HTTP API that gives you full access to Vault. All API routes are prefixed with /v1/.
deleteAdConfig
Configure the AD server to connect to, along with password options.
This operation has no parameters
deleteAdLibraryName
Delete a library set.
Parameters
name (required)
Name of the set.
Type: string
deleteAdRolesName
Manage roles to build links between Vault and Active Directory service accounts.
Parameters
name (required)
Name of the role
Type: string
deleteAlicloudConfig
Configure the access key and secret to use for RAM and STS calls.
This operation has no parameters
deleteAlicloudRoleName
Read, write and reference policies and roles that API keys or STS credentials can be made for.
Parameters
name (required)
The name of the role.
Type: string
deleteAuthTokenRolesRole_name
Parameters
role_name (required)
Name of the role
Type: string
deleteAwsRolesName
Read, write and reference IAM policies that access keys can be made for.
Parameters
name (required)
Name of the policy
Type: string
deleteAzureConfig
Configure the Azure Secret backend.
This operation has no parameters
deleteAzureRolesName
Manage the Vault roles used to generate Azure credentials.
Parameters
name (required)
Name of the role.
Type: string
deleteConsulRolesName
Parameters
name (required)
Name of the role
Type: string
deleteCubbyholePath
Deletes the secret at the specified location.
Parameters
path (required)
Specifies the path of the secret.
Type: string
deleteDatabaseConfigName
Configure connection details to a database plugin.
Parameters
name (required)
Name of this database connection
Type: string
deleteDatabaseRolesName
Manage the roles that can be created with this backend.
Parameters
name (required)
Name of the role.
Type: string
deleteDatabaseStaticRolesName
Manage the static roles that can be created with this backend.
Parameters
name (required)
Name of the role.
Type: string
deleteGcpRolesetName
Parameters
name (required)
Required. Name of the role.
Type: string
deleteGcpkmsConfig
Configure the GCP KMS secrets engine
This operation has no parameters
deleteGcpkmsKeysDeregisterKey
Deregister an existing key in Vault
Parameters
key (required)
Name of the key to deregister in Vault. If the key exists in Google Cloud KMS, it will be left untouched.
Type: string
deleteGcpkmsKeysKey
Interact with crypto keys in Vault and Google Cloud KMS
Parameters
key (required)
Name of the key in Vault.
Type: string
deleteGcpkmsKeysTrimKey
Delete old crypto key versions from Google Cloud KMS
Parameters
key (required)
Name of the key in Vault.
Type: string
deleteIdentityAliasIdId
Update, read or delete an alias ID.
Parameters
id (required)
ID of the alias
Type: string
deleteIdentityEntityAliasIdId
Update, read or delete an alias ID.
Parameters
id (required)
ID of the alias
Type: string
deleteIdentityEntityIdId
Update, read or delete an entity using entity ID
Parameters
id (required)
ID of the entity. If set, updates the corresponding existing entity.
Type: string
deleteIdentityEntityNameName
Update, read or delete an entity using entity name
Parameters
name (required)
Name of the entity
Type: string
deleteIdentityGroupAliasIdId
Parameters
id (required)
ID of the group alias.
Type: string
deleteIdentityGroupIdId
Update or delete an existing group using its ID.
Parameters
id (required)
ID of the group. If set, updates the corresponding existing group.
Type: string
deleteIdentityGroupNameName
Parameters
name (required)
Name of the group.
Type: string
deleteIdentityOidcKeyName
CRUD operations for OIDC keys.
Parameters
name (required)
Name of the key
Type: string
deleteIdentityOidcRoleName
CRUD operations on OIDC Roles
Parameters
name (required)
Name of the role
Type: string
deleteIdentityPersonaIdId
Update, read or delete an alias ID.
Parameters
id (required)
ID of the persona
Type: string
deleteNomadConfigAccess
This operation has no parameters
deleteNomadConfigLease
Configure the lease parameters for generated tokens
This operation has no parameters
deleteNomadRoleName
Parameters
name (required)
Name of the role
Type: string
deletePkiRolesName
Manage the roles that can be created with this backend.
Parameters
name (required)
Name of the role
Type: string
deletePkiRoot
Deletes the root CA key to allow a new one to be generated.
This operation has no parameters
deleteRabbitmqRolesName
Manage the roles that can be created with this backend.
Parameters
name (required)
Name of the role.
Type: string
deleteSecretDataPath
Write, Read, and Delete data in the Key-Value Store.
Parameters
path (required)
Location of the secret.
Type: string
deleteSecretMetadataPath
Configures settings for the KV store
Parameters
path (required)
Location of the secret.
Type: string
deleteSshConfigCa
Set the SSH private key used for signing certificates.
This operation has no parameters
deleteSshConfigZeroaddress
Assign zero address as default CIDR block for select roles.
This operation has no parameters
deleteSshKeysKey_name
Register a shared private key with Vault.
Parameters
key_name (required)
[Required] Name of the key
Type: string
deleteSshRolesRole
Manage the 'roles' that can be created with this backend.
Parameters
role (required)
[Required for all types] Name of the role being created.
Type: string
deleteSysAuditPath
Disable the audit device at the given path.
Parameters
path (required)
The name of the backend. Cannot be delimited. Example: "mysql"
Type: string
deleteSysAuthPath
Disable the auth method at the given auth path
Parameters
path (required)
The path to mount to. Cannot be delimited. Example: "user"
Type: string
deleteSysConfigAuditingRequestHeadersHeader
Disable auditing of the given request header.
Parameters
header (required)
Type: string
deleteSysConfigCors
Remove any CORS settings.
This operation has no parameters
deleteSysConfigUiHeadersHeader
Remove a UI header.
Parameters
header (required)
The name of the header.
Type: string
deleteSysGenerateRoot
Cancels any in-progress root generation attempt.
This operation has no parameters
deleteSysGenerateRootAttempt
Cancels any in-progress root generation attempt.
This operation has no parameters
deleteSysMountsPath
Disable the mount point specified at the given path.
Parameters
path (required)
The path to mount to. Example: "aws/east"
Type: string
deleteSysPluginsCatalogName
Remove the plugin with the given name.
Parameters
name (required)
The name of the plugin
Type: string
deleteSysPluginsCatalogTypeName
Remove the plugin with the given name.
Parameters
name (required)
The name of the plugin
Type: string
type (required)
The type of the plugin, may be auth, secret, or database
Type: string
deleteSysPoliciesAclName
Delete the ACL policy with the given name.
Parameters
name (required)
The name of the policy. Example: "ops"
Type: string
deleteSysPolicyName
Delete the policy with the given name.
Parameters
name (required)
The name of the policy. Example: "ops"
Type: string
deleteSysRaw
Delete the key with given path.
This operation has no parameters
deleteSysRawPath
Delete the key with given path.
Parameters
path (required)
Type: string
deleteSysRekeyBackup
Delete the backup copy of PGP-encrypted unseal keys.
This operation has no parameters
deleteSysRekeyInit
This clears the rekey settings as well as any progress made. This must be called to change the parameters of the rekey. Note: verification is still a part of a rekey. If rekeying is canceled during the verification flow, the current unseal keys remain valid.
This operation has no parameters
deleteSysRekeyRecoveryKeyBackup
Allows fetching or deleting the backup of the rotated unseal keys.
This operation has no parameters
deleteSysRekeyVerify
This clears any progress made and resets the nonce. Unlike a DELETE against sys/rekey/init, this only resets the current verification operation, not the entire rekey attempt.
This operation has no parameters
deleteTotpKeysName
Manage the keys that can be created with this backend.
Parameters
name (required)
Name of the key.
Type: string
deleteTransitKeysName
Managed named encryption keys
Parameters
name (required)
Name of the key
Type: string
getAdConfig
Configure the AD server to connect to, along with password options.
This operation has no parameters
getAdCredsName
Retrieve a role's creds by role name.
Parameters
name (required)
Name of the role
Type: string
getAdLibrary
Parameters
list
Return a list if true
Type: string
getAdLibraryName
Read a library set.
Parameters
name (required)
Name of the set.
Type: string
getAdLibraryNameStatus
Check the status of the service accounts in a library set.
Parameters
name (required)
Name of the set.
Type: string
getAdRoles
List the name of each role currently stored.
Parameters
list
Return a list if true
Type: string
getAdRolesName
Manage roles to build links between Vault and Active Directory service accounts.
Parameters
name (required)
Name of the role
Type: string
getAdRotateRoot
Request to rotate the root credentials.
This operation has no parameters
getAlicloudConfig
Configure the access key and secret to use for RAM and STS calls.
This operation has no parameters
getAlicloudCredsName
Generate an API key or STS credential using the given role's configuration.
Parameters
name (required)
The name of the role.
Type: string
getAlicloudRole
List the existing roles in this backend.
Parameters
list
Return a list if true
Type: string
getAlicloudRoleName
Read, write and reference policies and roles that API keys or STS credentials can be made for.
Parameters
name (required)
The name of the role.
Type: string
getAuthTokenAccessors
List token accessors, which can then be used to iterate and discover their properties or revoke them. Because this can be used to cause a denial of service, this endpoint requires 'sudo' capability in addition to 'list'.
Parameters
list
Return a list if true
Type: string
getAuthTokenLookup
This endpoint will lookup a token and its properties.
This operation has no parameters
getAuthTokenLookupSelf
This endpoint will lookup a token and its properties.
This operation has no parameters
getAuthTokenRoles
This endpoint lists configured roles.
Parameters
list
Return a list if true
Type: string
getAuthTokenRolesRole_name
Parameters
role_name (required)
Name of the role
Type: string
getAwsConfigLease
Configure the default lease information for generated credentials.
This operation has no parameters
getAwsConfigRoot
Configure the root credentials that are used to manage IAM.
This operation has no parameters
getAwsCreds
Generate AWS credentials from a specific Vault role.
This operation has no parameters
getAwsRoles
List the existing roles in this backend
Parameters
list
Return a list if true
Type: string
getAwsRolesName
Read, write and reference IAM policies that access keys can be made for.
Parameters
name (required)
Name of the policy
Type: string
getAwsStsName
Generate AWS credentials from a specific Vault role.
Parameters
name (required)
Name of the role
Type: string
getAzureConfig
Configure the Azure Secret backend.
This operation has no parameters
getAzureCredsRole
Request Service Principal credentials for a given Vault role.
Parameters
role (required)
Name of the Vault role
Type: string
getAzureRoles
List existing roles.
Parameters
list
Return a list if true
Type: string
getAzureRolesName
Manage the Vault roles used to generate Azure credentials.
Parameters
name (required)
Name of the role.
Type: string
getConsulConfigAccess
This operation has no parameters
getConsulCredsRole
Parameters
role (required)
Name of the role
Type: string
getConsulRoles
Parameters
list
Return a list if true
Type: string
getConsulRolesName
Parameters
name (required)
Name of the role
Type: string
getCubbyholePath
Retrieve the secret at the specified location.
Parameters
path (required)
Specifies the path of the secret.
Type: string
list
Return a list if true
Type: string
getDatabaseConfig
Configure connection details to a database plugin.
Parameters
list
Return a list if true
Type: string
getDatabaseConfigName
Configure connection details to a database plugin.
Parameters
name (required)
Name of this database connection
Type: string
getDatabaseCredsName
Request database credentials for a certain role.
Parameters
name (required)
Name of the role.
Type: string
getDatabaseRoles
Manage the roles that can be created with this backend.
Parameters
list
Return a list if true
Type: string
getDatabaseRolesName
Manage the roles that can be created with this backend.
Parameters
name (required)
Name of the role.
Type: string
getDatabaseStaticCredsName
Request database credentials for a certain static role. These credentials are rotated periodically.
Parameters
name (required)
Name of the static role.
Type: string
getDatabaseStaticRoles
Manage the static roles that can be created with this backend.
Parameters
list
Return a list if true
Type: string
getDatabaseStaticRolesName
Manage the static roles that can be created with this backend.
Parameters
name (required)
Name of the role.
Type: string
getGcpConfig
This operation has no parameters
getGcpKeyRoleset
Parameters
roleset (required)
Required. Name of the role set.
Type: string
getGcpRoleset
Parameters
list
Return a list if true
Type: string
getGcpRolesetName
Parameters
name (required)
Required. Name of the role.
Type: string
getGcpRolesets
Parameters
list
Return a list if true
Type: string
getGcpTokenRoleset
Parameters
roleset (required)
Required. Name of the role set.
Type: string
getGcpkmsConfig
Configure the GCP KMS secrets engine
This operation has no parameters
getGcpkmsKeys
List named keys
Parameters
list
Return a list if true
Type: string
getGcpkmsKeysConfigKey
Configure the key in Vault
Parameters
key (required)
Name of the key in Vault.
Type: string
getGcpkmsKeysKey
Interact with crypto keys in Vault and Google Cloud KMS
Parameters
key (required)
Name of the key in Vault.
Type: string
getGcpkmsPubkeyKey
Retrieve the public key associated with the named key
Parameters
key (required)
Name of the key for which to get the public key. This key must already exist in Vault and Google Cloud KMS.
Type: string
getIdentityAliasId
List all the alias IDs.
Parameters
list
Return a list if true
Type: string
getIdentityAliasIdId
Update, read or delete an alias ID.
Parameters
id (required)
ID of the alias
Type: string
getIdentityEntityAliasId
List all the alias IDs.
Parameters
list
Return a list if true
Type: string
getIdentityEntityAliasIdId
Update, read or delete an alias ID.
Parameters
id (required)
ID of the alias
Type: string
getIdentityEntityId
List all the entity IDs
Parameters
list
Return a list if true
Type: string
getIdentityEntityIdId
Update, read or delete an entity using entity ID
Parameters
id (required)
ID of the entity. If set, updates the corresponding existing entity.
Type: string
getIdentityEntityName
List all the entity names
Parameters
list
Return a list if true
Type: string
getIdentityEntityNameName
Update, read or delete an entity using entity name
Parameters
name (required)
Name of the entity
Type: string
getIdentityGroupAliasId
List all the group alias IDs.
