Sample payload
```json
{
@@ -968,7 +968,7 @@ functionality to untrusted users or scripts.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -978,7 +978,7 @@ $ curl \
http://127.0.0.1:8200/v1/transit/rewrap/my-key
```
### Sample Response
### Sample response
```json
{
@@ -988,7 +988,7 @@ $ curl \
}
```
## Generate Data Key
## Generate data key
This endpoint generates a new high-entropy key and the value encrypted with the
named key. Optionally return the plaintext of the key as well. Whether plaintext
@@ -1024,7 +1024,7 @@ then made available to trusted users.
- `bits` `(int: 256)`  Specifies the number of bits in the desired key. Can be
128, 256, or 512.
### Sample Payload
### Sample payload
```json
{
@@ -1032,7 +1032,7 @@ then made available to trusted users.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -1042,7 +1042,7 @@ $ curl \
http://127.0.0.1:8200/v1/transit/datakey/plaintext/my-key
```
### Sample Response
### Sample response
```json
{
@@ -1053,7 +1053,7 @@ $ curl \
}
```
## Generate Random Bytes
## Generate random bytes
This endpoint returns high-quality random bytes of the specified length.
@@ -1074,7 +1074,7 @@ This endpoint returns high-quality random bytes of the specified length.
`seal` sources from entropy augmentation (enterprise only).
`all` mixes bytes from all available sources.
### Sample Payload
### Sample payload
```json
{
@@ -1082,7 +1082,7 @@ This endpoint returns high-quality random bytes of the specified length.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -1092,7 +1092,7 @@ $ curl \
http://127.0.0.1:8200/v1/transit/random/164
```
### Sample Response
### Sample response
```json
{
@@ -1102,7 +1102,7 @@ $ curl \
}
```
## Hash Data
## Hash data
This endpoint returns the cryptographic hash of given data using the specified
algorithm.
@@ -1134,7 +1134,7 @@ algorithm.
- `format` `(string: "hex")`  Specifies the output encoding. This can be either
`hex` or `base64`.
### Sample Payload
### Sample payload
```json
{
@@ -1142,7 +1142,7 @@ algorithm.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -1152,7 +1152,7 @@ $ curl \
http://127.0.0.1:8200/v1/transit/hash/sha2-512
```
### Sample Response
### Sample response
```json
{
@@ -1229,7 +1229,7 @@ be used.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -1239,7 +1239,7 @@ $ curl \
http://127.0.0.1:8200/v1/transit/hmac/my-key/sha2-512
```
### Sample Payload
### Sample payload
```json
{
@@ -1247,7 +1247,7 @@ $ curl \
}
```
### Sample Response
### Sample response
```json
{
@@ -1257,7 +1257,7 @@ $ curl \
}
```
### Sample Payload with batch_input
### Sample payload with batch_input
```json
{
@@ -1276,7 +1276,7 @@ $ curl \
}
```
### Sample Response for batch_input
### Sample response for batch_input
```json
{
@@ -1299,7 +1299,7 @@ $ curl \
}
```
## Sign Data
## Sign data
This endpoint returns the cryptographic signature of the given data using the
named key and the specified hash algorithm. The key must be of a type that
@@ -1416,7 +1416,7 @@ supports signing.
- `hash`: Causes the salt length to equal the length of the hash used in the signature
- An integer between the minimum and the maximum permissible salt lengths for the given RSA key size.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -1426,7 +1426,7 @@ $ curl \
http://127.0.0.1:8200/v1/transit/sign/my-key/sha2-512
```
### Sample Payload
### Sample payload
```json
{
@@ -1434,7 +1434,7 @@ $ curl \
}
```
### Sample Response
### Sample response
```json
{
@@ -1444,7 +1444,7 @@ $ curl \
}
```
### Sample Payload with batch_input
### Sample payload with batch_input
Given an ed25519 key with derived keys set, the context parameter is expected for each batch_input item, and
the response will include the derived public key for each item.
@@ -1465,7 +1465,7 @@ the response will include the derived public key for each item.
}
```
### Sample Response for batch_input
### Sample response for batch_input
```
{
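Review bot: the fence opened just above for the batch_input sample response has no language tag, while every other sample response in this file uses ```json; the verify section's batch_input payload and response fences later in the diff are untagged too. Tagging them json keeps syntax highlighting consistent and would be a natural drive-by in a headings-only cleanup.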
@@ -1487,7 +1487,7 @@ the response will include the derived public key for each item.
}
```
## Verify Signed Data
## Verify signed data
This endpoint returns whether the provided signature is valid for the given
data.
@@ -1606,7 +1606,7 @@ data.
- `hash`: Causes the salt length to equal the length of the hash used in the signature
- An integer between the minimum and the maximum permissible salt lengths for the given RSA key size.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -1616,7 +1616,7 @@ $ curl \
http://127.0.0.1:8200/v1/transit/verify/my-key/sha2-512
```
### Sample Payload
### Sample payload
```json
{
@@ -1625,7 +1625,7 @@ $ curl \
}
```
### Sample Response
### Sample response
```json
{
@@ -1635,7 +1635,7 @@ $ curl \
}
```
### Sample Payload with batch_input
### Sample payload with batch_input
```
{
@@ -1659,7 +1659,7 @@ $ curl \
}
```
### Sample Response for batch_input
### Sample response for batch_input
```
{
@@ -1679,7 +1679,7 @@ $ curl \
}
```
## Backup Key
## Backup key
This endpoint returns a plaintext backup of a named key. The backup contains all
the configuration data and keys of all the versions along with the HMAC key.
@@ -1694,7 +1694,7 @@ restore the key.
- `name` `(string: <required>)` - Name of the key.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -1702,7 +1702,7 @@ $ curl \
http://127.0.0.1:8200/v1/transit/backup/aes
```
### Sample Response
### Sample response
```json
{
@@ -1712,7 +1712,7 @@ $ curl \
}
```
## Restore Key
## Restore key
This endpoint restores the backup as a named key. This will restore the key
configurations and all the versions of the named key along with HMAC keys. The
@@ -1738,7 +1738,7 @@ name first to verify that the operation successfully completes.
- `force` `(bool: false)` - If set, force the restore to proceed even if a key
by this name already exists.
### Sample Payload
### Sample payload
```json
{
@@ -1746,7 +1746,7 @@ name first to verify that the operation successfully completes.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -1756,7 +1756,7 @@ $ curl \
http://127.0.0.1:8200/v1/transit/restore
```
## Trim Key
## Trim key
This endpoint trims older key versions setting a minimum version for the
keyring. Once trimmed, previous versions of the key cannot be recovered.
@@ -1774,7 +1774,7 @@ keyring. Once trimmed, previous versions of the key cannot be recovered.
be set when either `min_encryption_version` or `min_decryption_version` is set
to zero.
### Sample Payload
### Sample payload
```json
{
@@ -1782,7 +1782,7 @@ keyring. Once trimmed, previous versions of the key cannot be recovered.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -1792,7 +1792,7 @@ $ curl \
http://127.0.0.1:8200/v1/transit/keys/my-key/trim
```
## Configure Cache
## Configure cache
This endpoint is used to configure the transit engine's cache. Note that configuration
changes will not be applied until the transit plugin is reloaded which can be achieved
@@ -1808,7 +1808,7 @@ using the [`/sys/plugins/reload/backend`][sys-plugin-reload-backend] endpoint.
`0` means unlimited. A _Least Recently Used_ (LRU) caching strategy is used for a
non-zero cache size. Must be 0 (default) or a value greater or equal to 10 (minimum cache size).
### Sample Payload
### Sample payload
```json
{
@@ -1816,7 +1816,7 @@ using the [`/sys/plugins/reload/backend`][sys-plugin-reload-backend] endpoint.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -1826,7 +1826,7 @@ $ curl \
http://127.0.0.1:8200/v1/transit/cache-config
```
## Read Transit Cache Configuration
## Read transit cache configuration
This endpoint retrieves configurations for the transit engine's cache.
@@ -1834,7 +1834,7 @@ This endpoint retrieves configurations for the transit engine's cache.
| :----- | :---------------------- |
| `GET` | `/transit/cache-config` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -1843,7 +1843,7 @@ $ curl \
http://127.0.0.1:8200/v1/transit/cache-config
```
### Sample Response
### Sample response
```json
"data": {
@@ -1851,7 +1851,7 @@ $ curl \
},
```
## Managed Keys
## Managed keys
~> **Note**: Managed keys are an Enterprise only feature.

View File

@@ -12,7 +12,7 @@ The `/sys/audit-hash` endpoint is used to calculate the hash of the data used by
an audit device's hash function and salt. This can be used to search audit logs
for a hashed value when the original value is known.
## Calculate Hash
## Calculate hash
This endpoint hashes the given input data with the specified audit device's
hash function and salt. This endpoint can be used to discover whether a given
@@ -35,7 +35,7 @@ should also be base64-encoded to supply into the `input` parameter.
- `input` `(string: <required>)`  Specifies the input string to hash.
### Sample Payload
### Sample payload
```json
{
@@ -43,7 +43,7 @@ should also be base64-encoded to supply into the `input` parameter.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -53,7 +53,7 @@ $ curl \
http://127.0.0.1:8200/v1/sys/audit-hash/example-audit
```
### Sample Response
### Sample response
```json
{

View File

@@ -10,7 +10,7 @@ The `/sys/audit` endpoint is used to list, enable, and disable audit devices.
Audit devices must be enabled before use, and more than one device may be
enabled at a time.
## List Enabled Audit Devices
## List enabled audit devices
This endpoint lists only the enabled audit devices (it does not list all
available audit devices).
@@ -22,7 +22,7 @@ available audit devices).
| :----- | :----------- |
| `GET` | `/sys/audit` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -30,7 +30,7 @@ $ curl \
http://127.0.0.1:8200/v1/sys/audit
```
### Sample Response
### Sample response
```javascript
{
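Review bot: the sample response fence in this hunk is tagged ```javascript although the body is a JSON document; the rest of the diff tags sample responses as ```json. Suggest changing the fence to ```json for consistency with the other files touched here.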
@@ -44,7 +44,7 @@ $ curl \
}
```
## Enable Audit Device
## Enable audit device
This endpoint enables a new audit device at the supplied path. The path can be a
single word name or a more complex, nested path.
@@ -76,7 +76,7 @@ relevant functionality is only supported in Vault Enterprise:
- `local` `(bool: false)` Specifies if the audit device is local within the cluster only. Local
audit devices are not replicated nor (if a secondary) removed by replication.
### Sample Payload
### Sample payload
```json
{
@@ -87,7 +87,7 @@ relevant functionality is only supported in Vault Enterprise:
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -97,7 +97,7 @@ $ curl \
http://127.0.0.1:8200/v1/sys/audit/example-audit
```
## Disable Audit Device
## Disable audit device
This endpoint disables the audit device at the given path.
@@ -117,7 +117,7 @@ the audit device at the same path, as a new salt will be created for hashing.
- `path` `(string: <required>)`  Specifies the path of the audit device to
delete. This is part of the request URL.
### Sample Request
### Sample request
```shell-session
$ curl \

View File

@@ -10,7 +10,7 @@ The `/sys/auth` endpoint is used to list, create, update, and delete auth
methods. Auth methods convert user or machine-supplied information into a
token which can be used for all future requests.
## List Auth Methods
## List auth methods
This endpoint lists all enabled auth methods.
@@ -18,7 +18,7 @@ This endpoint lists all enabled auth methods.
| :----- | :---------- |
| `GET` | `/sys/auth` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -26,7 +26,7 @@ $ curl \
http://127.0.0.1:8200/v1/sys/auth
```
### Sample Response
### Sample response
```json
{
@@ -79,7 +79,7 @@ $ curl \
}
```
## Enable Auth Method
## Enable auth method
This endpoint enables a new auth method. After enabling, the auth method can
be accessed and configured via the auth path specified as part of the URL. This
@@ -161,7 +161,7 @@ relevant functionality is only supported in Vault Enterprise:
- `seal_wrap` `(bool: false)` - Enable seal wrapping for the mount, causing
values stored by the mount to be wrapped by the seal's encryption capability.
### Sample Payload
### Sample payload
```json
{
@@ -170,7 +170,7 @@ relevant functionality is only supported in Vault Enterprise:
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -180,7 +180,7 @@ $ curl \
http://127.0.0.1:8200/v1/sys/auth/my-auth
```
## Read Auth Method configuration
## Read auth method configuration
This endpoints returns the configuration of the auth method at the given path.
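Review bot: the context line "This endpoints returns the configuration of the auth method at the given path." has a subject/verb mismatch ("endpoints returns"); since the heading right above it is being edited, change it to "This endpoint returns the configuration of the auth method at the given path." in this commit.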
@@ -188,7 +188,7 @@ This endpoints returns the configuration of the auth method at the given path.
| :----- | :---------------- |
| `GET` | `/sys/auth/:path` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -196,7 +196,7 @@ $ curl \
http://127.0.0.1:8200/v1/sys/auth/my-auth
```
### Sample Response
### Sample response
```json
{
@@ -229,7 +229,7 @@ $ curl \
```
## Disable Auth Method
## Disable auth method
This endpoint disables the auth method at the given auth path.
@@ -245,7 +245,7 @@ This endpoint disables the auth method at the given auth path.
- `path` `(string: <required>)`  Specifies the path to disable. This is part of
the request URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -254,7 +254,7 @@ $ curl \
http://127.0.0.1:8200/v1/sys/auth/my-auth
```
## Read Auth Method Tuning
## Read auth method tuning
This endpoint reads the given auth path's configuration. _This endpoint requires
`sudo` capability on the final path, but the same functionality can be achieved
@@ -271,7 +271,7 @@ without `sudo` via `sys/mounts/auth/[auth-path]/tune`._
- `path` `(string: <required>)`  Specifies the path in which to tune.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -279,7 +279,7 @@ $ curl \
http://127.0.0.1:8200/v1/sys/auth/my-auth/tune
```
### Sample Response
### Sample response
```json
{
@@ -291,7 +291,7 @@ $ curl \
}
```
## Tune Auth Method
## Tune auth method
Tune configuration parameters for a given auth path. _This endpoint
requires `sudo` capability on the final path, but the same functionality
@@ -361,7 +361,7 @@ can be achieved without `sudo` via `sys/mounts/auth/[auth-path]/tune`._
- `lockout_disable` `(bool: false)` - Disables the user lockout feature for this mount
if set to true.
### Sample Payload
### Sample payload
```json
{
@@ -376,7 +376,7 @@ can be achieved without `sudo` via `sys/mounts/auth/[auth-path]/tune`._
}
```
### Sample Request
### Sample request
```shell-session
$ curl \

View File

@@ -13,7 +13,7 @@ the token associated with the given accessor. The capabilities returned will be
derived from the policies that are on the token, and from the policies to which
the token is entitled to through the entity and entity's group memberships.
## Query Token Accessor Capabilities
## Query token accessor capabilities
This endpoint returns the capabilities of the token associated with the given
accessor, for the given path. Multiple paths are taken in at once and the
@@ -33,7 +33,7 @@ returned. For backwards compatibility, if a single path is supplied, a
- `paths` `(list: <required>)` Paths on which capabilities are being
queried.
### Sample Payload
### Sample payload
```json
{
@@ -42,7 +42,7 @@ returned. For backwards compatibility, if a single path is supplied, a
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -52,7 +52,7 @@ $ curl \
http://127.0.0.1:8200/v1/sys/capabilities-accessor
```
### Sample Response
### Sample response
```json
{

View File

@@ -14,7 +14,7 @@ will be derived from the policies that are on the token, and from the policies
to which the token is entitled to through the entity and entity's group
memberships.
## Query Self Capabilities
## Query self capabilities
This endpoint returns the capabilities of client token on the given paths. The
client token is the Vault token with which this API call is made. Multiple
@@ -30,7 +30,7 @@ returned. For backwards compatibility, if a single path is supplied, a
- `paths` `(list: <required>)`  Paths on which capabilities are being queried.
### Sample Payload
### Sample payload
```json
{
@@ -38,7 +38,7 @@ returned. For backwards compatibility, if a single path is supplied, a
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -48,7 +48,7 @@ $ curl \
http://127.0.0.1:8200/v1/sys/capabilities-self
```
### Sample Response
### Sample response
```json
{

View File

@@ -13,7 +13,7 @@ on the given paths. The capabilities returned will be derived from the policies
that are on the token, and from the policies to which the token is entitled to
through the entity and entity's group memberships.
## Query Token Capabilities
## Query token capabilities
This endpoint returns the list of capabilities of a given token on the given
paths. Multiple paths are taken in at once and the capabilities of the token
@@ -31,7 +31,7 @@ supplied, a `capabilities` field will also be returned.
- `token` `(string: <required>)`  Token for which capabilities are being
queried.
### Sample Payload
### Sample payload
```json
{
@@ -40,7 +40,7 @@ supplied, a `capabilities` field will also be returned.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -50,7 +50,7 @@ $ curl \
http://127.0.0.1:8200/v1/sys/capabilities
```
### Sample Response
### Sample response
```json
{

View File

@@ -8,7 +8,7 @@ description: The `/sys/config/auditing` endpoint is used to configure auditing s
The `/sys/config/auditing` endpoint is used to configure auditing settings.
## Read All Audited Request Headers
## Read all audited request headers
This endpoint lists the request headers that are configured to be audited.
@@ -19,7 +19,7 @@ This endpoint lists the request headers that are configured to be audited.
| :----- | :------------------------------------- |
| `GET` | `/sys/config/auditing/request-headers` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -27,7 +27,7 @@ $ curl \
http://127.0.0.1:8200/v1/sys/config/auditing/request-headers
```
### Sample Response
### Sample response
```json
{
@@ -39,7 +39,7 @@ $ curl \
}
```
## Read Single Audit Request Header
## Read single audit request header
This endpoint lists the information for the given request header.
@@ -55,7 +55,7 @@ This endpoint lists the information for the given request header.
- `name` `(string: <required>)` Specifies the name of the request header to
query. This is specified as part of the URL.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -63,7 +63,7 @@ $ curl \
http://127.0.0.1:8200/v1/sys/config/auditing/request-headers/my-header
```
### Sample Response
### Sample response
```json
{
@@ -73,7 +73,7 @@ $ curl \
}
```
## Create/Update Audit Request Header
## Create/Update audit request header
This endpoint enables auditing of a header.
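Review bot: `## Create/Update audit request header` keeps a capital `U` after the slash, which is not sentence case even though the commit's stated purpose is sentence-case titles; either lower it to `## Create/update audit request header` or state the rule that the word after a slash keeps its capital, and apply that rule consistently wherever the `Create/Update` pattern recurs.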
@@ -89,7 +89,7 @@ This endpoint enables auditing of a header.
- `hmac` `(bool: false)`  Specifies if this header's value should be HMAC'ed in
the audit logs.
### Sample Payload
### Sample payload
```json
{
@@ -97,7 +97,7 @@ This endpoint enables auditing of a header.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -107,7 +107,7 @@ $ curl \
http://127.0.0.1:8200/v1/sys/config/auditing/request-headers/my-header
```
## Delete Audit Request Header
## Delete audit request header
This endpoint disables auditing of the given request header.
@@ -118,7 +118,7 @@ This endpoint disables auditing of the given request header.
| :------- | :------------------------------------------- |
| `DELETE` | `/sys/config/auditing/request-headers/:name` |
### Sample Request
### Sample request
```shell-session
$ curl \

View File

@@ -11,7 +11,7 @@ description: The '/sys/config/control-group' endpoint configures control groups.
The `/sys/config/control-group` endpoint is used to configure Control Group
settings.
## Read Control Group Settings
## Read control group settings
This endpoint returns the current Control Group configuration.
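Review bot: the heading is lowered to `## Read control group settings` while the unchanged body lines on either side keep `Control Group` capitalised (`configure Control Group settings`, `current Control Group configuration`). The commit message says proper nouns stay in proper case, so decide whether Control Group is a product term: if it is, keep `Control Group` in the heading; if not, lower it in the prose too so the page is consistent. The same question applies to the `/sys/control-group` headings elsewhere in this change.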
@@ -19,7 +19,7 @@ This endpoint returns the current Control Group configuration.
| :----- | :-------------------------- |
| `GET` | `/sys/config/control-group` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -27,7 +27,7 @@ $ curl \
http://127.0.0.1:8200/v1/sys/config/control-group
```
### Sample Response
### Sample response
```json
{
@@ -35,7 +35,7 @@ $ curl \
}
```
## Configure Control Group Settings
## Configure control group settings
This endpoint allows configuring control groups.
@@ -47,7 +47,7 @@ This endpoint allows configuring control groups.
- `max_ttl` `int`  The maximum ttl for a control group wrapping token. This can be provided in seconds or duration (2h).
### Sample Payload
### Sample payload
```json
{
@@ -55,7 +55,7 @@ This endpoint allows configuring control groups.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -65,7 +65,7 @@ $ curl \
http://127.0.0.1:8200/v1/sys/config/control-group
```
## Delete Control Group Settings
## Delete control group settings
This endpoint removes any control group configuration.
@@ -73,7 +73,7 @@ This endpoint removes any control group configuration.
| :------- | :-------------------------- |
| `DELETE` | `/sys/config/control-group` |
### Sample Request
### Sample request
```shell-session
$ curl \

View File

@@ -13,7 +13,7 @@ The `/sys/config/cors` endpoint is used to configure CORS settings.
- **`sudo` required**  All CORS endpoints require `sudo` capability in
addition to any path-specific capabilities.
## Read CORS Settings
## Read CORS settings
This endpoint returns the current CORS configuration.
@@ -21,7 +21,7 @@ This endpoint returns the current CORS configuration.
| :----- | :----------------- |
| `GET` | `/sys/config/cors` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -29,7 +29,7 @@ $ curl \
http://127.0.0.1:8200/v1/sys/config/cors
```
### Sample Response
### Sample response
```json
{
@@ -48,7 +48,7 @@ $ curl \
}
```
## Configure CORS Settings
## Configure CORS settings
This endpoint allows configuring the origins that are permitted to make
cross-origin requests, as well as headers that are allowed on cross-origin requests.
@@ -63,7 +63,7 @@ cross-origin requests, as well as headers that are allowed on cross-origin reque
- `allowed_headers` `(string or string array: "" or [])`  A comma-delimited string or array of strings specifying headers that are permitted to be on cross-origin requests. Headers set via this parameter will be appended to the list of headers that Vault allows by default.
### Sample Payload
### Sample payload
```json
{
@@ -72,7 +72,7 @@ cross-origin requests, as well as headers that are allowed on cross-origin reque
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -82,7 +82,7 @@ $ curl \
http://127.0.0.1:8200/v1/sys/config/cors
```
## Delete CORS Settings
## Delete CORS settings
This endpoint removes any CORS configuration.
@@ -90,7 +90,7 @@ This endpoint removes any CORS configuration.
| :------- | :----------------- |
| `DELETE` | `/sys/config/cors` |
### Sample Request
### Sample request
```shell-session
$ curl \

View File

@@ -23,7 +23,7 @@ regardless of what namespace the request token came from.
Note that this configuration will be replicated between primary and secondaries, that
is to say, primaries cannot have a different policy application mode to secondaries.
## Get Group Policy Application Information
## Get group policy application information
This endpoint returns the current group policy application mode, which will be
either `within_namespace_hierarchy` or `any`.
@@ -33,7 +33,7 @@ either `within_namespace_hierarchy` or `any`.
| :----- | :---------------------------- |
| `GET` | `/sys/config/group-policy-application` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -41,7 +41,7 @@ $ curl \
'http://127.0.0.1:8200/v1/sys/config/group-policy-application'
```
### Sample Response
### Sample response
```json
{
@@ -49,7 +49,7 @@ $ curl \
}
```
## Set Group Policy Application Information
## Set group policy application information
This endpoint allows you to modify the current group policy application mode, which can be
either `within_namespace_hierarchy` or `any`. `within_namespace_hierarchy`
@@ -62,7 +62,7 @@ irrespective of namespace hierarchy.
| :----- | :---------------------------- |
| `POST`, `PUT` | `/sys/config/group-policy-application` |
### Sample Payload
### Sample payload
```json
{
@@ -70,7 +70,7 @@ irrespective of namespace hierarchy.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \

View File

@@ -17,7 +17,7 @@ Currently, it only supports reloading license information from files on disk.
- `subsystem` `(string: <required>)` - Specifies the subsystem for Vault to reload. This is part of the request URL.
## Reload License File
## Reload license file
~> **Enterprise Only** This endpoint requires Vault Enterprise.
@@ -27,7 +27,7 @@ option or the `VAULT_LICENSE_PATH` environment variable. The updated license is
applied to Vault, and Vault will then enable/disable licensed features if the features
of the given license are different from those of the license Vault is currently using.
### Sample Request
### Sample request
```shell-session
$ curl \

View File

@@ -9,7 +9,7 @@ description: The '/sys/config/state' endpoint is used to retrieve the configurat
The endpoints under `sys/config/state` return Vault's configuration state.
Currently, it only supports returning a sanitized version of the configuration.
## `Get Sanitized Configuration State`
## `Get sanitized configuration state`
This endpoint returns a sanitized version of the configuration state. The
configuration excludes certain fields and mappings in the configuration file
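Review bot: `## \`Get sanitized configuration state\`` leaves the whole heading wrapped in backticks, so it renders as inline code rather than as a title; since the line is being touched anyway, drop the backticks and write `## Get sanitized configuration state` like the other endpoint headings.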
@@ -21,7 +21,7 @@ that can potentially contain sensitive information, which includes values from
| :----- | :---------------------------- |
| `GET` | `/sys/config/state/sanitized` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -29,7 +29,7 @@ $ curl \
'http://127.0.0.1:8200/v1/sys/config/state/sanitized'
```
### Sample Response
### Sample response
```json
{

View File

@@ -11,7 +11,7 @@ The `/sys/config/ui` endpoint is used to configure UI settings.
- **`sudo` required**  All UI endpoints require `sudo` capability in
addition to any path-specific capabilities.
## Read UI Settings
## Read UI settings
This endpoint returns the given UI header configuration.
@@ -25,7 +25,7 @@ This endpoint returns the given UI header configuration.
- `multivalue` `(bool: <optional>)` - Returns multiple values if true.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -33,7 +33,7 @@ $ curl \
http://127.0.0.1:8200/v1/sys/config/ui/headers/X-Custom-Header
```
### Sample Response
### Sample response
```json
{
@@ -41,7 +41,7 @@ $ curl \
}
```
### Sample Request (Multi value)
### Sample request (Multi value)
```shell-session
$ curl \
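Review bot: `### Sample request (Multi value)` is only half converted; `Multi value` keeps its capital. The request it introduces uses the `multivalue` query parameter, so `### Sample request (multivalue)` or `### Sample request (multi-value)` would match both the sentence-case rule and the parameter name.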
@@ -49,7 +49,7 @@ $ curl \
http://127.0.0.1:8200/v1/sys/config/ui/headers/X-Custom-Header?multivalue=true
```
### Sample Response
### Sample response
```json
{
@@ -57,7 +57,7 @@ $ curl \
}
```
## Configure UI Headers
## Configure UI headers
This endpoint allows configuring the values to be returned for the UI header.
@@ -71,7 +71,7 @@ This endpoint allows configuring the values to be returned for the UI header.
- `values` `(list: <required>)` - The values to be returned from the header.
### Sample Payload
### Sample payload
```json
{
@@ -79,7 +79,7 @@ This endpoint allows configuring the values to be returned for the UI header.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -89,7 +89,7 @@ $ curl \
http://127.0.0.1:8200/v1/sys/config/ui/headers/X-Custom-Header
```
## Delete a UI Header
## Delete a UI header
This endpoint removes a UI header.
@@ -97,7 +97,7 @@ This endpoint removes a UI header.
| :------- | :----------------------------- |
| `DELETE` | `/sys/config/ui/headers/:name` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -106,7 +106,7 @@ $ curl \
http://127.0.0.1:8200/v1/sys/config/ui/headers/X-Custom-Header
```
## List UI Headers
## List UI headers
This endpoint returns a list of configured UI headers.
@@ -114,7 +114,7 @@ This endpoint returns a list of configured UI headers.
| :----- | :----------------------- |
| `LIST` | `/sys/config/ui/headers` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -123,7 +123,7 @@ $ curl \
http://127.0.0.1:8200/v1/sys/config/ui/headers
```
### Sample Response
### Sample response
```json
{

View File

@@ -4,7 +4,7 @@ page_title: /sys/control-group - HTTP API
description: The '/sys/control-group' endpoint handles the Control Group workflow.
---
## Authorize Control Group Request
## Authorize control group request
~> **Enterprise Only**  These endpoints require Vault Enterprise.
@@ -18,7 +18,7 @@ This endpoint authorizes a control group request.
- `accessor` `(string: <required>)` The accessor for the control group wrapping token.
### Sample Payload
### Sample payload
```json
{
@@ -26,7 +26,7 @@ This endpoint authorizes a control group request.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -36,7 +36,7 @@ $ curl \
http://127.0.0.1:8200/v1/sys/control-group/authorize
```
### Sample Response
### Sample response
```json
{
@@ -46,7 +46,7 @@ $ curl \
}
```
## Check Control Group Request Status
## Check control group request status
This endpoint checks the status of a control group request.
@@ -58,7 +58,7 @@ This endpoint checks the status of a control group request.
- `accessor` `(string: <required>)` The accessor for the control group wrapping token.
### Sample Payload
### Sample payload
```json
{
@@ -66,7 +66,7 @@ This endpoint checks the status of a control group request.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -76,7 +76,7 @@ $ curl \
http://127.0.0.1:8200/v1/sys/control-group/request
```
### Sample Response
### Sample response
```json
{

View File

@@ -14,7 +14,7 @@ The `/sys/decode-token` endpoint is used to decode the encoded token which is th
- `otp` `(string: <required>)` - Specifies the otp code for decode.
## Sample Response
## Sample response
```json
{
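Review bot: `## Sample response` stays a level-2 heading here, whereas every other sample response in this change is a level-3 `### Sample response` under its endpoint heading; consider demoting it to `###` so the `/sys/decode-token` page has the same outline as the rest of the API docs.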

View File

@@ -8,7 +8,7 @@ description: The `/sys/experiments` endpoint returns information about experimen
The `/sys/experiments` endpoint returns information about experiments on the Vault node.
## Read Experiments
## Read experiments
This endpoint returns the experiments available and enabled on the Vault node.
Experiments are per-node and cannot be changed while the node is running. See
@@ -20,14 +20,14 @@ details on enabling experiments.
| :----- | :----------------- |
| `GET` | `/sys/experiments` |
### Sample Request
### Sample request
```shell-session
$ curl \
http://127.0.0.1:8200/v1/sys/experiments
```
### Sample Response
### Sample response
```json
{

View File

@@ -11,7 +11,7 @@ description: |-
The `/sys/generate-recovery-token` endpoint is used to create a new recovery
token for Vault.
## Read Recovery Token Generation Progress
## Read recovery token generation progress
This endpoint reads the configuration and process of the current root generation
attempt.
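Review bot: the unchanged context line under `## Read recovery token generation progress` still says `the current root generation attempt`; on the `/sys/generate-recovery-token` page this should read `recovery token generation attempt`. It looks like a copy from the generate-root page and is worth fixing while the heading is being edited.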
@@ -20,14 +20,14 @@ attempt.
| :----- | :------------------------------------- |
| `GET` | `/sys/generate-recovery-token/attempt` |
### Sample Request
### Sample request
```shell-session
$ curl \
http://127.0.0.1:8200/v1/sys/generate-recovery-token/attempt
```
### Sample Response
### Sample response
```json
{
@@ -58,7 +58,7 @@ The raw bytes (char codes) of the token will be XOR'd with
this value before being returned as a response to the final unseal
key, encoded as base64.
## Start Recovery Token Generation
## Start recovery token generation
This endpoint initializes a new recovery token generation attempt. Only a single
recovery token generation attempt can take place at a time.
@@ -73,7 +73,7 @@ recovery token generation attempt can take place at a time.
The raw bytes of the token will be encrypted with this value before being
returned to the final unseal key provider.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -81,7 +81,7 @@ $ curl \
http://127.0.0.1:8200/v1/sys/generate-recovery-token/attempt
```
### Sample Response
### Sample response
```json
{
@@ -96,7 +96,7 @@ $ curl \
}
```
## Cancel Recovery Token Generation
## Cancel recovery token generation
This endpoint cancels any in-progress recovery token generation attempt. This
clears any progress made. This must be called to change the OTP or PGP key being
@@ -106,7 +106,7 @@ used.
| :------- | :------------------------------------- |
| `DELETE` | `/sys/generate-recovery-token/attempt` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -114,7 +114,7 @@ $ curl \
http://127.0.0.1:8200/v1/sys/generate-recovery-token/attempt
```
## Provide Key Share to Generate Recovery Token
## Provide key share to generate recovery token
This endpoint is used to enter a single root key share to progress the
recovery token generation attempt. If the threshold number of root key shares
@@ -135,7 +135,7 @@ only in memory and thus will only be valid until the next restart.
- `nonce` `(string: <required>)`  Specifies the nonce of the attempt.
### Sample Payload
### Sample payload
```json
{
@@ -144,7 +144,7 @@ only in memory and thus will only be valid until the next restart.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -153,7 +153,7 @@ $ curl \
http://127.0.0.1:8200/v1/sys/generate-recovery-token/update
```
### Sample Response
### Sample response
This returns a JSON-encoded object indicating the attempt nonce, and completion
status, and the encoded recovery token, if the attempt is complete.

View File

@@ -10,7 +10,7 @@ description: |-
The `/sys/generate-root` endpoint is used to create a new root key for Vault.
## Read Root Generation Progress
## Read root generation progress
This endpoint reads the configuration and process of the current root generation
attempt.
@@ -19,14 +19,14 @@ attempt.
| :----- | :--------------------------- |
| `GET` | `/sys/generate-root/attempt` |
### Sample Request
### Sample request
```shell-session
$ curl \
http://127.0.0.1:8200/v1/sys/generate-root/attempt
```
### Sample Response
### Sample response
```json
{
@@ -57,7 +57,7 @@ The raw bytes (char codes) of the token will be XOR'd with
this value before being returned as a response to the final unseal
key, encoded as base64.
## Start Root Token Generation
## Start root token generation
This endpoint initializes a new root generation attempt. Only a single root
generation attempt can take place at a time.
@@ -72,7 +72,7 @@ generation attempt can take place at a time.
The raw bytes of the token will be encrypted with this value before being
returned to the final unseal key provider.
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -80,7 +80,7 @@ $ curl \
http://127.0.0.1:8200/v1/sys/generate-root/attempt
```
### Sample Response
### Sample response
```json
{
@@ -95,7 +95,7 @@ $ curl \
}
```
## Cancel Root Generation
## Cancel root generation
This endpoint cancels any in-progress root generation attempt. This clears any
progress made. This must be called to change the OTP or PGP key being used.
@@ -104,7 +104,7 @@ progress made. This must be called to change the OTP or PGP key being used.
| :------- | :--------------------------- |
| `DELETE` | `/sys/generate-root/attempt` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -112,7 +112,7 @@ $ curl \
http://127.0.0.1:8200/v1/sys/generate-root/attempt
```
## Provide Key Share to Generate Root
## Provide key share to generate root
This endpoint is used to enter a single root key share to progress the root
generation attempt. If the threshold number of root key shares is reached,
@@ -130,7 +130,7 @@ nonce must be provided with each call.
- `nonce` `(string: <required>)`  Specifies the nonce of the attempt.
### Sample Payload
### Sample payload
```json
{
@@ -139,7 +139,7 @@ nonce must be provided with each call.
}
```
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -148,7 +148,7 @@ $ curl \
http://127.0.0.1:8200/v1/sys/generate-root/update
```
### Sample Response
### Sample response
This returns a JSON-encoded object indicating the attempt nonce, and completion
status, and the encoded root token, if the attempt is complete.

View File

@@ -9,7 +9,7 @@ description: The `/sys/ha-status` endpoint is used to check the HA status of a V
The `/sys/ha-status` endpoint is used to check the HA status of a Vault cluster.
It lists the active node and the peers that it's heard from since it became active.
## HA Status
## HA status
This endpoint returns the HA status of the Vault cluster.
@@ -17,7 +17,7 @@ This endpoint returns the HA status of the Vault cluster.
| :----- | :----------------- |
| `GET` | `/sys/ha-status` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -25,7 +25,7 @@ $ curl \
http://127.0.0.1:8200/v1/sys/ha-status
```
### Sample Response
### Sample response
```json
{

View File

@@ -8,7 +8,7 @@ description: The `/sys/health` endpoint is used to check the health status of Va
The `/sys/health` endpoint is used to check the health status of Vault.
## Read Health Information
## Read health information
This endpoint returns the health status of Vault. This matches the semantics of
a Consul HTTP health check and provides a simple way to monitor the health of a
@@ -58,14 +58,14 @@ The default status codes are:
- `uninitcode` `(int: 501)` Specifies the status code that should be returned
for a uninitialized node.
### Sample Request
### Sample request
```shell-session
$ curl \
http://127.0.0.1:8200/v1/sys/health
```
### Sample Response
### Sample response
This response is only returned for a `GET` request.
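Review bot: the `uninitcode` description in the context lines reads `for a uninitialized node`; the article should be `an` (`for an uninitialized node`), a one-word fix that can ride along with the heading change.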
@@ -89,7 +89,7 @@ standby of its status.
}
```
### Sample Request to customize the status code being returned
### Sample request to customize the status code being returned
```shell-session
$ curl -i https://127.0.0.1:8200/v1/sys/health\?drsecondarycode\=200
@@ -102,7 +102,7 @@ content-length: 364
date: Wed, 26 Jan 2022 09:21:13 GMT
```
### Sample Response
### Sample response
This response is only returned for a `GET` request.

View File

@@ -9,7 +9,7 @@ description: The '/sys/host-info' endpoint is used to retrieve host information
The `/sys/host-info` endpoint is used retrieve information about the
host instance that the Vault server is running on.
## Collect Host Information
## Collect host information
This endpoint returns information about the host instance that the Vault
server is running on. The data returned includes CPU information, CPU
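Review bot: the context line `The `/sys/host-info` endpoint is used retrieve information about the` is missing `to` (`is used to retrieve`); since this file is already in the change, fold that fix in.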
@@ -19,7 +19,7 @@ times, disk usage, host info, and memory statistics.
| :----- | :--------------- |
| `GET` | `/sys/host-info` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -27,7 +27,7 @@ $ curl \
http://127.0.0.1:8200/v1/sys/host-info
```
### Sample Response
### Sample response
```json
{

View File

@@ -10,7 +10,7 @@ The `/sys/in-flight-req` endpoint is used to get information on in-flight reques
The returned information contains the `start_time`, `client_remote_address`, `request_path`,
`request_method`, and `client_id` of the in-flight requests.
## Collect In-Flight Request Information
## Collect In-Flight request information
This endpoint returns the information about the in-flight requests.
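Review bot: `## Collect In-Flight request information` keeps `In-Flight` in title case, which is inconsistent with the sentence-case conversion and with the page's own prose (`in-flight requests` on the next line); use `## Collect in-flight request information`.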
@@ -18,7 +18,7 @@ This endpoint returns the information about the in-flight requests.
| :----- | :---------- |
| `GET` | `/sys/in-flight-req` |
### Sample Request
### Sample request
```shell-session
$ curl \
@@ -26,7 +26,7 @@ $ curl \
http://127.0.0.1:8200/v1/sys/in-flight-req
```
### Sample Response
### Sample response
```json
{

Some files were not shown because too many files have changed in this diff.