diff --git a/README.md b/README.md
index ff2b60901d..4879ad2f82 100644
--- a/README.md
+++ b/README.md
@@ -12,6 +12,7 @@
- Documentation: [https://developer.hashicorp.com/vault/docs](https://developer.hashicorp.com/vault/docs)
- Tutorials: [https://developer.hashicorp.com/vault/tutorials](https://developer.hashicorp.com/vault/tutorials)
- Certification exam: [https://developer.hashicorp.com/certifications/security-automation](https://developer.hashicorp.com/certifications/security-automation)
+- Documentation source: [https://github.com/hashicorp/web-unified-docs](https://github.com/hashicorp/web-unified-docs)
diff --git a/website/.editorconfig b/website/.editorconfig
deleted file mode 100644
index 36bf83fdb5..0000000000
--- a/website/.editorconfig
+++ /dev/null
@@ -1,18 +0,0 @@
-# This file is for unifying the coding style for different editors and IDEs
-# editorconfig.org
-
-root = true
-
-[*]
-end_of_line = lf
-charset = utf-8
-insert_final_newline = true
-trim_trailing_whitespace = true
-indent_style = space
-indent_size = 2
-
-[Makefile]
-indent_style = tab
-
-[{*.md,*.json}]
-max_line_length = null
diff --git a/website/.env b/website/.env
deleted file mode 100644
index 6ba0ec1161..0000000000
--- a/website/.env
+++ /dev/null
@@ -1,3 +0,0 @@
-NEXT_PUBLIC_ALGOLIA_APP_ID=YY0FFNI7MF
-NEXT_PUBLIC_ALGOLIA_INDEX=product_VAULT
-NEXT_PUBLIC_ALGOLIA_SEARCH_ONLY_API_KEY=9c555e8fa951c1c53e726c0ce2eb3b73
diff --git a/website/.env.production b/website/.env.production
deleted file mode 100644
index 83825a896c..0000000000
--- a/website/.env.production
+++ /dev/null
@@ -1 +0,0 @@
-HASHI_ENV=production
diff --git a/website/.eslintrc.js b/website/.eslintrc.js
deleted file mode 100644
index 4b17f084b3..0000000000
--- a/website/.eslintrc.js
+++ /dev/null
@@ -1,10 +0,0 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-module.exports = {
- ...require('@hashicorp/platform-cli/config/.eslintrc'),
- /* Specify overrides here */
- ignorePatterns: ['public/']
-}
diff --git a/website/.gitignore b/website/.gitignore
deleted file mode 100644
index adaccf90db..0000000000
--- a/website/.gitignore
+++ /dev/null
@@ -1,11 +0,0 @@
-node_modules
-.DS_Store
-.next
-out
-.mdx-data
-
-# As per Next.js conventions (https://nextjs.org/docs/basic-features/environment-variables#default-environment-variables)
-.env*.local
-!.env*
-
-website-preview
diff --git a/website/.nvmrc b/website/.nvmrc
deleted file mode 100644
index 3f430af82b..0000000000
--- a/website/.nvmrc
+++ /dev/null
@@ -1 +0,0 @@
-v18
diff --git a/website/.stylelintrc.js b/website/.stylelintrc.js
deleted file mode 100644
index b651a84609..0000000000
--- a/website/.stylelintrc.js
+++ /dev/null
@@ -1,9 +0,0 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-module.exports = {
- ...require('@hashicorp/platform-cli/config/stylelint.config'),
- /* Specify overrides here */
-}
diff --git a/website/Dockerfile b/website/Dockerfile
deleted file mode 100644
index d97a50cd73..0000000000
--- a/website/Dockerfile
+++ /dev/null
@@ -1,11 +0,0 @@
-# Copyright (c) HashiCorp, Inc.
-# SPDX-License-Identifier: BUSL-1.1
-
-FROM docker.mirror.hashicorp.services/node:18.18.2-alpine
-RUN apk add --update --no-cache git make g++ automake autoconf libtool nasm libpng-dev
-
-COPY ./package.json /website/package.json
-COPY ./package-lock.json /website/package-lock.json
-WORKDIR /website
-RUN npm install -g npm@latest
-RUN npm install
diff --git a/website/Makefile b/website/Makefile
deleted file mode 100644
index eeaa9157f5..0000000000
--- a/website/Makefile
+++ /dev/null
@@ -1,58 +0,0 @@
-######################################################
-# NOTE: This file is managed by the Digital Team's #
-# Terraform configuration @ hashicorp/mktg-terraform #
-######################################################
-
-.DEFAULT_GOAL := website
-
-# Set the preview mode for the website shell to "developer" or "io"
-PREVIEW_MODE ?= developer
-REPO ?= vault
-
-# Enable setting alternate docker tool, e.g. 'make DOCKER_CMD=podman'
-DOCKER_CMD ?= docker
-
-CURRENT_GIT_BRANCH=$$(git rev-parse --abbrev-ref HEAD)
-LOCAL_CONTENT_DIR=
-PWD=$$(pwd)
-
-DOCKER_IMAGE="hashicorp/dev-portal"
-DOCKER_IMAGE_LOCAL="dev-portal-local"
-DOCKER_RUN_FLAGS=-it \
- --publish "3000:3000" \
- --rm \
- --tty \
- --volume "$(PWD)/content:/app/content" \
- --volume "$(PWD)/public:/app/public" \
- --volume "$(PWD)/data:/app/data" \
- --volume "$(PWD)/redirects.js:/app/redirects.js" \
- --volume "next-dir:/app/website-preview/.next" \
- --volume "$(PWD)/.env:/app/.env" \
- -e "REPO=$(REPO)" \
- -e "PREVIEW_FROM_REPO=$(REPO)" \
- -e "IS_CONTENT_PREVIEW=true" \
- -e "LOCAL_CONTENT_DIR=$(LOCAL_CONTENT_DIR)" \
- -e "CURRENT_GIT_BRANCH=$(CURRENT_GIT_BRANCH)" \
- -e "PREVIEW_MODE=$(PREVIEW_MODE)"
-
-# Default: run this if working on the website locally to run in watch mode.
-.PHONY: website
-website:
- @echo "==> Downloading latest Docker image..."
- @$(DOCKER_CMD) pull $(DOCKER_IMAGE)
- @echo "==> Starting website..."
- @$(DOCKER_CMD) run $(DOCKER_RUN_FLAGS) $(DOCKER_IMAGE)
-
-# Use this if you have run `website/build-local` to use the locally built image.
-.PHONY: website/local
-website/local:
- @echo "==> Starting website from local image..."
- @$(DOCKER_CMD) run $(DOCKER_RUN_FLAGS) $(DOCKER_IMAGE_LOCAL)
-
-# Run this to generate a new local Docker image.
-.PHONY: website/build-local
-website/build-local:
- @echo "==> Building local Docker image"
- @$(DOCKER_CMD) build https://github.com/hashicorp/dev-portal.git\#main \
- -t $(DOCKER_IMAGE_LOCAL)
-
diff --git a/website/README.md b/website/README.md
index 7670137596..4b067adebc 100644
--- a/website/README.md
+++ b/website/README.md
@@ -1,538 +1,23 @@
-# Vault Website
+# Vault product documentation website
> [!IMPORTANT]
-> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
+>
+> **Vault documentation change**
+>
+> Vault product documentation no longer publishes from the `/website` directory.
-This subdirectory contains the content for the [Vault Website](https://vaultproject.io/).
+The Vault docs now live in the
+[`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs)
+repo under `/content/vault/`.
-
+- For content changes related to the monthly Vault update, submit PRs against
+ the monthly update branch (e.g., `vault/202509`).
-## Table of Contents
+- For content changes related to an upcoming Vault release, submit PRs against
+ the RC release branch (e.g., `vault/1.21.x`).
-- [Contributions](#contributions-welcome)
-- [Running the Site Locally](#running-the-site-locally)
-- [Editing Markdown Content](#editing-markdown-content)
-- [Editing Navigation Sidebars](#editing-navigation-sidebars)
-- [Changing the Release Version](#changing-the-release-version)
-- [Redirects](#redirects)
-- [Browser Support](#browser-support)
-- [Deployment](#deployment)
-
-
-
-
-## Contributions Welcome!
-
-If you find a typo or you feel like you can improve the HTML, CSS, or JavaScript, we welcome contributions. Feel free to open issues or pull requests like any normal GitHub project, and we'll merge it in 🚀
-
-
-
-
-
-
-## Running the Site Locally
-
-The website can be run locally through node.js or [Docker](https://www.docker.com/get-started). If you choose to run through Docker, everything will be a little bit slower due to the additional overhead, so for frequent contributors it may be worth it to use node.
-
-> **Note:** If you are using a text editor that uses a "safe write" save style such as **vim** or **goland**, this can cause issues with the live reload in development. If you turn off safe write, this should solve the problem. In vim, this can be done by running `:set backupcopy=yes`. In goland, search the settings for "safe write" and turn that setting off.
-
-### With Docker
-
-Running the site locally is simple. Provided you have Docker installed, clone this repo, run `make`, and then visit `http://localhost:3000`.
-
-The docker image is pre-built with all the website dependencies installed, which is what makes it so quick and simple, but also means if you need to change dependencies and test the changes within Docker, you'll need a new image. If this is something you need to do, you can run `make build-image` to generate a local Docker image with updated dependencies, then `make website-local` to use that image and preview.
-
-### With Node
-
-If your local development environment has a supported version (v10.0.0+) of [node installed](https://nodejs.org/en/) you can run:
-
-- `npm install`
-- `npm start`
-
-...and then visit `http://localhost:3000`.
-
-If you pull down new code from github, you should run `npm install` again. Otherwise, there's no need to re-run `npm install` each time the site is run, you can just run `npm start` to get it going.
-
-
-
-
-
-
-## Editing Markdown Content
-
-Documentation content is written in [Markdown](https://www.markdownguide.org/cheat-sheet/) and you'll find all files listed under the `/content` directory.
-
-To create a new page with Markdown, create a file ending in `.mdx` in a `content/`. The path in the content directory will be the URL route. For example, `content/docs/hello.mdx` will be served from the `/docs/hello` URL.
-
-> **Important**: Files and directories will only be rendered and published to the website if they are [included in sidebar data](#editing-navigation-sidebars). Any file not included in sidebar data will not be rendered or published.
-
-This file can be standard Markdown and also supports [YAML frontmatter](https://middlemanapp.com/basics/frontmatter/). YAML frontmatter is optional, there are defaults for all keys.
-
-```yaml
----
-title: 'My Title'
-description: "A thorough, yet succinct description of the page's contents"
----
-```
-
-The significant keys in the YAML frontmatter are:
-
-- `title` `(string)` - This is the title of the page that will be set in the HTML title.
-- `description` `(string)` - This is a description of the page that will be set in the HTML description.
-
-> ⚠️ If there is a need for a `/api/*` url on this website, the url will be changed to `/api-docs/*`, as the `api` folder is reserved by next.js.
-
-### Validating Content
-
-Content changes are automatically validated against a set of rules as part of the pull request process. If you want to run these checks locally to validate your content before committing your changes, you can run the following command:
-
-```
-npm run content-check
-```
-
-If the validation fails, actionable error messages will be displayed to help you address detected issues.
-
-### Creating New Pages
-
-There is currently a small bug with new page creation - if you create a new page and link it up via subnav data while the server is running, it will report an error saying the page was not found. This can be resolved by restarting the server.
-
-### Markdown Enhancements
-
-There are several custom markdown plugins that are available by default that enhance [standard markdown](https://commonmark.org/) to fit our use cases. This set of plugins introduces a couple instances of custom syntax, and a couple specific pitfalls that are not present by default with markdown, detailed below:
-
-- > **Warning**: We are deprecating the current [paragraph alerts](https://github.com/hashicorp/remark-plugins/tree/master/plugins/paragraph-custom-alerts#paragraph-custom-alerts), in favor of the newer [MDX Inline Alert](#inline-alerts) components. The legacy paragraph alerts are represented by the symbols `~>`, `->`, `=>`, or `!>`.
-- If you see `@include '/some/path.mdx'`, this is a [markdown include](https://github.com/hashicorp/remark-plugins/tree/master/plugins/include-markdown#include-markdown-plugin). It's worth noting as well that all includes resolve from `website/content/partials` by default, and that changes to partials will not live-reload the website.
-- If you see `# Headline ((#slug))`, this is an example of an [anchor link alias](https://github.com/hashicorp/remark-plugins/tree/je.anchor-link-adjustments/plugins/anchor-links#anchor-link-aliases). It adds an extra permalink to a headline for compatibility and is removed from the output.
-- Due to [automatically generated permalinks](https://github.com/hashicorp/remark-plugins/tree/je.anchor-link-adjustments/plugins/anchor-links#anchor-links), any text changes to _headlines_ or _list items that begin with inline code_ can and will break existing permalinks. Be very cautious when changing either of these two text items.
-
- Headlines are fairly self-explanatory, but here's an example of how to list items that begin with inline code look.
-
- ```markdown
- - this is a normal list item
- - `this` is a list item that begins with inline code
- ```
-
- Its worth noting that _only the inline code at the beginning of the list item_ will cause problems if changed. So if you changed the above markup to...
-
- ```markdown
- - lsdhfhksdjf
- - `this` jsdhfkdsjhkdsfjh
- ```
-
- ...while it perhaps would not be an improved user experience, no links would break because of it. The best approach is to **avoid changing headlines and inline code at the start of a list item**. If you must change one of these items, make sure to tag someone from the digital marketing development team on your pull request, they will help to ensure as much compatibility as possible.
-
-### Custom Components
-
-A number of custom [mdx components](https://mdxjs.com/) are available for use within any `.mdx` file. Each one is documented below:
-
-#### Inline Alerts
-
-There are custom MDX components available to author alert data. [See the full documentation here](https://developer.hashicorp.com/swingset/components/mdxinlinealert). They render as colored boxes to draw the user's attention to some type of aside.
-
-```mdx
-## Alert types
-
-### Tip
-
-
- To provide general information to the user regarding the current context or
- relevant actions.
-
-
-### Highlight
-
-
- To provide general or promotional information to the user prominently.
-
-
-### Note
-
-
- To help users avoid an issue. Provide guidance and actions if possible.
-
-
-### Warning
-
-
- To indicate critical issues that need immediate action or help users
- understand something critical.
-
-
-## Title override prop
-
-To provide general information.
-```
-
-#### Tabs
-
-The `Tabs` component creates tabbed content of any type, but is often used for code examples given in different languages. Here's an example of how it looks from the Vagrant documentation website:
-
-
-
-> Please refer to the [Swingset](https://react-components.vercel.app/?component=Tabs) documentation for the latest examples and API reference.
-
-It can be used as such within a markdown file:
-
-````mdx
-Normal **markdown** content.
-
-
-
-
-```shell-session
-$ command ...
-```
-
-
-
-
-```shell-session
-$ curl ...
-```
-
-
-
-
-Continued normal markdown content
-````
-
-The intentionally skipped line is a limitation of the mdx parser which is being actively worked on. All tabs must have a heading, and there is no limit to the number of tabs, though it is recommended to go for a maximum of three or four.
-
-#### Enterprise Alert
-
-This component provides a standard way to call out functionality as being present only in the enterprise version of the software. It can be presented in two contexts, inline or standalone. Here's an example of standalone usage from the Consul docs website:
-
-
-
-The standalone component can be used as such in markdown files:
-
-```mdx
-# Page Headline
-
-
-
-Continued markdown content...
-```
-
-It can also receive custom text contents if you need to change the messaging but wish to retain the style. This will replace the text `This feature is available in all versions of Consul Enterprise.` with whatever you add. For example:
-
-```mdx
-# Page Headline
-
-
- My custom text here, and a link!
-
-
-Continued markdown content...
-```
-
-It's important to note that once you are adding custom content, it must be html and can not be markdown, as demonstrated above with the link.
-
-Now let's look at inline usage, here's an example:
-
-
-
-And here's how it could be used in your markdown document:
-
-```mdx
-### Some Enterprise Feature
-
-Continued markdown content...
-```
-
-It's also worth noting that this component will automatically adjust to the correct product colors depending on the context.
-
-#### Other Components
-
-Other custom components can be made available on a per-site basis, the above are the standards. If you have questions about custom components that are not documented here, or have a request for a new custom component, please reach out to @hashicorp/digital-marketing.
-
-### Syntax Highlighting
-
-When using fenced code blocks, the recommendation is to tag the code block with a language so that it can be syntax highlighted. For example:
-
-````
-```
-// BAD: Code block with no language tag
-```
-
-```javascript
-// GOOD: Code block with a language tag
-```
-````
-
-Check out the [supported languages list](https://prismjs.com/#supported-languages) for the syntax highlighter we use if you want to double check the language name.
-
-It is also worth noting specifically that if you are using a code block that is an example of a terminal command, the correct language tag is `shell-session`. For example:
-
-🚫**BAD**: Using `shell`, `sh`, `bash`, or `plaintext` to represent a terminal command
-
-````
-```shell
-$ terraform apply
-```
-````
-
-✅**GOOD**: Using `shell-session` to represent a terminal command
-
-````
-```shell-session
-$ terraform apply
-```
-````
-
-
-
-
-
-
-## Editing Navigation Sidebars
-
-The structure of the sidebars are controlled by files in the [`/data` directory](data). For example, [data/docs-nav-data.json](data/docs-nav-data.json) controls the **docs** sidebar. Within the `data` folder, any file with `-nav-data` after it controls the navigation for the given section.
-
-The sidebar uses a simple recursive data structure to represent _files_ and _directories_. The sidebar is meant to reflect the structure of the docs within the filesystem while also allowing custom ordering. Let's look at an example. First, here's our example folder structure:
-
-```text
-.
-├── docs
-│ └── directory
-│ ├── index.mdx
-│ ├── file.mdx
-│ ├── another-file.mdx
-│ └── nested-directory
-│ ├── index.mdx
-│ └── nested-file.mdx
-```
-
-Here's how this folder structure could be represented as a sidebar navigation, in this example it would be the file `website/data/docs-nav-data.json`:
-
-```json
-[
- {
- "title": "Directory",
- "routes": [
- {
- "title": "Overview",
- "path": "directory"
- },
- {
- "title": "File",
- "path": "directory/file"
- },
- {
- "title": "Another File",
- "path": "directory/another-file"
- },
- {
- "title": "Nested Directory",
- "routes": [
- {
- "title": "Overview",
- "path": "directory/nested-directory"
- },
- {
- "title": "Nested File",
- "path": "directory/nested-directory/nested-file"
- }
- ]
- }
- ]
- }
-]
-```
-
-A couple more important notes:
-
-- Within this data structure, ordering is flexible, but hierarchy is not. The structure of the sidebar must correspond to the structure of the content directory. So while you could put `file` and `another-file` in any order in the sidebar, or even leave one or both of them out, you could not decide to un-nest the `nested-directory` object without also un-nesting it in the filesystem.
-- The `title` property on each node in the `nav-data` tree is the human-readable name in the navigation.
-- The `path` property on each leaf node in the `nav-data` tree is the URL path where the `.mdx` document will be rendered, and the
-- Note that "index" files must be explicitly added. These will be automatically resolved, so the `path` value should be, as above, `directory` rather than `directory/index`. A common convention is to set the `title` of an "index" node to be `"Overview"`.
-
-Below we will discuss a couple of more unusual but still helpful patterns.
-
-### Index-less Categories
-
-Sometimes you may want to include a category but not have a need for an index page for the category. This can be accomplished, but as with other branch and leaf nodes, a human-readable `title` needs to be set manually. Here's an example of how an index-less category might look:
-
-```text
-.
-├── docs
-│ └── indexless-category
-│ └── file.mdx
-```
-
-```json
-// website/data/docs-nav-data.json
-[
- {
- "title": "Indexless Category",
- "routes": [
- {
- "title": "File",
- "path": "indexless-category/file"
- }
- ]
- }
-]
-```
-
-### Custom or External Links
-
-Sometimes you may have a need to include a link that is not directly to a file within the docs hierarchy. This can also be supported using a different pattern. For example:
-
-```json
-[
- {
- "name": "Directory",
- "routes": [
- {
- "title": "File",
- "path": "directory/file"
- },
- {
- "title": "Another File",
- "path": "directory/another-file"
- },
- {
- "title": "Tao of HashiCorp",
- "href": "https://www.hashicorp.com/tao-of-hashicorp"
- }
- ]
- }
-]
-```
-
-If the link provided in the `href` property is external, it will display a small icon indicating this. If it's internal, it will appear the same way as any other direct file link.
-
-
-
-
-
-
-## Changing the Release Version
-
-To change the version displayed for download on the website, head over to `data/version.js` and change the number there. It's important to note that the version number must match a version that has been released and is live on `releases.hashicorp.com` -- if it does not, the website will be unable to fetch links to the binaries and will not compile. So this version number should be changed _only after a release_.
-
-### Displaying a Prerelease
-
-If there is a prerelease of any type that should be displayed on the downloads page, this can be done by editing `pages/downloads/index.jsx`. By default, the download component might look something like this:
-
-```jsx
-
-```
-
-To add a prerelease, an extra `prerelease` property can be added to the component as such:
-
-```jsx
-
-```
-
-This configuration would display something like the following text on the website, emphasis added to the configurable parameters:
-
-```
-A {{ release candidate }} for {{ v1.0.0 }} is available! The release can be downloaded here.
-```
-
-You may customize the parameters in any way you'd like. To remove a prerelease from the website, simply delete the `prerelease` parameter from the above component.
-
-
-
-
-
-
-## Redirects
-
-This website structures URLs based on the filesystem layout. This means that if a file is moved, removed, or a folder is re-organized, links will break. If a path change is necessary, it can be mitigated using redirects. It's important to note that redirects should only be used to cover for external links -- if you are moving a path which internal links point to, the internal links should also be adjusted to point to the correct page, rather than relying on a redirect.
-
-To add a redirect, head over to the `redirects.js` file - the format is fairly simple - there's a `source` and a `destination` - fill them both in, indicate that it's a permanent redirect or not using the `permanent` key, and that's it. Let's look at an example:
-
-```
-{
- source: '/foo',
- destination: '/bar',
- permanent: true
-}
-```
-
-This redirect rule will send all incoming links to `/foo` to `/bar`. For more details on the redirects file format, [check out the docs on vercel](https://vercel.com/docs/configuration#project/redirects). All redirects will work both locally and in production exactly the same way, so feel free to test and verify your redirects locally. In the past testing redirects has required a preview deployment -- this is no longer the case. Please note however that if you add a redirect while the local server is running, you will need to restart it in order to see the effects of the redirect.
-
-There is still one caveat though: redirects do not apply to client-side navigation. By default, all links in the navigation and docs sidebar will navigate purely on the client side, which makes navigation through the docs significantly faster, especially for those with low-end devices and/or weak internet connections. In the future, we plan to convert all internal links within docs pages to behave this way as well. This means that if there is a link on this website to a given piece of content that has changed locations in some way, we need to also _directly change existing links to the content_. This way, if a user clicks a link that navigates on the client side, or if they hit the url directly and the page renders from the server side, either one will work perfectly.
-
-Let's look at an example. Say you have a page called `/docs/foo` which needs to be moved to `/docs/nested/foo`. Additionally, this is a page that has been around for a while and we know there are links into `/docs/foo.html` left over from our previous website structure. First, we move the page, then adjust the docs sidenav, in `data/docs-navigation.js`. Find the category the page is in, and move it into the appropriate subcategory. Next, we add to `_redirects` as such. The `.html` version is covered automatically.
-
-```js
-{ source: '/foo', destination: '/nested/foo', permanent: true }
-```
-
-Next, we run a global search for internal links to `/foo`, and make sure to adjust them to be `/nested/foo` - this is to ensure that client-side navigation still works correctly. _Adding a redirect alone is not enough_.
-
-One more example - let's say that content is being moved to an external website. A common example is guides moving to `learn.hashicorp.com`. In this case, we take all the same steps, except that we need to make a different type of change to the `docs-navigation` file. If previously the structure looked like:
-
-```js
-{
- category: 'docs',
- content: [
- 'foo'
- ]
-}
-```
-
-If we no longer want the link to be in the side nav, we can simply remove it. If we do still want the link in the side nav, but pointing to an external destination, we need to slightly change the structure as such:
-
-```js
-{
- category: 'docs',
- content: [
- { title: 'Foo Title', href: 'https://learn.hashicorp.com//foo' }
- ]
-}
-```
-
-As the majority of items in the side nav are internal links, the structure makes it as easy as possible to represent these links. This alternate syntax is the most concise manner than an external link can be represented. External links can be used anywhere within the docs sidenav.
-
-It's also worth noting that it is possible to do glob-based redirects, for example matching `/docs/*`, and you may see this pattern in the redirects file. This type of redirect is much higher risk and the behavior is a bit more nuanced, so if you need to add a glob redirect, please reach out to the website maintainers and ask about it first.
-
-
-
-
-
-
-## Browser Support
-
-We support the following browsers targeting roughly the versions specified.
-
-|  |  |  |  |  |
-| ------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------- |
-| **Latest** | **Latest** | **Latest** | **Latest** | **Latest** |
-
-
-
-
-
-
-## Deployment
-
-This website is hosted on Vercel and configured to automatically deploy anytime you push code to the `stable-website` branch. Any time a pull request is submitted that changes files within the `website` folder, a deployment preview will appear in the github checks which can be used to validate the way docs changes will look live. Deployments from `stable-website` will look and behave the same way as deployment previews.
-
-
+- For version-agnostic updates like typos, corrections, and broken links, submit
+ PRs against the `main` branch.
diff --git a/website/content/api-docs/auth/alicloud.mdx b/website/content/api-docs/auth/alicloud.mdx
deleted file mode 100644
index d208aa79b0..0000000000
--- a/website/content/api-docs/auth/alicloud.mdx
+++ /dev/null
@@ -1,203 +0,0 @@
----
-layout: api
-page_title: AliCloud - Auth Methods - HTTP API
-description: This is the API documentation for the Vault AliCloud auth method.
----
-
-> [!IMPORTANT]
-> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
-
-# AliCloud auth method (API)
-
-This is the API documentation for the Vault AliCloud auth method. For
-general information about the usage and operation of the AliCloud method, please
-see the [Vault AliCloud auth method documentation](/vault/docs/auth/alicloud).
-
-This documentation assumes the AliCloud auth method is mounted at the `/auth/alicloud`
-path in Vault. Since it is possible to enable auth methods at any location,
-please update your API calls accordingly.
-
-## Create/Update role
-
-Registers a role. Only entities using the role registered using this endpoint
-will be able to perform the login operation.
-
-| Method | Path |
-| :----- | :-------------------------- |
-| `POST` | `/auth/alicloud/role/:role` |
-
-### Parameters
-
-- `role` `(string: )` - Name of the role. Must correspond with the name of the role reflected in the arn.
-- `arn` `(string: )` - The role's arn.
-
-@include 'tokenfields.mdx'
-
-### Sample payload
-
-```json
-{
- "arn": "acs:ram::5138828231865461:role/dev-role",
- "policies": ["dev", "prod"]
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/alicloud/role/dev-role
-```
-
-## Read role
-
-Returns the previously registered role configuration.
-
-| Method | Path |
-| :----- | :-------------------------- |
-| `GET` | `/auth/alicloud/role/:role` |
-
-### Parameters
-
-- `role` `(string: )` - Name of the role.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/auth/alicloud/role/dev-role
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "arn": "acs:ram::5138828231865461:role/dev-role",
- "policies": ["default", "dev", "prod"],
- "ttl": 1800000,
- "max_ttl": 1800000,
- "period": 0
- }
-}
-```
-
-## List roles
-
-Lists all the roles that are registered with the method.
-
-| Method | Path |
-| :----- | :--------------------- |
-| `LIST` | `/auth/alicloud/roles` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request LIST \
- http://127.0.0.1:8200/v1/auth/alicloud/roles
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "keys": ["dev-role", "prod-role"]
- }
-}
-```
-
-## Delete role
-
-Deletes the previously registered role.
-
-| Method | Path |
-| :------- | :-------------------------- |
-| `DELETE` | `/auth/alicloud/role/:role` |
-
-### Parameters
-
-- `role` `(string: )` - Name of the role.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request DELETE \
- http://127.0.0.1:8200/v1/auth/alicloud/role/dev-role
-```
-
-## Login
-
-Fetch a token. This endpoint verifies the signature of the signed
-GetCallerIdentity request.
-
-| Method | Path |
-| :----- | :--------------------- |
-| `POST` | `/auth/alicloud/login` |
-
-### Parameters
-
-- `role` `(string: )` - Name of the role.
-- `identity_request_url` `(string: )` - Base64-encoded HTTP URL used in
- the signed request.
-- `identity_request_headers` `(string: )` - Base64-encoded,
- JSON-serialized representation of the sts:GetCallerIdentity HTTP request
- headers. The JSON serialization assumes that each header key maps to either a
- string value or an array of string values (though the length of that array
- will probably only be one).
-
-### Sample payload
-
-```json
-{
- "role": "dev-role",
- "identity_request_url": "aWRlbnRpdHlabrVxdWVzdF91cmw=",
- "identity_request_headers": "aWRlimRpdHlfcmVxdWVzdF9oZWFkZXJz"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/alicloud/login
-```
-
-### Sample response
-
-```json
-{
- "auth": {
- "renewable": true,
- "lease_duration": 1800000,
- "metadata": {
- "role_tag_max_ttl": "0",
- "instance_id": "i-de0f1344",
- "ami_id": "ami-fce36983",
- "role": "dev-role",
- "auth_type": "ec2",
- "account_id": "5138828231865461",
- "user_id": "216959339000654321",
- "role_id": "4657-abcd",
- "arn": "acs:ram::5138828231865461:assumed-role/dev-role/vm-ram-i-rj978rorvlg76urhqh7q",
- "identity_type": "assumed-role",
- "principal_id": "vm-ram-i-rj978rorvlg76urhqh7q",
- "request_id": "D6E46F10-F26C-4AA0-BB69-FE2743D9AE62",
- "role_name": "dev-role"
- },
- "policies": ["default", "dev"],
- "accessor": "20b89871-e6f2-1160-fb29-31c2f6d4645e",
- "client_token": "d9368254-3f21-aded-8a6f-7c818e81b17a"
- }
-}
-```
diff --git a/website/content/api-docs/auth/approle.mdx b/website/content/api-docs/auth/approle.mdx
deleted file mode 100644
index 053709281e..0000000000
--- a/website/content/api-docs/auth/approle.mdx
+++ /dev/null
@@ -1,719 +0,0 @@
----
-layout: api
-page_title: AppRole - Auth Methods - HTTP API
-description: This is the API documentation for the Vault AppRole auth method.
----
-
-> [!IMPORTANT]
-> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
-
-# AppRole auth method (API)
-
-This is the API documentation for the Vault AppRole auth method. For
-general information about the usage and operation of the AppRole method, please
-see the [Vault AppRole method documentation](/vault/docs/auth/approle).
-
-This documentation assumes the AppRole method is mounted at the `/auth/approle`
-path in Vault. Since it is possible to enable auth methods at any location,
-please update your API calls accordingly.
-
-## List roles
-
-This endpoint returns a list the existing AppRoles in the method.
-
-| Method | Path |
-| :----- | :------------------- |
-| `LIST` | `/auth/approle/role` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request LIST \
- http://127.0.0.1:8200/v1/auth/approle/role
-```
-
-### Sample response
-
-```json
-{
- "auth": null,
- "warnings": null,
- "wrap_info": null,
- "data": {
- "keys": ["dev", "prod", "test"]
- },
- "lease_duration": 0,
- "renewable": false,
- "lease_id": ""
-}
-```
-
-## Create/Update AppRole
-
-Creates a new AppRole or updates an existing AppRole. This endpoint
-supports both `create` and `update` capabilities. There can be one or more
-constraints enabled on the role. It is required to have at least one of them
-enabled while creating or updating a role.
-
-| Method | Path |
-| :----- | :------------------------------ |
-| `POST` | `/auth/approle/role/:role_name` |
-
-### Parameters
-
-- `role_name` `(string: )` - Name of the AppRole. Must be less than 4096 bytes, accepted characters
-include a-Z, 0-9, space, hyphen, underscore and periods.
-- `bind_secret_id` `(bool: true)` - Require `secret_id` to be presented when
- logging in using this AppRole.
-- `secret_id_bound_cidrs` `(array: [])` - Comma-separated string or list of CIDR
- blocks; if set, specifies blocks of IP addresses which can perform the login
- operation.
-- `secret_id_num_uses` `(integer: 0)` - Number of times any particular SecretID
- can be used to fetch a token from this AppRole, after which the SecretID by default
- will expire. A value of zero will allow unlimited uses.
- However, this option may be overridden by the request's 'num_uses' field when generating a SecretID.
-- `secret_id_ttl` `(string: "")` - Duration in either an integer number of
- seconds (`3600`) or an integer time unit (`60m`) after which by default any SecretID
- expires. A value of zero will allow the SecretID to not expire.
- However, this option may be overridden by the request's 'ttl' field when generating a SecretID.
-- `local_secret_ids` `(bool: false)` - If set, the secret IDs generated
- using this role will be cluster local. This can only be set during role
- creation and once set, it can't be reset later.
-
-@include 'tokenfields.mdx'
-
-### Sample payload
-
-```json
-{
- "token_type": "batch",
- "token_ttl": "10m",
- "token_max_ttl": "15m",
- "token_policies": ["default"],
- "period": 0,
- "bind_secret_id": true
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/approle/role/application1
-```
-
-## Read AppRole
-
-Reads the properties of an existing AppRole.
-
-| Method | Path |
-| :----- | :------------------------------ |
-| `GET` | `/auth/approle/role/:role_name` |
-
-### Parameters
-
-- `role_name` `(string: )` - Name of the AppRole. Must be less than 4096 bytes.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/auth/approle/role/application1
-```
-
-### Sample response
-
-```json
-{
- "auth": null,
- "warnings": null,
- "wrap_info": null,
- "data": {
- "token_ttl": 1200,
- "token_max_ttl": 1800,
- "secret_id_ttl": 600,
- "secret_id_num_uses": 40,
- "token_policies": ["default"],
- "period": 0,
- "bind_secret_id": true,
- "secret_id_bound_cidrs": []
- },
- "lease_duration": 0,
- "renewable": false,
- "lease_id": ""
-}
-```
-
-## Delete AppRole
-
-Deletes an existing AppRole from the method.
-
-| Method | Path |
-| :------- | :------------------------------ |
-| `DELETE` | `/auth/approle/role/:role_name` |
-
-### Parameters
-
-- `role_name` `(string: )` - Name of the AppRole. Must be less than 4096 bytes.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request DELETE \
- http://127.0.0.1:8200/v1/auth/approle/role/application1
-```
-
-## Read AppRole role ID
-
-Reads the RoleID of an existing AppRole.
-
-| Method | Path |
-| :----- | :-------------------------------------- |
-| `GET` | `/auth/approle/role/:role_name/role-id` |
-
-### Parameters
-
-- `role_name` `(string: )` - Name of the AppRole. Must be less than 4096 bytes.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/auth/approle/role/application1/role-id
-```
-
-### Sample response
-
-```json
-{
- "auth": null,
- "warnings": null,
- "wrap_info": null,
- "data": {
- "role_id": "e5a7b66e-5d08-da9c-7075-71984634b882"
- },
- "lease_duration": 0,
- "renewable": false,
- "lease_id": ""
-}
-```
-
-## Update AppRole role ID
-
-Updates the RoleID of an existing AppRole to a custom value.
-
-| Method | Path |
-| :----- | :-------------------------------------- |
-| `POST` | `/auth/approle/role/:role_name/role-id` |
-
-### Parameters
-
-- `role_name` `(string: )` - Name of the AppRole. Must be less than 4096 bytes.
-- `role_id` `(string: )` - Value to be set as RoleID.
-
-### Sample payload
-
-```json
-{
- "role_id": "custom-role-id"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/approle/role/application1/role-id
-```
-
-## Generate new secret ID
-
-Generates and issues a new SecretID on an existing AppRole. Similar to
-tokens, the response will also contain a `secret_id_accessor` value which can
-be used to read the properties of the SecretID without divulging the SecretID
-itself, and also to delete the SecretID from the AppRole.
-
-| Method | Path |
-| :----- | :---------------------------------------- |
-| `POST` | `/auth/approle/role/:role_name/secret-id` |
-
-### Parameters
-
-- `role_name` `(string: )` - Name of the AppRole. Must be less than 4096 bytes.
-- `metadata` `(string: "")` - Metadata to be tied to the SecretID. This should be
- a JSON-formatted string containing the metadata in key-value pairs. This
- metadata will be set on tokens issued with this SecretID, and is logged in
- audit logs _in plaintext_.
-- `cidr_list` `(array: [])` - Comma separated string or list of CIDR blocks
- enforcing secret IDs to be used from specific set of IP addresses. If
- `secret_id_bound_cidrs` is set on the role, then the list of CIDR blocks listed
- here should be a subset of the CIDR blocks listed on the role.
-- `token_bound_cidrs` `(array: [])` - Comma-separated string or list of CIDR
- blocks; if set, specifies blocks of IP addresses which can use the auth tokens
- generated by this SecretID. Overrides any role-set value but must be a subset.
-- `num_uses` `(integer: 0)` - Number of times this SecretID can be used, after which
- the SecretID expires. A value of zero will allow unlimited uses.
- Overrides secret_id_num_uses role option when supplied.
- May not be higher than role's secret_id_num_uses.
-- `ttl` `(string: "")` - Duration in seconds (`3600`) or an integer time unit (`60m`)
- after which this SecretID expires. A value of zero will allow the SecretID to not expire.
- Overrides secret_id_ttl role option when supplied.
- May not be longer than role's secret_id_ttl.
-
-### Sample payload
-
-```json
-{
- "metadata": "{ \"tag1\": \"production\" }",
- "ttl": 600,
- "num_uses": 50
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/approle/role/application1/secret-id
-```
-
-### Sample response
-
-```json
-{
- "auth": null,
- "warnings": null,
- "wrap_info": null,
- "data": {
- "secret_id_accessor": "84896a0c-1347-aa90-a4f6-aca8b7558780",
- "secret_id": "841771dc-11c9-bbc7-bcac-6a3945a69cd9",
- "secret_id_ttl": 600,
- "secret_id_num_uses": 50
- },
- "lease_duration": 0,
- "renewable": false,
- "lease_id": ""
-}
-```
-
-## List secret ID accessors
-
-Lists the accessors of all the SecretIDs issued against the AppRole.
-This includes the accessors for "custom" SecretIDs as well.
-
-| Method | Path |
-| :----- | :---------------------------------------- |
-| `LIST` | `/auth/approle/role/:role_name/secret-id` |
-
-### Parameters
-
-- `role_name` `(string: )` - Name of the AppRole. Must be less than 4096 bytes.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request LIST \
- http://127.0.0.1:8200/v1/auth/approle/role/application1/secret-id
-```
-
-### Sample response
-
-```json
-{
- "auth": null,
- "warnings": null,
- "wrap_info": null,
- "data": {
- "keys": [
- "ce102d2a-8253-c437-bf9a-aceed4241491",
- "a1c8dee4-b869-e68d-3520-2040c1a0849a",
- "be83b7e2-044c-7244-07e1-47560ca1c787",
- "84896a0c-1347-aa90-a4f6-aca8b7558780",
- "239b1328-6523-15e7-403a-a48038cdc45a"
- ]
- },
- "lease_duration": 0,
- "renewable": false,
- "lease_id": ""
-}
-```
-
-## Read AppRole secret ID
-
-Reads out the properties of a SecretID.
-
-| Method | Path |
-| :----- | :----------------------------------------------- |
-| `POST` | `/auth/approle/role/:role_name/secret-id/lookup` |
-
-### Parameters
-
-- `role_name` `(string: )` - Name of the AppRole. Must be less than 4096 bytes.
-- `secret_id` `(string: )` - Secret ID attached to the role.
-
-### Sample payload
-
-```json
-{
- "secret_id": "84896a0c-1347-aa90-a4f6-aca8b7558780"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/approle/role/application1/secret-id/lookup
-```
-
-### Sample Response
-
-```json
-{
- "request_id": "74752925-f309-6859-3d2d-0fcded95150e",
- "lease_id": "",
- "renewable": false,
- "lease_duration": 0,
- "data": {
- "cidr_list": [],
- "creation_time": "2023-02-10T18:17:27.089757383Z",
- "expiration_time": "0001-01-01T00:00:00Z",
- "last_updated_time": "2023-02-10T18:17:27.089757383Z",
- "metadata": {
- "tag1": "production"
- },
- "secret_id_accessor": "2be760a4-86bb-2fa9-1637-1b7fa9ba2896",
- "secret_id_num_uses": 0,
- "secret_id_ttl": 0,
- "token_bound_cidrs": []
- },
- "wrap_info": null,
- "warnings": null,
- "auth": null
-}
-```
-
-## Destroy AppRole Secret ID
-
-Destroy an AppRole secret ID.