Parameters
list
Return a list if true
Type: string
getIdentityGroupAliasIdId
Parameters
id (required)
ID of the group alias.
Type: string
getIdentityGroupId
List all the group IDs.
Parameters
list
Return a list if true
Type: string
getIdentityGroupIdId
Update or delete an existing group using its ID.
Parameters
id (required)
ID of the group. If set, updates the corresponding existing group.
Type: string
getIdentityGroupName
Parameters
list
Return a list if true
Type: string
getIdentityGroupNameName
Parameters
name (required)
Name of the group.
Type: string
getIdentityOidcConfig
OIDC configuration
This operation has no parameters
getIdentityOidcKey
List OIDC keys
Parameters
list
Return a list if true
Type: string
getIdentityOidcKeyName
CRUD operations for OIDC keys.
Parameters
name (required)
Name of the key
Type: string
getIdentityOidcRole
List configured OIDC roles
Parameters
list
Return a list if true
Type: string
getIdentityOidcRoleName
CRUD operations on OIDC Roles
Parameters
name (required)
Name of the role
Type: string
getIdentityOidcTokenName
Generate an OIDC token
Parameters
name (required)
Name of the role
Type: string
getIdentityOidcWellKnownKeys
Retrieve public keys
This operation has no parameters
getIdentityOidcWellKnownOpenidConfiguration
Query OIDC configurations
This operation has no parameters
getIdentityPersonaId
List all the alias IDs.
Parameters
list
Return a list if true
Type: string
getIdentityPersonaIdId
Update, read or delete an alias ID.
Parameters
id (required)
ID of the persona
Type: string
getNomadConfigAccess
This operation has no parameters
getNomadConfigLease
Configure the lease parameters for generated tokens
This operation has no parameters
getNomadCredsName
Parameters
name (required)
Name of the role
Type: string
getNomadRole
Parameters
list
Return a list if true
Type: string
getNomadRoleName
Parameters
name (required)
Name of the role
Type: string
getPkiCa
Fetch a CA, CRL, CA Chain, or non-revoked certificate.
This operation has no parameters
getPkiCaPem
Fetch a CA, CRL, CA Chain, or non-revoked certificate.
This operation has no parameters
getPkiCa_chain
Fetch a CA, CRL, CA Chain, or non-revoked certificate.
This operation has no parameters
getPkiCertCa_chain
Fetch a CA, CRL, CA Chain, or non-revoked certificate.
This operation has no parameters
getPkiCertCrl
Fetch a CA, CRL, CA Chain, or non-revoked certificate.
This operation has no parameters
getPkiCertSerial
Fetch a CA, CRL, CA Chain, or non-revoked certificate.
Parameters
serial (required)
Certificate serial number, in colon- or hyphen-separated octal
Type: string
getPkiCerts
Fetch a CA, CRL, CA Chain, or non-revoked certificate.
Parameters
list
Return a list if true
Type: string
getPkiConfigCrl
Configure the CRL expiration.
This operation has no parameters
getPkiConfigUrls
Set the URLs for the issuing CA, CRL distribution points, and OCSP servers.
This operation has no parameters
getPkiCrl
Fetch a CA, CRL, CA Chain, or non-revoked certificate.
This operation has no parameters
getPkiCrlPem
Fetch a CA, CRL, CA Chain, or non-revoked certificate.
This operation has no parameters
getPkiCrlRotate
Force a rebuild of the CRL.
This operation has no parameters
getPkiRoles
List the existing roles in this backend
Parameters
list
Return a list if true
Type: string
getPkiRolesName
Manage the roles that can be created with this backend.
Parameters
name (required)
Name of the role
Type: string
getRabbitmqConfigLease
Configure the lease parameters for generated credentials
This operation has no parameters
getRabbitmqCredsName
Request RabbitMQ credentials for a certain role.
Parameters
name (required)
Name of the role.
Type: string
getRabbitmqRoles
Manage the roles that can be created with this backend.
Parameters
list
Return a list if true
Type: string
getRabbitmqRolesName
Manage the roles that can be created with this backend.
Parameters
name (required)
Name of the role.
Type: string
getSecretConfig
Read the backend level settings.
This operation has no parameters
getSecretDataPath
Write, Read, and Delete data in the Key-Value Store.
Parameters
path (required)
Location of the secret.
Type: string
getSecretMetadataPath
Configures settings for the KV store
Parameters
path (required)
Location of the secret.
Type: string
list
Return a list if true
Type: string
getSshConfigCa
Set the SSH private key used for signing certificates.
This operation has no parameters
getSshConfigZeroaddress
Assign zero address as default CIDR block for select roles.
This operation has no parameters
getSshPublic_key
Retrieve the public key.
This operation has no parameters
getSshRoles
Manage the 'roles' that can be created with this backend.
Parameters
list
Return a list if true
Type: string
getSshRolesRole
Manage the 'roles' that can be created with this backend.
Parameters
role (required)
[Required for all types] Name of the role being created.
Type: string
getSysAudit
List the enabled audit devices.
This operation has no parameters
getSysAuth
List the currently enabled credential backends.
This operation has no parameters
getSysAuthPathTune
This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via sys/mounts/auth/[auth-path]/tune.
Parameters
path (required)
Tune the configuration parameters for an auth path.
Type: string
getSysConfigAuditingRequestHeaders
List the request headers that are configured to be audited.
This operation has no parameters
getSysConfigAuditingRequestHeadersHeader
List the information for the given request header.
Parameters
header (required)
Type: string
getSysConfigCors
Return the current CORS settings.
This operation has no parameters
getSysConfigStateSanitized
The sanitized output strips configuration values in the storage, HA storage, and seals stanzas, which may contain sensitive values such as API tokens. It also removes any token or secret fields in other stanzas, such as the circonus_api_token from telemetry.
This operation has no parameters
getSysConfigUiHeaders
Return a list of configured UI headers.
Parameters
list
Return a list if true
Type: string
getSysConfigUiHeadersHeader
Return the given UI header's configuration
Parameters
header (required)
The name of the header.
Type: string
getSysGenerateRoot
Read the configuration and progress of the current root generation attempt.
This operation has no parameters
getSysGenerateRootAttempt
Read the configuration and progress of the current root generation attempt.
This operation has no parameters
getSysHealth
Returns the health status of Vault.
This operation has no parameters
getSysHostInfo
Information about the host instance that this Vault server is running on. The information that gets collected includes host hardware information, and CPU, disk, and memory utilization
This operation has no parameters
getSysInit
Returns the initialization status of Vault.
This operation has no parameters
getSysInternalSpecsOpenapi
Generate an OpenAPI 3 document of all mounted paths.
This operation has no parameters
getSysInternalUiMounts
Lists all enabled and visible auth and secrets mounts.
This operation has no parameters
getSysInternalUiMountsPath
Return information about the given mount.
Parameters
path (required)
The path of the mount.
Type: string
getSysKeyStatus
Provides information about the backend encryption key.
This operation has no parameters
getSysLeader
Returns the high availability status and current leader instance of Vault.
This operation has no parameters
getSysLeasesLookup
Returns a list of lease ids.
Parameters
list
Return a list if true
Type: string
getSysLeasesLookupPrefix
Returns a list of lease ids.
Parameters
prefix (required)
The path to list leases under. Example: "aws/creds/deploy"
Type: string
list
Return a list if true
Type: string
getSysMetrics
Export the metrics aggregated for telemetry purpose.
Parameters
format
Format to export metrics into. Currently accepts only "prometheus".
Type: string
getSysMounts
List the currently mounted backends.
This operation has no parameters
getSysMountsPathTune
Tune backend configuration parameters for this mount.
Parameters
path (required)
The path to mount to. Example: "aws/east"
Type: string
getSysPluginsCatalog
Lists all the plugins known to Vault
This operation has no parameters
getSysPluginsCatalogName
Return the configuration data for the plugin with the given name.
Parameters
name (required)
The name of the plugin
Type: string
getSysPluginsCatalogType
List the plugins in the catalog.
Parameters
type (required)
The type of the plugin, may be auth, secret, or database
Type: string
list
Return a list if true
Type: string
getSysPluginsCatalogTypeName
Return the configuration data for the plugin with the given name.
Parameters
name (required)
The name of the plugin
Type: string
type (required)
The type of the plugin, may be auth, secret, or database
Type: string
getSysPoliciesAcl
List the configured access control policies.
Parameters
list
Return a list if true
Type: string
getSysPoliciesAclName
Retrieve information about the named ACL policy.
Parameters
name (required)
The name of the policy. Example: "ops"
Type: string
getSysPolicy
List the configured access control policies.
Parameters
list
Return a list if true
Type: string
getSysPolicyName
Retrieve the policy body for the named policy.
Parameters
name (required)
The name of the policy. Example: "ops"
Type: string
getSysPprof
Returns an HTML page listing the available profiles. This should be mainly accessed via browsers or applications that can render pages.
This operation has no parameters
getSysPprofCmdline
Returns the running program's command line, with arguments separated by NUL bytes.
This operation has no parameters
getSysPprofGoroutine
Returns stack traces of all current goroutines.
This operation has no parameters
getSysPprofHeap
Returns a sampling of memory allocations of live objects.
This operation has no parameters
getSysPprofProfile
Returns a pprof-formatted cpu profile payload. Profiling lasts for duration specified in seconds GET parameter, or for 30 seconds if not specified.
This operation has no parameters
getSysPprofSymbol
Returns the program counters listed in the request.
This operation has no parameters
getSysPprofTrace
Returns the execution trace in binary form. Tracing lasts for duration specified in seconds GET parameter, or for 1 second if not specified.
This operation has no parameters
getSysRaw
Read the value of the key at the given path.
Parameters
list
Return a list if true
Type: string
getSysRawPath
Read the value of the key at the given path.
Parameters
path (required)
Type: string
list
Return a list if true
Type: string
getSysRekeyBackup
Return the backup copy of PGP-encrypted unseal keys.
This operation has no parameters
getSysRekeyInit
Reads the configuration and progress of the current rekey attempt.
This operation has no parameters
getSysRekeyRecoveryKeyBackup
Allows fetching or deleting the backup of the rotated unseal keys.
This operation has no parameters
getSysRekeyVerify
Read the configuration and progress of the current rekey verification attempt.
This operation has no parameters
getSysReplicationStatus
This operation has no parameters
getSysSealStatus
Check the seal status of a Vault.
This operation has no parameters
getSysWrappingLookup
Look up wrapping properties for the requester's token.
This operation has no parameters
getTotpCodeName
Request a time-based one-time use password or validate a password for a certain key.
Parameters
name (required)
Name of the key.
Type: string
getTotpKeys
Manage the keys that can be created with this backend.
Parameters
list
Return a list if true
Type: string
getTotpKeysName
Manage the keys that can be created with this backend.
Parameters
name (required)
Name of the key.
Type: string
getTransitBackupName
Backup the named key
Parameters
name (required)
Name of the key
Type: string
getTransitCacheConfig
Returns the size of the active cache
This operation has no parameters
getTransitExportTypeName
Export named encryption or signing key
Parameters
name (required)
Name of the key
Type: string
type (required)
Type of key to export (encryption-key, signing-key, hmac-key)
Type: string
getTransitExportTypeNameVersion
Export named encryption or signing key
Parameters
name (required)
Name of the key
Type: string
type (required)
Type of key to export (encryption-key, signing-key, hmac-key)
Type: string
version (required)
Version of the key
Type: string
getTransitKeys
Managed named encryption keys
Parameters
list
Return a list if true
Type: string
getTransitKeysName
Managed named encryption keys
Parameters
name (required)
Name of the key
Type: string
postAdConfig
Configure the AD server to connect to, along with password options.
Parameters
$body
Type: object
{
"last_rotation_tolerance" : "The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band.",
"bindpass" : "LDAP password for searching for the user DN (optional)",
"max_ttl" : "In seconds, the maximum password time-to-live.",
"request_timeout" : "Timeout, in seconds, for the connection when making requests against the server before returning back an error.",
"certificate" : "CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded (optional)",
"use_pre111_group_cn_behavior" : "In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.",
"case_sensitive_names" : "If true, case sensitivity will be used when comparing usernames and groups for matching policies.",
"groupattr" : "LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: \"cn\" or \"memberOf\", etc. Default: cn",
"tls_min_version" : "Minimum TLS version to use. Accepted values are 'tls10', 'tls11' or 'tls12'. Defaults to 'tls12'",
"upndomain" : "Enables userPrincipalDomain login with [username]@UPNDomain (optional)",
"userattr" : "Attribute used for users (default: cn)",
"starttls" : "Issue a StartTLS command after establishing unencrypted connection (optional)",
"groupfilter" : "Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username Example: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))",
"length" : "The desired length of passwords that Vault generates.",
"insecure_tls" : "Skip LDAP server SSL Certificate verification - VERY insecure (optional)",
"deny_null_bind" : "Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true",
"tls_max_version" : "Maximum TLS version to use. Accepted values are 'tls10', 'tls11' or 'tls12'. Defaults to 'tls12'",
"ttl" : "In seconds, the default password time-to-live.",
"url" : "LDAP URL to connect to (default: ldap://127.0.0.1). Multiple URLs can be specified by concatenating them with commas; they will be tried in-order.",
"formatter" : "Text to insert the password into, ex. \"customPrefix{{PASSWORD}}customSuffix\".",
"binddn" : "LDAP DN for searching for the user DN (optional)",
"groupdn" : "LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org)",
"use_token_groups" : "If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.",
"discoverdn" : "Use anonymous bind to discover the bind DN of a user (optional)",
"userdn" : "LDAP domain to use for users (eg: ou=People,dc=example,dc=org)"
}
postAdLibraryManageNameCheckIn
Check service accounts in to the library.
Parameters
name (required)
Name of the set.
