diff --git a/website/source/api/auth/alicloud/index.html.md b/website/source/api/auth/alicloud/index.html.md.erb similarity index 87% rename from website/source/api/auth/alicloud/index.html.md rename to website/source/api/auth/alicloud/index.html.md.erb index 53a3c7b4fc..d12416d7af 100644 --- a/website/source/api/auth/alicloud/index.html.md +++ b/website/source/api/auth/alicloud/index.html.md.erb @@ -30,18 +30,8 @@ will be able to perform the login operation. - `role` `(string: )` - Name of the role. Must correspond with the name of the role reflected in the arn. - `arn` `(string: )` - The role's arn. -- `policies` `(array: [])` - Policies to be set on tokens issued using this - role. -- `ttl` `(string: "")` - The TTL period of tokens issued using this role, - provided as "1h", where hour is the largest suffix. -- `max_ttl` `(string: "")` - The maximum allowed lifetime of tokens issued using - this role. -- `period` `(string: "")` - If set, indicates that the token generated using - this role should never expire. The token should be renewed within the duration - specified by this value. At each renewal, the token's TTL will be set to the - value of this parameter. -- `bound_cidrs` `(string: "", or list: [])` – If set, restricts usage of the - roles to client IPs falling within the range of the specified CIDR(s). + +<%=partial("partials/tokenfields")%> ### Sample Payload @@ -224,4 +214,4 @@ $ curl \ "client_token": "c9368254-3f21-aded-8a6f-7c818e81b17a" } } -``` \ No newline at end of file +``` diff --git a/website/source/api/auth/approle/index.html.md b/website/source/api/auth/approle/index.html.md.erb similarity index 92% rename from website/source/api/auth/approle/index.html.md rename to website/source/api/auth/approle/index.html.md.erb index 7586629656..efd6440ca9 100644 --- a/website/source/api/auth/approle/index.html.md +++ b/website/source/api/auth/approle/index.html.md.erb 
@@ -73,37 +73,17 @@ enabled while creating or updating a role. - `secret_id_bound_cidrs` `(array: [])` - Comma-separated string or list of CIDR blocks; if set, specifies blocks of IP addresses which can perform the login operation. -- `token_bound_cidrs` `(array: [])` - Comma-separated string or list of CIDR - blocks; if set, specifies blocks of IP addresses which can use the auth tokens - generated by this role. -- `policies` `(array: [])` - Comma-separated list of policies set on tokens - issued via this AppRole. - `secret_id_num_uses` `(integer: 0)` - Number of times any particular SecretID can be used to fetch a token from this AppRole, after which the SecretID will expire. A value of zero will allow unlimited uses. - `secret_id_ttl` `(string: "")` - Duration in either an integer number of seconds (`3600`) or an integer time unit (`60m`) after which any SecretID expires. -- `token_num_uses` `(integer: 0)` - Number of times issued tokens can be used. - A value of 0 means unlimited uses. -- `token_ttl` `(string: "")` - Duration in either an integer number of seconds - (`3600`) or an integer time unit (`60m`) to set as the TTL for issued tokens - and at renewal time. -- `token_max_ttl` `(string: "")` - Duration in either an integer number of - seconds (`3600`) or an integer time unit (`60m`) after which the issued token - can no longer be renewed. -- `period` `(string: "")` - Duration in either an integer number of seconds - (`3600`) or an integer time unit (`60m`). If set, the token generated using - this AppRole is a _periodic_ token; so long as it is renewed it never expires, - but the TTL set on the token at each renewal is fixed to the value specified - here. If this value is modified, the token will pick up the new value at its - next renewal. - `enable_local_secret_ids` `(bool: false)` - If set, the secret IDs generated using this role will be cluster local. This can only be set during role creation and once set, it can't be reset later. 
-- `token_type` `(string: "")` - The type of token that should be generated via - this role. Can be `service`, `batch`, or `default` to use the mount's default - (which unless changed will be `service` tokens). + +<%=partial("partials/tokenfields")%> ### Sample Payload diff --git a/website/source/api/auth/aws/index.html.md b/website/source/api/auth/aws/index.html.md.erb similarity index 98% rename from website/source/api/auth/aws/index.html.md rename to website/source/api/auth/aws/index.html.md.erb index ab91334155..22edc05fb9 100644 --- a/website/source/api/auth/aws/index.html.md +++ b/website/source/api/auth/aws/index.html.md.erb @@ -737,16 +737,6 @@ list in order to satisfy that constraint. `resolve_aws_unique_ids` is `false`, you **must** specify a `bound_iam_principal_arn` of `arn:aws:iam::123456789012:role/MyRoleName` for authentication to work. -- `ttl` `(string: "")` - The TTL period of tokens issued using this role, - provided as "1h", where hour is the largest suffix. -- `max_ttl` `(string: "")` - The maximum allowed lifetime of tokens issued using - this role. -- `period` `(string: "")` - If set, indicates that the token generated using - this role should never expire. The token should be renewed within the duration - specified by this value. At each renewal, the token's TTL will be set to the - value of this parameter. -- `policies` `(array: [])` - Policies to be set on tokens issued using this - role. - `allow_instance_migration` `(bool: false)` - If set, allows migration of the underlying instance where the client resides. This keys off of pendingTime in the metadata document, so essentially, this disables the client nonce check @@ -761,6 +751,8 @@ list in order to satisfy that constraint. This only applies to authentications via the ec2 auth method. This is mutually exclusive with `allow_instance_migration`. +<%=partial("partials/tokenfields")%> + ### Sample Payload ```json 
diff --git a/website/source/api/auth/azure/index.html.md b/website/source/api/auth/azure/index.html.md.erb similarity index 93% rename from website/source/api/auth/azure/index.html.md rename to website/source/api/auth/azure/index.html.md.erb index 5d44e54439..a43bfdc83e 100644 --- a/website/source/api/auth/azure/index.html.md +++ b/website/source/api/auth/azure/index.html.md.erb @@ -118,16 +118,6 @@ entities attempting to login. ### Parameters - `name` `(string: )` - Name of the role. -- `policies` `(array: [])` - Policies to be set on tokens issued using this - role. -- `ttl` `(string: "")` - The TTL period of tokens issued using this role in - seconds. -- `max_ttl` `(string: "")` - The maximum allowed lifetime of tokens - issued in seconds using this role. -- `period` `(string: "")` - If set, indicates that the token generated using - this role should never expire. The token should be renewed within the duration - specified by this value. At each renewal, the token's TTL will be set to the - value of this parameter. - `bound_service_principal_ids` `(array: [])` - The list of Service Principal IDs that login is restricted to. - `bound_group_ids` `(array: [])` - The list of group ids that login is restricted @@ -140,6 +130,8 @@ entities attempting to login. - `bound_scale_sets` `(array: [])` - The list of scale set names that the login is restricted to. +<%= partial "partials/tokenfields" %> + ### Sample Payload ```json diff --git a/website/source/api/auth/cert/index.html.md b/website/source/api/auth/cert/index.html.md.erb similarity index 90% rename from website/source/api/auth/cert/index.html.md rename to website/source/api/auth/cert/index.html.md.erb index 9e4d35ccbb..d7c2b517a9 100644 --- a/website/source/api/auth/cert/index.html.md +++ b/website/source/api/auth/cert/index.html.md.erb 
@@ -67,24 +67,11 @@ Sets a CA cert and associated parameters in a role name. string or array of `oid:value`. Expects the extension value to be some type of ASN1 encoded string. All conditions _must_ be met. Supports globbing on `value`. -- `policies` `(string: "")` - A comma-separated list of policies to set on - tokens issued when authenticating against this CA certificate. - `display_name` `(string: "")` - The `display_name` to set on tokens issued when authenticating against this CA certificate. If not set, defaults to the name of the role. -- `ttl` `(string: "")` - The TTL of the token, provided in either number of - seconds (`3600`) or a time duration (`1h`). If not provided, the token is - valid for the the mount or system default TTL time, in that order. -- `max_ttl` `(string: "")` - Duration in either number of seconds (`3600`) or a - time duration (`1h`) after which the issued token can no longer be renewed. -- `period` `(string: "")` - Duration in either number of seconds (`3600`) or a - time duration (`1h`). If set, the generated token is a periodic token; so long - as it is renewed it never expires unless `max_ttl` is also set, but the TTL - set on the token at each renewal is fixed to the value specified here. If this - value is modified, the token will pick up the new value at its next renewal. -- `bound_cidrs` `(string: "", or list: [])` – If set, restricts usage of the - certificates to client IPs falling within the range of the specified - CIDR(s). + +<%= partial "partials/tokenfields" %> ### Sample Payload diff --git a/website/source/api/auth/gcp/index.html.md b/website/source/api/auth/gcp/index.html.md.erb similarity index 93% rename from website/source/api/auth/gcp/index.html.md rename to website/source/api/auth/gcp/index.html.md.erb index 08695ceabd..83627c3d97 100644 --- a/website/source/api/auth/gcp/index.html.md +++ b/website/source/api/auth/gcp/index.html.md.erb 
@@ -111,23 +111,6 @@ entities attempting to login. correspond to specific roles and will be rejected otherwise. Please see below for more information. -- `ttl` `(string: "")` - The TTL period of tokens issued using this role. This - can be specified as an integer number of seconds or as a duration value like - "5m". - -- `max_ttl` `(string: "")` - The maximum allowed lifetime of tokens issued in - seconds using this role. This can be specified as an integer number of seconds - or as a duration value like "5m". - -- `period` `(string: "")` - If set, indicates that the token generated using - this role should never expire. The token should be renewed within the duration - specified by this value. At each renewal, the token's TTL will be set to the - value of this parameter. This can be specified as an integer number of seconds - or as a duration value like "5m". - -- `policies` `(array: [default])` - The list of policies to be set on tokens - issued using this role. - - `bound_service_accounts` `(array: )` - An array of service account emails or IDs that login is restricted to, either directly or through an associated instance. If set to @@ -142,6 +125,8 @@ entities attempting to login. `project-$PROJECT_ID`, `folder-$PROJECT_ID`, and `organization-$ORG_ID` for the entities project and all its folder or organization ancestors. This requires Vault to have IAM permission `resourcemanager.projects.get`. + +<%= partial "partials/tokenfields" %> #### `iam`-only Parameters diff --git a/website/source/api/auth/github/index.html.md b/website/source/api/auth/github/index.html.md.erb similarity index 97% rename from website/source/api/auth/github/index.html.md rename to website/source/api/auth/github/index.html.md.erb index c7b6d240bc..fe88c8c6f2 100644 --- a/website/source/api/auth/github/index.html.md +++ b/website/source/api/auth/github/index.html.md.erb 
@@ -32,9 +32,8 @@ distinction between the `create` and `update` capabilities inside ACL policies. of. - `base_url` `(string: "")` - The API endpoint to use. Useful if you are running GitHub Enterprise or an API-compatible authentication server. -- `ttl` `(string: "")` - Duration after which authentication will be expired. -- `max_ttl` `(string: "")` - Maximum duration after which authentication will - be expired. + +<%= partial "partials/tokenfields" %> ### Sample Payload diff --git a/website/source/api/auth/jwt/index.html.md b/website/source/api/auth/jwt/index.html.md.erb similarity index 94% rename from website/source/api/auth/jwt/index.html.md rename to website/source/api/auth/jwt/index.html.md.erb index edb17cb126..daf5d2a23e 100644 --- a/website/source/api/auth/jwt/index.html.md +++ b/website/source/api/auth/jwt/index.html.md.erb @@ -109,15 +109,6 @@ entities attempting to login. At least one of the bound values must be set. - `user_claim` `(string: )` - The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login. The claim value must be a string. -- `policies` `(array: )` - Policies to be set on tokens issued using - this role. -- `ttl` `(int: )` - The initial/renewal TTL of tokens issued using - this role, in seconds. -- `max_ttl` `(int: )` - The maximum allowed lifetime of tokens issued - using this role, in seconds. -- `period` `(int: )` - If set, indicates that the token generated - using this role should never expire, but instead always use the value set - here as the TTL for every renewal. - `clock_skew_leeway` `(int: )` - The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`. Only applicable with "jwt" roles. 
@@ -127,13 +118,8 @@ entities attempting to login. At least one of the bound values must be set. - `not_before_leeway` `(int: )` - The amount of leeway to add to not before (`nbf`) claims to account for clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`. Only applicable with "jwt" roles. -- `num_uses` `(int: )` - If set, puts a use-count limitation on the - issued token. - `bound_subject` `(string: )` - If set, requires that the `sub` claim matches this value. -- `bound_cidrs` `(array: )` - If set, a list of CIDRs valid as the - source address for login requests. This value is also encoded into any - resulting token. - `bound_claims` `(map: )` - If set, a map of claims/values to match against. The expected value may be a single string or a list of strings. - `groups_claim` `(string: )` - The claim to use to uniquely identify @@ -147,6 +133,8 @@ entities attempting to login. At least one of the bound values must be set. - `allowed_redirect_uris` `(list: )` - The list of allowed values for redirect_uri during OIDC logins. +<%= partial "partials/tokenfields" %> + ### Sample Payload ```json diff --git a/website/source/api/auth/kubernetes/index.html.md b/website/source/api/auth/kubernetes/index.html.md.erb similarity index 93% rename from website/source/api/auth/kubernetes/index.html.md rename to website/source/api/auth/kubernetes/index.html.md.erb index e954be7dc7..d31dc16e7e 100644 --- a/website/source/api/auth/kubernetes/index.html.md +++ b/website/source/api/auth/kubernetes/index.html.md.erb 
@@ -107,16 +107,8 @@ entities attempting to login. - `bound_service_account_namespaces` `(array: )` - List of namespaces allowed to access this role. If set to "\*" all namespaces are allowed, both this and bound_service_account_names can not be set to "\*". -- `ttl` `(string: "")` - The TTL period of tokens issued using this role in - seconds. -- `max_ttl` `(string: "")` - The maximum allowed lifetime of tokens - issued in seconds using this role. -- `period` `(string: "")` - If set, indicates that the token generated using - this role should never expire. The token should be renewed within the duration - specified by this value. At each renewal, the token's TTL will be set to the - value of this parameter. -- `policies` `(array: [])` - Policies to be set on tokens issued using this - role. + +<%= partial "partials/tokenfields" %> ### Sample Payload diff --git a/website/source/api/auth/ldap/index.html.md b/website/source/api/auth/ldap/index.html.md.erb similarity index 99% rename from website/source/api/auth/ldap/index.html.md rename to website/source/api/auth/ldap/index.html.md.erb index a2c0770a46..5fc96434f0 100644 --- a/website/source/api/auth/ldap/index.html.md +++ b/website/source/api/auth/ldap/index.html.md.erb @@ -77,6 +77,8 @@ This endpoint configures the LDAP auth method. groupfilter queries returning _group_ objects, use: `cn`. For queries returning _user_ objects, use: `memberOf`. The default is `cn`. +<%= partial "partials/tokenfields" %> + ### Sample Request ``` diff --git a/website/source/api/auth/okta/index.html.md b/website/source/api/auth/okta/index.html.md.erb similarity index 97% rename from website/source/api/auth/okta/index.html.md rename to website/source/api/auth/okta/index.html.md.erb index 988d86febe..76d6b9414d 100644 --- a/website/source/api/auth/okta/index.html.md +++ b/website/source/api/auth/okta/index.html.md.erb 
@@ -35,13 +35,12 @@ distinction between the `create` and `update` capabilities inside ACL policies. groups will be enabled. - `base_url` `(string: "")` - If set, will be used as the base domain for API requests. Examples are okta.com, oktapreview.com, and okta-emea.com. -- `ttl` `(string: "")` - Duration after which authentication will be expired. -- `max_ttl` `(string: "")` - Maximum duration after which authentication will - be expired. - `bypass_okta_mfa` `(bool: false)` - Whether to bypass an Okta MFA request. Useful if using one of Vault's built-in MFA mechanisms, but this will also cause certain other statuses to be ignored, such as `PASSWORD_EXPIRED`. +<%= partial "partials/tokenfields" %> + ### Sample Payload ```json diff --git a/website/source/api/auth/pcf/index.html.md b/website/source/api/auth/pcf/index.html.md.erb similarity index 93% rename from website/source/api/auth/pcf/index.html.md rename to website/source/api/auth/pcf/index.html.md.erb index acabb56878..1879bfb50e 100644 --- a/website/source/api/auth/pcf/index.html.md +++ b/website/source/api/auth/pcf/index.html.md.erb 
@@ -146,21 +146,12 @@ an instance must be a member of to qualify as a member of this role. Please note every time you use `cf push` on an app, its instance ID changes. Also, instance IDs are not verifiable as being presently alive using the PCF API. Thus, we recommend against using this setting for most use cases. -- `bound_cidrs` `(array: [])` - Comma separated string or list of CIDR blocks. -If set, specifies the blocks of IP addresses which can perform the login operation. -- `policies` `(array: [])` - Policies to be set on tokens issued using this role. - `disable_ip_matching` `(bool: false)` - If set to true, disables the default behavior that logging in must be performed from an acceptable IP address described by the certificate presented. Should only be set to true if required, generally when a proxy is used to perform logins. -- `ttl` `(string: "")` - The TTL period of tokens issued using this role, - provided as "1h", where hour is the largest suffix. -- `max_ttl` `(string: "")` - The maximum allowed lifetime of tokens issued using - this role. -- `period` `(string: "")` - If set, indicates that the token generated using - this role should never expire. The token should be renewed within the duration - specified by this value. At each renewal, the token's TTL will be set to the - value of this parameter. + +<%= partial "partials/tokenfields" %> ### Sample Payload diff --git a/website/source/api/auth/radius/index.html.md b/website/source/api/auth/radius/index.html.md.erb similarity index 99% rename from website/source/api/auth/radius/index.html.md rename to website/source/api/auth/radius/index.html.md.erb index 8371c3cfca..89fe98c962 100644 --- a/website/source/api/auth/radius/index.html.md +++ b/website/source/api/auth/radius/index.html.md.erb @@ -40,6 +40,8 @@ RADIUS. - `nas_port` `(integer: 10)` - The NAS-Port attribute of the RADIUS request. Defaults is 10. +<%= partial "partials/tokenfields" %> + ### Sample Payload ```json 
diff --git a/website/source/api/auth/token/index.html.md b/website/source/api/auth/token/index.html.md.erb similarity index 92% rename from website/source/api/auth/token/index.html.md rename to website/source/api/auth/token/index.html.md.erb index 5ffc0f33c5..40a3d20ef0 100644 --- a/website/source/api/auth/token/index.html.md +++ b/website/source/api/auth/token/index.html.md.erb @@ -678,19 +678,9 @@ tokens created against a role to be revoked using the - `orphan` `(bool: false)` - If `true`, tokens created against this policy will be orphan tokens (they will have no parent). As such, they will not be automatically revoked by the revocation of any other token. -- `period` `(string: "")` - If specified, the token will be periodic; it will have - no maximum TTL (unless an "explicit-max-ttl" is also set) but every renewal - will use the given period. Requires a root/sudo token to use. - `renewable` `(bool: true)` - Set to `false` to disable the ability of the token to be renewed past its initial TTL. Setting the value to `true` will allow the token to be renewable up to the system/mount maximum TTL. -- `explicit_max_ttl` `(int: 0)` - Provides a maximum lifetime for any - tokens issued against this role, including periodic tokens. Unlike direct - token creation, where the value for an explicit max TTL is stored in the - token, for roles this check will always use the current value set in the - role. The main use of this is to provide a hard upper bound on periodic - tokens, which otherwise can live forever as long as they are renewed. This is - an integer number of seconds. - `path_suffix` `(string: "")` - If set, tokens created against this role will have the given suffix as part of their path in addition to the role name. This can be useful in certain scenarios, such as keeping the same role name in the 
@@ -698,22 +688,12 @@ tokens created against a role to be revoked using the The suffix can be changed, allowing new callers to have the new suffix as part of their path, and then tokens with the old suffix can be revoked via `/sys/leases/revoke-prefix`. -- `bound_cidrs` `(string: "", or list: [])` – If set, restricts usage of the - generated token to client IPs falling within the range of the specified - CIDR(s). Unlike most other role parameters, this is not reevaluated from the - current role value at each usage; it is set on the token itself. Root tokens - with no TTL will not be bound by these CIDRs; root tokens with TTLs will be - bound by these CIDRs. -- `token_type` `(string: "")` – Specifies the type of tokens that should be - returned by the role. If either `service` or `batch` is specified, that kind - of token will always be returned. If `default-service`, `service` tokens will - be returned unless the client requests a `batch` type token at token creation - time. If `default-batch`, `batch` tokens will be returned unless the client - requests a `service` type token at token creation time. - `allowed_entity_aliases` `(string: "", or list: [])` - String or JSON list of allowed entity aliases. If set, specifies the entity aliases which are allowed to be used during token generation. This field supports globbing. +<%= partial "partial/tokenstorefields" %> + ### Sample Payload ```json diff --git a/website/source/api/auth/userpass/index.html.md b/website/source/api/auth/userpass/index.html.md.erb similarity index 91% rename from website/source/api/auth/userpass/index.html.md rename to website/source/api/auth/userpass/index.html.md.erb index 849ce52d05..8d98ae4316 100644 --- a/website/source/api/auth/userpass/index.html.md +++ b/website/source/api/auth/userpass/index.html.md.erb 
@@ -31,13 +31,8 @@ Create a new user or update an existing user. This path honors the distinction b - `username` `(string: )` – The username for the user. - `password` `(string: )` - The password for the user. Only required when creating the user. -- `policies` `(string: "")` – Comma-separated list of policies. If set to empty - string, only the `default` policy will be applicable to the user. -- `ttl` `(string: "")` - The lease duration which decides login expiration. -- `max_ttl` `(string: "")` - Maximum duration after which login should expire. -- `bound_cidrs` `(string: "", or list: [])` – If set, restricts usage of the - login and token to client IPs falling within the range of the specified - CIDR(s). + +<%= partial "partials/tokenfields" %> ### Sample Payload diff --git a/website/source/partials/_tokenfields.html.md.erb b/website/source/partials/_tokenfields.html.md.erb new file mode 100644 index 0000000000..e97fd626d7 --- /dev/null +++ b/website/source/partials/_tokenfields.html.md.erb @@ -0,0 +1,11 @@ +- `token_ttl` `(integer: 0 or string: "")` - The incremental lifetime for +generated tokens. This current value of this will be referenced at renewal +time. +- `token_max_ttl` `(integer: 0 or string: "")` - The maximum lifetime for +generated tokens. This current value of this will be referenced at renewal +time. +- `token_policies` `(array: [] or comma-delimited string: "")` - List of +policies to encode onto generated tokens. Depending on the auth method, this +list may be supplemented by user/group/other values. + +<%= partial "partials/tokenstorefields" %> diff --git a/website/source/partials/_tokenstorefields.html.md.erb b/website/source/partials/_tokenstorefields.html.md.erb new file mode 100644 index 0000000000..c91f2bf393 --- /dev/null +++ b/website/source/partials/_tokenstorefields.html.md.erb 
@@ -0,0 +1,22 @@ +- `token_bound_cidrs` `(array: [] or comma-delimited string: "")` - List of + CIDR blocks; if set, specifies blocks of IP addresses which can authenticate + successfully, and ties the resulting token to these blocks as well. +- `token_explicit_max_ttl` `(integer: 0 or string: "")` - If set, will encode +an [explicit max +TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls) +onto the token. This is a hard cap even if `token_ttl` and `token_max_ttl` +would otherwise allow a renewal. +- `token_no_default_policy` `(bool: false)` - If set, the `default` policy will +not be set on generated tokens; otherwise it will be added to the policies set +in `token_policies`. +- `token_num_uses` `(integer: 0)` - The maximum number of times a generated +token may be used (within its lifetime); 0 means unlimited. +- `token_period` `(integer: 0 or string: "")` - The +[period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls), +if any, to set on the token. +- `token_type` `(string: "")` - The type of token that should be generated. Can +be `service`, `batch`, or `default` to use the mount's tuned default (which +unless changed will be `service` tokens). For token store roles, there are two +additional possibilities: `default-service` and `default-batch` which specify +the type to return unless the client requests a different type at generation +time.
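Review bot: the include added in the `website/source/api/auth/token/index.html.md.erb` hunk reads `<%= partial "partial/tokenstorefields" %>` (singular `partial/`), while every other hunk in this patch and the new `_tokenfields.html.md.erb` reference `partials/`; the token page will not find the partial at build time. Change it to `<%= partial "partials/tokenstorefields" %>`.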
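Review bot: the same token-store hunk drops behaviour that the shared `_tokenstorefields.html.md.erb` entries do not restate: the removed `period` text said "Requires a root/sudo token to use", the removed `explicit_max_ttl` text explained that for roles the check always uses the current value set in the role rather than a value stored in the token, and the removed `bound_cidrs` text noted that the restriction is set on the token itself and that "Root tokens with no TTL will not be bound by these CIDRs". The `token_period`, `token_explicit_max_ttl` and `token_bound_cidrs` entries should carry those sentences, or the token page should keep them as a short role-specific note, since an operator relying on the CIDR restriction needs to know that a TTL-less root token is exempt from it.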
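Review bot: in the new `_tokenfields.html.md.erb` the sentence "This current value of this will be referenced at renewal time." appears under both `token_ttl` and `token_max_ttl` and is garbled; suggest "The current value of this field is referenced at renewal time." in both places.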
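Review bot: the alicloud, approle, aws, azure, cert, gcp, github, jwt, kubernetes, okta, pcf, token and userpass hunks remove the documented `ttl`, `max_ttl`, `period`, `policies`, `bound_cidrs`, `num_uses` and `token_type` parameters in favour of the `token_`-prefixed names in the partial, but nothing in the patch says whether the old names are still accepted. Add one sentence to `_tokenfields.html.md.erb` stating either that the old names remain as deprecated aliases or that callers must migrate, so readers can tell whether existing automation that sets `policies` or `bound_cidrs` on a role still takes effect.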
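Review bot: the alicloud and approle hunks insert the include as `<%=partial("partials/tokenfields")%>` while every other file uses `<%= partial "partials/tokenfields" %>`; both forms render, but the patch should settle on the spaced form already used inside `_tokenfields.html.md.erb` for consistency.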