-
-| Method | Path |
-| :----- | :------------------------------------------------ |
-| `POST` | `/auth/approle/role/:role_name/secret-id/destroy` |
-
-### Parameters
-
-- `role_name` `(string: )` - Name of the AppRole. Must be less than 4096 bytes.
-- `secret_id` `(string: )` - Secret ID attached to the role.
-
-### Sample payload
-
-```json
-{
- "secret_id": "84896a0c-1347-aa90-a4f6-aca8b7558780"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/approle/role/application1/secret-id/destroy
-```
-
-## Read AppRole secret ID accessor
-
-Reads out the properties of a SecretID.
-
-| Method | Path |
-| :----- | :-------------------------------------------------------- |
-| `POST` | `/auth/approle/role/:role_name/secret-id-accessor/lookup` |
-
-### Parameters
-
-- `role_name` `(string: )` - Name of the AppRole. Must be less than 4096 bytes.
-- `secret_id_accessor` `(string: )` - Secret ID accessor attached to the role.
-
-### Sample payload
-
-```json
-{
- "secret_id_accessor": "84896a0c-1347-aa90-a4f6-aca8b7558780"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/approle/role/application1/secret-id-accessor/lookup
-```
-
-### Sample Response
-
-```json
-{
- "request_id": "72836cd1-139c-fe66-1402-8bb5ca4044b8",
- "lease_id": "",
- "renewable": false,
- "lease_duration": 0,
- "data": {
- "cidr_list": [],
- "creation_time": "2023-02-10T18:17:27.089757383Z",
- "expiration_time": "0001-01-01T00:00:00Z",
- "last_updated_time": "2023-02-10T18:17:27.089757383Z",
- "metadata": {
- "tag1": "production"
- },
- "secret_id_accessor": "2be760a4-86bb-2fa9-1637-1b7fa9ba2896",
- "secret_id_num_uses": 0,
- "secret_id_ttl": 0,
- "token_bound_cidrs": []
- },
- "wrap_info": null,
- "warnings": null,
- "auth": null
-}
-```
-
-## Destroy AppRole Secret ID Accessor
-
-Destroy an AppRole secret ID by its accessor.
-
-| Method | Path |
-| :----- | :--------------------------------------------------------- |
-| `POST` | `/auth/approle/role/:role_name/secret-id-accessor/destroy` |
-
-### Parameters
-
-- `role_name` `(string: )` - Name of the AppRole. Must be less than 4096 bytes.
-- `secret_id_accessor` `(string: )` - Secret ID accessor attached to the role.
-
-### Sample payload
-
-```json
-{
- "secret_id_accessor": "84896a0c-1347-aa90-a4f6-aca8b7558780"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/approle/role/application1/secret-id-accessor/destroy
-```
-
-## Create custom AppRole secret ID
-
-Assigns a "custom" SecretID against an existing AppRole. This is used in the
-"Push" model of operation.
-
-| Method | Path |
-| :----- | :----------------------------------------------- |
-| `POST` | `/auth/approle/role/:role_name/custom-secret-id` |
-
-### Parameters
-
-- `role_name` `(string: )` - Name of the AppRole. Must be less than 4096 bytes.
-- `secret_id` `(string: )` - SecretID to be attached to the Role.
-- `metadata` `(string: "")` - Metadata to be tied to the SecretID. This should be
- a JSON-formatted string containing the metadata in key-value pairs. This
- metadata will be set on tokens issued with this SecretID, and is logged in
- audit logs _in plaintext_.
-- `cidr_list` `(array: [])` - Comma separated string or list of CIDR blocks
- enforcing secret IDs to be used from specific set of IP addresses. If
- `secret_id_bound_cidrs` is set on the role, then the list of CIDR blocks listed
- here should be a subset of the CIDR blocks listed on the role.
-- `token_bound_cidrs` `(array: [])` - Comma-separated string or list of CIDR
- blocks; if set, specifies blocks of IP addresses which can use the auth tokens
- generated by this SecretID. Overrides any role-set value but must be a subset.
-- `num_uses` `(integer: 0)` - Number of times this SecretID can be used, after which
- the SecretID expires. A value of zero will allow unlimited uses.
- Overrides secret_id_num_uses role option when supplied.
- May not be higher than role's secret_id_num_uses.
-- `ttl` `(string: "")` - Duration in seconds (`3600`) or an integer time unit (`60m`)
- after which this SecretID expires. A value of zero will allow the SecretID to not expire.
- Overrides secret_id_ttl role option when supplied.
- May not be longer than role's secret_id_ttl.
-
-### Sample payload
-
-```json
-{
- "secret_id": "testsecretid",
- "ttl": 600,
- "num_uses": 50
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/approle/role/application1/custom-secret-id
-```
-
-### Sample response
-
-```json
-{
- "auth": null,
- "warnings": null,
- "wrap_info": null,
- "data": {
- "secret_id": "testsecretid",
- "secret_id_accessor": "84896a0c-1347-aa90-a4f6-aca8b7558780",
- "secret_id_ttl": 600,
- "secret_id_num_uses": 50
- },
- "lease_duration": 0,
- "renewable": false,
- "lease_id": ""
-}
-```
-
-## Login with AppRole
-
-Issues a Vault token based on the presented credentials. `role_id` is always
-required; if `bind_secret_id` is enabled (the default) on the AppRole,
-`secret_id` is required too. Any other bound authentication values on the
-AppRole (such as client IP CIDR) are also evaluated.
-
-| Method | Path |
-| :----- | :-------------------- |
-| `POST` | `/auth/approle/login` |
-
-### Parameters
-
-- `role_id` `(string: )` - RoleID of the AppRole.
-- `secret_id` `(string: )` - SecretID belonging to AppRole.
-
-### Sample payload
-
-```json
-{
- "role_id": "59d6d1ca-47bb-4e7e-a40b-8be3bc5a0ba8",
- "secret_id": "84896a0c-1347-aa90-a4f6-aca8b7558780"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/approle/login
-```
-
-### Sample response
-
-```json
-{
- "auth": {
- "renewable": true,
- "lease_duration": 1200,
- "metadata": null,
- "token_policies": ["default"],
- "accessor": "fd6c9a00-d2dc-3b11-0be5-af7ae0e1d374",
- "client_token": "5b1a0318-679c-9c45-e5c6-d1b9a9035d49"
- },
- "warnings": null,
- "wrap_info": null,
- "data": null,
- "lease_duration": 0,
- "renewable": false,
- "lease_id": ""
-}
-```
-
-## Read, update, or delete AppRole properties
-
-Updates the respective property in the existing AppRole. All of these
-parameters of the AppRole can be updated using the `/auth/approle/role/:role_name`
-endpoint directly. The endpoints for each field is provided separately
-to be able to delegate specific endpoints using Vault's ACL system.
-
-| Method | Path |
-| :---------------- | :---------------------------------------------------- | --------- |
-| `GET/POST/DELETE` | `/auth/approle/role/:role_name/policies` | `200/204` |
-| `GET/POST/DELETE` | `/auth/approle/role/:role_name/secret-id-num-uses` | `200/204` |
-| `GET/POST/DELETE` | `/auth/approle/role/:role_name/secret-id-ttl` | `200/204` |
-| `GET/POST/DELETE` | `/auth/approle/role/:role_name/token-ttl` | `200/204` |
-| `GET/POST/DELETE` | `/auth/approle/role/:role_name/token-max-ttl` | `200/204` |
-| `GET/POST/DELETE` | `/auth/approle/role/:role_name/bind-secret-id` | `200/204` |
-| `GET/POST/DELETE` | `/auth/approle/role/:role_name/secret-id-bound-cidrs` | `200/204` |
-| `GET/POST/DELETE` | `/auth/approle/role/:role_name/token-bound-cidrs` | `200/204` |
-| `GET/POST/DELETE` | `/auth/approle/role/:role_name/period` | `200/204` |
-
-Refer to `/auth/approle/role/:role_name` endpoint.
-
-## Tidy tokens
-
-Performs some maintenance tasks to clean up invalid entries that may remain
-in the token store. Generally, running this is not needed unless upgrade
-notes or support personnel suggest it. This may perform a lot of I/O to the
-storage method so should be used sparingly.
-
-| Method | Path |
-| :----- | :----------------------------- |
-| `POST` | `/auth/approle/tidy/secret-id` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- http://127.0.0.1:8200/v1/auth/approle/tidy/secret-id
-```
-
-### Sample response
-
-```json
-{
- "request_id": "b20b56e3-4699-5b19-cc6b-e74f7b787bbf",
- "lease_id": "",
- "renewable": false,
- "lease_duration": 0,
- "data": null,
- "wrap_info": null,
- "warnings": [
- "Tidy operation successfully started. Any information from the operation will be printed to Vault's server logs."
- ],
- "auth": null
-}
-```
diff --git a/website/content/api-docs/auth/aws.mdx b/website/content/api-docs/auth/aws.mdx
deleted file mode 100644
index b140c9f65f..0000000000
--- a/website/content/api-docs/auth/aws.mdx
+++ /dev/null
@@ -1,1422 +0,0 @@
----
-layout: api
-page_title: AWS - Auth Methods - HTTP API
-description: This is the API documentation for the Vault AWS auth method.
----
-
-> [!IMPORTANT]
-> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
-
-# AWS auth method (API)
-
-@include 'x509-sha1-deprecation.mdx'
-
-This is the API documentation for the Vault AWS auth method. For
-general information about the usage and operation of the AWS method, please
-see the [Vault AWS method documentation](/vault/docs/auth/aws).
-
-This documentation assumes the AWS method is mounted at the `/auth/aws`
-path in Vault. Since it is possible to enable auth methods at any location,
-please update your API calls accordingly.
-
-~> **Vault 1.7** deprecated several AWS Auth URLs. The full
-[list of affected endpoints](#deprecations-effective-in-vault-1-7) and their
-replacements is provided at the end of this document.
-
-## Configure client
-
-Configures the credentials required to perform API calls to AWS as well as
-custom endpoints to talk to AWS APIs. The instance identity document
-fetched from the PKCS#7 signature will provide the EC2 instance ID. The
-credentials configured using this endpoint will be used to query the status
-of the instances via DescribeInstances API. If static credentials are not
-provided using this endpoint, or [plugin workload identity federation](/vault/docs/auth/aws#plugin-workload-identity-federation-wif)
-credentials are also not provided, then the credentials will be retrieved from
-the environment variables `AWS_ACCESS_KEY`, `AWS_SECRET_KEY` and
-`AWS_REGION` respectively. If the credentials are still not found and if the
-method is configured on an EC2 instance with metadata querying
-capabilities, the credentials are fetched automatically.
-
-| Method | Path |
-| :----- | :------------------------ |
-| `POST` | `/auth/aws/config/client` |
-
-### Parameters
-
-- `max_retries` `(int: -1)` - Number of max retries the client should use for
- recoverable errors. The default (`-1`) falls back to the AWS SDK's default
- behavior.
-- `access_key` `(string: "")` - AWS Access key with permissions to query AWS
- APIs. The permissions required depend on the specific configurations. If using
- the `iam` auth method without inferencing, then no credentials are necessary.
- If using the `ec2` auth method or using the `iam` auth method with
- inferencing, then these credentials need access to `ec2:DescribeInstances`. If
- additionally a `bound_iam_role` is specified, then these credentials also need
- access to `iam:GetInstanceProfile`. If, however, an alternate sts
- configuration is set for the target account, then the credentials must be
- permissioned to call `sts:AssumeRole` on the configured role, and that role
- must have the permissions described here. Mutually exclusive with `identity_token_audience`.
-- `secret_key` `(string: "")` - AWS Secret key with permissions to query AWS
- APIs.
-- `role_arn` `(string: "")` – Role ARN to assume
- for plugin workload identity federation. Required with `identity_token_audience`.
-- `identity_token_audience` `(string: "")` - The
- audience claim value for plugin identity tokens. Must match an allowed audience configured
- for the target [IAM OIDC identity provider](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html#manage-oidc-provider-console).
- Mutually exclusive with `access_key`.
-- `identity_token_ttl` `(string/int: 3600)` - The
- TTL of generated tokens. Defaults to 1 hour. Uses [duration format strings](/vault/docs/concepts/duration-format).
-- `endpoint` `(string: "")` - URL to override the default generated endpoint for
- making AWS EC2 API calls.
-- `iam_endpoint` `(string: "")` - URL to override the default generated endpoint
- for making AWS IAM API calls.
-- `sts_endpoint` `(string: "")` - URL to override the default generated endpoint
- for making AWS STS API calls. If set, `sts_region` should also be set.
-- `sts_region` `(string: "")` - Region to override the default region for making
- AWS STS API calls. Should only be set if `sts_endpoint` is set. If so, should
- be set to the region in which the custom `sts_endpoint` resides.
-- `use_sts_region_from_client` `(boolean: false)` - If set, overrides both `sts_endpoint`
- and `sts_region` to instead use the region specified in the client request headers for
- IAM-based authentication . This can be useful when you have client requests coming from
- different regions and want flexibility in which regional STS API is used.
-- `iam_server_id_header_value` `(string: "")` - The value to require in the
- `X-Vault-AWS-IAM-Server-ID` header as part of GetCallerIdentity requests that
- are used in the iam auth method. If not set, then no value is required or
- validated. If set, clients must include an X-Vault-AWS-IAM-Server-ID header in
- the headers of login requests, and further this header must be among the
- signed headers validated by AWS. This is to protect against different types of
- replay attacks, for example a signed request sent to a dev server being resent
- to a production server. Consider setting this to the Vault server's DNS name.
-- `allowed_sts_header_values` `(string: "")` A comma separated list of
- additional request headers permitted when providing the iam_request_headers for
- an IAM based login call. In any case, a default list of headers AWS STS
- expects for a GetCallerIdentity are allowed.
-
-@include 'rotationfields.mdx'
-
-### Sample payload
-
-```json
-{
- "access_key": "VKIAJBRHKH6EVTTNXDHA",
- "secret_key": "vCtSM8ZUEQ3mOFVlYPBQkf2sO6F/W7a5TVzrl3Oj"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/aws/config/client
-```
-
-## Read config
-
-Returns the previously configured AWS access credentials.
-
-| Method | Path |
-| :----- | :------------------------ |
-| `GET` | `/auth/aws/config/client` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/auth/aws/config/client
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "access_key": "VKIAJBRHKH6EVTTNXDHA",
- "endpoint": "",
- "iam_endpoint": "",
- "sts_endpoint": "",
- "sts_region": "",
- "use_sts_region_from_client": false,
- "iam_server_id_header_value": ""
- }
-}
-```
-
-## Delete config
-
-Deletes the previously configured AWS access credentials.
-
-| Method | Path |
-| :------- | :------------------------ |
-| `DELETE` | `/auth/aws/config/client` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request DELETE \
- http://127.0.0.1:8200/v1/auth/aws/config/client
-```
-
-## Rotate root credentials
-
-When you have configured Vault with static credentials, you can use this
-endpoint to have Vault rotate the access key it used. Note that, due to AWS
-eventual consistency, after calling this endpoint, subsequent calls from Vault
-to AWS may fail for a few seconds until AWS becomes consistent again.
-
-In order to call this endpoint, Vault's AWS access key MUST be the only access
-key on the IAM user; otherwise, generation of a new access key will fail. Once
-this method is called, Vault will now be the only entity that knows the AWS
-secret key is used to access AWS.
-
-| Method | Path |
-| :----- | :----------------------------- |
-| `POST` | `/auth/aws/config/rotate-root` |
-
-### Parameters
-
-There are no parameters to this operation.
-
-### Sample request
-
-```$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- http://127.0.0.1:8200/v1/auth/aws/config/rotate-root
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "access_key": "AKIA..."
- }
-}
-```
-
-The new access key Vault uses is returned by this operation.
-
-## Configure identity integration
-
-This configures the way that Vault interacts with the
-[Identity](/vault/docs/secrets/identity) store. The default (as of Vault
-1.0.3) is `role_id` for both values.
-
-| Method | Path |
-| :----- | :-------------------------- |
-| `POST` | `/auth/aws/config/identity` |
-
-### Parameters
-
-- `iam_alias` `(string: "role_id")` - How to generate the identity alias when
- using the `iam` auth method. Valid choices are `role_id`, `unique_id`, `canonical_arn` and
- `full_arn`. When `role_id` is selected, the randomly generated ID of the Vault role
- is used. When `unique_id` is selected, the [IAM Unique
- ID](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers#identifiers-unique-ids)
- of the IAM principal (either the user or role) is used as the identity alias
- name. When `canonical_arn` is selected, the role ARN returned by the `sts:GetCallerIdentity`call
- will be used. This will be `arn:aws:iam:::role/`. When `full_arn` is selected,
- the ARN returned by the `sts:GetCallerIdentity` call is used as the alias name. This is either
- `arn:aws:iam:::user/` or
- `arn:aws:sts:::assumed-role//`.
- **Note**: if you select `canonical_arn` or `full_arn` and then delete and recreate the IAM role,
- Vault won't be aware and any identity aliases set up for the role name will
- still be valid.
-
-- `iam_metadata` `(string: "default")` - The metadata to include on the token
- returned by the `login` endpoint. This metadata will be added to both audit logs,
- and on the `iam_alias`. By default, it includes `account_id` and `auth_type`.
- Additionally, `canonical_arn`, `client_arn`, `client_user_id`, `inferred_aws_region`,
- `inferred_entity_id`, and `inferred_entity_type` are available. To include no metadata,
- set to `""` via the CLI or `[]` via the API. To use only particular fields, select
- the explicit fields. To restore to defaults, send only a field of `default`.
- **Only select fields that will have a low rate of change** for your `iam_alias` because
- each change triggers a storage write and can have a performance impact at scale.
-
-- `ec2_alias` `(string: "role_id")` - Configures how to generate the identity
- alias when using the `ec2` auth method. Valid choices are `role_id`,
- `instance_id`, and `image_id`. When `role_id` is selected, the randomly
- generated ID of the Vault role is used. When `instance_id` is selected, the
- instance identifier is used as the identity alias name. When `image_id` is
- selected, AMI ID of the instance is used as the identity alias name.
-
-- `ec2_metadata` `(string: "default")` - The metadata to include on the token
- returned by the `login` endpoint. This metadata will be added to both audit logs,
- and on the `ec2_alias`. By default, it includes `account_id` and `auth_type`.
- Additionally, `ami_id`, `instance_id`, and `region`, are available. To include no metadata,
- set to `""` via the CLI or `[]` via the API. To use only particular fields, select
- the explicit fields. To restore to defaults, send only a field of `default`.
- **Only select fields that will have a low rate of change** for your `ec2_alias` because
- each change triggers a storage write and can have a performance impact at scale.
-
-### Sample payload
-
-```json
-{
- "iam_alias": "unique_id"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- -- header "X-Vault-Token:..." \
- --request POST
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/aws/config/identity
-```
-
-## Read identity integration configuration
-
-Returns the previously configured Identity integration configuration
-
-| Method | Path |
-| :----- | :-------------------------- |
-| `GET` | `/auth/aws/config/identity` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token:..." \
- http://127.0.0.1:8200/v1/auth/aws/config/identity
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "iam_alias": "full_arn"
- }
-}
-```
-
-## Create certificate configuration
-
-Registers an AWS public key to be used to verify the instance identity
-documents. Indicate the type of the public key using the `type` parameter.
-Vault has the default
-[documented](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html)
-set of AWS certificates built-in.
-
-The `pkcs7` type is used to verify PKCS#7 signatures from the AWS
-`http://169.254.169.254/latest/dynamic/instance-identity/pkcs7` and
-`http://169.254.169.254/latest/dynamic/instance-identity/rsa2048` endpoints.
-Vault does not support X.509 certificates with SHA-1 signatures. If you use AWS
-[`/rsa2048` signature endpoint](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-rsa2048.html)
-credentials, you must use the `pkcs7` login flow.
-
-The `identity` type is used to verify signatures from the
-`http://169.254.169.254/latest/dynamic/instance-identity/document` and
-`http://169.254.169.254/latest/dynamic/instance-identity/signature` endpoints.
-
-See the [AWS docs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html)
-for more information on the signature types and the corresponding certificates.
-
-| Method | Path |
-| :----- | :---------------------------------------- |
-| `POST` | `/auth/aws/config/certificate/:cert_name` |
-
-### Parameters
-
-- `cert_name` `(string: )` - Name of the certificate.
-- `aws_public_cert` `(string: )` - Base64-encoded AWS Public key required to verify
- PKCS#7 signature of the EC2 instance metadata.
-- `type` `(string: "pkcs7")` - Takes the value of either "pkcs7" or "identity",
- indicating the type of document which can be verified using the given
- certificate. The PKCS#7 document can be a DSA digest from the
- [/pkcs7](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-pkcs7.html)
- endpoint or an RSA-2048 signature from the
- [/rsa2048](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-rsa2048.html)
- endpoint.
- The identity signature is used to validate RSA signatures from the
- [/signature](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-signature.html)
- endpoint. Defaults to "pkcs7".
-
-### Sample payload
-
-```json
-{
- "aws_public_cert": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM3VENDQXEwQ0NRQ1d1a2paNVY0YVp6QUpCZ2NxaGtqT09BUURNRnd4Q3pBSkJnTlZCQVlUQWxWVE1Sa3cKRndZRFZRUUlFeEJYWVhOb2FXNW5kRzl1SUZOMFlYUmxNUkF3RGdZRFZRUUhFd2RUWldGMGRHeGxNU0F3SGdZRApWUVFLRXhkQmJXRjZiMjRnVjJWaUlGTmxjblpwWTJWeklFeE1RekFlRncweE1qQXhNRFV4TWpVMk1USmFGdzB6Ck9EQXhNRFV4TWpVMk1USmFNRnd4Q3pBSkJnTlZCQVlUQWxWVE1Sa3dGd1lEVlFRSUV4QlhZWE5vYVc1bmRHOXUKSUZOMFlYUmxNUkF3RGdZRFZRUUhFd2RUWldGMGRHeGxNU0F3SGdZRFZRUUtFeGRCYldGNmIyNGdWMlZpSUZObApjblpwWTJWeklFeE1RekNDQWJjd2dnRXNCZ2NxaGtqT09BUUJNSUlCSHdLQmdRQ2prdmNTMmJiMVZRNHl0LzVlCmloNU9PNmtLL24xTHpsbHI3RDhad3RRUDhmT0VwcDVFMm5nK0Q2VWQxWjFnWWlwcjU4S2ozbnNzU05wSTZiWDMKVnlJUXpLN3dMY2xuZC9Zb3pxTk5tZ0l5WmVjTjdFZ2xLOUlUSEpMUCt4OEZ0VXB0M1FieVlYSmRtVk1lZ042UApodmlZdDVKSC9uWWw0aGgzUGExSEpkc2tnUUlWQUxWSjNFUjExK0tvNHRQNm53dkh3aDYrRVJZUkFvR0JBSTFqCmsrdGtxTVZIdUFGY3ZBR0tvY1Rnc2pKZW02LzVxb216SnVLRG1iSk51OVF4dzNyQW90WGF1OFFlK01CY0psL1UKaGh5MUtIVnBDR2w5ZnVlUTJzNklMMENhTy9idXljVTFDaVlRazQwS05IQ2NIZk5pWmJkbHgxRTlycFVwN2JuRgpsUmEydjFudE1YM2NhUlZEZGJ0UEVXbWR4U0NZc1lGRGs0bVpyT0xCQTRHRUFBS0JnRWJtZXZlNWY4TElFL0dmCk1ObVA5Q001ZW92UU9HeDVobzhXcUQrYVRlYnMrazJ0bjkyQkJQcWVacXBXUmE1UC8ranJkS21sMXF4NGxsSFcKTVhyczNJZ0liNitoVUlCK1M4ZHo4L21tTzBicHI3NlJvWlZDWFlhYjJDWmVkRnV0N3FjM1dVSDkrRVVBSDVtdwp2U2VEQ09VTVlRUjdSOUxJTll3b3VISXppcVFZTUFrR0J5cUdTTTQ0QkFNREx3QXdMQUlVV1hCbGs0MHhUd1N3CjdIWDMyTXhYWXJ1c2U5QUNGQk5HbWRYMlpCclZOR3JOOU4yZjZST2swazlLCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/aws/config/certificate/test-cert
-```
-
-## Read certificate configuration
-
-Returns the previously configured AWS public key.
-
-| Method | Path |
-| :----- | :---------------------------------------- |
-| `GET` | `/auth/aws/config/certificate/:cert_name` |
-
-### Parameters
-
-- `cert_name` `(string: )` - Name of the certificate.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/auth/aws/config/certificate/test-cert
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "aws_public_cert": "-----BEGIN CERTIFICATE-----\nMIIC7TCCAq0CCQCWukjZ5V4aZzAJBgcqhkjOOAQDMFwxCzAJBgNVBAYTAlVTMRkw\nFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdTZWF0dGxlMSAwHgYD\nVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQzAeFw0xMjAxMDUxMjU2MTJaFw0z\nODAxMDUxMjU2MTJaMFwxCzAJBgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9u\nIFN0YXRlMRAwDgYDVQQHEwdTZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNl\ncnZpY2VzIExMQzCCAbcwggEsBgcqhkjOOAQBMIIBHwKBgQCjkvcS2bb1VQ4yt/5e\nih5OO6kK/n1Lzllr7D8ZwtQP8fOEpp5E2ng+D6Ud1Z1gYipr58Kj3nssSNpI6bX3\nVyIQzK7wLclnd/YozqNNmgIyZecN7EglK9ITHJLP+x8FtUpt3QbyYXJdmVMegN6P\nhviYt5JH/nYl4hh3Pa1HJdskgQIVALVJ3ER11+Ko4tP6nwvHwh6+ERYRAoGBAI1j\nk+tkqMVHuAFcvAGKocTgsjJem6/5qomzJuKDmbJNu9Qxw3rAotXau8Qe+MBcJl/U\nhhy1KHVpCGl9fueQ2s6IL0CaO/buycU1CiYQk40KNHCcHfNiZbdlx1E9rpUp7bnF\nlRa2v1ntMX3caRVDdbtPEWmdxSCYsYFDk4mZrOLBA4GEAAKBgEbmeve5f8LIE/Gf\nMNmP9CM5eovQOGx5ho8WqD+aTebs+k2tn92BBPqeZqpWRa5P/+jrdKml1qx4llHW\nMXrs3IgIb6+hUIB+S8dz8/mmO0bpr76RoZVCXYab2CZedFut7qc3WUH9+EUAH5mw\nvSeDCOUMYQR7R9LINYwouHIziqQYMAkGByqGSM44BAMDLwAwLAIUWXBlk40xTwSw\n7HX32MxXYruse9ACFBNGmdX2ZBrVNGrN9N2f6ROk0k9K\n-----END CERTIFICATE-----\n",
- "type": "pkcs7"
- }
-}
-```
-
-## Delete certificate configuration
-
-Removes the previously configured AWS public key.
-
-| Method | Path |
-| :------- | :---------------------------------------- |
-| `DELETE` | `/auth/aws/config/certificate/:cert_name` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request DELETE \
- http://127.0.0.1:8200/v1/auth/aws/config/certificate/test-cert
-```
-
-## List certificate configurations
-
-Lists all the AWS public certificates that are registered with the method.
-
-| Method | Path |
-| :----- | :------------------------------ |
-| `LIST` | `/auth/aws/config/certificates` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request LIST \
- http://127.0.0.1:8200/v1/auth/aws/config/certificates
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "keys": ["cert1"]
- }
-}
-```
-
-## Create STS role
-
-Allows the explicit association of STS roles to satellite AWS accounts
-(i.e. those which are not the account in which the Vault server is
-running.) Vault will use credentials obtained by assuming these STS roles
-when validating IAM principals or EC2 instances in the particular AWS account.
-
-| Method | Path |
-| :----- | :--------------------------------- |
-| `POST` | `/auth/aws/config/sts/:account_id` |
-
-### Parameters
-
-- `account_id` `(string: )` - AWS account ID to be associated with
- STS role. If set, Vault will use assumed credentials to verify any login
- attempts from EC2 instances in this account.
-- `sts_role` `(string: )` - AWS ARN for STS role to be assumed when
- interacting with the account specified. The Vault server must have
- permissions to assume this role.
-- `external_id` `(string: "")` - The external ID expected by the STS role. The
- associated STS role **must** be configured to require the external ID.
-
-### Sample payload
-
-```json
-{
- "sts_role": "arn:aws:iam:111122223333:role/myRole"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/aws/config/sts/111122223333
-```
-
-## Read STS role
-
-Returns the previously configured STS role.
-
-| Method | Path |
-| :----- | :--------------------------------- |
-| `GET` | `/auth/aws/config/sts/:account_id` |
-
-### Parameters
-
-- `account_id` `(string: )` - AWS account ID that has been
- previously associated with STS role.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/auth/aws/config/sts/111122223333
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "sts_role ": "arn:aws:iam:111122223333:role/myRole"
- }
-}
-```
-
-## List STS roles
-
-Lists all the AWS Account IDs for which an STS role is registered.
-
-| Method | Path |
-| :----- | :--------------------- |
-| `LIST` | `/auth/aws/config/sts` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request LIST \
- http://127.0.0.1:8200/v1/auth/aws/config/sts
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "keys": ["111122223333", "999988887777"]
- }
-}
-```
-
-## Delete STS role
-
-Deletes a previously configured AWS account/STS role association.
-
-| Method | Path |
-| :------- | :--------------------------------- |
-| `DELETE` | `/auth/aws/config/sts/:account_id` |
-
-### Parameters
-
-- `account_id` `(string: )` - AWS account ID that has been
- previously associated with STS role.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request DELETE \
- http://127.0.0.1:8200/v1/auth/aws/config/sts/111122223333
-```
-
-## Configure identity access list tidy operation
-
-Configures the periodic tidying operation of the access listed identity entries.
-
-| Method | Path |
-| :----- | :------------------------------------------ |
-| `POST` | `/auth/aws/config/tidy/identity-accesslist` |
-
-### Parameters
-
-- `safety_buffer` `(string: "72h")` - The amount of extra time that must have
- passed beyond the `roletag` expiration, before it is removed from the method
- storage. Defaults to 72h.
-- `disable_periodic_tidy` `(bool: false)` - If set to 'true', disables the
- periodic tidying of the `identity-accesslist/` entries.
-
-### Sample payload
-
-```json
-{
- "safety_buffer": "48h"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/aws/config/tidy/identity-accesslist
-```
-
-## Read identity access list tidy settings
-
-Returns the previously configured periodic access list tidying settings.
-
-| Method | Path |
-| :----- | :------------------------------------------ |
-| `GET` | `/auth/aws/config/tidy/identity-accesslist` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/auth/aws/config/tidy/identity-accesslist
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "safety_buffer": 600,
- "disable_periodic_tidy": false
- }
-}
-```
-
-## Delete identity access list tidy settings
-
-Deletes the previously configured periodic access list tidying settings.
-
-| Method | Path |
-| :------- | :------------------------------------------ |
-| `DELETE` | `/auth/aws/config/tidy/identity-accesslist` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request DELETE \
- http://127.0.0.1:8200/v1/auth/aws/config/tidy/identity-accesslist
-```
-
-## Configure role tag deny list tidy operation
-
-Configures the periodic tidying operation of the deny listed role tag entries.
-
-| Method | Path |
-| :----- | :--------------------------------------- |
-| `POST` | `/auth/aws/config/tidy/roletag-denylist` |
-
-### Parameters
-
-- `safety_buffer` `(string: "72h")` - The amount of extra time that must have
- passed beyond the `roletag` expiration, before it is removed from the method
- storage. Defaults to 72h.
-- `disable_periodic_tidy` `(bool: false)` - If set to 'true', disables the
- periodic tidying of the `roletag-denylist/` entries.
-
-### Sample payload
-
-```json
-{
- "safety_buffer": "48h"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/aws/config/tidy/roletag-denylist
-```
-
-## Read role tag deny list tidy settings
-
-Returns the previously configured periodic deny list tidying settings.
-
-| Method | Path |
-| :----- | :--------------------------------------- |
-| `GET` | `/auth/aws/config/tidy/roletag-denylist` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/auth/aws/config/tidy/roletag-denylist
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "safety_buffer": 600,
- "disable_periodic_tidy": false
- }
-}
-```
-
-## Delete role tag deny list tidy settings
-
-Deletes the previously configured periodic deny list tidying settings.
-
-| Method | Path |
-| :------- | :--------------------------------------- |
-| `DELETE` | `/auth/aws/config/tidy/roletag-denylist` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request DELETE \
- http://127.0.0.1:8200/v1/auth/aws/config/tidy/roletag-denylist
-```
-
-## Create/Update role
-
-Registers a role in the method. Only those instances or principals which
-are using the role registered using this endpoint, will be able to perform
-the login operation. Constraints can be specified on the role, that are
-applied on the instances or principals attempting to login. At least one
-constraint must be specified on the role. The available constraints you
-can choose are dependent on the `auth_type` of the role and, if the
-`auth_type` is `iam`, then whether inferencing is enabled. A role will not
-let you configure a constraint if it is not checked by the `auth_type` and
-inferencing configuration of that role. For the constraints which accept a list
-of values, the authenticating instance/principal must match any one value in the
-list in order to satisfy that constraint.
-
-| Method | Path |
-| :----- | :--------------------- |
-| `POST` | `/auth/aws/role/:role` |
-
-### Parameters
-
-- `role` `(string: )` - Name of the role. Vault normalizes all role
- names to lower case. If you create two roles, "Web-Workers" and "WEB-WORKERS",
- they will both be normalized to "web-workers" and will be regarded as the same role.
- This is to prevent unexpected behavior due to casing differences. At all points,
- Vault can be provided the role in any casing, and it will internally handle
- sending it to lower case and seeking it inside its storage engine.
-- `auth_type` `(string: "iam")` - The auth type permitted for this role. Valid
- choices are "ec2" or "iam". If no value is specified, then it will default to
- "iam" (except for legacy `aws-ec2` auth types, for which it will default to
- "ec2"). Only those bindings applicable to the auth type chosen will be allowed
- to be configured on the role.
-- `bound_ami_id` `(list: [])` - If set, defines a constraint on the EC2
- instances that they should be using one of the AMI ID specified by this parameter.
- This constraint is checked during ec2 auth as well as the iam auth method only
- when inferring an EC2 instance. This is a comma-separated string or JSON
- array.
-- `bound_account_id` `(list: [])` - If set, defines a constraint on the EC2
- instances that the account ID in its identity document to match one of the ones
- specified by this parameter. This constraint is checked during ec2 auth as
- well as the iam auth method only when inferring an EC2 instance. This is a
- comma-separated string or JSON array.
-- `bound_region` `(list: [])` - If set, defines a constraint on the EC2
- instances that the region in its identity document must match one of the
- regions specified by this parameter. This constraint is only checked by the ec2 auth
- method as well as the iam auth method only when inferring an ec2 instance.
- This is a comma-separated string or JSON array.
-- `bound_vpc_id` `(list: [])` - If set, defines a constraint on the EC2
- instance to be associated with a VPC ID that matches one of the values specified by
- this parameter. This constraint is only checked by the ec2 auth method as well
- as the iam auth method only when inferring an ec2 instance. This is a
- comma-separated string or JSON array.
-- `bound_subnet_id` `(list: [])` - If set, defines a constraint on the EC2
- instance to be associated with a subnet ID that matches one of the values specified
- by this parameter. This constraint is only checked by the ec2 auth method as
- well as the iam auth method only when inferring an ec2 instance. This is a
- comma-separated string or a JSON array.
-- `bound_iam_role_arn` `(list: [])` - If set, defines a constraint on the
- authenticating EC2 instance that it must match one of the IAM role ARNs specified by
- this parameter. Wildcards are supported at the end of the ARN to allow for
- prefix matching. The configured IAM user or EC2 instance role must be allowed to
- execute the `iam:GetInstanceProfile` action if this is specified. This
- constraint is checked by the ec2 auth method as well as the iam auth method
- only when inferring an EC2 instance. This is a comma-separated string or a
- JSON array.
-- `bound_iam_instance_profile_arn` `(list: [])` - If set, defines a constraint
- on the EC2 instances to be associated with an IAM instance profile ARN.
- Wildcards are supported at the end of the ARN to allow for prefix matching.
- This constraint is
- checked by the ec2 auth method as well as the iam auth method only when
- inferring an ec2 instance. This is a comma-separated string or a JSON array.
-- `bound_ec2_instance_id` `(list: [])` - If set, defines a constraint on the
- EC2 instances to have one of these instance IDs. This constraint is checked by
- the ec2 auth method as well as the iam auth method only when inferring an ec2
- instance. This is a comma-separated string or a JSON array.
-- `role_tag` `(string: "")` - If set, enables the role tags for this role. The
- value set for this field should be the 'key' of the tag on the EC2 instance.
- The 'value' of the tag should be generated using `role//tag` endpoint.
- Defaults to an empty string, meaning that role tags are disabled. This
- constraint is valid only with the ec2 auth method and is not allowed when
- `auth_type` is iam.
-- `bound_iam_principal_arn` `(list: [])` - Defines the list of IAM principals
- that are permitted to login to the role using the iam auth method. Individual
- values should look like "arn:aws:iam::123456789012:user/MyUserName" or
- "arn:aws:iam::123456789012:role/MyRoleName". Wildcards are supported at the
- end of the ARN, e.g., "arn:aws:iam::123456789012:\*" will match any IAM
- principal in the AWS account 123456789012. When `resolve_aws_unique_ids` is
- `false` and you are binding to IAM roles (as opposed to users) and you are not
- using a wildcard at the end, then you must specify the ARN by omitting any
- path component; see the documentation for `resolve_aws_unique_ids` below.
- This constraint is only checked by
- the iam auth method. Wildcards are supported at the end of the ARN, e.g.,
- "arn:aws:iam::123456789012:role/\*" will match all roles in the AWS account.
- This is a comma-separated string or JSON array.
-- `inferred_entity_type` `(string: "")` - When set, instructs Vault to turn on
- inferencing. The only current valid value is "ec2_instance" instructing Vault
- to infer that the role comes from an EC2 instance in an IAM instance profile.
- This only applies to the iam auth method. If you set this on an existing role
- where it had not previously been set, tokens that had been created prior will
- not be renewable; clients will need to get a new token.
-- `inferred_aws_region` `(string: "")` - When role inferencing is activated, the
- region to search for the inferred entities (e.g., EC2 instances). Required if
- role inferencing is activated. This only applies to the iam auth method.
-- `resolve_aws_unique_ids` `(bool: true)` - When set, resolves the
- `bound_iam_principal_arn` to the
- [AWS Unique ID](http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers#identifiers-unique-ids)
- for the bound principal ARN. This field is ignored when
- `bound_iam_principal_arn` ends with a wildcard character.
- This requires Vault to be able to call `iam:GetUser` or `iam:GetRole` on the
- `bound_iam_principal_arn` that is being bound. Resolving to internal AWS IDs
- more closely mimics the behavior of AWS services in that if an IAM user or
- role is deleted and a new one is recreated with the same name, those new users
- or roles won't get access to roles in Vault that were permissioned to the
- prior principals of the same name. The default value for new roles is true,
- while the default value for roles that existed prior to this option existing
- is false (you can check the value for a given role using the GET method on the
- role). Any authentication tokens created prior to this being supported won't
- verify the unique ID upon token renewal. When this is changed from false to
- true on an existing role, Vault will attempt to resolve the role's bound IAM
- ARN to the unique ID and, if unable to do so, will fail to enable this option.
- Changing this from `true` to `false` is not supported; if absolutely
- necessary, you would need to delete the role and recreate it explicitly
- setting it to `false`. However; the instances in which you would want to do
- this should be rare. If the role creation (or upgrading to use this) succeed,
- then Vault has already been able to resolve internal IDs, and it doesn't need
- any further IAM permissions to authenticate users. If a role has been deleted
- and recreated, and Vault has cached the old unique ID, you should just call
- this endpoint specifying the same `bound_iam_principal_arn` and, as long as
- Vault still has the necessary IAM permissions to resolve the unique ID, Vault
- will update the unique ID. (If it does not have the necessary permissions to
- resolve the unique ID, then it will fail to update.) If this option is set to
- false, then you MUST leave out the path component in `bound_iam_principal_arn`
- for **roles** that do not specify a wildcard at the end, but not IAM users or
- role bindings that have a wildcard. That is, if your IAM role ARN is of the
- form `arn:aws:iam::123456789012:role/some/path/to/MyRoleName`, and
- `resolve_aws_unique_ids` is `false`, you **must** specify a
- `bound_iam_principal_arn` of `arn:aws:iam::123456789012:role/MyRoleName` for
- authentication to work.