Type: string
$body
Type: object
{
"service_account_names" : [ "string" ]
}
postAdLibraryName
Update a library set.
Parameters
name (required)
Name of the set.
Type: string
$body
Type: object
{
"max_ttl" : "In seconds, the max amount of time a check-out's renewals should last. Defaults to 24 hours.",
"service_account_names" : [ "string" ],
"disable_check_in_enforcement" : "Disable the default behavior of requiring that check-ins are performed by the entity that checked them out.",
"ttl" : "In seconds, the amount of time a check-out should last. Defaults to 24 hours."
}
postAdLibraryNameCheckIn
Check service accounts in to the library.
Parameters
name (required)
Name of the set.
Type: string
$body
Type: object
{
"service_account_names" : [ "string" ]
}
postAdLibraryNameCheckOut
Check a service account out from the library.
Parameters
name (required)
Name of the set
Type: string
$body
Type: object
{
"ttl" : "The length of time before the check-out will expire, in seconds."
}
postAdRolesName
Manage roles to build links between Vault and Active Directory service accounts.
Parameters
name (required)
Name of the role
Type: string
$body
Type: object
{
"service_account_name" : "The username/logon name for the service account with which this role will be associated.",
"ttl" : "In seconds, the default password time-to-live."
}
postAlicloudConfig
Configure the access key and secret to use for RAM and STS calls.
Parameters
$body
Type: object
{
"secret_key" : "Secret key with appropriate permissions.",
"access_key" : "Access key with appropriate permissions."
}
postAlicloudRoleName
Read, write and reference policies and roles that API keys or STS credentials can be made for.
Parameters
name (required)
The name of the role.
Type: string
$body
Type: object
{
"max_ttl" : "The maximum allowed lifetime of tokens issued using this role.",
"role_arn" : "ARN of the role to be assumed. If provided, inline_policies and remote_policies should be blank. At creation time, this role must have configured trusted actors, and the access key and secret that will be used to assume the role (in /config) must qualify as a trusted actor.",
"remote_policies" : [ "string" ],
"inline_policies" : "JSON of policies to be dynamically applied to users of this role.",
"ttl" : "Duration in seconds after which the issued token should expire. Defaults to 0, in which case the value will fall back to the system/mount defaults."
}
postAuthTokenCreate
The token create path is used to create new tokens.
This operation has no parameters
postAuthTokenCreateOrphan
The token create path is used to create new orphan tokens.
This operation has no parameters
postAuthTokenCreateRole_name
This token create path is used to create new tokens adhering to the given role.
Parameters
role_name (required)
Name of the role
Type: string
postAuthTokenLookup
This endpoint will look up a token and its properties.
Parameters
$body
Type: object
{
"token" : "Token to look up (POST request body)"
}
postAuthTokenLookupAccessor
This endpoint will look up the token associated with the given accessor and its properties. The response will not contain the token ID.
Parameters
$body
Type: object
{
"accessor" : "Accessor of the token to look up (request body)"
}
postAuthTokenLookupSelf
This endpoint will look up a token and its properties.
Parameters
$body
Type: object
{
"token" : "Token to look up (unused, does not need to be set)"
}
postAuthTokenRenew
This endpoint will renew the given token and prevent expiration.
Parameters
$body
Type: object
{
"increment" : "The desired increment in seconds to the token expiration",
"token" : "Token to renew (request body)"
}
postAuthTokenRenewAccessor
This endpoint will renew the token associated with the given accessor and return its properties. The response will not contain the token ID.
Parameters
$body
Type: object
{
"accessor" : "Accessor of the token to renew (request body)",
"increment" : "The desired increment in seconds to the token expiration"
}
postAuthTokenRenewSelf
This endpoint will renew the token used to call it and prevent expiration.
Parameters
$body
Type: object
{
"increment" : "The desired increment in seconds to the token expiration",
"token" : "Token to renew (unused, does not need to be set)"
}
postAuthTokenRevoke
This endpoint will delete the given token and all of its child tokens.
Parameters
$body
Type: object
{
"token" : "Token to revoke (request body)"
}
postAuthTokenRevokeAccessor
This endpoint will delete the token associated with the accessor and all of its child tokens.
Parameters
$body
Type: object
{
"accessor" : "Accessor of the token (request body)"
}
postAuthTokenRevokeOrphan
This endpoint will delete the token and orphan its child tokens.
Parameters
$body
Type: object
{
"token" : "Token to revoke (request body)"
}
postAuthTokenRevokeSelf
This endpoint will delete the token used to call it and all of its child tokens.
This operation has no parameters
postAuthTokenRolesRole_name
Parameters
role_name (required)
Name of the role
Type: string
$body
Type: object
{
"bound_cidrs" : [ "string" ],
"period" : "Use 'token_period' instead.",
"token_num_uses" : "The maximum number of times a token may be used; a value of zero means unlimited",
"allowed_entity_aliases" : [ "string" ],
"token_explicit_max_ttl" : "If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.",
"path_suffix" : "If set, tokens created via this role will contain the given suffix as a part of their path. This can be used to assist use of the 'revoke-prefix' endpoint later on. The given suffix must match the regular expression \\w[\\w-.]+\\w.",
"token_period" : "If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").",
"orphan" : "If true, tokens created via this role will be orphan tokens (have no parent)",
"token_type" : "The type of token to generate, service or batch",
"explicit_max_ttl" : "Use 'token_explicit_max_ttl' instead.",
"token_no_default_policy" : "If true, the 'default' policy will not automatically be added to generated tokens",
"disallowed_policies" : [ "string" ],
"allowed_policies" : [ "string" ],
"renewable" : "Tokens created via this role will be renewable or not according to this value. Defaults to \"true\".",
"token_bound_cidrs" : [ "string" ]
}
postAuthTokenTidy
This endpoint performs cleanup tasks that can be run if certain error conditions have occurred.
This operation has no parameters
postAwsConfigLease
Configure the default lease information for generated credentials.
Parameters
$body
Type: object
{
"lease_max" : "Maximum time a credential is valid for.",
"lease" : "Default lease for roles."
}
postAwsConfigRoot
Configure the root credentials that are used to manage IAM.
Parameters
$body
Type: object
{
"secret_key" : "Secret key with permission to create new keys.",
"max_retries" : "Maximum number of retries for recoverable exceptions of AWS APIs",
"access_key" : "Access key with permission to create new keys.",
"iam_endpoint" : "URL of a custom IAM endpoint to use instead of the AWS default",
"sts_endpoint" : "URL of a custom STS endpoint to use instead of the AWS default",
"region" : "Region for API calls."
}
postAwsConfigRotateRoot
Request to rotate the AWS credentials used by Vault
This operation has no parameters
postAwsCreds
Generate AWS credentials from a specific Vault role.
Parameters
$body
Type: object
{
"role_arn" : "ARN of role to assume when credential_type is assumed_role",
"name" : "Name of the role",
"ttl" : "Lifetime of the returned credentials in seconds"
}
postAwsRolesName
Read, write and reference IAM policies that access keys can be made for.
Parameters
name (required)
Name of the policy
Type: string
$body
Type: object
{
"credential_type" : "Type of credential to retrieve. Must be one of assumed_role, iam_user, or federation_token",
"role_arns" : [ "string" ],
"max_sts_ttl" : "Max allowed TTL for assumed_role and federation_token credential types",
"user_path" : "Path for IAM User. Only valid when credential_type is iam_user",
"permissions_boundary_arn" : "ARN of an IAM policy to attach as a permissions boundary on IAM user credentials; only valid when credential_type is iam_user",
"arn" : "Use role_arns or policy_arns instead.",
"default_sts_ttl" : "Default TTL for assumed_role and federation_token credential types when no TTL is explicitly requested with the credentials",
"policy_document" : "JSON-encoded IAM policy document. Behavior varies by credential_type. When credential_type is iam_user, then it will attach the contents of the policy_document to the IAM user generated. When credential_type is assumed_role or federation_token, this will be passed in as the Policy parameter to the AssumeRole or GetFederationToken API call, acting as a filter on permissions available.",
"policy" : "Use policy_document instead.",
"policy_arns" : [ "string" ]
}
postAwsStsName
Generate AWS credentials from a specific Vault role.
Parameters
name (required)
Name of the role
Type: string
$body
Type: object
{
"role_arn" : "ARN of role to assume when credential_type is assumed_role",
"ttl" : "Lifetime of the returned credentials in seconds"
}
postAzureConfig
Configure the Azure Secret backend.
Parameters
$body
Type: object
{
"subscription_id" : "The subscription id for the Azure Active Directory. This value can also be provided with the AZURE_SUBSCRIPTION_ID environment variable.",
"tenant_id" : "The tenant id for the Azure Active Directory. This value can also be provided with the AZURE_TENANT_ID environment variable.",
"environment" : "The Azure environment name. If not provided, AzurePublicCloud is used. This value can also be provided with the AZURE_ENVIRONMENT environment variable.",
"client_secret" : "The OAuth2 client secret to connect to Azure. This value can also be provided with the AZURE_CLIENT_SECRET environment variable.",
"client_id" : "The OAuth2 client id to connect to Azure. This value can also be provided with the AZURE_CLIENT_ID environment variable."
}
postAzureRolesName
Manage the Vault roles used to generate Azure credentials.
Parameters
name (required)
Name of the role.
Type: string
$body
Type: object
{
"max_ttl" : "Maximum time a generated service principal is valid for. If not set or set to 0, will use system default.",
"application_object_id" : "Application Object ID to use for static service principal credentials.",
"azure_roles" : "JSON list of Azure roles to assign.",
"ttl" : "Default lease for generated credentials. If not set or set to 0, will use system default.",
"azure_groups" : "JSON list of Azure groups to add the service principal to."
}
postConsulConfigAccess
Parameters
$body
Type: object
{
"address" : "Consul server address",
"scheme" : "URI scheme for the Consul address",
"token" : "Token for API calls"
}
postConsulRolesName
Parameters
name (required)
Name of the role
Type: string
$body
Type: object
{
"max_ttl" : "Max TTL for the Consul token created from the role.",
"policies" : [ "string" ],
"lease" : "Use ttl instead.",
"token_type" : "Which type of token to create: 'client' or 'management'. If a 'management' token, the \"policy\" parameter is not required. Defaults to 'client'.",
"ttl" : "TTL for the Consul token created from the role.",
"local" : "Indicates that the token should not be replicated globally and instead be local to the current datacenter. Available in Consul 1.4 and above.",
"policy" : "Policy document, base64 encoded. Required for 'client' tokens. Required for Consul pre-1.4."
}
postCubbyholePath
Store a secret at the specified location.
Parameters
path (required)
Specifies the path of the secret.
Type: string
postDatabaseConfigName
Configure connection details to a database plugin.
Parameters
name (required)
Name of this database connection
Type: string
$body
Type: object
{
"verify_connection" : "If true, the connection details are verified by actually connecting to the database. Defaults to true.",
"allowed_roles" : [ "string" ],
"root_rotation_statements" : [ "string" ],
"plugin_name" : "The name of a builtin or previously registered plugin known to Vault. This endpoint will create an instance of that plugin type."
}
postDatabaseResetName
Resets a database plugin.
Parameters
name (required)
Name of this database connection
Type: string
postDatabaseRolesName
Manage the roles that can be created with this backend.
Parameters
name (required)
Name of the role.
Type: string
$body
Type: object
{
"renew_statements" : [ "string" ],
"db_name" : "Name of the database this role acts on.",
"max_ttl" : "Maximum time a credential is valid for",
"default_ttl" : "Default ttl for role.",
"revocation_statements" : [ "string" ],
"rollback_statements" : [ "string" ],
"creation_statements" : [ "string" ]
}
postDatabaseRotateRoleName
Request database credentials for a certain role.
Parameters
name (required)
Name of the static role
Type: string
postDatabaseRotateRootName
Request database credentials for a certain role.
Parameters
name (required)
Name of this database connection
Type: string
postDatabaseStaticRolesName
Manage the static roles that can be created with this backend.
Parameters
name (required)
Name of the role.
Type: string
$body
Type: object
{
"db_name" : "Name of the database this role acts on.",
"rotation_statements" : [ "string" ],
"rotation_period" : "Period for automatic credential rotation of the given username. Not valid unless used with \"username\".",
"username" : "Name of the static user account for Vault to manage. Requires \"rotation_period\" to be specified"
}
postGcpConfig
Parameters
$body
Type: object
{
"max_ttl" : "Maximum time a service account key is valid for. If <= 0, will use system default.",
"credentials" : "GCP IAM service account credentials JSON with permissions to create new service accounts and set IAM policies",
"ttl" : "Default lease for generated keys. If <= 0, will use system default."
}
postGcpKeyRoleset
Parameters
roleset (required)
Required. Name of the role set.
Type: string
$body
Type: object
{
"key_type" : "Private key type for service account key - defaults to TYPE_GOOGLE_CREDENTIALS_FILE",
"key_algorithm" : "Private key algorithm for service account key - defaults to KEY_ALG_RSA_2048"
}
postGcpRolesetName
Parameters
name (required)
Required. Name of the role.
Type: string
$body
Type: object
{
"secret_type" : "Type of secret generated for this role set. Defaults to 'access_token'",
"token_scopes" : [ "string" ],
"bindings" : "Bindings configuration string.",
"project" : "Name of the GCP project that this roleset's service account will belong to."
}
postGcpRolesetNameRotate
Parameters
name (required)
Name of the role.
Type: string
postGcpRolesetNameRotateKey
Parameters
name (required)
Name of the role.
Type: string
postGcpTokenRoleset
Parameters
roleset (required)
Required. Name of the role set.
Type: string
postGcpkmsConfig
Configure the GCP KMS secrets engine
Parameters
$body
Type: object
{
"credentials" : "The credentials to use for authenticating to Google Cloud. Leave this blank to use the Default Application Credentials or instance metadata authentication.",
"scopes" : [ "string" ]
}
postGcpkmsDecryptKey
Decrypt a ciphertext value using a named key
Parameters
key (required)
Name of the key in Vault to use for decryption. This key must already exist in Vault and must map back to a Google Cloud KMS key.
