Break out API documentation for secret backends

Seth Vargo 2017-03-08 18:47:35 -08:00
parent efd532536f
commit 501cf5d065
No known key found for this signature in database
GPG key ID: C921994F9C27E0FF
31 changed files with 5833 additions and 5916 deletions

View file

@ -7,6 +7,7 @@ $docs-font-size: 15px;
body.layout-docs,
body.layout-inner,
body.layout-downloads,
body.layout-http,
body.layout-intro {
>.container {
.col-md-8[role=main] {

View file

@ -8,6 +8,8 @@ description: |-
# HTTP API
The Vault HTTP API is a
The Vault HTTP API gives you full access to Vault via HTTP. Every
aspect of Vault can be controlled via this API. The Vault CLI uses
the HTTP API to access Vault.
@ -170,5 +172,5 @@ The following HTTP status codes are used throughout the API.
## Limits
A maximum request size of 32MB is imposed to prevent a denial
A maximum request size of 32MB is imposed to prevent a denial
of service attack with arbitrarily large requests.

View file

@ -0,0 +1,357 @@
---
layout: "http"
page_title: "HTTP API"
sidebar_current: "docs-http-secret-aws"
description: |-
TODO
---
# AWS Secret Backend HTTP API
This is the API documentation for the Vault AWS secret backend. For general
information about the usage and operation of the AWS backend, please see the
[Vault AWS backend documentation](/docs/secrets/aws/index.html).
This documentation assumes the AWS backend is mounted at the `/aws` path in
Vault. Since it is possible to mount secret backends at any location, please
update your API calls accordingly.
## Configure Root IAM Credentials
This endpoint configures the root IAM credentials to communicate with AWS. There
are multiple ways to pass root IAM credentials to the Vault server, specified
below with the highest precedence first. If credentials already exist, this will
overwrite them.
- Static credentials provided to the API as a payload
- Credentials in the `AWS_ACCESS_KEY`, `AWS_SECRET_KEY`, and `AWS_REGION`
environment variables **on the server**
- Querying the EC2 metadata service if the **Vault server** is on EC2 and has
querying capabilities
At present, this endpoint does not confirm that the provided AWS credentials are
valid AWS credentials with proper permissions.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/aws/config/root` | `204 (empty body)` |
### Parameters
- `access_key` `(string: <required>)` Specifies the AWS access key ID.
- `secret_key` `(string: <required>)`  Specifies the AWS secret access key.
- `region` `(string: <required>)`  Specifies the AWS region.
### Sample Payload
```json
{
"access_key": "AKIA...",
"secret_key": "2J+...",
"region": "us-east-1"
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.rocks/v1/aws/config/root
```
## Configure Lease
This endpoint configures lease settings for the AWS secret backend. It is
optional, as there are default values for `lease` and `lease_max`.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/aws/config/lease` | `204 (empty body)` |
### Parameters
- `lease` `(string: <required>)` Specifies the lease value provided as a
string duration with time suffix. "h" (hour) is the largest suffix.
- `lease_max` `(string: <required>)`  Specifies the maximum lease value
provided as a string duration with time suffix. "h" (hour) is the largest
suffix.
### Sample Payload
```json
{
"lease": "30m",
"lease_max": "12h"
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.rocks/v1/aws/config/lease
```
## Read Lease
This endpoint returns the current lease settings for the AWS secret backend.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `GET` | `/aws/config/lease` | `200 application/json` |
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
https://vault.rocks/v1/aws/config/lease
```
### Sample Response
```json
{
"data": {
"lease": "30m0s",
"lease_max": "12h0m0s"
}
}
```
## Create/Update Role
This endpoint creates or updates the role with the given `name`. If a role with
the name does not exist, it will be created. If the role exists, it will be
updated with the new attributes.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/aws/roles/:name` | `204 (empty body)` |
### Parameters
- `name` `(string: <required>)`  Specifies the name of the role to create. This
is part of the request URL.
- `policy` `(string: <required unless arn provided>)` Specifies the IAM policy
in JSON format.
- `arn` `(string: <required unless policy provided>)`  Specifies the full ARN
reference to the desired existing policy.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.rocks/v1/aws/roles/example-role
```
### Sample Payloads
Using an inline IAM policy:
```json
{
"policy": "{\"Version\": \"...\"}",
}
```
Using an ARN:
```json
{
"arn": "arn:aws:iam::123456789012:user/David"
}
```
## Read Role
This endpoint queries an existing role by the given name. If the role does not
exist, a 404 is returned.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `GET` | `/aws/roles/:name` | `200 application/json` |
### Parameters
- `name` `(string: <required>)`  Specifies the name of the role to read. This
is part of the request URL.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
https://vault.rocks/v1/aws/roles/example-role
```
### Sample Responses
For an inline IAM policy:
```json
{
"data": {
"policy": "{\"Version\": \"...\"}"
}
}
```
For an ARN:
```json
{
"data": {
"arn": "arn:aws:iam::123456789012:user/David"
}
}
```
## List Roles
This endpoint lists all existing roles in the backend.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `LIST` | `/aws/roles` | `200 application/json` |
### Sample Request
```
$ curl
--header "X-Vault-Token: ..." \
--request LIST \
https://vault.rocks/v1/aws/roles
```
### Sample Response
```json
{
"data": {
"keys": [
"example-role"
]
}
}
```
## Delete Role
This endpoint deletes an existing role by the given name. If the role does not
exist, a 404 is returned.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `DELET` | `/aws/roles/:name` | `204 (empty body)` |
### Parameters
- `name` `(string: <required>)`  Specifies the name of the role to delete. This
is part of the request URL.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
https://vault.rocks/v1/aws/roles/example-role
```
## Generate IAM Credentials
This endpoint generates dynamic IAM credentials based on the named role. This
role must be created before queried.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `GET` | `/aws/creds/:name` | `200 application/json` |
### Parameters
- `name` `(string: <required>)`  Specifies the name of the role to generate
credentials againts. This is part of the request URL.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
https://vault.rocks/v1/aws/creds/example-role
```
### Sample Response
```json
{
"data": {
"access_key": "AKIA...",
"secret_key": "xlCs...",
"security_token": null
}
}
```
## Generate IAM with STS
This generates a dynamic IAM credential with an STS token based on the named
role.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/aws/sts/:name` | `204 (empty body)` |
### Parameters
- `name` `(string: <required>)`  Specifies the name of the role against which
to create this STS credential. This is part of the request URL.
- `ttl` `(string: "3600s")` Specifies the TTL for the use of the STS token.
This is specified as a string with a duration suffix.
### Sample Payload
```json
{
"ttl": "5m"
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.rocks/v1/aws/sts/example-role
```
### Sample Response
```json
{
"data": {
"access_key": "AKIA...",
"secret_key": "xlCs...",
"security_token": "429255"
}
}
```
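Review bot: the Delete Role method cell reads `DELET` and the Generate IAM Credentials parameter text reads "credentials againts"; both need fixing to `DELETE` and "against". The Generate IAM with STS table declares `204 (empty body)` for `POST /aws/sts/:name`, yet the same section shows a JSON sample response carrying `access_key`, `secret_key` and `security_token`, so the Produces cell should read `200 application/json`. The List Roles sample request drops the line continuation after `$ curl`, so a pasted command ends on that line and the remaining options are never sent; add the trailing backslash as in every other sample. The inline-policy sample payload has a trailing comma after `"policy": "{\"Version\": \"...\"}",`, which is not valid JSON. Minor consistency points: `page_title` is `"HTTP API"` while the sibling pages use `"<Backend> Secret Backend - HTTP API"`, the front-matter `description` is left as `TODO` (this applies to all the new backend pages in this commit), and in Create/Update Role the Sample Request precedes the Sample Payloads, the reverse of the order used elsewhere. On substance, Configure Root IAM Credentials says the endpoint does not check that the supplied credentials are valid or sufficiently privileged; it is worth adding a sentence pointing readers to `GET /aws/creds/:name` as the way to confirm the configuration works before relying on it.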

View file

@ -0,0 +1,245 @@
---
layout: "http"
page_title: "Cassandra Secret Backend - HTTP API"
sidebar_current: "docs-http-secret-cassandra"
description: |-
TODO
---
# Cassandra Secret Backend HTTP API
This is the API documentation for the Vault Cassandra secret backend. For
general information about the usage and operation of the Cassandra backend,
please see the
[Vault Cassandra backend documentation](/docs/secrets/cassandra/index.html).
This documentation assumes the Cassandra backend is mounted at the `/cassandra`
path in Vault. Since it is possible to mount secret backends at any location,
please update your API calls accordingly.
## Configure Connection
This endpoint configures the connection information used to communicate with
Cassandra.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/cassandra/config/connection` | `204 (empty body)` |
### Parameters
- `hosts` `(string: <required>)` Specifies a set of comma-delineated Cassandra
hosts to connect to.
- `username` `(string: <required>)`  Specifies the username to use for
superuser access.
- `password` `(string: <required>)`  Specifies the password corresponding to
the given username.
- `tls` `(bool: true)` Specifies whether to use TLS when connecting to
Cassandra.
- `insecure_tls` `(bool: false)`  Specifies whether to skip verification of the
server certificate when using TLS.
- `pem_bundle` `(string: "")` Specifies concatenated PEM blocks containing a
certificate and private key; a certificate, private key, and issuing CA
certificate; or just a CA certificate.
- `pem_json` `(string: "")`  Specifies JSON containing a certificate and
private key; a certificate, private key, and issuing CA certificate; or just a
CA certificate. For convenience format is the same as the output of the
`issue` command from the `pki` backend; see
[the pki documentation](/docs/secrets/pki/index.html).
- `protocol_version` `(int: 2)`  Specifies the CQL protocol version to use.
- `connect_timeout` `(string: "5s")`  Specifies the connection timeout to use.
TLS works as follows:
- If `tls` is set to true, the connection will use TLS; this happens
automatically if `pem_bundle`, `pem_json`, or `insecure_tls` is set
- If `insecure_tls` is set to true, the connection will not perform verification
of the server certificate; this also sets `tls` to true
- If only `issuing_ca` is set in `pem_json`, or the only certificate in
`pem_bundle` is a CA certificate, the given CA certificate will be used for
server certificate verification; otherwise the system CA certificates will be
used
- If `certificate` and `private_key` are set in `pem_bundle` or `pem_json`,
client auth will be turned on for the connection
`pem_bundle` should be a PEM-concatenated bundle of a private key + client
certificate, an issuing CA certificate, or both. `pem_json` should contain the
same information; for convenience, the JSON format is the same as that output by
the issue command from the PKI backend.
### Sample Payload
```json
{
"hosts": "cassandra1.local",
"username": "user",
"password": "pass"
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.rocks/v1/cassandra/config/connection
```
## Create Role
This endpoint creates or updates the role definition.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/cassandra/roles/:name` | `204 (empty body)` |
### Parameters
- `creation_cql` `(string: "")`  Specifies the CQL statements executed to
create and configure the new user. Must be a semicolon-separated string, a
base64-encoded semicolon-separated string, a serialized JSON string array, or
a base64-encoded serialized JSON string array. The '{{username}}' and
'{{password}}' values will be substituted; it is required that these
parameters are in single quotes. The default creates a non-superuser user with
no authorization grants.
- `rollback_cql` `(string: "")` Specifies the CQL statements executed to
attempt a rollback if an error is encountered during user creation. The
default is to delete the user. Must be a semicolon-separated string, a
base64-encoded semicolon-separated string, a serialized JSON string array, or
a base64-encoded serialized JSON string array. The '{{username}}' and
'{{password}}' values will be substituted; it is required that these
parameters are in single quotes.
- `lease` `(string: "")`  Specifies the lease value provided as a string
duration with time suffix. "h" hour is the largest suffix.
- `consistency` `(string: "Quorum")`  Specifies the consistency level value
provided as a string. Determines the consistency level used for operations
performed on the Cassandra database.
### Sample Payload
```json
{
"creation_cql": "CREATE USER ..."
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.rocks/v1/cassandra/roles/my-role
```
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
## Read Role
This endpoint queries the role definition.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `GET` | `/cassandra/roles/:name` | `200 application/json` |
### Parameters
- `name` `(string: <required>)`  Specifies the name of the role to read. This
is part of the request URL.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
https://vault.rocks/v1/cassandra/roles/my-role
```
### Sample Response
```json
{
"data": {
"creation_cql": "CREATE USER...",
"rollback_cql": "DROP USER...",
"lease": "12h",
"consistency": "Quorum"
}
}
```
## Delete Role
This endpoint deletes the role definition.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `DELETE` | `/cassandra/roles/:name` | `204 (no body)` |
### Parameters
- `name` `(string: <required>)`  Specifies the name of the role to delete. This
is part of the request URL.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
https://vault.rocks/v1/cassandra/roles/my-role
```
## Generate Credentials
This endpoint generates a new set of dynamic credentials based on the named
role.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `GET` | `/cassandra/creds/:name` | `200 application/json` |
### Parameters
- `name` `(string: <required>)`  Specifies the name of the role to create
credentials against. This is part of the request URL.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \Z
https://vault.rocks/v1/cassandra/creds/my-role
```
### Sample Response
```json
{
"data": {
"username": "vault-root-1430158508-126",
"password": "132ae3ef-5a64-7499-351e-bfe59f3a2a21"
}
}
```
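Review bot: the lines `<dt>Returns</dt>` through `</dl>` after the Create Role sample request are leftover definition-list markup from the old page (there is no matching `<dl>` opening tag on this page), and they only repeat what the table's `204 (empty body)` already says; drop them. The Generate Credentials sample request ends the `--header` line with `\Z` instead of a bare backslash, which breaks the command. Create Role lists no `name` parameter even though the path is `/cassandra/roles/:name`; add the same `name` entry that Read Role and Delete Role carry. "comma-delineated" should be "comma-delimited". The TLS explanation is stated twice: the bullet list already covers `pem_bundle` and `pem_json`, and the paragraph that follows restates it; keep one. The Delete Role table says `204 (no body)` while every other table in the commit says `204 (empty body)`.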

View file

@ -0,0 +1,201 @@
---
layout: "http"
page_title: "Consul Secret Backend - HTTP API"
sidebar_current: "docs-http-secret-consul"
description: |-
TODO
---
# Consul Secret Backend HTTP API
This is the API documentation for the Vault Consul secret backend. For general
information about the usage and operation of the Consul backend, please see the
[Vault Consul backend documentation](/docs/secrets/consul/index.html).
This documentation assumes the Consul backend is mounted at the `/consul` path
in Vault. Since it is possible to mount secret backends at any location, please
update your API calls accordingly.
## Configure Access
This endpoint configures the access information for Consul. This access
information is used so that Vault can communicate with Consul and generate
Consul tokens.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/consul/config/access` | `204 (empty body)` |
### Parameters
- `address` `(string: <required>)`  Specifies the address of the Consul
instance, provided as `"host:port"` like `"127.0.0.1:8500"`.
- `scheme` `(string: "http")`  Specifies the URL scheme to use.
- `token` `(string: <required>)` Specifies the Consul ACL token to use. This
must be a management type token.
### Sample Payload
```json
{
"address": "127.0.0.1:8500",
"scheme": "https",
"token": "adha..."
}
```
### Sample Request
```
$ curl \
--request POST \
--header "X-Vault-Token: ..." \
--data @payload.json \
https://vault.rocks/v1/consul/config/access
```
## Create/Update Role
This endpoint creates or updates the Consul role definition. If the role does
not exist, it will be created. If the role already exists, it will receive
updated attributes.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/consul/roles/:name` | `204 (empty body)` |
### Parameters
- `name` `(string: <required>)`  Specifies the name of an existing role against
which to create this Consul credential. This is part of the request URL.
- `lease` `(string: "")`  Specifies the lease for this role. This is provided
as a string duration with a time suffix like `"30s"` or `"1h"`. If not
provided, the default Vault lease is used.
- `policy` `(string: <required>)` Specifies the base64 encoded ACL policy. The
ACL format can be found in the [Consul ACL
documentation](https://www.consul.io/docs/internals/acl.html). This is
required unless the `token_type` is `management`.
- `token_type` `(string: "client")` - Specifies the type of token to create when
using this role. Valid values are `"client"` or `"management"`.
### Sample Payload
To create management tokens:
```json
{
"token_type": "management"
}
```
To create a client token with a custom policy:
```json
{
"policy": "abd2...=="
}
```
### Sample Request
```
$ curl \
--request POST \
--header "X-Vault-Token: ..." \
--data @payload.json \
https://vault.rocks/v1/consul/roles/example-role
```
## Read Role
This endpoint queries for information about a Consul role with the given name.
If no role exists with that name, a 404 is returned.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `GET` | `/consul/roles/:name` | `200 application/json` |
### Parameters
- `name` `(string: <required>)`  Specifies the name of the role to query. This
is part of the request URL.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
https://vault.rocks/v1/consul/roles/example-role
```
### Sample Response
```json
{
"data": {
"policy": "abd2...==",
"lease": "1h0m0s",
"token_type": "client"
}
}
```
## Delete Role
This endpoint deletes a Consul role with the given name. Even if the role does
not exist, this endpoint will still return a successful response.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `DELETE` | `/consul/roles/:name` | `204 (empty body)` |
### Parameters
- `name` `(string: <required>)`  Specifies the name of the role to delete. This
is part of the request URL.
### Sample Request
```
$ curl \
--request DELETE \
--header "X-Vault-Token: ..." \
https://vault.rocks/v1/consul/roles/example-role
```
## Generate Credential
This endpoint generates a dynamic Consul token based on the given role
definition.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `GET` | `/consul/creds/:name` | `200 application/json` |
### Parameters
- `name` `(string: <required>)`  Specifies the name of an existing role against
which to create this Consul credential. This is part of the request URL.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
https://vault.rocks/v1/consul/creds/example-role
```
### Sample Response
```json
{
"data": {
"token": "973a31ea-1ec4-c2de-0f63-623f477c2510"
}
}
```
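Review bot: in Create/Update Role the `name` parameter is described as "the name of an existing role against which to create this Consul credential", which is the Generate Credential wording; here it should say it is the name of the role to create or update. The `token_type` bullet has a stray ` - ` before "Specifies", unlike the other parameter entries. Delete Role says a successful response is returned even when the role does not exist, while the AWS and Cassandra pages say a 404 is returned for a missing role; please confirm each statement against the backend so readers do not rely on the wrong status code.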

View file

@ -0,0 +1,155 @@
---
layout: "http"
page_title: "Cubbyhole Secret Backend - HTTP API"
sidebar_current: "docs-http-secret-cubbyhole"
description: |-
TODO
---
# Cubbyhole Secret Backend HTTP API
This is the API documentation for the Vault Cubbyhole secret backend. For
general information about the usage and operation of the Cubbyhole backend,
please see the
[Vault Cubbyhole backend documentation](/docs/secrets/cubbyhole/index.html).
This documentation assumes the Cubbyhole backend is mounted at the `/cubbyhole`
path in Vault. Since it is possible to mount secret backends at any location,
please update your API calls accordingly.
## Read Secret
This endpoint retrieves the secret at the specified location.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `GET` | `/cubbyhole/:path` | `200 application/json` |
### Parameters
- `path` `(string: <required>)` Specifies the path of the secret to read.
This is specified as part of the URL.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
https://vault.rocks/v1/cubbyhole/my-secret
```
### Sample Response
```json
{
"auth": null,
"data": {
"foo": "bar"
},
"lease_duration": 0,
"lease_id": "",
"renewable": false
}
```
## List Secrets
This endpoint returns a list of secret entries at the specified location.
Folders are suffixed with `/`. The input must be a folder; list on a file will
not return a value. The values themselves are not accessible via this command.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `List` | `/cubbyhole/:path` | `200 application/json` |
### Parameters
- `path` `(string: <required>)` Specifies the path of the secrets to list.
This is specified as part of the URL.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request LIST \
https://vault.rocks/v1/cubbyhole/my-secret
```
### Sample Response
The example below shows output for a query path of `cubbyhole/` when there are
secrets at `cubbyhole/foo` and `cubbyhole/foo/bar`; note the difference in the
two entries.
```json
{
"auth": null,
"data": {
"keys": ["foo", "foo/"]
},
"lease_duration": 2764800,
"lease_id": "",
"renewable": false
}
```
## Create/Update Secret
This endpoint stores a secret at the specified location.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/cubbyhole/:path` | `204 (empty body)` |
| `PUT` | `/cubbyhole/:path` | `204 (empty body)` |
### Parameters
- `path` `(string: <required>)` Specifies the path of the secrets to
create/update. This is specified as part of the URL.
- `:key` `(string: "")`  Specifies a key, paired with an associated value, to
be held at the given location. Multiple key/value pairs can be specified, and
all will be returned on a read operation. A key called `ttl` will trigger some
special behavior; see above for details.
### Sample Payload
```json
{
"foo": "bar",
"zip": "zap"
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.rocks/v1/cubbyhole/my-secret
```
## Delete Secret
This endpoint deletes the secret at the specified location.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `DELETE` | `/cubbyhole/:path` | `204 (empty body)` |
### Parameters
- `path` `(string: <required>)` Specifies the path of the secret to delete.
This is specified as part of the URL.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
https://vault.rocks/v1/cubbyhole/my-secret
```
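Review bot: the `:key` parameter under Create/Update Secret ends with "A key called `ttl` will trigger some special behavior; see above for details", but nothing above on this page describes `ttl`; either describe the behaviour here or link to the cubbyhole backend documentation. The List Secrets method cell reads `List` while the other pages use `LIST`. The List Secrets sample request targets `/cubbyhole/my-secret` while the text describes the response for a query path of `cubbyhole/`; align the two. The Read and List sample responses disagree on `lease_duration` (`0` versus `2764800`); the list response shows the same value as the generic page and looks copied from there.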

View file

@ -0,0 +1,159 @@
---
layout: "http"
page_title: "Generic Secret Backend - HTTP API"
sidebar_current: "docs-http-secret-generic"
description: |-
TODO
---
# Generic Secret Backend HTTP API
This is the API documentation for the Vault Generic secret backend. For general
information about the usage and operation of the Generic backend, please see
the [Vault Generic backend documentation](/docs/secrets/generic/index.html).
This documentation assumes the Generic backend is mounted at the `/secret`
path in Vault. Since it is possible to mount secret backends at any location,
please update your API calls accordingly.
## Read Secret
This endpoint retrieves the secret at the specified location.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `GET` | `/secret/:path` | `200 application/json` |
### Parameters
- `path` `(string: <required>)` Specifies the path of the secret to read.
This is specified as part of the URL.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
https://vault.rocks/v1/secret/my-secret
```
### Sample Response
```json
{
"auth": null,
"data": {
"foo": "bar"
},
"lease_duration": 2764800,
"lease_id": "",
"renewable": false
}
```
## List Secrets
This endpoint returns a list of key names at the specified location. Folders are
suffixed with `/`. The input must be a folder; list on a file will not return a
value. Note that no policy-based filtering is performed on keys; do not encode
sensitive information in key names. The values themselves are not accessible via
this command.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `LIST` | `/secret/:path` | `200 application/json` |
### Parameters
- `path` `(string: <required>)` Specifies the path of the secrets to list.
This is specified as part of the URL.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request LIST \
https://vault.rocks/v1/secret/my-secret
```
### Sample Response
The example below shows output for a query path of `secret/` when there are
secrets at `secret/foo` and `secret/foo/bar`; note the difference in the two
entries.
```json
{
"auth": null,
"data": {
"keys": ["foo", "foo/"]
},
"lease_duration": 2764800,
"lease_id": "",
"renewable": false
}
```
## Create/Update Secret
This endpoint stores a secret at the specified location. If the value does not
yet exist, the calling token must have an ACL policy granting the `create`
capability. If the value already exists, the calling token must have an ACL
policy granting the `update` capability.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/secret/:path` | `204 (empty body)` |
| `PUT` | `/secret/:path` | `204 (empty body)` |
### Parameters
- `path` `(string: <required>)` Specifies the path of the secrets to
create/update. This is specified as part of the URL.
- `:key` `(string: "")`  Specifies a key, paired with an associated value, to
be held at the given location. Multiple key/value pairs can be specified, and
all will be returned on a read operation. A key called `ttl` will trigger some
special behavior; see above for details.
### Sample Payload
```json
{
"foo": "bar",
"zip": "zap"
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.rocks/v1/secret/my-secret
```
## Delete Secret
This endpoint deletes the secret at the specified location.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `DELETE` | `/secret/:path` | `204 (empty body)` |
### Parameters
- `path` `(string: <required>)` Specifies the path of the secret to delete.
This is specified as part of the URL.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
https://vault.rocks/v1/secret/my-secret
```
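Review bot: the `:key` parameter's "see above for details" about the `ttl` key points at nothing on this page; describe the behaviour here or link to the generic backend documentation. The List Secrets sample request uses `/secret/my-secret` while the sample response is described for a query path of `secret/`; align them. The statement that no policy-based filtering is performed on key names, so sensitive information must not be encoded in them, is the main security caveat on this page and would be easier to find as its own short paragraph under List Secrets rather than mid-sentence.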

View file

@ -0,0 +1,19 @@
---
layout: "http"
page_title: "HTTP API"
sidebar_current: "docs-http-secret"
description: |-
Each secret backend publishes its own set of API paths and methods. These
endpoints are documented in this section.
---
# Secret Backends
Each secret backend publishes its own set of API paths and methods. These
endpoints are documented in this section. Secret backends are mounted at a path,
but the documentation will assume the default mount points for simplicity. If
you are mounting at a different path, you should adjust your API calls
accordingly.
For the API documentation for a specific secret backend, please choose a secret
backend from the navigation.

View file

@ -0,0 +1,344 @@
---
layout: "http"
page_title: "MongoDB Secret Backend - HTTP API"
sidebar_current: "docs-http-secret-mongodb"
description: |-
TODO
---
# MongoDB Secret Backend HTTP API
This is the API documentation for the Vault MongoDB secret backend. For general
information about the usage and operation of the MongoDB backend, please see
the [Vault MongoDB backend documentation](/docs/secrets/mongodb/index.html).
This documentation assumes the MongoDB backend is mounted at the `/mongodb`
path in Vault. Since it is possible to mount secret backends at any location,
please update your API calls accordingly.
## Configure Connection
This endpoint configures the standard connection string (URI) used to
communicate with MongoDB.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/mongodb/config/connection` | `200 application/json` |
### Parameters
- `url` `(string: <required>)` Specifies the MongoDB standard connection
string (URI).
- `verify_connection` `(bool: true)`  Specifies if the connection is verified
during initial configuration.
### Sample Payload
```json
{
"url": "mongodb://db1.example.net,db2.example.net:2500/?replicaSet=test"
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.rocks/v1/mongodb/config/connection
```
### Sample Response
```json
{
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": null,
"wrap_info": null,
"warnings": [
"Read access to this endpoint should be controlled via ACLs as it will return the connection URI as it is, including passwords, if any."
],
"auth": null
}
```
## Read Connection
This endpoint queries the connection configuration. Access to this endpoint
should be controlled via ACLs as it will return the connection URI as it is,
including passwords, if any.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `GET` | `/mongodb/config/connection` | `200 application/json` |
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
https://vault.rocks/v1/mongodb/config/connection
```
### Sample Response
```json
{
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"uri": "mongodb://admin:Password!@mongodb.acme.com:27017/admin?ssl=true"
},
"wrap_info": null,
"warnings": null,
"auth": null
}
```
## Configure Lease
This endpoint configures the default lease TTL settings for credentials
generated by the mongodb backend.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/mongodb/config/lease` | `204 (empty body)` |
### Parameters
- `lease` `(string: <required>)`  Specifies the lease value provided as a
string duration with time suffix. "h" (hour) is the largest suffix.
- `lease_max` `(string: <required>)`  Specifies the maximum lease value
provided as a string duration with time suffix. "h" (hour) is the largest
suffix.
### Sample Payload
```json
{
"lease": "12h",
"lease_max": "24h"
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.rocks/v1/mongodb/config/lease
```
## Read Lease
This endpoint queries the lease configuration.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `GET` | `/mongodb/config/lease` | `200 application/json` |
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
https://vault.rocks/v1/mongodb/config/lease
```
### Sample Response
```json
{
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"max_ttl": 60,
"ttl": 60
},
"wrap_info": null,
"warnings": null,
"auth": null
}
```
## Create Role
This endpoint creates or updates a role definition.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/mongodb/roles/:name` | `204 (empty body)` |
### Parameters
- `db` `(string: <required>)` Specifies the name of the database users should
be created in for this role.
- `roles` `(string: "")`  Specifies the MongoDB roles to assign to the users
generated for this role.
### Sample Payload
```json
{
"db": "my-db",
"roles": "[\"readWrite\",{\"db\":\"bar\",\"role\":\"read\"}]"
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.rocks/v1/mongodb/roles/my-role
```
## Read Role
This endpoint queries the role definition.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `GET` | `/mongodb/roles/:name` | `200 application/json` |
### Parameters
- `name` `(string: <required>)` Specifies the name of the role to read. This
is specified as part of the URL.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
https://vault.rocks/v1/mongodb/roles/my-role
```
### Sample Response
```json
{
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"db": "foo",
"roles": "[\"readWrite\",{\"db\":\"bar\",\"role\":\"read\"}]"
},
"wrap_info": null,
"warnings": null,
"auth": null
}
```
## List Roles
This endpoint returns a list of available roles. Only the role names are
returned, not any values.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `LIST` | `/mongodb/roles` | `200 application/json` |
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request LIST \
https://vault.rocks/v1/mongodb/roles
```
### Sample Response
```json
{
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"keys": [
"dev",
"prod"
]
},
"wrap_info": null,
"warnings": null,
"auth": null
}
```
## Delete Role
This endpoint deletes the role definition.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `DELETE` | `/mongodb/roles/:name` | `204 (empty body)` |
### Parameters
- `name` `(string: <required>)` Specifies the name of the role to delete. This
is specified as part of the URL.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
https://vault.rocks/v1/mongodb/roles/my-role
```
## Generate Credentials
This endpoint generates a new set of dynamic credentials based on the named
role.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `GET` | `/mongodb/creds/:name` | `200 application/json` |
### Parameters
- `name` `(string: <required>)` Specifies the name of the role to create
credentials against. This is specified as part of the URL.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
https://vault.rocks/v1/mongodb/creds/my-role
```
### Sample Response
```json
{
"lease_id": "mongodb/creds/readonly/e64e79d8-9f56-e379-a7c5-373f9b4ee3d8",
"renewable": true,
"lease_duration": 3600,
"data": {
"db": "foo",
"password": "de0f7b50-d700-54e5-4e81-5c3724283999",
"username": "vault-token-b32098cb-7ff2-dcf5-83cd-d5887cedf81b"
},
"wrap_info": null,
"warnings": null,
"auth": null
}
```
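Review bot: the Read Lease sample response returns `ttl` and `max_ttl` as bare numbers (`60`) while the Configure Lease endpoint directly above accepts `lease` and `lease_max` as duration strings (`"12h"`, `"24h"`); if the read endpoint really reports different field names and units than the write endpoint accepts, the parameter text should say so (seconds), otherwise the sample response looks stale and should mirror the sample payload. The Generate Credentials sample response also carries `lease_id: "mongodb/creds/readonly/..."` for a request made against `creds/my-role`; the two samples should agree so a reader can match the lease to the role. The front matter still has `description: TODO`, which will be rendered as the page's meta description.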

View file

@ -0,0 +1,244 @@
---
layout: "http"
page_title: "MSSQL Secret Backend - HTTP API"
sidebar_current: "docs-http-secret-mssql"
description: |-
TODO
---
# MSSQL Secret Backend HTTP API
This is the API documentation for the Vault MSSQL secret backend. For general
information about the usage and operation of the MSSQL backend, please see
the [Vault MSSQL backend documentation](/docs/secrets/mssql/index.html).
This documentation assumes the MSSQL backend is mounted at the `/mssql`
path in Vault. Since it is possible to mount secret backends at any location,
please update your API calls accordingly.
## Configure Connection
This endpoint configures the connection DSN used to communicate with Microsoft
SQL Server.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/mssql/config/connection` | `204 (empty body)` |
### Parameters
- `connection_string` `(string: <required>)`  Specifies the MSSQL DSN.
- `max_open_connections` `(int: 2)`  Specifies the maximum number of open
connections to the database.
- `max_idle_connections` `(int: 0)`  Specifies the maximum number of idle
connections to the database. A zero uses the value of `max_open_connections`
and a negative value disables idle connections. If larger than
`max_open_connections` it will be reduced to be equal.
### Sample Payload
```json
{
"connection_string": "Server=myServerAddress;Database=myDataBase;User Id=myUsername; Password=myPassword;"
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.rocks/v1/mssql/config/connection
```
## Configure Lease
This endpoint configures the lease settings for generated credentials.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/mysql/config/lease` | `204 (empty body)` |
### Parameters
- `lease` `(string: <required>)`  Specifies the lease value provided as a
string duration with time suffix. "h" (hour) is the largest suffix.
- `lease_max` `(string: <required>)`  Specifies the maximum lease value
provided as a string duration with time suffix. "h" (hour) is the largest
suffix.
### Sample Payload
```json
{
"lease": "12h",
"lease_max": "24h"
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.rocks/v1/mssql/config/lease
```
## Create Role
This endpoint creates or updates the role definition.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/mssql/roles/:name` | `204 (empty body)` |
### Parameters
- `sql` `(string: <required>)`  Specifies the SQL statements executed to create
and configure the role. The '{{name}}' and '{{password}}' values will be
substituted. Must be a semicolon-separated string, a base64-encoded
semicolon-separated string, a serialized JSON string array, or a
base64-encoded serialized JSON string array.
### Sample Payload
```json
{
"sql": "CREATE LOGIN ..."
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.rocks/v1/mssql/roles/my-role
```
## Read Role
This endpoint queries the role definition.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `GET` | `/mssql/roles/:name` | `200 application/json` |
### Parameters
- `name` `(string: <required>)` Specifies the name of the role to read. This
is specified as part of the URL.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
https://vault.rocks/v1/mssql/roles/my-role
```
### Sample Response
```json
{
"data": {
"sql": "CREATE LOGIN..."
}
}
```
## List Roles
This endpoint returns a list of available roles. Only the role names are
returned, not any values.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `LIST` | `/mssql/roles` | `200 application/json` |
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request LIST \
https://vault.rocks/v1/mssql/roles
```
### Sample Response
```json
{
"auth": null,
"data": {
"keys": ["dev", "prod"]
},
"lease_duration": 2764800,
"lease_id": "",
"renewable": false
}
```
## Delete Role
This endpoint deletes the role definition.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `DELETE` | `/mssql/roles/:name` | `204 (empty body)` |
### Parameters
- `name` `(string: <required>)` Specifies the name of the role to delete. This
is specified as part of the URL.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
https://vault.rocks/v1/mssql/roles/my-role
```
## Generate Credentials
This endpoint generates a new set of dynamic credentials based on the named
role.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `GET` | `/mssql/creds/:name` | `200 application/json` |
### Parameters
- `name` `(string: <required>)` Specifies the name of the role to create
credentials against. This is specified as part of the URL.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
https://vault.rocks/v1/mssql/creds/my-role
```
### Sample Response
```json
{
"data": {
"username": "root-a147d529-e7d6-4a16-8930-4c3e72170b19",
"password": "ee202d0d-e4fd-4410-8d14-2a78c5c8cb76"
}
}
```
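Review bot: the Configure Lease table in this file lists the path as `/mysql/config/lease` while the sample request under it posts to `https://vault.rocks/v1/mssql/config/lease`; the table row should read `/mssql/config/lease`. The Read Role and Generate Credentials sample responses omit the `lease_id`, `renewable` and `lease_duration` fields that the mongodb samples show; a credential response in particular has a lease, and the sample should show it so readers know what to renew or revoke. `description: TODO` remains in the front matter.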

View file

@ -0,0 +1,265 @@
---
layout: "http"
page_title: "MySQL Secret Backend - HTTP API"
sidebar_current: "docs-http-secret-mysql"
description: |-
TODO
---
# MySQL Secret Backend HTTP API
This is the API documentation for the Vault MySQL secret backend. For general
information about the usage and operation of the MySQL backend, please see
the [Vault MySQL backend documentation](/docs/secrets/mysql/index.html).
This documentation assumes the MySQL backend is mounted at the `/mysql`
path in Vault. Since it is possible to mount secret backends at any location,
please update your API calls accordingly.
## Configure Connection
This endpoint configures the connection DSN used to communicate with MySQL.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/mysql/config/connection` | `204 (empty body)` |
### Parameters
- `connection_url` `(string: <required>)`  Specifies the MySQL DSN.
- `max_open_connections` `(int: 2)`  Specifies the maximum number of open
connections to the database.
- `max_idle_connections` `(int: 0)`  Specifies the maximum number of idle
connections to the database. A zero uses the value of `max_open_connections`
and a negative value disables idle connections. If larger than
`max_open_connections` it will be reduced to be equal.
- `verify_connection` `(bool: true)`  Specifies if the connection is verified
during initial configuration.
### Sample Payload
```json
{
"connection_url": "mysql:host=localhost;dbname=testdb"
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.rocks/v1/mysql/config/connection
```
## Configure Lease
This endpoint configures the lease settings for generated credentials. If not
configured, leases default to 1 hour. This is a root protected endpoint.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/mysql/config/lease` | `204 (empty body)` |
### Parameters
- `lease` `(string: <required>)`  Specifies the lease value provided as a
string duration with time suffix. "h" (hour) is the largest suffix.
- `lease_max` `(string: <required>)`  Specifies the maximum lease value
provided as a string duration with time suffix. "h" (hour) is the largest
suffix.
### Sample Payload
```json
{
"lease": "12h",
"lease_max": "24h"
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.rocks/v1/mysql/config/lease
```
## Create Role
This endpoint creates or updates the role definition.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/mysql/roles/:name` | `204 (empty body)` |
### Parameters
- `sql` `(string: <required>)`  Specifies the SQL statements executed to create
and configure a user. Must be a semicolon-separated string, a base64-encoded
semicolon-separated string, a serialized JSON string array, or a
base64-encoded serialized JSON string array. The '{{name}}' and
'{{password}}' values will be substituted.
- `revocation_sql` `(string: "")` Specifies the SQL statements executed to
revoke a user. Must be a semicolon-separated string, a base64-encoded
semicolon-separated string, a serialized JSON string array, or a
base64-encoded serialized JSON string array. The '{{name}}' value will be
substituted.
- `rolename_length` `(int: 4)`  Specifies how many characters from the role
name will be used to form the mysql username interpolated into the '{{name}}'
field of the sql parameter.
- `displayname_length` `(int: 4)`  Specifies how many characters from the token
display name will be used to form the mysql username interpolated into the
'{{name}}' field of the sql parameter.
- `username_length` `(int: 16)`  Specifies the maximum total length in
characters of the mysql username interpolated into the '{{name}}' field of the
sql parameter.
### Sample Payload
```json
{
"sql": "CREATE USER ..."
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.rocks/v1/mysql/roles/my-role
```
## Read Role
This endpoint queries the role definition.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `GET` | `/mysql/roles/:name` | `200 application/json` |
### Parameters
- `name` `(string: <required>)` Specifies the name of the role to read. This
is specified as part of the URL.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
https://vault.rocks/v1/mysql/roles/my-role
```
### Sample Response
```json
{
"data": {
"sql": "CREATE USER..."
}
}
```
## List Roles
This endpoint returns a list of available roles. Only the role names are
returned, not any values.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `LIST` | `/mysql/roles` | `200 application/json` |
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request LIST \
https://vault.rocks/v1/mysql/roles
```
### Sample Response
```json
{
"auth": null,
"data": {
"keys": ["dev", "prod"]
},
"lease_duration": 2764800,
"lease_id": "",
"renewable": false
}
```
## Delete Role
This endpoint deletes the role definition.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `DELETE` | `/mysql/roles/:name` | `204 (empty body)` |
### Parameters
- `name` `(string: <required>)` Specifies the name of the role to delete. This
is specified as part of the URL.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
https://vault.rocks/v1/mysql/roles/my-role
```
## Generate Credentials
This endpoint generates a new set of dynamic credentials based on the named
role.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `GET` | `/mysql/creds/:name` | `200 application/json` |
### Parameters
- `name` `(string: <required>)` Specifies the name of the role to create
credentials against. This is specified as part of the URL.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
https://vault.rocks/v1/mysql/creds/my-role
```
### Sample Response
```json
{
"data": {
"username": "user-role-aefa63",
"password": "132ae3ef-5a64-7499-351e-bfe59f3a2a21"
}
}
```
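Review bot: the Configure Lease section here states "If not configured, leases default to 1 hour. This is a root protected endpoint." while the same endpoint in the MSSQL file above says neither; whichever is accurate should be stated consistently across the database backends, since the privilege requirement affects which policy operators must attach. The sample `connection_url` value `mysql:host=localhost;dbname=testdb` uses a `key=value;` style that differs from the URL-style connection strings shown for the other backends (`postgresql://user:pass@localhost/my-db`, `mongodb://...`); please confirm it is the form this backend actually parses and, if so, show a complete example including the credentials, because a connection string with no user is not what an operator will copy. The Generate Credentials sample response again lacks the lease fields, and `description: TODO` remains in the front matter.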

File diff suppressed because it is too large Load diff

View file

@ -0,0 +1,259 @@
---
layout: "http"
page_title: "PostgreSQL Secret Backend - HTTP API"
sidebar_current: "docs-http-secret-postgresql"
description: |-
TODO
---
# PostgreSQL Secret Backend HTTP API
This is the API documentation for the Vault PostgreSQL secret backend. For
general information about the usage and operation of the PostgreSQL backend,
please see the
[Vault PostgreSQL backend documentation](/docs/secrets/postgresql/index.html).
This documentation assumes the PostgreSQL backend is mounted at the
`/postgresql` path in Vault. Since it is possible to mount secret backends at
any location, please update your API calls accordingly.
## Configure Connection
This endpoint configures the connection string used to communicate with
PostgreSQL.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/postgresql/config/connection` | `204 (empty body)` |
### Parameters
- `connection_url` `(string: <required>)`  Specifies the PostgreSQL connection
URL or PG-style string, for example `"user=foo host=bar"`.
- `max_open_connections` `(int: 2)`  Specifies the maximum number of open
connections to the database. A negative value means unlimited.
- `max_idle_connections` `(int: 0)`  Specifies the maximum number of idle
connections to the database. A zero uses the value of `max_open_connections`
and a negative value disables idle connections. If this is larger than
`max_open_connections` it will be reduced to be equal.
- `verify_connection` `(bool: true)`  Specifies if the connection is verified
during initial configuration.
### Sample Payload
```json
{
"connection_url": "postgresql://user:pass@localhost/my-db"
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.rocks/v1/postgresql/config/connection
```
## Configure Lease
This configures the lease settings for generated credentials. If not configured,
leases default to 1 hour. This is a root protected endpoint.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/postgresql/config/lease` | `204 (empty body)` |
### Parameters
- `lease` `(string: <required>)`  Specifies the lease value provided as a
string duration with time suffix. "h" (hour) is the largest suffix.
- `lease_max` `(string: <required>)`  Specifies the maximum lease value
provided as a string duration with time suffix. "h" (hour) is the largest
suffix.
### Sample Payload
```json
{
"lease": "12h",
"lease_max": "24h"
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.rocks/v1/postgresql/config/lease
```
## Create Role
This endpoint creates or updates a role definition.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/postgresql/roles/:name` | `204 (empty body)` |
### Parameters
- `name` `(string: <required>)` Specifies the name of the role to create. This
is specified as part of the URL.
- `sql` `(string: <required>)`  Specifies the SQL statements executed to create
and configure the role. Must be a semicolon-separated string, a base64-encoded
semicolon-separated string, a serialized JSON string array, or a
base64-encoded serialized JSON string array. The '{{name}}', '{{password}}'
and '{{expiration}}' values will be substituted.
- `revocation_sql` `(string: "")`  Specifies the SQL statements to be executed
to revoke a user. Must be a semicolon-separated string, a base64-encoded
semicolon-separated string, a serialized JSON string array, or a
base64-encoded serialized JSON string array. The '{{name}}' value will be
substituted.
### Sample Payload
```json
{
"sql": "CREATE USER WITH ROLE {{name}}"
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.rocks/v1/postgresql/roles/my-role
```
## Read Role
This endpoint queries the role definition.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `GET` | `/postgresql/roles/:name` | `200 application/json` |
### Parameters
- `name` `(string: <required>)` Specifies the name of the role to read. This
is specified as part of the URL.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
https://vault.rocks/v1/postgresql/roles/my-role
```
### Sample Response
```json
{
"data": {
"sql": "CREATE USER..."
}
}
```
## List Roles
This endpoint returns a list of available roles. Only the role names are
returned, not any values.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `LIST` | `/postgresql/roles` | `200 application/json` |
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request LIST \
https://vault.rocks/v1/postgresql/roles
```
### Sample Response
```json
{
"auth": null,
"data": {
"keys": ["dev", "prod"]
},
"lease_duration": 2764800,
"lease_id": "",
"renewable": false
}
```
## Delete Role
This endpoint deletes the role definition.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `DELETE` | `/postgresql/roles/:name` | `204 (empty body)` |
### Parameters
- `name` `(string: <required>)` Specifies the name of the role to delete. This
is specified as part of the URL.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
https://vault.rocks/v1/postgresql/roles/my-role
```
## Generate Credentials
This endpoint generates a new set of dynamic credentials based on the named
role.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `GET` | `/postgresql/creds/:name` | `200 application/json` |
### Parameters
- `name` `(string: <required>)` Specifies the name of the role to create
credentials against. This is specified as part of the URL.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
https://vault.rocks/v1/postgresql/creds/my-role
```
### Sample Response
```json
{
"data": {
"username": "root-1430158508-126",
"password": "132ae3ef-5a64-7499-351e-bfe59f3a2a21"
}
}
```
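Review bot: the Create Role sample payload `"sql": "CREATE USER WITH ROLE {{name}}"` uses only `{{name}}` even though the parameter text says `{{password}}` and `{{expiration}}` are substituted; a creation statement that sets neither a password nor an expiry yields a role that cannot log in with the returned password and never expires, so the sample should include all three placeholders, for example a `CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';` form, and the Read Role sample response (`"CREATE USER..."`) should echo the same statement. The Configure Lease paragraph opens with "This configures" where every other section uses "This endpoint configures"; worth aligning. `description: TODO` remains in the front matter.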

View file

@ -0,0 +1,218 @@
---
layout: "http"
page_title: "RabbitMQ Secret Backend - HTTP API"
sidebar_current: "docs-http-secret-rabbitmq"
description: |-
TODO
---
# RabbitMQ Secret Backend HTTP API
This is the API documentation for the Vault RabbitMQ secret backend. For general
information about the usage and operation of the RabbitMQ backend, please see
the [Vault RabbitMQ backend documentation](/docs/secrets/rabbitmq/index.html).
This documentation assumes the RabbitMQ backend is mounted at the `/rabbitmq`
path in Vault. Since it is possible to mount secret backends at any location,
please update your API calls accordingly.
## Configure Connection
This endpoint configures the connection string used to communicate with
RabbitMQ.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/rabbitmq/config/connection` | `204 (empty body)` |
### Parameters
- `connection_uri` `(string: <required>)`  Specifies the RabbitMQ connection
URI.
- `username` `(string: <required>)` Specifies the RabbitMQ management
administrator username.
- `password` `(string: <required>)`  Specifies the RabbitMQ management
administrator password.
- `verify_connection` `(bool: true)`  Specifies whether to verify connection
URI, username, and password.
### Sample Payload
```json
{
"connection_uri": "https://...",
"username": "user",
"password": "password"
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.rocks/v1/rabbitmq/config/connection
```
## Configure Lease
This endpoint configures the lease settings for generated credentials. This is
endpoint requires sudo privileges.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/rabbitmq/config/lease` | `204 (empty body)` |
### Parameters
- `ttl` `(int: 0)`  Specifies the lease ttl provided in seconds.
- `max_ttl` `(int: 0)` Specifies the maximum ttl provided in seconds.
### Sample Payload
```json
{
"ttl": 1800,
"max_ttl": 3600
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.rocks/v1/rabbitmq/config/lease
```
## Create Role
This endpoint creates or updates the role definition.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/rabbitmq/roles/:name` | `204 (empty body)` |
### Parameters
- `name` `(string: <required>)` Specifies the name of the role to create. This
is specified as part of the URL.
- `tags` `(string: "")`  Specifies a comma-separated RabbitMQ management tags.
- `vhost` `(string: "")`  Specifies a map of virtual hosts to
permissions.
### Sample Payload
```json
{
"tags": "tag1,tag2",
"vhost": "{\"/\": {\"configure\":\".*\", \"write\":\".*\", \"read\": \".*\"}}"
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.rocks/v1/rabbitmq/roles/my-role
```
## Read Role
This endpoint queries the role definition.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `GET` | `/rabbitmq/roles/:name` | `200 application/json` |
### Parameters
- `name` `(string: <required>)` Specifies the name of the role to read. This
is specified as part of the URL.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
https://vault.rocks/v1/rabbitmq/roles/my-role
```
### Sample Response
```json
{
"data": {
"tags": "",
"vhost": "{\"/\": {\"configure\":\".*\", \"write\":\".*\", \"read\": \".*\"}}"
}
}
```
## Delete Role
This endpoint deletes the role definition.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `DELETE` | `/rabbitmq/roles/:namer` | `204 (empty body)` |
### Parameters
- `name` `(string: <required>)` Specifies the name of the role to delete. This
is specified as part of the URL.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
https://vault.rocks/v1/rabbitmq/roles/my-role
```
## Generate Credentials
This endpoint generates a new set of dynamic credentials based on the named
role.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `GET` | `/rabbitmq/creds/:name` | `200 application/json` |
### Parameters
- `name` `(string: <required>)` Specifies the name of the role to create
credentials against. This is specified as part of the URL.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
https://vault.rocks/v1/rabbitmq/creds/my-role
```
### Sample Response
```json
{
"data": {
"username": "root-4b95bf47-281d-dcb5-8a60-9594f8056092",
"password": "e1b6c159-ca63-4c6a-3886-6639eae06c30"
}
}
```
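Review bot: the Delete Role table lists the path as `/rabbitmq/roles/:namer`; it should be `/rabbitmq/roles/:name` to match the parameter list and the sample request. In Configure Lease, "This is endpoint requires sudo privileges." should read "This endpoint requires sudo privileges.", and the `tags` description "Specifies a comma-separated RabbitMQ management tags" should be "Specifies a comma-separated list of RabbitMQ management tags". The `ttl` and `max_ttl` parameters default to `0` but the text does not say what `0` means (system default or no limit); please state it. Unlike the other backends in this commit, this file has no List Roles section; if the backend supports a `LIST` on `/rabbitmq/roles`, it should be documented for consistency. `description: TODO` remains in the front matter.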

View file

@ -0,0 +1,861 @@
---
layout: "http"
page_title: "SSH Secret Backend - HTTP API"
sidebar_current: "docs-http-secret-ssh"
description: |-
TODO
---
# SSH Secret Backend HTTP API
This is the API documentation for the Vault SSH secret backend. For general
information about the usage and operation of the SSH backend, please see the
[Vault SSH backend documentation](/docs/secrets/ssh/index.html).
This documentation assumes the SSH backend is mounted at the `/ssh` path in
Vault. Since it is possible to mount secret backends at any location, please
update your API calls accordingly.
### /ssh/keys/
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Creates or updates a named key.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/ssh/keys/<key name>`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">key</span>
<span class="param-flags">required</span>
(String)
SSH private key with appropriate privileges on remote hosts.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
#### DELETE
<dl class="api">
<dt>Description</dt>
<dd>
Deletes a named key.
</dd>
<dt>Method</dt>
<dd>DELETE</dd>
<dt>URL</dt>
<dd>`/ssh/keys/<key name>`</dd>
<dt>Parameters</dt>
<dd>None</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
### /ssh/roles/
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Creates or updates a named role.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/ssh/roles/<role name>`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">key</span>
<span class="param-flags">required for Dynamic Key type, N/A for
OTP type, N/A for CA type</span>
(String)
Name of the registered key in Vault. Before creating the role, use
the `keys/` endpoint to create a named key.
</li>
<li>
<span class="param">admin_user</span>
<span class="param-flags">required for Dynamic Key type, N/A for OTP
type, N/A for CA type</span>
(String)
Admin user at remote host. The shared key being registered should be
for this user and should have root or sudo privileges. Every time a
dynamic credential is generated for a client, Vault uses this admin
username to login to remote host and install the generated
credential.
</li>
<li>
<span class="param">default_user</span>
<span class="param-flags">required for Dynamic Key type, required
for OTP type, optional for CA type</span>
(String)
Default username for which a credential will be generated. When the
endpoint 'creds/' is used without a username, this value will be used
as default username. Its recommended to create individual roles for
each username to ensure absolute isolation between usernames.
For the CA type, if you wish this to be a valid principal, it must
also be in `allowed_users`.
</li>
<li>
<span class="param">cidr_list</span>
<span class="param-flags">optional for Dynamic Key type, optional for
OTP type, N/A for CA type</span>
(String)
Comma separated list of CIDR blocks for which the role is applicable
for. CIDR blocks can belong to more than one role.
</li>
<li>
<span class="param">exclude_cidr_list</span>
<span class="param-flags">optional for Dynamic Key type, optional for
OTP type, N/A for CA type</span>
(String)
Comma-separated list of CIDR blocks. IP addresses belonging to these
blocks are not accepted by the role. This is particularly useful when
big CIDR blocks are being used by the role and certain parts need to
be kept out.
</li>
<li>
<span class="param">port</span>
<span class="param-flags">optional for Dynamic Key type, optional for
OTP type, N/A for CA type</span>
(Integer)
Port number for SSH connection. The default is '22'. Port number
does not play any role in OTP generation. For the 'otp' backend
type, this is just a way to inform the client about the port number
to use. The port number will be returned to the client by Vault
along with the OTP.
</li>
<li>
<span class="param">key_type</span>
<span class="param-flags">required for all types</span>
(String)
Type of credentials generated by this role. Can be either `otp`,
`dynamic` or `ca`.
</li>
<li>
<span class="param">key_bits</span>
<span class="param-flags">optional for Dynamic Key type, N/A for OTP type,
N/A for CA type</span>
(Integer)
Length of the RSA dynamic key in bits; can be either 1024 or 2048.
1024 the default.
</li>
<li>
<span class="param">install_script</span>
<span class="param-flags">optional for Dynamic Key type, N/A for OTP type,
N/A for CA type</span>
(String)
Script used to install and uninstall public keys in the target
machine. Defaults to the built-in script.
</li>
<li>
<span class="param">allowed_users</span>
<span class="param-flags">optional for all types</span>
(String)
If this option is not specified, client can request for a credential
for any valid user at the remote host, including the admin user. If
only certain usernames are to be allowed, then this list enforces it.
If this field is set, then credentials can only be created for
`default_user` and usernames present in this list. Setting this
option will enable all the users with access this role to fetch
credentials for all other usernames in this list. Use with caution.
</li>
<li>
<span class="param">allowed_domains</span>
<span class="param-flags">N/A for Dynamic Key type, N/A for OTP type,
optional for CA type</span>
(String)
If this option is not specified, client can request for a signed certificate for any
valid host. If only certain domains are allowed, then this list enforces it.
If this option is explicitly set to `*`, then credentials can be created
for any domain.
</li>
<li>
<span class="param">key_option_specs</span>
<span class="param-flags">optional for Dynamic Key type, N/A for OTP type,
N/A for CA type</span>
(String)
Comma separated option specification which will be prefixed to RSA
keys in the remote host's authorized_keys file. N.B.: Vault does
not check this string for validity.
</li>
<li>
<span class="param">ttl</span>
<span class="param-flags">N/A for Dynamic Key type, N/A for OTP type,
optional for CA type</span>
The Time To Live value provided as a string duration with time suffix.
Hour is the largest suffix. If not set, uses the system default value
or the value of `max_ttl`, whichever is shorter.
</li>
<li>
<span class="param">max_ttl</span>
<span class="param-flags">N/A for Dynamic Key type, N/A for OTP type,
optional for CA type</span>
The maximum Time To Live provided as a string duration with time
suffix. Hour is the largest suffix. If not set, defaults to the system
maximum lease TTL.
</li>
<li>
<span class="param">allowed_critical_options</span>
<span class="param-flags">N/A for Dynamic Key type, N/A for OTP type,
optional for CA type</span>
A comma-separated list of critical options that certificates can have when
signed. To allow any critical options, set this to an empty string. Will
default to allowing any critical options.
</li>
<li>
<span class="param">allowed_extensions</span>
<span class="param-flags">N/A for Dynamic Key type, N/A for OTP type,
optional for CA type</span>
A comma-separated list of extensions that certificates can have when
signed. To allow any critical options, set this to an empty string. Will
default to allowing any extensions.
</li>
<li>
<span class="param">default_critical_options</span>
<span class="param-flags">N/A for Dynamic Key type, N/A for OTP type,
optional for CA type</span>
A map of critical options certificates should have if none are provided
when signing. This field takes in key value pairs in JSON format. Note
that these are not restricted by `allowed_critical_options`. Defaults
to none.
</li>
<li>
<span class="param">default_extensions</span>
<span class="param-flags">N/A for Dynamic Key type, N/A for OTP type,
optional for CA type</span>
A map of extensions certificates should have if none are provided when
signing. This field takes in key value pairs in JSON format. Note that
these are not restricted by `allowed_extensions`. Defaults to none.
</li>
<li>
<span class="param">allow_user_certificates</span>
<span class="param-flags">N/A for Dynamic Key type, N/A for OTP type,
optional for CA type</span>
If set, certificates are allowed to be signed for use as a 'user'.
Defaults to false.
</li>
<li>
<span class="param">allow_host_certificates</span>
<span class="param-flags">N/A for Dynamic Key type, N/A for OTP type,
optional for CA type</span>
If set, certificates are allowed to be signed for use as a 'host'.
Defaults to false.
</li>
<li>
<span class="param">allow_bare_domains</span>
<span class="param-flags">N/A for Dynamic Key type, N/A for OTP type,
optional for CA type</span>
If set, host certificates that are requested are allowed to use the base
domains listed in "allowed_users", e.g. "example.com". This
is a separate option as in some cases this can be considered a security
threat. Defaults to false.
</li>
<li>
<span class="param">allow_subdomains</span>
<span class="param-flags">N/A for Dynamic Key type, N/A for OTP type,
optional for CA type</span>
If set, host certificates that are requested are allowed to use
subdomains of those listed in "allowed_users". Defaults
to false.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
#### GET
<dl class="api">
<dt>Description</dt>
<dd>
Queries a named role.
</dd>
<dt>Method</dt>
<dd>GET</dd>
<dt>URL</dt>
<dd>`/ssh/roles/<role name>`</dd>
<dt>Parameters</dt>
<dd>None</dd>
<dt>Returns</dt>
<dd>Note: these are examples only. For a dynamic key role:
```json
{
"admin_user": "username",
"cidr_list": "x.x.x.x/y",
"default_user": "username",
"key": "<key name>",
"key_type": "dynamic",
"port": 22
}
```
</dd>
<dd>For an OTP role:
```json
{
"cidr_list": "x.x.x.x/y",
"default_user": "username",
"key_type": "otp",
"port": 22
}
```
</dd>
<dd>For a CA role:
```json
{
"allow_bare_domains": false,
"allow_host_certificates": true,
"allow_subdomains": false,
"allow_user_certificates": true,
"allowed_critical_options": "",
"allowed_extensions": "",
"default_critical_options": {},
"default_extensions": {},
"max_ttl": "768h",
"ttl": "4h"
}
```
</dd>
#### LIST
<dl class="api">
<dt>Description</dt>
<dd>
Returns a list of available roles. Only the role names are returned, not
any values.
</dd>
<dt>Method</dt>
<dd>LIST/GET</dd>
<dt>URL</dt>
<dd>`/ssh/roles` (LIST) or `/ssh/roles?list=true` (GET)</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
```json
{
"auth": null,
"data": {
"keys": ["dev", "prod"]
},
"lease_duration": 2764800,
"lease_id": "",
"renewable": false
}
```
</dd>
</dl>
#### DELETE
<dl class="api">
<dt>Description</dt>
<dd>
Deletes a named role.
</dd>
<dt>Method</dt>
<dd>DELETE</dd>
<dt>URL</dt>
<dd>`/ssh/roles/<role name>`</dd>
<dt>Parameters</dt>
<dd>None</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
### /ssh/config/zeroaddress
#### GET
<dl class="api">
<dt>Description</dt>
<dd>
Returns the list of configured zero-address roles.
</dd>
<dt>Method</dt>
<dd>GET</dd>
<dt>URL</dt>
<dd>`/ssh/config/zeroaddress`</dd>
<dt>Parameters</dt>
<dd>None</dd>
<dt>Returns</dt>
<dd>
```json
{
"lease_id":"",
"renewable":false,
"lease_duration":0,
"data":{
"roles":[
"otp_key_role"
]
},
"warnings":null,
"auth":null
}
```
</dd>
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Configures zero-address roles.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/ssh/config/zeroaddress`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">roles</span>
<span class="param-flags">required</span>
A string containing comma separated list of role names which allows credentials to be requested
for any IP address. CIDR blocks previously registered under these roles will be ignored.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
#### DELETE
<dl class="api">
<dt>Description</dt>
<dd>
Deletes the zero-address roles configuration.
</dd>
<dt>Method</dt>
<dd>DELETE</dd>
<dt>URL</dt>
<dd>`/ssh/config/zeroaddress`</dd>
<dt>Parameters</dt>
<dd>None</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
### /ssh/creds/
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Creates credentials for a specific username and IP with the
parameters defined in the given role.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/ssh/creds/<role name>`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">username</span>
<span class="param-flags">optional</span>
(String)
Username on the remote host.
</li>
<li>
<span class="param">ip</span>
<span class="param-flags">required</span>
(String)
IP of the remote host.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>For a dynamic key role:
```json
{
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"admin_user": "rajanadar",
"allowed_users": "",
"cidr_list": "x.x.x.x/y",
"default_user": "rajanadar",
"exclude_cidr_list": "x.x.x.x/y",
"install_script": "pretty_large_script",
"key": "5d9ee6a1-c787-47a9-9738-da243f4f69bf",
"key_bits": 1024,
"key_option_specs": "",
"key_type": "dynamic",
"port": 22
},
"warnings": null,
"auth": null
}
```
</dd>
<dd>For an OTP role:
```json
{
"lease_id": "sshs/creds/c3c2e60c-5a48-415a-9d5a-a41e0e6cdec5/3ee6ad28-383f-d482-2427-70498eba4d96",
"renewable": false,
"lease_duration": 2764800,
"data": {
"ip": "127.0.0.1",
"key": "6d6411fd-f622-ea0a-7e2c-989a745cbbb2",
"key_type": "otp",
"port": 22,
"username": "rajanadar"
},
"warnings": null,
"auth": null
}
```
</dd>
### /ssh/lookup
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Lists all of the roles with which the given IP is associated.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/ssh/lookup`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">ip</span>
<span class="param-flags">required</span>
(String)
IP of the remote host.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>An array of roles as a secret structure.
```json
{
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"roles": ["fe6f61b7-7e4a-46a6-b2c8-0d530b8513df", "6d6411fd-f622-ea0a-7e2c-989a745cbbb2"]
},
"warnings": null,
"auth": null
}
```
</dd>
### /ssh/verify
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Verifies if the given OTP is valid. This is an unauthenticated
endpoint.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/ssh/verify`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">otp</span>
<span class="param-flags">required</span>
(String)
One-Time-Key that needs to be validated.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>A `200` response code for a valid OTP.
```json
{
"lease_id":"",
"renewable":false,
"lease_duration":0,
"data":{
"ip":"127.0.0.1",
"username":"rajanadar"
},
"warnings":null,
"auth":null
}
```
</dd>
<dd>A `400` BadRequest response code with 'OTP not found' message, for an invalid OTP.</dd>
### /ssh/config/ca
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Allows submitting the CA information for the backend via an SSH key pair.
_If you have already set a certificate and key, they will be overridden._<br /><br />
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/ssh/config/ca`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">private_key</span>
<span class="param-flags">optional</span>
The private key part the SSH CA key pair; required if generate_signing_key is false.
</li>
<li>
<span class="param">public_key</span>
<span class="param-flags">optional</span>
The public key part of the SSH CA key pair; required if generate_signing_key is false.
</li>
<li>
<span class="param">generate_signing_key</span>
<span class="param-flags">optional</span>
Generate the signing key pair interally if true, otherwise use the private_key and public_key fields.
The generated public key will be returned so you can add it to your configuration.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
A `204` response code. And if generate_signing_key was true:
</dd>
<dd>
```json
{
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"public_key": "ssh-rsa AAAAHHNzaC1y...\n"
},
"warnings": null
}
```
</dd>
</dl>
#### GET
<dl class="api">
<dt>Description</dt>
<dd>
Reads the configured/generated public key.
</dd>
<dt>Method</dt>
<dd>GET</dd>
<dt>URL</dt>
<dd>`/ssh/config/ca`</dd>
<dt>Parameters</dt>
<dd>None</dd>
<dt>Returns</dt>
<dd>
```json
{
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"public_key": "ssh-rsa AAAAHHNzaC1y...\n"
},
"warnings": null
}
```
</dd>
</dl>
### /ssh/sign
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Signs an SSH public key based on the supplied parameters, subject to the
restrictions contained in the role named in the endpoint.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/ssh/sign/<role name>`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">public_key</span>
<span class="param-flags">required</span>
SSH public key that should be signed.
</li>
<li>
<span class="param">ttl</span>
<span class="param-flags">optional</span>
Requested Time To Live. Cannot be greater than the role's `max_ttl`
value. If not provided, the role's `ttl` value will be used. Note that
the role values default to system values if not explicitly set.
</li>
<li>
<span class="param">valid_principals</span>
<span class="param-flags">optional</span>
Valid principals, either usernames or hostnames, that the certificate
should be signed for. Defaults to none.
</li>
<li>
<span class="param">cert_type</span>
<span class="param-flags">optional</span>
Type of certificate to be created; either "user" or "host". Defaults to
"user".
</li>
<li>
<span class="param">key_id</span>
<span class="param-flags">optional</span>
Key id that the created certificate should have. If not specified,
the display name of the token will be used.
</li>
<li>
<span class="param">critical_options</span>
<span class="param-flags">optional</span>
A map of the critical options that the certificate should be signed for.
Defaults to none.
</li>
<li>
<span class="param">extensions</span>
<span class="param-flags">optional</span>
A map of the extensions that the certificate should be signed for.
Defaults to none
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
```json
{
"lease_id": "ssh/sign/example/097bf207-96dd-0041-0e83-b23bd1923993",
"renewable": false,
"lease_duration": 21600,
"data": {
"serial_number": "f65ed2fd21443d5c",
"signed_key": "ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1y...\n"
},
"auth": null
}
```
</dd>
</dl>
=======
The SSH secret backend has a full HTTP API. Please see the
[SSH secret backend API](/docs/http/secret/ssh/index.html) for more
details.
>>>>>>> e54ffcd1... Break out API documentation for secret backends
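Review bot: the end of this hunk commits unresolved merge-conflict markers, the `=======` line following the closing `</dl>` of the `/ssh/sign` block and `>>>>>>> e54ffcd1... Break out API documentation for secret backends`, so the rendered page will show them; drop both marker lines and keep only the replacement paragraph "The SSH secret backend has a full HTTP API. Please see the [SSH secret backend API](/docs/http/secret/ssh/index.html) for more details." Several of the role parameter descriptions in this hunk also carry errors that should not be carried over verbatim into the new `docs/http/secret/ssh` page: `allow_bare_domains` and `allow_subdomains` both say the domains are "listed in "allowed_users"", but the list they refer to is `allowed_domains`; the `allowed_extensions` entry says "To allow any critical options, set this to an empty string." where it means any extensions; and `key_bits` reads "1024 the default." (missing "is"). Structurally, most `#### GET`/`#### POST`/`#### DELETE` blocks open `<dl class="api">` without a matching `</dl>` (for example the `/ssh/roles` GET block runs straight into `#### LIST`), so the API markup is unbalanced. Finally, the dynamic-key sample under `/ssh/creds/<role name>` returns what looks like the role document (`admin_user`, `install_script`, `key_bits`, `cidr_list`) rather than an issued credential, unlike the OTP sample next to it which returns `ip`, `key`, `port` and `username`; one of the two is wrong and should be regenerated from a real request.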

View file

@ -0,0 +1,859 @@
---
layout: "http"
page_title: "Transit Secret Backend - HTTP API"
sidebar_current: "docs-http-secret-transit"
description: |-
TODO
---
# Transit Secret Backend HTTP API
This is the API documentation for the Vault Transit secret backend. For general
information about the usage and operation of the Transit backend, please see the
[Vault Transit backend documentation](/docs/secrets/transit/index.html).
This documentation assumes the Transit backend is mounted at the `/transit`
path in Vault. Since it is possible to mount secret backends at any location,
please update your API calls accordingly.
## Create Key
This endpoint creates a new named encryption key of the specified type. The
values set here cannot be changed after key creation.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/transit/keys/:name` | `204 (empty body)` |
### Parameters
- `name` `(string: <required>)` Specifies the name of the encryption key to
create. This is specified as part of the URL.
- `convergent_encryption` `(bool: false)` If enabled, the key will support
convergent encryption, where the same plaintext creates the same ciphertext.
This requires _derived_ to be set to `true`. When enabled, each
encryption(/decryption/rewrap/datakey) operation will derive a `nonce` value
rather than randomly generate it. Note that while this is useful for
particular situations, all nonce values used with a given context value **must
be unique** or it will compromise the security of your key, and the key space
for nonces is 96 bit -- not as large as the AES key itself.
- `derived` `(bool: false)`  Specifies if key derivation kist be used. If
enabled, all encrypt/decrypt requests to this named key must provide a context
which is used for key derivation.
- `exportable` `(bool: false)`  Specifies if the raw key is exportable.
- `type` `(string: "aes256-gcm96")`  Specifies the type of key to create. The
currently-supported types are:
- `aes256-gcm96` AES-256 wrapped with GCM using a 12-byte nonce size (symmetric)
- `ecdsa-p256` ECDSA using the P-256 elliptic curve (asymmetric)
### Sample Payload
```json
{
"type": "ecdsa-p256",
"derived": true
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.rocks/v1/transit/keys/my-key
```
## Read Key
This endpoint returns information about a named encryption key. The `keys`
object shows the creation time of each key version; the values are not the keys
themselves. Depending on the type of key, different information may be returned,
e.g. an asymmetric key will return its public key in a standard format for the
type.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `GET` | `/transit/keys/:name` | `200 application/json` |
### Parameters
- `name` `(string: <required>)` Specifies the name of the encryption key to
read. This is specified as part of the URL.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
https://vault.rocks/v1/transit/keys/my-key
```
### Sample Response
```json
{
"data": {
"type": "aes256-gcm96",
"deletion_allowed": false,
"derived": false,
"exportable": false,
"keys": {
"1": 1442851412
},
"min_decryption_version": 0,
"name": "foo",
"supports_encryption": true,
"supports_decryption": true,
"supports_derivation": true,
"supports_signing": false
}
}
```
## List Keys
This endpoint returns a list of keys. Only the key names are returned (not the
actual keys themselves).
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `LIST` | `/transit/keys` | `200 application/json` |
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request LIST \
https://vault.rocks/v1/transit/keys
```
### Sample Response
```json
{
"data": {
"keys": ["foo", "bar"]
},
"lease_duration": 0,
"lease_id": "",
"renewable": false
}
```
## Delete Key
This endpoint deletes a named encryption key. It will no longer be possible to
decrypt any data encrypted with the named key. Because this is a potentially
catastrophic operation, the `deletion_allowed` tunable must be set in the key's
`/config` endpoint.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `DELETE` | `/transit/keys/:name` | `204 (empty body)` |
### Parameters
- `name` `(string: <required>)` Specifies the name of the encryption key to
delete. This is specified as part of the URL.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
https://vault.rocks/v1/transit/keys/my-key
```
#### Update Key Configuration
This endpoint allows tuning configuration values for a given key. (These values
are returned during a read operation on the named key.)
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/transit/keys/:name/config` | `204 (empty body)` |
### Parameters
- `min_decryption_version` `(int: 0)`  Specifies the minimum version of
ciphertext allowed to be decrypted. Adjusting this as part of a key rotation
policy can prevent old copies of ciphertext from being decrypted, should they
fall into the wrong hands. For signatures, this value controls the minimum
version of signature that can be verified against. For HMACs, this controls
the minimum version of a key allowed to be used as the key for the HMAC
function.
- `deletion_allowed` `(bool: false)`- Specifies if the key is allowed to be
deleted.
### Sample Payload
```json
{
"deletion_allowed": true
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.rocks/v1/transit/keys/my-key/config
```
## Rotate Key
This endpoint rotates the version of the named key. After rotation, new
plaintext requests will be encrypted with the new version of the key. To upgrade
ciphertext to be encrypted with the latest version of the key, use the `rewrap`
endpoint. This is only supported with keys that support encryption and
decryption operations.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/transit/keys/:name/rotate` | `204 (empty body)` |
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
https://vault.rocks/v1/transit/keys/my-key/rotate
```
## Read Key
This endpoint returns the named key. The `keys` object shows the value of the
key for each version. If `version` is specified, the specific version will be
returned. If `latest` is provided as the version, the current key will be
provided. Depending on the type of key, different information may be returned.
The key must be exportable to support this operation and the version must still
be valid.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `GET` | `/transit/export/:key_type/:name(/:version)` | `200 application/json` |
### Parameters
- `key_type` `(string: <required>)`  Specifies the type of the key to export.
This is specified as part of the URL. Valid values are:
- `encryption-key`
- `signing-key`
- `hmac-key`
- `name` `(string: <required>)` Specifies the name of the key to read
information about. This is specified as part of the URL.
- `version` `(int: "")`  Specifies the version of the key to read. If omitted,
all versions of the key will be returned. This is specified as part of the
URL.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
https://vault.rocks/v1/transit/export/encryption-key/my-key/1
```
### Sample Response
```json
{
"data": {
"name": "foo",
"keys": {
"1": "eyXYGHbTmugUJn6EtYD/yVEoF6pCxm4R/cMEutUm3MY=",
"2": "Euzymqx6iXjS3/NuGKDCiM2Ev6wdhnU+rBiKnJ7YpHE="
}
}
}
```
## Encrypt Data
This endpoint encrypts the provided plaintext using the named key. Currently,
this only supports symmetric keys. This path supports the `create` and `update`
policy capabilities as follows: if the user has the `create` capability for this
endpoint in their policies, and the key does not exist, it will be upserted with
default values (whether the key requires derivation depends on whether the
context parameter is empty or not). If the user only has `update` capability and
the key does not exist, an error will be returned.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/transit/encrypt/:name` | `200 application/json` |
### Parameters
- `name` `(string: <required>)` Specifies the name of the encryption key to
encrypt against. This is specified as part of the URL.
- `plaintext` `(string: <required>)` Specifies **base64 encoded** plaintext to
be encoded.
- `context` `(string: "")`  Specifies the **base64 encoded** context for key
derivation. This is required if key derivation is enabled for this key.
- `nonce` `(string: "")` Specifies the **base64 encoded** nonce value. This
must be provided if convergent encryption is enabled for this key and the key
was generated with Vault 0.6.1. Not required for keys created in 0.6.2+. The
value must be exactly 96 bits (12 bytes) long and the user must ensure that
for any given context (and thus, any given encryption key) this nonce value is
**never reused**.
- `batch_input` `(array<object>: nil)`  Specifies a list of items to be
encrypted in a single batch. When this parameter is set, if the parameters
'plaintext', 'context' and 'nonce' are also set, they will be ignored. The
format for the input is:
```json
[
{
"context": "c2FtcGxlY29udGV4dA==",
"plaintext": "dGhlIHF1aWNrIGJyb3duIGZveA=="
},
{
"context": "YW5vdGhlcnNhbXBsZWNvbnRleHQ=",
"plaintext": "dGhlIHF1aWNrIGJyb3duIGZveA=="
},
]
```
- `type` `(string: "aes256-gcm96")` This parameter is required when encryption
key is expected to be created. When performing an upsert operation, the type
of key to create. Currently, "aes256-gcm96" (symmetric) is the only type
supported.
- `convergent_encryption` `(string: "")`  This parameter will only be used when
a key is expected to be created. Whether to support convergent encryption.
This is only supported when using a key with key derivation enabled and will
require all requests to carry both a context and 96-bit (12-byte) nonce. The
given nonce will be used in place of a randomly generated nonce. As a result,
when the same context and nonce are supplied, the same ciphertext is
generated. It is _very important_ when using this mode that you ensure that
all nonces are unique for a given context. Failing to do so will severely
impact the ciphertext's security.
### Sample Payload
```json
{
"plaintext": "dGhlIHF1aWNrIGJyb3duIGZveA=="
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.rocks/v1/transit/encrypt/my-key
```
### Sample Response
```json
{
"data": {
"ciphertext": "vault:v1:abcdefgh"
}
}
```
## Decrypt Data
This endpoint decrypts the provided ciphertext using the named key. Currently,
this only supports symmetric keys.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/transit/decrypt/:name` | `200 application/json` |
### Parameters
- `name` `(string: <required>)` Specifies the name of the encryption key to
decrypt against. This is specified as part of the URL.
- `ciphertext` `(string: <required>)`  Specifies the ciphertext to decrypt.
- `context` `(string: "")` Specifies the **base64 encoded** context for key
derivation. This is required if key derivation is enabled.
- `nonce` `(string: "")`  Specifies a base64 encoded nonce value used during
encryption. Must be provided if convergent encryption is enabled for this key
and the key was generated with Vault 0.6.1. Not required for keys created in
0.6.2+.
- `batch_input` `(array<object>: nil)`  Specifies a list of items to be
decrypted in a single batch. When this parameter is set, if the parameters
'ciphertext', 'context' and 'nonce' are also set, they will be ignored. Format
for the input goes like this:
```json
[
{
"context": "c2FtcGxlY29udGV4dA==",
"ciphertext": "vault:v1:/DupSiSbX/ATkGmKAmhqD0tvukByrx6gmps7dVI="
},
{
"context": "YW5vdGhlcnNhbXBsZWNvbnRleHQ=",
"ciphertext": "vault:v1:XjsPWPjqPrBi1N2Ms2s1QM798YyFWnO4TR4lsFA="
},
]
```
### Sample Payload
```json
{
"ciphertext": "vault:v1:XjsPWPjqPrBi1N2Ms2s1QM798YyFWnO4TR4lsFA="
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.rocks/v1/transit/decrypt/my-key
```
### Sample Response
```json
{
"data": {
"plaintext": "dGhlIHF1aWNrIGJyb3duIGZveAo="
}
}
```
## Rewrap Data
This endpoint rewrapw the provided ciphertext using the latest version of the
named key. Because this never returns plaintext, it is possible to delegate this
functionality to untrusted users or scripts.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/transit/rewrap/:name` | `200 application/json` |
### Parameters
- `name` `(string: <required>)` Specifies the name of the encryption key to
re-encrypt against. This is specified as part of the URL.
- `ciphertext` `(string: <required>)`  Specifies the ciphertext to re-encrypt.
- `context` `(string: "")` Specifies the **base64 encoded** context for key
derivation. This is required if key derivation is enabled.
- `nonce` `(string: "")`  Specifies a base64 encoded nonce value used during
encryption. Must be provided if convergent encryption is enabled for this key
and the key was generated with Vault 0.6.1. Not required for keys created in
0.6.2+.
- `batch_input` `(array<object>: nil)`  Specifies a list of items to be
decrypted in a single batch. When this parameter is set, if the parameters
'ciphertext', 'context' and 'nonce' are also set, they will be ignored. Format
for the input goes like this:
```json
[
{
"context": "c2FtcGxlY29udGV4dA==",
"ciphertext": "vault:v1:/DupSiSbX/ATkGmKAmhqD0tvukByrx6gmps7dVI="
},
{
"context": "YW5vdGhlcnNhbXBsZWNvbnRleHQ=",
"ciphertext": "vault:v1:XjsPWPjqPrBi1N2Ms2s1QM798YyFWnO4TR4lsFA="
},
]
```
### Sample Payload
```json
{
"ciphertext": "vault:v1:XjsPWPjqPrBi1N2Ms2s1QM798YyFWnO4TR4lsFA="
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.rocks/v1/transit/rewrap/my-key
```
### Sample Response
```json
{
"data": {
"ciphertext": "vault:v2:abcdefgh"
}
}
```
## Generate Data Key
This endpoint generates a new high-entropy key and the value encrypted with the
named key. Optionally return the plaintext of the key as well. Whether plaintext
is returned depends on the path; as a result, you can use Vault ACL policies to
control whether a user is allowed to retrieve the plaintext value of a key. This
is useful if you want an untrusted user or operation to generate keys that are
then made available to trusted users.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/transit/datakey/:type/:name` | `200 application/json` |
### Parameters
- `type` `(string: <required>)`  Specifies the type of key to generate. If
`plaintext`, the plaintext key will be returned along with the ciphertext. If
`wrapped`, only the ciphertext value will be returned. This is specified as
part of the URL.
- `name` `(string: <required>)` Specifies the name of the encryption key to
re-encrypt against. This is specified as part of the URL.
- `context` `(string: "")`  Specifies the key derivation context, provided as a
base64-encoded string. This must be provided if derivation is enabled.
- `nonce` `(string: "")`  Specifies a nonce value, provided as base64 encoded.
Must be provided if convergent encryption is enabled for this key and the key
was generated with Vault 0.6.1. Not required for keys created in 0.6.2+. The
value must be exactly 96 bits (12 bytes) long and the user must ensure that
for any given context (and thus, any given encryption key) this nonce value is
**never reused**.
- `bits` `(int: 256)`  Specifies the number of bits in the desired key. Can be
128, 256, or 512.
### Sample Payload
```json
{
"context": "Ab3=="
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.rocks/v1/transit/datakey/plaintext/my-key
```
### Sample Response
```json
{
"data": {
"plaintext": "dGhlIHF1aWNrIGJyb3duIGZveAo=",
"ciphertext": "vault:v1:abcdefgh"
}
}
```
## Generate Random Bytes
This endpoint returns high-quality random bytes of the specified length.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/transit/random(/:bytes)` | `200 application/json` |
### Parameters
- `bytes` `(int: 32)`  Specifies the number of bytes to return. This value can
be specified either in the request body, or as a part of the URL.
- `format` `(string: "base64")` Specifies the output encoding. Valid options
are `hex` or `base64`.
### Sample Payload
```json
{
"format": "hex"
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.rocks/v1/transit/random/164
```
### Sample Response
```json
{
"data": {
"random_bytes": "dGhlIHF1aWNrIGJyb3duIGZveAo="
}
}
```
## Hash Data
This endpoint returns the cryptographic hash of given data using the specified
algorithm.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/transit/hash(/:algorithm)` | `200 application/json` |
### Parameters
- `algorithm` `(string: "sha2-256")` Specifies the hash algorithm to use. This
can also be specified as part of the URL. Currently-supported algorithms are:
- `sha2-224`
- `sha2-256`
- `sha2-384`
- `sha2-512`
- `input` `(string: <required>)`  Specifies the **base64 encoded** input data.
- `format` `(string: "hex")`  Specifies the output encoding. This can be either
`hex` or `base64`.
### Sample Payload
```json
{
"input": "adba32=="
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.rocks/v1/transit/hash/sha2-512
```
### Sample Response
```json
{
"data": {
"sum": "dGhlIHF1aWNrIGJyb3duIGZveAo="
}
}
```
## Generate HMAC with Key
This endpoint returns the digest of given data using the specified hash
algorithm and the named key. The key can be of any type supported by `transit`;
the raw key will be marshaled into bytes to be used for the HMAC function. If
the key is of a type that supports rotation, the latest (current) version will
be used.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/transit/hmac/:name(/:algorithm)` | `200 application/json` |
### Parameters
- `name` `(string: <required>)` Specifies the name of the encryption key to
generate hmac against. This is specified as part of the URL.
- `algorithm` `(string: "sha2-256")` Specifies the hash algorithm to use. This
can also be specified as part of the URL. Currently-supported algorithms are:
- `sha2-224`
- `sha2-256`
- `sha2-384`
- `sha2-512`
- `input` `(string: <required>)`  Specifies the **base64 encoded** input data.
- `format` `(string: "hex")`  Specifies the output encoding. This can be either
`hex` or `base64`.
### Sample Payload
```json
{
"input": "adba32=="
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.rocks/v1/transit/hmac/my-key/sha2-512
```
### Sample Response
```json
{
"data": {
"hmac": "dGhlIHF1aWNrIGJyb3duIGZveAo="
}
}
```
## Sign Data with Key
This endpoint returns the cryptographic signature of the given data using the
named key and the specified hash algorithm. The key must be of a type that
supports signing.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/transit/sign/:name(/:algorithm)` | `200 application/json` |
### Parameters
- `name` `(string: <required>)` Specifies the name of the encryption key to
generate hmac against. This is specified as part of the URL.
- `algorithm` `(string: "sha2-256")` Specifies the hash algorithm to use. This
can also be specified as part of the URL. Currently-supported algorithms are:
- `sha2-224`
- `sha2-256`
- `sha2-384`
- `sha2-512`
- `input` `(string: <required>)`  Specifies the **base64 encoded** input data.
- `format` `(string: "hex")`  Specifies the output encoding. This can be either
`hex` or `base64`.
### Sample Payload
```json
{
"input": "adba32=="
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.rocks/v1/transit/sign/my-key/sha2-512
```
### Sample Response
```json
{
"data": {
"signature": "vault:v1:MEUCIQCyb869d7KWuA0hBM9b5NJrmWzMW3/pT+0XYCM9VmGR+QIgWWF6ufi4OS2xo1eS2V5IeJQfsi59qeMWtgX0LipxEHI="
}
}
```
## Verify Data with Key
This endpoint returns whether the provided signature is valid for the given
data.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/transit/verify/:name(/:algorithm)` | `200 application/json` |
### Parameters
- `name` `(string: <required>)` Specifies the name of the encryption key to
generate hmac against. This is specified as part of the URL.
- `algorithm` `(string: "sha2-256")` Specifies the hash algorithm to use. This
can also be specified as part of the URL. Currently-supported algorithms are:
- `sha2-224`
- `sha2-256`
- `sha2-384`
- `sha2-512`
- `input` `(string: <required>)`  Specifies the **base64 encoded** input data.
- `format` `(string: "hex")`  Specifies the output encoding. This can be either
`hex` or `base64`.
- `signature` `(string: "")`  Specifies the signature output from the
`/transit/sign` function. Either this must be supplied or `hmac` must be
supplied.
- `hmac` `(string: "")`  Specifies the signature output from the
`/transit/hmac` function. Either this must be supplied or `signature` must be
supplied.
### Sample Payload
```json
{
"input": "abcd13==",
"signature": "vault:v1:MEUCIQCyb869d7KWuA..."
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://vault.rocks/v1/transit/verify/my-key/sha2-512
```
### Sample Response
```json
{
"data": {
"valid": true
}
}
```
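Review bot: the `name` parameter under "Sign Data with Key" and "Verify Data with Key" still reads "generate hmac against", copied from the HMAC section; it should describe the key to sign with, respectively to verify against. In the same three endpoints `format` is documented as defaulting to `hex`, yet every sample response shows a base64 value (`dGhlIHF1aWNrIGJyb3duIGZveAo=`) for a payload that does not set `format`; either add `"format": "base64"` to the sample payloads or show a hex digest so the samples agree with the stated default. Under Verify, `hmac` is described as "the signature output from `/transit/hmac`"; "the HMAC output" is the accurate wording, and it would help to state explicitly that exactly one of `signature` or `hmac` is accepted.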

View file

@ -45,7 +45,7 @@ The following parameters are required:
credentials.
- `region` the AWS region for API calls.
Note: the client uses the official AWS SDK and will use environment variable or IAM
Note: the client uses the official AWS SDK and will use environment variable or IAM
role-provided credentials if available.
The next step is to configure a role. A role is a logical name that maps
@ -159,7 +159,7 @@ Here is an example IAM policy that would grant these permissions:
```
Note that this policy example is unrelated to the policy you wrote to `aws/roles/deploy`.
This policy example should be applied to the IAM user (or role) associated with
This policy example should be applied to the IAM user (or role) associated with
the root credentials that you wrote to `aws/config/root`. You have to apply it
yourself in IAM. The policy you wrote to `aws/roles/deploy` is the policy you
want the AWS secret backend to apply to the temporary credentials it returns
@ -364,341 +364,6 @@ errors for exceeding the AWS limit of 32 characters on STS token names.
## API
### /aws/config/root
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Configures the root IAM credentials used.
If static credentials are not provided using
this endpoint, then the credentials will be retrieved from the
environment variables `AWS_ACCESS_KEY`, `AWS_SECRET_KEY` and `AWS_REGION`
respectively. If the credentials are still not found and if the
backend is configured on an EC2 instance with metadata querying
capabilities, the credentials are fetched automatically.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/aws/config/root`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">access_key</span>
<span class="param-flags">required</span>
The AWS Access Key
</li>
<li>
<span class="param">secret_key</span>
<span class="param-flags">required</span>
The AWS Secret Key
</li>
<li>
<span class="param">region</span>
<span class="param-flags">required</span>
The AWS region for API calls
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
### /aws/config/lease
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Configures the lease settings for generated credentials.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/aws/config/lease`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">lease</span>
<span class="param-flags">required</span>
The lease value provided as a string duration
with time suffix. Hour is the largest suffix.
</li>
<li>
<span class="param">lease_max</span>
<span class="param-flags">required</span>
The maximum lease value provided as a string duration
with time suffix. Hour is the largest suffix.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
### /aws/roles/
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Creates or updates a named role.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/aws/roles/<name>`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">policy</span>
<span class="param-flags">required (unless arn specified)</span>
The IAM policy in JSON format.
</li>
<li>
<span class="param">arn</span>
<span class="param-flags">required (unless policy specified)</span>
The full ARN reference to the desired existing policy
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
#### GET
<dl class="api">
<dt>Description</dt>
<dd>
Queries a named role.
</dd>
<dt>Method</dt>
<dd>GET</dd>
<dt>URL</dt>
<dd>`/aws/roles/<name>`</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"data": {
"policy": "..."
}
}
```
```javascript
{
"data": {
"arn": "..."
}
}
```
</dd>
</dl>
#### DELETE
<dl class="api">
<dt>Description</dt>
<dd>
Deletes a named role.
</dd>
<dt>Method</dt>
<dd>DELETE</dd>
<dt>URL</dt>
<dd>`/aws/roles/<name>`</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
#### LIST
<dl class="api">
<dt>Description</dt>
<dd>
Returns a list of existing roles in the backend
</dd>
<dt>Method</dt>
<dd>LIST/GET</dd>
<dt>URL</dt>
<dd>`/aws/roles` (LIST) or `/aws/roles/?list=true` (GET)</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"auth": null,
"warnings": null,
"wrap_info": null,
"data": {
"keys": [
"devrole",
"prodrole",
"testrole"
]
},
"lease_duration": 0,
"renewable": false,
"lease_id": ""
}
```
</dd>
</dl>
### /aws/creds/
#### GET
<dl class="api">
<dt>Description</dt>
<dd>
Generates a dynamic IAM credential based on the named role.
</dd>
<dt>Method</dt>
<dd>GET</dd>
<dt>URL</dt>
<dd>`/aws/creds/<name>`</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"data": {
"access_key": "...",
"secret_key": "...",
"security_token": null
}
}
```
</dd>
</dl>
### /aws/sts/
#### GET
<dl class="api">
<dt>Description</dt>
<dd>
Generates a dynamic IAM credential with an STS token based on the named
role. The TTL will be 3600 seconds (one hour).
</dd>
<dt>Method</dt>
<dd>GET</dd>
<dt>URL</dt>
<dd>`/aws/sts/<name>`</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"data": {
"access_key": "...",
"secret_key": "...",
"security_token": "..."
}
}
```
</dd>
</dl>
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Generates a dynamic IAM credential with an STS token based on the named
role and the given TTL (defaults to 3600 seconds, or one hour).
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/aws/sts/<name>`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">ttl</span>
<span class="param-flags">optional</span>
The TTL to use for the STS token.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"data": {
"access_key": "...",
"secret_key": "...",
"security_token": "..."
}
}
```
</dd>
</dl>
The AWS secret backend has a full HTTP API. Please see the
[AWS secret backend API](/docs/http/secret/aws/index.html) for more
details.
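Review bot: this hunk deletes the only description of the root-credential fallback order (static payload, then `AWS_ACCESS_KEY`/`AWS_SECRET_KEY`/`AWS_REGION` on the server, then EC2 instance metadata), of the `/aws/sts/<name>` default TTL of 3600 seconds and its optional `ttl` on POST, and of the `?list=true` GET alternative for `/aws/roles`; confirm the linked `/docs/http/secret/aws/index.html` page carries each of these before the removal lands, since none of them is recoverable from the remaining tutorial text.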

View file

@ -94,262 +94,6 @@ subpath for interactive help output.
## API
### /cassandra/config/connection
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Configures the connection information used to communicate with Cassandra.
TLS works as follows:<br /><br />
<ul>
<li>
• If `tls` is set to true, the connection will use TLS; this happens
automatically if `pem_bundle`, `pem_json`, or `insecure_tls` is set
</li>
<li>
• If `insecure_tls` is set to true, the connection will not perform
verification of the server certificate; this also sets `tls` to true
</li>
<li>
• If only `issuing_ca` is set in `pem_json`, or the only certificate in
`pem_bundle` is a CA certificate, the given CA certificate will be used
for server certificate verification; otherwise the system CA
certificates will be used
</li>
<li>
• If `certificate` and `private_key` are set in `pem_bundle` or
`pem_json`, client auth will be turned on for the connection
</li>
</ul>
`pem_bundle` should be a PEM-concatenated bundle of a private key + client
certificate, an issuing CA certificate, or both. `pem_json` should contain
the same information; for convenience, the JSON format is the same as that
output by the issue command from the PKI backend.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/cassandra/config/connection`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">hosts</span>
<span class="param-flags">required</span>
A set of comma-deliniated Cassandra hosts to connect to.
</li>
<li>
<span class="param">username</span>
<span class="param-flags">required</span>
The username to use for superuser access.
</li>
<li>
<span class="param">password</span>
<span class="param-flags">required</span>
The password corresponding to the given username.
</li>
<li>
<span class="param">tls</span>
<span class="param-flags">optional</span>
Whether to use TLS when connecting to Cassandra.
</li>
<li>
<span class="param">insecure_tls</span>
<span class="param-flags">optional</span>
Whether to skip verification of the server certificate when using TLS.
</li>
<li>
<span class="param">pem_bundle</span>
<span class="param-flags">optional</span>
Concatenated PEM blocks containing a certificate and private key;
a certificate, private key, and issuing CA certificate; or just a CA
certificate.
</li>
<li>
<span class="param">pem_json</span>
<span class="param-flags">optional</span>
JSON containing a certificate and private key;
a certificate, private key, and issuing CA certificate; or just a CA
certificate. For convenience format is the same as the output of the
`issue` command from the `pki` backend; see [the pki documentation](https://www.vaultproject.io/docs/secrets/pki/index.html).
</li>
<li>
<span class="param">protocol_version</span>
<span class="param-flags">optional</span>
The CQL protocol version to use. Defaults to 2.
</li>
<li>
<span class="param">connect_timeout</span>
<span class="param-flags">optional</span>
The connection timeout to use. Defaults to 5 seconds.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
### /cassandra/roles/
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Creates or updates the role definition.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/cassandra/roles/<name>`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">creation_cql</span>
<span class="param-flags">optional</span>
The CQL statements executed to create and configure the new user. Must
be a semicolon-separated string, a base64-encoded semicolon-separated
string, a serialized JSON string array, or a base64-encoded serialized
JSON string array. The '{{username}}' and '{{password}}' values will be
substituted; it is required that these parameters are in single quotes.
The default creates a non-superuser user with no authorization grants.
</li>
<li>
<span class="param">rollback_cql</span>
<span class="param-flags">optional</span>
The CQL statements executed to attempt a rollback if an error is
encountered during user creation. The default is to delete the user.
Must be a semicolon-separated string, a base64-encoded
semicolon-separated string, a serialized JSON string array, or a
base64-encoded serialized JSON string array. The '{{username}}' and
'{{password}}' values will be substituted; it is required that these
parameters are in single quotes.
</li>
<li>
<span class="param">lease</span>
<span class="param-flags">optional</span>
The lease value provided as a string duration
with time suffix. Hour is the largest suffix.
</li>
<li>
<span class="param">consistency</span>
<span class="param-flags">optional</span>
The consistency level value provided as a string. Determines the
consistency level used for operations performed on the Cassandra
database. Defaults to a consistency level of Quorum.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
#### GET
<dl class="api">
<dt>Description</dt>
<dd>
Queries the role definition.
</dd>
<dt>Method</dt>
<dd>GET</dd>
<dt>URL</dt>
<dd>`/cassandra/roles/<name>`</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"data": {
"creation_cql": "CREATE USER...",
"rollback_cql": "DROP USER...",
"lease": "12h",
"consistency": "Quorum"
}
}
```
</dd>
</dl>
#### DELETE
<dl class="api">
<dt>Description</dt>
<dd>
Deletes the role definition.
</dd>
<dt>Method</dt>
<dd>DELETE</dd>
<dt>URL</dt>
<dd>`/cassandra/roles/<name>`</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
### /cassandra/creds/
#### GET
<dl class="api">
<dt>Description</dt>
<dd>
Generates a new set of dynamic credentials based on the named role.
</dd>
<dt>Method</dt>
<dd>GET</dd>
<dt>URL</dt>
<dd>`/cassandra/creds/<name>`</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"data": {
"username": "vault-root-1430158508-126",
"password": "132ae3ef-5a64-7499-351e-bfe59f3a2a21"
}
}
```
</dd>
</dl>
The Cassandra secret backend has a full HTTP API. Please see the
[Cassandra secret backend API](/docs/http/secret/cassandra/index.html) for more
details.
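Review bot: the TLS semantics removed here (`tls` implied by `pem_bundle`, `pem_json` or `insecure_tls`; `insecure_tls` disabling server-certificate verification; a CA-only bundle replacing the system CAs; client auth when `certificate` and `private_key` are present) are the security-relevant part of `/cassandra/config/connection`, so make sure the linked page reproduces them and not just the parameter list. The `protocol_version` (2) and `connect_timeout` (5 seconds) defaults and the requirement that `'{{username}}'` and `'{{password}}'` be single-quoted in `creation_cql`/`rollback_cql` should be checked there as well.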

View file

@ -98,184 +98,6 @@ Permission denied
## API
### /consul/config/access
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Configures the access information for Consul.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/consul/config/access`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">address</span>
<span class="param-flags">required</span>
The address of the Consul instance, provided as host:port
</li>
<li>
<span class="param">scheme</span>
<span class="param-flags">optional</span>
The URL scheme to use. Defaults to HTTP, as Consul does not expose HTTPS by default.
</li>
<li>
<span class="param">token</span>
<span class="param-flags">required</span>
The Consul ACL token to use. Must be a management type token.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
### /consul/roles/
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Creates or updates the Consul role definition.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/consul/roles/<name>`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">policy</span>
<span class="param-flags">required</span>
The base64 encoded Consul ACL policy. This is documented in [more
detail here](https://www.consul.io/docs/internals/acl.html). Required
unless the `token_type` is `management`.
</li>
<li>
<span class="param">token_type</span>
<span class="param-flags">optional</span>
The type of token to create using this role: `client` or `management`.
If `management`, the `policy` parameter is not required.
</li>
<li>
<span class="param">lease</span>
<span class="param-flags">optional</span>
The lease value provided as a string duration with time suffix. Hour is
the largest suffix.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
#### GET
<dl class="api">
<dt>Description</dt>
<dd>
Queries a Consul role definition.
</dd>
<dt>Method</dt>
<dd>GET</dd>
<dt>URL</dt>
<dd>`/consul/roles/<name>`</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"data": {
"policy": "abcdef=",
"lease": "1h0m0s",
"token_type": "client"
}
}
```
</dd>
</dl>
#### DELETE
<dl class="api">
<dt>Description</dt>
<dd>
Deletes a Consul role definition.
</dd>
<dt>Method</dt>
<dd>DELETE</dd>
<dt>URL</dt>
<dd>`/consul/roles/<name>`</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
### /consul/creds/
#### GET
<dl class="api">
<dt>Description</dt>
<dd>
Generates a dynamic Consul token based on the role definition.
</dd>
<dt>Method</dt>
<dd>GET</dd>
<dt>URL</dt>
<dd>`/consul/creds/<name>`</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"data": {
"token": "973a31ea-1ec4-c2de-0f63-623f477c2510"
}
}
```
</dd>
</dl>
The Consul secret backend has a full HTTP API. Please see the
[Consul secret backend API](/docs/http/secret/consul/index.html) for more
details.
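Review bot: two constraints in the removed text are easy to lose in a rewrite: `token` under `/consul/config/access` must be a management-type token, and `policy` under `/consul/roles/<name>` is required unless `token_type` is `management`. Check that both survive on the linked page, together with the note that `scheme` defaults to HTTP because Consul does not expose HTTPS by default, which is the setting an operator most needs to override.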

View file

@ -89,139 +89,6 @@ As expected, the value previously set is returned to us.
## API
#### GET
<dl class="api">
<dt>Description</dt>
<dd>
Retrieves the secret at the specified location.
</dd>
<dt>Method</dt>
<dd>GET</dd>
<dt>URL</dt>
<dd>`/cubbyhole/<path>`</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"auth": null,
"data": {
"foo": "bar"
},
"lease_duration": 0,
"lease_id": "",
"renewable": false
}
```
</dd>
</dl>
#### LIST
<dl class="api">
<dt>Description</dt>
<dd>
Returns a list of secret entries at the specified location. Folders are
suffixed with `/`. The input must be a folder; list on a file will not
return a value. The values themselves are not accessible via this command.
</dd>
<dt>Method</dt>
<dd>LIST/GET</dd>
<dt>URL</dt>
<dd>`/cubbyhole/<path>` (LIST) or `/cubbyhole/<path>?list=true` (GET)</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
The example below shows output for a query path of `cubbyhole/` when there
are secrets at `cubbyhole/foo` and `cubbyhole/foo/bar`; note the difference
in the two entries.
```javascript
{
"auth": null,
"data": {
"keys": ["foo", "foo/"]
},
"lease_duration": 2764800,
"lease_id": "",
"renewable": false
}
```
</dd>
</dl>
#### POST/PUT
<dl class="api">
<dt>Description</dt>
<dd>
Stores a secret at the specified location.
</dd>
<dt>Method</dt>
<dd>POST/PUT</dd>
<dt>URL</dt>
<dd>`/cubbyhole/<path>`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">(key)</span>
<span class="param-flags">optional</span>
A key, paired with an associated value, to be held at the
given location. Multiple key/value pairs can be specified,
and all will be returned on a read operation.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
#### DELETE
<dl class="api">
<dt>Description</dt>
<dd>
Deletes the secret at the specified location.
</dd>
<dt>Method</dt>
<dd>DELETE</dd>
<dt>URL</dt>
<dd>`/cubbyhole/<path>`</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
The Cubbyhole secret backend has a full HTTP API. Please see the
[Cubbyhole secret backend API](/docs/http/secret/cubbyhole/index.html) for more
details.
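Review bot: the removed GET sample reports `"lease_duration": 0` while the LIST sample for the same backend reports `2764800`, the value that appears in the generic backend's samples; this looks like a copy-paste and should be corrected rather than carried over to the new page. Also verify that the `?list=true` GET alternative for LIST is documented there.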

View file

@ -70,145 +70,6 @@ seconds (one hour) as specified.
## API
#### GET
<dl class="api">
<dt>Description</dt>
<dd>
Retrieves the secret at the specified location.
</dd>
<dt>Method</dt>
<dd>GET</dd>
<dt>URL</dt>
<dd>`/secret/<path>`</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"auth": null,
"data": {
"foo": "bar"
},
"lease_duration": 2764800,
"lease_id": "",
"renewable": false
}
```
</dd>
</dl>
#### LIST
<dl class="api">
<dt>Description</dt>
<dd>
Returns a list of key names at the specified location. Folders are
suffixed with `/`. The input must be a folder; list on a file will not
return a value. Note that no policy-based filtering is performed on keys;
do not encode sensitive information in key names. The values themselves
are not accessible via this command.
</dd>
<dt>Method</dt>
<dd>LIST/GET</dd>
<dt>URL</dt>
<dd>`/secret/<path>` (LIST) or `/secret/<path>?list=true` (GET)</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
The example below shows output for a query path of `secret/` when there are
secrets at `secret/foo` and `secret/foo/bar`; note the difference in the two
entries.
```javascript
{
"auth": null,
"data": {
"keys": ["foo", "foo/"]
},
"lease_duration": 2764800,
"lease_id": "",
"renewable": false
}
```
</dd>
</dl>
#### POST/PUT
<dl class="api">
<dt>Description</dt>
<dd>
Stores a secret at the specified location. If the value does not yet exist,
the calling token must have an ACL policy granting the `create` capability.
If the value already exists, the calling token must have an ACL policy
granting the `update` capability.
</dd>
<dt>Method</dt>
<dd>POST/PUT</dd>
<dt>URL</dt>
<dd>`/secret/<path>`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">(key)</span>
<span class="param-flags">optional</span>
A key, paired with an associated value, to be held at the given
location. Multiple key/value pairs can be specified, and all will be
returned on a read operation. A key called `ttl` will trigger some
special behavior; see above for details.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
#### DELETE
<dl class="api">
<dt>Description</dt>
<dd>
Deletes the secret at the specified location.
</dd>
<dt>Method</dt>
<dd>DELETE</dd>
<dt>URL</dt>
<dd>`/secret/<path>`</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
The Generic secret backend has a full HTTP API. Please see the
[Generic secret backend API](/docs/http/secret/generic/index.html) for more
details.
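Review bot: the removed LIST description warns that no policy-based filtering is performed on key names and that sensitive information must not be encoded in them, and the POST/PUT description distinguishes the `create` capability (new path) from `update` (existing path); both are access-control guidance the new page must keep. The `(key)` parameter's "see above for details" about the special `ttl` key will also need a concrete target on the new page, because the tutorial text it pointed at does not move with it.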

View file

@ -120,368 +120,6 @@ applications are restricted in the credentials they are allowed to read.
## API
### /mongodb/config/connection
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Configures the standard connection string (URI) used to communicate with MongoDB.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/mongodb/config/connection`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">uri</span>
<span class="param-flags">required</span>
The MongoDB standard connection string (URI)
</li>
</ul>
</dd>
<dd>
<ul>
<li>
<span class="param">verify_connection</span>
<span class="param-flags">optional</span>
If set, uri is verified by actually connecting to the database.
Defaults to true.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
A `200` response code.
</dd>
<dd>
```javascript
{
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": null,
"wrap_info": null,
"warnings": [
"Read access to this endpoint should be controlled via ACLs as it will return the connection URI as it is, including passwords, if any."
],
"auth": null
}
```
</dd>
</dl>
#### GET
<dl class="api">
<dt>Description</dt>
<dd>
Queries the connection configuration. Access to this endpoint should be controlled via ACLs as it will return the
connection URI as it is, including passwords, if any.
</dd>
<dt>Method</dt>
<dd>GET</dd>
<dt>URL</dt>
<dd>`/mongodb/config/connection`</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"uri": "mongodb://admin:Password!@mongodb.acme.com:27017/admin?ssl=true"
},
"wrap_info": null,
"warnings": null,
"auth": null
}
```
</dd>
</dl>
### /mongodb/config/lease
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Configures the default lease TTL settings for credentials generated by the mongodb backend.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/mongodb/config/lease`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">ttl</span>
<span class="param-flags">optional</span>
The ttl value provided as a string duration
with time suffix. Hour is the largest suffix.
</li>
<li>
<span class="param">max_ttl</span>
<span class="param-flags">optional</span>
The maximum ttl value provided as a string duration
with time suffix. Hour is the largest suffix.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
#### GET
<dl class="api">
<dt>Description</dt>
<dd>
Queries the lease configuration.
</dd>
<dt>Method</dt>
<dd>GET</dd>
<dt>URL</dt>
<dd>`/mongodb/config/lease`</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"max_ttl": 60,
"ttl": 60
},
"wrap_info": null,
"warnings": null,
"auth": null
}
```
</dd>
</dl>
### /mongodb/roles/\<name\>
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Creates or updates a role definition.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/mongodb/roles/<name>`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">db</span>
<span class="param-flags">required</span>
The name of the database users should be created in for this role.
</li>
<li>
<span class="param">roles</span>
<span class="param-flags">optional</span>
MongoDB roles to assign to the users generated for this role.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
#### GET
<dl class="api">
<dt>Description</dt>
<dd>
Queries the role definition.
</dd>
<dt>Method</dt>
<dd>GET</dd>
<dt>URL</dt>
<dd>`/mongodb/roles/<name>`</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"db": "foo",
"roles": "[\"readWrite\",{\"db\":\"bar\",\"role\":\"read\"}]"
},
"wrap_info": null,
"warnings": null,
"auth": null
}
```
</dd>
</dl>
#### LIST
<dl class="api">
<dt>Description</dt>
<dd>
Returns a list of available roles. Only the role names are returned, not
any values.
</dd>
<dt>Method</dt>
<dd>LIST/GET</dd>
<dt>URL</dt>
<dd>`/mongodb/roles` (LIST) or `/mongodb/roles/?list=true` (GET)</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"keys": [
"dev",
"prod"
]
},
"wrap_info": null,
"warnings": null,
"auth": null
}
```
</dd>
</dl>
#### DELETE
<dl class="api">
<dt>Description</dt>
<dd>
Deletes the role definition.
</dd>
<dt>Method</dt>
<dd>DELETE</dd>
<dt>URL</dt>
<dd>`/mongodb/roles/<name>`</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
### /mongodb/creds/
#### GET
<dl class="api">
<dt>Description</dt>
<dd>
Generates a new set of dynamic credentials based on the named role.
</dd>
<dt>Method</dt>
<dd>GET</dd>
<dt>URL</dt>
<dd>`/mongodb/creds/<name>`</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"lease_id": "mongodb/creds/readonly/e64e79d8-9f56-e379-a7c5-373f9b4ee3d8",
"renewable": true,
"lease_duration": 3600,
"data": {
"db": "foo",
"password": "de0f7b50-d700-54e5-4e81-5c3724283999",
"username": "vault-token-b32098cb-7ff2-dcf5-83cd-d5887cedf81b"
},
"wrap_info": null,
"warnings": null,
"auth": null
}
```
</dd>
</dl>
The MongoDB secret backend has a full HTTP API. Please see the
[MongoDB secret backend API](/docs/http/secret/mongodb/index.html) for more
details.
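Review bot: the removed text twice states that GET `/mongodb/config/connection` returns the URI verbatim, including any embedded password (the POST response carries the same statement as a warning), and that read access must be restricted via ACLs; the sample `mongodb://admin:Password!@mongodb.acme.com:27017/admin?ssl=true` shows exactly what is exposed, so this must stay prominent on the linked page. Note also that this POST is documented as returning `200` with a body rather than the `204` of the other config endpoints, and that `verify_connection` defaults to true; both should be preserved.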

View file

@ -110,301 +110,6 @@ allowed to read.
## API
### /mssql/config/connection
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Configures the connection DSN used to communicate with Sql Server.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/mssql/config/connection`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">connection_string</span>
<span class="param-flags">required</span>
The MSSQL DSN
</li>
</ul>
</dd>
<dd>
<ul>
<li>
<span class="param">max_open_connections</span>
<span class="param-flags">optional</span>
Maximum number of open connections to the database.
Defaults to 2.
</li>
</ul>
</dd>
<dd>
<ul>
<li>
<span class="param">verify_connection</span>
<span class="param-flags">optional</span>
If set, connection_string is verified by actually connecting to the database.
Defaults to true.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
### /mssql/config/lease
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Configures the lease settings for generated credentials.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/mssql/config/lease`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">ttl</span>
<span class="param-flags">required</span>
The ttl value provided as a string duration
with time suffix. Hour is the largest suffix.
</li>
<li>
<span class="param">max_ttl</span>
<span class="param-flags">required</span>
The maximum ttl value provided as a string duration
with time suffix. Hour is the largest suffix.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
#### GET
<dl class="api">
<dt>Description</dt>
<dd>
Queries the lease configuration.
</dd>
<dt>Method</dt>
<dd>GET</dd>
<dt>URL</dt>
<dd>`/mssql/config/lease`</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"max_ttl": "5h",
"ttl": "1h",
"ttl_max": "5h"
},
"wrap_info": null,
"warnings": ["The field ttl_max is deprecated and will be removed in a future release. Use max_ttl instead."],
"auth": null
}
```
</dd>
</dl>
### /mssql/roles/
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Creates or updates the role definition.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/mssql/roles/<name>`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">sql</span>
<span class="param-flags">required</span>
The SQL statements executed to create and configure the role. The
'{{name}}' and '{{password}}' values will be substituted. Must be a
semicolon-separated string, a base64-encoded semicolon-separated
string, a serialized JSON string array, or a base64-encoded serialized
JSON string array.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
#### GET
<dl class="api">
<dt>Description</dt>
<dd>
Queries the role definition.
</dd>
<dt>Method</dt>
<dd>GET</dd>
<dt>URL</dt>
<dd>`/mssql/roles/<name>`</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"data": {
"sql": "CREATE LOGIN..."
}
}
```
</dd>
</dl>
#### LIST
<dl class="api">
<dt>Description</dt>
<dd>
Returns a list of available roles. Only the role names are returned, not
any values.
</dd>
<dt>Method</dt>
<dd>LIST/GET</dd>
<dt>URL</dt>
<dd>`/mssql/roles` (LIST) or `/mssql/roles/?list=true` (GET)</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"auth": null,
"data": {
"keys": ["dev", "prod"]
},
"lease_duration": 2764800,
"lease_id": "",
"renewable": false
}
```
</dd>
</dl>
#### DELETE
<dl class="api">
<dt>Description</dt>
<dd>
Deletes the role definition.
</dd>
<dt>Method</dt>
<dd>DELETE</dd>
<dt>URL</dt>
<dd>`/mssql/roles/<name>`</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
### /mssql/creds/
#### GET
<dl class="api">
<dt>Description</dt>
<dd>
Generates a new set of dynamic credentials based on the named role.
</dd>
<dt>Method</dt>
<dd>GET</dd>
<dt>URL</dt>
<dd>`/mssql/creds/<name>`</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"data": {
"username": "root-a147d529-e7d6-4a16-8930-4c3e72170b19",
"password": "ee202d0d-e4fd-4410-8d14-2a78c5c8cb76"
}
}
```
</dd>
</dl>
The MSSQL secret backend has a full HTTP API. Please see the
[MSSQL secret backend API](/docs/http/secret/mssql/index.html) for more
details.
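Review bot: the removed `/mssql/config/lease` GET sample documents the deprecated `ttl_max` field alongside `max_ttl`, together with the deprecation warning the server returns; if the new page drops `ttl_max`, users still setting it lose the only mention of its deprecation. The `sql` parameter's `'{{name}}'`/`'{{password}}'` substitution, its accepted encodings (semicolon-separated string, base64, JSON string array, base64 JSON array) and the `max_open_connections` (2) and `verify_connection` (true) defaults should also be checked against the linked page.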

View file

@ -109,7 +109,7 @@ allowed to read.
Optionally, you may configure both the number of characters from the role name
that are truncated to form the display name portion of the mysql username
interpolated into the `{{name}}` field: the default is 10.
interpolated into the `{{name}}` field: the default is 10.
You may also configure the total number of characters allowed in the entire
generated username (the sum of the display name and uuid portions); the
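Review bot: the removed and added `interpolated into the {{name}} field: the default is 10.` lines are identical, so this is a trailing-whitespace-only change; harmless, but in a commit whose purpose is relocating content it makes the diff look like a content edit. Consider dropping it or keeping whitespace cleanups in a separate commit.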
@ -119,309 +119,6 @@ the default on versions prior to that.
## API
### /mysql/config/connection
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Configures the connection DSN used to communicate with MySQL.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/mysql/config/connection`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">connection_url</span>
<span class="param-flags">required</span>
The MySQL DSN
</li>
</ul>
</dd>
<dd>
<ul>
<li>
<span class="param">value</span>
<span class="param-flags">optional</span>
</li>
</ul>
</dd>
<dd>
<ul>
<li>
<span class="param">max_open_connections</span>
<span class="param-flags">optional</span>
Maximum number of open connections to the database.
Defaults to 2.
</li>
</ul>
</dd>
<dd>
<ul>
<li>
<span class="param">max_idle_connections</span>
<span class="param-flags">optional</span>
Maximum number of idle connections to the database. A zero uses the value of `max_open_connections` and a negative value disables idle connections. If larger than `max_open_connections` it will be reduced to be equal.
</li>
</ul>
</dd>
<dd>
<ul>
<li>
<span class="param">verify_connection</span>
<span class="param-flags">optional</span>
If set, connection_url is verified by actually connecting to the database.
Defaults to true.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
### /mysql/config/lease
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Configures the lease settings for generated credentials.
If not configured, leases default to 1 hour. This is a root
protected endpoint.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/mysql/config/lease`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">lease</span>
<span class="param-flags">required</span>
The lease value provided as a string duration
with time suffix. Hour is the largest suffix.
</li>
<li>
<span class="param">lease_max</span>
<span class="param-flags">required</span>
The maximum lease value provided as a string duration
with time suffix. Hour is the largest suffix.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
### /mysql/roles/
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Creates or updates the role definition.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/mysql/roles/<name>`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">sql</span>
<span class="param-flags">required</span>
The SQL statements executed to create and configure a user. Must be a
semicolon-separated string, a base64-encoded semicolon-separated
string, a serialized JSON string array, or a base64-encoded serialized
JSON string array. The '{{name}}' and '{{password}}' values will be
substituted.
</li>
<li>
<span class="param">revocation_sql</span>
<span class="param-flags">optional</span>
The SQL statements executed to revoke a user. Must be a
semicolon-separated string, a base64-encoded semicolon-separated
string, a serialized JSON string array, or a base64-encoded serialized
JSON string array. The '{{name}}' value will be substituted.
</li>
<li>
<span class="param">rolename_length</span>
<span class="param-flags">optional</span>
Determines how many characters from the role name will be used
to form the mysql username interpolated into the '{{name}}' field
of the sql parameter. The default is 4.
</li>
<li>
<span class="param">displayname_length</span>
<span class="param-flags">optional</span>
Determines how many characters from the token display name will be used
to form the mysql username interpolated into the '{{name}}' field
of the sql parameter. The default is 4.
</li>
<li>
<span class="param">username_length</span>
<span class="param-flags">optional</span>
Determines the maximum total length in characters of the
mysql username interpolated into the '{{name}}' field
of the sql parameter. The default is 16.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
#### GET
<dl class="api">
<dt>Description</dt>
<dd>
Queries the role definition.
</dd>
<dt>Method</dt>
<dd>GET</dd>
<dt>URL</dt>
<dd>`/mysql/roles/<name>`</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"data": {
"sql": "CREATE USER..."
}
}
```
</dd>
</dl>
#### LIST
<dl class="api">
<dt>Description</dt>
<dd>
Returns a list of available roles. Only the role names are returned, not
any values.
</dd>
<dt>Method</dt>
<dd>LIST/GET</dd>
<dt>URL</dt>
<dd>`/mysql/roles` (LIST) or `/mysql/roles/?list=true` (GET)</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"auth": null,
"data": {
"keys": ["dev", "prod"]
},
"lease_duration": 2764800,
"lease_id": "",
"renewable": false
}
```
</dd>
</dl>
#### DELETE
<dl class="api">
<dt>Description</dt>
<dd>
Deletes the role definition.
</dd>
<dt>Method</dt>
<dd>DELETE</dd>
<dt>URL</dt>
<dd>`/mysql/roles/<name>`</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
### /mysql/creds/
#### GET
<dl class="api">
<dt>Description</dt>
<dd>
Generates a new set of dynamic credentials based on the named role.
</dd>
<dt>Method</dt>
<dd>GET</dd>
<dt>URL</dt>
<dd>`/mysql/creds/<name>`</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"data": {
"username": "user-role-aefa63",
"password": "132ae3ef-5a64-7499-351e-bfe59f3a2a21"
}
}
```
</dd>
</dl>
The MySQL secret backend has a full HTTP API. Please see the
[MySQL secret backend API](/docs/http/secret/mysql/index.html) for more
details.
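Review bot: the defaults in the removed role parameters disagree with the prose that stays in this file: `rolename_length` and `displayname_length` both say `The default is 4.`, while the unchanged paragraph in the hunk above says `the default is 10` for the display-name portion of the username; reconcile the two when the parameter list lands on the new page rather than carrying the contradiction over. Two smaller things to fix in the relocated copy: the `value` parameter has no description at all (the PostgreSQL section documents its equivalent as an alias with `Use connection_url instead.`), and the replacement paragraph's link target `/docs/http/secret/mysql/index.html` needs to exist in this commit.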

@ -109,290 +109,6 @@ subpath for interactive help output.
## API
### /postgresql/config/connection
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Configures the connection string used to communicate with PostgreSQL.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/postgresql/config/connection`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">connection_url</span>
<span class="param-flags">required</span>
The PostgreSQL connection URL or PG style string. e.g. "user=foo host=bar"
</li>
</ul>
</dd>
<dd>
<ul>
<li>
<span class="param">value</span>
<span class="param-flags">optional</span>
The PostgreSQL connection URL or PG style string. e.g. "user=foo host=bar". Use `connection_url` instead.
</li>
</ul>
</dd>
<dd>
<ul>
<li>
<span class="param">max_open_connections</span>
<span class="param-flags">optional</span>
Maximum number of open connections to the database. A zero uses the
default value of 2 and a negative value means unlimited.
</li>
</ul>
</dd>
<dd>
<ul>
<span class="param">max_idle_connections</span>
<span class="param-flags">optional</span>
Maximum number of idle connections to the database. A zero uses the
value of `max_open_connections` and a negative value disables idle
connections. If larger than `max_open_connections` it will be reduced
to be equal.
</ul>
</dd>
<dd>
<ul>
<span class="param">verify_connection</span>
<span class="param-flags">optional</span>
If set, connection_url is verified by actually connecting to the database.
Defaults to true.
</ul>
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
### /postgresql/config/lease
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Configures the lease settings for generated credentials.
If not configured, leases default to 1 hour. This is a root
protected endpoint.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/postgresql/config/lease`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">lease</span>
<span class="param-flags">required</span>
The lease value provided as a string duration
with time suffix. Hour is the largest suffix.
</li>
<li>
<span class="param">lease_max</span>
<span class="param-flags">required</span>
The maximum lease value provided as a string duration
with time suffix. Hour is the largest suffix.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
### /postgresql/roles/
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Creates or updates the role definition.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/postgresql/roles/<name>`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">sql</span>
<span class="param-flags">required</span>
The SQL statements executed to create and configure the role. Must be
a semicolon-separated string, a base64-encoded semicolon-separated
string, a serialized JSON string array, or a base64-encoded serialized
JSON string array. The '{{name}}', '{{password}}' and '{{expiration}}'
values will be substituted.
</li>
</ul>
<ul>
<li>
<span class="param">revocation_sql</span>
<span class="param-flags">optional</span>
SQL statements to be executed to revoke a user. Must be a semicolon-separated
string, a base64-encoded semicolon-separated string, a serialized JSON string
array, or a base64-encoded serialized JSON string array. The '{{name}}' value
will be substituted.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
#### GET
<dl class="api">
<dt>Description</dt>
<dd>
Queries the role definition.
</dd>
<dt>Method</dt>
<dd>GET</dd>
<dt>URL</dt>
<dd>`/postgresql/roles/<name>`</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"data": {
"sql": "CREATE USER..."
}
}
```
</dd>
</dl>
#### LIST
<dl class="api">
<dt>Description</dt>
<dd>
Returns a list of available roles. Only the role names are returned, not
any values.
</dd>
<dt>Method</dt>
<dd>LIST/GET</dd>
<dt>URL</dt>
<dd>`/postgresql/roles` (LIST) or `/postgresql/roles/?list=true` (GET)</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"auth": null,
"data": {
"keys": ["dev", "prod"]
},
"lease_duration": 2764800,
"lease_id": "",
"renewable": false
}
```
</dd>
</dl>
#### DELETE
<dl class="api">
<dt>Description</dt>
<dd>
Deletes the role definition.
</dd>
<dt>Method</dt>
<dd>DELETE</dd>
<dt>URL</dt>
<dd>`/postgresql/roles/<name>`</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
### /postgresql/creds/
#### GET
<dl class="api">
<dt>Description</dt>
<dd>
Generates a new set of dynamic credentials based on the named role.
</dd>
<dt>Method</dt>
<dd>GET</dd>
<dt>URL</dt>
<dd>`/postgresql/creds/<name>`</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"data": {
"username": "root-1430158508-126",
"password": "132ae3ef-5a64-7499-351e-bfe59f3a2a21"
}
}
```
</dd>
</dl>
The PostgreSQL secret backend has a full HTTP API. Please see the
[PostgreSQL secret backend API](/docs/http/secret/postgresql/index.html) for more
details.
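Review bot: the `max_idle_connections` and `verify_connection` entries are missing their `<li>` wrapper (the `<ul>` directly contains the `<span class="param">`), unlike the other parameters in this list, and the `revocation_sql` entry sits in a second `<ul>` inside the same `<dd>`; since this block is being relocated rather than deleted, make sure the new page restores the `<li>` elements so the parameters render consistently. Also consider marking `value` explicitly as deprecated instead of only `Use connection_url instead.`, and check that `/docs/http/secret/postgresql/index.html` is added in this commit.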

@ -110,219 +110,6 @@ subpath for interactive help output.
## API
### /rabbitmq/config/connection
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Configures the connection string used to communicate with RabbitMQ.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/rabbitmq/config/connection`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">connection_uri</span>
<span class="param-flags">required</span>
The RabbitMQ management connection URI.
</li>
<li>
<span class="param">username</span>
<span class="param-flags">required</span>
The RabbitMQ management administrator username.
</li>
<li>
<span class="param">password</span>
<span class="param-flags">required</span>
The RabbitMQ management administrator password.
</li>
<li>
<span class="param">verify_connection</span>
<span class="param-flags">optional</span>
Whether to verify connection URI, username, and password.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
### /rabbitmq/config/lease
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Configures the lease settings for generated credentials. This is a root
protected endpoint.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/rabbitmq/config/lease`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">ttl</span>
<span class="param-flags">optional</span>
The lease ttl provided in seconds.
</li>
<li>
<span class="param">max_ttl</span>
<span class="param-flags">optional</span>
The maximum ttl provided in seconds.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
### /rabbitmq/roles/
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Creates or updates the role definition.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/rabbitmq/roles/<name>`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">tags</span>
<span class="param-flags">optional</span>
Comma-separated RabbitMQ management tags.
</li>
<li>
<span class="param">vhost</span>
<span class="param-flags">optional</span>
A map of virtual hosts to permissions.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
#### GET
<dl class="api">
<dt>Description</dt>
<dd>
Queries the role definition.
</dd>
<dt>Method</dt>
<dd>GET</dd>
<dt>URL</dt>
<dd>`/rabbitmq/roles/<name>`</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"data": {
"tags": "",
"vhost": "{\"/\": {\"configure\:".*", \"write\:".*", \"read\": \".*\"}}"
}
}
```
</dd>
</dl>
#### DELETE
<dl class="api">
<dt>Description</dt>
<dd>
Deletes the role definition.
</dd>
<dt>Method</dt>
<dd>DELETE</dd>
<dt>URL</dt>
<dd>`/rabbitmq/roles/<name>`</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
### /rabbitmq/creds/
#### GET
<dl class="api">
<dt>Description</dt>
<dd>
Generates a new set of dynamic credentials based on the named role.
</dd>
<dt>Method</dt>
<dd>GET</dd>
<dt>URL</dt>
<dd>`/rabbitmq/creds/<name>`</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"data": {
"username": "root-4b95bf47-281d-dcb5-8a60-9594f8056092",
"password": "e1b6c159-ca63-4c6a-3886-6639eae06c30"
}
}
```
</dd>
</dl>
The RabbitMQ secret backend has a full HTTP API. Please see the
[RabbitMQ secret backend API](/docs/http/secret/rabbitmq/index.html) for more
details.
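Review bot: the GET role example carries a malformed `vhost` value, `"{\"/\": {\"configure\:".*", \"write\:".*", \"read\": \".*\"}}"`, which is not valid JSON (the quotes after `configure\:` and `write\:` are not escaped); fix it when the example moves to the new page. The `vhost` parameter is described as `A map of virtual hosts to permissions.` but the example returns it as a JSON-encoded string, so state which form the API accepts. Finally, `ttl` and `max_ttl` are documented as `provided in seconds`, while the other backends' lease settings take a string duration with a time suffix; call out the difference explicitly or align the wording if the backend accepts both.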

@ -329,7 +329,7 @@ sign an SSH public key, we simply write to the `sign` end point with that role
name: Vault is now configured to create and manage SSH certificates!
```text
$ cat dummy.pub | vault write ssh/sign/example public_key=-
$ cat dummy.pub | vault write ssh/sign/example public_key=-
Key Value
--- -----
lease_id ssh/sign/example/3c3740ee-6066-55c0-4a5d-82a544a474a3
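Review bot: whitespace-only change: the removed and added `$ cat dummy.pub | vault write ssh/sign/example public_key=-` lines are identical apart from trailing whitespace. Fine to keep, but it is unrelated to breaking out the API docs and could live in its own commit.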
@ -352,850 +352,6 @@ username@<IP of remote host>:~$
----------------------------------------------------
## API
### /ssh/keys/
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Creates or updates a named key.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/ssh/keys/<key name>`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">key</span>
<span class="param-flags">required</span>
(String)
SSH private key with appropriate privileges on remote hosts.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
#### DELETE
<dl class="api">
<dt>Description</dt>
<dd>
Deletes a named key.
</dd>
<dt>Method</dt>
<dd>DELETE</dd>
<dt>URL</dt>
<dd>`/ssh/keys/<key name>`</dd>
<dt>Parameters</dt>
<dd>None</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
### /ssh/roles/
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Creates or updates a named role.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/ssh/roles/<role name>`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">key</span>
<span class="param-flags">required for Dynamic Key type, N/A for
OTP type, N/A for CA type</span>
(String)
Name of the registered key in Vault. Before creating the role, use
the `keys/` endpoint to create a named key.
</li>
<li>
<span class="param">admin_user</span>
<span class="param-flags">required for Dynamic Key type, N/A for OTP
type, N/A for CA type</span>
(String)
Admin user at remote host. The shared key being registered should be
for this user and should have root or sudo privileges. Every time a
dynamic credential is generated for a client, Vault uses this admin
username to login to remote host and install the generated
credential.
</li>
<li>
<span class="param">default_user</span>
<span class="param-flags">required for Dynamic Key type, required
for OTP type, optional for CA type</span>
(String)
Default username for which a credential will be generated. When the
endpoint 'creds/' is used without a username, this value will be used
as default username. Its recommended to create individual roles for
each username to ensure absolute isolation between usernames.
For the CA type, if you wish this to be a valid principal, it must
also be in `allowed_users`.
</li>
<li>
<span class="param">cidr_list</span>
<span class="param-flags">optional for Dynamic Key type, optional for
OTP type, N/A for CA type</span>
(String)
Comma separated list of CIDR blocks for which the role is applicable
for. CIDR blocks can belong to more than one role.
</li>
<li>
<span class="param">exclude_cidr_list</span>
<span class="param-flags">optional for Dynamic Key type, optional for
OTP type, N/A for CA type</span>
(String)
Comma-separated list of CIDR blocks. IP addresses belonging to these
blocks are not accepted by the role. This is particularly useful when
big CIDR blocks are being used by the role and certain parts need to
be kept out.
</li>
<li>
<span class="param">port</span>
<span class="param-flags">optional for Dynamic Key type, optional for
OTP type, N/A for CA type</span>
(Integer)
Port number for SSH connection. The default is '22'. Port number
does not play any role in OTP generation. For the 'otp' backend
type, this is just a way to inform the client about the port number
to use. The port number will be returned to the client by Vault
along with the OTP.
</li>
<li>
<span class="param">key_type</span>
<span class="param-flags">required for all types</span>
(String)
Type of credentials generated by this role. Can be either `otp`,
`dynamic` or `ca`.
</li>
<li>
<span class="param">key_bits</span>
<span class="param-flags">optional for Dynamic Key type, N/A for OTP type,
N/A for CA type</span>
(Integer)
Length of the RSA dynamic key in bits; can be either 1024 or 2048.
1024 the default.
</li>
<li>
<span class="param">install_script</span>
<span class="param-flags">optional for Dynamic Key type, N/A for OTP type,
N/A for CA type</span>
(String)
Script used to install and uninstall public keys in the target
machine. Defaults to the built-in script.
</li>
<li>
<span class="param">allowed_users</span>
<span class="param-flags">optional for all types</span>
(String)
If this option is not specified, client can request for a credential
for any valid user at the remote host, including the admin user. If
only certain usernames are to be allowed, then this list enforces it.
If this field is set, then credentials can only be created for
`default_user` and usernames present in this list. Setting this
option will enable all the users with access this role to fetch
credentials for all other usernames in this list. Use with caution.
</li>
<li>
<span class="param">allowed_domains</span>
<span class="param-flags">N/A for Dynamic Key type, N/A for OTP type,
optional for CA type</span>
(String)
If this option is not specified, client can request for a signed certificate for any
valid host. If only certain domains are allowed, then this list enforces it.
If this option is explicitly set to `*`, then credentials can be created
for any domain.
</li>
<li>
<span class="param">key_option_specs</span>
<span class="param-flags">optional for Dynamic Key type, N/A for OTP type,
N/A for CA type</span>
(String)
Comma separated option specification which will be prefixed to RSA
keys in the remote host's authorized_keys file. N.B.: Vault does
not check this string for validity.
</li>
<li>
<span class="param">ttl</span>
<span class="param-flags">N/A for Dynamic Key type, N/A for OTP type,
optional for CA type</span>
The Time To Live value provided as a string duration with time suffix.
Hour is the largest suffix. If not set, uses the system default value
or the value of `max_ttl`, whichever is shorter.
</li>
<li>
<span class="param">max_ttl</span>
<span class="param-flags">N/A for Dynamic Key type, N/A for OTP type,
optional for CA type</span>
The maximum Time To Live provided as a string duration with time
suffix. Hour is the largest suffix. If not set, defaults to the system
maximum lease TTL.
</li>
<li>
<span class="param">allowed_critical_options</span>
<span class="param-flags">N/A for Dynamic Key type, N/A for OTP type,
optional for CA type</span>
A comma-separated list of critical options that certificates can have when
signed. To allow any critical options, set this to an empty string. Will
default to allowing any critical options.
</li>
<li>
<span class="param">allowed_extensions</span>
<span class="param-flags">N/A for Dynamic Key type, N/A for OTP type,
optional for CA type</span>
A comma-separated list of extensions that certificates can have when
signed. To allow any critical options, set this to an empty string. Will
default to allowing any extensions.
</li>
<li>
<span class="param">default_critical_options</span>
<span class="param-flags">N/A for Dynamic Key type, N/A for OTP type,
optional for CA type</span>
A map of critical options certificates should have if none are provided
when signing. This field takes in key value pairs in JSON format. Note
that these are not restricted by `allowed_critical_options`. Defaults
to none.
</li>
<li>
<span class="param">default_extensions</span>
<span class="param-flags">N/A for Dynamic Key type, N/A for OTP type,
optional for CA type</span>
A map of extensions certificates should have if none are provided when
signing. This field takes in key value pairs in JSON format. Note that
these are not restricted by `allowed_extensions`. Defaults to none.
</li>
<li>
<span class="param">allow_user_certificates</span>
<span class="param-flags">N/A for Dynamic Key type, N/A for OTP type,
optional for CA type</span>
If set, certificates are allowed to be signed for use as a 'user'.
Defaults to false.
</li>
<li>
<span class="param">allow_host_certificates</span>
<span class="param-flags">N/A for Dynamic Key type, N/A for OTP type,
optional for CA type</span>
If set, certificates are allowed to be signed for use as a 'host'.
Defaults to false.
</li>
<li>
<span class="param">allow_bare_domains</span>
<span class="param-flags">N/A for Dynamic Key type, N/A for OTP type,
optional for CA type</span>
If set, host certificates that are requested are allowed to use the base
domains listed in "allowed_users", e.g. "example.com". This
is a separate option as in some cases this can be considered a security
threat. Defaults to false.
</li>
<li>
<span class="param">allow_subdomains</span>
<span class="param-flags">N/A for Dynamic Key type, N/A for OTP type,
optional for CA type</span>
If set, host certificates that are requested are allowed to use
subdomains of those listed in "allowed_users". Defaults
to false.
</li>
<li>
<span class="param">allow_user_key_ids</span>
<span class="param-flags">N/A for Dynamic Key type, N/A for OTP type,
optional for CA type</span>
If true, users can override the key ID for a signed certificate with the "key_id" field.
When false, the key ID will always be the token display name.
The key ID is logged by the SSH server and can be useful for auditing.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
#### GET
<dl class="api">
<dt>Description</dt>
<dd>
Queries a named role.
</dd>
<dt>Method</dt>
<dd>GET</dd>
<dt>URL</dt>
<dd>`/ssh/roles/<role name>`</dd>
<dt>Parameters</dt>
<dd>None</dd>
<dt>Returns</dt>
<dd>Note: these are examples only. For a dynamic key role:
```json
{
"admin_user": "username",
"cidr_list": "x.x.x.x/y",
"default_user": "username",
"key": "<key name>",
"key_type": "dynamic",
"port": 22
}
```
</dd>
<dd>For an OTP role:
```json
{
"cidr_list": "x.x.x.x/y",
"default_user": "username",
"key_type": "otp",
"port": 22
}
```
</dd>
<dd>For a CA role:
```json
{
"allow_bare_domains": false,
"allow_host_certificates": true,
"allow_subdomains": false,
"allow_user_key_ids": false,
"allow_user_certificates": true,
"allowed_critical_options": "",
"allowed_extensions": "",
"default_critical_options": {},
"default_extensions": {},
"max_ttl": "768h",
"ttl": "4h"
}
```
</dd>
#### LIST
<dl class="api">
<dt>Description</dt>
<dd>
Returns a list of available roles. Only the role names are returned, not
any values.
</dd>
<dt>Method</dt>
<dd>LIST/GET</dd>
<dt>URL</dt>
<dd>`/ssh/roles` (LIST) or `/ssh/roles?list=true` (GET)</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
```json
{
"auth": null,
"data": {
"keys": ["dev", "prod"]
},
"lease_duration": 2764800,
"lease_id": "",
"renewable": false
}
```
</dd>
</dl>
#### DELETE
<dl class="api">
<dt>Description</dt>
<dd>
Deletes a named role.
</dd>
<dt>Method</dt>
<dd>DELETE</dd>
<dt>URL</dt>
<dd>`/ssh/roles/<role name>`</dd>
<dt>Parameters</dt>
<dd>None</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
### /ssh/config/zeroaddress
#### GET
<dl class="api">
<dt>Description</dt>
<dd>
Returns the list of configured zero-address roles.
</dd>
<dt>Method</dt>
<dd>GET</dd>
<dt>URL</dt>
<dd>`/ssh/config/zeroaddress`</dd>
<dt>Parameters</dt>
<dd>None</dd>
<dt>Returns</dt>
<dd>
```json
{
"lease_id":"",
"renewable":false,
"lease_duration":0,
"data":{
"roles":[
"otp_key_role"
]
},
"warnings":null,
"auth":null
}
```
</dd>
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Configures zero-address roles.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/ssh/config/zeroaddress`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">roles</span>
<span class="param-flags">required</span>
A string containing comma separated list of role names which allows credentials to be requested
for any IP address. CIDR blocks previously registered under these roles will be ignored.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
#### DELETE
<dl class="api">
<dt>Description</dt>
<dd>
Deletes the zero-address roles configuration.
</dd>
<dt>Method</dt>
<dd>DELETE</dd>
<dt>URL</dt>
<dd>`/ssh/config/zeroaddress`</dd>
<dt>Parameters</dt>
<dd>None</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
### /ssh/creds/
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Creates credentials for a specific username and IP with the
parameters defined in the given role.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/ssh/creds/<role name>`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">username</span>
<span class="param-flags">optional</span>
(String)
Username on the remote host.
</li>
<li>
<span class="param">ip</span>
<span class="param-flags">required</span>
(String)
IP of the remote host.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>For a dynamic key role:
```json
{
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"admin_user": "rajanadar",
"allowed_users": "",
"cidr_list": "x.x.x.x/y",
"default_user": "rajanadar",
"exclude_cidr_list": "x.x.x.x/y",
"install_script": "pretty_large_script",
"key": "5d9ee6a1-c787-47a9-9738-da243f4f69bf",
"key_bits": 1024,
"key_option_specs": "",
"key_type": "dynamic",
"port": 22
},
"warnings": null,
"auth": null
}
```
</dd>
<dd>For an OTP role:
```json
{
"lease_id": "sshs/creds/c3c2e60c-5a48-415a-9d5a-a41e0e6cdec5/3ee6ad28-383f-d482-2427-70498eba4d96",
"renewable": false,
"lease_duration": 2764800,
"data": {
"ip": "127.0.0.1",
"key": "6d6411fd-f622-ea0a-7e2c-989a745cbbb2",
"key_type": "otp",
"port": 22,
"username": "rajanadar"
},
"warnings": null,
"auth": null
}
```
</dd>
### /ssh/lookup
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Lists all of the roles with which the given IP is associated.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/ssh/lookup`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">ip</span>
<span class="param-flags">required</span>
(String)
IP of the remote host.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>An array of roles as a secret structure.
```json
{
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"roles": ["fe6f61b7-7e4a-46a6-b2c8-0d530b8513df", "6d6411fd-f622-ea0a-7e2c-989a745cbbb2"]
},
"warnings": null,
"auth": null
}
```
</dd>
### /ssh/verify
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Verifies if the given OTP is valid. This is an unauthenticated
endpoint.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/ssh/verify`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">otp</span>
<span class="param-flags">required</span>
(String)
One-Time-Key that needs to be validated.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>A `200` response code for a valid OTP.
```json
{
"lease_id":"",
"renewable":false,
"lease_duration":0,
"data":{
"ip":"127.0.0.1",
"username":"rajanadar"
},
"warnings":null,
"auth":null
}
```
</dd>
<dd>A `400` BadRequest response code with 'OTP not found' message, for an invalid OTP.</dd>
### /ssh/config/ca
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Allows submitting the CA information for the backend via an SSH key pair.
_If you have already set a certificate and key, they will be overridden._<br /><br />
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/ssh/config/ca`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">private_key</span>
<span class="param-flags">optional</span>
The private key part the SSH CA key pair; required if generate_signing_key is false.
</li>
<li>
<span class="param">public_key</span>
<span class="param-flags">optional</span>
The public key part of the SSH CA key pair; required if generate_signing_key is false.
</li>
<li>
<span class="param">generate_signing_key</span>
<span class="param-flags">optional</span>
Generate the signing key pair interally if true, otherwise use the private_key and public_key fields.
The generated public key will be returned so you can add it to your configuration.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
A `204` response code. And if generate_signing_key was true:
</dd>
<dd>
```json
{
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"public_key": "ssh-rsa AAAAHHNzaC1y...\n"
},
"warnings": null
}
```
</dd>
</dl>
#### GET
<dl class="api">
<dt>Description</dt>
<dd>
Reads the configured/generated public key.
</dd>
<dt>Method</dt>
<dd>GET</dd>
<dt>URL</dt>
<dd>`/ssh/config/ca`</dd>
<dt>Parameters</dt>
<dd>None</dd>
<dt>Returns</dt>
<dd>
```json
{
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"public_key": "ssh-rsa AAAAHHNzaC1y...\n"
},
"warnings": null
}
```
</dd>
</dl>
### /ssh/sign
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Signs an SSH public key based on the supplied parameters, subject to the
restrictions contained in the role named in the endpoint.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/ssh/sign/<role name>`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">public_key</span>
<span class="param-flags">required</span>
SSH public key that should be signed.
</li>
<li>
<span class="param">ttl</span>
<span class="param-flags">optional</span>
Requested Time To Live. Cannot be greater than the role's `max_ttl`
value. If not provided, the role's `ttl` value will be used. Note that
the role values default to system values if not explicitly set.
</li>
<li>
<span class="param">valid_principals</span>
<span class="param-flags">optional</span>
Valid principals, either usernames or hostnames, that the certificate
should be signed for. Defaults to none.
</li>
<li>
<span class="param">cert_type</span>
<span class="param-flags">optional</span>
Type of certificate to be created; either "user" or "host". Defaults to
"user".
</li>
<li>
<span class="param">key_id</span>
<span class="param-flags">optional</span>
Key id that the created certificate should have. If not specified,
the display name of the token will be used.
</li>
<li>
<span class="param">critical_options</span>
<span class="param-flags">optional</span>
A map of the critical options that the certificate should be signed for.
Defaults to none.
</li>
<li>
<span class="param">extensions</span>
<span class="param-flags">optional</span>
A map of the extensions that the certificate should be signed for.
Defaults to none
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
```json
{
"lease_id": "ssh/sign/example/097bf207-96dd-0041-0e83-b23bd1923993",
"renewable": false,
"lease_duration": 21600,
"data": {
"serial_number": "f65ed2fd21443d5c",
"signed_key": "ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1y...\n"
},
"auth": null
}
```
</dd>
</dl>
The SSH secret backend has a full HTTP API. Please see the
[SSH secret backend API](/docs/http/secret/ssh/index.html) for more
details.
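Review bot: the three-line pointer that replaces the `/ssh/config/ca` and `/ssh/sign` reference drops the operator-facing details documented here, in particular that `key_id` defaults to the token's display name (which is what lands in the signed certificate and therefore in the audit trail), that `cert_type` defaults to `user`, and that a requested `ttl` cannot exceed the role's `max_ttl`; the new page at `/docs/http/secret/ssh/index.html` is not part of this hunk, so please confirm those defaults and limits were carried over verbatim rather than summarised. The link target itself does appear in the sidebar changes further down in this commit, so the cross-reference will resolve.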

View file

@ -98,7 +98,7 @@ supports_derivation true
supports_encryption true
supports_signing false
type aes256-gcm96
````
```
Now, if we wanted to encrypt a piece of plain text, we use the encrypt
endpoint using our named key:
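Review bot: the closing fence on the key-info output block (`supports_derivation` ... `type aes256-gcm96`) had four backticks against a three-backtick opener, so the block never closed and swallowed the paragraph below it; the change from four to three is correct. Since the fence markup is being touched anyway, a grep of the rest of the docs tree for the same four-backtick mismatch would be cheap.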
@ -131,925 +131,6 @@ only encrypt or decrypt using the named keys they need access to.
## API
### /transit/keys/
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Creates a new named encryption key of the specified type. The values set
here cannot be changed after key creation.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/transit/keys/<name>`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">type</span>
<span class="param-flags">required</span>
The type of key to create. The currently-supported types are:
<ul>
<li>`aes256-gcm96`: AES-256 wrapped with GCM using a 12-byte nonce size (symmetric)</li>
<li>`ecdsa-p256`: ECDSA using the P-256 elliptic curve (asymmetric)</li>
</ul>
Defaults to `aes256-gcm96`.
</li>
<li>
<span class="param">derived</span>
<span class="param-flags">optional</span>
Boolean flag indicating if key derivation MUST be used. If enabled, all
encrypt/decrypt requests to this named key must provide a context
which is used for key derivation. Defaults to false.
</li>
<li>
<span class="param">convergent_encryption</span>
<span class="param-flags">optional</span>
If set, the key will support convergent encryption, where the same
plaintext creates the same ciphertext. This requires _derived_ to be
set to `true`. When enabled, each
encryption(/decryption/rewrap/datakey) operation will derive a `nonce`
value rather than randomly generate it. Note that while this is useful
for particular situations, all nonce values used with a given context
value **must be unique** or it will compromise the security of your
key, and the key space for nonces is 96 bit -- not as large as the AES
key itself. Defaults to false.
</li>
<li>
<span class="param">exportable</span>
<span class="param-flags">optional</span>
Boolean flag indicating if the key is exportable. Defaults to false.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
#### GET
<dl class="api">
<dt>Description</dt>
<dd>
Returns information about a named encryption key. The `keys` object shows
the creation time of each key version; the values are not the keys
themselves. Depending on the type of key, different information may be
returned, e.g. an asymmetric key will return its public key in a standard
format for the type.
</dd>
<dt>Method</dt>
<dd>GET</dd>
<dt>URL</dt>
<dd>`/transit/keys/<name>`</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"data": {
"type": "aes256-gcm96",
"deletion_allowed": false,
"derived": false,
"exportable": false,
"keys": {
"1": 1442851412
},
"min_decryption_version": 0,
"name": "foo",
"supports_encryption": true,
"supports_decryption": true,
"supports_derivation": true,
"supports_signing": false
}
}
```
</dd>
</dl>
#### LIST
<dl class="api">
<dt>Description</dt>
<dd>
Returns a list of keys. Only the key names are returned.
</dd>
<dt>Method</dt>
<dd>LIST/GET</dd>
<dt>URL</dt>
<dd>`/transit/keys` (LIST) or `/transit/keys?list=true` (GET)</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"data": {
"keys": ["foo", "bar"]
},
"lease_duration": 0,
"lease_id": "",
"renewable": false
}
```
</dd>
</dl>
#### DELETE
<dl class="api">
<dt>Description</dt>
<dd>
Deletes a named encryption key.
It will no longer be possible to decrypt any data encrypted with the
named key. Because this is a potentially catastrophic operation, the
`deletion_allowed` tunable must be set in the key's `/config` endpoint.
</dd>
<dt>Method</dt>
<dd>DELETE</dd>
<dt>URL</dt>
<dd>`/transit/keys/<name>`</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
### /transit/keys/config
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Allows tuning configuration values for a given key. (These values are
returned during a read operation on the named key.)
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/transit/keys/<name>/config`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">min_decryption_version</span>
<span class="param-flags">optional</span>
The minimum version of ciphertext allowed to be decrypted. Adjusting
this as part of a key rotation policy can prevent old copies of
ciphertext from being decrypted, should they fall into the wrong hands.
For signatures, this value controls the minimum version of signature
that can be verified against. For HMACs, this controls the minimum
version of a key allowed to be used as the key for the HMAC function.
Defaults to 0.
</li>
<li>
<span class="param">deletion_allowed</span>
<span class="param-flags">optional</span>
When set, the key is allowed to be deleted. Defaults to false.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
### /transit/keys/rotate/
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Rotates the version of the named key. After rotation, new plaintext
requests will be encrypted with the new version of the key. To upgrade
ciphertext to be encrypted with the latest version of the key, use the
`rewrap` endpoint. This is only supported with keys that support encryption
and decryption operations.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/transit/keys/<name>/rotate`</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
A `204` response code.
</dd>
</dl>
### /transit/export/encryption-key/\<name\>(/\<version\>)
### /transit/export/signing-key/\<name\>(/\<version\>)
### /transit/export/hmac-key/\<name\>(/\<version\>)
#### GET
<dl class="api">
<dt>Description</dt>
<dd>
Returns the named key. The `keys` object shows the value of the key for
each version. If `version` is specified, the specific version will be
returned. If `latest` is provided as the version, the current key will be
provided. Depending on the type of key, different information may be
returned. The key must be exportable to support this operation and the
version must still be valid.
</dd>
<dt>Method</dt>
<dd>GET</dd>
<dt>URL</dt>
<dd>`/transit/export/<key-type>/<name>/<version>`</dd>
<dt>Parameters</dt>
<dd>
None
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"data": {
"name": "foo",
"keys": {
"1": "eyXYGHbTmugUJn6EtYD/yVEoF6pCxm4R/cMEutUm3MY=",
"2": "Euzymqx6iXjS3/NuGKDCiM2Ev6wdhnU+rBiKnJ7YpHE="
}
}
}
```
</dd>
</dl>
### /transit/encrypt/
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Encrypts the provided plaintext using the named key. Currently, this only
supports symmetric keys. This path supports the `create` and `update`
policy capabilities as follows: if the user has the `create` capability for
this endpoint in their policies, and the key does not exist, it will be
upserted with default values (whether the key requires derivation depends
on whether the context parameter is empty or not). If the user only has
`update` capability and the key does not exist, an error will be returned.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/transit/encrypt/<name>`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">plaintext</span>
<span class="param-flags">required</span>
Base64 encoded plaintext value to be encrypted.
</li>
</ul>
<ul>
<li>
<span class="param">context</span>
<span class="param-flags">optional</span>
Base64 encoded context for key derivation. Required if key derivation
is enabled.
</li>
</ul>
<ul>
<li>
<span class="param">nonce</span>
<span class="param-flags">optional</span>
Base64 encoded nonce value. Must be provided if convergent encryption is
enabled for this key and the key was generated with Vault 0.6.1. Not required
for keys created in 0.6.2+. The value must be exactly 96 bits (12 bytes) long
and the user must ensure that for any given context (and thus, any given
encryption key) this nonce value is **never reused**.
</li>
</ul>
<ul>
<li>
<span class="param">batch_input</span>
<span class="param-flags">optional</span>
List of items to be encrypted in a single batch. When
this parameter is set, if the parameters 'plaintext', 'context' and
'nonce' are also set, they will be ignored. Format for the input
goes like this:
```javascript
[
{
"context": "c2FtcGxlY29udGV4dA==",
"plaintext": "dGhlIHF1aWNrIGJyb3duIGZveA=="
},
{
"context": "YW5vdGhlcnNhbXBsZWNvbnRleHQ=",
"plaintext": "dGhlIHF1aWNrIGJyb3duIGZveA=="
},
...
]
```
</li>
</ul>
<ul>
<li>
<span class="param">type</span>
<span class="param-flags">optional</span>
This parameter is required when encryption key is expected to be created.
When performing an upsert operation, the type of key to create. Currently,
"aes256-gcm96" (symmetric) is the only type supported. Defaults to
"aes256-gcm96".
</li>
</ul>
<ul>
<li>
<span class="param">convergent_encryption</span>
<span class="param-flags">optional</span>
This parameter will only be used when a key is expected to be created. Whether
to support convergent encryption. This is only supported when using a key with
key derivation enabled and will require all requests to carry both a context
and 96-bit (12-byte) nonce. The given nonce will be used in place of a randomly
generated nonce. As a result, when the same context and nonce are supplied, the
same ciphertext is generated. It is *very important* when using this mode that
you ensure that all nonces are unique for a given context. Failing to do so
will severely impact the ciphertext's security.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"data": {
"ciphertext": "vault:v1:abcdefgh"
}
}
```
</dd>
</dl>
### /transit/decrypt/
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Decrypts the provided ciphertext using the named key. Currently, this only
supports symmetric keys.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/transit/decrypt/<name>`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">ciphertext</span>
<span class="param-flags">required</span>
The ciphertext to decrypt, provided as returned by encrypt.
</li>
<li>
<span class="param">context</span>
<span class="param-flags">optional</span>
Base64 encoded context for key derivation. Required if key derivation is
enabled.
</li>
<li>
<span class="param">nonce</span>
<span class="param-flags">optional</span>
Base64 encoded nonce value used during encryption. Must be provided if
convergent encryption is enabled for this key and the key was generated with
Vault 0.6.1. Not required for keys created in 0.6.2+.
</li>
</ul>
<ul>
<li>
<span class="param">batch_input</span>
<span class="param-flags">optional</span>
List of items to be decrypted in a single batch. When this parameter is
set, if the parameters 'ciphertext', 'context' and 'nonce' are also
set, they will be ignored. Format for the input goes like this:
```javascript
[
{
"context": "c2FtcGxlY29udGV4dA==",
"ciphertext": "vault:v1:/DupSiSbX/ATkGmKAmhqD0tvukByrx6gmps7dVI="
},
{
"context": "YW5vdGhlcnNhbXBsZWNvbnRleHQ=",
"ciphertext": "vault:v1:XjsPWPjqPrBi1N2Ms2s1QM798YyFWnO4TR4lsFA="
},
...
]
```
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"data": {
"plaintext": "dGhlIHF1aWNrIGJyb3duIGZveAo="
}
}
```
</dd>
</dl>
### /transit/rewrap/
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Rewrap the provided ciphertext using the latest version of the named key.
Because this never returns plaintext, it is possible to delegate this
functionality to untrusted users or scripts.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/transit/rewrap/<name>`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">ciphertext</span>
<span class="param-flags">required</span>
The ciphertext to decrypt, provided as returned by encrypt.
</li>
<li>
<span class="param">context</span>
<span class="param-flags">optional</span>
Base64 encoded context for key derivation. Required for derived keys.
</li>
<li>
<span class="param">nonce</span>
<span class="param-flags">optional</span>
The nonce value used during encryption, provided as base64 encoded.
Must be provided if convergent encryption is enabled for this key and
the key was created with Vault 0.6.1. Not required for keys created in
0.6.2+.
</li>
<li>
<span class="param">batch_input</span>
<span class="param-flags">optional</span>
List of items to be rewrapped in a single batch. When this parameter is
set, if the parameters 'ciphertext', 'context' and 'nonce' are also
set, they will be ignored. Format for the input goes like this:
```javascript
[
{
"context": "c2FtcGxlY29udGV4dA==",
"ciphertext": "vault:v1:/DupSiSbX/ATkGmKAmhqD0tvukByrx6gmps7dVI="
},
{
"context": "YW5vdGhlcnNhbXBsZWNvbnRleHQ=",
"ciphertext": "vault:v1:XjsPWPjqPrBi1N2Ms2s1QM798YyFWnO4TR4lsFA="
},
...
]
```
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"data": {
"ciphertext": "vault:v2:abcdefgh"
}
}
```
</dd>
</dl>
### /transit/datakey/
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Generate a new high-entropy key and the value encrypted with the named
key. Optionally return the plaintext of the key as well. Whether plaintext
is returned depends on the path; as a result, you can use Vault ACL
policies to control whether a user is allowed to retrieve the plaintext
value of a key. This is useful if you want an untrusted user or operation
to generate keys that are then made available to trusted users.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/transit/datakey/<plaintext|wrapped>/<name>`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">plaintext|wrapped (path parameter)</span>
<span class="param-flags">required</span>
If `plaintext`, the plaintext key will be returned along with the
ciphertext. If `wrapped`, only the ciphertext value will be returned.
</li>
<li>
<span class="param">context</span>
<span class="param-flags">optional</span>
The key derivation context, provided as a base64-encoded string.
Must be provided if derivation is enabled.
</li>
<li>
<span class="param">nonce</span>
<span class="param-flags">optional</span>
The nonce value, provided as base64 encoded. Must be provided if
convergent encryption is enabled for this key and the key was generated
with Vault 0.6.1. Not required for keys created in 0.6.2+. The value
must be exactly 96 bits (12 bytes) long and the user must ensure that
for any given context (and thus, any given encryption key) this nonce
value is **never reused**.
</li>
<li>
<span class="param">bits</span>
<span class="param-flags">optional</span>
The number of bits in the desired key. Can be 128, 256, or 512; if not
given, defaults to 256.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"data": {
"plaintext": "dGhlIHF1aWNrIGJyb3duIGZveAo=",
"ciphertext": "vault:v1:abcdefgh"
}
}
```
</dd>
</dl>
### /transit/random
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Return high-quality random bytes of the specified length.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/transit/random(/<bytes>)`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">bytes</span>
<span class="param-flags">optional</span>
The number of bytes to return. Defaults to 32 (256 bits). This value
can be specified either in the request body, or as a part of the URL
with a format like `/transit/random/48`.
</li>
<li>
<span class="param">format</span>
<span class="param-flags">optional</span>
The output encoding; can be either `hex` or `base64`. Defaults to
`base64`.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"data": {
"random_bytes": "dGhlIHF1aWNrIGJyb3duIGZveAo="
}
}
```
</dd>
</dl>
### /transit/hash
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Returns the hash of given data using the specified algorithm. The algorithm
can be specified as part of the URL or given via a parameter; the URL value
takes precedence if both are set.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/transit/hash(/<algorithm>)`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">input</span>
<span class="param-flags">required</span>
The base64-encoded input data.
</li>
<li>
<span class="param">algorithm</span>
<span class="param-flags">optional</span>
The hash algorithm to use. This can also be specified in the URL.
Currently-supported algorithms are:
<ul>
<li>`sha2-224`</li>
<li>`sha2-256`</li>
<li>`sha2-384`</li>
<li>`sha2-512`</li>
</ul>
Defaults to `sha2-256`.
</li>
<li>
<span class="param">format</span>
<span class="param-flags">optional</span>
The output encoding; can be either `hex` or `base64`. Defaults to
`hex`.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"data": {
"sum": "dGhlIHF1aWNrIGJyb3duIGZveAo="
}
}
```
</dd>
</dl>
### /transit/hmac/
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Returns the digest of given data using the specified hash algorithm and the
named key. The key can be of any type supported by `transit`; the raw key
will be marshalled into bytes to be used for the HMAC function. If the key
is of a type that supports rotation, the latest (current) version will be
used.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/transit/hmac/<name>(/<algorithm>)`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">input</span>
<span class="param-flags">required</span>
The base64-encoded input data.
</li>
<li>
<span class="param">algorithm</span>
<span class="param-flags">optional</span>
The hash algorithm to use. This can also be specified in the URL.
Currently-supported algorithms are:
<ul>
<li>`sha2-224`</li>
<li>`sha2-256`</li>
<li>`sha2-384`</li>
<li>`sha2-512`</li>
</ul>
Defaults to `sha2-256`.
</li>
<li>
<span class="param">format</span>
<span class="param-flags">optional</span>
The output encoding; can be either `hex` or `base64`. Defaults to
`hex`.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"data": {
"hmac": "dGhlIHF1aWNrIGJyb3duIGZveAo="
}
}
```
</dd>
</dl>
### /transit/sign/
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Returns the cryptographic signature of the given data using the named key
and the specified hash algorithm. The key must be of a type that supports
signing.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/transit/sign/<name>(/<algorithm>)`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">input</span>
<span class="param-flags">required</span>
The base64-encoded input data.
</li>
<li>
<span class="param">algorithm</span>
<span class="param-flags">optional</span>
The hash algorithm to use. This can also be specified in the URL.
Currently-supported algorithms are:
<ul>
<li>`sha2-224`</li>
<li>`sha2-256`</li>
<li>`sha2-384`</li>
<li>`sha2-512`</li>
</ul>
Defaults to `sha2-256`.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"data": {
"signature": "vault:v1:MEUCIQCyb869d7KWuA0hBM9b5NJrmWzMW3/pT+0XYCM9VmGR+QIgWWF6ufi4OS2xo1eS2V5IeJQfsi59qeMWtgX0LipxEHI="
}
}
```
</dd>
</dl>
### /transit/verify/
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Returns whether the provided signature is valid for the given data.
</dd>
<dt>Method</dt>
<dd>POST</dd>
<dt>URL</dt>
<dd>`/transit/verify/<name>(/<algorithm>)`</dd>
<dt>Parameters</dt>
<dd>
<ul>
<li>
<span class="param">input</span>
<span class="param-flags">required</span>
The base64-encoded input data.
</li>
<li>
<span class="param">signature</span>
<span class="param-flags">required</span>
The signature output from the `/transit/sign` function. Either this must be supplied or `hmac` must be supplied.
</li>
<li>
<span class="param">hmac</span>
<span class="param-flags">required</span>
The signature output from the `/transit/hmac` function. Either this must be supplied or `signature` must be supplied.
</li>
<li>
<span class="param">algorithm</span>
<span class="param-flags">optional</span>
The hash algorithm to use. This can also be specified in the URL.
Currently-supported algorithms are:
<ul>
<li>`sha2-224`</li>
<li>`sha2-256`</li>
<li>`sha2-384`</li>
<li>`sha2-512`</li>
</ul>
Defaults to `sha2-256`.
</li>
</ul>
</dd>
<dt>Returns</dt>
<dd>
```javascript
{
"data": {
"valid": true
}
}
```
</dd>
</dl>
The Transit secret backend has a full HTTP API. Please see the
[Transit secret backend API](/docs/http/secret/transit/index.html) for more
details.
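Review bot: the replacement sentence sends readers to `/docs/http/secret/transit/index.html`, but the text being removed carries two internal inconsistencies that should not be copied across unchanged: the `type` parameter on `POST /transit/keys/<name>` is flagged `required` yet says "Defaults to `aes256-gcm96`", and on `POST /transit/verify/<name>` both `signature` and `hmac` are flagged `required` although each description says exactly one of them is supplied. The security-relevant parts of this page are the convergent-encryption warnings (the 96-bit nonce space, and the rule that a nonce must never repeat under a given context, stated for `keys`, `encrypt` and `datakey`), the `min_decryption_version` guidance for key rotation, and the `deletion_allowed` gate on `DELETE /transit/keys/<name>`; none of the new page is visible in this diff, so please cross-check that those appear there in the same words.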

View file

@ -154,10 +154,6 @@
</ul>
</li>
<li<%= sidebar_current("docs-http") %>>
<a href="/docs/http/index.html">API &amp; Libraries</a>
</li>
<hr>
<li<%= sidebar_current("docs-secrets") %>>
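Review bot: this hunk only removes the `API &amp; Libraries` entry and leaves the `<hr>` in place; the matching re-insertion before `Guides` is in the next hunk at line 285, so the two must land together or the docs sidebar loses its only link to `/docs/http/index.html`.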
@ -289,6 +285,10 @@
<hr>
<li<%= sidebar_current("docs-http") %>>
<a href="/docs/http/index.html">API &amp; Libraries</a>
</li>
<li<%= sidebar_current("docs-guides") %>>
<a href="/docs/guides/index.html">Guides</a>
<ul class="nav">

View file

@ -5,193 +5,155 @@
<li<%= sidebar_current("docs-http-overview") %>>
<a href="/docs/http/index.html">Overview</a>
</li>
<li<%= sidebar_current("docs-http-libraries") %>>
<a href="/docs/http/libraries.html">Libraries</a>
<a href="/docs/http/libraries.html">Client Libraries</a>
</li>
<li<%= sidebar_current("docs-http-sys-init") %>>
<a href="#">Initialization/Recovery</a>
<ul class="nav nav-visible">
<li<%= sidebar_current("docs-http-sys-init") %>>
<a href="/docs/http/sys-init.html">/sys/init</a>
</li>
<li<%= sidebar_current("docs-http-sys-generate-root") %>>
<a href="/docs/http/sys-generate-root.html">/sys/generate-root</a>
</li>
</ul>
</li>
<li<%= sidebar_current("docs-http-seal") %>>
<a href="#">Seal/Unseal</a>
<ul class="nav nav-visible">
<li<%= sidebar_current("docs-http-seal-status") %>>
<a href="/docs/http/sys-seal-status.html">/sys/seal-status</a>
</li>
<li<%= sidebar_current("docs-http-seal-seal") %>>
<a href="/docs/http/sys-seal.html">/sys/seal</a>
</li>
<li<%= sidebar_current("docs-http-seal-unseal") %>>
<a href="/docs/http/sys-unseal.html">/sys/unseal</a>
</li>
</ul>
</li>
<li<%= sidebar_current("docs-http-config") %>>
<a href="#">Core Configuration</a>
<ul class="nav nav-visible">
<li<%= sidebar_current("docs-http-config-auditing") %>>
<a href="/docs/http/sys-config-auditing.html">/sys/config/auditing</a>
</li>
</ul>
</li>
<li<%= sidebar_current("docs-http-mounts") %>>
<a href="#">Secret Mounts</a>
<ul class="nav nav-visible">
<li<%= sidebar_current("docs-http-mounts-mounts") %>>
<a href="/docs/http/sys-mounts.html">/sys/mounts</a>
</li>
<li<%= sidebar_current("docs-http-mounts-remount") %>>
<a href="/docs/http/sys-remount.html">/sys/remount</a>
</li>
</ul>
</li>
<hr>
<li<%= sidebar_current("docs-http-auth") %>>
<a href="#">Auth &amp; ACLs</a>
<ul class="nav nav-visible">
<li<%= sidebar_current("docs-http-auth-auth") %>>
<a href="/docs/http/sys-auth.html">/sys/auth</a>
</li>
<li<%= sidebar_current("docs-http-auth-policy") %>>
<a href="/docs/http/sys-policy.html">/sys/policy</a>
</li>
<li<%= sidebar_current("docs-http-auth-capabilities") %>>
<a href="/docs/http/sys-capabilities.html">/sys/capabilities</a>
</li>
<li<%= sidebar_current("docs-http-auth-capabilities-self") %>>
<a href="/docs/http/sys-capabilities-self.html">/sys/capabilities-self</a>
</li>
<li<%= sidebar_current("docs-http-auth-capabilities-accessor") %>>
<a href="/docs/http/sys-capabilities-accessor.html">/sys/capabilities-accessor</a>
</li>
</ul>
<a href="#">Auth Backends</a>
</li>
<li<%= sidebar_current("docs-http-audits") %>>
<a href="#">Audit Backends</a>
<ul class="nav nav-visible">
<li<%= sidebar_current("docs-http-audits-audits") %>>
<a href="/docs/http/sys-audit.html">/sys/audit</a>
</li>
<li<%= sidebar_current("docs-http-audits-hash") %>>
<a href="/docs/http/sys-audit-hash.html">/sys/audit-hash</a>
</li>
</ul>
</li>
<li<%= sidebar_current("docs-http-lease") %>>
<a href="#">Leases</a>
<ul class="nav nav-visible">
<li<%= sidebar_current("docs-http-lease-renew") %>>
<a href="/docs/http/sys-renew.html">/sys/renew</a>
</li>
<li<%= sidebar_current("docs-http-lease-revoke-single") %>>
<a href="/docs/http/sys-revoke.html">/sys/revoke</a>
</li>
<li<%= sidebar_current("docs-http-lease-revoke-prefix") %>>
<a href="/docs/http/sys-revoke-prefix.html">/sys/revoke-prefix</a>
</li>
<li<%= sidebar_current("docs-http-lease-revoke-force") %>>
<a href="/docs/http/sys-revoke-force.html">/sys/revoke-force</a>
</li>
</ul>
</li>
<li<%= sidebar_current("docs-http-wrapping") %>>
<a href="#">Response Wrapping</a>
<ul class="nav nav-visible">
<li<%= sidebar_current("docs-http-wrapping-lookup") %>>
<a href="/docs/http/sys-wrapping-lookup.html">/sys/wrapping/lookup</a>
</li>
<li<%= sidebar_current("docs-http-wrapping-rewrap") %>>
<a href="/docs/http/sys-wrapping-rewrap.html">/sys/wrapping/rewrap</a>
</li>
<li<%= sidebar_current("docs-http-wrapping-unwrap") %>>
<a href="/docs/http/sys-wrapping-unwrap.html">/sys/wrapping/unwrap</a>
</li>
<li<%= sidebar_current("docs-http-wrapping-wrap") %>>
<a href="/docs/http/sys-wrapping-wrap.html">/sys/wrapping/wrap</a>
</li>
</ul>
</li>
<li<%= sidebar_current("docs-http-ha") %>>
<a href="#">High Availability</a>
<ul class="nav nav-visible">
<li<%= sidebar_current("docs-http-ha-leader") %>>
<a href="/docs/http/sys-leader.html">/sys/leader</a>
</li>
<li<%= sidebar_current("docs-http-ha-step-down") %>>
<a href="/docs/http/sys-step-down.html">/sys/step-down</a>
</li>
</ul>
</li>
<li<%= sidebar_current("docs-http-rotate") %>>
<a href="#">Key Rotation</a>
<ul class="nav nav-visible">
<li<%= sidebar_current("docs-http-rotate-key-status") %>>
<a href="/docs/http/sys-key-status.html">/sys/key-status</a>
</li>
<li<%= sidebar_current("docs-http-rotate-rekey") %>>
<a href="/docs/http/sys-rekey.html">/sys/rekey/</a>
</li>
<li<%= sidebar_current("docs-http-rotate-rotate") %>>
<a href="/docs/http/sys-rotate.html">/sys/rotate</a>
</li>
</ul>
</li>
<li<%= sidebar_current("docs-http-debug") %>>
<a href="#">Debug</a>
<ul class="nav nav-visible">
<li<%= sidebar_current("docs-http-debug-raw") %>>
<a href="/docs/http/sys-raw.html">/sys/raw</a>
</li>
<li<%= sidebar_current("docs-http-debug-health") %>>
<a href="/docs/http/sys-health.html">/sys/health</a>
</li>
</ul>
</li>
<hr>
<li<%= sidebar_current("docs-http-secret") %>>
<a href="/docs/secrets/index.html">Secret Backends</a>
<a href="/docs/http/secret/index.html">Secret Backends</a>
<ul class="nav">
<li<%= sidebar_current("docs-http-secret-aws") %>>
<a href="/docs/http/secret/aws/index.html">AWS</a>
</li>
<li<%= sidebar_current("docs-http-secret-cassandra") %>>
<a href="/docs/http/secret/cassandra/index.html">Cassandra</a>
</li>
<li<%= sidebar_current("docs-http-secret-consul") %>>
<a href="/docs/http/secret/consul/index.html">Consul</a>
</li>
<li<%= sidebar_current("docs-http-secret-cubbyhole") %>>
<a href="/docs/http/secret/cubbyhole/index.html">Cubbyhole</a>
</li>
<li<%= sidebar_current("docs-http-secret-generic") %>>
<a href="/docs/http/secret/generic/index.html">Generic</a>
</li>
<li<%= sidebar_current("docs-http-secret-mongodb") %>>
<a href="/docs/http/secret/mongodb/index.html">MongoDB</a>
</li>
<li<%= sidebar_current("docs-http-secret-mssql") %>>
<a href="/docs/http/secret/mssql/index.html">MSSQL</a>
</li>
<li<%= sidebar_current("docs-http-secret-mysql") %>>
<a href="/docs/http/secret/mysql/index.html">MySQL</a>
</li>
<li<%= sidebar_current("docs-http-secret-pki") %>>
<a href="/docs/http/secret/pki/index.html">PKI</a>
</li>
<li<%= sidebar_current("docs-http-secret-postgresql") %>>
<a href="/docs/http/secret/postgresql/index.html">PostgreSQL</a>
</li>
<li<%= sidebar_current("docs-http-secret-rabbitmq") %>>
<a href="/docs/http/secret/rabbitmq/index.html">RabbitMQ</a>
</li>
<li<%= sidebar_current("docs-http-secret-ssh") %>>
<a href="/docs/http/secret/ssh/index.html">SSH</a>
</li>
<li<%= sidebar_current("docs-http-secret-transit") %>>
<a href="/docs/http/secret/transit/index.html">Transit</a>
</li>
</ul>
</li>
<li<%= sidebar_current("docs-http-authbackends") %>>
<a href="/docs/auth/index.html">Auth Backends</a>
</li>
<li<%= sidebar_current("docs-http-auditbackends") %>>
<a href="/docs/audit/index.html">Audit Backends</a>
<li<%= sidebar_current("docs-http-system")%>>
<a href="/docs/http/system/index.html">System Backend</a>
<ul class="nav">
<li<%= sidebar_current("docs-http-system-audit/") %>>
<a href="/docs/http/system/audit.html"><tt>/sys/audit</tt></a>
</li>
<li<%= sidebar_current("docs-http-system-audit-hash") %>>
<a href="/docs/http/system/audit-hash.html"><tt>/sys/audit-hash</tt></a>
</li>
<li<%= sidebar_current("docs-http-system-auth") %>>
<a href="/docs/http/system/auth.html"><tt>/sys/auth</tt></a>
</li>
<li<%= sidebar_current("docs-http-system-capabilities/") %>>
<a href="/docs/http/system/capabilities.html"><tt>/sys/capabilities</tt></a>
</li>
<li<%= sidebar_current("docs-http-system-capabilities-accessor") %>>
<a href="/docs/http/system/capabilities-accessor.html"><tt>/sys/capabilities-accessor</tt></a>
</li>
<li<%= sidebar_current("docs-http-system-capabilities-self") %>>
<a href="/docs/http/system/capabilities-self.html"><tt>/sys/capabilities-self</tt></a>
</li>
<li<%= sidebar_current("docs-http-system-config-auditing") %>>
<a href="/docs/http/system/config-auditing.html"><tt>/sys/config/auditing</tt></a>
</li>
<li<%= sidebar_current("docs-http-system-generate-root") %>>
<a href="/docs/http/system/generate-root.html"><tt>/sys/generate-root</tt></a>
</li>
<li<%= sidebar_current("docs-http-system-health") %>>
<a href="/docs/http/system/health.html"><tt>/sys/health</tt></a>
</li>
<li<%= sidebar_current("docs-http-system-init") %>>
<a href="/docs/http/system/init.html"><tt>/sys/init</tt></a>
</li>
<li<%= sidebar_current("docs-http-system-key-status") %>>
<a href="/docs/http/system/key-status.html"><tt>/sys/key-status</tt></a>
</li>
<li<%= sidebar_current("docs-http-system-leader") %>>
<a href="/docs/http/system/leader.html"><tt>/sys/leader</tt></a>
</li>
<li<%= sidebar_current("docs-http-system-mounts") %>>
<a href="/docs/http/system/mounts.html"><tt>/sys/mounts</tt></a>
</li>
<li<%= sidebar_current("docs-http-system-policy") %>>
<a href="/docs/http/system/policy.html"><tt>/sys/policy</tt></a>
</li>
<li<%= sidebar_current("docs-http-system-raw") %>>
<a href="/docs/http/system/raw.html"><tt>/sys/raw</tt></a>
</li>
<li<%= sidebar_current("docs-http-system-rekey") %>>
<a href="/docs/http/system/rekey.html"><tt>/sys/rekey</tt></a>
</li>
<li<%= sidebar_current("docs-http-system-remount") %>>
<a href="/docs/http/system/remount.html"><tt>/sys/remount</tt></a>
</li>
<li<%= sidebar_current("docs-http-system-renew") %>>
<a href="/docs/http/system/renew.html"><tt>/sys/renew</tt></a>
</li>
<li<%= sidebar_current("docs-http-system-revoke/") %>>
<a href="/docs/http/system/revoke.html"><tt>/sys/revoke</tt></a>
</li>
<li<%= sidebar_current("docs-http-system-revoke-force") %>>
<a href="/docs/http/system/revoke-force.html"><tt>/sys/revoke-force</tt></a>
</li>
<li<%= sidebar_current("docs-http-system-revoke-prefix") %>>
<a href="/docs/http/system/revoke-prefix.html"><tt>/sys/revoke-prefix</tt></a>
</li>
<li<%= sidebar_current("docs-http-system-rotate") %>>
<a href="/docs/http/system/rotate.html"><tt>/sys/rotate</tt></a>
</li>
<li<%= sidebar_current("docs-http-system-seal/") %>>
<a href="/docs/http/system/seal.html"><tt>/sys/seal</tt></a>
</li>
<li<%= sidebar_current("docs-http-system-seal-status") %>>
<a href="/docs/http/system/seal-status.html"><tt>/sys/seal-status</tt></a>
</li>
<li<%= sidebar_current("docs-http-system-step-down") %>>
<a href="/docs/http/system/step-down.html"><tt>/sys/step-down</tt></a>
</li>
<li<%= sidebar_current("docs-http-system-unseal") %>>
<a href="/docs/http/system/unseal.html"><tt>/sys/unseal</tt></a>
</li>
<li<%= sidebar_current("docs-http-system-wrapping-lookup") %>>
<a href="/docs/http/system/wrapping-lookup.html"><tt>/sys/wrapping/lookup</tt></a>
</li>
<li<%= sidebar_current("docs-http-system-wrapping-rewrap") %>>
<a href="/docs/http/system/wrapping-rewrap.html"><tt>/sys/wrapping/rewrap</tt></a>
</li>
<li<%= sidebar_current("docs-http-system-wrapping-unwrap") %>>
<a href="/docs/http/system/wrapping-unwrap.html"><tt>/sys/wrapping/unwrap</tt></a>
</li>
<li<%= sidebar_current("docs-http-system-wrapping-wrap") %>>
<a href="/docs/http/system/wrapping-wrap.html"><tt>/sys/wrapping/wrap</tt></a>
</li>
</ul>
</li>
</ul>
</div>
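Review bot: `<li<%= sidebar_current("docs-http-system")%>>` lacks the space before `%>` that every other entry in this file has (`) %>>`); harmless to ERB, but please make it consistent. The keys written with a trailing slash (`docs-http-system-audit/`, `docs-http-system-capabilities/`, `docs-http-system-revoke/`, `docs-http-system-seal/`) are exactly the ones that are a prefix of a sibling key (`audit-hash`, `capabilities-accessor` and `capabilities-self`, `revoke-force` and `revoke-prefix`, `seal-status`), which suggests they are there to stop prefix matching from highlighting two entries at once; if so, the frontmatter of those four pages must set the same slash-terminated value or they will never highlight, and that convention deserves a one-line comment in this partial. Also, the `href="#"` targets on the `Auth Backends` and `Audit Backends` entries are dead links if they survive into the new sidebar; either point them at `/docs/auth/index.html` and `/docs/audit/index.html`, which the old entries lower in this hunk used, or drop them until HTTP API pages for those backends exist.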