-- `allow_instance_migration` `(bool: false)` - If set, allows migration of the
- underlying instance where the client resides. This keys off of pendingTime in
- the metadata document, so essentially, this disables the client nonce check
- whenever the instance is migrated to a new host and pendingTime is newer than
- the previously-remembered time. Use with caution. This only applies to
- authentications via the ec2 auth method. This is mutually exclusive with
- `disallow_reauthentication`.
-- `disallow_reauthentication` `(bool: false)` - If set, only allows a single
- token to be granted per instance ID. In order to perform a fresh login, the
- entry in the access list for the instance ID needs to be cleared using
- `auth/aws/identity-accesslist/` endpoint. Defaults to 'false'.
- This only applies to authentications via the ec2 auth method. This is mutually
- exclusive with `allow_instance_migration`.
-
-@include 'tokenfields.mdx'
-
-### Sample payload
-
-```json
-{
- "bound_ami_id": ["ami-fce36987"],
- "bound_ec2_instance_id": ["i-12345678901234567"],
- "role_tag": "",
- "policies": ["default", "dev", "prod"],
- "max_ttl": 1800000,
- "disallow_reauthentication": false,
- "allow_instance_migration": false
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/aws/role/dev-role
-```
-
-## Read role
-
-Returns the previously registered role configuration.
-
-| Method | Path |
-| :----- | :--------------------- |
-| `GET` | `/auth/aws/role/:role` |
-
-### Parameters
-
-- `role` `(string: )` - Name of the role.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/auth/aws/role/dev-role
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "bound_ami_id": ["ami-fce36987"],
- "role_tag": "",
- "policies": ["default", "dev", "prod"],
- "max_ttl": 1800000,
- "disallow_reauthentication": false,
- "allow_instance_migration": false
- }
-}
-```
-
-## List roles
-
-Lists all the roles that are registered with the method.
-
-| Method | Path |
-| :----- | :---------------- |
-| `LIST` | `/auth/aws/roles` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request LIST \
- http://127.0.0.1:8200/v1/auth/aws/roles
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "keys": ["dev-role", "prod-role"]
- }
-}
-```
-
-## Delete role
-
-Deletes the previously registered role.
-
-| Method | Path |
-| :------- | :--------------------- |
-| `DELETE` | `/auth/aws/role/:role` |
-
-### Parameters
-
-- `role` `(string: )` - Name of the role.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request DELETE \
- http://127.0.0.1:8200/v1/auth/aws/role/dev-role
-```
-
-## Create role tags
-
-Creates a role tag on the role, which help in restricting the capabilities
-that are set on the role. Role tags are not tied to any specific ec2
-instance unless specified explicitly using the `instance_id` parameter. By
-default, role tags are designed to be used across all instances that
-satisfies the constraints on the role. Regardless of which instances have
-role tags on them, capabilities defined in a role tag must be a strict
-subset of the given role's capabilities. Note that, since adding and
-removing a tag is often a widely distributed privilege, care needs to be
-taken to ensure that the instances are attached with correct tags to not
-let them gain more privileges than what were intended. If a role tag is
-changed, the capabilities inherited by the instance will be those defined
-on the new role tag. Since those must be a subset of the role
-capabilities, the role should never provide more capabilities than any
-given instance can be allowed to gain in a worst-case scenario.
-
-| Method | Path |
-| :----- | :------------------------- |
-| `POST` | `/auth/aws/role/:role/tag` |
-
-### Parameters
-
-- `role` `(string: )` - Name of the role.
-- `policies` `(array: [])` - Policies to be associated with the tag. If set,
- must be a subset of the role's policies. If set, but set to an empty value,
- only the 'default' policy will be given to issued tokens.
-- `max_ttl` `(string: "")` - The maximum allowed lifetime of tokens issued using
- this role.
-- `instance_id` `(string: "")` - Instance ID for which this tag is intended for.
- If set, the created tag can only be used by the instance with the given ID.
-- `allow_instance_migration` `(bool: false)` - If set, allows migration of the
- underlying instance where the client resides. This keys off of pendingTime in
- the metadata document, so essentially, this disables the client nonce check
- whenever the instance is migrated to a new host and pendingTime is newer than
- the previously-remembered time. Use with caution. Defaults to 'false'.
- Mutually exclusive with `disallow_reauthentication`.
-- `disallow_reauthentication` `(bool: false)` - If set, only allows a single
- token to be granted per instance ID. This can be cleared with the
- auth/aws/identity-accesslist endpoint. Defaults to 'false'. Mutually exclusive
- with `allow_instance_migration`.
-
-### Sample payload
-
-```json
-{
- "policies": ["default", "dev-api"]
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/aws/role/dev-api-and-web-role/tag
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "tag_value": "v1:09Vp0qGuyB8=:r=dev-role:p=default,dev-api:d=false:t=300h0m0s:uPLKCQxqsefRhrp1qmVa1wsQVUXXJG8UZP/pJIdVyOI=",
- "tag_key": "VaultRole"
- }
-}
-```
-
-## Login
-
-Fetch a token. This endpoint verifies the PKCS#7 signature of the instance
-identity document or the signature of the signed GetCallerIdentity request.
-With the ec2 auth method, or when inferring an EC2 instance, verifies that
-the instance is actually in a running state. Cross checks the constraints
-defined on the role with which the login is being performed. With the ec2
-auth method, as an alternative to PKCS#7 signature, the identity document
-along with its RSA signature can be supplied to this endpoint.
-
-See the [AWS docs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html)
-for more information on the signature types.
-
-| Method | Path |
-| :----- | :---------------- |
-| `POST` | `/auth/aws/login` |
-
-### Parameters
-
-- `role` `(string: "")` - Name of the role against which the login is being
- attempted. If `role` is not specified, then the login endpoint looks for a
- role bearing the name of the AMI ID of the EC2 instance that is trying to
- login if using the ec2 auth method, or the "friendly name" (i.e., role name or
- username) of the IAM principal authenticated. If a matching role is not found,
- login fails.
-- `identity` `(string: )` - Base64 encoded EC2 instance identity
- document, which can usually be obtained from the
- `http://169.254.169.254/latest/dynamic/instance-identity/document` endpoint.
- When using `curl` for fetching the identity document, consider using the option
- `-w 0` while piping the output to `base64` binary.
- Either both of this and `signature` must be set _OR_ `pkcs7` must be set
- when using the ec2 auth method.
-- `signature` `(string: )` - Base64-encoded SHA256 RSA signature of
- the instance identity document, which can usually be obtained from the
- `http://169.254.169.254/latest/dynamic/instance-identity/signature` endpoint.
- Either both this _AND_ `identity` must be set _OR_ `pkcs7` must be set
- when using the ec2 auth method.
-- `pkcs7` `(string: )` - PKCS#7 signature of the identity document
- with all `\n` characters removed. This supports signatures from the AWS
- `http://169.254.169.254/latest/dynamic/instance-identity/rsa2048`
- or `http://169.254.169.254/latest/dynamic/instance-identity/pkcs7` endpoints.
- Either this needs to be set _OR_ both `identity` and
- `signature` need to be set when using the ec2 auth method.
-- `nonce` `(string: "")` - The nonce to be used for subsequent login requests.
- If this parameter is not specified at all and if reauthentication is allowed,
- then the method will generate a random nonce, attaches it to the instance's
- identity-accesslist entry and returns the nonce back as part of auth metadata.
- This value should be used with further login requests, to establish client
- authenticity. Clients can choose to set a custom nonce if preferred, in which
- case, it is recommended that clients provide a strong nonce. If a nonce is
- provided but with an empty value, it indicates intent to disable
- reauthentication. Note that, when `disallow_reauthentication` option is
- enabled on either the role or the role tag, the `nonce` holds no significance.
- This is ignored unless using the ec2 auth method.
-- `iam_http_request_method` `(string: )` - HTTP method used in the
- signed request. This is required when using the iam auth method.
-- `iam_request_url` `(string: )` - Base64-encoded HTTP URL used in
- the signed request. Most likely just `aHR0cHM6Ly9zdHMuYW1hem9uYXdzLmNvbS8=`
- (base64-encoding of `https://sts.amazonaws.com/`) as most requests will
- probably use POST with an empty URI. If using GET method this will contain
- the authentication headers that have been hoisted out of the message body.
- This is required when using the iam auth method.
-- `iam_request_body` `(string: )` - Base64-encoded body of the
- signed request. Most likely
- `QWN0aW9uPUdldENhbGxlcklkZW50aXR5JlZlcnNpb249MjAxMS0wNi0xNQ==`, which is the
- base64 encoding of `Action=GetCallerIdentity&Version=2011-06-15`. This is
- required when using the iam auth method with POST signed requests.
-- `iam_request_headers` `(string: )` - Key/value pairs of headers
- for use in the `sts:GetCallerIdentity` HTTP requests headers. Can be either a
- Base64-encoded, JSON-serialized string, or a JSON object of key/value pairs. The
- JSON serialization assumes that each header key maps to either a string value or
- an array of string values (though the length of that array will probably only be
- one). If the `iam_server_id_header_value` is configured in Vault for the aws
- auth mount, then the headers must include the X-Vault-AWS-IAM-Server-ID header,
- its value must match the value configured, and the header must be included in
- the signed headers. This is required when using the iam auth method.
-
-### Sample payload
-
-```json
-{
- "iam_http_request_method": "POST",
- "iam_request_body": "QWN0aW9uPUdldENhbG...",
- "iam_request_headers": "eyJBdXRob3JpemF0aW9uIj...",
- "iam_request_url": "aHR0cHM6L...",
- "role": "dev-role"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/aws/login
-```
-
-### Sample response
-
-```json
-{
- "auth": {
- "renewable": true,
- "lease_duration": 1800000,
- "metadata": {
- "role_tag_max_ttl": "0",
- "instance_id": "i-de0f1344",
- "ami_id": "ami-fce36983",
- "role": "dev-role",
- "auth_type": "ec2"
- },
- "policies": ["default", "dev"],
- "accessor": "20b89871-e6f2-1160-fb29-31c2f6d4645e",
- "client_token": "c9368254-3f21-aded-8a6f-7c818e81b17a"
- }
-}
-```
-
-## Place role tags in deny list
-
-Places a valid role tag in a deny list. This ensures that the role tag
-cannot be used by any instance to perform a login operation again. Note
-that if the role tag was previously used to perform a successful login,
-placing the tag in the deny list does not invalidate the already issued
-token.
-
-| Method | Path |
-| :----- | :------------------------------------- |
-| `POST` | `/auth/aws/roletag-denylist/:role_tag` |
-
-### Parameters
-
-- `role_tag` `(string: )` - Role tag to be deny listed. This is the `tag_value` returned when the role tag is
- created. The tag can be supplied as-is. In order to avoid any encoding problems, it can be base64
- encoded.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- http://127.0.0.1:8200/v1/auth/aws/roletag-denylist/djE6MDlWcDBxR3V5Qjg9OmE9YW1pLWZjZTNjNjk2OnA9ZGVmYXVsdCxwcm9kOmQ9ZmFsc2U6dD0zMDBoMG0wczp1UExLQ1F4cXNlZlJocnAxcW1WYTF3c1FWVVhYSkc4VVpQLwo=
-```
-
-### Read role tag deny list information
-
-Returns the deny list entry of a previously deny listed role tag.
-
-| Method | Path |
-| :----- | :------------------------------------- |
-| `GET` | `/auth/aws/roletag-denylist/:role_tag` |
-
-### Parameters
-
-- `role_tag` `(string: )` - Role tag to be deny listed. The tag can be
- supplied as-is. In order to avoid any encoding problems, it can be base64
- encoded.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/auth/aws/roletag-denylist/djE6MDlWcDBxR3V5Qjg9OmE9YW1pLWZjZTNjNjk2OnA9ZGVmYXVsdCxwcm9kOmQ9ZmFsc2U6dD0zMDBoMG0wczp1UExLQ1F4cXNlZlJocnAxcW1WYTF3c1FWVVhYSkc4VVpQLwo=
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "expiration_time": "2016-04-25T10:35:20.127058773-04:00",
- "creation_time": "2016-04-12T22:35:01.178348124-04:00"
- }
-}
-```
-
-## List deny list tags
-
-Lists all the role tags that are deny listed.
-
-| Method | Path |
-| :----- | :--------------------------- |
-| `LIST` | `/auth/aws/roletag-denylist` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request LIST \
- http://127.0.0.1:8200/v1/auth/aws/roletag-denylist
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "keys": [
- "v1:09Vp0qGuyB8=:a=ami-fce3c696:p=default,prod:d=false:t=300h0m0s:uPLKCQxqsefRhrp1qmVa1wsQVUXXJG8UZP/"
- ]
- }
-}
-```
-
-## Delete deny list tags
-
-Deletes a deny listed role tag.
-
-| Method | Path |
-| :------- | :------------------------------------- |
-| `DELETE` | `/auth/aws/roletag-denylist/:role_tag` |
-
-### Parameters
-
-- `role_tag` `(string: )` - Role tag to be deny listed. The tag can be
- supplied as-is. In order to avoid any encoding problems, it can be base64
- encoded.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request DELETE \
- http://127.0.0.1:8200/v1/auth/aws/roletag-denylist/djE6MDlWcDBxR3V5Qjg9OmE9YW1pLWZjZTNjNjk2OnA9ZGVmYXVsdCxwcm9kOmQ9ZmFsc2U6dD0zMDBoMG0wczp1UExLQ1F4cXNlZlJocnAxcW1WYTF3c1FWVVhYSkc4VVpQLwo=
-```
-
-## Tidy deny list tags
-
-Cleans up the entries in the deny listed based on expiration time on the entry and
-`safety_buffer`.
-
-| Method | Path |
-| :----- | :-------------------------------- |
-| `POST` | `/auth/aws/tidy/roletag-denylist` |
-
-### Parameters
-
-- `safety_buffer` `(string: "72h")` - The amount of extra time that must have
- passed beyond the `roletag` expiration, before it is removed from the method
- storage. Defaults to 72h.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- http://127.0.0.1:8200/v1/auth/aws/tidy/roletag-denylist
-```
-
-### Read identity access list information
-
-Returns an entry in the identity access list. An entry will be created/updated by every
-successful login.
-
-| Method | Path |
-| :----- | :------------------------------------------- |
-| `GET` | `/auth/aws/identity-accesslist/:instance_id` |
-
-### Parameters
-
-- `instance_id` `(string: )` - EC2 instance ID. A successful login
- operation from an EC2 instance gets cached in th access list, keyed off of
- instance ID.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/auth/aws/identity-accesslist/i-aab47d37
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "pending_time": "2016-04-14T01:01:41Z",
- "expiration_time": "2016-05-05 10:09:16.67077232 +0000 UTC",
- "creation_time": "2016-04-14 14:09:16.67077232 +0000 UTC",
- "client_nonce": "5defbf9e-a8f9-3063-bdfc-54b7a42a1f95",
- "role": "dev-role"
- }
-}
-```
-
-## List identity access list entries
-
-Lists all the instance IDs that are in the access list of successful logins.
-
-| Method | Path |
-| :----- | :------------------------------ |
-| `LIST` | `/auth/aws/identity-accesslist` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request LIST \
- http://127.0.0.1:8200/v1/auth/aws/identity-accesslist
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "keys": ["i-aab47d37"]
- }
-}
-```
-
-## Delete identity access list entries
-
-Deletes a cache of the successful login from an instance.
-
-| Method | Path |
-| :------- | :------------------------------------------- |
-| `DELETE` | `/auth/aws/identity-accesslist/:instance_id` |
-
-### Parameters
-
-- `instance_id` `(string: )` - EC2 instance ID. A successful login
- operation from an EC2 instance gets cached in this access list, keyed off of
- instance ID.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request DELETE \
- http://127.0.0.1:8200/v1/auth/aws/identity-accesslist/i-aab47d37
-```
-
-## Tidy identity access list entries
-
-Cleans up the entries in the access list based on expiration time and
-`safety_buffer`.
-
-| Method | Path |
-| :----- | :----------------------------------- |
-| `POST` | `/auth/aws/tidy/identity-accesslist` |
-
-### Parameters
-
-- `safety_buffer` `(string: "72h")` - The amount of extra time that must have
- passed beyond the `roletag` expiration, before it is removed from the method
- storage. Defaults to 72h.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- http://127.0.0.1:8200/v1/auth/aws/tidy/identity-accesslist
-```
-
-## Deprecations effective in Vault 1.7
-
-Vault 1.7 introduced new URLs for a number of AWS Auth APIs. The previous
-URLs are deprecated. The affected APIs include:
-
-| Current | Deprecated in 1.7 |
-| :------------------------------------------ | :----------------------------------------- |
-| `/auth/aws/roletag-denylist` | `/auth/aws/roletag-blacklist` |
-| `/auth/aws/identity-accesslist` | `/auth/aws/identity-whitelist` |
-| `/auth/aws/tidy/identity-accesslist` | `/auth/aws/tidy/identity-whitelist` |
-| `/auth/aws/tidy/roletag-denylist` | `/auth/aws/tidy/roletag-blacklist` |
-| `/auth/aws/config/tidy/identity-accesslist` | `/auth/aws/config/tidy/identity-whitelist` |
-| `/auth/aws/config/tidy/roletag-denylist` | `/auth/aws/config/tidy/roletag-blacklist` |
diff --git a/website/content/api-docs/auth/azure.mdx b/website/content/api-docs/auth/azure.mdx
deleted file mode 100644
index 9aaecb6c3d..0000000000
--- a/website/content/api-docs/auth/azure.mdx
+++ /dev/null
@@ -1,371 +0,0 @@
----
-layout: api
-page_title: Azure - Auth Methods - HTTP API
-description: |-
- This is the API documentation for the Vault Azure authentication
- method plugin.
----
-
-> [!IMPORTANT]
-> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
-
-# Azure auth method (API)
-
-This is the API documentation for the Vault Azure auth method
-plugin. To learn more about the usage and operation, see the
-[Vault Azure method documentation](/vault/docs/auth/azure).
-
-This documentation assumes the plugin method is mounted at the
-`/auth/azure` path in Vault. Since it is possible to enable auth methods
-at any location, please update your API calls accordingly.
-
-## Configure
-
-Configures the credentials required for the plugin to perform API calls
-to Azure. These credentials will be used to query the metadata about the
-virtual machine.
-
-You can configure the auth engine with account credentials or plugin workload
-identity federation (WIF).
-
-| Method | Path |
-| :----- | :------------------- |
-| `POST` | `/auth/azure/config` |
-
-### Parameters
-
-- `tenant_id` `(string: )` - The tenant id for the Azure Active Directory organization.
- This value can also be provided with the `AZURE_TENANT_ID` environment variable.
-- `resource` `(string: )` - The resource URL for the application registered in Azure Active Directory.
- The value is expected to match the audience (`aud` claim) of the [JWT](/vault/api-docs/auth/azure#jwt)
- provided to the login API. See the [resource](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http)
- parameter for how the audience is set when requesting a JWT access token from the Azure Instance Metadata Service (IMDS) endpoint.
- This value can also be provided with the `AZURE_AD_RESOURCE` environment variable.
-- `environment` `(string: 'AzurePublicCloud')` - The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud.
- This value can also be provided with the `AZURE_ENVIRONMENT` environment variable.
-- `client_id` `(string: '')` - The client id for credentials to query the Azure APIs. Currently read permissions to query compute resources are required.
- This value can also be provided with the `AZURE_CLIENT_ID` environment variable.
-- `client_secret` `(string: '')` - The client secret for credentials to query the Azure APIs.
- This value can also be provided with the `AZURE_CLIENT_SECRET` environment variable.
- Mutually exclusive with `identity_token_audience`.
-- `identity_token_audience` `(string: "")` - The
- audience claim value for plugin identity tokens. Must match the allowed audiences configured
- for the target [Federated Identity Credential](https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation-create-trust?pivots=identity-wif-apps-methods-azp#configure-a-federated-identity-credential-on-an-app).
- Mutually exclusive with `client_secret`.
-- `identity_token_ttl` `(string/int: 3600)` - The
- TTL of generated tokens. Defaults to 1 hour. Uses [duration format strings](/vault/docs/concepts/duration-format).
-- `max_retries` `(int: 3)` - The maximum number of attempts a failed operation will be
- retried before producing an error.
-- `max_retry_delay` `(string: '60s')` - The maximum delay, in seconds, allowed before retrying an operation.
-- `retry_delay` `(string: '4s')` - The initial amount of delay, in seconds, to use before retrying an operation. Increases exponentially.
-
-@include 'rotationfields.mdx'
-
-### Sample payload
-
-```json
-{
- "tenant_id": "kd83...",
- "resource": "https://management.azure.com/",
- "client_id": "12ud...",
- "client_secret": "DUJDS3..."
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- https://127.0.0.1:8200/v1/auth/azure/config
-```
-
-# Read config
-
-Returns the previously configured config, including credentials.
-
-| Method | Path |
-| :----- | :------------------- |
-| `GET` | `/auth/azure/config` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- https://127.0.0.1:8200/v1/auth/azure/config
-```
-
-### Sample response
-
-```json
-{
- "data":{
- "tenant_id": "kd83...",
- "resource": "https://management.azure.com/",
- "client_id": "12ud...",
- "client_secret": "DUJDS3..."
- },
- ...
-}
-
-```
-
-## Delete config
-
-Deletes the previously configured Azure config and credentials.
-
-| Method | Path |
-| :------- | :------------------- |
-| `DELETE` | `/auth/azure/config` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request DELETE \
- https://127.0.0.1:8200/v1/auth/azure/config
-```
-
-## Rotate root
-
-This endpoint generates a new client secret for the root account defined in the config. The
-value generated will only be known by Vault.
-
-| Method | Path |
-| :----- | :------------------- |
-| `POST` | `/azure/rotate-root` |
-
-### Parameters
-
-There are no parameters to this operation.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- https://127.0.0.1:8200/v1/auth/azure/rotate-root
-```
-
-## Create/Update role
-
-Registers a role in the method. Role types have specific entities
-that can perform login operations against this endpoint. Constraints specific
-to the role type must be set on the role. These are applied to the authenticated
-entities attempting to login.
-
-| Method | Path |
-| :----- | :----------------------- |
-| `POST` | `/auth/azure/role/:name` |
-
-### Parameters
-
-- `name` `(string: )` - Name of the role.
-- `bound_service_principal_ids` `(array: [])` - The list of Service Principal IDs
- that login is restricted to. Either this parameter or `bound_group_ids` must be set.
-- `bound_group_ids` `(array: [])` - The list of group ids that login is restricted
- to. Either this parameter or `bound_service_principal_ids` must be set.
-- `bound_locations` `(array: [])` - The list of locations that login is restricted to.
-- `bound_subscription_ids` `(array: [])` - The list of subscription IDs that login
- is restricted to.
-- `bound_resource_groups` `(array: [])` - The list of resource groups that
- login is restricted to.
-- `bound_scale_sets` `(array: [])` - The list of scale set names that the
- login is restricted to.
-
-@include 'tokenfields.mdx'
-
-~> **Note:** When creating a role, you must specify either `bound_service_principal_ids` or `bound_group_ids`. These parameters are mutually exclusive - you cannot set both, but you must set one of them.
-
-### Sample payload
-
-```json
-{
- "token_policies": ["default", "dev", "prod"],
- "max_ttl": 1800000,
- "max_jwt_exp": 10000,
- "bound_resource_groups": ["vault-dev", "vault-staging", "vault-prod"],
- "bound_service_principal_ids": ["3cb88732-1356-4782-b671-4877166be01a"]
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- https://127.0.0.1:8200/v1/auth/azure/role/dev-role
-```
-
-## Read role
-
-Returns the previously registered role configuration.
-
-| Method | Path |
-| :----- | :----------------------- |
-| `GET` | `/auth/azure/role/:name` |
-
-### Parameters
-
-- `name` `(string: )` - Name of the role.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- https://127.0.0.1:8200/v1/auth/azure/role/dev-role
-```
-
-### Sample response
-
-```json
-{
- "data":{
- "token_policies": [
- "default",
- "dev",
- "prod"
- ],
- "max_ttl": 1800000,
- "max_jwt_exp": 10000,
- "bound_resource_groups": [
- "vault-dev",
- "vault-staging",
- "vault-prod"
- ]
- },
- ...
-}
-
-```
-
-## List roles
-
-Lists all the roles that are registered with the plugin.
-
-| Method | Path |
-| :----- | :----------------- |
-| `LIST` | `/auth/azure/role` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request LIST \
- https://127.0.0.1:8200/v1/auth/azure/role
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "keys": [
- "dev-role",
- "prod-role"
- ]
- },
- ...
-}
-```
-
-## Delete role
-
-Deletes the previously registered role.
-
-| Method | Path |
-| :------- | :----------------------- |
-| `DELETE` | `/auth/azure/role/:name` |
-
-### Parameters
-
-- `name` `(string: )` - Name of the role.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request DELETE \
- https://127.0.0.1:8200/v1/auth/azure/role/dev-role
-```
-
-## Login
-
-Fetch a token. This endpoint takes a signed JSON Web Token (JWT) and
-a role name for some entity. It verifies the JWT signature to authenticate that
-entity and then authorizes the entity for the given role.
-
-| Method | Path |
-| :----- | :------------------ |
-| `POST` | `/auth/azure/login` |
-
-### Sample payload
-
-- `role` `(string: )` - Name of the role against which the login is being
- attempted.
-- `jwt` `(string: )` - Signed [JSON Web Token](https://tools.ietf.org/html/rfc7519) (JWT)
- from Azure MSI. See [Azure documentation](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token)
- for details on how to acquire a JWT access token through instance metadata.
-- `subscription_id` `(string: )` - The subscription ID for the machine that
- generated the MSI token. This information can be obtained through instance
- metadata.
-- `resource_group_name` `(string: )` - The resource group for the machine that
- generated the MSI token. This information can be obtained through instance
- metadata.
-- `vm_name` `(string: "")` - The virtual machine name for the machine that
- generated the MSI token. This information can be obtained through instance
- metadata. If `vmss_name` is provided, this value is ignored.
-- `vmss_name` `(string: "")` - The virtual machine scale set name for the machine
- that generated the MSI token. This information can be obtained through instance
- metadata.
-- `resource_id` `(string: "")` - The fully qualified ID of the Azure resource that
- generated the MSI token, including the resource name and resource type. Use
- the format /subscriptions/{guid}/resourceGroups/{resource-group-name}/{resource-provider-namespace}/{resource-type}/{resource-name}.
- If `vm_name` or `vmss_name` is provided, this value is ignored.
-
-### Sample payload
-
-```json
-{
- "role": "dev-role",
- "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --request POST \
- --data @payload.json \
- https://127.0.0.1:8200/v1/auth/azure/login
-```
-
-### Sample response
-
-```json
-{
- "auth":{
- "client_token":"f33f8c72-924e-11f8-cb43-ac59d697597c",
- "accessor":"0e9e354a-520f-df04-6867-ee81cae3d42d",
- "token_policies":[
- "default",
- "dev",
- "prod"
- ],
- "lease_duration":2764800,
- "renewable":true
- },
- ...
-}
-```
diff --git a/website/content/api-docs/auth/cert.mdx b/website/content/api-docs/auth/cert.mdx
deleted file mode 100644
index dd708819fb..0000000000
--- a/website/content/api-docs/auth/cert.mdx
+++ /dev/null
@@ -1,451 +0,0 @@
----
-layout: api
-page_title: TLS Certificate - Auth Methods - HTTP API
-description: |-
- This is the API documentation for the Vault TLS Certificate authentication
- method.
----
-
-> [!IMPORTANT]
-> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
-
-# TLS certificate auth method (API)
-
-@include 'x509-sha1-deprecation.mdx'
-
-This is the API documentation for the Vault TLS Certificate authentication
-method. For general information about the usage and operation of the TLS
-Certificate method, please see the [Vault TLS Certificate method documentation](/vault/docs/auth/cert).
-
-This documentation assumes the TLS Certificate method is mounted at the
-`/auth/cert` path in Vault. Since it is possible to enable auth methods at any
-location, please update your API calls accordingly.
-
-## Create CA certificate role
-
-Sets a CA cert and associated parameters in a role name.
-
-| Method | Path |
-| :----- | :----------------------- |
-| `POST` | `/auth/cert/certs/:name` |
-
-### Parameters
-
-- `name` `(string: )` - The name of the certificate role.
-- `certificate` `(string: )` - The PEM-format CA certificate.
-- `allowed_names` `(string: "")` - DEPRECATED: Please use the individual
- `allowed_X_sans` parameters instead. Constrain the Common and Alternative
- Names in the client certificate with a [globbed pattern](https://github.com/ryanuber/go-glob/blob/master/README.md#example). Value is
- a comma-separated list of patterns. Authentication requires at least one Name
- matching at least one pattern. If not set, defaults to allowing all names.
-- `allowed_common_names` `(string: "" or array: [])` - Constrain the Common
- Names in the client certificate with a [globbed pattern](https://github.com/ryanuber/go-glob/blob/master/README.md#example). Value is
- a comma-separated list of patterns. Authentication requires at least one Name
- matching at least one pattern. If not set, defaults to allowing all names.
-- `allowed_dns_sans` `(string: "" or array: [])` - Constrain the Alternative
- Names in the client certificate with a [globbed pattern](https://github.com/ryanuber/go-glob/blob/master/README.md#example). Value is
- a comma-separated list of patterns. Authentication requires at least one DNS
- matching at least one pattern. If not set, defaults to allowing all dns.
-- `allowed_email_sans` `(string: "" or array: [])` - Constrain the Alternative
- Names in the client certificate with a [globbed pattern](https://github.com/ryanuber/go-glob/blob/master/README.md#example). Value is
- a comma-separated list of patterns. Authentication requires at least one
- Email matching at least one pattern. If not set, defaults to allowing all
- emails.
-- `allowed_uri_sans` `(string: "" or array: [])` - Constrain the Alternative
- Names in the client certificate with a [globbed pattern](https://github.com/ryanuber/go-glob/blob/master/README.md#example). Value is
- a comma-separated list of URI patterns. Authentication requires at least one
- URI matching at least one pattern. If not set, defaults to allowing all URIs.
-- `allowed_organizational_units` `(string: "" or array: [])` - Constrain the
- Organizational Units (OU) in the client certificate with a [globbed pattern](https://github.com/ryanuber/go-glob/blob/master/README.md#example). Value is
- a comma-separated list of OU patterns. Authentication requires at least one
- OU matching at least one pattern. If not set, defaults to allowing all OUs.
-- `required_extensions` `(string: "" or array: [])` - Require specific Custom
- Extension OIDs to exist and match the pattern. Value is a comma separated
- string or array of `oid:value`. Expects the extension value to be some type
- of ASN1 encoded string. All conditions _must_ be met. To match on the hex-encoded
- value of the extension, including non-string extensions, use the format
- `hex::`.Supports globbing on `value`.
-- `allowed_metadata_extensions` `(array:[])` - A comma separated string or
- array of oid extensions. Upon successful authentication, these extensions
- will be added as metadata if they are present in the certificate. The
- metadata key will be the string consisting of the oid numbers separated
- by a dash (-) instead of a dot (.) to allow usage in ACL templates.
-- `ocsp_enabled` `(bool: false)` - If enabled, validate certificates' revocation
- status using OCSP.
-- `ocsp_ca_certificates` `(string: "")` Any additional OCSP responder certificates needed to
- verify OCSP responses. Provided as base64 encoded PEM data.
-- `ocsp_servers_override` `(array: [])`: A comma-separated list of OCSP server
- addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess
- extension on the certificate being inspected.
-- `ocsp_fail_open` `(bool: false)` - If true and an OCSP response cannot be fetched
- or is of an unknown status, the login will proceed as if the certificate has not
- been revoked.
-- `ocsp_this_update_max_age` `(integer:0 or string: "")` - If greater than 0, specifies
- the maximum age of an OCSP thisUpdate field. This avoids accepting old responses
- without a nextUpdate field.
-- `ocsp_max_retries` `(integer: 4)` - The number of retries attempted before giving
- up on an OCSP request. 0 will disable retries
-- `ocsp_query_all_servers` `(bool: false)` - If set to true, rather than accepting
- the first successful OCSP response, query all servers and consider the certificate
- valid only if all servers agree.
-
- ~> **Note**: When using Vault's PKI engine with Performance Replication clusters
- as the OCSP provider, and without `unified_crls=true` set on the source mount
- or when using cluster-local OCSP resolvers, we recommend enabling this option.
-
-- `display_name` `(string: "")` - The `display_name` to set on tokens issued
- when authenticating against this CA certificate. If not set, defaults to the
- name of the role.
-
-@include 'tokenfields.mdx'
-
-### Sample payload
-
-```json
-{
- "certificate": "-----BEGIN CERTIFICATE-----\nMIIEtzCCA5+.......ZRtAfQ6r\nwlW975rYa1ZqEdA=\n-----END CERTIFICATE-----",
- "display_name": "test",
- "bound_cidrs": ["127.0.0.1/32", "128.252.0.0/16"]
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --cacert vault-ca.pem \
- --data @payload.json
- https://127.0.0.1:8200/v1/auth/cert/certs/test-ca
-```
-
-## Read CA certificate role
-
-Gets information associated with the named role.
-
-| Method | Path |
-| :----- | :----------------------- |
-| `GET` | `/auth/cert/certs/:name` |
-
-### Parameters
-
-- `name` `(string: )` - The name of the certificate role.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --cacert vault-ca.pem \
- https://127.0.0.1:8200/v1/auth/cert/certs/test-ca
-```
-
-### Sample response
-
-```json
-{
- "lease_id": "",
- "renewable": false,
- "lease_duration": 0,
- "data": {
- "certificate": "-----BEGIN CERTIFICATE-----\nMIIEtzCCA5+.......ZRtAfQ6r\nwlW975rYa1ZqEdA=\n-----END CERTIFICATE-----",
- "display_name": "test",
- "policies": "",
- "allowed_names": "",
- "required_extensions": "",
- "ttl": 2764800,
- "max_ttl": 2764800,
- "period": 0
- },
- "warnings": null,
- "auth": null
-}
-```
-
-## List certificate roles
-
-Lists configured certificate names.
-
-| Method | Path |
-| :----- | :----------------- |
-| `LIST` | `/auth/cert/certs` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request LIST \
- --cacert vault-ca.pem \
- https://127.0.0.1:8200/v1/auth/cert/certs
-```
-
-### Sample response
-
-```json
-{
- "auth": null,
- "warnings": null,
- "wrap_info": null,
- "data": {
- "keys": ["cert1", "cert2"]
- },
- "lease_duration": 0,
- "renewable": false,
- "lease_id": ""
-}
-```
-
-## Delete certificate role
-
-Deletes the named role and CA cert from the method mount.
-
-| Method | Path |
-| :------- | :----------------------- |
-| `DELETE` | `/auth/cert/certs/:name` |
-
-### Parameters
-
-- `name` `(string: )` - The name of the certificate role.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request DELETE \
- --cacert vault-ca.pem \
- https://127.0.0.1:8200/v1/auth/cert/certs/cert1
-```
-
-## List CRLs
-
-Lists configured certificate revocation lists.
-
-| Method | Path |
-| :----- | :---------------- |
-| `LIST` | `/auth/cert/crls` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request LIST \
- --cacert vault-ca.pem \
- https://127.0.0.1:8200/v1/auth/cert/crls
-```
-
-### Sample response
-
-```json
-{
- "auth": null,
- "warnings": null,
- "wrap_info": null,
- "data": {
- "keys": ["crl1", "crl2"]
- },
- "lease_duration": 0,
- "renewable": false,
- "lease_id": ""
-}
-```
-
-## Create CRL
-
-Sets a named CRL.
-
-| Method | Path |
-| :----- | :---------------------- |
-| `POST` | `/auth/cert/crls/:name` |
-
-### Parameters
-
-- `name` `(string: )` - The name of the CRL.
-- `crl` `(string: "")` - The PEM format CRL.
-- `url` `(string: "")` - The URL of a CRL distribution point.
-
-**Note**: Either 'crl' or 'url' parameters must be provided, if both are provided, 'crl' is used.
-
-### Sample payload
-
-```json
-{
- "crl": "-----BEGIN X509 CRL-----\n...\n-----END X509 CRL-----"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --cacert vault-ca.pem \
- --data @payload.json \
- https://127.0.0.1:8200/v1/auth/cert/crls/custom-crl
-```
-
-## Read CRL
-
-Gets information associated with the named CRL (currently, the serial
-numbers contained within). As the serials can be integers up to an
-arbitrary size, these are returned as strings.
-
-| Method | Path |
-| :----- | :---------------------- |
-| `GET` | `/auth/cert/crls/:name` |
-
-### Parameters
-
-- `name` `(string: )` - The name of the CRL.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --cacert vault-ca.pem \
- https://127.0.0.1:8200/v1/auth/cert/crls/custom-crl
-```
-
-### Sample response
-
-```json
-{
- "auth": null,
- "data": {
- "serials": {
- "13": {}
- }
- },
- "lease_duration": 0,
- "lease_id": "",
- "renewable": false,
- "warnings": null
-}
-```
-
-## Delete CRL
-
-Deletes the named CRL from the auth method mount.
-
-| Method | Path |
-| :------- | :---------------------- |
-| `DELETE` | `/auth/cert/crls/:name` |
-
-### Parameters
-
-- `name` `(string: )` - The name of the CRL.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request DELETE \
- --cacert vault-ca.pem \
- https://127.0.0.1:8200/v1/auth/cert/crls/cert1
-```
-
-## Configure TLS certificate method
-
-Configuration options for the method.
-
-| Method | Path |
-| :----- | :------------------ |
-| `POST` | `/auth/cert/config` |
-
-### Parameters
-
-- `disable_binding` `(boolean: false)` - If set, during renewal, skips the
- matching of presented client identity with the client identity used during
- login.
-- `enable_identity_alias_metadata` `(boolean: false)` - If set, metadata of
- the certificate including the metadata corresponding to
- `allowed_metadata_extensions` will be stored in the alias
-- `ocsp_cache_size` `(int: 100)` - The size of the OCSP response LRU cache. Note
- that this cache is used for all configured certificates.
-- `role_cache_size` `(int: 200)` - The size of the role cache. Use `-1` to disable
- role caching.
-- `enable_metadata_on_failures` `(boolean: false)` - If set, metadata of the client
- certificate such as common name, serial, subject key id and authority key id will
- be returned on authentication failures and appear in auditing records.
-
-### Sample payload
-
-```json
-{
- "disable_binding": true
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --cacert vault-ca.pem \
- --data @payload.json \
- https://127.0.0.1:8200/v1/auth/cert/config
-```
-
-## Login with TLS certificate method
-
-Log in and fetch a token. If there is a valid chain to a CA configured in the
-method and all role constraints are matched, a token will be issued. If the
-certificate has DNS SANs in it, each of those will be verified. If Common Name
-is required to be verified, then it should be a fully qualified DNS domain name
-and must be duplicated as a DNS SAN (see
-https://tools.ietf.org/html/rfc6125#section-2.3)
-
-| Method | Path |
-| :----- | :----------------- |
-| `POST` | `/auth/cert/login` |
-
-### Parameters
-
-- `name` `(string: "")` - Authenticate against only the named certificate role,
- returning its policy list if successful. If not set, defaults to trying all
- certificate roles and returning any one that matches.
-
-### Sample payload
-
-```json
-{
- "name": "cert1"
-}
-```
-
-### Sample request
-
-~> **NOTE** The `--cacert` value used here is for the Vault TLS Listener CA
-certificate, not the CA that issued the client authentication certificate. This
-can be omitted if the CA used to issue the Vault server certificate is trusted
-by the local system executing this command.
-
-```shell-session
-$ curl \
- --request POST \
- --cacert vault-ca.pem \
- --cert cert.pem \
- --key key.pem \
- --data @payload.json \
- https://127.0.0.1:8200/v1/auth/cert/login
-```
-
-### Sample response
-
-```json
-{
- "auth": {
- "client_token": "cf95f87d-f95b-47ff-b1f5-ba7bff850425",
- "policies": ["web", "stage"],
- "lease_duration": 3600,
- "renewable": true
- }
-}
-```
diff --git a/website/content/api-docs/auth/cf.mdx b/website/content/api-docs/auth/cf.mdx
deleted file mode 100644
index 86626f2dc8..0000000000
--- a/website/content/api-docs/auth/cf.mdx
+++ /dev/null
@@ -1,343 +0,0 @@
----
-layout: api
-page_title: Cloud Foundry - Auth Methods - HTTP API
-description: This is the API documentation for the Vault Cloud Foundry auth method.