Type: string
$body
Type: object
{
"ciphertext" : "Ciphertext to decrypt. This must be the base64-encoded ciphertext previously returned from an encrypt operation.",
"key_version" : "Integer version of the crypto key version to use for decryption. This is required for asymmetric keys. For symmetric keys, Cloud KMS will choose the correct version automatically.",
"additional_authenticated_data" : "Optional data that was specified during encryption of this payload."
}
postGcpkmsEncryptKey
Encrypt a plaintext value using a named key
Parameters
key (required)
Name of the key in Vault to use for encryption. This key must already exist in Vault and must map back to a Google Cloud KMS key.
Type: string
$body
Type: object
{
"key_version" : "Integer version of the crypto key version to use for encryption. If unspecified, this defaults to the latest active crypto key version.",
"plaintext" : "Plaintext value to be encrypted. This can be a string or binary, but the size is limited. See the Google Cloud KMS documentation for information on size limitations by key types.",
"additional_authenticated_data" : "Optional base64-encoded data that, if specified, must also be provided to decrypt this payload."
}
postGcpkmsKeysConfigKey
Configure the key in Vault
Parameters
key (required)
Name of the key in Vault.
Type: string
$body
Type: object
{
"min_version" : "Minimum allowed crypto key version. If set to a positive value, key versions less than the given value are not permitted to be used. If set to 0 or a negative value, there is no minimum key version. This value only affects encryption/re-encryption, not decryption. To restrict old values from being decrypted, increase this value and then perform a trim operation.",
"max_version" : "Maximum allowed crypto key version. If set to a positive value, key versions greater than the given value are not permitted to be used. If set to 0 or a negative value, there is no maximum key version."
}
postGcpkmsKeysDeregisterKey
Deregister an existing key in Vault
Parameters
key (required)
Name of the key to deregister in Vault. If the key exists in Google Cloud KMS, it will be left untouched.
Type: string
postGcpkmsKeysKey
Interact with crypto keys in Vault and Google Cloud KMS
Parameters
key (required)
Name of the key in Vault.
Type: string
$body
Type: object
{
"crypto_key" : "Name of the crypto key to use. If the given crypto key does not exist, Vault will try to create it. This defaults to the name of the key given to Vault as the parameter if unspecified.",
"protection_level" : "Level of protection to use for the key management. Valid values are \"software\" and \"hsm\". The default value is \"software\". The value cannot be changed after creation.",
"purpose" : "Purpose of the key. Valid options are \"asymmetric_decrypt\", \"asymmetric_sign\", and \"encrypt_decrypt\". The default value is \"encrypt_decrypt\". The value cannot be changed after creation.",
"key_ring" : "Full Google Cloud resource ID of the key ring with the project and location (e.g. projects/my-project/locations/global/keyRings/my-keyring). If the given key ring does not exist, Vault will try to create it during a create operation.",
"rotation_period" : "Amount of time between crypto key version rotations. This is specified as a time duration value like 72h (72 hours). The smallest possible value is 24h. This value only applies to keys with a purpose of \"encrypt_decrypt\".",
"algorithm" : "Algorithm to use for encryption, decryption, or signing. The value depends on the key purpose. The value cannot be changed after creation. For a key purpose of \"encrypt_decrypt\", the only valid value is symmetric_encryption (default). For a key purpose of \"asymmetric_sign\", valid values are: rsa_sign_pss_2048_sha256, rsa_sign_pss_3072_sha256, rsa_sign_pss_4096_sha256, rsa_sign_pkcs1_2048_sha256, rsa_sign_pkcs1_3072_sha256, rsa_sign_pkcs1_4096_sha256, ec_sign_p256_sha256, ec_sign_p384_sha384. For a key purpose of \"asymmetric_decrypt\", valid values are: rsa_decrypt_oaep_2048_sha256, rsa_decrypt_oaep_3072_sha256, rsa_decrypt_oaep_4096_sha256.",
"labels" : { }
}
postGcpkmsKeysRegisterKey
Register an existing crypto key in Google Cloud KMS
Parameters
key (required)
Name of the key to register in Vault. This will be the name used to refer to the underlying crypto key when encrypting or decrypting data.
Type: string
$body
Type: object
{
"crypto_key" : "Full resource ID of the crypto key including the project, location, key ring, and crypto key like \"projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\". This crypto key must already exist in Google Cloud KMS unless verify is set to \"false\".",
"verify" : "Verify that the given Google Cloud KMS crypto key exists and is accessible before creating the storage entry in Vault. Set this to \"false\" if the key will not exist at creation time."
}
postGcpkmsKeysRotateKey
Rotate a crypto key to a new primary version
Parameters
key (required)
Name of the key to rotate. This key must already be registered with Vault and point to a valid Google Cloud KMS crypto key.
Type: string
postGcpkmsKeysTrimKey
Delete old crypto key versions from Google Cloud KMS
Parameters
key (required)
Name of the key in Vault.
Type: string
postGcpkmsReencryptKey
Re-encrypt existing ciphertext data to a new version
Parameters
key (required)
Name of the key to use for encryption. This key must already exist in Vault and Google Cloud KMS.
Type: string
$body
Type: object
{
"ciphertext" : "Ciphertext to be re-encrypted to the latest key version. This must be ciphertext that Vault previously generated for this named key.",
"key_version" : "Integer version of the crypto key version to use for the new encryption. If unspecified, this defaults to the latest active crypto key version.",
"additional_authenticated_data" : "Optional data that, if specified, must also be provided during decryption."
}
postGcpkmsSignKey
Signs a message or digest using a named key
Parameters
key (required)
Name of the key in Vault to use for signing. This key must already exist in Vault and must map back to a Google Cloud KMS key.
Type: string
$body
Type: object
{
"key_version" : "Integer version of the crypto key version to use for signing. This field is required.",
"digest" : "Digest to sign. This digest must use the same SHA algorithm as the underlying Cloud KMS key. The digest must be the base64-encoded binary value. This field is required."
}
postGcpkmsVerifyKey
Verify a signature using a named key
Parameters
key (required)
Name of the key in Vault to use for verification. This key must already exist in Vault and must map back to a Google Cloud KMS key.
Type: string
$body
Type: object
{
"key_version" : "Integer version of the crypto key version to use for verification. This field is required.",
"signature" : "Base64-encoded signature to use for verification. This field is required.",
"digest" : "Digest to verify. This digest must use the same SHA algorithm as the underlying Cloud KMS key. The digest must be the base64-encoded binary value. This field is required."
}
postIdentityAlias
Create a new alias.
Parameters
$body
Type: object
{
"canonical_id" : "Entity ID to which this alias belongs",
"name" : "Name of the alias",
"id" : "ID of the alias",
"entity_id" : "Entity ID to which this alias belongs. This field is deprecated in favor of 'canonical_id'.",
"mount_accessor" : "Mount accessor to which this alias belongs"
}
postIdentityAliasIdId
Update, read or delete an alias ID.
Parameters
id (required)
ID of the alias
Type: string
$body
Type: object
{
"canonical_id" : "Entity ID to which this alias should be tied",
"name" : "Name of the alias",
"entity_id" : "Entity ID to which this alias should be tied. This field is deprecated in favor of 'canonical_id'.",
"mount_accessor" : "Mount accessor to which this alias belongs"
}
postIdentityEntity
Create a new entity
Parameters
$body
Type: object
{
"metadata" : { },
"name" : "Name of the entity",
"policies" : [ "string" ],
"disabled" : "If set true, tokens tied to this identity cannot be used (but will not be revoked).",
"id" : "ID of the entity. If set, updates the corresponding existing entity."
}
postIdentityEntityAlias
Create a new alias.
Parameters
$body
Type: object
{
"canonical_id" : "Entity ID to which this alias belongs",
"name" : "Name of the alias; unused for a modify",
"id" : "ID of the entity alias. If set, updates the corresponding entity alias.",
"entity_id" : "Entity ID to which this alias belongs. This field is deprecated, use canonical_id.",
"mount_accessor" : "Mount accessor to which this alias belongs; unused for a modify"
}
postIdentityEntityAliasIdId
Update, read or delete an alias ID.
Parameters
id (required)
ID of the alias
Type: string
$body
Type: object
{
"canonical_id" : "Entity ID to which this alias should be tied",
"name" : "(Unused)",
"entity_id" : "Entity ID to which this alias belongs. This field is deprecated, use canonical_id.",
"mount_accessor" : "(Unused)"
}
postIdentityEntityIdId
Update, read or delete an entity using entity ID
Parameters
id (required)
ID of the entity. If set, updates the corresponding existing entity.
Type: string
$body
Type: object
{
"metadata" : { },
"name" : "Name of the entity",
"policies" : [ "string" ],
"disabled" : "If set true, tokens tied to this identity cannot be used (but will not be revoked)."
}
postIdentityEntityMerge
Merge two or more entities together
Parameters
$body
Type: object
{
"from_entity_ids" : [ "string" ],
"to_entity_id" : "Entity ID into which all the other entities need to get merged",
"force" : "Setting this will follow the 'mine' strategy for merging MFA secrets: if secrets of the same type exist both in the entities being merged from and in the entity into which all others are merged, the secrets in the destination are left unaltered. If not set, this API will return an error listing all the conflicts."
}
postIdentityEntityNameName
Update, read or delete an entity using entity name
Parameters
name (required)
Name of the entity
Type: string
$body
Type: object
{
"metadata" : { },
"policies" : [ "string" ],
"disabled" : "If set true, tokens tied to this identity cannot be used (but will not be revoked).",
"id" : "ID of the entity. If set, updates the corresponding existing entity."
}
postIdentityGroup
Create a new group.
Parameters
$body
Type: object
{
"member_group_ids" : [ "string" ],
"metadata" : { },
"name" : "Name of the group.",
"policies" : [ "string" ],
"id" : "ID of the group. If set, updates the corresponding existing group.",
"type" : "Type of the group, 'internal' or 'external'. Defaults to 'internal'",
"member_entity_ids" : [ "string" ]
}
postIdentityGroupAlias
Creates a new group alias, or updates an existing one.
Parameters
$body
Type: object
{
"canonical_id" : "ID of the group to which this is an alias.",
"name" : "Alias of the group.",
"id" : "ID of the group alias.",
"mount_accessor" : "Mount accessor to which this alias belongs."
}
postIdentityGroupAliasIdId
Parameters
id (required)
ID of the group alias.
Type: string
$body
Type: object
{
"canonical_id" : "ID of the group to which this is an alias.",
"name" : "Alias of the group.",
"mount_accessor" : "Mount accessor to which this alias belongs."
}
postIdentityGroupIdId
Update or delete an existing group using its ID.
Parameters
id (required)
ID of the group. If set, updates the corresponding existing group.
Type: string
$body
Type: object
{
"member_group_ids" : [ "string" ],
"metadata" : { },
"name" : "Name of the group.",
"policies" : [ "string" ],
"type" : "Type of the group, 'internal' or 'external'. Defaults to 'internal'",
"member_entity_ids" : [ "string" ]
}
postIdentityGroupNameName
Parameters
name (required)
Name of the group.
Type: string
$body
Type: object
{
"member_group_ids" : [ "string" ],
"metadata" : { },
"policies" : [ "string" ],
"id" : "ID of the group. If set, updates the corresponding existing group.",
"type" : "Type of the group, 'internal' or 'external'. Defaults to 'internal'",
"member_entity_ids" : [ "string" ]
}
postIdentityLookupEntity
Query entities based on various properties.
Parameters
$body
Type: object
{
"alias_mount_accessor" : "Accessor of the mount to which the alias belongs. This should be supplied in conjunction with 'alias_name'.",
"alias_id" : "ID of the alias.",
"name" : "Name of the entity.",
"id" : "ID of the entity.",
"alias_name" : "Name of the alias. This should be supplied in conjunction with 'alias_mount_accessor'."
}
postIdentityLookupGroup
Query groups based on various properties.
Parameters
$body
Type: object
{
"alias_mount_accessor" : "Accessor of the mount to which the alias belongs. This should be supplied in conjunction with 'alias_name'.",
"alias_id" : "ID of the alias.",
"name" : "Name of the group.",
"id" : "ID of the group.",
"alias_name" : "Name of the alias. This should be supplied in conjunction with 'alias_mount_accessor'."
}
postIdentityOidcConfig
OIDC configuration
Parameters
$body
Type: object
{
"issuer" : "Issuer URL to be used in the iss claim of the token. If not set, Vault's api_addr will be used."
}
postIdentityOidcIntrospect
Verify the authenticity of an OIDC token
Parameters
$body
Type: object
{
"client_id" : "Optional client_id to verify",
"token" : "Token to verify"
}
postIdentityOidcKeyName
CRUD operations for OIDC keys.
Parameters
name (required)
Name of the key
Type: string
$body
Type: object
{
"verification_ttl" : "Controls how long the public portion of a key will be available for verification after being rotated.",
"rotation_period" : "How often to generate a new keypair.",
"allowed_client_ids" : [ "string" ],
"algorithm" : "Signing algorithm to use. This will default to RS256."
}
postIdentityOidcKeyNameRotate
Rotate a named OIDC key.
Parameters
name (required)
Name of the key
Type: string
$body
Type: object
{
"verification_ttl" : "Controls how long the public portion of a key will be available for verification after being rotated. Setting verification_ttl here will override the verification_ttl set on the key."
}
postIdentityOidcRoleName
CRUD operations on OIDC Roles
Parameters
name (required)
Name of the role
Type: string
$body
Type: object
{
"template" : "The template string to use for generating tokens. This may be in stringified JSON or base64 format.",
"ttl" : "TTL of the tokens generated against the role.",
"key" : "The OIDC key to use for generating tokens. The specified key must already exist."