----
-
-> [!IMPORTANT]
-> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
-
-# Pivotal Cloud Foundry (CF) auth method (API)
-
-@include 'x509-sha1-deprecation.mdx'
-
-This is the API documentation for the Vault CF auth method. For
-general information about the usage and operation of the CF method, please
-see the [Vault CF method documentation](/vault/docs/auth/cf).
-
-This documentation assumes the CF method is mounted at the `/auth/cf`
-path in Vault. Since it is possible to enable auth methods at any location,
-please update your API calls accordingly.
-
-## Create configuration
-
-Configure the root CA certificate to be used for verifying instance identity
-certificates, and configure access to the CF API. For detailed instructions
-on how to obtain these values, please see the [Vault CF method
-documentation](/vault/docs/auth/cf).
-
-| Method | Path |
-| :----- | ----------------- |
-| `POST` | `/auth/cf/config` |
-
-### Parameters
-
-- `identity_ca_certificates` `(array: [], required)` - The root CA certificate(s)
- to be used for verifying that the `CF_INSTANCE_CERT` presented for logging in was
- issued by the proper authority.
-- `cf_api_addr` `(string: required)`: CF's full API address, to be used for verifying
- that a given `CF_INSTANCE_CERT` shows an application ID, space ID, and organization ID
- that presently exist.
-- `cf_username` `(string: required)`: The username for authenticating to the CF API.
-- `cf_password` `(string: required)`: The password for authenticating to the CF API.
-- `cf_api_trusted_certificates` `(array: [])`: The certificate that's presented by the
- CF API. This configures Vault to trust this certificate when making API calls, resolving
- `x509: certificate signed by unknown authority` errors.
-- `login_max_seconds_not_before` `(int: 300)`: The maximum number of seconds in the past when a
- signature could have been created. The lower the value, the lower the risk of replay
- attacks.
-- `login_max_seconds_not_after` `(int: 60)`: In case of clock drift, the maximum number of
- seconds in the future when a signature could have been created. The lower the value,
- the lower the risk of replay attacks.
-- `cf_timeout` `(duration: 0s)`: The timeout for the CF API. If not set, the default
- timeout is 0, which means no timeout.
-
-### Sample payload
-
-```json
-{
- "identity_ca_certificates": [
- "-----BEGIN CERTIFICATE-----\nMIIEtzCCA5+.......ZRtAfQ6r\nwlW975rYa1ZqEdA=\n-----END CERTIFICATE-----"
- ],
- "cf_api_addr": "https://api.sys.somewhere.cf-app.com",
- "cf_username": "vault",
- "cf_password": "pa55w0rd",
- "cf_api_trusted_certificates": [
- "-----BEGIN CERTIFICATE-----\nMIIEtzCCA5+.......ZRtAfQ6r\nwlW975rYa1ZqEdA=\n-----END CERTIFICATE-----"
- ],
- "login_max_seconds_not_before": 5,
- "login_max_seconds_not_after": 1
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/cf/config
-```
-
-## Read config
-
-Returns the present CF configuration.
-
-| Method | Path |
-| :----- | ----------------- |
-| `GET` | `/auth/cf/config` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/auth/cf/config
-```
-
-### Sample response
-
-```json
-{
- "identity_ca_certificates": [
- "-----BEGIN CERTIFICATE-----\nMIIEtzCCA5+.......ZRtAfQ6r\nwlW975rYa1ZqEdA=\n-----END CERTIFICATE-----"
- ],
- "cf_api_addr": "https://api.sys.somewhere.cf-app.com",
- "cf_username": "vault",
- "cf_api_trusted_certificates": [
- "-----BEGIN CERTIFICATE-----\nMIIEtzCCA5+.......ZRtAfQ6r\nwlW975rYa1ZqEdA=\n-----END CERTIFICATE-----"
- ],
- "login_max_seconds_not_before": 5,
- "login_max_seconds_not_after": 1
-}
-```
-
-## Delete config
-
-Deletes the present CF configuration.
-
-| Method | Path |
-| :------- | ----------------- |
-| `DELETE` | `/auth/cf/config` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request DELETE \
- http://127.0.0.1:8200/v1/auth/cf/config
-```
-
-## Create/Update role
-
-Create a role in Vault granting a particular level of access to a particular group
-of CF instances. We recommend using the CF API or the CF CLI to gain the IDs you
-wish to target.
-
-If you list no `bound` parameters, then any entity with a valid
-`CF_INSTANCE_CERT` that's been issued by any configured `identity_ca_certificates`
-will be able to authenticate against this role.
-
-| Method | Path |
-| :----- | ---------------------- |
-| `POST` | `/auth/cf/roles/:role` |
-
-### Parameters
-
-- `role` `(string: required)` - The name of the role.
-- `bound_application_ids` `(array: [])` - An optional list of application IDs
- an instance must be a member of to qualify as a member of this role.
-- `bound_space_ids` `(array: [])` - An optional list of space IDs
- an instance must be a member of to qualify as a member of this role.
-- `bound_organization_ids` `(array: [])` - An optional list of organization IDs
- an instance must be a member of to qualify as a member of this role.
-- `bound_instance_ids` `(array: [])` - An optional list of instance IDs
- an instance must be a member of to qualify as a member of this role. Please note that
- every time you use `cf push` on an app, its instance ID changes. Also, instance IDs
- are not verifiable as being presently alive using the CF API. Thus, we recommend against
- using this setting for most use cases.
-- `disable_ip_matching` `(bool: false)` - If set to true, disables the default behavior
- that logging in must be performed from an acceptable IP address described by the
- certificate presented. Should only be set to true if required, generally when a proxy
- is used to perform logins.
-
-@include 'tokenfields.mdx'
-
-### Sample payload
-
-```json
-{
- "bound_application_ids": ["09d7eb6a-afc2-49a0-bb32-858c22f2b346"],
- "bound_space_ids": ["21005ebb-8943-433e-84e6-d9d9d7338853"],
- "bound_organization_ids": ["9785a884-5e93-49bd-97ee-57bf7c2b20e0"],
- "bound_instance_ids": ["f3e0f176-3f83-4efb-5842-2ff4"],
- "bound_cidrs": ["127.0.0.1/32", "128.252.0.0/16"],
- "policies": ["default"],
- "ttl": "1h",
- "max_ttl": "1h",
- "period": "1h"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/cf/roles/:role
-```
-
-## Read role
-
-Returns a CF role.
-
-| Method | Path |
-| :----- | ---------------------- |
-| `GET` | `/auth/cf/roles/:role` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/auth/cf/roles/:role
-```
-
-### Sample response
-
-```json
-{
- "bound_application_ids": ["09d7eb6a-afc2-49a0-bb32-858c22f2b346"],
- "bound_space_ids": ["21005ebb-8943-433e-84e6-d9d9d7338853"],
- "bound_organization_ids": ["9785a884-5e93-49bd-97ee-57bf7c2b20e0"],
- "bound_instance_ids": ["f3e0f176-3f83-4efb-5842-2ff4"],
- "bound_cidrs": ["127.0.0.1/32", "128.252.0.0/16"],
- "policies": ["default"],
- "ttl": 2764790,
- "max_ttl": 2764790,
- "period": 2764790
-}
-```
-
-## Delete role
-
-Deletes a CF role.
-
-| Method | Path |
-| :------- | ---------------------- |
-| `DELETE` | `/auth/cf/roles/:role` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request DELETE \
- http://127.0.0.1:8200/v1/auth/cf/roles/:role
-```
-
-## List roles
-
-Returns a CF role.
-
-| Method | Path |
-| :----- | ---------------- |
-| `LIST` | `/auth/cf/roles` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request LIST
- http://127.0.0.1:8200/v1/auth/cf/roles
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "keys": ["role1", "role2"]
- }
-}
-```
-
-## Login
-
-Log in to CF.
-
-Vault provides both an agent and a CLI tool for logging in that
-eliminates the need to build a signature yourself. However, if you do wish to
-build the signature, its signing algorithm is viewable [here](https://github.com/hashicorp/vault-plugin-auth-cf/tree/master/signatures).
-The [plugin repo](https://github.com/hashicorp/vault-plugin-auth-cf) also contains
-a command-line tool (`generate-signature`) that can be compiled as a binary for generating a signature,
-and a test that outputs steps in generating the signature so they can be duplicated.
-
-However, at a high level, these are the steps for generating a signature:
-
-- Get and format the current time, ex. `2006-01-02T15:04:05Z`.
-- Get the full body of the file located at `CF_INSTANCE_CERT`.
-- Get the name of the role.
-- Concatenate them together in the above order, with no extra string used for joining them.
-- Create a SHA256 checksum of the resulting string (`checksum` below).
-- Sign the string using the key located at `CF_INSTANCE_KEY`. In Go, this is performed using
- the following line of code which you can more deeply inspect:
-
-```
-rsa.SignPSS(rand.Reader, rsaPrivateKey, crypto.SHA256, checksum, nil)
-```
-
-- Convert the signature to a string.
-
-| Method | Path |
-| :----- | ---------------- |
-| `POST` | `/auth/cf/login` |
-
-### Parameters
-
-- `role` `(string: required)` - The name of the role.
-- `cf_instance_cert` `(string: required)` - The full body of the file available at
- the path denoted by `CF_INSTANCE_CERT`.
-- `signing_time` `(string: required)` - The date and time used to construct the signature.
-- `signature` `(string: required)` - The signature generated by the algorithm described
- above using the `CF_INSTANCE_KEY`.
-
-### Sample payload
-
-```json
-{
- "role": "test-role",
- "cf_instance_cert": "-----BEGIN CERTIFICATE-----\nMIIEtzCCA5+.......ZRtAfQ6r\nwlW975rYa1ZqEdA=\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIEtzCCA5+.......ZRtAfQ6r\nwlW975rYa1ZqEdA=\n-----END CERTIFICATE-----",
- "signing_time": "2006-01-02T15:04:05Z",
- "signature": "MmyUjQ1OqxQmF0W6raVQDL-hlqqe1oG-7abA6Oi3NHwT-9lMfrYxsCwMnd2HKGMly2tCgetcoA2orfquoe6MkMuksx_KGH_KLObcAykt53z4rHceHKGvm7eGj60cjWFYtiNPic-lzUGERLbUeKLMi6NlThm9ueb7hhpyTUpEYtphV3gorbVxvlkrnuYSbgy2NGpOUY1N8dRzcxmHkYjh12XoWEw4Is5aFr6eFKbZ0vmLWBzhJ7_w20CFyTpRYB-6heGz1iR9qEG8mZk3_x4rZpT5mejJ5zmH2xlUjBJMndfcz47btEi2BO9pFVxK2wK-tKeUUFgx6RcomAopTskkmg=="
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/cf/login
-```
-
-### Sample response
-
-```json
-{
- "auth": {
- "renewable": true,
- "lease_duration": 1800000,
- "policies": ["default", "dev"],
- "accessor": "20b89871-e6f2-1160-fb29-31c2f6d4645e",
- "client_token": "c9368254-3f21-aded-8a6f-7c818e81b17a"
- }
-}
-```
diff --git a/website/content/api-docs/auth/gcp.mdx b/website/content/api-docs/auth/gcp.mdx
deleted file mode 100644
index e477dc7689..0000000000
--- a/website/content/api-docs/auth/gcp.mdx
+++ /dev/null
@@ -1,567 +0,0 @@
----
-layout: api
-page_title: Google Cloud - Auth Methods - HTTP API
-description: |-
- This is the API documentation for the Vault Google Cloud authentication
- method.
----
-
-> [!IMPORTANT]
-> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
-
-# Google Cloud auth method (API)
-
-This is the API documentation for the Vault Google Cloud auth method. To learn
-more about the usage and operation, see the
-[Vault Google Cloud method documentation](/vault/docs/auth/gcp).
-
-This documentation assumes the plugin method is mounted at the
-`/auth/gcp` path in Vault. Since it is possible to enable auth methods
-at any location, please update your API calls accordingly.
-
-## Configure
-
-Configures the credentials required for the plugin to perform API calls
-to Google Cloud. These credentials will be used to query the status of IAM
-entities and get service account or other Google public certificates
-to confirm signed JWTs passed in during login. You can configure
-credentials either with Application Credentials for a privileged service account,
-or using Plugin Workload Identity Federation (WIF).
-
-### IAM
-Vault uses the official Google Cloud SDK to source credentials from environment variables and shared files.
-
-From the highest precedence to lowest, you can pass root credentials to the Vault server in the following ways:
-
-1. Provide static credentials to the API as a payload.
-
-1. Use [plugin workload identity federation](/vault/docs/auth/gcp#plugin-workload-identity-federation-wif) credentials.
-
-1. Set [application default credentials](https://cloud.google.com/docs/authentication/application-default-credentials)
-as environment variables on the Vault server.
-
-
- Passing Vault new root credentials overwrites any preexisting root credentials.
-
-
-| Method | Path |
-| :----- | :----------------- |
-| `POST` | `/auth/gcp/config` |
-
-### Parameters
-
-- `credentials` `(string: "")` - A JSON string containing the contents of a GCP
- service account credentials file. The service account associated with the credentials
- file must have the following [permissions](/vault/docs/auth/gcp#required-gcp-permissions).
- If this value is empty, Vault will try to use [Application Default Credentials][gcp-adc]
- from the machine on which the Vault server is running. Mutually exclusive with `identity_token_audience`.
-
-@include 'rotationfields.mdx'
-
-- `service_account_email` `(string: "")` – Service Account
- to impersonate for plugin workload identity federation. Required with `identity_token_audience`.
-
-- `identity_token_audience` `(string: "")` - The
- audience claim value for plugin identity tokens. Must match an allowed audience configured
- for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
- Mutually exclusive with `credentials`.
-
-- `identity_token_ttl` `(string/int: 3600)` - The
- TTL of generated tokens. Defaults to 1 hour. Uses [duration format strings](/vault/docs/concepts/duration-format).
-
-- `iam_alias` `(string: "role_id")` - Must be either `unique_id` or `role_id`.
- If `unique_id` is specified, the service account's unique ID will be used for
- alias names during login. If `role_id` is specified, the ID of the Vault role
- will be used. Only used if role `type` is `iam`.
-
-- `iam_metadata` `(string: "default")` - The metadata to include on the token
- returned by the `login` endpoint. This metadata will be added to both audit logs,
- and on the `iam_alias`. By default, it includes `project_id`, `role`,
- `service_account_id`, and `service_account_email`. To include no metadata,
- set to `""` via the CLI or `[]` via the API. To use only particular fields, select
- the explicit fields. To restore to defaults, send only a field of `default`.
- **Only select fields that will have a low rate of change** for your `iam_alias` because
- each change triggers a storage write and can have a performance impact at scale.
- Only used if role `type` is `iam`.
-
-- `gce_alias` `(string: "role_id")` - Must be either `instance_id` or `role_id`.
- If `instance_id` is specified, the GCE instance ID will be used for alias names
- during login. If `role_id` is specified, the ID of the Vault role will be used.
- Only used if role `type` is `gce`.
-
-- `gce_metadata` `(string: "default")` - The metadata to include on the token
- returned by the `login` endpoint. This metadata will be added to both audit logs,
- and on the `gce_alias`. By default, it includes `instance_creation_timestamp`,
- `instance_id`, `instance_name`, `project_id`, `project_number`, `role`,
- `service_account_id`, `service_account_email`, and `zone`. To include no metadata,
- set to `""` via the CLI or `[]` via the API. To use only particular fields, select
- the explicit fields. To restore to defaults, send only a field of `default`.
- **Only select fields that will have a low rate of change** for your `gce_alias` because
- each change triggers a storage write and can have a performance impact at scale.
- Only used if role `type` is `gce`.
-
-- `custom_endpoint` `(map: )` - Specifies overrides to
- [service endpoints](https://cloud.google.com/apis/design/glossary#api_service_endpoint)
- used when making API requests. This allows specific requests made during authentication
- to target alternative service endpoints for use in [Private Google Access](https://cloud.google.com/vpc/docs/configure-private-google-access)
- environments.
-
- Overrides are set at the subdomain level using the following keys:
- - `api` - Replaces the service endpoint used in API requests to `https://www.googleapis.com`.
- - `iam` - Replaces the service endpoint used in API requests to `https://iam.googleapis.com`.
- - `crm` - Replaces the service endpoint used in API requests to `https://cloudresourcemanager.googleapis.com`.
- - `compute` - Replaces the service endpoint used in API requests to `https://compute.googleapis.com`.
-
- The endpoint value provided for a given key has the form of `scheme://host:port`.
- The `scheme://` and `:port` portions of the endpoint value are optional.
-
-### Sample payload
-
-```json
-{
- "credentials": "{ \"type\": \"service_account\", \"project_id\": \"project-123456\", ...}"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/gcp/config
-```
-
-## Rotate root credentials
-
-Request to rotate the GCP service account credentials used by Vault
-for this mount. A new key will be generated for the service account,
-replacing the internal value, and then a deletion of the old service
-account key is scheduled. Note that this does not create a new service
-account, only a new version of the service account key.
-
-This path is only valid if Vault has been configured to use GCP credentials via
-the `config/` endpoint where "credentials" were specified. Additionally, the
-provided service account must have permissions to create and delete service
-account keys.
-
-| Method | Path |
-| :----- | :----------------------------- |
-| `POST` | `/auth/gcp/config/rotate-root` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- https://127.0.0.1:8200/v1/auth/gcp/config/rotate-root
-```
-
-## Read config
-
-| Method | Path |
-| :----- | :----------------- |
-| `GET` | `/auth/gcp/config` |
-
-Credentials will be omitted from returned data.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request GET \
- https://127.0.0.1:8200/v1/auth/gcp/config
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "ttl": "1h",
- "max_ttl": "4h"
- }
-}
-```
-
-## Read config
-
-Returns the configuration, if any, including credentials.
-
-| Method | Path |
-| :----- | :----------------- |
-| `GET` | `/auth/gcp/config` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/auth/gcp/config
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "client_email": "service-account@project-123456.iam.gserviceaccount.com",
- "client_id": "123456789101112131415",
- "private_key_id": "97fd7ba59a96e1f3830296aedb4f50879e4d5382",
- "project_id": "project-123456"
- }
-}
-```
-
-## Create/Update role
-
-Registers a role in the method. Role types have specific entities
-that can perform login operations against this endpoint. Constraints specific
-to the role type must be set on the role. These are applied to the authenticated
-entities attempting to login.
-
-| Method | Path |
-| :----- | :--------------------- |
-| `POST` | `/auth/gcp/role/:name` |
-
-### Parameters
-
-- `name` `(string: )` - The name of the role.
-
-- `type` `(string: )` - The type of this role. Certain fields
- correspond to specific roles and will be rejected otherwise. Please see below
- for more information.
-
-- `bound_service_accounts` `(array: )` - An array of
- service account emails or IDs that login is restricted to,
- either directly or through an associated instance. If set to
- `*`, all service accounts are allowed (you can bind this further using
- `bound_projects`.)
-
-- `bound_projects` `(array: [])` - An array of GCP project IDs. Only entities
- belonging to this project can authenticate under the role.
-
-- `add_group_aliases` `(bool: false)` - If true, any auth token
- generated under this token will have associated group aliases, namely
- `project-$PROJECT_ID`, `folder-$PROJECT_ID`, and `organization-$ORG_ID`
- for the entities project and all its folder or organization ancestors. This
- requires Vault to have IAM permission `resourcemanager.projects.get`.
-
-@include 'tokenfields.mdx'
-
-#### `iam`-only parameters
-
-The following parameters are only valid when the role is of type `"iam"`:
-
-- `max_jwt_exp` `(string: "15m")` - The number of seconds past the time of
- authentication that the login param JWT must expire within. For example, if a
- user attempts to login with a token that expires within an hour and this is
- set to 15 minutes, Vault will return an error prompting the user to create a
- new signed JWT with a shorter `exp`. The GCE metadata tokens currently do not
- allow the `exp` claim to be customized.
-
-- `allow_gce_inference` `(bool: true)` - A flag to determine if this role should
- allow GCE instances to authenticate by inferring service accounts from the
- GCE identity metadata token.
-
-#### `gce`-only parameters
-
-The following parameters are only valid when the role is of type `"gce"`:
-
-- `bound_zones` `(array: [])`: The list of zones that a GCE instance must belong
- to in order to be authenticated. If `bound_instance_groups` is provided, it is
- assumed to be a zonal group and the group must belong to this zone.
-
-- `bound_regions` `(array: [])`: The list of regions that a GCE instance must
- belong to in order to be authenticated. If `bound_instance_groups` is
- provided, it is assumed to be a regional group and the group must belong to
- this region. If `bound_zones` are provided, this attribute is ignored.
-
-- `bound_instance_groups` `(array: [])`: The instance groups that an authorized
- instance must belong to in order to be authenticated. If specified, either
- `bound_zones` or `bound_regions` must be set too.
-
-- `bound_labels` `(array: [])`: A comma-separated list of GCP labels formatted
- as "key:value" strings that must be set on authorized GCE instances. Because
- GCP labels are not currently ACL'd, we recommend that this be used in
- conjunction with other restrictions.
-
-### Sample payload
-
-Example `iam` role:
-
-```json
-{
- "type": "iam",
- "project_id": "project-123456",
- "policies": ["prod"],
- "ttl": "30m",
- "max_ttl": "24h",
- "max_jwt_exp": "5m",
- "bound_service_accounts": ["dev-1@project-123456.iam.gserviceaccount.com"]
-}
-```
-
-Example `gce` role:
-
-```json
-{
- "type": "gce",
- "project_id": "project-123456",
- "policies": ["prod"],
- "bound_zones": ["us-east1-b", "eu-west2-a"],
- "ttl": "30m",
- "max_ttl": "24h",
- "bound_service_accounts": ["dev-1@project-123456.iam.gserviceaccount.com"]
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/gcp/role/my-role
-```
-
-## Edit service accounts on IAM role
-
-Edit service accounts for an existing IAM role in the method.
-This allows you to add or remove service accounts from the list of
-service accounts on the role.
-
-| Method | Path |
-| :----- | :-------------------------------------- |
-| `POST` | `/auth/gcp/role/:name/service-accounts` |
-
-### Parameters
-
-- `name` `(string: )` - The name of an existing `iam` type role. This
- will return an error if role is not an `iam` type role.
-
-- `add` `(array: [])` - The list of service accounts to add to the role's
- service accounts.
-
-- `remove` `(array: [])` - The list of service accounts to remove from the
- role's service accounts.
-
-### Sample payload
-
-```json
-{
- "add": ["dev-1@project-123456.iam.gserviceaccount.com", "123456789"],
- "remove": ["dev-2@project-123456.iam.gserviceaccount.com"]
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/gcp/role/my-role
-```
-
-## Edit labels on GCE role
-
-Edit labels for an existing GCE role in the backend. This allows you to add or
-remove labels (keys, values, or both) from the list of keys on the role.
-
-| Method | Path |
-| :----- | :---------------------------- |
-| `POST` | `/auth/gcp/role/:name/labels` |
-
-### Parameters
-
-- `name` `(string: )` - The name of an existing `gce` role. This will
- return an error if role is not a `gce` type role.
-
-- `add` `(array: [])` - The list of `key:value` labels to add to the GCE role's
- bound labels.
-
-- `remove` `(array: [])` - The list of label _keys_ to remove from the role's
- bound labels. If any of the specified keys do not exist, no error is returned
- (idempotent).
-
-### Sample payload
-
-```json
-{
- "add": ["foo:bar", "env:dev", "key:value"],
- "remove": ["key1", "key2"]
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/gcp/role/my-role
-```
-
-## Read role
-
-Returns the previously registered role configuration.
-
-| Method | Path |
-| :----- | :--------------------- |
-| `GET` | `/auth/gcp/role/:name` |
-
-### Parameters
-
-- `name` `(string: )` - The name of the role to read.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/auth/gcp/role/my-role
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "bound_labels": {
- "env": "dev",
- "foo": "bar",
- "key": "value"
- },
- "bound_service_accounts": ["dev-1@project-123456.iam.gserviceaccount.com"],
- "bound_zones": ["eu-west2-a", "us-east1-b"],
- "gce_alias": "instance_id",
- "max_ttl": 86400,
- "policies": ["prod"],
- "project_id": "project-123456",
- "role_id": "6bbfab2b-ca32-6044-4829-4515728d87b1",
- "type": "gce",
- "ttl": 1800
- }
-}
-```
-
-## List roles
-
-Lists all the roles that are registered with the plugin.
-
-| Method | Path |
-| :----- | :---------------- |
-| `LIST` | `/auth/gcp/roles` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request LIST \
- http://127.0.0.1:8200/v1/auth/gcp/roles
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "keys": ["my-role", "my-other-role"]
- }
-}
-```
-
-## Delete role
-
-Deletes the previously registered role.
-
-| Method | Path |
-| :------- | :--------------------- |
-| `DELETE` | `/auth/gcp/role/:role` |
-
-### Parameters
-
-- `role` `(string: )` - The name of the role to delete.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request DELETE \
- http://127.0.0.1:8200/v1/auth/gcp/role/my-role
-```
-
-## Login
-
-Login to retrieve a Vault token. This endpoint takes a signed JSON Web Token
-(JWT) and a role name for some entity. It verifies the JWT signature with Google
-Cloud to authenticate that entity and then authorizes the entity for the given
-role.
-
-| Method | Path |
-| :----- | :---------------- |
-| `POST` | `/auth/gcp/login` |
-
-### Sample payload
-
-- `role` `(string: )` - The name of the role against which the login
- is being attempted.
-
-- `jwt` `(string: )` - A Signed [JSON Web Token][jwt].
-
- - For `iam` type roles, this is a JWT signed with the
- [`signJwt` method][signjwt-method] or a self-signed JWT.
-
- - For `gce` type roles, this is an [identity metadata token][instance-token].
-
-### Sample payload
-
-```json
-{
- "role": "my-role",
- "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/gcp/login
-```
-
-### Sample response
-
-```json
-{
- "auth": {
- "client_token": "f33f8c72-924e-11f8-cb43-ac59d697597c",
- "accessor": "0e9e354a-520f-df04-6867-ee81cae3d42d",
- "policies": ["default", "dev", "prod"],
- "metadata": {
- "project_id": "my-project",
- "role": "my-role",
- "service_account_email": "dev1@project-123456.iam.gserviceaccount.com",
- "service_account_id": "111111111111111111111"
- },
- "lease_duration": 2764800,
- "renewable": true
- }
-}
-```
-
-[gcp-adc]: https://developers.google.com/identity/protocols/application-default-credentials
-[jwt]: https://tools.ietf.org/html/rfc7519
-[signjwt-method]: https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signJwt
-[instance-token]: https://cloud.google.com/compute/docs/instances/verifying-instance-identity#request_signature
diff --git a/website/content/api-docs/auth/github.mdx b/website/content/api-docs/auth/github.mdx
deleted file mode 100644
index aa15015cec..0000000000
--- a/website/content/api-docs/auth/github.mdx
+++ /dev/null
@@ -1,281 +0,0 @@
----
-layout: api
-page_title: GitHub - Auth Methods - HTTP API
-description: This is the API documentation for the Vault GitHub auth method.
----
-
-> [!IMPORTANT]
-> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
-
-# GitHub auth method (API)
-
-This is the API documentation for the Vault GitHub auth method. For
-general information about the usage and operation of the GitHub method, please
-see the [Vault GitHub method documentation](/vault/docs/auth/github).
-
-This documentation assumes the GitHub method is enabled at the `/auth/github`
-path in Vault. Since it is possible to enable auth methods at any location,
-please update your API calls accordingly.
-
-## Configure method
-
-Configures the connection parameters for GitHub. This path honors the
-distinction between the `create` and `update` capabilities inside ACL policies.
-
-| Method | Path |
-| :----- | :-------------------- |
-| `POST` | `/auth/github/config` |
-
-### Parameters
-
-- `organization` `(string: )` - The organization users must be part
- of.
-- `organization_id` `(int: 0)` - The ID of the organization users must be part
- of. Vault will attempt to fetch and set this value if it is not provided.
-- `base_url` `(string: "")` - The API endpoint to use. Useful if you are running
- GitHub Enterprise or an API-compatible authentication server.
-
-### Environment variables
-- `VAULT_AUTH_CONFIG_GITHUB_TOKEN` `(string: "")` - An optional GitHub token used to make
- authenticated GitHub API requests. This can be useful for bypassing GitHub's
- rate-limiting during automation flows when the `organization_id` is not provided.
- We encourage you to provide the `organization_id` instead of relying on this environment variable.
-
-@include 'tokenfields.mdx'
-
-### Sample payload
-
-```json
-{
- "organization": "acme-org"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/github/config
-```
-
-## Read configuration
-
-Reads the GitHub configuration.
-
-| Method | Path |
-| :----- | :-------------------- |
-| `GET` | `/auth/github/config` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/auth/github/config
-```
-
-### Sample response
-
-```json
-{
- "request_id": "812229d7-a82e-0b20-c35b-81ce8c1b9fa6",
- "lease_id": "",
- "lease_duration": 0,
- "renewable": false,
- "data": {
- "organization": "acme-org",
- "base_url": "",
- "ttl": "",
- "max_ttl": ""
- },
- "warnings": null
-}
-```
-
-## Map GitHub teams
-
-Map a list of policies to a team that exists in the configured GitHub organization.
-
-| Method | Path |
-| :----- | :---------------------------------- |
-| `POST` | `/auth/github/map/teams/:team_name` |
-
-### Parameters
-
-- `team_name` `(string)` - GitHub team name in "slugified" format
-- `value` `(string)` - Comma separated list of policies to assign
-
-### Sample payload
-
-```json
-{
- "value": "dev-policy"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/github/map/teams/dev
-```
-
-## Read team mapping
-
-Reads the GitHub team policy mapping.
-
-| Method | Path |
-| :----- | :---------------------------------- |
-| `GET` | `/auth/github/map/teams/:team_name` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/auth/github/map/teams/dev
-```
-
-### Sample response
-
-```json
-{
- "request_id": "812229d7-a82e-0b20-c35b-81ce8c1b9fa6",
- "lease_id": "",
- "renewable": false,
- "lease_duration": 0,
- "data": {
- "key": "dev",
- "value": "dev-policy"
- },
- "wrap_info": null,
- "warnings": null,
- "auth": null
-}
-```
-
-## Map GitHub users
-
-Map a list of policies to a specific GitHub user exists in the configured
-organization.
-
-| Method | Path |
-| :----- | :---------------------------------- |
-| `POST` | `/auth/github/map/users/:user_name` |
-
-### Parameters
-
-- `user_name` `(string)` - GitHub user name
-- `value` `(string)` - Comma separated list of policies to assign
-
-### Sample payload
-
-```json
-{
- "value": "sethvargo-policy"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/github/map/users/sethvargo
-```
-
-The user with username `sethvargo` will be assigned the `sethvargo-policy`
-policy **in addition to** any team policies.
-
-## Read user mapping
-
-Reads the GitHub user policy mapping.
-
-| Method | Path |
-| :----- | :---------------------------------- |
-| `GET` | `/auth/github/map/users/:user_name` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/auth/github/map/users/sethvargo
-```
-
-### Sample response
-
-```json
-{
- "request_id": "764b6f88-efba-51bd-ed62-cf1c9e80e37a",
- "lease_id": "",
- "renewable": false,
- "lease_duration": 0,
- "data": {
- "key": "sethvargo",
- "value": "sethvargo-policy"
- },
- "wrap_info": null,
- "warnings": null,
- "auth": null
-}
-```
-
-## Login
-
-Login using GitHub access token.
-
-| Method | Path |
-| :----- | :------------------- |
-| `POST` | `/auth/github/login` |
-
-### Parameters
-
-- `token` `(string: )` - GitHub personal API token.
-
-### Sample payload
-
-```json
-{
- "token": "ABC123..."
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --request POST \
- http://127.0.0.1:8200/v1/auth/github/login
-```
-
-### Sample response
-
-```javascript
-{
- "lease_id": "",
- "renewable": false,
- "lease_duration": 0,
- "data": null,
- "warnings": null,
- "auth": {
- "client_token": "64d2a8f2-2a2f-5688-102b-e6088b76e344",
- "accessor": "18bb8f89-826a-56ee-c65b-1736dc5ea27d",
- "policies": ["default"],
- "metadata": {
- "username": "fred",
- "org": "acme-org"
- },
- },
- "lease_duration": 7200,
- "renewable": true
-}
-```
diff --git a/website/content/api-docs/auth/index.mdx b/website/content/api-docs/auth/index.mdx
deleted file mode 100644
index d2b662184d..0000000000
--- a/website/content/api-docs/auth/index.mdx
+++ /dev/null
@@ -1,20 +0,0 @@
----
-layout: api
-page_title: Auth Methods - HTTP API
-description: |-
- Each auth method publishes its own set of API paths and methods.
- These endpoints are documented in this section.
----
-
-> [!IMPORTANT]
-> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
-
-# Auth methods
-
-Each auth method publishes its own set of API paths and methods. These endpoints
-are documented in this section. Auth methods are enabled at a path, but the
-documentation will assume the default paths for simplicity. If you are enabling
-at a different path, you should adjust your API calls accordingly.
-
-For the API documentation for a specific auth method, please choose a auth
-method from the navigation.
diff --git a/website/content/api-docs/auth/jwt.mdx b/website/content/api-docs/auth/jwt.mdx
deleted file mode 100644
index 2217ae5c13..0000000000
--- a/website/content/api-docs/auth/jwt.mdx
+++ /dev/null
@@ -1,447 +0,0 @@
----
-layout: api
-page_title: JWT/OIDC - Auth Methods - HTTP API
-description: |-
- This is the API documentation for the Vault JWT/OIDC authentication
- method plugin.
----
-
-> [!IMPORTANT]
-> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
-
-# JWT/OIDC auth method (API)
-
-@include 'x509-sha1-deprecation.mdx'
-
-This is the API documentation for the Vault JWT/OIDC auth method
-plugin. To learn more about the usage and operation, see the
-[Vault JWT/OIDC method documentation](/vault/docs/auth/jwt).
-
-This documentation assumes the plugin method is mounted at the
-`/auth/jwt` path in Vault. Since it is possible to enable auth methods
-at any location, please update your API calls accordingly.
-
-## Configure
-
-Configures the validation information to be used globally across all roles. One
-(and only one) of `oidc_discovery_url`, `jwks_url`, and `jwt_validation_pubkeys` must be
-set.
-
-| Method | Path |
-| :----- | :----------------- |
-| `POST` | `/auth/jwt/config` |
-
-### Parameters
-
-- `oidc_discovery_url` `(string: )` - The OIDC Discovery URL, without any .well-known component (base path). Cannot be used with "jwks_url" or "jwt_validation_pubkeys".
-- `oidc_discovery_ca_pem` `(string: )` - The contents of a CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used.
-- `oidc_client_id` `(string: )` - The OAuth Client ID from the provider for OIDC roles.
-- `oidc_client_secret` `(string: )` - The OAuth Client Secret from the provider for OIDC roles.
-- `oidc_response_mode` `(string: )` - The response mode to be used in the OAuth2 request. Allowed values are "query" and "form_post". Defaults to "query". If using Vault namespaces, and oidc_response_mode is "form_post", then "namespace_in_state" should be set to false.
-- `oidc_response_types` `(comma-separated string, or array of strings: )` - The response types to request. Allowed values are "code" and "id_token". Defaults to "code".
- Note: "id_token" may only be used if "oidc_response_mode" is set to "form_post".
-- `jwks_url` `(string: )` - JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
-- `jwks_ca_pem` `(string: )` - The contents of a CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
-- `jwks_pairs` `(list of JSON object: )` - List of JWKS URL and optional CA certificate pairs. CA certificates must be in PEM format. Must be a list of JSON objects with format `[{"jwks_url": "", "jwks_ca_pem": ""}]`. Cannot be used with "jwks_url" or "jwks_ca_pem".
-- `jwt_validation_pubkeys` `(comma-separated string, or array of strings: )` - A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used with "jwks_url" or "oidc_discovery_url".
-- `bound_issuer` `(string: )` - The value against which to match the `iss` claim in a JWT. Cannot be configured when `jwks_pairs` is set.
-- `jwt_supported_algs` `(comma-separated string, or array of strings: )` - A list of supported signing algorithms. Defaults to [RS256] for OIDC roles. Defaults to all [available algorithms](https://github.com/hashicorp/cap/blob/main/jwt/algs.go) for JWT roles.
-- `default_role` `(string: )` - The default role to use if none is provided during login.
-- `provider_config` `(map: )` - Configuration options for provider-specific handling. Providers with specific handling include: Azure, Google, SecureAuth, IBM ISAM. The options are described in each provider's section in [OIDC Provider Setup](/vault/docs/auth/jwt/oidc-providers).
-- `namespace_in_state` `(bool: true)` - Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs.
-
-### Sample payload
-
-```json
-{
- "oidc_discovery_url": "https://myco.auth0.com/",
- "bound_issuer": "https://myco.auth0.com/"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- https://127.0.0.1:8200/v1/auth/jwt/config
-```
-
-## Read config
-
-Returns the previously configured config.
-
-| Method | Path |
-| :----- | :----------------- |
-| `GET` | `/auth/jwt/config` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- https://127.0.0.1:8200/v1/auth/jwt/config
-```
-
-### Sample response
-
-```json
-{
- "data":{
- "oidc_discovery_url": "https://myco.auth0.com/",
- "oidc_discovery_ca_pem": [],
- "bound_issuer": "https://myco.auth0.com/",
- "jwt_validation_pubkeys": []
- },
- ...
-}
-```
-
-## Create/Update role
-
-Registers a role in the method. Role types have specific entities
-that can perform login operations against this endpoint. Constraints specific
-to the role type must be set on the role. These are applied to the authenticated
-entities attempting to login. At least one of the bound values must be set.
-
-| Method | Path |
-| :----- | :--------------------- |
-| `POST` | `/auth/jwt/role/:name` |
-
-### Parameters
-
-- `name` `(string: )` - Name of the role.
-- `role_type` `(string: )` - Type of role, either "oidc" (default) or "jwt".
-- `bound_audiences` `(array: )` - List of `aud` claims to match against.
- The `bound_audiences` parameter is required for "jwt" roles that contain an
- audience (typical case) and **must** match at least one of the associated JWT
- `aud` claims.
-- `user_claim` `(string: )` - The claim to use to uniquely identify
- the user; this will be used as the name for the Identity entity alias created
- due to a successful login. The claim value must be a string.
-- `user_claim_json_pointer` `(bool: false)` - Specifies if the `user_claim` value uses
- [JSON pointer](/vault/docs/auth/jwt#claim-specifications-and-json-pointer) syntax for
- referencing claims. By default, the `user_claim` value will not use JSON pointer.
-- `clock_skew_leeway` `(int or string: )` - The amount of leeway to add to all claims to
- account for clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled
- if set to `-1`. Accepts an integer number of seconds, or a Go duration format string. Only applicable
- with "jwt" roles.
-- `expiration_leeway` `(int or string: )` - The amount of leeway to add to expiration (`exp`) claims to
- account for clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled
- if set to `-1`. Accepts an integer number of seconds, or a Go duration format string. Only applicable
- with "jwt" roles.
-- `not_before_leeway` `(int or string: )` - The amount of leeway to add to not before (`nbf`) claims to
- account for clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled
- if set to `-1`. Accepts an integer number of seconds, or a Go duration format string. Only applicable
- with "jwt" roles.
-- `bound_subject` `(string: )` - If set, requires that the `sub`
- claim matches this value.
-- `bound_claims` `(map: )` - If set, a map of claims (keys) to match against respective claim values (values).
- Each expected value may be a string, integer, boolean or a list of strings. The interpretation of the bound
- claim values is configured with `bound_claims_type`. Keys support [JSON pointer](/vault/docs/auth/jwt#claim-specifications-and-json-pointer)
- syntax for referencing claims.
-- `bound_claims_type` `(string: "string")` - Configures the interpretation of the bound_claims values.
- If `"string"` (the default), the values will be treated as literals and must match exactly.
- If set to `"glob"`, the values will be interpreted as globs, with `*` matching any number of
- characters.
-- `groups_claim` `(string: )` - The claim to use to uniquely identify
- the set of groups to which the user belongs; this will be used as the names
- for the Identity group aliases created due to a successful login. The claim
- value must be a list of strings. Supports [JSON pointer](/vault/docs/auth/jwt#claim-specifications-and-json-pointer)
- syntax for referencing claims.
-- `claim_mappings` `(map: )` - If set, a map of claims (keys) to be copied to
- specified metadata fields (values). Keys support [JSON pointer](/vault/docs/auth/jwt#claim-specifications-and-json-pointer)
- syntax for referencing claims.
-- `oidc_scopes` `(list: )` - If set, a list of OIDC scopes to be used with an OIDC role.
- The standard scope "openid" is automatically included and need not be specified.
-- `allowed_redirect_uris` `(list: )` - The list of allowed values for redirect_uri
- during OIDC logins.
-- `verbose_oidc_logging` `(bool: false)` - Log received OIDC tokens and claims when debug-level
- logging is active. Not recommended in production since sensitive information may be present
- in OIDC responses.
-- `max_age` `(int or string: )` - Specifies the allowable elapsed time in seconds since the last
- time the user was actively authenticated with the OIDC provider. If set, the `max_age` request parameter
- will be included in the authentication request. See [AuthRequest](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest)
- for additional details. Accepts an integer number of seconds, or a Go duration format string.
-
-@include 'tokenfields.mdx'
-
-### Sample payload
-
-```json
-{
- "policies": ["dev", "prod"],
- "bound_subject": "sl29dlldsfj3uECzsU3Sbmh0F29Fios1@clients",
- "bound_audiences": "https://myco.test",
- "user_claim": "https://vault/user",
- "groups_claim": "https://vault/groups",
- "bound_claims": {
- "department": "engineering",
- "sector": "7g"
- },
- "claim_mappings": {
- "preferred_language": "language",
- "group": "group"
- }
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- https://127.0.0.1:8200/v1/auth/jwt/role/dev-role
-```
-
-## Read role
-
-Returns the previously registered role configuration.
-
-| Method | Path |
-| :----- | :--------------------- |
-| `GET` | `/auth/jwt/role/:name` |
-
-### Parameters
-
-- `name` `(string: )` - Name of the role.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- https://127.0.0.1:8200/v1/auth/jwt/role/dev-role
-```
-
-### Sample response
-
-```json
-{
- "data":{
- "bound_subject": "sl29dlldsfj3uECzsU3Sbmh0F29Fios1@clients",
- "bound_audiences": [
- "https://myco.test"
- ],
- "bound_cidrs": [],
- "user_claim": "https://vault/user",
- "groups_claim": "https://vault/groups",
- "policies": [
- "dev",
- "prod"
- ],
- "period": 0,
- "ttl": 0,
- "num_uses": 0,
- "max_ttl": 0
- },
- ...
-}
-
-```
-
-## List roles
-
-Lists all the roles that are registered with the plugin.
-
-| Method | Path |
-| :----- | :--------------- |
-| `LIST` | `/auth/jwt/role` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request LIST \
- https://127.0.0.1:8200/v1/auth/jwt/role
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "keys": [
- "dev-role",
- "prod-role"
- ]
- },
- ...
-}
-```
-
-## Delete role
-
-Deletes the previously registered role.
-
-| Method | Path |
-| :------- | :--------------------- |
-| `DELETE` | `/auth/jwt/role/:name` |
-
-### Parameters
-
-- `name` `(string: )` - Name of the role.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request DELETE \
- https://127.0.0.1:8200/v1/auth/jwt/role/dev-role
-```
-
-## OIDC authorization URL request
-
-Obtain an authorization URL from Vault to start an OIDC login flow.
-
-| Method | Path |
-| :----- | :------------------------ |
-| `POST` | `/auth/jwt/oidc/auth_url` |
-
-### Parameters
-
-- `role` `(string: )` - Name of the role against which the login is being
- attempted. Defaults to configured `default_role` if not provided.
-- `redirect_uri` `(string: )` - Path to the callback to complete the login. This will be
- of the form, "https://.../oidc/callback" where the leading portion is dependent on your Vault
- server location, port, and the mount of the JWT plugin. This must be configured with Vault and the
- provider. See [Redirect URIs](/vault/docs/auth/jwt#redirect-uris) for more information.
-- `client_nonce` `(string: )` - Optional client-provided nonce that
- must match the `client_nonce` value provided during a subsequent request to the
- [callback](/vault/api-docs/auth/jwt#oidc-callback) API.
-
-### Sample payload
-
-```json
-{
- "role": "dev-role",
- "redirect_uri": "https://vault.myco.com:8200/ui/vault/auth/jwt/oidc/callback"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --request POST \
- --data @payload.json \
- https://127.0.0.1:8200/v1/auth/jwt/oidc/auth_url
-```
-
-### Sample response
-
-```json
-{
- "request_id": "c701169c-64f8-26cc-0315-078e8c3ce897",
- "data": {
- "auth_url": "https://myco.auth0.com/authorize?client_id=r3qXcK2bezU3Sbmh0K16fatW6&nonce=851b69a9bfa5a6a5668111314414e3687891a599&redirect_uri=https%3A%2F%2Fvault.myco.com3A8200%2Fui%2Fvault%2Fauth%2Fjwt%2Foidc%2Fcallback&response_type=code&scope=openid+email+profile&state=1011e726d24960e09cfca2e04b36b38593cb6a22"
- },
- ...
-}
-```
-
-## OIDC callback
-
-Exchange an authorization code for an OIDC ID Token. The ID token will be further validated
-against any bound claims, and if valid a Vault token will be returned.
-
-| Method | Path |
-| :----- | :------------------------ |
-| `GET` | `/auth/jwt/oidc/callback` |
-
-### Parameters
-
-- `state` `(string: )` - Opaque state ID that is part of the Authorization URL and will
- be included in the the redirect following successful authentication on the provider.
-- `nonce` `(string: )` - Opaque nonce that is part of the Authorization URL and will
- be included in the the redirect following successful authentication on the provider.
-- `code` `(string: )` - Provider-generated authorization code that Vault will exchange for
- an ID token.
-- `client_nonce` `(string: )` - Optional client-provided nonce that must
- match the `client_nonce` value provided during the prior request to the
- [auth_url](/vault/api-docs/auth/jwt#oidc-authorization-url-request) API.
-
-### Sample request
-
-```shell-session
-$ curl \
- https://127.0.0.1:8200/v1/auth/jwt/oidc/callback?state=n2kfh3nsl&code=mn2ldl2nv98h2jl&nonce=ni42i2idj2jj
-```
-
-### Sample response
-
-```json
-{
- "auth":{
- "client_token":"f33f8c72-924e-11f8-cb43-ac59d697597c",
- "accessor":"0e9e354a-520f-df04-6867-ee81cae3d42d",
- "policies":[
- "default",
- "dev",
- "prod"
- ],
- "lease_duration":2764800,
- "renewable":true
- },
- ...
-}
-```
-
-## JWT login
-
-Fetch a token. This endpoint takes a signed JSON Web Token (JWT) and
-a role name for some entity. It verifies the JWT signature to authenticate that
-entity and then authorizes the entity for the given role.
-
-| Method | Path |
-| :----- | :---------------- |
-| `POST` | `/auth/jwt/login` |
-
-### Parameters
-
-- `role` `(string: )` - Name of the role against which the login is being
- attempted. Defaults to configured `default_role` if not provided.
-- `jwt` `(string: )` - Signed [JSON Web Token](https://tools.ietf.org/html/rfc7519) (JWT).
-
-### Sample payload
-
-```json
-{
- "role": "dev-role",
- "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --request POST \
- --data @payload.json \
- https://127.0.0.1:8200/v1/auth/jwt/login
-```
-
-### Sample response
-
-```json
-{
- "auth":{
- "client_token":"f33f8c72-924e-11f8-cb43-ac59d697597c",
- "accessor":"0e9e354a-520f-df04-6867-ee81cae3d42d",
- "policies":[
- "default",
- "dev",
- "prod"
- ],
- "lease_duration":2764800,
- "renewable":true
- },
- ...
-}
-```
diff --git a/website/content/api-docs/auth/kerberos.mdx b/website/content/api-docs/auth/kerberos.mdx
deleted file mode 100644
index 5173d4a470..0000000000
--- a/website/content/api-docs/auth/kerberos.mdx
+++ /dev/null
@@ -1,413 +0,0 @@
----
-layout: api
-page_title: Kerberos - Auth Methods - HTTP API
-description: This is the API documentation for the Vault Kerberos auth method plugin.
----
-
-> [!IMPORTANT]
-> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
-
-# Kerberos auth method (API)
-
-@include 'x509-sha1-deprecation.mdx'
-
-This is the API documentation for the Vault Kerberos auth method plugin. To
-learn more about the usage and operation, see the
-[Vault Kerberos auth method](/vault/docs/auth/kerberos).
-
-This documentation assumes the Kerberos auth method is mounted at the
-`auth/kerberos` path in Vault. Since it is possible to enable auth methods at
-any location, please update your API calls accordingly.
-
-The Kerberos auth method validates both Kerberos and LDAP authorization,
-so both configurations are required.
-
-## Configure Vault Kerberos
-
-This endpoint configures the keytab and service account to be used by Vault
-for verifying inbound SPNEGO tokens.
-
-| Method | Path |
-| :----- | :---------------------- |
-| `POST` | `/auth/kerberos/config` |
-
-- `keytab` `(string: )` – A base 64 representation of the contents
- of the Kerberos keytab that will be used for verifying inbound SPNEGO tokens.
- It should contain an entry matching the service account given. This can be
- created through the following command: `$ base64 vault.keytab > vault.keytab.base64`.
-- `service_account` `(string: )` – The service account associated
- with both the keytab entry and an LDAP service account created for Vault. Ex.:
- `"vault_svc"`.
-- `remove_instance_name` - Removes any instance names from a Kerberos service
- principal name when parsing the keytab file. For example when this is set to true,
- if a keytab has the service principal name `foo/localhost@example.com`, Vault
- will strip the service principal name to just be `foo@example.com`.
-- `add_group_aliases` - When set to true, Vault will add any LDAP groups found for
- the user as group aliases.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/kerberos/config
-```
-
-### Sample payload
-
-```json
-{
- "add_group_aliases": false,
- "keytab": "BQIAAAA6AAEACk1BVFJJWC5MQU4ACXZhdWx0X3N2YwAAAAFdzZSjAgAXABDwhEyRR9nRqkpP8KTn2A83AAAAAg==",
- "remove_instance_name": false,
- "service_account": "vault_svc"
-}
-```
-
-## Read Vault Kerberos
-
-This endpoint retrieves the service account for the Kerberos auth method.
-The keytab is not returned because it is sensitive information.
-
-| Method | Path |
-| :----- | :---------------------- |
-| `GET` | `/auth/kerberos/config` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/auth/kerberos/config
-```
-
-### Sample response
-
-```json
-{
- "auth": null,
- "warnings": null,
- "wrap_info": null,
- "data": {
- "add_group_aliases": false,
- "remove_instance_name": false,
- "service_account": "vault_svc"
- },
- "lease_duration": 0,
- "renewable": false,
- "lease_id": ""
-}
-```
-
-## Configure Kerberos LDAP
-
-This endpoint configures LDAP in the Kerberos auth method.
-
-| Method | Path |
-| :----- | :--------------------------- |
-| `POST` | `/auth/kerberos/config/ldap` |
-
-### Parameters
-
-- `url` `(string: )` – The LDAP server to connect to. Examples:
- `ldap://ldap.myorg.com`, `ldaps://ldap.myorg.com:636`. Multiple URLs can be
- specified with commas, e.g. `ldap://ldap.myorg.com,ldap://ldap2.myorg.com`;
- these will be tried in-order.
-- `case_sensitive_names` `(bool: false)` – If set, user and group names
- assigned to policies within the backend will be case sensitive. Otherwise,
- names will be normalized to lower case. Case will still be preserved when
- sending the username to the LDAP server at login time; this is only for
- matching local user/group definitions.
-- `starttls` `(bool: false)` – If true, issues a `StartTLS` command after
- establishing an unencrypted connection.
-- `tls_min_version` `(string: tls12)` – Minimum TLS version to use. Accepted
- values are `tls10`, `tls11`, `tls12` or `tls13`.
-- `tls_max_version` `(string: tls12)` – Maximum TLS version to use. Accepted
- values are `tls10`, `tls11`, `tls12` or `tls13`.
-- `insecure_tls` `(bool: false)` – If true, skips LDAP server SSL certificate
- verification - insecure, use with caution!
-- `certificate` `(string: "")` – CA certificate to use when verifying LDAP server
- certificate, must be x509 PEM encoded.
-- `binddn` `(string: "")` – Distinguished name of object to bind when performing
- user search. Example: `cn=vault,ou=Users,dc=example,dc=com`
-- `bindpass` `(string: "")` – Password to use along with `binddn` when performing
- user search.
-- `userdn` `(string: "")` – Base DN under which to perform user search. Example:
- `ou=Users,dc=example,dc=com`
-- `userattr` `(string: "")` – Attribute on user attribute object matching the
- username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid`
-- `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a
- user.
-- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing
- authentication when providing an empty password.
-- `upndomain` `(string: "")` – The _userPrincipalDomain_ used to construct the UPN
- string for the authenticating user. The constructed UPN will appear as
- `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind
- as `username@example.com`.
-- `groupfilter` `(string: "")` – Go template used when constructing the group
- membership query. The template can access the following context variables:
- \[`UserDN`, `Username`\]. The default is
- `(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))`,
- which is compatible with several common directory schemas. To support
- nested group resolution for Active Directory, instead use the following
- query: `(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))`.
-- `groupdn` `(string: "")` – LDAP search base to use for group membership
- search. This can be the root containing either groups or users. Example:
- `ou=Groups,dc=example,dc=com`
-- `groupattr` `(string: "")` – LDAP attribute to follow on objects returned by
- `groupfilter` in order to enumerate user group membership. Examples: for
- groupfilter queries returning _group_ objects, use: `cn`. For queries
- returning _user_ objects, use: `memberOf`. The default is `cn`.
-
-@include 'tokenfields.mdx'
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/kerberos/config/ldap
-```
-
-### Sample payload
-
-```json
-{
- "binddn": "cn=vault,ou=Users,dc=example,dc=com",
- "deny_null_bind": true,
- "discoverdn": false,
- "groupattr": "cn",
- "groupdn": "ou=Groups,dc=example,dc=com",
- "groupfilter": "(\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))",
- "insecure_tls": false,
- "starttls": false,
- "tls_max_version": "tls12",
- "tls_min_version": "tls12",
- "url": "ldaps://ldap.myorg.com:636",
- "userattr": "samaccountname",
- "userdn": "ou=Users,dc=example,dc=com"
-}
-```
-
-## Read Kerberos LDAP configuration
-
-This endpoint retrieves the LDAP configuration for the Kerberos auth method.
-
-| Method | Path |
-| :----- | :--------------------------- |
-| `GET` | `/auth/kerberos/config/ldap` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/auth/kerberos/config/ldap
-```
-
-### Sample response
-
-```json
-{
- "auth": null,
- "warnings": null,
- "wrap_info": null,
- "data": {
- "binddn": "cn=vault,ou=Users,dc=example,dc=com",
- "bindpass": "",
- "certificate": "",
- "deny_null_bind": true,
- "discoverdn": false,
- "groupattr": "cn",
- "groupdn": "ou=Groups,dc=example,dc=com",
- "groupfilter": "(\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))",
- "insecure_tls": false,
- "starttls": false,
- "tls_max_version": "tls12",
- "tls_min_version": "tls12",
- "upndomain": "",
- "url": "ldaps://ldap.myorg.com:636",
- "userattr": "samaccountname",
- "userdn": "ou=Users,dc=example,dc=com"
- },
- "lease_duration": 0,
- "renewable": false,
- "lease_id": ""
-}
-```
-
-## List Kerberos LDAP groups
-
-This endpoint returns a list of existing LDAP groups in the Kerberos auth method.
-
-| Method | Path |
-| :----- | :---------------------- |
-| `LIST` | `/auth/kerberos/groups` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request LIST \
- http://127.0.0.1:8200/v1/auth/kerberos/groups
-```
-
-### Sample response
-
-```json
-{
- "auth": null,
- "warnings": null,
- "wrap_info": null,
- "data": {
- "keys": ["scientists", "engineers"]
- },
- "lease_duration": 0,
- "renewable": false,
- "lease_id": ""
-}
-```
-
-## Read Kerberos LDAP group
-
-This endpoint returns the policies associated with a Kerberos LDAP group.
-
-| Method | Path |
-| :----- | :---------------------------- |
-| `GET` | `/auth/kerberos/groups/:name` |
-
-### Parameters
-
-- `name` `(string: )` – The name of the LDAP group.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/auth/kerberos/groups/admins
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "policies": ["admin", "default"]
- },
- "renewable": false,
- "lease_id": "",
- "lease_duration": 0,
- "warnings": null
-}
-```
-
-## Create/Update Kerberos LDAP group
-
-This endpoint creates or updates LDAP group policies.
-
-| Method | Path |
-| :----- | :---------------------------- |
-| `POST` | `/auth/kerberos/groups/:name` |
-
-### Parameters
-
-- `name` `(string: )` – The name of the LDAP group.
-- `policies` `(string: "")` – Comma-separated list of policies associated to the
- group.
-
-### Sample payload
-
-```json
-{
- "policies": "admin,default"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/kerberos/groups/admins
-```
-
-## Delete Kerberos LDAP group
-
-This endpoint deletes the LDAP group and policy association.
-
-| Method | Path |
-| :------- | :---------------------------- |
-| `DELETE` | `/auth/kerberos/groups/:name` |
-
-### Parameters
-
-- `name` `(string: )` – The name of the LDAP group.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request DELETE \
- http://127.0.0.1:8200/v1/auth/kerberos/groups/admins
-```
-
-## Login with Kerberos
-
-This endpoint allows you to log in with a valid Kerberos SPNEGO
-token. This token is obtained by the client, marshalled, and
-converted to base 64 using standard encoding.
-
-Example SPNEGO token (newlines added for readability):
-
-```
-YIIFSwYGKwYBBQUCoIIFPzCCBTugDTALBgkqhkiG9xIBAgKiggUoBIIFJGCCBSAGCSq
-GSIb3EgECAgEAboIFDzCCBQugAwIBBaEDAgEOogcDBQAgAAAAo4IEB2GCBAMwggP/oA
-MCAQWhDBsKTUFUUklYLkxBTqIvMC2gAwIBA6EmMCQbBEhUVFAbHDdlZmNjZTg4MGVkM
-y5tYXRyaXgubGFuOjgyMDCjggO3MIIDs6ADAgEXoQMCAQKiggOlBIIDoXky+VDSMXqT
-Z8XqUiIfzX3+t1ROgO49WYQPoqW1EJLA6vOVtsLITTuDUw8WaLIexki07up3wiO7bKn
-unPFN3Y6VaKZfGoubVBFnLwrxqiEqytk19fiuc0bUJD5fNX+BUeHjePPmE73kRcuchC
-L5+WkbY0X37cH5uKwCWI6TxpuEc74+mvmGOdAOdisC31MO6EBnOpTlxvKOXzShVk5Xa
-rkkHjTJyjoUslgm8JVdj/uB/+x16k0bFVOuWybfeCkn4FY7OeIxypxDJgk6uHU+5jpy
-XsdXK4w5GG+TK5BI6LXW8ZH6NOhcTZnRyt1/S4Wihd6HKhL8lH6H+wPWAnN4Ym8jiSg
-7O0nIkp9su1l/umJWnLnyUdsC9ekKmCYS9MLrmaUREnKMFfrYOF283gWVmfuSWd832Q
-9PIE93vUVTfetw1OwbJXEbG7ex3BotXPJ8yaDUAz4Zv0a6zQlj6JutE7LF3JvuuQeot
-QnwPhrZTrmv7ZbmGO3GmkzbMzIwcTXCCKX8ocOo8GLmtEigAPK23FOW2Y0p1meYjF0U
-xPzU6MPxfQWiXTWflqabXug7uZh8u76rzSEEceosPxoBqMm6hSmGc85+0bzy/E7AGJM
-5ELa2Ny2KpyniPiYCap44GsFZbGM1FwJeh1bG3dJungIn7po4X2wlg00wZVlbHsBzhP
-Hys0oxVzOQfrvx88G0fH80+vyzQiQAq4ZqmZqkO0zFSsdqG8ReJvpY0eGzN6/lGwcRl
-eav7Vum/s5MalXhYUdOjB4K3A5yQArHbbLfeZlhb7d4vttzPNkmaZ9ZNTyW1GSuqDtd
-+YJ0g70aN82KQMWiK3cbJcx/1jcmaN5gjSDm0xk19G2eb8VlRpwLFAazOlpPGozPl0Y
-PD45h3Yv3AA5aMVXvEi+NvSYR3z9VXxk6A8wFJxV5NZxV2hYwmxt0S+TYXFeudXzT+W
-ySoykcsxIU6rUevmJlEqZDyD3VcdnUOE9pxrIY/cqpdBBwatorF+jIK/ytcTBjvoM6c
-LL4g4n/isWMu8Xs6lSMxZzrC3Ewv9VYMzOEFxaHUXlyIC8GCN6t9DHZNzT91TC0u5Rj
-XuLqXENczg33dACvr+yhvin/0QNBQG+EXz/E4NiBBWqtTFa0BiTVTwyrKL5OyiLcIVe
-v4l8l9vyj/ABwDacr9ZGjhFbOShCTuFFWBPNnBwPqiRBV4y1gPP4abYBmeboLrUiqwZ
-81UrP2L8rCTEtYu9q3GmW/pIHqMIHnoAMCAReigd8EgdxwBViqyCyL0+J/k2bw0upNL
-h+4wzJcFBFC/wxX2aMvvIYdQv5nWwdNLMII3l/zQ0+eRdzpKfg1ZRT6x0D5278eQLto
-9r1CqKNW515u4kD5+pE8VOwZJMVe3FmduaH2gnTLAcoYXkBUE24hcr0ExSY6kTTBWPj
-U5dsmUsj3+qrN9JruEADqw99t/EWnN3iTsHh1rOQOd9jIJ1wCIkgvnLB8Rad+q5jguG
-8qQh1WDObTlNOnezDtiuLtRb03QDo8Q4Sm72IIcLDlffVvl7WAog5TpC8qM97+Wmv0C
-sWw
-```
-
-| Method | Path |
-| :----- | :--------------------- |
-| `POST` | `/auth/kerberos/login` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "Authorization: Negotiate YIIFSw...sWw" \
- --request POST \
- http://127.0.0.1:8200/v1/auth/kerberos/login
-```
diff --git a/website/content/api-docs/auth/kubernetes.mdx b/website/content/api-docs/auth/kubernetes.mdx
deleted file mode 100644
index b56855aa8c..0000000000
--- a/website/content/api-docs/auth/kubernetes.mdx
+++ /dev/null
@@ -1,347 +0,0 @@
----
-layout: api
-page_title: Kubernetes - Auth Methods - HTTP API
-description: This is the API documentation for the Vault Kubernetes auth method plugin.
----
-
-> [!IMPORTANT]
-> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
-
-# Kubernetes auth method (API)
-
-@include 'x509-sha1-deprecation.mdx'
-
-This is the API documentation for the Vault Kubernetes auth method plugin. To
-learn more about the usage and operation, see the
-[Vault Kubernetes auth method](/vault/docs/auth/kubernetes).
-
-This documentation assumes the Kubernetes method is mounted at the
-`/auth/kubernetes` path in Vault. Since it is possible to enable auth methods at
-any location, please update your API calls accordingly.
-
-## Configure method
-
-The Kubernetes auth method validates service account JWTs and verifies their
-existence with the Kubernetes TokenReview API. This endpoint configures the
-public key used to validate the JWT signature and the necessary information to
-access the Kubernetes API.
-
-| Method | Path |
-| :----- | :------------------------ |
-| `POST` | `/auth/kubernetes/config` |
-
-### Parameters
-
-- `kubernetes_host` `(string: )` - Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
-- `kubernetes_ca_cert` `(string: "")` - Optional PEM encoded CA cert that the TLS client can use to talk with the Kubernetes API.
- **Every line must end with a newline `\n`.**
- If `kubernetes_ca_cert` is unset, the TLS client uses the local CA cert if Vault is running in a Kubernetes pod.
- If `kubernetes_ca_cert` is unset and `disable_local_ca_jwt` set to true, the TLS client uses the system's trusted CA certificate pool.
-- `token_reviewer_jwt` `(string: "")` - A service account JWT (or other token) used as a bearer
- token to access the TokenReview API to validate other JWTs during login. If not set,
- the local service account token is used if running in a Kubernetes pod, otherwise
- the JWT submitted in the login payload will be used to access the Kubernetes TokenReview API.
-- `pem_keys` `(array: [])` - Optional list of PEM-formatted public keys or certificates
- used to verify the signatures of Kubernetes service account
- JWTs. If a certificate is given, its public key will be
- extracted. Not every installation of Kubernetes exposes these
- keys.
-- `disable_local_ca_jwt` `(bool: false)` - Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod.
-- `use_annotations_as_alias_metadata` `(bool: false)` - Use annotations from the client token's associated service account
- as alias metadata for the Vault entity. Only annotations with the
- `vault.hashicorp.com/alias-metadata-` key prefix are targeted as alias metadata and
- your annotations must be 512 characters or less due to the Vault alias
- metadata value limit. For example, if you configure the annotation
- `vault.hashicorp.com/alias-metadata-foo`, Vault saves the string "foo" along
- with the annotation value to the alias metadata. **To save alias metadata,
- Vault must have permission to read service accounts from the Kubernetes API**.
-
-### Deprecated parameters
-
--> The following fields have been deprecated and will be removed in a future release:
-
-- `disable_iss_validation` `(bool: true)` **Deprecated** Disable JWT issuer validation. Allows to skip ISS validation.
-
-- `issuer` `(string: "")` **Deprecated** Optional JWT issuer. If no issuer is specified, then this plugin will use `kubernetes/serviceaccount` as the default issuer.
-See [these instructions](/vault/docs/auth/kubernetes#discovering-the-service-account-issuer) for looking up the issuer for a given Kubernetes cluster.
-
-### Caveats
-
-If Vault is running in a Kubernetes Pod, the `kubernetes_ca_cert` and
-`token_reviewer_jwt` parameters will automatically default to the local CA cert
-(`/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`) and local service
-account JWT (`/var/run/secrets/kubernetes.io/serviceaccount/token`).
-
-If you override the default local CA cert behavior by setting `disable_local_ca_jwt` to `true`,
-the plugin's TLS client will automatically default to using the system's trust store for TLS certificate verification.
-
-### Sample payload
-
-```json
-{
- "kubernetes_host": "https://192.168.99.100:8443",
- "kubernetes_ca_cert": "-----BEGIN CERTIFICATE-----\n.....\n-----END CERTIFICATE-----",
- "pem_keys": "-----BEGIN CERTIFICATE-----\n.....\n-----END CERTIFICATE-----"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/kubernetes/config
-```
-
-## Read config
-
-Returns the previously configured config, excluding credentials.
-
-| Method | Path |
-| :----- | :------------------------ |
-| `GET` | `/auth/kubernetes/config` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/auth/kubernetes/config
-```
-
-### Sample response
-
-```json
-{
- "data":{
- "kubernetes_host": "https://192.168.99.100:8443",
- "kubernetes_ca_cert": "-----BEGIN CERTIFICATE-----.....-----END CERTIFICATE-----",
- "pem_keys": ["-----BEGIN CERTIFICATE-----.....", .....],
- "disable_local_ca_jwt": false,
- "token_reviewer_jwt_set": false
- }
-}
-```
-
-## Create/Update role
-
-Registers a role in the auth method. Role types have specific entities
-that can perform login operations against this endpoint. Constraints specific
-to the role type must be set on the role. These are applied to the authenticated
-entities attempting to login.
-
-| Method | Path |
-| :----- | :---------------------------- |
-| `POST` | `/auth/kubernetes/role/:name` |
-
-### Parameters
-
-- `name` `(string: )` - Name of the role.
-- `bound_service_account_names` `(array: )` - List of service account
- names able to access this role. If set to "\*" all names are allowed.
-- `bound_service_account_namespaces` `(array: [])` - List of namespaces
- allowed to access this role. If set to "\*" all namespaces are allowed.
-- `bound_service_account_namespace_selector` `(string: "")` - A label selector for Kubernetes
- namespaces allowed to access this role. Accepts either a JSON or YAML object. The value
- should be of type
- [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta). Currently, label selectors with `matchExpressions` are not supported.
- To use label selectors, **Vault must have permission to read namespaces** on the Kubernetes
- cluster. If set with `bound_service_account_namespaces`, the conditions are `OR`ed.
-- `audience` `(string: "")` - Audience claim to verify in the JWT. Will be required in Vault 1.21+.
-- `alias_name_source` `(string: "serviceaccount_uid")` - Configures how identity aliases are generated.
- Valid choices are: `serviceaccount_uid` and `serviceaccount_name`.
-
- When you specify `serviceaccount_uid`, Vault uses a machine generated UID from
- the service account as the identity alias name. Using a service account UID is
- both the default and the recommended method as it the more secure option.
-
- When you specify `serviceaccount_name`, Vault uses the name and namespace from
- the service account as the identity alias name (e.g., `vault/vault-auth`). You
- should only use `serviceaccount_name` if you consider the risk acceptable or
- can mitigate the risk with strong controls around the creation/deletion/access
- of your Kubernetes service accounts and need one of the following capabilities:
-
- 1. fine-grained control over the mapping between Kubernetes service accounts
- and Vault identities.
- 1. a simpler process for setting entity aliases before creating Kubernetes
- service account creation.
-
- See the [Create an Entity Alias](/vault/api-docs/secret/identity/entity-alias#create-an-entity-alias) document
- which further expands on the potential security implications mentioned above.
-
-@include 'tokenfields.mdx'
-
-### Sample Payload 1
-
-```json
-{
- "bound_service_account_names": "vault-auth",
- "bound_service_account_namespaces": "default",
- "policies": ["dev", "prod"],
- "max_ttl": 1800000
-}
-```
-
-### Sample Payload 2
-
-```json
-{
- "bound_service_account_names": "vault-auth",
- "bound_service_account_namespace_selector": "\"{\"matchLabels\":{\"stage\":\"dev\",\"vault-role\":\"dev-role\"}}",
- "policies": ["dev", "prod"],
- "max_ttl": 1800000
-}
-```
-
-### Sample Request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/kubernetes/role/dev-role
-```
-
-## Read role
-
-Returns the previously registered role configuration.
-
-| Method | Path |
-| :----- | :---------------------------- |
-| `GET` | `/auth/kubernetes/role/:name` |
-
-### Parameters
-
-- `name` `(string: )` - Name of the role.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/auth/kubernetes/role/dev-role
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "bound_service_account_names": "vault-auth",
- "bound_service_account_namespaces": "default",
- "max_ttl": 1800000,
- "ttl": 0,
- "period": 0,
- "policies": ["dev", "prod"]
- }
-}
-```
-
-## List roles
-
-Lists all the roles that are registered with the auth method.
-
-| Method | Path |
-| :----- | :-------------------------------- |
-| `LIST` | `/auth/kubernetes/role` |
-| `GET` | `/auth/kubernetes/role?list=true` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request LIST \
- http://127.0.0.1:8200/v1/auth/kubernetes/role
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "keys": ["dev-role", "prod-role"]
- }
-}
-```
-
-## Delete role
-
-Deletes the previously registered role.
-
-| Method | Path |
-| :------- | :---------------------------- |
-| `DELETE` | `/auth/kubernetes/role/:role` |
-
-### Parameters
-
-- `role` `(string: )` - Name of the role.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request DELETE \
- http://127.0.0.1:8200/v1/auth/kubernetes/role/dev-role
-```
-
-## Login
-
-Fetch a token. This endpoint takes a signed JSON Web Token (JWT) and
-a role name for some entity. It verifies the JWT signature to authenticate that
-entity and then authorizes the entity for the given role.
-
-| Method | Path |
-| :----- | :----------------------- |
-| `POST` | `/auth/kubernetes/login` |
-
-### Parameters
-
-- `role` `(string: )` - Name of the role against which the login is being
- attempted.
-- `jwt` `(string: )` - Signed [JSON Web
- Token](https://tools.ietf.org/html/rfc7519) (JWT) for authenticating a service
- account.
-
-### Sample payload
-
-```json
-{
- "role": "dev-role",
- "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/kubernetes/login
-```
-
-### Sample response
-
-```json
-{
- "auth": {
- "client_token": "62b858f9-529c-6b26-e0b8-0457b6aacdb4",
- "accessor": "afa306d0-be3d-c8d2-b0d7-2676e1c0d9b4",
- "policies": ["default"],
- "metadata": {
- "role": "test",
- "service_account_name": "vault-auth",
- "service_account_namespace": "default",
- "service_account_secret_name": "vault-auth-token-pd21c",
- "service_account_uid": "aa9aa8ff-98d0-11e7-9bb7-0800276d99bf"
- },
- "lease_duration": 2764800,
- "renewable": true
- }
-}
-```
diff --git a/website/content/api-docs/auth/ldap.mdx b/website/content/api-docs/auth/ldap.mdx
deleted file mode 100644
index 9c034468af..0000000000
--- a/website/content/api-docs/auth/ldap.mdx
+++ /dev/null
@@ -1,500 +0,0 @@
----
-layout: api
-page_title: LDAP - Auth Methods - HTTP API
-description: This is the API documentation for the Vault LDAP auth method.
----
-
-> [!IMPORTANT]
-> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
-
-# LDAP auth method (API)
-
-@include 'x509-sha1-deprecation.mdx'
-
-This is the API documentation for the Vault LDAP auth method. For
-general information about the usage and operation of the LDAP method, please
-see the [Vault LDAP method documentation](/vault/docs/auth/ldap).
-
-This documentation assumes the LDAP method is mounted at the `/auth/ldap`
-path in Vault. Since it is possible to enable auth methods at any location,
-please update your API calls accordingly.
-
-## Configure LDAP
-
-This endpoint configures the LDAP auth method.
-
-| Method | Path |
-| :----- | :------------------ |
-| `POST` | `/auth/ldap/config` |
-
-### Parameters
-
-- `url` `(string: ldap://127.0.0.1)` – The LDAP server to connect to. Examples:
- `ldap://ldap.myorg.com`, `ldaps://ldap.myorg.com:636`. Multiple URLs can be
- specified with commas, e.g. `ldap://ldap.myorg.com,ldap://ldap2.myorg.com`;
- these will be tried in-order.
-- `case_sensitive_names` `(bool: false)` – If set, user and group names
- assigned to policies within the backend will be case sensitive. Otherwise,
- names will be normalized to lower case. Case will still be preserved when
- sending the username to the LDAP server at login time; this is only for
- matching local user/group definitions.
-- `connection_timeout` `(integer: 30 or string: "30s")` - Timeout, in seconds,
- when attempting to connect to the LDAP server before trying the next URL in
- the configuration.
-- `request_timeout` `(integer: 90 or string: "90s")` - Timeout, in seconds, for
- the connection when making requests against the server before returning back
- an error.
-- `starttls` `(bool: false)` – If true, issues a `StartTLS` command after
- establishing an unencrypted connection.
-- `tls_min_version` `(string: tls12)` – Minimum TLS version to use. Accepted
- values are `tls10`, `tls11`, `tls12` or `tls13`.
-- `tls_max_version` `(string: tls12)` – Maximum TLS version to use. Accepted
- values are `tls10`, `tls11`, `tls12` or `tls13`.
-- `insecure_tls` `(bool: false)` – If true, skips LDAP server SSL certificate
- verification - insecure, use with caution!
-- `certificate` `(string: "")` – CA certificate to use when verifying LDAP server
- certificate, must be x509 PEM encoded.
-- `client_tls_cert` `(string "")` - Client certificate to provide to the LDAP
- server, must be x509 PEM encoded (optional).
-- `client_tls_key` `(string "")` - Client certificate key to provide to the LDAP
- server, must be x509 PEM encoded (optional).
-- `binddn` `(string: "")` – Distinguished name of object to bind when performing
- user search. Example: `cn=vault,ou=Users,dc=example,dc=com`
-- `bindpass` `(string: "")` – Password to use along with `binddn` when performing
- user search.
-- `userdn` `(string: "")` – Base DN under which to perform user search. Example:
- `ou=Users,dc=example,dc=com`
-- `userattr` `(string: "cn")` – Attribute on user attribute object matching the
- username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid`
-- `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a
- user.
-- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing
- authentication when providing an empty password.
-- `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN
- string for the authenticating user. The constructed UPN will appear as
- `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind
- as `username@example.com`.
-- `userfilter` `(string: "")` – An optional LDAP user search filter.
- The template can access the following context variables: UserAttr, Username.
- The default is `({{.UserAttr}}={{.Username}})`, or `({{.UserAttr}}={{.Username@.upndomain}})`
- if `upndomain` is set. In order for the `userfilter` to be applied,
- both `binddn` and `bindpass` must be set, or `discoverdn` must be set to `true`.
-- `anonymous_group_search` `(bool: false)` - Use anonymous binds when performing
- LDAP group searches (note: even when `true`, the initial credentials will still
- be used for the initial connection test).
-- `groupfilter` `(string: "")` – Go template used when constructing the group
- membership query. The template can access the following context variables:
- \[`UserDN`, `Username`\]. The default is
- `(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))`,
- which is compatible with several common directory schemas. To support
- nested group resolution for Active Directory, instead use the following
- query: `(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))`.
-- `groupdn` `(string: "")` – LDAP search base to use for group membership
- search. This can be the root containing either groups or users. Example:
- `ou=Groups,dc=example,dc=com`
-- `groupattr` `(string: "")` – LDAP attribute to follow on objects returned by
- `groupfilter` in order to enumerate user group membership. Examples: for
- groupfilter queries returning _group_ objects, use: `cn`. For queries
- returning _user_ objects, use: `memberOf`. The default is `cn`.
-- `username_as_alias` `(bool: false)` - If set to true, forces the auth method
- to use the username passed by the user as the alias name.
-- `dereference_aliases` `(string: never)` - When aliases should be dereferenced
- on search operations. Accepted values are 'never', 'finding', 'searching',
- 'always'. Defaults to 'never'.
-- `max_page_size` `(int: 0)` - If set to a value greater than 0, the LDAP
- backend will use the LDAP server's paged search control to request pages of
- up to the given size. This can be used to avoid hitting the LDAP server's
- maximum result size limit. Otherwise, the LDAP backend will not use the
- paged search control.
-- `use_token_groups` `(bool: true)` - (Optional) Use the Active Directory tokenGroups
- constructed attribute of the user to find the group memberships.
-- `enable_samaccountname_login` `(bool: false)` - (Optional) Lets Active Directory
- LDAP users log in using `sAMAccountName` or `userPrincipalName` when the
- `upndomain` parameter is set.
-
-@include 'rotationfields.mdx'
-
-@include 'tokenfields.mdx'
-
-@include 'ldap-auth-userfilter-warning.mdx'
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/ldap/config
-```
-
-### Sample payload
-
-```json
-{
- "binddn": "cn=vault,ou=Users,dc=example,dc=com",
- "deny_null_bind": true,
- "discoverdn": false,
- "groupattr": "cn",
- "groupdn": "ou=Groups,dc=example,dc=com",
- "groupfilter": "(\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))",
- "insecure_tls": false,
- "starttls": false,
- "tls_max_version": "tls12",
- "tls_min_version": "tls12",
- "url": "ldaps://ldap.myorg.com:636",
- "username_as_alias": false,
- "userattr": "samaccountname",
- "userdn": "ou=Users,dc=example,dc=com",
- "max_page_size": 1000
-}
-```
-
-## Read LDAP configuration
-
-This endpoint retrieves the LDAP configuration for the auth method.
-
-| Method | Path |
-| :----- | :------------------ |
-| `GET` | `/auth/ldap/config` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/auth/ldap/config
-```
-
-### Sample response
-
-```json
-{
- "auth": null,
- "warnings": null,
- "wrap_info": null,
- "data": {
- "binddn": "cn=vault,ou=Users,dc=example,dc=com",
- "bindpass": "",
- "certificate": "",
- "deny_null_bind": true,
- "discoverdn": false,
- "groupattr": "cn",
- "groupdn": "ou=Groups,dc=example,dc=com",
- "groupfilter": "(\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))",
- "insecure_tls": false,
- "starttls": false,
- "tls_max_version": "tls12",
- "tls_min_version": "tls12",
- "upndomain": "",
- "url": "ldaps://ldap.myorg.com:636",
- "username_as_alias": false,
- "userattr": "samaccountname",
- "userdn": "ou=Users,dc=example,dc=com"
- },
- "lease_duration": 0,
- "renewable": false,
- "lease_id": ""
-}
-```
-
-## List LDAP groups
-
-This endpoint returns a list of existing groups in the method.