}
postIdentityPersona
Create a new alias.
Parameters
$body
Type: object
{
"metadata" : { },
"name" : "Name of the persona",
"id" : "ID of the persona",
"entity_id" : "Entity ID to which this persona belongs",
"mount_accessor" : "Mount accessor to which this persona belongs"
}
postIdentityPersonaIdId
Update, read or delete an alias ID.
Parameters
id (required)
ID of the persona
Type: string
$body
Type: object
{
"metadata" : { },
"name" : "Name of the persona",
"entity_id" : "Entity ID to which this persona should be tied",
"mount_accessor" : "Mount accessor to which this persona belongs"
}
postNomadConfigAccess
Parameters
$body
Type: object
{
"max_token_name_length" : "Max length for name of generated Nomad tokens",
"address" : "Nomad server address",
"token" : "Token for API calls"
}
postNomadConfigLease
Configure the lease parameters for generated tokens
Parameters
$body
Type: object
{
"max_ttl" : "Duration after which the issued token should not be allowed to be renewed",
"ttl" : "Duration before which the issued token needs renewal"
}
postNomadRoleName
Parameters
name (required)
Name of the role
Type: string
$body
Type: object
{
"policies" : [ "string" ],
"global" : "Boolean value describing if the token should be global or not. Defaults to false.",
"type" : "Which type of token to create: 'client' or 'management'. If a 'management' token, the \"policies\" parameter is not required. Defaults to 'client'."
}
postPkiConfigCa
Set the CA certificate and private key used for generated credentials.
Parameters
$body
Type: object
{
"pem_bundle" : "PEM-format, concatenated unencrypted secret key and certificate."
}
postPkiConfigCrl
Configure the CRL expiration.
Parameters
$body
Type: object
{
"disable" : "If set to true, disables generating the CRL entirely.",
"expiry" : "The amount of time the generated CRL should be valid; defaults to 72 hours"
}
postPkiConfigUrls
Set the URLs for the issuing CA, CRL distribution points, and OCSP servers.
Parameters
$body
Type: object
{
"crl_distribution_points" : [ "string" ],
"issuing_certificates" : [ "string" ],
"ocsp_servers" : [ "string" ]
}
postPkiIntermediateGenerateExported
Generate a new CSR and private key used for signing.
Parameters
exported (required)
Must be "internal" or "exported". If set to "exported", the generated private key will be returned. This is your only chance to retrieve the private key!
Type: string
$body
Type: object
{
"other_sans" : [ "string" ],
"country" : [ "string" ],
"street_address" : [ "string" ],
"add_basic_constraints" : "Whether to add a Basic Constraints extension with CA: true. Only needed as a workaround in some compatibility scenarios with Active Directory Certificate Services.",
"key_type" : "The type of key to use; defaults to RSA. \"rsa\" and \"ec\" are the only valid values.",
"ou" : [ "string" ],
"format" : "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".",
"locality" : [ "string" ],
"private_key_format" : "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".",
"alt_names" : "The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses.",
"serial_number" : "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.",
"exclude_cn_from_sans" : "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).",
"uri_sans" : [ "string" ],
"ttl" : "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.",
"key_bits" : "The number of bits to use. You will almost certainly want to change this if you adjust the key_type.",
"province" : [ "string" ],
"ip_sans" : [ "string" ],
"organization" : [ "string" ],
"common_name" : "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans.",
"postal_code" : [ "string" ]
}
postPkiIntermediateSetSigned
Provide the signed intermediate CA cert.
Parameters
$body
Type: object
{
"certificate" : "PEM-format certificate. This must be a CA certificate with a public key matching the previously-generated key from the generation endpoint."
}
postPkiIssueRole
Request a certificate using a certain role with the provided details.
Parameters
role (required)
The desired role with configuration for this request
Type: string
$body
Type: object
{
"other_sans" : [ "string" ],
"ip_sans" : [ "string" ],
"format" : "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".",
"private_key_format" : "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".",
"alt_names" : "The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.",
"serial_number" : "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.",
"exclude_cn_from_sans" : "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).",
"uri_sans" : [ "string" ],
"common_name" : "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address.",
"ttl" : "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL."
}
postPkiRevoke
Revoke a certificate by serial number.
Parameters
$body
Type: object
{
"serial_number" : "Certificate serial number, in colon- or hyphen-separated octal"
}
postPkiRolesName
Manage the roles that can be created with this backend.
Parameters
name (required)
Name of the role
Type: string
$body
Type: object
{
"country" : [ "string" ],
"street_address" : [ "string" ],
"allow_subdomains" : "If set, clients can request certificates for subdomains of the CNs allowed by the other role options, including wildcard subdomains. See the documentation for more information.",
"allowed_domains" : [ "string" ],
"key_type" : "The type of key to use; defaults to RSA. \"rsa\" and \"ec\" are the only valid values.",
"key_usage" : [ "string" ],
"max_ttl" : "The maximum allowed lease duration",
"allow_bare_domains" : "If set, clients can request certificates for the base domains themselves, e.g. \"example.com\". This is a separate option as in some cases this can be considered a security threat.",
"allowed_other_sans" : [ "string" ],
"province" : [ "string" ],
"allow_localhost" : "Whether to allow \"localhost\" as a valid common name in a request",
"enforce_hostnames" : "If set, only valid host names are allowed for CN and SANs. Defaults to true.",
"allowed_uri_sans" : [ "string" ],
"backend" : "Backend Type",
"email_protection_flag" : "If set, certificates are flagged for email protection use. Defaults to false.",
"no_store" : "If set, certificates issued/signed against this role will not be stored in the storage backend. This can improve performance when issuing large numbers of certificates. However, certificates issued in this way cannot be enumerated or revoked, so this option is recommended only for certificates that are non-sensitive, or extremely short-lived. This option implies a value of \"false\" for \"generate_lease\".",
"allowed_serial_numbers" : [ "string" ],
"ou" : [ "string" ],
"allow_any_name" : "If set, clients can request certificates for any CN they like. See the documentation for more information.",
"locality" : [ "string" ],
"basic_constraints_valid_for_non_ca" : "Mark Basic Constraints valid when issuing non-CA certificates.",
"server_flag" : "If set, certificates are flagged for server auth use. Defaults to true.",
"generate_lease" : "If set, certificates issued/signed against this role will have Vault leases attached to them. Defaults to \"false\". Certificates can be added to the CRL by \"vault revoke \" when certificates are associated with leases. It can also be done using the \"pki/revoke\" endpoint. However, when lease generation is disabled, invoking \"pki/revoke\" would be the only way to add the certificates to the CRL. When a large number of certificates are generated with long lifetimes, it is recommended that lease generation be disabled, as a large number of leases adversely affects the startup time of Vault.",
"ttl" : "The lease duration if no specific lease duration is requested. The lease duration controls the expiration of certificates issued by this backend. Defaults to the value of max_ttl.",
"use_csr_sans" : "If set, when used with a signing profile, the SANs in the CSR will be used. This does *not* include the Common Name (cn). Defaults to true.",
"not_before_duration" : "The duration before now the cert needs to be created / signed.",
"key_bits" : "The number of bits to use. You will almost certainly want to change this if you adjust the key_type.",
"require_cn" : "If set to false, makes the 'common_name' field optional while generating a certificate.",
"allow_ip_sans" : "If set, IP Subject Alternative Names are allowed. Any valid IP is accepted.",
"code_signing_flag" : "If set, certificates are flagged for code signing use. Defaults to false.",
"policy_identifiers" : [ "string" ],
"allow_glob_domains" : "If set, domains specified in \"allowed_domains\" can include glob patterns, e.g. \"ftp*.example.com\". See the documentation for more information.",
"organization" : [ "string" ],
"use_csr_common_name" : "If set, when used with a signing profile, the common name in the CSR will be used. This does *not* include any requested Subject Alternative Names. Defaults to true.",
"ext_key_usage" : [ "string" ],
"postal_code" : [ "string" ],
"ext_key_usage_oids" : [ "string" ],
"client_flag" : "If set, certificates are flagged for client auth use. Defaults to true."
}
postPkiRootGenerateExported
Generate a new CA certificate and private key used for signing.
Parameters
exported (required)
Must be "internal" or "exported". If set to "exported", the generated private key will be returned. This is your only chance to retrieve the private key!
Type: string
$body
Type: object
{
"other_sans" : [ "string" ],
"country" : [ "string" ],
"street_address" : [ "string" ],
"key_type" : "The type of key to use; defaults to RSA. \"rsa\" and \"ec\" are the only valid values.",
"ou" : [ "string" ],
"format" : "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".",
"locality" : [ "string" ],
"private_key_format" : "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".",
"alt_names" : "The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses.",
"serial_number" : "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.",
"exclude_cn_from_sans" : "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).",
"uri_sans" : [ "string" ],
"max_path_length" : "The maximum allowable path length",
"ttl" : "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.",
"key_bits" : "The number of bits to use. You will almost certainly want to change this if you adjust the key_type.",
"permitted_dns_domains" : [ "string" ],
"province" : [ "string" ],
"ip_sans" : [ "string" ],
"organization" : [ "string" ],
"common_name" : "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans.",
"postal_code" : [ "string" ]
}
postPkiRootSignIntermediate
Issue an intermediate CA certificate based on the provided CSR.
Parameters
$body
Type: object
{
"other_sans" : [ "string" ],
"country" : [ "string" ],
"street_address" : [ "string" ],
"csr" : "PEM-format CSR to be signed.",
"ou" : [ "string" ],
"format" : "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".",
"locality" : [ "string" ],
"private_key_format" : "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".",
"alt_names" : "The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses.",
"serial_number" : "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.",
"exclude_cn_from_sans" : "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).",
"uri_sans" : [ "string" ],
"max_path_length" : "The maximum allowable path length",
"ttl" : "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.",
"permitted_dns_domains" : [ "string" ],
"province" : [ "string" ],
"ip_sans" : [ "string" ],
"organization" : [ "string" ],
"use_csr_values" : "If true, then: 1) Subject information, including names and alternate names, will be preserved from the CSR rather than using values provided in the other parameters to this path; 2) Any key usages requested in the CSR will be added to the basic set of key usages used for CA certs signed by this path; for instance, the non-repudiation flag.",
"common_name" : "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans.",
"postal_code" : [ "string" ]
}
postPkiRootSignSelfIssued
Signs another CA's self-issued certificate.
Parameters
$body
Type: object
{
"certificate" : "PEM-format self-issued certificate to be signed."
}
postPkiSignRole
Request certificates using a certain role with the provided details.
Parameters
role (required)
The desired role with configuration for this request
Type: string
$body
Type: object
{
"other_sans" : [ "string" ],
"csr" : "PEM-format CSR to be signed.",
"ip_sans" : [ "string" ],
"format" : "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".",
"private_key_format" : "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".",
"alt_names" : "The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.",
"serial_number" : "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.",
"exclude_cn_from_sans" : "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).",
"uri_sans" : [ "string" ],
"common_name" : "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address.",
"ttl" : "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL."
}
postPkiSignVerbatim
Request certificates using a certain role with the provided details.
Parameters
$body
Type: object
{
"other_sans" : [ "string" ],
"csr" : "PEM-format CSR to be signed. Values will be taken verbatim from the CSR, except for basic constraints.",
"role" : "The desired role with configuration for this request",
"key_usage" : [ "string" ],
"format" : "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".",
"private_key_format" : "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".",
"alt_names" : "The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.",
"serial_number" : "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.",
"exclude_cn_from_sans" : "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).",
"uri_sans" : [ "string" ],
"ttl" : "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL.",
"ip_sans" : [ "string" ],
"common_name" : "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address.",
"ext_key_usage" : [ "string" ],
"ext_key_usage_oids" : [ "string" ]
}
postPkiSignVerbatimRole
Request certificates using a certain role with the provided details.
Parameters
role (required)
The desired role with configuration for this request
Type: string
$body
Type: object
{
"other_sans" : [ "string" ],
"csr" : "PEM-format CSR to be signed. Values will be taken verbatim from the CSR, except for basic constraints.",
"key_usage" : [ "string" ],
"format" : "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".",
"private_key_format" : "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".",
"alt_names" : "The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.",
"serial_number" : "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.",
"exclude_cn_from_sans" : "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).",
"uri_sans" : [ "string" ],
"ttl" : "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL.",
"ip_sans" : [ "string" ],
"common_name" : "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address.",
"ext_key_usage" : [ "string" ],
"ext_key_usage_oids" : [ "string" ]
}
postPkiTidy
Tidy up the backend by removing expired certificates, revocation information, or both.
Parameters
$body
Type: object
{
"tidy_revocation_list" : "Deprecated; synonym for 'tidy_revoked_certs'",
"tidy_cert_store" : "Set to true to enable tidying up the certificate store",
"tidy_revoked_certs" : "Set to true to expire all revoked and expired certificates, removing them both from the CRL and from storage. The CRL will be rotated if this causes any values to be removed.",
"safety_buffer" : "The amount of extra time that must have passed beyond certificate expiration before it is removed from the backend storage and/or revocation list. Defaults to 72 hours."
}
postRabbitmqConfigConnection
Configure the connection URI, username, and password to talk to RabbitMQ management HTTP API.
Parameters
$body
Type: object
{
"verify_connection" : "If set, connection_uri is verified by actually connecting to the RabbitMQ management API",
"connection_uri" : "RabbitMQ Management URI",
"password" : "Password of the provided RabbitMQ management user",
"username" : "Username of a RabbitMQ management administrator"
}
postRabbitmqConfigLease
Configure the lease parameters for generated credentials
Parameters
$body
Type: object
{
"max_ttl" : "Duration after which the issued credentials should not be allowed to be renewed",
"ttl" : "Duration before which the issued credentials need renewal"
}
postRabbitmqRolesName
Manage the roles that can be created with this backend.
Parameters
name (required)
Name of the role.
Type: string
$body
Type: object
{
"vhosts" : "A map of virtual hosts to permissions.",
"vhost_topics" : "A nested map of virtual hosts and exchanges to topic permissions.",
"tags" : "Comma-separated list of tags for this role."
}
postSecretConfig
Configure backend level settings that are applied to every key in the key-value store.
Parameters
$body
Type: object
{
"cas_required" : "If true, the backend will require the cas parameter to be set for each write",
"delete_version_after" : "If set, the length of time before a version is deleted. A negative duration disables the use of delete_version_after on all keys. A zero duration clears the current setting. Accepts a Go duration format string.",
"max_versions" : "The number of versions to keep for each key. Defaults to 10"
}
postSecretDataPath
Write, Read, and Delete data in the Key-Value Store.
Parameters
path (required)
Location of the secret.
Type: string
$body
Type: object
{
"data" : { },
"options" : { },
"version" : "If provided during a read, the value at the version number will be returned"
}
postSecretDeletePath
Marks one or more versions as deleted in the KV store.
Parameters
path (required)
Location of the secret.
Type: string
$body
Type: object
{
"versions" : [ "integer" ]
}
postSecretDestroyPath
Permanently removes one or more versions in the KV store
Parameters
path (required)
Location of the secret.
Type: string
$body
Type: object
{
"versions" : [ "integer" ]
}
postSecretMetadataPath
Configures settings for the KV store
Parameters
path (required)
Location of the secret.
Type: string
$body
Type: object
{
"cas_required" : "If true the key will require the cas parameter to be set on all write requests. If false, the backend's configuration will be used.",
"delete_version_after" : "The length of time before a version is deleted. If not set, the backend's configured delete_version_after is used. Cannot be greater than the backend's delete_version_after. A zero duration clears the current setting. A negative duration will cause an error.",
"max_versions" : "The number of versions to keep. If not set, the backend's configured max version is used."
}
postSecretUndeletePath
Undeletes one or more versions from the KV store.
Parameters
path (required)
Location of the secret.
Type: string
$body
Type: object
{
"versions" : [ "integer" ]
}
postSshConfigCa
Set the SSH private key used for signing certificates.
Parameters
$body
Type: object
{
"public_key" : "Public half of the SSH key that will be used to sign certificates.",
"private_key" : "Private half of the SSH key that will be used to sign certificates.",
"generate_signing_key" : "Generate SSH key pair internally rather than use the private_key and public_key fields."
}
postSshConfigZeroaddress
Assign zero address as default CIDR block for select roles.
Parameters
$body
Type: object
{
"roles" : [ "string" ]
}
postSshCredsRole
Creates a credential for establishing an SSH connection with the remote host.
Parameters
role (required)
[Required] Name of the role
Type: string
$body
Type: object
{
"ip" : "[Required] IP of the remote host",
"username" : "[Optional] Username on the remote host"
}
postSshKeysKey_name
Register a shared private key with Vault.
Parameters
key_name (required)
[Required] Name of the key
Type: string
$body
Type: object
{
"key" : "[Required] SSH private key with super user privileges on the host"
}
postSshLookup
List all the roles associated with the given IP address.
Parameters
$body
Type: object
{
"ip" : "[Required] IP address of remote host"
}
postSshRolesRole
Manage the 'roles' that can be created with this backend.
Parameters
role (required)
[Required for all types] Name of the role being created.
Type: string
$body
Type: object
{
"allow_subdomains" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] If set, host certificates that are requested are allowed to use subdomains of those listed in \"allowed_domains\".",
"allow_host_certificates" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] If set, certificates are allowed to be signed for use as a 'host'.",
"allowed_domains" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] If this option is not specified, clients can request a signed certificate for any valid host. If only certain domains are allowed, then this list enforces it.",
"key_type" : "[Required for all types] Type of key used to log in to hosts. It can be either 'otp', 'dynamic' or 'ca'. The 'otp' type requires an agent to be installed on the remote hosts.",
"max_ttl" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] The maximum allowed lease duration",
"default_critical_options" : { },
"allow_bare_domains" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] If set, host certificates that are requested are allowed to use the base domains listed in \"allowed_domains\", e.g. \"example.com\". This is a separate option as in some cases this can be considered a security threat.",
"install_script" : "[Optional for Dynamic type] [Not applicable for OTP type] [Not applicable for CA type] Script used to install and uninstall public keys in the target machine. The inbuilt default install script is for Linux hosts. For a sample script, refer to the project documentation website.",
"allowed_extensions" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] A comma-separated list of extensions that certificates can have when signed. To allow any extensions, set this to an empty string.",
"allowed_user_key_lengths" : { },
"key" : "[Required for Dynamic type] [Not applicable for OTP type] [Not applicable for CA type] Name of the registered key in Vault. Before creating the role, use the 'keys/' endpoint to create a named key.",
"allow_user_certificates" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] If set, certificates are allowed to be signed for use as a 'user'.",
"exclude_cidr_list" : "[Optional for Dynamic type] [Optional for OTP type] [Not applicable for CA type] Comma separated list of CIDR blocks. IP addresses belonging to these blocks are not accepted by the role. This is particularly useful when big CIDR blocks are being used by the role and certain parts of them need to be kept out.",
"ttl" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] The lease duration if no specific lease duration is requested. The lease duration controls the expiration of certificates issued by this backend. Defaults to the value of max_ttl.",
"allowed_critical_options" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] A comma-separated list of critical options that certificates can have when signed. To allow any critical options, set this to an empty string.",
"key_bits" : "[Optional for Dynamic type] [Not applicable for OTP type] [Not applicable for CA type] Length of the RSA dynamic key in bits. It is 1024 by default or it can be 2048.",
"key_id_format" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] When supplied, this value specifies a custom format for the key id of a signed certificate. The following variables are available for use: '{{token_display_name}}' - The display name of the token used to make the request. '{{role_name}}' - The name of the role signing the request. '{{public_key_hash}}' - A SHA256 checksum of the public key that is being signed.",
"key_option_specs" : "[Optional for Dynamic type] [Not applicable for OTP type] [Not applicable for CA type] Comma separated option specifications which will be prefixed to RSA key in authorized_keys file. Options should be valid and comply with authorized_keys file format and should not contain spaces.",
"allowed_users" : "[Optional for all types] [Works differently for CA type] If this option is not specified, or is '*', client can request a credential for any valid user at the remote host, including the admin user. If only certain usernames are to be allowed, then this list enforces it. If this field is set, then credentials can only be created for default_user and usernames present in this list. Setting this option will enable all the users with access to this role to fetch credentials for all other usernames in this list. Use with caution. N.B.: with the CA type, an empty list means that no users are allowed; explicitly specify '*' to allow any user.",
"allow_user_key_ids" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] If true, users can override the key ID for a signed certificate with the \"key_id\" field. When false, the key ID will always be the token display name. The key ID is logged by the SSH server and can be useful for auditing.",
"port" : "[Optional for Dynamic type] [Optional for OTP type] [Not applicable for CA type] Port number for SSH connection. Default is '22'. Port number does not play any role in creation of OTP. For 'otp' type, this is just a way to inform client about the port number to use. Port number will be returned to client by Vault server along with OTP.",
"default_user" : "[Required for Dynamic type] [Required for OTP type] [Optional for CA type] Default username for which a credential will be generated. When the endpoint 'creds/' is used without a username, this value will be used as default username.",
"default_extensions" : { },
"cidr_list" : "[Optional for Dynamic type] [Optional for OTP type] [Not applicable for CA type] Comma separated list of CIDR blocks to which the role applies. CIDR blocks can belong to more than one role.",
"admin_user" : "[Required for Dynamic type] [Not applicable for OTP type] [Not applicable for CA type] Admin user at remote host. The shared key being registered should be for this user and should have root privileges. Every time a dynamic credential is being generated for other users, Vault uses this admin username to log in to the remote host and install the generated credential for the other user."
}
postSshSignRole
Request signing an SSH key using a certain role with the provided details.
Parameters
role (required)
The desired role with configuration for this request.
Type: string
$body
Type: object
{
"public_key" : "SSH public key that should be signed.",
"cert_type" : "Type of certificate to be created; either \"user\" or \"host\".",
"extensions" : { },
"critical_options" : { },
"key_id" : "Key id that the created certificate should have. If not specified, the display name of the token will be used.",
"valid_principals" : "Valid principals, either usernames or hostnames, that the certificate should be signed for.",
"ttl" : "The requested Time To Live for the SSH certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be later than the role max TTL."
}
postSshVerify
Validate the OTP provided by Vault SSH Agent.
Parameters
$body
Type: object
{
"otp" : "[Required] One-Time-Key that needs to be validated"
}
postSysAuditHashPath
The hash of the given string via the given audit backend
Parameters
path (required)
The name of the backend. Cannot be delimited. Example: "mysql"
Type: string
$body
Type: object
{
"input" : "string"
}
postSysAuditPath
Enable a new audit device at the supplied path.
Parameters
path (required)
The name of the backend. Cannot be delimited. Example: "mysql"
Type: string
$body
Type: object
{
"options" : { },
"description" : "User-friendly description for this audit backend.",
"type" : "The type of the backend. Example: \"mysql\"",
"local" : "Mark the mount as a local mount, which is not replicated and is unaffected by replication."
}
postSysAuthPath
After enabling, the auth method can be accessed and configured via the auth path specified as part of the URL. This auth path will be nested under the auth prefix.
For example, enabling the "foo" auth method will make it accessible at /auth/foo.
Parameters
path (required)
The path to mount to. Cannot be delimited. Example: "user"
Type: string
$body
Type: object
{
"seal_wrap" : "Whether to turn on seal wrapping for the mount.",
"options" : { },
"description" : "User-friendly description for this credential backend.",
"external_entropy_access" : "Whether to give the mount access to Vault's external entropy.",
"plugin_name" : "Name of the auth plugin to use based from the name in the plugin catalog.",
"type" : "The type of the backend. Example: \"userpass\"",
"config" : { },
"local" : "Mark the mount as a local mount, which is not replicated and is unaffected by replication."
}
postSysAuthPathTune
This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via sys/mounts/auth/[auth-path]/tune.
Parameters
path (required)
Tune the configuration parameters for an auth path.
Type: string
$body
Type: object
{
"listing_visibility" : "Determines the visibility of the mount in the UI-specific listing endpoint. Accepted values are 'unauth' and ''.",
"audit_non_hmac_request_keys" : [ "string" ],
"max_lease_ttl" : "The max lease TTL for this mount.",
"passthrough_request_headers" : [ "string" ],
"default_lease_ttl" : "The default lease TTL for this mount.",
"options" : { },
"description" : "User-friendly description for this credential backend.",
"allowed_response_headers" : [ "string" ],
"token_type" : "The type of token to issue (service or batch).",
"audit_non_hmac_response_keys" : [ "string" ]
}
postSysCapabilities
Fetches the capabilities of the given token on the given path.
Parameters
$body
Type: object
{
"path" : [ "string" ],
"paths" : [ "string" ],
"token" : "Token for which capabilities are being queried."
}
postSysCapabilitiesAccessor
Fetches the capabilities of the token associated with the given accessor, on the given path.
Parameters
$body
Type: object
{
"path" : [ "string" ],
"paths" : [ "string" ],
"accessor" : "Accessor of the token for which capabilities are being queried."
}
postSysCapabilitiesSelf
Fetches the capabilities of the given token on the given path.
Parameters
$body
Type: object
{
"path" : [ "string" ],
"paths" : [ "string" ],
"token" : "Token for which capabilities are being queried."
}
postSysConfigAuditingRequestHeadersHeader
Enable auditing of a header.
Parameters
header (required)
Type: string
$body
Type: object
{
"hmac" : "boolean"
}
postSysConfigCors
Configure the CORS settings.
Parameters
$body
Type: object
{
"allowed_headers" : [ "string" ],
"enable" : "Enables or disables CORS headers on requests.",
"allowed_origins" : [ "string" ]
}
postSysConfigUiHeadersHeader
Configure the values to be returned for the UI header.
Parameters
header (required)
The name of the header.
Type: string
$body
Type: object
{
"values" : [ "string" ]
}
postSysGenerateRoot
Only a single root generation attempt can take place at a time. One (and only one) of otp or pgp_key is required.
Parameters
$body
Type: object
{
"pgp_key" : "Specifies a base64-encoded PGP public key."
}
postSysGenerateRootAttempt
Only a single root generation attempt can take place at a time. One (and only one) of otp or pgp_key is required.
Parameters
$body
Type: object
{
"pgp_key" : "Specifies a base64-encoded PGP public key."
}
postSysGenerateRootUpdate
If the threshold number of master key shares is reached, Vault will complete the root generation and issue the new token. Otherwise, this API must be called multiple times until that threshold is met. The attempt nonce must be provided with each call.
Parameters
$body
Type: object
{
"nonce" : "Specifies the nonce of the attempt.",
"key" : "Specifies a single master key share."
}
postSysInit
The Vault must not have been previously initialized. The recovery options, as well as the stored shares option, are only available when using Vault HSM.
Parameters
$body
Type: object
{
"recovery_pgp_keys" : [ "string" ],
"stored_shares" : "Specifies the number of shares that should be encrypted by the HSM and stored for auto-unsealing. Currently must be the same as `secret_shares`.",
"secret_threshold" : "Specifies the number of shares required to reconstruct the master key. This must be less than or equal to `secret_shares`. If using Vault HSM with auto-unsealing, this value must be the same as `secret_shares`.",
"recovery_shares" : "Specifies the number of shares to split the recovery key into.",
"secret_shares" : "Specifies the number of shares to split the master key into.",
"pgp_keys" : [ "string" ],
"recovery_threshold" : "Specifies the number of shares required to reconstruct the recovery key. This must be less than or equal to `recovery_shares`.",
"root_token_pgp_key" : "Specifies a PGP public key used to encrypt the initial root token. The key must be base64-encoded from its original binary representation."