-
-| Method | Path |
-| :----- | :------------------ |
-| `LIST` | `/auth/ldap/groups` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request LIST \
- http://127.0.0.1:8200/v1/auth/ldap/groups
-```
-
-### Sample response
-
-```json
-{
- "auth": null,
- "warnings": null,
- "wrap_info": null,
- "data": {
- "keys": ["scientists", "engineers"]
- },
- "lease_duration": 0,
- "renewable": false,
- "lease_id": ""
-}
-```
-
-## Read LDAP group
-
-This endpoint returns the policies associated with a LDAP group.
-
-| Method | Path |
-| :----- | :------------------------ |
-| `GET` | `/auth/ldap/groups/:name` |
-
-### Parameters
-
-- `name` `(string: )` – The name of the LDAP group
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/auth/ldap/groups/admins
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "policies": [
- "admin",
- "default"
- ]
- },
- "renewable": false,
- "lease_id": ""
- "lease_duration": 0,
- "warnings": null
-}
-```
-
-## Create/Update LDAP group
-
-This endpoint creates or updates LDAP group policies.
-
-| Method | Path |
-| :----- | :------------------------ |
-| `POST` | `/auth/ldap/groups/:name` |
-
-### Parameters
-
-- `name` `(string: )` – The name of the LDAP group
-- `policies` `(string: "")` – Comma-separated list of policies associated to the
- group.
-
-### Sample payload
-
-```json
-{
- "policies": "admin,default"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/ldap/groups/admins
-```
-
-## Delete LDAP group
-
-This endpoint deletes the LDAP group and policy association.
-
-| Method | Path |
-| :------- | :------------------------ |
-| `DELETE` | `/auth/ldap/groups/:name` |
-
-### Parameters
-
-- `name` `(string: )` – The name of the LDAP group
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request DELETE \
- http://127.0.0.1:8200/v1/auth/ldap/groups/admins
-```
-
-## List LDAP users
-
-This endpoint returns a list of existing users in the method.
-
-| Method | Path |
-| :----- | :----------------- |
-| `LIST` | `/auth/ldap/users` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request LIST \
- http://127.0.0.1:8200/v1/auth/ldap/users
-```
-
-### Sample response
-
-```json
-{
- "auth": null,
- "warnings": null,
- "wrap_info": null,
- "data": {
- "keys": ["mitchellh", "armon"]
- },
- "lease_duration": 0,
- "renewable": false,
- "lease_id": ""
-}
-```
-
-## Read LDAP user
-
-This endpoint returns the policies associated with a LDAP user.
-
-| Method | Path |
-| :----- | :--------------------------- |
-| `GET` | `/auth/ldap/users/:username` |
-
-### Parameters
-
-- `username` `(string: )` – The username of the LDAP user
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/auth/ldap/users/mitchellh
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "policies": [
- "admin",
- "default"
- ],
- "groups": ""
- },
- "renewable": false,
- "lease_id": ""
- "lease_duration": 0,
- "warnings": null
-}
-```
-
-## Create/Update LDAP user
-
-This endpoint creates or updates LDAP users policies and group associations.
-
-| Method | Path |
-| :----- | :--------------------------- |
-| `POST` | `/auth/ldap/users/:username` |
-
-### Parameters
-
-- `username` `(string: )` – The username of the LDAP user
-- `policies` `(string: "")` – Comma-separated list of policies associated to the
- user.
-- `groups` `(string: "")` – Comma-separated list of groups associated to the
- user.
-
-### Sample payload
-
-```json
-{
- "policies": "admin,default"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/ldap/users/mitchellh
-```
-
-## Delete LDAP user
-
-This endpoint deletes the LDAP user and policy association.
-
-| Method | Path |
-| :------- | :--------------------------- |
-| `DELETE` | `/auth/ldap/users/:username` |
-
-### Parameters
-
-- `username` `(string: )` – The username of the LDAP user
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request DELETE \
- http://127.0.0.1:8200/v1/auth/ldap/users/mitchellh
-```
-
-## Login with LDAP user
-
-This endpoint allows you to log in with LDAP credentials
-
-| Method | Path |
-| :----- | :--------------------------- |
-| `POST` | `/auth/ldap/login/:username` |
-
-### Parameters
-
-- `username` `(string: )` – The username of the LDAP user
-- `password` `(string: )` – The password for the LDAP user.
-When authenticating with the Vault CLI, i.e. `vault login -method=ldap username=mitchellh`
-the password can alternatively be supplied via the `VAULT_LDAP_PASSWORD` environment variable.
-
-### Sample payload
-
-```json
-{
- "password": "MyPassword1"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/ldap/login/mitchellh
-```
-
-### Sample response
-
-```json
-{
- "lease_id": "",
- "renewable": false,
- "lease_duration": 0,
- "data": null,
- "auth": {
- "client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",
- "policies": ["admins", "default"],
- "metadata": {
- "username": "mitchellh"
- },
- "lease_duration": 0,
- "renewable": false
- }
-}
-```
diff --git a/website/content/api-docs/auth/oci.mdx b/website/content/api-docs/auth/oci.mdx
deleted file mode 100644
index 2f32218c9d..0000000000
--- a/website/content/api-docs/auth/oci.mdx
+++ /dev/null
@@ -1,246 +0,0 @@
----
-layout: api
-page_title: OCI - Auth Methods - HTTP API
-description: This is the API documentation for the Vault OCI auth method plugin.
----
-
-> [!IMPORTANT]
-> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
-
-# OCI auth method (API)
-
-This is the API documentation for the Vault OCI auth method plugin. To
-learn more about the usage and operation, see the
-[Vault OCI auth method](/vault/docs/auth/oci).
-
-This documentation assumes the OCI method is mounted at the
-`/auth/oci` path in Vault. Since it is possible to enable auth methods at
-any location, please update your API calls accordingly.
-
-## Configure home tenancy method
-
-Configure your home tenancy in the Vault, so that only users or instances from your tenancy will be allowed to log into Vault, through the OCI Auth method.
-
-| Method | Path |
-| :----- | :----------------- |
-| `POST` | `/auth/oci/config` |
-
-### Parameters
-
-- `home_tenancy_id` `(string: )` - The Tenancy OCID of your OCI account.
-
-### Sample payload
-
-```json
-{
- "home_tenancy_id": "ocid1.tenancy.oc1..aaaaaaaah7zkvaffv26pzyauoe2zbnionqvhvsexamplee557wakiofi4ysgqq"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/oci/config
-```
-
-## Read config
-
-Returns the previously configured config.
-
-| Method | Path |
-| :----- | :----------------- |
-| `GET` | `/auth/oci/config` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/auth/oci/config
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "home_tenancy_id": "ocid1.tenancy.oc1..aaaaaaaah7zkvaffv26pzyauoe2zbnionqvhvsexamplee557wakiofi4ysgqq"
- }
-}
-```
-
-## Create/Update role
-
-Create a Vault administrator role in the OCI Auth method.
-
-| Method | Path |
-| :----- | :--------------------- |
-| `POST` | `/auth/oci/role/:name` |
-
-### Parameters
-
-- `name` `(string: )` - Name of the role.
-- `ocid_list` `(string: )` - A comma separated list of Group or Dynamic Group OCIDs that can take this role.
-
-@include 'tokenfields.mdx'
-
-### Sample payload
-
-```json
-{
- "ocid_list": "ocid1.group.oc1..aaaaaaaaiqnblimpvmegkqh3bxilrdvjobr7qd223g275idcqhexamplefq,ocid1.dynamicgroup.oc1..aaaaaaaa5hmfyrdaxvmt52ekju5n7ffamn2pdvxaq6esb2vzzoduexamplea",
- "token_policies": ["dev", "prod"],
- "token_ttl": 1800
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/oci/role/devrole
-```
-
-## Read role
-
-Returns the previously registered role configuration.
-
-| Method | Path |
-| :----- | :--------------------- |
-| `GET` | `/auth/oci/role/:name` |
-
-### Parameters
-
-- `name` `(string: )` - Name of the role.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/auth/oci/role/devrole
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "ocid_list": [
- "ocid1.group.oc1..aaaaaaaaiqnblimpvmegkqh3bxilrdvjobr7qd223g275idcqhexamplefq",
- "ocid1.dynamicgroup.oc1..aaaaaaaa5hmfyrdaxvmt52ekju5n7ffamn2pdvxaq6esb2vzzoduexamplea"
- ],
- "token_ttl": 1800,
- "token_policies": ["dev", "prod"]
- }
-}
-```
-
-## List roles
-
-Lists all the roles that are registered with the auth method.
-
-| Method | Path |
-| :----- | :------------------------- |
-| `LIST` | `/auth/oci/role` |
-| `GET` | `/auth/oci/role?list=true` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request LIST \
- http://127.0.0.1:8200/v1/auth/oci/role
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "keys": ["devrole", "prodrole"]
- }
-}
-```
-
-## Delete role
-
-Deletes the previously registered role.
-
-| Method | Path |
-| :------- | :--------------------- |
-| `DELETE` | `/auth/oci/role/:role` |
-
-### Parameters
-
-- `role` `(string: )` - Name of the role.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request DELETE \
- http://127.0.0.1:8200/v1/auth/oci/role/devrole
-```
-
-## Login
-
-Fetch a token. This endpoint takes signed request headers and
-a role name for some entity. It verifies the signed request headers to authenticate that
-entity and then authorizes the entity for the given role.
-
-| Method | Path |
-| :----- | :---------------------- |
-| `POST` | `/auth/oci/login/:role` |
-
-### Parameters
-
-- `role` `(string: )` - Name of the role against which the login is being attempted.
-- `request_headers` `(list: [])` - Signed request headers for authenticating. For details on signing, see [signing the request](https://docs.cloud.oracle.com/iaas/Content/API/Concepts/signingrequests.htm)
-
-### Sample payload
-
-```json
-{
- "request_headers": {
- "date": ["Fri, 22 Aug 2019 21:02:19 GMT"],
- "(request-target)": ["get /v1/auth/oci/login/devrole"],
- "host": ["127.0.0.1"],
- "content-type": ["application/json"],
- "authorization": [
- "Signature algorithm=\"rsa-sha256\",headers=\"date (request-target) host\",keyId=\"ocid1.tenancy.oc1..aaaaaaaaba3pv6wkcr4jqae5f15p2b2m2yt2j6rx32uzr4h25vqstifsfdsq/ocid1.user.oc1..aaaaaaaat5nvwcna5j6aqzjcaty5eqbb6qt2jvpkanghtgdaqedqw3rynjq/73:61:a2:21:67:e0:df:be:7e:4b:93:1e:15:98:a5:b7\",signature=\"GBas7grhyrhSKHP6AVIj/h5/Vp8bd/peM79H9Wv8kjoaCivujVXlpbKLjMPeDUhxkFIWtTtLBj3sUzaFj34XE6YZAHc9r2DmE4pMwOAy/kiITcZxa1oHPOeRheC0jP2dqbTll8fmTZVwKZOKHYPtrLJIJQHJjNvxFWeHQjMaR7M=\",version=\"1\""
- ]
- }
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/oci/login/devrole
-```
-
-### Sample response
-
-```json
-{
- "auth": {
- "token": "62b8ssf9-529c-6b26-e0b8-045fcdb4",
- "token_accessor": "afaff6d0-be3d-c8d2-b0d7-2676sss0d9b4",
- "token_policies": ["dev"],
- "token_duration": 1800
- }
-}
-```
diff --git a/website/content/api-docs/auth/okta.mdx b/website/content/api-docs/auth/okta.mdx
deleted file mode 100644
index 98e6831436..0000000000
--- a/website/content/api-docs/auth/okta.mdx
+++ /dev/null
@@ -1,437 +0,0 @@
----
-layout: api
-page_title: Okta - Auth Methods - HTTP API
-description: This is the API documentation for the Vault Okta auth method.
----
-
-> [!IMPORTANT]
-> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
-
-# Okta auth method (API)
-
-This is the API documentation for the Vault Okta auth method. For
-general information about the usage and operation of the Okta method, please
-see the [Vault Okta method documentation](/vault/docs/auth/okta).
-
-This documentation assumes the Okta method is mounted at the `/auth/okta`
-path in Vault. Since it is possible to enable auth methods at any location,
-please update your API calls accordingly.
-
-## Create configuration
-
-Configures the connection parameters for Okta. This path honors the
-distinction between the `create` and `update` capabilities inside ACL policies.
-
-| Method | Path |
-| :----- | :------------------ |
-| `POST` | `/auth/okta/config` |
-
-### Parameters
-
-- `org_name` `(string: )` - Name of the organization to be used in the
- Okta API.
-- `api_token` `(string: "")` - Okta API token. This is required to query Okta
- for user group membership. If this is not supplied only locally configured
- groups will be enabled.
- **Support for okta auth without api_token is deprecated in Vault 1.4**
-- `base_url` `(string: "")` - If set, will be used as the base domain
- for API requests. If unset, "okta.com" will be used. Other valid examples
- are oktapreview.com, and okta-emea.com.
-- `bypass_okta_mfa` `(bool: false)` - Whether to bypass an Okta MFA request.
- Useful if using one of Vault's built-in MFA mechanisms, but this will also
- cause certain other statuses to be ignored, such as `PASSWORD_EXPIRED`.
-
-@include 'tokenfields.mdx'
-
-### Sample payload
-
-```json
-{
- "org_name": "example",
- "api_token": "abc123"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/okta/config
-```
-
-## Read configuration
-
-Reads the Okta configuration.
-
-| Method | Path |
-| :----- | :------------------ |
-| `GET` | `/auth/okta/config` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/auth/okta/config
-```
-
-### Sample response
-
-```json
-{
- "request_id": "812229d7-a82e-0b20-c35b-81ce8c1b9fa6",
- "lease_id": "",
- "lease_duration": 0,
- "renewable": false,
- "data": {
- "base_url": "okta.com",
- "bypass_okta_mfa": false,
- "org_name": "example",
- "token_bound_cidrs": [],
- "token_explicit_max_ttl": 0,
- "token_max_ttl": 0,
- "token_no_default_policy": false,
- "token_num_uses": 0,
- "token_period": 0,
- "token_policies": [],
- "token_ttl": 0,
- "token_type": "default"
- },
- "warnings": null
-}
-```
-
-## List users
-
-List the users configured in the Okta method.
-
-| Method | Path |
-| :----- | :----------------- |
-| `LIST` | `/auth/okta/users` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request LIST \
- http://127.0.0.1:8200/v1/auth/okta/users
-```
-
-### Sample response
-
-```json
-{
- "auth": null,
- "warnings": null,
- "wrap_info": null,
- "data": {
- "keys": ["fred", "jane"]
- },
- "lease_duration": 0,
- "renewable": false,
- "lease_id": ""
-}
-```
-
-## Register user
-
-Registers a new user and maps a set of policies to it.
-
-| Method | Path |
-| :----- | :--------------------------- |
-| `POST` | `/auth/okta/users/:username` |
-
-### Parameters
-
-- `username` `(string: )` - Name of the user.
-- `groups` `(array: [])` - List or comma-separated string of groups associated with the user.
-- `policies` `(array: [])` - List or comma-separated string of policies associated with the user.
-
-```json
-{
- "policies": ["dev", "prod"]
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/okta/users/fred
-```
-
-## Read user
-
-Reads the properties of an existing username.
-
-| Method | Path |
-| :----- | :--------------------------- |
-| `GET` | `/auth/okta/users/:username` |
-
-### Parameters
-
-- `username` `(string: )` - Username for this user.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/auth/okta/users/test-user
-```
-
-### Sample response
-
-```json
-{
- "request_id": "812229d7-a82e-0b20-c35b-81ce8c1b9fa6",
- "lease_id": "",
- "lease_duration": 0,
- "renewable": false,
- "data": {
- "policies": ["default", "dev"],
- "groups": []
- },
- "warnings": null
-}
-```
-
-## Delete user
-
-Deletes an existing username from the method.
-
-| Method | Path |
-| :------- | :--------------------------- |
-| `DELETE` | `/auth/okta/users/:username` |
-
-### Parameters
-
-- `username` `(string: )` - Username for this user.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request DELETE \
- http://127.0.0.1:8200/v1/auth/okta/users/test-user
-```
-
-## List groups
-
-List the groups configured in the Okta method.
-
-| Method | Path |
-| :----- | :------------------ |
-| `LIST` | `/auth/okta/groups` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request LIST \
- http://127.0.0.1:8200/v1/auth/okta/groups
-```
-
-### Sample response
-
-```json
-{
- "auth": null,
- "warnings": null,
- "wrap_info": null,
- "data": {
- "keys": ["admins", "dev-users"]
- },
- "lease_duration": 0,
- "renewable": false,
- "lease_id": ""
-}
-```
-
-## Register group
-
-Registers a new group and maps a set of policies to it.
-
-| Method | Path |
-| :----- | :------------------------ |
-| `POST` | `/auth/okta/groups/:name` |
-
-### Parameters
-
-- `name` `(string: )` - The name of the group.
-- `policies` `(array: [])` - The list or comma-separated string of policies associated with the group.
-
-```json
-{
- "policies": ["dev", "prod"]
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/okta/groups/admins
-```
-
-## Read group
-
-Reads the properties of an existing group.
-
-| Method | Path |
-| :----- | :------------------------ |
-| `GET` | `/auth/okta/groups/:name` |
-
-### Parameters
-
-- `name` `(string: )` - The name for the group.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/auth/okta/groups/admins
-```
-
-### Sample response
-
-```json
-{
- "request_id": "812229d7-a82e-0b20-c35b-81ce8c1b9fa6",
- "lease_id": "",
- "lease_duration": 0,
- "renewable": false,
- "data": {
- "policies": ["default", "admin"]
- },
- "warnings": null
-}
-```
-
-## Delete group
-
-Deletes an existing group from the method.
-
-| Method | Path |
-| :------- | :------------------------ |
-| `DELETE` | `/auth/okta/groups/:name` |
-
-### Parameters
-
-- `name` `(string: )` - The name for the group.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request DELETE \
- http://127.0.0.1:8200/v1/auth/okta/users/test-user
-```
-
-## Login
-
-Login with the username and password.
-
-| Method | Path |
-| :----- | :--------------------------- |
-| `POST` | `/auth/okta/login/:username` |
-
-### Parameters
-
-- `username` `(string: )` - Username for this user.
-- `password` `(string: )` - Password for the authenticating user.
-- `totp` `(string: )` - Okta Verify TOTP passcode.
-- `provider` `(string: )` - MFA TOTP factor provider. `GOOGLE` and `OKTA` are currently supported.
-- `nonce` `(string: )` - Nonce provided during a login request to
- retrieve the number verification challenge for the matching request.
-
-### Sample payload
-
-```json
-{
- "password": "Password!"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/okta/login/fred
-```
-
-### Sample response
-
-```json
-{
- "lease_id": "",
- "renewable": false,
- "lease_duration": 0,
- "data": null,
- "warnings": null,
- "auth": {
- "client_token": "64d2a8f2-2a2f-5688-102b-e6088b76e344",
- "accessor": "18bb8f89-826a-56ee-c65b-1736dc5ea27d",
- "policies": ["default"],
- "metadata": {
- "username": "fred",
- "policies": "default"
- },
- "lease_duration": 7200,
- "renewable": true
- }
-}
-```
-
-## Verify
-
-Verify a number challenge that may result from an Okta Verify Push challenge.
-
-| Method | Path |
-| :----- | :--------------------------- |
-| `GET` | `/auth/okta/verify/:nonce` |
-
-### Parameters
-
-- `nonce` `(string: )` - Nonce provided if performing login that
-requires number verification challenge. Logins through the vault login CLI
-command will automatically generate a nonce.
-
-### Sample request
-
-```shell-session
-$ curl \
- http://127.0.0.1:8200/v1/auth/okta/verify/nonce/BCR66Ru6oJKPtC00PxJJ
-```
-
-### Sample response
-
-```json
-{
- "request_id": "de6a8029-79e5-1dd1-dbe9-6405166b3f94",
- "lease_id": "",
- "lease_duration": 0,
- "renewable": false,
- "data": {
- "correct_answer": 94
- },
- "warnings": null
-}
-```
-
diff --git a/website/content/api-docs/auth/radius.mdx b/website/content/api-docs/auth/radius.mdx
deleted file mode 100644
index 38163a7659..0000000000
--- a/website/content/api-docs/auth/radius.mdx
+++ /dev/null
@@ -1,236 +0,0 @@
----
-layout: api
-page_title: RADIUS - Auth Methods - HTTP API
-description: This is the API documentation for the Vault RADIUS auth method.
----
-
-> [!IMPORTANT]
-> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
-
-# RADIUS auth method (API)
-
-This is the API documentation for the Vault RADIUS auth method. For
-general information about the usage and operation of the RADIUS method, please
-see the [Vault RADIUS method documentation](/vault/docs/auth/radius).
-
-This documentation assumes the RADIUS method is mounted at the `/auth/radius`
-path in Vault. Since it is possible to enable auth methods at any location,
-please update your API calls accordingly.
-
-## Configure RADIUS
-
-Configures the connection parameters and shared secret used to communicate with
-RADIUS.
-
-| Method | Path |
-| :----- | :-------------------- |
-| `POST` | `/auth/radius/config` |
-
-### Parameters
-
-- `host` `(string: )` - The RADIUS server to connect to. Examples:
- `radius.myorg.com`, `127.0.0.1`
-- `port` `(integer: 1812)` - The UDP port where the RADIUS server is listening
- on. Defaults is 1812.
-- `secret` `(string: )` - The RADIUS shared secret.
-- `unregistered_user_policies` `(string: "")` - A comma-separated list of
- policies to be granted to unregistered users.
-- `dial_timeout` `(integer: 10)` - Number of second to wait for a backend
- connection before timing out. Default is 10.
-- `nas_port` `(integer: 10)` - The NAS-Port attribute of the RADIUS request.
- Defaults is 10.
-
-@include 'tokenfields.mdx'
-
-### Sample payload
-
-```json
-{
- "host": "radius.myorg.com",
- "port": 1812,
- "secret": "mySecret"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/radius/config
-```
-
-## Register user
-
-Registers a new user and maps a set of policies to it. This path honors the
-distinction between the `create` and `update` capabilities inside ACL policies.
-
-| Method | Path |
-| :----- | :----------------------------- |
-| `POST` | `/auth/radius/users/:username` |
-
-### Parameters
-
-- `username` `(string: )` - Username for this user.
-- `policies` `(string: "")` - Comma-separated list of policies. If set to
- empty string, only the `default` policy will be applicable to the user.
-
-```json
-{
- "policies": "dev,prod"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/radius/users/test-user
-```
-
-## Read user
-
-Reads the properties of an existing username.
-
-| Method | Path |
-| :----- | :----------------------------- |
-| `GET` | `/auth/radius/users/:username` |
-
-### Parameters
-
-- `username` `(string: )` - Username for this user.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/auth/radius/users/test-user
-```
-
-### Sample response
-
-```json
-{
- "request_id": "812229d7-a82e-0b20-c35b-81ce8c1b9fa6",
- "lease_id": "",
- "lease_duration": 0,
- "renewable": false,
- "data": {
- "policies": "default,dev"
- },
- "warnings": null
-}
-```
-
-## Delete user
-
-Deletes an existing username from the method.
-
-| Method | Path |
-| :------- | :----------------------------- |
-| `DELETE` | `/auth/radius/users/:username` |
-
-### Parameters
-
-- `username` `(string: )` - Username for this user.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request DELETE \
- http://127.0.0.1:8200/v1/auth/radius/users/test-user
-```
-
-## List users
-
-List the users registered with the method.
-
-| Method | Path |
-| :----- | :------------------- |
-| `LIST` | `/auth/radius/users` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request LIST \
- http://127.0.0.1:8200/v1/auth/radius/users
-```
-
-### Sample response
-
-```json
-{
- "auth": null,
- "warnings": null,
- "wrap_info": null,
- "data": {
- "keys": ["devuser", "produser"]
- },
- "lease_duration": 0,
- "renewable": false,
- "lease_id": ""
-}
-```
-
-## Login
-
-Login with the username and password.
-
-| Method | Path |
-| :----- | :----------------------------- |
-| `POST` | `/auth/radius/login` |
-| `POST` | `/auth/radius/login/:username` |
-
-### Parameters
-
-- `username` `(string: )` - Username for this user.
-- `password` `(string: )` - Password for the authenticating user.
-
-### Sample payload
-
-```json
-{
- "password": "Password!"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/radius/login/test-user
-```
-
-### Sample response
-
-```javascript
-{
- "lease_id": "",
- "renewable": false,
- "lease_duration": 0,
- "data": null,
- "warnings": null,
- "auth": {
- "client_token": "64d2a8f2-2a2f-5688-102b-e6088b76e344",
- "accessor": "18bb8f89-826a-56ee-c65b-1736dc5ea27d",
- "policies": ["default"],
- "metadata": {
- "username": "vishal"
- },
- },
- "lease_duration": 7200,
- "renewable": true
-}
-```
diff --git a/website/content/api-docs/auth/saml.mdx b/website/content/api-docs/auth/saml.mdx
deleted file mode 100644
index f5c2bd1a19..0000000000
--- a/website/content/api-docs/auth/saml.mdx
+++ /dev/null
@@ -1,458 +0,0 @@
----
-layout: api
-page_title: SAML - Auth Methods - HTTP API
-description: |-
- This is the API documentation for the Vault SAML auth method.
----
-
-> [!IMPORTANT]
-> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
-
-# SAML auth method (API)
-
-
-
-This is the API documentation for the Vault SAML auth method. To learn more about the
-usage and operation, see the [Vault SAML auth method documentation](/vault/docs/auth/saml).
-
-This documentation assumes the SAML auth method is mounted at the `/auth/saml` path in
-Vault. Since it is possible to enable auth methods at any location, please update your
-API calls accordingly.
-
-## Create or update configuration
-
-Configures the auth method with a SAML identity provider.
-
-| Method | Path |
-|:-----------| :------------------ |
-| `POST/PUT` | `/auth/saml/config` |
-
-### Parameters
-
-- `idp_metadata_url` `(string, )` - The metadata URL of the identity provider.
- Mutually exclusive with `idp_sso_url`, `idp_issuer` and `idp_cert`. Must be a
- well-formatted URL.
-- `idp_sso_url` `(string, )` - The SSO URL of the
- identity provider. Mutually exclusive with `idp_metadata_url`. Must be a
- well-formatted URL.
-- `idp_entity_id` `(string, )` - The entity ID of
- the identity provider. Mutually exclusive with `idp_metadata_url`.
-- `idp_cert` `(string, )` - The PEM-encoded
- certificate of the identity provider used to verify response and assertion signatures.
- Mutually exclusive with `idp_metadata_url`.
-- `entity_id` `(string, )` - The entity ID of the SAML authentication
- service provider. Must match entity ID configured for the application in the
- SAML identity provider.
-- `acs_urls` `(list, )` - The well-formated URLs of your Assertion
- Consumer Service (ACS) that should receive a response from the identity
- provider. Vault returns a security warning if any of the given URLs lack TLS
- protection.
-- `default_role` `(string, )` - The role to use if no role is provided during login.
- If not set, a role is required during login.
-- `verbose_logging` `(bool, false)` - **Not recommended for production**. Log
- additional, **potentially sensitive** information during the SAML exchange
- according to the current logging level. When `verbose_logging` is `true`,
- debug-level logs provide user attributes and trace-level logs provide the full
- SAML response.
-- `validate_response_signature` `(bool, false)` - Enables validation of signature
- for at least response in the SAML response. If your IDP allows signing both response
- and assertion, then recommendation is to opt in for validating signatures of both
- by enabling both options.
-- `validate_assertion_signature` `(bool, false)` - Enables validation of signature
- for at least assertion in the SAML response. If your IDP allows signing both response
- and assertion, then recommendation is to opt in for validating signatures of both
- by enabling both options.
-
-### Sample payload
-
-```json
-{
- "acs_urls": "https://my.vault/v1/auth/saml/callback",
- "default_role": "admin",
- "entity_id": "https://my.vault/v1/auth/saml",
- "idp_metadata_url": "https://company.okta.com/app/abc123eb9xnIfzlaf697/sso/saml/metadata"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request PUT \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/saml/config
-```
-
-## Read configuration
-
-Reads the auth method configuration.
-
-| Method | Path |
-| :------ | :------------------ |
-| `GET` | `/auth/saml/config` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request GET \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/saml/config
-```
-
-### Sample response
-
-```json
-{
- "request_id": "09c907d2-2dbe-8a5c-ca97-fad83195738b",
- "lease_id": "",
- "lease_duration": 0,
- "renewable": false,
- "data": {
- "acs_urls": [
- "https://my.vault/v1/auth/saml/callback"
- ],
- "default_role": "admin",
- "entity_id": "https://my.vault/v1/auth/saml",
- "idp_metadata_url": "https://company.okta.com/app/abc123eb9xnIfzlaf697/sso/saml/metadata"
- "validate_assertion_signature" : false,
- "validate_response_signature" : false
- },
- "warnings": null
-}
-```
-
-## Create or update role
-
-Configures a role in the auth method. Roles define specific constraints required for
-authentication and properties of resulting Vault tokens.
-
-| Method | Path |
-|:-----------|:-------------------------|
-| `POST/PUT` | `/auth/saml/role/:name` |
-
-### Parameters
-
-- `name` `(string: )` - URL parameter that provides the name of the role to create.
-- `bound_subjects` `(string: )` - The subject being asserted for SAML
- authentication. One of the provided values must match the subject returned in
- the SAML assertion from the identity provider.
-- `bound_subjects_type` `(string: )` - The type of matching assertion to perform
- on `bound_subjects`. If `string`, requires a direct string match. If `glob`, allows for
- wildcard matching using the `*` character.
-- `bound_attributes` `(map: )` - Mapping of attribute names to values that are
- expected to exist in the SAML assertion. The expected value may be a single string or a
- comma-separated list of strings. The user will be authenticated if the SAML attributes
- match at least one of the expected values.
-- `bound_attributes_type` `(string: "string")` - The type of matching assertion to perform
- on the key-value pairs provided by `bound_attributes`. If set to `string`, a direct string
- match is required. If set to `glob`, allows for wildcard matching using the `*` character.
-- `groups_attribute` `(string: )` - The attribute to use to identify the set of
- groups to which the user belongs. This will be used as the names for the Identity group
- aliases created due to a successful login.
-
-@include 'tokenfields.mdx'
-
-### Sample payload
-
-```json
-{
- "bound_attributes": "group=admin",
- "bound_subjects": "*@hashicorp.com",
- "bound_subjects_type": "glob",
- "token_policies": "writer",
- "ttl": "1h"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request PUT \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/saml/role/admin
-```
-
-## Read role
-
-Reads a configured role.
-
-| Method | Path |
-| :----- |:------------------------|
-| `GET` | `/auth/saml/role/:name` |
-
-### Parameters
-
-- `name` `(string: )` - URL parameter that provides the name of the
- role to read.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request GET \
- http://127.0.0.1:8200/v1/auth/saml/role/admin
-```
-
-### Sample response
-
-```json
-{
- "request_id": "3148ca9a-286e-a0a4-5a4b-31b6abb63d37",
- "lease_id": "",
- "lease_duration": 0,
- "renewable": false,
- "data": {
- "bound_attributes": {
- "group": [
- "admin"
- ]
- },
- "bound_attributes_type": "string",
- "bound_subjects": [
- "*@hashicorp.com"
- ],
- "bound_subjects_type": "glob",
- "groups_attribute": "",
- "token_bound_cidrs": [],
- "token_explicit_max_ttl": 0,
- "token_max_ttl": 0,
- "token_no_default_policy": false,
- "token_num_uses": 0,
- "token_period": 0,
- "token_policies": [
- "writer"
- ],
- "token_ttl": 0,
- "token_type": "default"
- },
- "warnings": null
-}
-```
-
-## List roles
-
-Lists all the configured roles.
-
-| Method | Path |
-| :----- | :---------------- |
-| `LIST` | `/auth/saml/role` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request GET \
- http://127.0.0.1:8200/v1/auth/saml/role?list=true
-```
-
-### Sample response
-
-```json
-[
- "admin",
- "operations"
-]
-```
-
-## Delete Role
-
-Deletes a configured role.
-
-| Method | Path |
-| :------- | :---------------------- |
-| `DELETE` | `/auth/saml/role/:name` |
-
-### Parameters
-
-- `name` `(string: )` - URL parameter that provides the name of the
- role to delete.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request DELETE \
- http://127.0.0.1:8200/v1/auth/saml/role/admin
-```
-
-## Obtain SSO service URL
-
-Starts a login flow by providing a SAML Single Sign-On (SSO) Service URL for the
-configured identity provider. The returned `token_poll_id` can be used to obtain
-the Vault token after the user is authenticated with the identity provider and the
-SAML response has passed validation.
-
-
-A Vault token is not required to interact with this API.
-
-
-| Method | Path |
-|:--------|:-----------------------------|
-| `POST` | `/auth/saml/sso_service_url` |
-
-### Parameters
-
-- `role` `(string, )` - The role name to use for the login flow.
- Defaults to the role configured with `default_role`.
-- `client_challenge` `(string, )` - The client challenge value. Must be the
- output of a base64-encoded, sha256 digest of the `client_verifier` eventually provided
- to the [Token API](/vault/api-docs/auth/saml#obtain-vault-token). Must be at least 44
- bytes in length.
-- `client_type` `(string, )` - The type of the requesting client. The response
- from the Assertion Consumer Service [Callback API](/vault/api-docs/auth/saml#assertion-consumer-service-callback)
- will differ based on the provided type. If `cli`, an HTML success page will be returned
- in the response. If `browser`, a blank HTML page will be returned in the response.
-- `acs_url` `(string, )` - The URL where the identity provider will send its
- SAML response. Must be in the set of configured [`acs_urls`](/vault/api-docs/auth/saml#acs_urls).
-
-### Sample payload
-
-```json
-{
- "acs_url": "https://my.vault/v1/auth/saml/callback",
- "client_challenge": "Z6+7owP80d1aHTha1kdixtT99JkvmG4TPSgbvDwZ70A=",
- "client_type": "cli",
- "role": "admin"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/saml/sso_service_url
-```
-
-### Sample response
-
-```json
-{
- "sso_service_url": "https://example.okta.com/app/abc123eb9xnIfzlaf697/id/sso/saml?RelayState=...&SAMLRequest=...",
- "token_poll_id": "ee442348-159b-df10-4c59-63050069df4d"
-}
-```
-
-## Assertion consumer service callback
-
-The assertion consumer service URL of the auth method. Completes the round trip from
-the identity provider and performs validations on the SAML response.
-
-
-A Vault token is not required to interact with this API.
-
-
-| Method | Path |
-|:--------|:----------------------|
-| `POST` | `/auth/saml/callback` |
-
-### Parameters
-
-- `RelayState` `(string, )` - The relay state from the original SAML
- authentication request that was returned by the identity provider.
-- `SAMLResponse` `(string, )` - The signed SAML response from the identity
- provider.
-
-### Sample payload
-
-```json
-{
- "RelayState": "0afe62a9-7b83-a182-0650-c749badfb900",
- "SAMLResponse": "..."
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/saml/callback
-```
-
-## Obtain vault token
-
-The token endpoint completes the login flow by returning a Vault token.
-
-
-A Vault token is not required to interact with this API.
-
-
-| Method | Path |
-|:--------|:-------------------|
-| `POST` | `/auth/saml/token` |
-
-### Parameters
-
-- `client_verifier` `(string, )` - The value which produced the `client_challenge`
- provided to the [SSO Service URL API](/vault/api-docs/auth/saml#obtain-sso-service-url)
- at the start of the authentication flow. Its base64-encoded, sha256 digest must match the
- `client_challenge` value.
-- `token_poll_id` `(string, )` - The `token_poll_id` value returned from the
- [SSO Service URL API](/vault/api-docs/auth/saml#obtain-sso-service-url) at the start of
- the authentication flow.
-
-### Sample payload
-
-```json
-{
- "client_verifier": "59634224-5869-6002-e0b1-35370b8f6b82",
- "token_poll_id": "ee442348-159b-df10-4c59-63050069df4d"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/saml/token
-```
-
-### Sample response
-
-```json
-{
- "request_id": "b16f7cf9-0970-2e64-69d6-f00d055e93c4",
- "lease_id": "",
- "lease_duration": 0,
- "renewable": false,
- "data": null,
- "warnings": null,
- "auth": {
- "client_token": "hvs.CAES...",
- "accessor": "Rl4gU4amxzBFpFBJixv8xJBK",
- "policies": [
- "default",
- "writer"
- ],
- "token_policies": [
- "default",
- "writer"
- ],
- "identity_policies": null,
- "metadata": {
- "role": "admin"
- },
- "orphan": true,
- "entity_id": "afd74442-6c48-3d2f-9449-689ce050ba88",
- "lease_duration": 3600,
- "renewable": true,
- "mfa_requirement": null
- }
-}
-```
diff --git a/website/content/api-docs/auth/scep.mdx b/website/content/api-docs/auth/scep.mdx
deleted file mode 100644
index 3af5c3ca04..0000000000
--- a/website/content/api-docs/auth/scep.mdx
+++ /dev/null
@@ -1,209 +0,0 @@
----
-layout: api
-page_title: SCEP - Auth Methods - HTTP API
-description: |-
- This is the API documentation for the Vault SCEP authentication
- method.
----
-
-> [!IMPORTANT]
-> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
-
-# SCEP auth method (API)
-
-Use the SCEP authentication plugin API to interact with a mounted plugin
-instance. For general information about the usage and operation of the
-SCEP method, refer to the [Vault SCEP method documentation](/vault/docs/auth/scep).
-
-
-## Create SCEP role
-
-Creates or updates a named SCEP role.
-
-| Method | Path |
-|:-------|:------------------------|
-| `POST` | `/auth/{mount_path}/role/:name` |
-
-### Parameters
-
-- `name` `(string: )` - The name of the SCEP role.
-- `display_name` `(string: "")` - The `display_name` value for tokens
- issued when authenticating against the role. Defaults to `name`.
-- `auth_type` `(enum: )` - Required authentication type for the SCEP
- role. Must be one of: `static-challenge`, `intune`.
-- `challenge` `(string: "")` - The authentication challenge to use when
- `auth_type` is `static-challenge`.
-
-@include 'tokenfields.mdx'
-
-### Sample payload
-
-```json
-{
- "auth_type": "static-challenge",
- "challenge": "super-secret-challenge",
- "display_name": "test",
- "token_policies": ["access-scep"],
- "token_type": "batch"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json
- http://127.0.0.1:8200/v1/auth/scep/role/static-challenge-1
-```
-
-### Sample response
-
-```json
-{
- "request_id": "c22d68ec-ac3d-ea24-d5d0-efe07dcc0ef6",
- "lease_id": "",
- "renewable": false,
- "lease_duration": 0,
- "data": {
- "auth_type": "static-challenge",
- "display_name": "test",
- "name": "static-challenge-1",
- "token_bound_cidrs": [],
- "token_explicit_max_ttl": 0,
- "token_max_ttl": 0,
- "token_no_default_policy": false,
- "token_num_uses": 0,
- "token_period": 0,
- "token_policies": [
- "access-scep"
- ],
- "token_ttl": 0,
- "token_type": "batch"
- },
- "wrap_info": null,
- "warnings": null,
- "auth": null,
- "mount_type": "scep"
-}
-```
-
-## Read SCEP role
-
-Get information associated with the named role.
-
-| Method | Path |
-|:-------|:------------------------|
-| `GET` | `/auth/{mount_path}/role/:name` |
-
-### Parameters
-
-- `name` `(string: )` - The name of the SCEP role.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/auth/scep/role/static-challenge-1
-```
-
-### Sample response
-
-```json
-{
- "request_id": "07c9bfcc-ee30-6ba9-fce8-07bae5033989",
- "lease_id": "",
- "renewable": false,
- "lease_duration": 0,
- "data": {
- "auth_type": "static-challenge",
- "display_name": "static-challenge-1",
- "name": "static-challenge-1",
- "token_bound_cidrs": [],
- "token_explicit_max_ttl": 0,
- "token_max_ttl": 0,
- "token_no_default_policy": false,
- "token_num_uses": 0,
- "token_period": 0,
- "token_policies": [
- "access-scep"
- ],
- "token_ttl": 0,
- "token_type": "batch"
- },
- "wrap_info": null,
- "warnings": null,
- "auth": null,
- "mount_type": "scep"
-}
-```
-
-## List SCEP roles
-
-List all currently configured SCEP role names.
-
-| Method | Path |
-| :----- | :----------------- |
-| `LIST` | `/auth/{mount_path}/role` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request LIST \
- http://127.0.0.1:8200/v1/auth/scep/role
-```
-
-### Sample response
-
-```json
-{
- "auth": null,
- "warnings": null,
- "wrap_info": null,
- "data": {
- "keys": ["static-challenge-1", "intune-1"]
- },
- "lease_duration": 0,
- "renewable": false,
- "lease_id": ""
-}
-```
-
-## Delete SCEP role
-
-Delete the named role.