}
postSysLeasesLookup
Retrieve lease metadata.
Parameters
$body
Type: object
{
"lease_id" : "The lease identifier to renew. This is included with a lease."
}
postSysLeasesRenew
Renews a lease, requesting to extend the lease.
Parameters
$body
Type: object
{
"url_lease_id" : "The lease identifier to renew. This is included with a lease.",
"increment" : "The desired increment in seconds to the lease",
"lease_id" : "The lease identifier to renew. This is included with a lease."
}
postSysLeasesRenewUrl_lease_id
Renews a lease, requesting to extend the lease.
Parameters
url_lease_id (required)
The lease identifier to renew. This is included with a lease.
Type: string
$body
Type: object
{
"increment" : "The desired increment in seconds to the lease",
"lease_id" : "The lease identifier to renew. This is included with a lease."
}
postSysLeasesRevoke
Revokes a lease immediately.
Parameters
$body
Type: object
{
"url_lease_id" : "The lease identifier to renew. This is included with a lease.",
"sync" : "Whether or not to perform the revocation synchronously",
"lease_id" : "The lease identifier to renew. This is included with a lease."
}
postSysLeasesRevokeForcePrefix
Unlike /sys/leases/revoke-prefix, this path ignores backend errors encountered during revocation. This is potentially very dangerous and should only be used in specific emergency situations where errors in the backend or the connected backend service prevent normal revocation.
By ignoring these errors, Vault abdicates responsibility for ensuring that the issued credentials or secrets are properly revoked and/or cleaned up. Access to this endpoint should be tightly controlled.
Parameters
prefix (required)
The path to revoke keys under. Example: "prod/aws/ops"
Type: string
postSysLeasesRevokePrefixPrefix
Revokes all secrets (via a lease ID prefix) or tokens (via the tokens' path property) generated under a given prefix immediately.
Parameters
prefix (required)
The path to revoke keys under. Example: "prod/aws/ops"
Type: string
$body
Type: object
{
"sync" : "Whether or not to perform the revocation synchronously"
}
postSysLeasesRevokeUrl_lease_id
Revokes a lease immediately.
Parameters
url_lease_id (required)
The lease identifier to renew. This is included with a lease.
Type: string
$body
Type: object
{
"sync" : "Whether or not to perform the revocation synchronously",
"lease_id" : "The lease identifier to renew. This is included with a lease."
}
postSysLeasesTidy
This endpoint performs cleanup tasks that can be run if certain error conditions have occurred.
This operation has no parameters
postSysMountsPath
Enable a new secrets engine at the given path.
Parameters
path (required)
The path to mount to. Example: "aws/east"
Type: string
$body
Type: object
{
"seal_wrap" : "Whether to turn on seal wrapping for the mount.",
"options" : { },
"description" : "User-friendly description for this mount.",
"external_entropy_access" : "Whether to give the mount access to Vault's external entropy.",
"plugin_name" : "Name of the plugin to mount based from the name registered in the plugin catalog.",
"type" : "The type of the backend. Example: \"passthrough\"",
"config" : { },
"local" : "Mark the mount as a local mount, which is not replicated and is unaffected by replication."
}
postSysMountsPathTune
Tune backend configuration parameters for this mount.
Parameters
path (required)
The path to mount to. Example: "aws/east"
Type: string
$body
Type: object
{
"listing_visibility" : "Determines the visibility of the mount in the UI-specific listing endpoint. Accepted values are 'unauth' and ''.",
"audit_non_hmac_request_keys" : [ "string" ],
"max_lease_ttl" : "The max lease TTL for this mount.",
"passthrough_request_headers" : [ "string" ],
"default_lease_ttl" : "The default lease TTL for this mount.",
"options" : { },
"description" : "User-friendly description for this credential backend.",
"allowed_response_headers" : [ "string" ],
"token_type" : "The type of token to issue (service or batch).",
"audit_non_hmac_response_keys" : [ "string" ]
}
postSysPluginsCatalogName
Register a new plugin, or update an existing one with the supplied name.
Parameters
name (required)
The name of the plugin
Type: string
$body
Type: object
{
"args" : [ "string" ],
"sha256" : "The SHA256 sum of the executable used in the command field. This should be HEX encoded.",
"sha_256" : "The SHA256 sum of the executable used in the command field. This should be HEX encoded.",
"env" : [ "string" ],
"type" : "The type of the plugin, may be auth, secret, or database",
"command" : "The command used to start the plugin. The executable defined in this command must exist in vault's plugin directory."
}
postSysPluginsCatalogTypeName
Register a new plugin, or update an existing one with the supplied name.
Parameters
name (required)
The name of the plugin
Type: string
type (required)
The type of the plugin, may be auth, secret, or database
Type: string
$body
Type: object
{
"args" : [ "string" ],
"sha256" : "The SHA256 sum of the executable used in the command field. This should be HEX encoded.",
"sha_256" : "The SHA256 sum of the executable used in the command field. This should be HEX encoded.",
"env" : [ "string" ],
"command" : "The command used to start the plugin. The executable defined in this command must exist in vault's plugin directory."
}
postSysPluginsReloadBackend
Either the plugin name (plugin) or the desired plugin backend mounts (mounts) must be provided, but not both. In the case that the plugin name is provided, all mounted paths that use that plugin backend will be reloaded.
Parameters
$body
Type: object
{
"plugin" : "The name of the plugin to reload, as registered in the plugin catalog.",
"mounts" : [ "string" ]
}
postSysPoliciesAclName
Add a new or update an existing ACL policy.
Parameters
name (required)
The name of the policy. Example: "ops"
Type: string
$body
Type: object
{
"policy" : "The rules of the policy."
}
postSysPolicyName
Add a new or update an existing policy.
Parameters
name (required)
The name of the policy. Example: "ops"
Type: string
$body
Type: object
{
"rules" : "The rules of the policy.",
"policy" : "The rules of the policy."
}
postSysRaw
Update the value of the key at the given path.
Parameters
$body
Type: object
{
"path" : "string",
"value" : "string"
}
postSysRawPath
Update the value of the key at the given path.
Parameters
path (required)
Type: string
$body
Type: object
{
"value" : "string"
}
postSysRekeyInit
Only a single rekey attempt can take place at a time, and changing the parameters of a rekey requires canceling and starting a new rekey, which will also provide a new nonce.
Parameters
$body
Type: object
{
"backup" : "Specifies if using PGP-encrypted keys, whether Vault should also store a plaintext backup of the PGP-encrypted keys.",
"secret_threshold" : "Specifies the number of shares required to reconstruct the master key. This must be less than or equal to secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as secret_shares.",
"require_verification" : "Turns on verification functionality",
"secret_shares" : "Specifies the number of shares to split the master key into.",
"pgp_keys" : [ "string" ]
}
postSysRekeyUpdate
Enter a single master key share to progress the rekey of the Vault.
Parameters
$body
Type: object
{
"nonce" : "Specifies the nonce of the rekey attempt.",
"key" : "Specifies a single master key share."
}
postSysRekeyVerify
Enter a single new key share to progress the rekey verification operation.
Parameters
$body
Type: object
{
"nonce" : "Specifies the nonce of the rekey verification operation.",
"key" : "Specifies a single master key share from the new set of shares."
}
postSysRemount
Move the mount point of an already-mounted backend.
Parameters
$body
Type: object
{
"from" : "The previous mount point.",
"to" : "The new mount point."
}
postSysRenew
Renews a lease, requesting to extend the lease.
Parameters
$body
Type: object
{
"url_lease_id" : "The lease identifier to renew. This is included with a lease.",
"increment" : "The desired increment in seconds to the lease",
"lease_id" : "The lease identifier to renew. This is included with a lease."
}
postSysRenewUrl_lease_id
Renews a lease, requesting to extend the lease.
Parameters
url_lease_id (required)
The lease identifier to renew. This is included with a lease.
Type: string
$body
Type: object
{
"increment" : "The desired increment in seconds to the lease",
"lease_id" : "The lease identifier to renew. This is included with a lease."
}
postSysRevoke
Revokes a lease immediately.
Parameters
$body
Type: object
{
"url_lease_id" : "The lease identifier to renew. This is included with a lease.",
"sync" : "Whether or not to perform the revocation synchronously",
"lease_id" : "The lease identifier to renew. This is included with a lease."
}
postSysRevokeForcePrefix
Unlike /sys/leases/revoke-prefix, this path ignores backend errors encountered during revocation. This is potentially very dangerous and should only be used in specific emergency situations where errors in the backend or the connected backend service prevent normal revocation.
By ignoring these errors, Vault abdicates responsibility for ensuring that the issued credentials or secrets are properly revoked and/or cleaned up. Access to this endpoint should be tightly controlled.
Parameters
prefix (required)
The path to revoke keys under. Example: "prod/aws/ops"
Type: string
postSysRevokePrefixPrefix
Revokes all secrets (via a lease ID prefix) or tokens (via the tokens' path property) generated under a given prefix immediately.
Parameters
prefix (required)
The path to revoke keys under. Example: "prod/aws/ops"
Type: string
$body
Type: object
{
"sync" : "Whether or not to perform the revocation synchronously"
}
postSysRevokeUrl_lease_id
Revokes a lease immediately.
Parameters
url_lease_id (required)
The lease identifier to renew. This is included with a lease.
Type: string
$body
Type: object
{
"sync" : "Whether or not to perform the revocation synchronously",
"lease_id" : "The lease identifier to renew. This is included with a lease."
}
postSysRotate
Rotates the backend encryption key used to persist data.
This operation has no parameters
postSysSeal
Seal the Vault.
This operation has no parameters
postSysStepDown
This endpoint forces the node to give up active status. If the node does not have active status, this endpoint does nothing. Note that the node will sleep for ten seconds before attempting to grab the active lock again, but if no standby nodes grab the active lock in the interim, the same node may become the active node again.
This operation has no parameters
postSysToolsHash
Generate a hash sum for input data
Parameters
$body
Type: object
{
"input" : "The base64-encoded input data",
"urlalgorithm" : "Algorithm to use (POST URL parameter)",
"format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"hex\".",
"algorithm" : "Algorithm to use (POST body parameter). Valid values are: sha2-224, sha2-256, sha2-384, sha2-512. Defaults to \"sha2-256\"."
}
postSysToolsHashUrlalgorithm
Generate a hash sum for input data
Parameters
urlalgorithm (required)
Algorithm to use (POST URL parameter)
Type: string
$body
Type: object
{
"input" : "The base64-encoded input data",
"format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"hex\".",
"algorithm" : "Algorithm to use (POST body parameter). Valid values are: sha2-224, sha2-256, sha2-384, sha2-512. Defaults to \"sha2-256\"."
}
postSysToolsRandom
Generate random bytes
Parameters
$body
Type: object
{
"urlbytes" : "The number of bytes to generate (POST URL parameter)",
"bytes" : "The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).",
"format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"base64\"."
}
postSysToolsRandomUrlbytes
Generate random bytes
Parameters
urlbytes (required)
The number of bytes to generate (POST URL parameter)
Type: string
$body
Type: object
{
"bytes" : "The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).",
"format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"base64\"."
}
postSysUnseal
Unseal the Vault.
Parameters
$body
Type: object
{
"reset" : "Specifies if previously-provided unseal keys are discarded and the unseal process is reset.",
"key" : "Specifies a single master key share. This is required unless reset is true."
}
postSysWrappingLookup
Look up wrapping properties for the given token.
Parameters
$body
Type: object
{
"token" : "string"
}
postSysWrappingRewrap
Rotates a response-wrapped token.
Parameters
$body
Type: object
{
"token" : "string"
}
postSysWrappingUnwrap
Unwraps a response-wrapped token.
Parameters
$body
Type: object
{
"token" : "string"
}
postSysWrappingWrap
Response-wraps an arbitrary JSON object.
This operation has no parameters
postTotpCodeName
Request a time-based one-time password or validate a password for a certain key.
Parameters
name (required)
Name of the key.
Type: string
$body
Type: object
{
"code" : "TOTP code to be validated."
}
postTotpKeysName
Manage the keys that can be created with this backend.
Parameters
name (required)
Name of the key.
Type: string
$body
Type: object
{
"exported" : "Determines if a QR code and url are returned upon generating a key. Only used if generate is true.",
"period" : "The length of time used to generate a counter for the TOTP token calculation.",
"qr_size" : "The pixel size of the generated square QR code. Only used if generate is true and exported is true. If this value is 0, a QR code will not be returned.",
"account_name" : "The name of the account associated with the key. Required if generate is true.",
"digits" : "The number of digits in the generated TOTP token. This value can either be 6 or 8.",
"generate" : "Determines if a key should be generated by Vault or if a key is being passed from another service.",
"issuer" : "The name of the key's issuing organization. Required if generate is true.",
"key" : "The shared master key used to generate a TOTP token. Only used if generate is false.",
"url" : "A TOTP url string containing all of the parameters for key setup. Only used if generate is false.",
"algorithm" : "The hashing algorithm used to generate the TOTP token. Options include SHA1, SHA256 and SHA512.",
"key_size" : "Determines the size in bytes of the generated key. Only used if generate is true.",
"skew" : "The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. Only used if generate is true."
}
postTransitCacheConfig
Configures a new cache of the specified size
Parameters
$body
Type: object
{
"size" : "Size of cache, use 0 for an unlimited cache size, defaults to 0"
}
postTransitDatakeyPlaintextName
Generate a data key
Parameters
name (required)
The backend key used for encrypting the data key
Type: string
plaintext (required)
"plaintext" will return the key in both plaintext and ciphertext; "wrapped" will return the ciphertext only.
Type: string
$body
Type: object
{
"key_version" : "The version of the Vault key to use for encryption of the data key. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.",
"bits" : "Number of bits for the key; currently 128, 256, and 512 bits are supported. Defaults to 256.",
"context" : "Context for key derivation. Required for derived keys.",
"nonce" : "Nonce for when convergent encryption v1 is used (only in Vault 0.6.1)"
}
postTransitDecryptName
Decrypt a ciphertext value using a named key
Parameters
name (required)
Name of the policy
Type: string
$body
Type: object
{
"ciphertext" : "The ciphertext to decrypt, provided as returned by encrypt.",
"context" : "Base64 encoded context for key derivation. Required if key derivation is enabled.",
"nonce" : "Base64 encoded nonce value used during encryption. Must be provided if convergent encryption is enabled for this key and the key was generated with Vault 0.6.1. Not required for keys created in 0.6.2+."
}
postTransitEncryptName
Encrypt a plaintext value or a batch of plaintext blocks using a named key
Parameters
name (required)
Name of the policy
Type: string
$body
Type: object
{
"convergent_encryption" : "This parameter will only be used when a key is expected to be created. Whether to support convergent encryption. This is only supported when using a key with key derivation enabled and will require all requests to carry both a context and 96-bit (12-byte) nonce. The given nonce will be used in place of a randomly generated nonce. As a result, when the same context and nonce are supplied, the same ciphertext is generated. It is *very important* when using this mode that you ensure that all nonces are unique for a given context. Failing to do so will severely impact the ciphertext's security.",
"key_version" : "The version of the key to use for encryption. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.",
"context" : "Base64 encoded context for key derivation. Required if key derivation is enabled",
"plaintext" : "Base64 encoded plaintext value to be encrypted",
"type" : "This parameter is required when encryption key is expected to be created. When performing an upsert operation, the type of key to create. Currently, \"aes128-gcm96\" (symmetric) and \"aes256-gcm96\" (symmetric) are the only types supported. Defaults to \"aes256-gcm96\".",
"nonce" : "Base64 encoded nonce value. Must be provided if convergent encryption is enabled for this key and the key was generated with Vault 0.6.1. Not required for keys created in 0.6.2+. The value must be exactly 96 bits (12 bytes) long and the user must ensure that for any given context (and thus, any given encryption key) this nonce value is **never reused**."
}
postTransitHash
Generate a hash sum for input data
Parameters
$body
Type: object
{
"input" : "The base64-encoded input data",
"urlalgorithm" : "Algorithm to use (POST URL parameter)",
"format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"hex\".",
"algorithm" : "Algorithm to use (POST body parameter). Valid values are: sha2-224, sha2-256, sha2-384, sha2-512. Defaults to \"sha2-256\"."
}
postTransitHashUrlalgorithm
Generate a hash sum for input data
Parameters
urlalgorithm (required)
Algorithm to use (POST URL parameter)
Type: string
$body
Type: object
{
"input" : "The base64-encoded input data",
"format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"hex\".",
"algorithm" : "Algorithm to use (POST body parameter). Valid values are: sha2-224, sha2-256, sha2-384, sha2-512. Defaults to \"sha2-256\"."
}
postTransitHmacName
Generate an HMAC for input data using the named key
Parameters
name (required)
The key to use for the HMAC function
Type: string
$body
Type: object
{
"input" : "The base64-encoded input data",
"urlalgorithm" : "Algorithm to use (POST URL parameter)",
"key_version" : "The version of the key to use for generating the HMAC. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.",
"algorithm" : "Algorithm to use (POST body parameter). Valid values are: sha2-224, sha2-256, sha2-384, sha2-512. Defaults to \"sha2-256\"."
}
postTransitHmacNameUrlalgorithm
Generate an HMAC for input data using the named key
Parameters
name (required)
The key to use for the HMAC function
Type: string
urlalgorithm (required)
Algorithm to use (POST URL parameter)
Type: string
$body
Type: object
{
"input" : "The base64-encoded input data",
"key_version" : "The version of the key to use for generating the HMAC. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.",
"algorithm" : "Algorithm to use (POST body parameter). Valid values are: sha2-224, sha2-256, sha2-384, sha2-512. Defaults to \"sha2-256\"."
}
postTransitKeysName
Manage named encryption keys
Parameters
name (required)
Name of the key
Type: string
$body
Type: object
{
"exportable" : "Enables keys to be exportable. This allows for all the valid keys in the key ring to be exported.",
"convergent_encryption" : "Whether to support convergent encryption. This is only supported when using a key with key derivation enabled and will require all requests to carry both a context and 96-bit (12-byte) nonce. The given nonce will be used in place of a randomly generated nonce. As a result, when the same context and nonce are supplied, the same ciphertext is generated. It is *very important* when using this mode that you ensure that all nonces are unique for a given context. Failing to do so will severely impact the ciphertext's security.",
"context" : "Base64 encoded context for key derivation. When reading a key with key derivation enabled, if the key type supports public keys, this will return the public key for the given context.",
"allow_plaintext_backup" : "Enables taking a backup of the named key in plaintext format. Once set, this cannot be disabled.",
"type" : "The type of key to create. Currently, \"aes128-gcm96\" (symmetric), \"aes256-gcm96\" (symmetric), \"ecdsa-p256\" (asymmetric), \"ecdsa-p384\" (asymmetric), \"ecdsa-p521\" (asymmetric), \"ed25519\" (asymmetric), \"rsa-2048\" (asymmetric), \"rsa-4096\" (asymmetric) are supported. Defaults to \"aes256-gcm96\".",
"derived" : "Enables key derivation mode. This allows for per-transaction unique keys for encryption operations."
}
postTransitKeysNameConfig
Configure a named encryption key
Parameters
name (required)
Name of the key
Type: string
$body
Type: object
{
"deletion_allowed" : "Whether to allow deletion of the key",
"exportable" : "Enables export of the key. Once set, this cannot be disabled.",
"allow_plaintext_backup" : "Enables taking a backup of the named key in plaintext format. Once set, this cannot be disabled.",
"min_decryption_version" : "If set, the minimum version of the key allowed to be decrypted. For signing keys, the minimum version allowed to be used for verification.",
"min_encryption_version" : "If set, the minimum version of the key allowed to be used for encryption; or for signing keys, to be used for signing. If set to zero, only the latest version of the key is allowed."
}
postTransitKeysNameRotate
Rotate named encryption key
Parameters
name (required)
Name of the key
Type: string
postTransitKeysNameTrim
Trim key versions of a named key
Parameters
name (required)
Name of the key
Type: string
$body
Type: object
{
"min_available_version" : "The minimum available version for the key ring. All versions before this version will be permanently deleted. This value can at most be equal to the lesser of 'min_decryption_version' and 'min_encryption_version'. This is not allowed to be set when either 'min_encryption_version' or 'min_decryption_version' is set to zero."
}
postTransitRandom
Generate random bytes
Parameters
$body
Type: object
{
"urlbytes" : "The number of bytes to generate (POST URL parameter)",
"bytes" : "The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).",
"format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"base64\"."
}
postTransitRandomUrlbytes
Generate random bytes
Parameters
urlbytes (required)
The number of bytes to generate (POST URL parameter)
Type: string
$body
Type: object
{
"bytes" : "The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).",
"format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"base64\"."
}
postTransitRestore
Restore the named key
Parameters
$body
Type: object
{
"backup" : "Backed up key data to be restored. This should be the output from the 'backup/' endpoint.",
"name" : "If set, this will be the name of the restored key.",
"force" : "If set and a key by the given name exists, force the restore operation and override the key."
}
postTransitRestoreName
Restore the named key
Parameters
name (required)
If set, this will be the name of the restored key.
Type: string
$body
Type: object
{
"backup" : "Backed up key data to be restored. This should be the output from the 'backup/' endpoint.",
"force" : "If set and a key by the given name exists, force the restore operation and override the key."
}
postTransitRewrapName
Rewrap ciphertext
Parameters
name (required)
Name of the key
Type: string
$body
Type: object
{
"ciphertext" : "Ciphertext value to rewrap",
"key_version" : "The version of the key to use for encryption. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.",
"context" : "Base64 encoded context for key derivation. Required for derived keys.",
"nonce" : "Nonce for when convergent encryption is used"
}
postTransitSignName
Generate a signature for input data using the named key
Parameters
name (required)
The key to use
Type: string
$body
Type: object
{
"prehashed" : "Set to 'true' when the input is already hashed. If the key type is 'rsa-2048' or 'rsa-4096', then the algorithm used to hash the input should be indicated by the 'algorithm' parameter.",
"input" : "The base64-encoded input data",
"urlalgorithm" : "Hash algorithm to use (POST URL parameter)",
"key_version" : "The version of the key to use for signing. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.",
"context" : "Base64 encoded context for key derivation. Required if key derivation is enabled; currently only available with ed25519 keys.",
"hash_algorithm" : "Hash algorithm to use (POST body parameter). Valid values are: sha1, sha2-224, sha2-256, sha2-384, sha2-512. Defaults to \"sha2-256\". Not valid for all key types, including ed25519.",
"signature_algorithm" : "The signature algorithm to use for signing. Currently only applies to RSA key types. Options are 'pss' or 'pkcs1v15'. Defaults to 'pss'",
"algorithm" : "Deprecated: use \"hash_algorithm\" instead.",
"marshaling_algorithm" : "The method by which to marshal the signature. The default is 'asn1' which is used by openssl and X.509. It can also be set to 'jws' which is used for JWT signatures; setting it to this will also cause the encoding of the signature to be url-safe base64 instead of using standard base64 encoding. Currently only valid for ECDSA P-256 key types."
}
postTransitSignNameUrlalgorithm
Generate a signature for input data using the named key
Parameters
name (required)
The key to use
Type: string
urlalgorithm (required)
Hash algorithm to use (POST URL parameter)
Type: string
$body
Type: object
{
"prehashed" : "Set to 'true' when the input is already hashed. If the key type is 'rsa-2048' or 'rsa-4096', then the algorithm used to hash the input should be indicated by the 'hash_algorithm' parameter (or its deprecated alias 'algorithm').",
"input" : "The base64-encoded input data",
"key_version" : "The version of the key to use for signing. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.",
"context" : "Base64-encoded context for key derivation. Required if key derivation is enabled; currently only available with ed25519 keys.",
"hash_algorithm" : "Hash algorithm to use (POST body parameter). Valid values are: sha1, sha2-224, sha2-256, sha2-384, sha2-512. Defaults to \"sha2-256\". Not valid for all key types (for example, ed25519).",
"signature_algorithm" : "The signature algorithm to use for signing. Currently only applies to RSA key types. Options are 'pss' or 'pkcs1v15'. Defaults to 'pss'.",
"algorithm" : "Deprecated: use \"hash_algorithm\" instead.",
"marshaling_algorithm" : "The method by which to marshal the signature. The default is 'asn1', which is used by OpenSSL and X.509. It can also be set to 'jws', which is used for JWT signatures; setting it to this will also cause the signature to be encoded as URL-safe base64 instead of standard base64. Currently only valid for ECDSA P-256 key types."
}
postTransitVerifyName
Verify a signature or HMAC for input data created using the named key
Parameters
name (required)
The key to use
Type: string
$body
Type: object
{
"prehashed" : "Set to 'true' when the input is already hashed. If the key type is 'rsa-2048' or 'rsa-4096', then the algorithm used to hash the input should be indicated by the 'hash_algorithm' parameter (or its deprecated alias 'algorithm').",
"input" : "The base64-encoded input data to verify",
"urlalgorithm" : "Hash algorithm to use (POST URL parameter)",
"signature" : "The signature, including the Vault header and key version",
"hmac" : "The HMAC, including the Vault header and key version",
"context" : "Base64-encoded context for key derivation. Required if key derivation is enabled; currently only available with ed25519 keys.",
"hash_algorithm" : "Hash algorithm to use (POST body parameter). Valid values are: sha1, sha2-224, sha2-256, sha2-384, sha2-512. Defaults to \"sha2-256\". Not valid for all key types.",
"signature_algorithm" : "The signature algorithm to use for signature verification. Currently only applies to RSA key types. Options are 'pss' or 'pkcs1v15'. Defaults to 'pss'.",
"algorithm" : "Deprecated: use \"hash_algorithm\" instead.",
"marshaling_algorithm" : "The method by which to unmarshal the signature when verifying. The default is 'asn1', which is used by OpenSSL and X.509; it can also be set to 'jws', which is used for JWT signatures, in which case the signature is also expected to be URL-safe base64 encoded instead of standard base64 encoded. Currently only valid for ECDSA P-256 key types."
}
postTransitVerifyNameUrlalgorithm
Verify a signature or HMAC for input data created using the named key
Parameters
name (required)
The key to use
Type: string
urlalgorithm (required)
Hash algorithm to use (POST URL parameter)
Type: string
$body
Type: object
{
"prehashed" : "Set to 'true' when the input is already hashed. If the key type is 'rsa-2048' or 'rsa-4096', then the algorithm used to hash the input should be indicated by the 'hash_algorithm' parameter (or its deprecated alias 'algorithm').",
"input" : "The base64-encoded input data to verify",
"signature" : "The signature, including the Vault header and key version",
"hmac" : "The HMAC, including the Vault header and key version",
"context" : "Base64-encoded context for key derivation. Required if key derivation is enabled; currently only available with ed25519 keys.",
"hash_algorithm" : "Hash algorithm to use (POST body parameter). Valid values are: sha1, sha2-224, sha2-256, sha2-384, sha2-512. Defaults to \"sha2-256\". Not valid for all key types.",
"signature_algorithm" : "The signature algorithm to use for signature verification. Currently only applies to RSA key types. Options are 'pss' or 'pkcs1v15'. Defaults to 'pss'.",
"algorithm" : "Deprecated: use \"hash_algorithm\" instead.",
"marshaling_algorithm" : "The method by which to unmarshal the signature when verifying. The default is 'asn1', which is used by OpenSSL and X.509; it can also be set to 'jws', which is used for JWT signatures, in which case the signature is also expected to be URL-safe base64 encoded instead of standard base64 encoded. Currently only valid for ECDSA P-256 key types."
}