-
-| Method | Path |
-|:---------|:------------------------|
-| `DELETE` | `/auth/{mount_path}/role/:name` |
-
-### Parameters
-
-- `name` `(string: )` - The name of the SCEP role.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request DELETE \
- http://127.0.0.1:8200/v1/auth/scep/role/static-challenge-1
-```
-
-## Login
-
-SCEP authentication endpoint for delegated authentication from a PKI mount.
-
-| Method | Path |
-|:-------|:-------------------|
-| `POST` | `/auth/{mount_path}/login` |
-
-### Parameters
-
-- `name` `(string: "")` - The SCEP role associated with the PKI mount. Leaving
- `name` unset tells Vault to try all SCEP roles and return the first one that
- matches.
diff --git a/website/content/api-docs/auth/token.mdx b/website/content/api-docs/auth/token.mdx
deleted file mode 100644
index 880fb322e7..0000000000
--- a/website/content/api-docs/auth/token.mdx
+++ /dev/null
@@ -1,854 +0,0 @@
----
-layout: api
-page_title: Token - Auth Methods - HTTP API
-description: This is the API documentation for the Vault token auth method.
----
-
-> [!IMPORTANT]
-> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
-
-# Token auth method (API)
-
-This is the API documentation for the Vault token auth method. For
-general information about the usage and operation of the token method, please
-see the [Vault Token method documentation](/vault/docs/auth/token).
-
-## List accessors
-
-This endpoint lists token accessor. This requires `sudo` capability, and access
-to it should be tightly controlled as the accessors can be used to revoke very
-large numbers of tokens and their associated leases at once.
-
-| Method | Path |
-| :----- | :---------------------- |
-| `LIST` | `/auth/token/accessors` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request LIST \
- http://127.0.0.1:8200/v1/auth/token/accessors
-```
-
-### Sample response
-
-```json
-{
- "auth": null,
- "warnings": null,
- "wrap_info": null,
- "data": {
- "keys": [
- "476ea048-ded5-4d07-eeea-938c6b4e43ec",
- "bb00c093-b7d3-b0e9-69cc-c4d85081165b"
- ]
- },
- "lease_duration": 0,
- "renewable": false,
- "lease_id": ""
-}
-```
-
-## Create token
-
-Creates a new token. Certain options are only available when called by a
-root token. If used via the `/auth/token/create-orphan` endpoint, a root
-token is not required to create an orphan token (otherwise set with the
-`no_parent` option). If used with a role name in the path, the token will
-be created against the specified role name; this may override options set
-during this call.
-
-| Method | Path |
-| :----- | :------------------------------ |
-| `POST` | `/auth/token/create` |
-| `POST` | `/auth/token/create-orphan` |
-| `POST` | `/auth/token/create/:role_name` |
-
-### Parameters
-
-- `id` `(string: "")` – The ID of the client token. Can only be specified by a
- root token. The ID provided may not contain a `.` character. Otherwise, the
- token ID is a randomly generated value.
-
- _Note:_ The ID should not start with the `s.` prefix.
-
-- `role_name` `(string: "")` – The name of the token role.
-- `policies` `(array: "")` – A list of policies for the token. This must be a
- subset of the policies belonging to the token making the request, unless
- the calling token is root or contains `sudo` capabilities to `auth/token/create`.
- If not specified, defaults to all the policies of the calling token.
-- `meta` `(map: {})` – A map of string to string valued metadata. This is
- passed through to the audit devices.
-- `no_parent` `(bool: false)` - This argument only has effect if used by a root
- or sudo caller. When set to true, the token created will not have a parent.
-- `no_default_policy` `(bool: false)` - If true the `default` policy will not be
- contained in this token's policy set.
-- `renewable` `(bool: true)` - Set to `false` to disable the ability of the token
- to be renewed past its initial TTL. Setting the value to `true` will allow
- the token to be renewable up to the system/mount maximum TTL.
-- `lease` `(string: "")` - DEPRECATED; use `ttl` instead
-- `ttl` `(string: "")` - The TTL period of the token, provided as "1h", where
- hour is the largest suffix. If not provided, the token is valid for the
- [default lease TTL](/vault/docs/configuration), or indefinitely if the
- root policy is used.
-- `type` `(string: "")` - The token type. Can be "batch" or "service". Defaults
- to the type specified by the role configuration named by `role_name`.
-- `explicit_max_ttl` `(string: "")` - If set, the token will have an explicit
- max TTL set upon it. This maximum token TTL _cannot_ be changed later, and
- unlike with normal tokens, updates to the system/mount max TTL value will
- have no effect at renewal time -- the token will never be able to be renewed
- or used past the value set at issue time.
-- `display_name` `(string: "token")` - The display name of the token.
-- `num_uses` `(integer: 0)` - The maximum uses for the given token. This can be
- used to create a one-time-token or limited use token. The value of 0 has no
- limit to the number of uses.
-- `period` `(string: "")` - If specified, the token will be periodic; it will have
- no maximum TTL (unless an "explicit-max-ttl" is also set) but every renewal
- will use the given period. Requires a root token or one with the sudo capability.
-- `entity_alias` `(string: "")` - Name of the entity alias to associate with
- during token creation. Only works in combination with `role_name` argument
- and used entity alias must be listed in `allowed_entity_aliases`. If this has
- been specified, the entity will not be inherited from the parent.
-
-### Sample payload
-
-```json
-{
- "policies": ["web", "stage"],
- "meta": {
- "user": "armon"
- },
- "ttl": "1h",
- "renewable": true
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/token/create
-```
-
-### Sample response
-
-```json
-{
- "request_id": "f00341c1-fad5-f6e6-13fd-235617f858a1",
- "lease_id": "",
- "renewable": false,
- "lease_duration": 0,
- "data": null,
- "wrap_info": null,
- "warnings": [
- "Policy \"stage\" does not exist",
- "Policy \"web\" does not exist"
- ],
- "auth": {
- "client_token": "s.wOrq9dO9kzOcuvB06CMviJhZ",
- "accessor": "B6oixijqmeR4bsLOJH88Ska9",
- "policies": ["default", "stage", "web"],
- "token_policies": ["default", "stage", "web"],
- "metadata": {
- "user": "armon"
- },
- "lease_duration": 3600,
- "renewable": true,
- "entity_id": "",
- "token_type": "service",
- "orphan": false,
- "num_uses": 0
- }
-}
-```
-
-## Lookup a token
-
-Returns information about the client token.
-
-| Method | Path |
-| :----- | :------------------- |
-| `POST` | `/auth/token/lookup` |
-
-### Parameters
-
-- `token` `(string: )` - Token to lookup.
-
-### Sample payload
-
-```json
-{
- "token": "ClientToken"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/token/lookup
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "accessor": "8609694a-cdbc-db9b-d345-e782dbb562ed",
- "creation_time": 1523979354,
- "creation_ttl": 2764800,
- "display_name": "ldap2-tesla",
- "entity_id": "7d2e3179-f69b-450c-7179-ac8ee8bd8ca9",
- "expire_time": "2018-05-19T11:35:54.466476215-04:00",
- "explicit_max_ttl": 0,
- "id": "cf64a70f-3a12-3f6c-791d-6cef6d390eed",
- "identity_policies": ["dev-group-policy"],
- "issue_time": "2018-04-17T11:35:54.466476078-04:00",
- "meta": {
- "username": "tesla"
- },
- "num_uses": 0,
- "orphan": true,
- "path": "auth/ldap2/login/tesla",
- "policies": ["default", "testgroup2-policy"],
- "renewable": true,
- "ttl": 2764790
- }
-}
-```
-
-## Lookup a token (Self)
-
-Returns information about the current client token.
-
-| Method | Path |
-| :----- | :------------------------ |
-| `GET` | `/auth/token/lookup-self` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/auth/token/lookup-self
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "accessor": "8609694a-cdbc-db9b-d345-e782dbb562ed",
- "creation_time": 1523979354,
- "creation_ttl": 2764800,
- "display_name": "ldap2-tesla",
- "entity_id": "7d2e3179-f69b-450c-7179-ac8ee8bd8ca9",
- "expire_time": "2018-05-19T11:35:54.466476215-04:00",
- "explicit_max_ttl": 0,
- "id": "cf64a70f-3a12-3f6c-791d-6cef6d390eed",
- "identity_policies": ["dev-group-policy"],
- "issue_time": "2018-04-17T11:35:54.466476078-04:00",
- "meta": {
- "username": "tesla"
- },
- "num_uses": 0,
- "orphan": true,
- "path": "auth/ldap2/login/tesla",
- "policies": ["default", "testgroup2-policy"],
- "renewable": true,
- "ttl": 2764790
- }
-}
-```
-
-## Lookup a token (Accessor)
-
-Returns information about the client token from the accessor.
-
-| Method | Path |
-| :----- | :---------------------------- |
-| `POST` | `/auth/token/lookup-accessor` |
-
-### Parameters
-
-- `accessor` `(string: )` - Token accessor to lookup.
-
-### Sample payload
-
-```json
-{
- "accessor": "8609694a-cdbc-db9b-d345-e782dbb562ed"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/token/lookup-accessor
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "accessor": "8609694a-cdbc-db9b-d345-e782dbb562ed",
- "creation_time": 1523979354,
- "creation_ttl": 2764800,
- "display_name": "ldap2-tesla",
- "entity_id": "7d2e3179-f69b-450c-7179-ac8ee8bd8ca9",
- "expire_time": "2018-05-19T11:35:54.466476215-04:00",
- "explicit_max_ttl": 0,
- "id": "",
- "identity_policies": ["dev-group-policy"],
- "issue_time": "2018-04-17T11:35:54.466476078-04:00",
- "meta": {
- "username": "tesla"
- },
- "num_uses": 0,
- "orphan": true,
- "path": "auth/ldap2/login/tesla",
- "policies": ["default", "testgroup2-policy"],
- "renewable": true,
- "ttl": 2763902
- }
-}
-```
-
-## Renew a token
-
-Renews a lease associated with a token. This is used to prevent the expiration
-of a token, and the automatic revocation of it. Token renewal is possible only
-if there is a lease associated with it.
-
-| Method | Path |
-| :----- | :------------------ |
-| `POST` | `/auth/token/renew` |
-
-### Parameters
-
-- `token` `(string: )` - Token to renew. This can be part of the URL
- or the body.
-- `increment` `(string: "")` - An optional requested increment duration can be
- provided. This increment may not be honored, for instance in the case of periodic tokens.
- If not supplied, Vault will use the default TTL. This is specified as a numeric string
- with suffix like "30s" or "5m".
-
-### Sample payload
-
-```json
-{
- "token": "ClientToken"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/token/renew
-```
-
-### Sample response
-
-```json
-{
- "auth": {
- "client_token": "ABCD",
- "policies": ["web", "stage"],
- "metadata": {
- "user": "armon"
- },
- "lease_duration": 3600,
- "renewable": true
- }
-}
-```
-
-## Renew a token (Self)
-
-Renews a lease associated with the calling token. This is used to prevent the
-expiration of a token, and the automatic revocation of it. Token renewal is
-possible only if there is a lease associated with it.
-
-| Method | Path |
-| :----- | :----------------------- |
-| `POST` | `/auth/token/renew-self` |
-
-### Parameters
-
-- `increment` `(string: "")` - An optional requested increment duration can be
- provided. This increment may not be honored, for instance in the case of periodic tokens.
- If not supplied, Vault will use the default TTL. This is specified as a numeric string
- with suffix like "30s" or "5m".
-
-### Sample payload
-
-```json
-{
- "increment": "1h"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/token/renew-self
-```
-
-### Sample response
-
-```json
-{
- "auth": {
- "client_token": "ABCD",
- "policies": ["web", "stage"],
- "metadata": {
- "user": "armon"
- },
- "lease_duration": 3600,
- "renewable": true
- }
-}
-```
-
-## Renew a token (Accessor)
-
-Renews a lease associated with a token using its accessor. This is used to
-prevent the expiration of a token, and the automatic revocation of it. Token
-renewal is possible only if there is a lease associated with it.
-
-| Method | Path |
-| :----- | :--------------------------- |
-| `POST` | `/auth/token/renew-accessor` |
-
-### Parameters
-
-- `accessor` `(string: )` - Accessor associated with the token to
- renew.
-- `increment` `(string: "")` - An optional requested lease increment can be
- provided. This increment may be ignored.
-
-### Sample payload
-
-```json
-{
- "accessor": "7JFKXuXKXa2D44YfDiovZ9aq"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/token/renew-accessor
-```
-
-### Sample response
-
-```json
-{
- "auth": {
- "client_token": "",
- "policies": ["web", "stage"],
- "metadata": {
- "user": "armon"
- },
- "lease_duration": 3600,
- "renewable": true
- }
-}
-```
-
-## Revoke a token
-
-Revokes a token and all child tokens. When the token is revoked, all dynamic secrets
-generated with it are also revoked.
-
-| Method | Path |
-| :----- | :------------------- |
-| `POST` | `/auth/token/revoke` |
-
-### Parameters
-
-- `token` `(string: )` - Token to revoke.
-
-### Sample payload
-
-```json
-{
- "token": "ClientToken"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/token/revoke
-```
-
-## Revoke a token (Self)
-
-Revokes the token used to call it and all child tokens. When the token is
-revoked, all dynamic secrets generated with it are also revoked.
-
-| Method | Path |
-| :----- | :------------------------ |
-| `POST` | `/auth/token/revoke-self` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- http://127.0.0.1:8200/v1/auth/token/revoke-self
-```
-
-## Revoke a token accessor
-
-Revoke the token associated with the accessor and all the child tokens. This is
-meant for purposes where there is no access to token ID but there is need to
-revoke a token and its children.
-
-| Method | Path |
-| :----- | :---------------------------- |
-| `POST` | `/auth/token/revoke-accessor` |
-
-### Parameters
-
-- `accessor` `(string: )` - Accessor of the token.
-
-### Sample payload
-
-```json
-{
- "accessor": "2c84f488-2133-4ced-87b0-570f93a76830"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/token/revoke-accessor
-```
-
-## Revoke token and orphan children
-
-Revokes a token but not its child tokens. When the token is revoked, all secrets
-generated with it are also revoked. All child tokens are orphaned, but can be
-revoked sub-sequently using `/auth/token/revoke/`. This is a root-protected
-endpoint.
-
-| Method | Path |
-| :----- | :-------------------------- |
-| `POST` | `/auth/token/revoke-orphan` |
-
-### Parameters
-
-- `token` `(string: )` - Token to revoke. This can be part of the URL
- or the body.
-
-### Sample payload
-
-```json
-{
- "token": "ClientToken"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/token/revoke-orphan
-```
-
-## Read token role
-
-Fetches the named role configuration.
-
-| Method | Path |
-| :----- | :----------------------------- |
-| `GET` | `/auth/token/roles/:role_name` |
-
-### Parameters
-
-- `role_name` `(string: )` - The name of the token role.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/auth/token/roles/nomad
-```
-
-### Sample response
-
-```javascript
-{
- "request_id": "075a19cd-4e56-a3ca-d956-7609819831ec",
- "lease_id": "",
- "lease_duration": 0,
- "renewable": false,
- "data": {
- "allowed_entity_aliases": [
- "my-entity-alias"
- ],
- "allowed_policies": [],
- "disallowed_policies": [],
- "allowed_policies_glob": [],
- "disallowed_policies_glob": [],
- "explicit_max_ttl": 0,
- "name": "nomad",
- "orphan": false,
- "path_suffix": "",
- "period": 0,
- "renewable": true,
- "token_explicit_max_ttl": 0,
- "token_no_default_policy": false,
- "token_period": 0,
- "token_type": "default-service"
- },
- "warnings": null
-}
-```
-
-## List token roles
-
-List available token roles.
-
-| Method | Path |
-| :----- | :------------------ |
-| `LIST` | `/auth/token/roles` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request LIST
- http://127.0.0.1:8200/v1/auth/token/roles
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "keys": ["role1", "role2"]
- }
-}
-```
-
-## Create/Update token role
-
-Creates (or replaces) the named role. Roles enforce specific behavior when
-creating tokens that allow token functionality that is otherwise not
-available or would require `sudo`/root privileges to access. Role
-parameters, when set, override any provided options to the `create`
-endpoints. The role name is also included in the token path, allowing all
-tokens created against a role to be revoked using the
-`/sys/leases/revoke-prefix` endpoint.
-
-| Method | Path |
-| :----- | :----------------------------- |
-| `POST` | `/auth/token/roles/:role_name` |
-
-### Parameters
-
-- `role_name` `(string: )` – The name of the token role.
-- `allowed_policies` `(list: [])` – If set, tokens can be created with any
- subset of the policies in this list, rather than the normal semantics of
- tokens being a subset of the calling token's policies. The parameter is a
- comma-delimited string of policy names. If at creation time
- `no_default_policy` is not set and `"default"` is not contained in
- `disallowed_policies` or glob matched in `disallowed_policies_glob`,
- the `"default"` policy will be added to the created token automatically.
-- `disallowed_policies` `(list: [])` – If set, successful token creation via
- this role will require that no policies in the given list are requested. The
- parameter is a comma-delimited string of policy names. Adding `"default"` to
- this list will prevent `"default"` from being added automatically to created
- tokens.
-- `allowed_policies_glob` `(list: [])` – If set, tokens can be created with any
- subset of glob matched policies in this list, rather than the normal semantics
- of tokens being a subset of the calling token's policies. The parameter is a
- comma-delimited string of policy name globs. If at creation time
- `no_default_policy` is not set and `"default"` is not contained in
- `disallowed_policies` or glob matched in `disallowed_policies_glob`,
- the `"default"` policy will be added to the created token automatically.
- If combined with `allowed_policies` policies need to only match one of the two
- lists to be permitted. Note that unlike `allowed_policies` the policies listed
- in `allowed_policies_glob` will not be added to the token when no policies are
- specified in the call to `/auth/token/create/:role_name`.
-- `disallowed_policies_glob` `(list: [])` – If set, successful token creation via
- this role will require that no requested policies glob match any of policies in
- this list. The parameter is a comma-delimited string of policy name globs.
- Adding any glob that matches `"default"` to this list will prevent `"default"`
- from being added automatically to created tokens.
- If combined with `disallowed_policies` policies need to only match one of the
- two lists to be blocked.
-- `orphan` `(bool: false)` - If `true`, tokens created against this policy will
- be orphan tokens (they will have no parent). As such, they will not be
- automatically revoked by the revocation of any other token.
-- `renewable` `(bool: true)` - Set to `false` to disable the ability of the token
- to be renewed past its initial TTL. Setting the value to `true` will allow
- the token to be renewable up to the system/mount maximum TTL.
-- `path_suffix` `(string: "")` - If set, tokens created against this role will
- have the given suffix as part of their path in addition to the role name. This
- can be useful in certain scenarios, such as keeping the same role name in the
- future but revoking all tokens created against it before some point in time.
- The suffix can be changed, allowing new callers to have the new suffix as part
- of their path, and then tokens with the old suffix can be revoked via
- `/sys/leases/revoke-prefix`.
-- `allowed_entity_aliases` `(string: "", or list: [])` - String or JSON list
- of allowed entity aliases. If set, specifies the entity aliases which are
- allowed to be used during token generation. This field supports globbing.
- Note that `allowed_entity_aliases` is not case sensitive.
-
-@include 'tokenstorefields.mdx'
-
-### Sample payload
-
-```json
- "allowed_policies": [
- "dev"
- ],
- "name": "nomad",
- "orphan": false,
- "bound_cidrs": ["127.0.0.1/32", "128.252.0.0/16"],
- "renewable": true,
- "allowed_entity_aliases": ["web-entity-alias", "app-entity-*"]
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST
- --data @payload.json
- http://127.0.0.1:8200/v1/auth/token/roles/nomad
-```
-
-## Delete token role
-
-This endpoint deletes the named token role.
-
-| Method | Path |
-| :------- | :----------------------------- |
-| `DELETE` | `/auth/token/roles/:role_name` |
-
-### Parameters
-
-- `role_name` `(string: )` - The name of the token role.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request DELETE \
- http://127.0.0.1:8200/v1/auth/token/roles/admins
-```
-
-## Tidy tokens
-
-Performs some maintenance tasks to clean up invalid entries that may remain
-in the token store. On Enterprise, Tidy will only impact the tokens in the
-specified namespace, or the root namespace if unspecified.
-
-Generally, running this is not needed unless upgrade notes or support personnel
-suggest it. There are two potential dangers to running tidy: first, this will
-perform a lot of read I/O to the storage method, as it will essentially reload the
-entirety of the token store into memory. Depending on how much cleanup is
-required (usually very little) there may also be a large number of writes.
-Second, this will cause Vault's memory usage to balloon up, because the default
-Vault internal cache is unlimited in size and every value read from storage will
-be cached. Listing the `/auth/token/accessors` endpoint is a good way to get
-some sense of the potential impact: tidy does this and more, so if this call creates problems
-for your cluster, it would be wise to give Vault more resources before attempting
-tidy. Note that the request may time out depending on
-[max duration](/vault/docs/configuration#default_max_request_duration)
-and your client's timeout configuration, make sure to allow it run to completion
-to properly judge the impact.
-
-Tidy will load every token accessor and cubbyhole in the namespace, as well
-as all the secondary index entries that are used to group tokens into trees so
-that parent token revocation also revokes child tokens.
-
-For each parent token listed in the secondary index, tidy will check if the token
-still exists in storage, and if not its child tokens that still exist will be
-made orphans, then the parent token will be removed from the secondary index.
-
-For each accessor found, tidy will check if the corresponding token still exists
-in storage, and if not will delete the accessor. If the token still exists in
-storage but shouldn't, tidy will try to revoke it and any child leases it might
-have, then delete the accessor.
-
-Finally, any cubbyhole entries that are associated with tokens which weren't deemed
-valid in the above steps will be deleted.
-
-| Method | Path |
-| :----- | :----------------- |
-| `POST` | `/auth/token/tidy` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- http://127.0.0.1:8200/v1/auth/token/tidy
-```
-
-### Sample response
-
-```json
-{
- "request_id": "84437c7f-36a1-6c1d-381d-14ec99217e94",
- "lease_id": "",
- "renewable": false,
- "lease_duration": 0,
- "data": null,
- "wrap_info": null,
- "warnings": [
- "Tidy operation successfully started. Any information from the operation will be printed to Vault's server logs."
- ],
- "auth": null
-}
-```
diff --git a/website/content/api-docs/auth/userpass.mdx b/website/content/api-docs/auth/userpass.mdx
deleted file mode 100644
index 7c3bc437f5..0000000000
--- a/website/content/api-docs/auth/userpass.mdx
+++ /dev/null
@@ -1,297 +0,0 @@
----
-layout: api
-page_title: Userpass - Auth Methods - HTTP API
-description: |-
- This is the API documentation for the Vault username and password
- auth method.
----
-
-> [!IMPORTANT]
-> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
-
-# Userpass auth method (HTTP API)
-
-This is the API documentation for the Vault Username & Password auth method. For
-general information about the usage and operation of the Username and Password method, please
-see the [Vault Userpass method documentation](/vault/docs/auth/userpass).
-
-This documentation assumes the Username & Password method is mounted at the `/auth/userpass`
-path in Vault. Since it is possible to enable auth methods at any location,
-please update your API calls accordingly.
-
-## Create/Update user
-
-Create a new user or update an existing user. This path honors the distinction between the `create` and `update` capabilities inside ACL policies.
-
-| Method | Path |
-| :----- | :------------------------------- |
-| `POST` | `/auth/userpass/users/:username` |
-
-### Parameters
-
-- `username` `(string: )` – The username for the user. Accepted characters: alphanumeric plus "_", "-", "." (underscore, hyphen and period); username cannot begin with a hyphen, nor can it begin or end with a period.
-- `password` `(string: )` - Password for the current user. Only required when creating the user. Mutually exclusive with `password_hash`.
-- `password_hash` `(string: )` - Pre-hashed password for the current user in bcrypt format. Mutually exclusive with `password`.
-
-@include 'tokenfields.mdx'
-
-### Sample payload
-
-```json
-{
- "password": "superSecretPassword",
- "token_policies": ["admin", "default"],
- "token_bound_cidrs": ["127.0.0.1/32", "128.252.0.0/16"]
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/userpass/users/mitchellh
-```
-
-### Examples
-
-Set role-level TTL values for a user named "alice" so the generated lease has a
-default TTL of 8 hours (28800 seconds) and maximum TTL of 12 hours
-(43200 seconds):
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: $VAULT_TOKEN" \
- --request POST \
- --data '{"token_ttl":"8h","token_max_ttl":"12h"}' \
- $VAULT_ADDR/v1/auth/userpass/users/alice
-```
-
-## Read user
-
-Reads the properties of an existing username.
-
-| Method | Path |
-| :----- | :------------------------------- |
-| `GET` | `/auth/userpass/users/:username` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/auth/userpass/users/mitchellh
-```
-
-### Sample response
-
-```json
-{
- "request_id": "0ad1be52-9398-4b3c-f58b-98e427406471",
- "lease_id": "",
- "renewable": false,
- "lease_duration": 0,
- "data": {
- "token_bound_cidrs": [
- "127.0.0.1",
- "128.252.0.0/16"
- ],
- "token_explicit_max_ttl": 0,
- "token_max_ttl": 0,
- "token_no_default_policy": false,
- "token_num_uses": 0,
- "token_period": 0,
- "token_policies": [
- "admin",
- "default"
- ],
- "token_ttl": 0,
- "token_type": "default"
- },
- "wrap_info": null,
- "warnings": null,
- "auth": null
-}
-```
-
-## Delete user
-
-This endpoint deletes the user from the method.
-
-| Method | Path |
-| :------- | :------------------------------- |
-| `DELETE` | `/auth/userpass/users/:username` |
-
-### Parameters
-
-- `username` `(string: )` - The username for the user.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request DELETE \
- http://127.0.0.1:8200/v1/auth/userpass/users/mitchellh
-```
-
-## Update password on user
-
-Update password for an existing user.
-
-| Method | Path |
-| :----- | :---------------------------------------- |
-| `POST` | `/auth/userpass/users/:username/password` |
-
-### Parameters
-
-- `username` `(string: )` – The username for the user.
-- `password` `(string: )` - The password for the user.
-
-### Sample payload
-
-```json
-{
- "password": "superSecretPassword2"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/userpass/users/mitchellh/password
-```
-
-## Update policies on user
-
-Update policies for an existing user.
-
-| Method | Path |
-| :----- | :---------------------------------------- |
-| `POST` | `/auth/userpass/users/:username/policies` |
-
-### Parameters
-
-- `username` `(string: )` – The username for the user.
-- `token_policies` `(array: [] or comma-delimited string: "")` - List of
- policies to encode onto generated tokens. Depending on the auth method, this
- list may be supplemented by user/group/other values.
-
-### Sample payload
-
-```json
-{
- "token_policies": ["policy1", "policy2"]
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/userpass/users/mitchellh/policies
-```
-
-## List users
-
-List available userpass users.
-
-| Method | Path |
-| :----- | :--------------------- |
-| `LIST` | `/auth/userpass/users` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request LIST \
- http://127.0.0.1:8200/v1/auth/userpass/users
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "keys": ["mitchellh", "armon"]
- }
-}
-```
-
-## Login
-
-Login with the username and password.
-
-| Method | Path |
-| :----- | :------------------------------- |
-| `POST` | `/auth/userpass/login/:username` |
-
-### Parameters
-
-- `username` `(string: )` – The username for the user.
-- `password` `(string: )` - The password for the user.
-
-### Sample payload
-
-```json
-{
- "password": "superSecretPassword2"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/auth/userpass/login/mitchellh
-```
-
-### Sample response
-
-```json
-{
- "request_id": "ae1882ba-f60a-7629-ce1a-6618c482de3e",
- "lease_id": "",
- "renewable": false,
- "lease_duration": 0,
- "data": null,
- "wrap_info": null,
- "warnings": null,
- "auth": {
- "client_token": "hvs.CAESIJyeFmhLYRWVXPJStT3fDP1ZdFkon_otuk1sJUpkfk_WGh4KHGh2cy5xdW9XVHBnVUwwbzB1ZEhzZkpkRmVoU08",
- "accessor": "iP2Lw1JXpjlALbgJSeIx51n7",
- "policies": [
- "default",
- "policy1",
- "policy2"
- ],
- "token_policies": [
- "default",
- "policy1",
- "policy2"
- ],
- "metadata": {
- "username": "mitchellh"
- },
- "lease_duration": 2764800,
- "renewable": true,
- "entity_id": "0660dce5-4f2c-926a-8b15-158901557d9d",
- "token_type": "service",
- "orphan": true,
- "mfa_requirement": null,
- "num_uses": 0
- }
-}
-```
diff --git a/website/content/api-docs/index.mdx b/website/content/api-docs/index.mdx
deleted file mode 100644
index 23bbfcd41e..0000000000
--- a/website/content/api-docs/index.mdx
+++ /dev/null
@@ -1,346 +0,0 @@
----
-layout: api
-page_title: HTTP API
-description: Vault has an HTTP API that can be used to control every aspect of Vault.
----
-
-> [!IMPORTANT]
-> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
-
-# HTTP API
-
-The Vault HTTP API gives you full access to Vault using [REST like HTTP verbs](https://en.wikipedia.org/wiki/Representational_state_transfer).
-Every aspect of Vault can be controlled using the APIs. The Vault CLI uses the
-HTTP API to access Vault similar to all other consumers.
-
-All API routes are prefixed with `/v1/`.
-
-This documentation is only for the v1 API, which is currently the only version.
-
-~> **Backwards compatibility:** At the current version, Vault does not yet
-promise backwards compatibility even with the v1 prefix. We'll remove this
-warning when this policy changes. At this point in time the core API (that
-is, `sys/` routes) change very infrequently, but various secrets engines/auth
-methods/etc. sometimes have minor changes to accommodate new features as
-they're developed.
-
-## Transport
-
-The API is expected to be accessed over a TLS connection at all times, with a
-valid certificate that is verified by a well-behaved client. It is possible to
-disable TLS verification for listeners, however, so API clients should expect
-to have to do both depending on user settings.
-
-## Authentication
-
-Once Vault is unsealed, almost every other operation requires a _client token_.
-A user may have a client token sent to them. The client token must be sent as
-either the `X-Vault-Token` HTTP Header or as `Authorization` HTTP Header using
-the `Bearer ` scheme.
-
-Otherwise, a client token can be retrieved using an [authentication
-engine](/vault/docs/auth).
-
-Each auth method has one or more unauthenticated login endpoints. These
-endpoints can be reached without any authentication, and are used for
-authentication to Vault itself. These endpoints are specific to each auth
-method.
-
-Responses from auth login methods that generate an authentication token are
-sent back to the client in JSON. The resulting token should be saved on the
-client or passed via the `X-Vault-Token` or `Authorization` header for future requests.
-
-## Parameter restrictions
-
-Several Vault APIs require specifying path parameters. The path parameter cannot end
-in periods. Otherwise, Vault will return a 404 unsupported path error.
-
-## Namespaces
-
-@include 'alerts/enterprise-and-hcp.mdx'
-
-When using [Namespaces](/vault/docs/enterprise/namespaces) the final path of the API
-request is relative to the `X-Vault-Namespace` header. For instance, if a
-request URI is `secret/foo` with the `X-Vault-Namespace` header set as `ns1/ns2/`,
-then the resulting request path to Vault will be `ns1/ns2/secret/foo`.
-
-Note that it is semantically equivalent to use the full path rather than the
-`X-Vault-Namespace` header, Vault will match the corresponding namespace
-based on correlating user input. Similar path results may be achieved if
-`X-Vault-Namespace` is set to `ns1/` with the request path of `ns2/secret/foo`
-as well, or otherwise if `X-Vault-Namespace` is omitted entirely and instead a
-complete path is provided such as: `ns1/ns2/secret/foo`.
-
-For example, the following two commands result in equivalent requests:
-
-```shell-session
-$ curl \
- -H "X-Vault-Token: f3b09679-3001-009d-2b80-9c306ab81aa6" \
- -H "X-Vault-Namespace: ns1/ns2/" \
- -X GET \
- http://127.0.0.1:8200/v1/secret/foo
-```
-
-```shell-session
-$ curl \
- -H "X-Vault-Token: f3b09679-3001-009d-2b80-9c306ab81aa6" \
- -X GET \
- http://127.0.0.1:8200/v1/ns1/ns2/secret/foo
-```
-
-Some APIs are only available in a limited number of namespaces. More details
-are available in the Namespace
-[documentation](/vault/docs/enterprise/namespaces#restricted-api-paths).
-
-
-
-When you are working with HCP Vault Dedicated, your request must specify the
-target namespace. In absence of an explicit namespace, Vault tries to send
-the request to `root` namespace which results in an error.
-
-The top-level namespace for HCP Vault Dedicated clusters is `admin`, so the
-requests must include `-H "X-Vault-Namespace: admin"` header or `admin` in the
-API endpoint path.
-
-
-
-## API operations
-
-Typically the request data, body and response data to and from Vault is in JSON.
-Vault sets the `Content-Type` header appropriately with its response and does
-not require it from the clients request.
-
-The demonstration below uses the [`KVv1` secrets engine](/vault/api-docs/secret/kv/kv-v1), which is a
-simple Key Value store. Please read [the API documentation of KV secret engines](/vault/api-docs/secret/kv)
-for details of `KVv1` compared to `KVv2` and how they differ in their URI paths
-as well as the features available in version 2 of the KV secrets engine.
-
-For `KVv1`, reading a secret using the HTTP API is done by issuing a GET:
-
-```text
-/v1/secret/foo
-```
-
-This maps to `secret/foo` where `foo` is the key in the `secret/` mount, which
-is mounted by default on a fresh Vault install and is of type `kv`.
-
-Here is an example of reading a secret using cURL:
-
-```shell-session
-$ curl \
- -H "X-Vault-Token: f3b09679-3001-009d-2b80-9c306ab81aa6" \
- -X GET \
- http://127.0.0.1:8200/v1/secret/foo
-```
-
-A few endpoints consume calls with `GET` query string parameters, but only if
-those parameters are not sensitive, especially since some load balancers will
-be able log these. Most endpoints that accept `POST` query string parameters
-expect those parameters in the request body.
-
-You can list secrets as well. To do this, either issue a `GET` with the query
-string parameter `list=true`, or you use the `LIST` HTTP verb. For the `kv` secrets
-engine, listing is allowed on directories only, which returns the keys at the
-requested path:
-
-```shell-session
-$ curl \
- -H "X-Vault-Token: f3b09679-3001-009d-2b80-9c306ab81aa6" \
- -X LIST \
- http://127.0.0.1:8200/v1/secret/
-```
-
-The API documentation uses `LIST` as the HTTP verb, but you can still use `GET`
-with the `?list=true` query string.
-
-If the list result is an empty set, Vault responds with status code 404 and the following JSON:
-
-```json
-{"errors":[]}
-```
-
-To make an API with specific data in request body, issue a `POST`:
-
-```text
-/v1/secret/foo
-```
-
-with a JSON body like:
-
-```javascript
-{
- "value": "bar"
-}
-```
-
-Here is an example of writing a secret using cURL:
-
-```shell-session
-$ curl \
- -H "X-Vault-Token: f3b09679-3001-009d-2b80-9c306ab81aa6" \
- -H "Content-Type: application/json" \
- -X POST \
- -d '{"data":{"value":"bar"}}' \
- http://127.0.0.1:8200/v1/secret/baz
-```
-
-Vault currently considers `PUT` and `POST` to be synonyms. Rather than trust a
-client's stated intentions, Vault engines can implement an existence check to
-discover whether an operation is actually a create or update operation based on
-the data already stored within Vault. This makes permission management via ACLs
-more flexible.
-
-A [KVv2 example](/vault/api-docs/secret/kv/kv-v2#sample-request-3) for the engine path of `secret` requires that URI is
-appended with ***`data/`*** prior to the secret name (`baz`) such as:
-
-```shell-session
-$ curl \
- -H "X-Vault-Token: f3b09679-3001-009d-2b80-9c306ab81aa6" \
- -H "Content-Type: application/json" \
- -X POST \
- -d '{"data":{"value":"bar"}}' \
- http://127.0.0.1:8200/v1/secret/data/baz
-```
-
-For more examples, please look at the Vault API client.
-
-## The `X-Vault-Request` header
-
-Requests that are sent to a [Vault Proxy][proxy] that is configured to use the
-`require_request_header` option must include the `X-Vault-Request` header
-entry, e.g.:
-
-```shell-session
-$ curl \
- -H "X-Vault-Token: f3b09679-3001-009d-2b80-9c306ab81aa6" \
- -H "X-Vault-Request: true" \
- -H "Content-Type: application/json" \
- -X POST \
- -d '{"value":"bar"}' \
- http://127.0.0.1:8200/v1/secret/baz
-```
-
-The Vault CLI always adds this header to every request, regardless of whether
-the request is being sent to a Vault Agent or directly to a Vault Server. In
-addition, the Vault SDK always adds this header to every request.
-
-## Help
-
-To retrieve the help for any API within Vault, including mounted engines, auth
-methods, etc. then append `?help=1` to any URL. If you have valid permission to
-access the path, then the help text will be returned as a markdown-formatted block
-in the `help` attribute of the response.
-
-Additionally, with the [OpenAPI generation](/vault/api-docs/system/internal-specs-openapi) in Vault, you will get back a small
-OpenAPI document in the `openapi` attribute. This document is relevant for the
-path you're looking up and any paths under it - also note paths in the OpenAPI
-document are relative to the initial path queried.
-
-
-Example request:
-
-```shell-session
-$ curl \
- -H "X-Vault-Token: f3b09679-3001-009d-2b80-9c306ab81aa6" \
- http://127.0.0.1:8200/v1/secret?help=1
-```
-
-Example response:
-
-```javascript
-{
- "help": "## DESCRIPTION\n\nThis backend provides a versioned key-value store. The kv backend reads and\nwrites arbitrary secrets to the storage backend. The secrets are\nencrypted/decrypted by Vault: they are never stored unencrypted in the backend\nand the backend never has an opportunity to see the unencrypted value. Each key\ncan have a configured number of versions, and versions can be retrieved based on\ntheir version numbers.\n\n## PATHS\n\nThe following paths are supported by this backend. To view help for\nany of the paths below, use the help command with any route matching\nthe path pattern. Note that depending on the policy of your auth token,\nyou may or may not be able to access certain paths.\n\n ^.*$\n\n\n ^config$\n Configures settings for the KV store\n\n ^data/(?P.*)$\n Write, Read, and Delete data in the Key-Value Store.\n\n ^delete/(?P.*)$\n Marks one or more versions as deleted in the KV store.\n\n ^destroy/(?P.*)$\n Permanently removes one or more versions in the KV store\n\n ^metadata/(?P.*)$\n Configures settings for the KV store\n\n ^undelete/(?P.*)$\n Undeletes one or more versions from the KV store.",
- "openapi": {
- "openapi": "3.0.2",
- "info": {
- "title": "HashiCorp Vault API",
- "description": "HTTP API that gives you full access to Vault. All API routes are prefixed with `/v1/`.",
- "version": "1.0.0",
- "license": {
- "name": "Mozilla Public License 2.0",
- "url": "https://www.mozilla.org/en-US/MPL/2.0"
- }
- },
- "paths": {
- "/.*": {},
- "/config": {
- "description": "Configures settings for the KV store",
- "x-vault-create-supported": true,
- "get": {
- "summary": "Read the backend level settings.",
- "tags": [
- "secrets"
- ],
- "responses": {
- "200": {
- "description": "OK"
- }
- }
- },
- ...[output truncated]...
- }
- }
-}
-```
-
-## Error response
-
-A common JSON structure is always returned to return errors:
-
-```javascript
-{
- "errors": [
- "message",
- "another message"
- ]
-}
-```
-
-This structure will be returned for any HTTP status greater than or equal to 400.
-
-## HTTP status codes
-
-The following HTTP status codes are used throughout the API. Vault tries to
-adhere to these whenever possible, but in case it doesn't -- then feel free to
-[raise a bug](https://github.com/hashicorp/vault/issues) for our attention!
-
-~> _Note_: Applications should be prepared to accept both `200` and `204` as
-success. `204` is simply an indication that there is no response body to parse,
-but API endpoints that indicate that they return a `204` may return a `200` if
-warnings are generated during the operation.
-
-- `200` - Success with data.
-- `204` - Success, no data returned.
-- `400` - Invalid request, missing or invalid data.
-- `403` - Forbidden, your authentication details are either incorrect, you
- don't have access to this feature, or - if CORS is enabled - you made a
- cross-origin request from an origin that is not allowed to make such
- requests.
-- `404` - Invalid path. This can both mean that the path truly doesn't exist or
- that you don't have permission to view a specific path. We use 404 in some
- cases to avoid state leakage. LIST requests with no results will also return 404s.
-- `405` - Unsupported operation. You tried to use a method inappropriate to
- the request path, e.g. a POST on an endpoint that only accepts GETs.
-- `412` - Precondition failed. Returned on Enterprise when a request can't be
- processed yet due to some missing eventually consistent data. Should be retried,
- perhaps with a little backoff.
- See [Vault Eventual Consistency](/vault/docs/enterprise/consistency).
-- `429` - Default return code for health status of standby nodes. This will
- likely change in the future.
-- `472` - Default return code for disaster recovery mode replication secondary and active.
-- `473` - Default return code for health status of performance standby nodes.
-- `500` - Internal server error. An internal error has occurred, try again
- later. If the error persists, report a bug.
-- `501` - Vault is not initialized.
-- `502` - A request to Vault required Vault making a request to a third party;
- the third party responded with an error of some kind.
-- `503` - Vault is down for maintenance or is currently sealed. Try again
- later.
-
-## Limits
-
-A maximum request size of 32MB is imposed to prevent a denial of service attack
-with arbitrarily large requests; this can be tuned per `listener` block in
-Vault's server configuration file.
-
-[proxy]: /vault/docs/agent-and-proxy/proxy#listener-stanza
diff --git a/website/content/api-docs/libraries.mdx b/website/content/api-docs/libraries.mdx
deleted file mode 100644
index 9a92535052..0000000000
--- a/website/content/api-docs/libraries.mdx
+++ /dev/null
@@ -1,226 +0,0 @@
----
-layout: api
-page_title: 'HTTP API: Libraries'
-description: >-
- List of official and community contributed libraries for interacting with the
- Vault HTTP API.
----
-
-> [!IMPORTANT]
-> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
-
-# Libraries
-
-The programming libraries listed on this page can be used to consume the API more conveniently.
-Some are officially maintained while others are provided by the community.
-
-For a step-by-step walkthrough on using these client libraries, see the [developer quickstart](/vault/docs/get-started/developer-qs).
-For copy-pastable code examples, see the [vault-examples](https://github.com/hashicorp/vault-examples) repo.
-
-## Official
-
-These libraries are officially maintained by HashiCorp.
-
-### Go
-
-- [Vault Go Client](https://github.com/hashicorp/vault/tree/main/api)
-
-```shell-session
-$ go get github.com/hashicorp/vault/api
-```
-
-[Example application](https://github.com/hashicorp/hello-vault-go)
-
-### Ruby
-
-@include 'alerts/deprecated.mdx'
-
-- [Vault Ruby Client](https://github.com/hashicorp/vault-ruby)
-
-```shell-session
-$ gem install vault
-```
-
-## Community
-
-These libraries are provided by the community.
-
-### Ansible
-
-- [ansible-vault](https://github.com/jhaals/ansible-vault) - Lookup plugin without third-party dependencies.
-- [Ansible Modules Hashivault](https://pypi.python.org/pypi/ansible-modules-hashivault)
-
-```shell-session
-$ pip install ansible-modules-hashivault
-```
-
-### C#
-
-- [VaultSharp](https://github.com/rajanadar/VaultSharp)
- - Supports .NET 4.6.x, 4.7.x, 4.8.x, .NET Standard 2.x, .NET 6.0, 7.0, and 8.0.
- - Supports every auth and secret backend supported by Vault, along with several system APIs.
-
-```shell-session
-$ Install-Package VaultSharp
-```
-
-- [Vault.NET](https://github.com/Chatham/Vault.NET)
-
-```shell-session
-$ Install-Package Vault
-```
-
-[Example application](https://github.com/hashicorp/hello-vault-dotnet)
-
-### C++
-
-- [libvault](https://github.com/abedra/libvault)
-
-### Clojure
-
-- [vault-clj](https://github.com/amperity/vault-clj)
-
-### Elixir
-
-- [libvault](https://hex.pm/packages/libvault)
-- [vaultex](https://hex.pm/packages/vaultex)
-
-### Erlang
-
-- [canal](https://github.com/rkallos/canal)
-
-### Go
-
-- [vaultgo](https://github.com/mittwald/vaultgo)
-
-```shell-session
-$ go get github.com/mittwald/vaultgo
-```
-
-### Haskell
-
-- [vault-tool](https://hackage.haskell.org/package/vault-tool)
-
-```shell-session
-$ cabal install vault-tool
-```
-
-- [gothic](http://hackage.haskell.org/package/gothic)
-
-```shell-session
-$ stack install gothic
-```
-
-### Java
-
-- [Quarkus Vault](https://github.com/quarkiverse/quarkus-vault)
-- [Spring Vault](https://github.com/spring-projects/spring-vault)
-- [vault-java-driver](https://github.com/jopenlibs/vault-java-driver)
-
-### Kotlin
-
-- [kault](https://github.com/Hansanto/kault)
-- [vault-kotlin](https://github.com/kunickiaj/vault-kotlin)
-
-### Node.js
-
-- [node-vault](https://github.com/kr1sp1n/node-vault)
-
-```shell-session
-$ npm install node-vault
-```
-
-- [node-vault](https://github.com/shahradelahi/node-vault) (Typescript)
-
-```shell-session
-$ npm install @litehex/node-vault
-```
-
-- [vaulTS](https://github.com/mittwald/vaulTS) (Github NPM Registry)
-
-```shell-session
-$ npm install @mittwald/vaults
-```
-
-- [vault-api](https://github.com/SaiHemanthBR/vault-api) (Typescript. Axios-like API)
-
-```shell-session
-$ npm install vault-api
-```
-
-- [loopback4-vault](https://github.com/sourcefuse/loopback4-vault) (LoopBack 4 Extension)
-
-```shell-session
-$ npm i @sourceloop/vault
-```
-
-### PHP
-
-- [vault-php-sdk](https://github.com/jippi/vault-php-sdk)
-
-```shell-session
-$ composer require jippi/vault-php-sdk
-```
-
-- [vault-php-sdk](https://github.com/violuke/vault-php-sdk) extended from jipppi
-
-```shell-session
-$ composer require violuke/vault-php-sdk
-```
-
-- [vault-php](https://github.com/CSharpRU/vault-php)
-
-```shell-session
-$ composer require csharpru/vault-php
-```
-
-- [vault-php](https://github.com/mittwald/vaultPHP)
-
-```shell-session
-$ composer require mittwald/vault-php
-```
-
-### PowerShell
-
-- [Zyborg.Vault](https://github.com/zyborg/Zyborg.Vault)
-
-```PowerShell
-Install-Module Zyborg.Vault
-```
-
-### Python
-
-- [HVAC](https://github.com/ianunruh/hvac)
-
-```shell-session
-$ pip install hvac
-```
-
-### R
-
-- [vaultr](https://github.com/vimc/vaultr)
-
-### Rust
-
-- [HashicorpVault](https://crates.io/crates/hashicorp_vault)
-- [vaultrs](https://crates.io/crates/vaultrs)
-
-### Scala
-
-- [scala-vault](https://github.com/janstenpickle/scala-vault)
-
-## Experimental
-
-### C#
-
-- [Vault DotNet Client](https://github.com/hashicorp/vault-client-dotnet) -
-Note that this is an experimental approach to auto-generating libraries from
-OpenAPI content and is not production-ready. We do not have plans to make
-this production-ready at this time.
-
-```shell-session
-# Install-Package HashiCorp.Vault
-```
-
-[Example application](https://github.com/hashicorp/vault-client-dotnet#getting-started)
-
diff --git a/website/content/api-docs/relatedtools.mdx b/website/content/api-docs/relatedtools.mdx
deleted file mode 100644
index 3816ddd988..0000000000
--- a/website/content/api-docs/relatedtools.mdx
+++ /dev/null
@@ -1,43 +0,0 @@
----
-layout: api
-page_title: Related Tools
-description: Short list of third-party tools that work with or are related to Vault.
----
-
-> [!IMPORTANT]
-> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
-
-# Related tools
-
-## HashiCorp tools
-
-- [Vault Agent](/vault/docs/agent-and-proxy/agent) can render Vault secrets either to files or directly into a child process as environment variables using `consul-template` templating syntax
-- [Vault Proxy](/vault/docs/agent-and-proxy/proxy) acts as an API Proxy for Vault, and can optionally allow or force interacting clients to use its automatically authenticated token
-- [Terraform Vault Provider](https://registry.terraform.io/providers/hashicorp/vault/latest/docs) can read from, write to, and configure Vault from [HashiCorp Terraform](https://www.terraform.io/)
-- [consul-template](https://github.com/hashicorp/consul-template) is a template renderer, notifier, and supervisor for HashiCorp Consul and Vault data
-- [vault-ssh-helper](https://github.com/hashicorp/vault-ssh-helper) can be used to enable one-time passwords for SSH authentication via Vault
-
-## Third-Party tools
-
-The following list of tools is maintained by the community of Vault users; HashiCorp has not tested or approved them and makes no claims as to their suitability or security.
-
-- [HashiCorp Vault Jenkins plugin](https://plugins.jenkins.io/hashicorp-vault-plugin) - a Jenkins plugin for injecting Vault secrets into the build environment
-- [Spring Vault](http://projects.spring.io/spring-vault/) - a Java Spring project for working with Vault secrets
-- [vault-exec](https://github.com/kmanning/vault_exec) - a shell wrapper to execute arbitrary scripts using temporary AWS credentials managed by Vault
-- [pouch](https://github.com/tuenti/pouch) - A set of tools to manage provisioning of secrets on hosts based on the AppRole authentication method of Vault
-- [vault-aws-creds](https://github.com/jantman/vault-aws-creds) - Python helper to export Vault-provided temporary AWS creds into the environment
-- [goldfish](https://github.com/Caiyeon/goldfish) - A Vault UI panel written with VueJS and Vault native Go API.
-- [vault-migrator](https://github.com/nebtex/vault-migrator) - A tool to migrate data between different Vault storage mechanisms
-- [Cryptr](https://github.com/adobe/cryptr) - a desktop Vault UI for Mac, Windows and Linux
-- [sequelize-vault](https://github.com/linyows/sequelize-vault) - A Sequelize plugin for easily integrating Vault secrets.
-- [ansible-modules-hashivault](https://github.com/TerryHowe/ansible-modules-hashivault) - An Ansible module for configuring most things in Vault including secrets, backends and policies.
-- [Docker credential helper](https://github.com/morningconsult/docker-credential-vault-login) - A program that automatically reads Docker credentials from your Vault server and passes them to the Docker daemon to authenticate to your Docker registry when pulling an image
-- [Cruise Daytona](https://github.com/cruise-automation/daytona) - An alternative implementation of the Vault client CLI for services and containers. Its core features are the ability to automate authentication, fetching of secrets, and automated token renewal. Support for AWS, GCP, & Kubernetes Vault Auth Backends.
-- [Vault-CRD](https://vault.koudingspawn.de/) - Synchronize secrets stored in HashiCorp Vault to Kubernetes Secrets for better GitOps without secrets stored in git manifest files.
-- [vsh](https://github.com/fishi0x01/vsh) - Interactive shell with tab-completion. Allows recursive operations on paths. Allows migration of secrets between both KV versions.
-- [vault-cli](https://github.com/IBM/vault-cli) - A yaml based automation tool that bootstraps Vault cluster(s) with the desired configuration (namespaces, endpoints, policies, roles, endpoint)
-- [vault-go](https://github.com/IBM/vault-go) - Helper Golang Vault types as Kubernetes Custom Resource Definitions (CRD)
-- [HashiBox](https://github.com/nunchistudio/hashibox) - Vagrant environment to simulate highly-available cloud with Consul, Nomad, Vault, and optional support for Waypoint. Community & Enterprise supported.
-- [vkv](https://github.com/FalcoSuessgott/vkv) - Recursively list key-values entries from Vaults KV2 engine in various formats.
-
-Want to add your own project, or one that you use? Additions are welcome via [pull requests](https://github.com/hashicorp/vault/blob/main/website/content/api-docs/relatedtools.mdx).
diff --git a/website/content/api-docs/secret/alicloud.mdx b/website/content/api-docs/secret/alicloud.mdx
deleted file mode 100644
index 42055387d6..0000000000
--- a/website/content/api-docs/secret/alicloud.mdx
+++ /dev/null
@@ -1,218 +0,0 @@
----
-layout: api
-page_title: AliCloud - Secrets Engines - HTTP API
-description: This is the API documentation for the Vault AliCloud secrets engine.
----
-
-> [!IMPORTANT]
-> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
-
-# AliCloud secrets engine (API)
-
-This is the API documentation for the Vault AliCloud secrets engine. For general
-information about the usage and operation of the AliCloud secrets engine, please see
-the [Vault AliCloud documentation](/vault/docs/secrets/alicloud).
-
-This documentation assumes the AliCloud secrets engine is enabled at the `/alicloud` path
-in Vault. Since it is possible to enable secrets engines at any location, please
-update your API calls accordingly.
-
-## Config management
-
-This endpoint configures the root RAM credentials to communicate with AliCloud. AliCloud
-will use credentials in the following order:
-
-1. [Environment variables](https://github.com/aliyun/alibaba-cloud-sdk-go/blob/master/sdk/auth/credentials/providers/env.go)
-2. A static credential configuration set at this endpoint
-3. Instance metadata (recommended)
-
-To use instance metadata, leave the static credential configuration unset.
-
-At present, this endpoint does not confirm that the provided AliCloud credentials are
-valid AliCloud credentials with proper permissions.
-
-Please see the [Vault AliCloud documentation](/vault/docs/secrets/alicloud) for
-the policies that should be attached to the access key you provide.
-
-| Method | Path |
-| :----- | :----------------- |
-| `POST` | `/alicloud/config` |
-| `GET` | `/alicloud/config` |
-
-### Parameters
-
-- `access_key` (string, required) - The ID of an access key with appropriate policies.
-- `secret_key` (string, required) - The secret for that key.
-
-### Sample post request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/alicloud/config
-```
-
-### Sample post payload
-
-```json
-{
- "access_key": "0wNEpMMlzy7szvai",
- "secret_key": "PupkTg8jdmau1cXxYacgE736PJj4cA"
-}
-```
-
-### Sample get response data
-
-```json
-{
- "access_key": "0wNEpMMlzy7szvai"
-}
-```
-
-## Role management
-
-The `role` endpoint configures how Vault will generate credentials for users of each role.
-
-### Parameters
-
-- `name` (string, required) – Specifies the name of the role to generate credentials against. This is part of the request URL.
-- `remote_policies` (string, optional) - The names and types of a pre-existing policies to be applied to the generate access token. Example: "name:AliyunOSSReadOnlyAccess,type:System".
-- `inline_policies` (string, optional) - The policy document JSON to be generated and attached to the access token.
-- `role_arn` (string, optional) - The ARN of a role that will be assumed to obtain STS credentials. See [Vault AliCloud documentation](/vault/docs/secrets/alicloud) regarding trusted actors.
-- `ttl` (int, optional) - The duration in seconds after which the issued token should expire. Defaults to 0, in which case the value will fallback to the system/mount defaults.
-- `max_ttl` (int, optional) - The maximum allowed lifetime of tokens issued using this role.
-
-| Method | Path |
-| :------- | :-------------------------- |
-| `GET` | `/alicloud/role` |
-| `POST` | `/alicloud/role/:role_name` |
-| `GET` | `/alicloud/role/:role_name` |
-| `DELETE` | `/alicloud/role/:role_name` |
-
-### Sample post request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/alicloud/role/my-application
-```
-
-### Sample post payload using policies
-
-```json
-{
- "remote_policies": [
- "name:AliyunOSSReadOnlyAccess,type:System",
- "name:AliyunRDSReadOnlyAccess,type:System"
- ],
- "inline_policies": "[{\"Statement\": [{\"Action\": [\"ram:Get*\",\"ram:List*\"],\"Effect\": \"Allow\",\"Resource\": \"*\"}],\"Version\": \"1\"}]"
-}
-```
-
-### Sample get role response using policies
-
-```json
-{
- "inline_policies": [
- {
- "hash": "49796debb24d39b7a61485f9b0c97e04",
- "policy_document": {
- "Statement": [
- {
- "Action": ["ram:Get*", "ram:List*"],
- "Effect": "Allow",
- "Resource": "*"
- }
- ],
- "Version": "1"
- }
- }
- ],
- "max_ttl": 0,
- "remote_policies": [
- {
- "name": "AliyunOSSReadOnlyAccess",
- "type": "System"
- },
- {
- "name": "AliyunRDSReadOnlyAccess",
- "type": "System"
- }
- ],
- "role_arn": "",
- "ttl": 0
-}
-```
-
-### Sample post payload using Assume-Role
-
-```json
-{
- "role_arn": "acs:ram::5138828231865461:role/hastrustedactors"
-}
-```
-
-### Sample get role response using Assume-Role
-
-```json
-{
- "inline_policies": null,
- "max_ttl": 0,
- "remote_policies": null,
- "role_arn": "acs:ram::5138828231865461:role/hastrustedactors",
- "ttl": 0
-}
-```
-
-### Sample list roles response
-
-Performing a `LIST` on the `/alicloud/roles` endpoint will list the names of all the roles Vault contains.
-
-```json
-["policy-based", "role-based"]
-```
-
-## Generate RAM credentials
-
-This endpoint generates dynamic RAM credentials based on the named role. This
-role must be created before queried.
-
-| Method | Path |
-| :----- | :---------------------- |
-| `GET` | `/alicloud/creds/:name` |
-
-### Parameters
-
-- `name` (string, required) – Specifies the name of the role to generate credentials against. This is part of the request URL.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/alicloud/creds/example-role
-```
-
-### Sample response for roles using policies
-
-```json
-{
- "access_key": "0wNEpMMlzy7szvai",
- "secret_key": "PupkTg8jdmau1cXxYacgE736PJj4cA"
-}
-```
-
-### Sample response for roles using Assume-Role
-
-```json
-{
- "access_key": "STS.L4aBSCSJVMuKg5U1vFDw",
- "expiration": "2018-08-15T22:04:07Z",
- "secret_key": "wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pKCNZ9",
- "security_token": "CAESrAIIARKAAShQquMnLIlbvEcIxO6wCoqJufs8sWwieUxu45hS9AvKNEte8KRUWiJWJ6Y+YHAPgNwi7yfRecMFydL2uPOgBI7LDio0RkbYLmJfIxHM2nGBPdml7kYEOXmJp2aDhbvvwVYIyt/8iES/R6N208wQh0Pk2bu+/9dvalp6wOHF4gkFGhhTVFMuTDRhQlNDU0pWTXVLZzVVMXZGRHciBTQzMjc0KgVhbGljZTCpnJjwySk6BlJzYU1ENUJuCgExGmkKBUFsbG93Eh8KDEFjdGlvbkVxdWFscxIGQWN0aW9uGgcKBW9zczoqEj8KDlJlc291cmNlRXF1YWxzEghSZXNvdXJjZRojCiFhY3M6b3NzOio6NDMyNzQ6c2FtcGxlYm94L2FsaWNlLyo="
-}
-```
diff --git a/website/content/api-docs/secret/aws.mdx b/website/content/api-docs/secret/aws.mdx
deleted file mode 100644
index d2ccef0fe5..0000000000
--- a/website/content/api-docs/secret/aws.mdx
+++ /dev/null
@@ -1,862 +0,0 @@
----
-layout: api
-page_title: AWS - Secrets Engines - HTTP API
-description: This is the API documentation for the Vault AWS secrets engine.
----
-
-> [!IMPORTANT]
-> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
-
-# AWS secrets engine (API)
-
-This is the API documentation for the Vault AWS secrets engine. For general
-information about the usage and operation of the AWS secrets engine, please see
-the [Vault AWS documentation](/vault/docs/secrets/aws).
-
-This documentation assumes the AWS secrets engine is enabled at the `/aws` path
-in Vault. Since it is possible to enable secrets engines at any location, please
-update your API calls accordingly.
-
-## Configure root credentials
-
-This endpoint configures the root credentials to communicate with AWS. Credentials
-can be configured either with IAM access keys for a privileged AWS account, or using
-Plugin Workload Identity Federation (WIF).
-
-### IAM
-
-There are multiple ways to pass root IAM credentials to the Vault server, specified
-below with the highest precedence first. If credentials already exist, this will
-overwrite them.
-
-The official AWS SDK is used for sourcing credentials from env vars, shared
-files, or IAM/ECS instances.
-
-- Static credentials provided to the API as a payload
-
-- [Plugin workload identity federation](/vault/docs/secrets/aws#plugin-workload-identity-federation-wif)
- credentials
-
-- Credentials in the `AWS_ACCESS_KEY`, `AWS_SECRET_KEY`, and `AWS_REGION`
- environment variables **on the server**
-
-- Shared credentials files
-
-- Assigned IAM role or ECS task role credentials
-
-At present, this endpoint does not confirm that the provided AWS credentials are
-valid AWS credentials with proper permissions.
-
-| Method | Path |
-| :----- | :----------------- |
-| `POST` | `/aws/config/root` |
-
-### Parameters
-
-- `max_retries` `(int: -1)` - Number of max retries the client should use for
- recoverable errors. The default (`-1`) falls back to the AWS SDK's default
- behavior.
-
-- `access_key` `(string: "")` – Specifies the AWS access key ID. Mutually exclusive with
- `identity_token_audience`.
-
-- `secret_key` `(string: "")` – Specifies the AWS secret access key. Must be provided with
- `access_key`.
-
-- `role_arn` `(string: "")` – Role ARN to assume
- for plugin workload identity federation. Required with `identity_token_audience`.
-
-- `identity_token_audience` `(string: "")` - The
- audience claim value for plugin identity tokens. Must match an allowed audience configured
- for the target [IAM OIDC identity provider](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html#manage-oidc-provider-console).
- Mutually exclusive with `access_key`.
-
-- `identity_token_ttl` `(string/int: 3600)` - The
- TTL of generated tokens. Defaults to 1 hour. Uses [duration format strings](/vault/docs/concepts/duration-format).
-
-- `region` `(string: )` – Specifies the AWS region. If not set it
- will use the `AWS_REGION` env var, `AWS_DEFAULT_REGION` env var, or
- `us-east-1` in that order.
-
-- `iam_endpoint` `(string: )` – Specifies a custom HTTP IAM endpoint to use.
-
-- `sts_endpoint` `(string: )` – Specifies a custom HTTP STS endpoint to use.
-
-- `sts_region` `(string: )` - Specifies a custom STS region to use (should match `sts_endpoint`)
-
-- `sts_fallback_endpoints` `(list: )` - Specifies an ordered list of fallback STS endpoints to use
-
-- `sts_fallback_regions` `(list: )` - Specifies an ordered list of fallback STS regions to use (should match fallback endpoints)
-
-- `username_template` `(string: )` - [Template](/vault/docs/concepts/username-templating) describing how
- dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters)
- and STS usernames (capped at 32 characters). Longer usernames result in a 500 error.
-
- To ensure generated usernames are within length limits for both STS/IAM, the template must adequately handle
- both conditional cases (see [Conditional Templates](https://pkg.go.dev/text/template)). As an example, if no template
- is provided the field defaults to the template below. It is to be noted that, DisplayName is the name of the vault
- authenticated user running the AWS credential generation and PolicyName is the name of the Role for which the
- credential is being generated for:
-
- ```
- {{ if (eq .Type "STS") }}
- {{ printf "vault-%s-%s" (unix_time) (random 20) | truncate 32 }}
- {{ else }}
- {{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}
- {{ end }}
- ```
-
-@include 'rotationfields.mdx'
-
-### Sample payload
-
-```json
-{
- "access_key": "AKIA...",
- "secret_key": "2J+...",
- "region": "us-east-1"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/aws/config/root
-```
-
-## Read root configuration
-
-This endpoint allows you to read non-secure values that have been configured in the
-`config/root` endpoint. In particular, the `secret_key` parameter is never returned.
-
-| Method | Path |
-| :----- | :----------------- |
-| `GET` | `/aws/config/root` |
-
-### Sample request
-
-```shell-session
-$ curl
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/aws/config/root
-
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "access_key": "AKIAEXAMPLE",
- "region": "us-west-2",
- "iam_endpoint": "https://iam.amazonaws.com",
- "sts_endpoint": "https://sts.us-west-2.amazonaws.com",
- "max_retries": -1
- }
-}
-```
-
-## Rotate root IAM credentials
-
-When you have configured Vault with static credentials, you can use this
-endpoint to have Vault rotate the access key it used. Note that, due to AWS
-eventual consistency, after calling this endpoint, subsequent calls from Vault
-to AWS may fail for a few seconds until AWS becomes consistent again.
-
-In order to call this endpoint, Vault's AWS access key MUST be the only access
-key on the IAM user; otherwise, generation of a new access key will fail. Once
-this method is called, Vault will now be the only entity that knows the AWS
-secret key is used to access AWS.
-
-| Method | Path |
-| :----- | :------------------------ |
-| `POST` | `/aws/config/rotate-root` |
-
-### Parameters
-
-There are no parameters to this operation.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- http://127.0.0.1:8200/v1/aws/config/rotate-root
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "access_key": "AKIA..."
- }
-}
-```
-
-The new access key Vault uses is returned by this operation.
-
-## Configure lease
-
-This endpoint configures lease settings for the AWS secrets engine. It is
-optional, as there are default values for `lease` and `lease_max`.
-
-| Method | Path |
-| :----- | :------------------ |
-| `POST` | `/aws/config/lease` |
-
-### Parameters
-
-- `lease` `(string: )` – Specifies the lease value provided as a
- string duration with time suffix. "h" (hour) is the largest suffix.
-
-- `lease_max` `(string: )` – Specifies the maximum lease value
- provided as a string duration with time suffix. "h" (hour) is the largest
- suffix.
-
-### Sample payload
-
-```json
-{
- "lease": "30m",
- "lease_max": "12h"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/aws/config/lease
-```
-
-## Read lease
-
-This endpoint returns the current lease settings for the AWS secrets engine.
-
-| Method | Path |
-| :----- | :------------------ |
-| `GET` | `/aws/config/lease` |
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/aws/config/lease
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "lease": "30m0s",
- "lease_max": "12h0m0s"
- }
-}
-```
-
-## Create/Update role
-
-This endpoint creates or updates the role with the given `name`. If a role with
-the name does not exist, it will be created. If the role exists, it will be
-updated with the new attributes.
-
-| Method | Path |
-| :----- | :----------------- |
-| `POST` | `/aws/roles/:name` |
-
-### Parameters
-
-- `name` `(string: )` – Specifies the name of the role to create. This
- is part of the request URL.
-
-- `credential_type` `(string: )` – Specifies the type of credential to be used when
- retrieving credentials from the role. Must be one of `iam_user`,
- `assumed_role`, `federation_token`, or `session_token`.
-
-- `role_arns` `(list: [])` – Specifies the ARNs of the AWS roles this Vault role
- is allowed to assume. Required when `credential_type` is `assumed_role` and
- prohibited otherwise. This is a comma-separated string or JSON array.
-
-- `policy_arns` `(list: [])` – Specifies a list of AWS managed policy ARN. The
- behavior depends on the credential type. With `iam_user`, the policies will
- be attached to IAM users when they are requested. With `assumed_role` and
- `federation_token`, the policy ARNs will act as a filter on what the
- credentials can do, similar to `policy_document`.
- When `credential_type` is `iam_user` or `federation_token`, at
- least one of `policy_arns` or `policy_document` must be specified. This is a
- comma-separated string or JSON array. When using `session_token`, this field
- is disallowed.
-
-- `policy_document` `(string)` – The IAM policy document for the role. The
- behavior depends on the credential type. With `iam_user`, the policy document
- will be attached to the IAM user generated and augment the permissions the IAM
- user has. With `assumed_role` and `federation_token`, the policy document will
- act as a filter on what the credentials can do, similar to `policy_arns`. With
- `session_token`, this field is disallowed.
-
-- `iam_groups` `(list: [])` - A list of IAM group names. IAM users generated
- against this vault role will be added to these IAM Groups. For a credential
- type of `assumed_role` or `federation_token`, the policies sent to the
- corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the
- policies from each group in `iam_groups` combined with the `policy_document`
- and `policy_arns` parameters.
-
-- `iam_tags` `(list: [])` - A list of strings representing a key/value pair to be used as a
- tag for any `iam_user` user that is created by this role. Format is a key and value
- separated by an `=` (e.g. `test_key=value`). Note: when using the CLI multiple tags
- can be specified in the role configuration by adding another `iam_tags` assignment
- in the same command.
-
-- `default_sts_ttl` `(string)` - The default TTL for STS credentials. When a TTL is not
- specified when STS credentials are requested, and a default TTL is specified
- on the role, then this default TTL will be used. Valid only when
- `credential_type` is one of `assumed_role` or `federation_token`.
-
-- `max_sts_ttl` `(string)` - The max allowed TTL for STS credentials (credentials
- TTL are capped to `max_sts_ttl`). Valid only when `credential_type` is one of
- `assumed_role` or `federation_token`.
-
-- `session_tags` `(list: [])` - The set of key-value pairs to be included as tags for the STS session.
- Allowed formats are a map of strings or a list of strings in the format `key=value`.
- Valid only when `credential_type` is set to `assumed_role`.
-
-- `external_id` `(string)` - The external ID to use when assuming the role.
- Valid only when `credential_type` is set to `assumed_role`.
-
-- `user_path` `(string)` - The path for the user name. Valid only when
- `credential_type` is `iam_user`. Default is `/`
-
-- `permissions_boundary_arn` `(string)` - The ARN of the [AWS Permissions
- Boundary](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
- to attach to IAM users created in the role. Valid only when `credential_type`
- is `iam_user`. If not specified, then no permissions boundary policy will be
- attached.
-
-- `mfa_serial_number` `(string)` - The ARN or hardware device number of the device configured
- to the IAM user for multi-factor authentication. Only required if the IAM user has an MFA device
- set up in AWS.
-
-Legacy parameters:
-
-These parameters are supported for backwards compatibility only. They cannot be
-mixed with the parameters listed above.
-
-- `policy` `(string: )` – Specifies the IAM policy
- in JSON format.
-
-- `arn` `(string: )` – Specifies the full ARN
- reference to the desired existing policy.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/aws/roles/example-role
-```
-
-### Sample payloads
-
-Using an inline IAM policy:
-
-```json
-{
- "credential_type": "federation_token",
- "policy_document": "{\"Version\": \"...\"}"
-}
-```
-
-Using a Session Token:
-
-```json
-{
- "credential_type": "session_token"
-}
-```
-
-Using an ARN:
-
-```json
-{
- "credential_type": "assumed_role",
- "role_arns": "arn:aws:iam::123456789012:role/DeveloperRole"
-}
-```
-
-Using groups:
-
-```json
-{
- "credential_type": "assumed_role",
- "iam_groups": ["group1", "group2"]
-}
-```
-
-Using tags:
-
-
-
-
- ```json
- {
- "credential_type": "iam_user",
- "iam_tags": [
- "first_key=first_value",
- "second_key=second_value"
- ]
- }
- ```
-
- or
-
- ```json
- {
- "credential_type": "iam_user",
- "iam_tags": {
- "first_key": "first_value",
- "second_key": "second_value"
- }
- }
- ```
-
-
-
-
- ```bash
- vault write aws/roles/example-role \
- credential_type=iam_user \
- iam_tags="first_key=first_value" \
- iam_tags="second_key=second_value" \
- ```
-
- or
-
- ```bash
- vault write aws/roles/example-role \
- credential_type=iam_user \
- iam_tags=@test.json
- ```
-
- where `test.json` is:
-
- ```json
- ["tag1=42", "tag2=something"]
- ```
-
-
-
-
-## Read role
-
-This endpoint queries an existing role by the given name. If the role does not
-exist, a 404 is returned.
-
-| Method | Path |
-| :----- | :----------------- |
-| `GET` | `/aws/roles/:name` |
-
-If invalid role data was supplied to the role from an earlier version of Vault,
-then it will show up in the response as `invalid_data`.
-
-### Parameters
-
-- `name` `(string: )` – Specifies the name of the role to read. This
- is part of the request URL.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/aws/roles/example-role
-```
-
-### Sample responses
-
-For an inline IAM policy:
-
-```json
-{
- "data": {
- "policy_document": "{\"Version\": \"...\"}",
- "policy_arns": [],
- "credential_types": ["assumed_role"],
- "role_arns": [],
- "iam_groups": []
- }
-}
-```
-
-For a role ARN:
-
-```json
-{
- "data": {
- "policy_document": "",
- "policy_arns": [],
- "credential_types": ["assumed_role"],
- "role_arns": ["arn:aws:iam::123456789012:role/example-role"],
- "iam_groups": []
- }
-}
-```
-
-For IAM groups:
-
-```json
-{
- "data": {
- "policy_document": "",
- "policy_arns": [],
- "credential_types": ["assumed_role"],
- "role_arns": [],
- "iam_groups": ["group1", "group2"]
- }
-}
-```
-
-## List roles
-
-This endpoint lists all existing roles in the secrets engine.
-
-| Method | Path |
-| :----- | :----------- |
-| `LIST` | `/aws/roles` |
-
-### Sample request
-
-```shell-session
-$ curl
- --header "X-Vault-Token: ..." \
- --request LIST \
- http://127.0.0.1:8200/v1/aws/roles
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "keys": ["example-role"]
- }
-}
-```
-
-## Delete role
-
-This endpoint deletes an existing role by the given name. If the role does not
-exist, a 404 is returned.
-
-| Method | Path |
-| :------- | :----------------- |
-| `DELETE` | `/aws/roles/:name` |
-
-### Parameters
-
-- `name` `(string: )` – Specifies the name of the role to delete. This
- is part of the request URL.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request DELETE \
- http://127.0.0.1:8200/v1/aws/roles/example-role
-```
-
-## Generate credentials
-
-This endpoint generates credentials based on the named role. This role must be
-created before queried.
-
-| Method | Path |
-| :----- | :----------------- |
-| `GET` | `/aws/creds/:name` |
-| `POST` | `/aws/sts/:name` |
-
-The `/aws/creds` and `/aws/sts` endpoints are almost identical. The exception is
-when retrieving credentials for a role that was specified with the legacy `arn`
-or `policy` parameter. In this case, credentials retrieved through `/aws/sts`
-must be of either the `assumed_role` or `federation_token` types, and
-credentials retrieved through `/aws/creds` must be of the `iam_user` type.
-
-### Parameters
-
-- `name` `(string: )` – Specifies the name of the role to generate
- credentials against. This is part of the request URL.
-
-- `role_arn` `(string)` – The ARN of the role to assume if `credential_type` on
- the Vault role is `assumed_role`. Must match one of the allowed role ARNs in
- the Vault role. Optional if the Vault role only allows a single AWS role ARN;
- required otherwise.
-
-- `role_session_name` `(string)` - The role session name to attach to the assumed role ARN.
- `role_session_name` is limited to 64 characters; if exceeded, the `role_session_name` in the
- assumed role ARN will be truncated to 64 characters. If `role_session_name` is not provided,
- then it will be generated dynamically by default.
-
-- `ttl` `(string: "3600s")` – Specifies the TTL for the use of the STS token.
- This is specified as a string with a duration suffix. Valid only when
- `credential_type` is `assumed_role` `federation_token`, or `session_token`. When not specified,
- the `default_sts_ttl` set for the role will be used. If that is also not set, then
- the default value of `3600s` will be used. AWS places limits
- on the maximum TTL allowed. See the AWS documentation on the `DurationSeconds`
- parameter for
- [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html)
- (for `assumed_role` credential types),
- [GetFederationToken](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html)
- (for `federation_token` credential types), or
- [GetSessionToken](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html)
- (for `session_token` credential types) for more details.
-
-- `mfa_code` `(string)` - The TOTP generated by the MFA device configured on the IAM user and set
- on the Vault role. This is optional based on whether the Vault role has the `mfa_serial_number`
- field set or not. Only required if the Vault role has the `mfa_serial_number` set on it.
-
-### Sample AssumeRole request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/aws/creds/example-role
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "access_key": "AKIA...",
- "secret_key": "xlCs...",
- "session_token": null,
- "arn": "arn:aws:sts::123456789012:assumed-role/DeveloperRole/some-user-supplied-role-session-name"
- }
-}
-```
-
-### Sample Session Token request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- http://127.0.0.1:8200/v1/aws/creds/example-role?mfa_code=123456
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "access_key": "AKIA...",
- "secret_key": "xlCs...",
- "session_token": "FwoG..."
- }
-}
-```
-
-## Create/Update static role
-This endpoint creates or updates static role definitions. A static role is a 1-to-1 mapping
-with an AWS IAM User, which will be adopted and managed by Vault, including rotating it according
-to the configured `rotation_period`.
-
-In addition, this endpoint supports cross-account management.
-Vault will use the credentials obtained by assuming a role in another AWS account to perform AWS operations.
-Make sure that the IAM role configured in Vault has the necessary permissions to manage the IAM user within the target account.
-
-
-
- Vault will create a new credential upon configuration, and if the maximum number of access keys already exist,
- Vault will rotate the oldest one. Vault must do this to know the credential. At each rotation period, Vault will
- continue to prioritize rotating the oldest-existing credential.
-
- For example, if an IAM User has no access keys when onboarded into Vault, then Vault will generate its first access
- key for the user. On the first rotation, Vault will generate a second access key for the user. It is only upon the
- next rotation cycle that the first access key will now be rotated.
-
-
-
-| Method | Path |
-| :----- | :------------------------ |
-| `POST` | `/aws/static-roles/:name` |
-
-### Parameters
-
-- `name` `(string: )` – Specifies the name of the role to create. This
-is specified as part of the URL.
-
-- `username` `(string: )` – Specifies the username of the IAM user to be managed.
-
-- `rotation_period` `(string/int: )` – Specifies the amount of time
-Vault should wait before rotating the password. The minimum is 1 minute. Can be
-specified in either `24h` or `86400` format (see [duration format strings](/vault/docs/concepts/duration-format)).
-Updating the rotation period will 'reset' the next rotation to occur at `now` + `rotation_period`.
-
-- `assume_role_arn` `(string)` – Specifies the ARN of the IAM role in the target AWS account that Vault should assume.
-When provided, Vault uses the assumed IAM role to generate temporary credentials.
-When set, `assume_role_session_name` must also be provided.
-
-- `assume_role_session_name` `(string)` – Specifies the session name to use when assuming the role.
-When set, `assume_role_arn` must also be provided.
-
-- `external_id` `(string)` – Specifies the external ID to use when assuming the role, if one was set on the IAM role.
-
-### Sample payload
-
-```json
-{
- "username": "example-user",
- "rotation_period": "11h30m"
-}
-```
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request POST \
- --data @payload.json \
- http://127.0.0.1:8200/v1/aws/static-roles/my-static-role
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "assume_role_arn": "",
- "assume_role_session_name": "",
- "external_id": "",
- "id": "AIDA...",
- "name": "my-static-role",
- "rotation_period": 41400,
- "username": "example-user"
- }
-}
-```
-
-## Read static role
-
-This endpoint queries the static role definition.
-
-| Method | Path |
-| :----- | :------------------------ |
-| `GET` | `/aws/static-roles/:name` |
-
-### Parameters
-
-- `name` `(string: )` – Specifies the name of the static role to read.
-This is specified as part of the URL.
-
-### Sample request
-
-```shell-session
-$ curl \
- --header "X-Vault-Token: ..." \
- --request GET \
- http://127.0.0.1:8200/v1/aws/static-roles/my-static-role
-```
-### Sample response
-
-```json
-{
- "name": "my-static-role",
- "username": "example-user",
- "rotation_period": "11h30m"
-}
-```
-
-## List static roles
-
-Use the list static roles endpoint to fetch all existing static roles in the secrets engine.
-
-| Method | Path |
-| :----- | :------------------ |
-| `LIST` | `/aws/static-roles` |
-
-### Sample request
-
-```shell-session
-$ curl
- --header "X-Vault-Token: ..." \
- --request LIST \
- http://127.0.0.1:8200/v1/aws/static-roles
-```
-
-### Sample response
-
-```json
-{
- "data": {
- "keys": ["example-role"]
- }
-}
-```
-
-## Delete static role
-
-This endpoint deletes the static role definition. The user, having been defined externally,
-must be cleaned up manually.
-
-| Method | Path |
-| :------- | :------------------------ |
-| `DELETE` | `/aws/static-roles/:name` |
-
-### Parameters
-
-- `name` `(string: