Vault (version v1.*.*)

HTTP API that gives you full access to Vault. All API routes are prefixed with /v1/.

deleteAdConfig

Configure the AD server to connect to, along with password options.

This operation has no parameters

deleteAdLibraryName

Delete a library set.

Parameters

name (required)

Name of the set.

Type: string

deleteAdRolesName

Manage roles to build links between Vault and Active Directory service accounts.

Parameters

name (required)

Name of the role

Type: string

deleteAlicloudConfig

Configure the access key and secret to use for RAM and STS calls.

This operation has no parameters

deleteAlicloudRoleName

Read, write and reference policies and roles that API keys or STS credentials can be made for.

Parameters

name (required)

The name of the role.

Type: string

deleteAuthTokenRolesRole_name

Parameters

role_name (required)

Name of the role

Type: string

deleteAwsRolesName

Read, write and reference IAM policies that access keys can be made for.

Parameters

name (required)

Name of the policy

Type: string

deleteAzureConfig

Configure the Azure Secret backend.

This operation has no parameters

deleteAzureRolesName

Manage the Vault roles used to generate Azure credentials.

Parameters

name (required)

Name of the role.

Type: string

deleteConsulRolesName

Parameters

name (required)

Name of the role

Type: string

deleteCubbyholePath

Deletes the secret at the specified location.

Parameters

path (required)

Specifies the path of the secret.

Type: string

deleteDatabaseConfigName

Configure connection details to a database plugin.

Parameters

name (required)

Name of this database connection

Type: string

deleteDatabaseRolesName

Manage the roles that can be created with this backend.

Parameters

name (required)

Name of the role.

Type: string

deleteDatabaseStaticRolesName

Manage the static roles that can be created with this backend.

Parameters

name (required)

Name of the role.

Type: string

deleteGcpRolesetName

Parameters

name (required)

Required. Name of the role.

Type: string

deleteGcpkmsConfig

Configure the GCP KMS secrets engine

This operation has no parameters

deleteGcpkmsKeysDeregisterKey

Deregister an existing key in Vault

Parameters

key (required)

Name of the key to deregister in Vault. If the key exists in Google Cloud KMS, it will be left untouched.

Type: string

deleteGcpkmsKeysKey

Interact with crypto keys in Vault and Google Cloud KMS

Parameters

key (required)

Name of the key in Vault.

Type: string

deleteGcpkmsKeysTrimKey

Delete old crypto key versions from Google Cloud KMS

Parameters

key (required)

Name of the key in Vault.

Type: string

deleteIdentityAliasIdId

Update, read or delete an alias ID.

Parameters

id (required)

ID of the alias

Type: string

deleteIdentityEntityAliasIdId

Update, read or delete an alias ID.

Parameters

id (required)

ID of the alias

Type: string

deleteIdentityEntityIdId

Update, read or delete an entity using entity ID

Parameters

id (required)

ID of the entity. If set, updates the corresponding existing entity.

Type: string

deleteIdentityEntityNameName

Update, read or delete an entity using entity name

Parameters

name (required)

Name of the entity

Type: string

deleteIdentityGroupAliasIdId

Parameters

id (required)

ID of the group alias.

Type: string

deleteIdentityGroupIdId

Update or delete an existing group using its ID.

Parameters

id (required)

ID of the group. If set, updates the corresponding existing group.

Type: string

deleteIdentityGroupNameName

Parameters

name (required)

Name of the group.

Type: string

deleteIdentityOidcKeyName

CRUD operations for OIDC keys.

Parameters

name (required)

Name of the key

Type: string

deleteIdentityOidcRoleName

CRUD operations on OIDC Roles

Parameters

name (required)

Name of the role

Type: string

deleteIdentityPersonaIdId

Update, read or delete an alias ID.

Parameters

id (required)

ID of the persona

Type: string

deleteNomadConfigAccess

This operation has no parameters

deleteNomadConfigLease

Configure the lease parameters for generated tokens

This operation has no parameters

deleteNomadRoleName

Parameters

name (required)

Name of the role

Type: string

deletePkiRolesName

Manage the roles that can be created with this backend.

Parameters

name (required)

Name of the role

Type: string

deletePkiRoot

Deletes the root CA key to allow a new one to be generated.

This operation has no parameters

deleteRabbitmqRolesName

Manage the roles that can be created with this backend.

Parameters

name (required)

Name of the role.

Type: string

deleteSecretDataPath

Write, Read, and Delete data in the Key-Value Store.

Parameters

path (required)

Location of the secret.

Type: string

deleteSecretMetadataPath

Configures settings for the KV store

Parameters

path (required)

Location of the secret.

Type: string

deleteSshConfigCa

Set the SSH private key used for signing certificates.

This operation has no parameters

deleteSshConfigZeroaddress

Assign zero address as default CIDR block for select roles.

This operation has no parameters

deleteSshKeysKey_name

Register a shared private key with Vault.

Parameters

key_name (required)

[Required] Name of the key

Type: string

deleteSshRolesRole

Manage the 'roles' that can be created with this backend.

Parameters

role (required)

[Required for all types] Name of the role being created.

Type: string

deleteSysAuditPath

Disable the audit device at the given path.

Parameters

path (required)

The name of the backend. Cannot be delimited. Example: "mysql"

Type: string

deleteSysAuthPath

Disable the auth method at the given auth path

Parameters

path (required)

The path to mount to. Cannot be delimited. Example: "user"

Type: string

deleteSysConfigAuditingRequestHeadersHeader

Disable auditing of the given request header.

Parameters

header (required)

Type: string

deleteSysConfigCors

Remove any CORS settings.

This operation has no parameters

deleteSysConfigUiHeadersHeader

Remove a UI header.

Parameters

header (required)

The name of the header.

Type: string

deleteSysGenerateRoot

Cancels any in-progress root generation attempt.

This operation has no parameters

deleteSysGenerateRootAttempt

Cancels any in-progress root generation attempt.

This operation has no parameters

deleteSysMountsPath

Disable the mount point specified at the given path.

Parameters

path (required)

The path to mount to. Example: "aws/east"

Type: string

deleteSysPluginsCatalogName

Remove the plugin with the given name.

Parameters

name (required)

The name of the plugin

Type: string

deleteSysPluginsCatalogTypeName

Remove the plugin with the given name.

Parameters

name (required)

The name of the plugin

Type: string

type (required)

The type of the plugin, may be auth, secret, or database

Type: string

deleteSysPoliciesAclName

Delete the ACL policy with the given name.

Parameters

name (required)

The name of the policy. Example: "ops"

Type: string

deleteSysPolicyName

Delete the policy with the given name.

Parameters

name (required)

The name of the policy. Example: "ops"

Type: string

deleteSysRaw

Delete the key with the given path.

This operation has no parameters

deleteSysRawPath

Delete the key with the given path.

Parameters

path (required)

Type: string

deleteSysRekeyBackup

Delete the backup copy of PGP-encrypted unseal keys.

This operation has no parameters

deleteSysRekeyInit

This clears the rekey settings as well as any progress made. This must be called to change the parameters of the rekey. Note: verification is still a part of a rekey. If rekeying is canceled during the verification flow, the current unseal keys remain valid.

This operation has no parameters

deleteSysRekeyRecoveryKeyBackup

Allows fetching or deleting the backup of the rotated unseal keys.

This operation has no parameters

deleteSysRekeyVerify

This clears any progress made and resets the nonce. Unlike a DELETE against sys/rekey/init, this only resets the current verification operation, not the entire rekey attempt.

This operation has no parameters

deleteTotpKeysName

Manage the keys that can be created with this backend.

Parameters

name (required)

Name of the key.

Type: string

deleteTransitKeysName

Manage named encryption keys

Parameters

name (required)

Name of the key

Type: string

getAdConfig

Configure the AD server to connect to, along with password options.

This operation has no parameters

getAdCredsName

Retrieve a role's creds by role name.

Parameters

name (required)

Name of the role

Type: string

getAdLibrary

Parameters

list

Return a list if true

Type: string

getAdLibraryName

Read a library set.

Parameters

name (required)

Name of the set.

Type: string

getAdLibraryNameStatus

Check the status of the service accounts in a library set.

Parameters

name (required)

Name of the set.

Type: string

getAdRoles

List the name of each role currently stored.

Parameters

list

Return a list if true

Type: string

getAdRolesName

Manage roles to build links between Vault and Active Directory service accounts.

Parameters

name (required)

Name of the role

Type: string

getAdRotateRoot

Request to rotate the root credentials.

This operation has no parameters

getAlicloudConfig

Configure the access key and secret to use for RAM and STS calls.

This operation has no parameters

getAlicloudCredsName

Generate an API key or STS credential using the given role's configuration.

Parameters

name (required)

The name of the role.

Type: string

getAlicloudRole

List the existing roles in this backend.

Parameters

list

Return a list if true

Type: string

getAlicloudRoleName

Read, write and reference policies and roles that API keys or STS credentials can be made for.

Parameters

name (required)

The name of the role.

Type: string

getAuthTokenAccessors

List token accessors, which can then be used to iterate and discover their properties or revoke them. Because this can be used to cause a denial of service, this endpoint requires 'sudo' capability in addition to 'list'.

Parameters

list

Return a list if true

Type: string

getAuthTokenLookup

This endpoint will lookup a token and its properties.

This operation has no parameters

getAuthTokenLookupSelf

This endpoint will lookup a token and its properties.

This operation has no parameters

getAuthTokenRoles

This endpoint lists configured roles.

Parameters

list

Return a list if true

Type: string

getAuthTokenRolesRole_name

Parameters

role_name (required)

Name of the role

Type: string

getAwsConfigLease

Configure the default lease information for generated credentials.

This operation has no parameters

getAwsConfigRoot

Configure the root credentials that are used to manage IAM.

This operation has no parameters

getAwsCreds

Generate AWS credentials from a specific Vault role.

This operation has no parameters

getAwsRoles

List the existing roles in this backend

Parameters

list

Return a list if true

Type: string

getAwsRolesName

Read, write and reference IAM policies that access keys can be made for.

Parameters

name (required)

Name of the policy

Type: string

getAwsStsName

Generate AWS credentials from a specific Vault role.

Parameters

name (required)

Name of the role

Type: string

getAzureConfig

Configure the Azure Secret backend.

This operation has no parameters

getAzureCredsRole

Request Service Principal credentials for a given Vault role.

Parameters

role (required)

Name of the Vault role

Type: string

getAzureRoles

List existing roles.

Parameters

list

Return a list if true

Type: string

getAzureRolesName

Manage the Vault roles used to generate Azure credentials.

Parameters

name (required)

Name of the role.

Type: string

getConsulConfigAccess

This operation has no parameters

getConsulCredsRole

Parameters

role (required)

Name of the role

Type: string

getConsulRoles

Parameters

list

Return a list if true

Type: string

getConsulRolesName

Parameters

name (required)

Name of the role

Type: string

getCubbyholePath

Retrieve the secret at the specified location.

Parameters

path (required)

Specifies the path of the secret.

Type: string

list

Return a list if true

Type: string

getDatabaseConfig

Configure connection details to a database plugin.

Parameters

list

Return a list if true

Type: string

getDatabaseConfigName

Configure connection details to a database plugin.

Parameters

name (required)

Name of this database connection

Type: string

getDatabaseCredsName

Request database credentials for a certain role.

Parameters

name (required)

Name of the role.

Type: string

getDatabaseRoles

Manage the roles that can be created with this backend.

Parameters

list

Return a list if true

Type: string

getDatabaseRolesName

Manage the roles that can be created with this backend.

Parameters

name (required)

Name of the role.

Type: string

getDatabaseStaticCredsName

Request database credentials for a certain static role. These credentials are rotated periodically.

Parameters

name (required)

Name of the static role.

Type: string

getDatabaseStaticRoles

Manage the static roles that can be created with this backend.

Parameters

list

Return a list if true

Type: string

getDatabaseStaticRolesName

Manage the static roles that can be created with this backend.

Parameters

name (required)

Name of the role.

Type: string

getGcpConfig

This operation has no parameters

getGcpKeyRoleset

Parameters

roleset (required)

Required. Name of the role set.

Type: string

getGcpRoleset

Parameters

list

Return a list if true

Type: string

getGcpRolesetName

Parameters

name (required)

Required. Name of the role.

Type: string

getGcpRolesets

Parameters

list

Return a list if true

Type: string

getGcpTokenRoleset

Parameters

roleset (required)

Required. Name of the role set.

Type: string

getGcpkmsConfig

Configure the GCP KMS secrets engine

This operation has no parameters

getGcpkmsKeys

List named keys

Parameters

list

Return a list if true

Type: string

getGcpkmsKeysConfigKey

Configure the key in Vault

Parameters

key (required)

Name of the key in Vault.

Type: string

getGcpkmsKeysKey

Interact with crypto keys in Vault and Google Cloud KMS

Parameters

key (required)

Name of the key in Vault.

Type: string

getGcpkmsPubkeyKey

Retrieve the public key associated with the named key

Parameters

key (required)

Name of the key for which to get the public key. This key must already exist in Vault and Google Cloud KMS.

Type: string

getIdentityAliasId

List all the alias IDs.

Parameters

list

Return a list if true

Type: string

getIdentityAliasIdId

Update, read or delete an alias ID.

Parameters

id (required)

ID of the alias

Type: string

getIdentityEntityAliasId

List all the alias IDs.

Parameters

list

Return a list if true

Type: string

getIdentityEntityAliasIdId

Update, read or delete an alias ID.

Parameters

id (required)

ID of the alias

Type: string

getIdentityEntityId

List all the entity IDs

Parameters

list

Return a list if true

Type: string

getIdentityEntityIdId

Update, read or delete an entity using entity ID

Parameters

id (required)

ID of the entity. If set, updates the corresponding existing entity.

Type: string

getIdentityEntityName

List all the entity names

Parameters

list

Return a list if true

Type: string

getIdentityEntityNameName

Update, read or delete an entity using entity name

Parameters

name (required)

Name of the entity

Type: string

getIdentityGroupAliasId

List all the group alias IDs.

Parameters

list

Return a list if true

Type: string

getIdentityGroupAliasIdId

Parameters

id (required)

ID of the group alias.

Type: string

getIdentityGroupId

List all the group IDs.

Parameters

list

Return a list if true

Type: string

getIdentityGroupIdId

Update or delete an existing group using its ID.

Parameters

id (required)

ID of the group. If set, updates the corresponding existing group.

Type: string

getIdentityGroupName

Parameters

list

Return a list if true

Type: string

getIdentityGroupNameName

Parameters

name (required)

Name of the group.

Type: string

getIdentityOidcConfig

OIDC configuration

This operation has no parameters

getIdentityOidcKey

List OIDC keys

Parameters

list

Return a list if true

Type: string

getIdentityOidcKeyName

CRUD operations for OIDC keys.

Parameters

name (required)

Name of the key

Type: string

getIdentityOidcRole

List configured OIDC roles

Parameters

list

Return a list if true

Type: string

getIdentityOidcRoleName

CRUD operations on OIDC Roles

Parameters

name (required)

Name of the role

Type: string

getIdentityOidcTokenName

Generate an OIDC token

Parameters

name (required)

Name of the role

Type: string

getIdentityOidcWellKnownKeys

Retrieve public keys

This operation has no parameters

getIdentityOidcWellKnownOpenidConfiguration

Query OIDC configurations

This operation has no parameters

getIdentityPersonaId

List all the alias IDs.

Parameters

list

Return a list if true

Type: string

getIdentityPersonaIdId

Update, read or delete an alias ID.

Parameters

id (required)

ID of the persona

Type: string

getNomadConfigAccess

This operation has no parameters

getNomadConfigLease

Configure the lease parameters for generated tokens

This operation has no parameters

getNomadCredsName

Parameters

name (required)

Name of the role

Type: string

getNomadRole

Parameters

list

Return a list if true

Type: string

getNomadRoleName

Parameters

name (required)

Name of the role

Type: string

getPkiCa

Fetch a CA, CRL, CA Chain, or non-revoked certificate.

This operation has no parameters

getPkiCaPem

Fetch a CA, CRL, CA Chain, or non-revoked certificate.

This operation has no parameters

getPkiCa_chain

Fetch a CA, CRL, CA Chain, or non-revoked certificate.

This operation has no parameters

getPkiCertCa_chain

Fetch a CA, CRL, CA Chain, or non-revoked certificate.

This operation has no parameters

getPkiCertCrl

Fetch a CA, CRL, CA Chain, or non-revoked certificate.

This operation has no parameters

getPkiCertSerial

Fetch a CA, CRL, CA Chain, or non-revoked certificate.

Parameters

serial (required)

Certificate serial number, in colon- or hyphen-separated octal

Type: string

getPkiCerts

Fetch a CA, CRL, CA Chain, or non-revoked certificate.

Parameters

list

Return a list if true

Type: string

getPkiConfigCrl

Configure the CRL expiration.

This operation has no parameters

getPkiConfigUrls

Set the URLs for the issuing CA, CRL distribution points, and OCSP servers.

This operation has no parameters

getPkiCrl

Fetch a CA, CRL, CA Chain, or non-revoked certificate.

This operation has no parameters

getPkiCrlPem

Fetch a CA, CRL, CA Chain, or non-revoked certificate.

This operation has no parameters

getPkiCrlRotate

Force a rebuild of the CRL.

This operation has no parameters

getPkiRoles

List the existing roles in this backend

Parameters

list

Return a list if true

Type: string

getPkiRolesName

Manage the roles that can be created with this backend.

Parameters

name (required)

Name of the role

Type: string

getRabbitmqConfigLease

Configure the lease parameters for generated credentials

This operation has no parameters

getRabbitmqCredsName

Request RabbitMQ credentials for a certain role.

Parameters

name (required)

Name of the role.

Type: string

getRabbitmqRoles

Manage the roles that can be created with this backend.

Parameters

list

Return a list if true

Type: string

getRabbitmqRolesName

Manage the roles that can be created with this backend.

Parameters

name (required)

Name of the role.

Type: string

getSecretConfig

Read the backend level settings.

This operation has no parameters

getSecretDataPath

Write, Read, and Delete data in the Key-Value Store.

Parameters

path (required)

Location of the secret.

Type: string

getSecretMetadataPath

Configures settings for the KV store

Parameters

path (required)

Location of the secret.

Type: string

list

Return a list if true

Type: string

getSshConfigCa

Set the SSH private key used for signing certificates.

This operation has no parameters

getSshConfigZeroaddress

Assign zero address as default CIDR block for select roles.

This operation has no parameters

getSshPublic_key

Retrieve the public key.

This operation has no parameters

getSshRoles

Manage the 'roles' that can be created with this backend.

Parameters

list

Return a list if true

Type: string

getSshRolesRole

Manage the 'roles' that can be created with this backend.

Parameters

role (required)

[Required for all types] Name of the role being created.

Type: string

getSysAudit

List the enabled audit devices.

This operation has no parameters

getSysAuth

List the currently enabled credential backends.

This operation has no parameters

getSysAuthPathTune

This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via sys/mounts/auth/[auth-path]/tune.

Parameters

path (required)

Tune the configuration parameters for an auth path.

Type: string

getSysConfigAuditingRequestHeaders

List the request headers that are configured to be audited.

This operation has no parameters

getSysConfigAuditingRequestHeadersHeader

List the information for the given request header.

Parameters

header (required)

Type: string

getSysConfigCors

Return the current CORS settings.

This operation has no parameters

getSysConfigStateSanitized

The sanitized output strips configuration values in the storage, HA storage, and seals stanzas, which may contain sensitive values such as API tokens. It also removes any token or secret fields in other stanzas, such as the circonus_api_token from telemetry.

This operation has no parameters

getSysConfigUiHeaders

Return a list of configured UI headers.

Parameters

list

Return a list if true

Type: string

getSysConfigUiHeadersHeader

Return the given UI header's configuration

Parameters

header (required)

The name of the header.

Type: string

getSysGenerateRoot

Read the configuration and progress of the current root generation attempt.

This operation has no parameters

getSysGenerateRootAttempt

Read the configuration and progress of the current root generation attempt.

This operation has no parameters

getSysHealth

Returns the health status of Vault.

This operation has no parameters

getSysHostInfo

Information about the host instance that this Vault server is running on. The information that gets collected includes host hardware information, and CPU, disk, and memory utilization.

This operation has no parameters

getSysInit

Returns the initialization status of Vault.

This operation has no parameters

getSysInternalSpecsOpenapi

Generate an OpenAPI 3 document of all mounted paths.

This operation has no parameters

getSysInternalUiMounts

Lists all enabled and visible auth and secrets mounts.

This operation has no parameters

getSysInternalUiMountsPath

Return information about the given mount.

Parameters

path (required)

The path of the mount.

Type: string

getSysKeyStatus

Provides information about the backend encryption key.

This operation has no parameters

getSysLeader

Returns the high availability status and current leader instance of Vault.

This operation has no parameters

getSysLeasesLookup

Returns a list of lease ids.

Parameters

list

Return a list if true

Type: string

getSysLeasesLookupPrefix

Returns a list of lease ids.

Parameters

prefix (required)

The path to list leases under. Example: "aws/creds/deploy"

Type: string

list

Return a list if true

Type: string

getSysMetrics

Export the metrics aggregated for telemetry purpose.

Parameters

format

Format to export metrics into. Currently accepts only "prometheus".

Type: string

getSysMounts

List the currently mounted backends.

This operation has no parameters

getSysMountsPathTune

Tune backend configuration parameters for this mount.

Parameters

path (required)

The path to mount to. Example: "aws/east"

Type: string

getSysPluginsCatalog

Lists all the plugins known to Vault

This operation has no parameters

getSysPluginsCatalogName

Return the configuration data for the plugin with the given name.

Parameters

name (required)

The name of the plugin

Type: string

getSysPluginsCatalogType

List the plugins in the catalog.

Parameters

type (required)

The type of the plugin, may be auth, secret, or database

Type: string

list

Return a list if true

Type: string

getSysPluginsCatalogTypeName

Return the configuration data for the plugin with the given name.

Parameters

name (required)

The name of the plugin

Type: string

type (required)

The type of the plugin, may be auth, secret, or database

Type: string

getSysPoliciesAcl

List the configured access control policies.

Parameters

list

Return a list if true

Type: string

getSysPoliciesAclName

Retrieve information about the named ACL policy.

Parameters

name (required)

The name of the policy. Example: "ops"

Type: string

getSysPolicy

List the configured access control policies.

Parameters

list

Return a list if true

Type: string

getSysPolicyName

Retrieve the policy body for the named policy.

Parameters

name (required)

The name of the policy. Example: "ops"

Type: string

getSysPprof

Returns an HTML page listing the available profiles. This should be mainly accessed via browsers or applications that can render pages.

This operation has no parameters

getSysPprofCmdline

Returns the running program's command line, with arguments separated by NUL bytes.

This operation has no parameters

getSysPprofGoroutine

Returns stack traces of all current goroutines.

This operation has no parameters

getSysPprofHeap

Returns a sampling of memory allocations of live objects.

This operation has no parameters

getSysPprofProfile

Returns a pprof-formatted CPU profile payload. Profiling lasts for the duration specified in the seconds GET parameter, or for 30 seconds if not specified.

This operation has no parameters

getSysPprofSymbol

Returns the program counters listed in the request.

This operation has no parameters

getSysPprofTrace

Returns the execution trace in binary form. Tracing lasts for the duration specified in the seconds GET parameter, or for 1 second if not specified.

This operation has no parameters

getSysRaw

Read the value of the key at the given path.

Parameters

list

Return a list if true

Type: string

getSysRawPath

Read the value of the key at the given path.

Parameters

path (required)

Type: string

list

Return a list if true

Type: string

getSysRekeyBackup

Return the backup copy of PGP-encrypted unseal keys.

This operation has no parameters

getSysRekeyInit

Reads the configuration and progress of the current rekey attempt.

This operation has no parameters

getSysRekeyRecoveryKeyBackup

Allows fetching or deleting the backup of the rotated unseal keys.

This operation has no parameters

getSysRekeyVerify

Read the configuration and progress of the current rekey verification attempt.

This operation has no parameters

getSysReplicationStatus

This operation has no parameters

getSysSealStatus

Check the seal status of a Vault.

This operation has no parameters

getSysWrappingLookup

Look up wrapping properties for the requester's token.

This operation has no parameters

getTotpCodeName

Request a time-based one-time use password or validate a password for a certain key.

Parameters

name (required)

Name of the key.

Type: string

getTotpKeys

Manage the keys that can be created with this backend.

Parameters

list

Return a list if true

Type: string

getTotpKeysName

Manage the keys that can be created with this backend.

Parameters

name (required)

Name of the key.

Type: string

getTransitBackupName

Backup the named key

Parameters

name (required)

Name of the key

Type: string

getTransitCacheConfig

Returns the size of the active cache

This operation has no parameters

getTransitExportTypeName

Export named encryption or signing key

Parameters

name (required)

Name of the key

Type: string

type (required)

Type of key to export (encryption-key, signing-key, hmac-key)

Type: string

getTransitExportTypeNameVersion

Export named encryption or signing key

Parameters

name (required)

Name of the key

Type: string

type (required)

Type of key to export (encryption-key, signing-key, hmac-key)

Type: string

version (required)

Version of the key

Type: string

getTransitKeys

Manage named encryption keys

Parameters

list

Return a list if true

Type: string

getTransitKeysName

Manage named encryption keys

Parameters

name (required)

Name of the key

Type: string

postAdConfig

Configure the AD server to connect to, along with password options.

Parameters

$body

Type: object

{
  "last_rotation_tolerance" : "The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band.",
  "bindpass" : "LDAP password for searching for the user DN (optional)",
  "max_ttl" : "In seconds, the maximum password time-to-live.",
  "request_timeout" : "Timeout, in seconds, for the connection when making requests against the server before returning back an error.",
  "certificate" : "CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded (optional)",
  "use_pre111_group_cn_behavior" : "In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.",
  "case_sensitive_names" : "If true, case sensitivity will be used when comparing usernames and groups for matching policies.",
  "groupattr" : "LDAP attribute to follow on objects returned by  in order to enumerate user group membership. Examples: \"cn\" or \"memberOf\", etc. Default: cn",
  "tls_min_version" : "Minimum TLS version to use. Accepted values are 'tls10', 'tls11' or 'tls12'. Defaults to 'tls12'",
  "upndomain" : "Enables userPrincipalDomain login with [username]@UPNDomain (optional)",
  "userattr" : "Attribute used for users (default: cn)",
  "starttls" : "Issue a StartTLS command after establishing unencrypted connection (optional)",
  "groupfilter" : "Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username Example: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))",
  "length" : "The desired length of passwords that Vault generates.",
  "insecure_tls" : "Skip LDAP server SSL Certificate verification - VERY insecure (optional)",
  "deny_null_bind" : "Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true",
  "tls_max_version" : "Maximum TLS version to use. Accepted values are 'tls10', 'tls11' or 'tls12'. Defaults to 'tls12'",
  "ttl" : "In seconds, the default password time-to-live.",
  "url" : "LDAP URL to connect to (default: ldap://127.0.0.1). Multiple URLs can be specified by concatenating them with commas; they will be tried in-order.",
  "formatter" : "Text to insert the password into, ex. \"customPrefix{{PASSWORD}}customSuffix\".",
  "binddn" : "LDAP DN for searching for the user DN (optional)",
  "groupdn" : "LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org)",
  "use_token_groups" : "If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.",
  "discoverdn" : "Use anonymous bind to discover the bind DN of a user (optional)",
  "userdn" : "LDAP domain to use for users (eg: ou=People,dc=example,dc=org)"
}

postAdLibraryManageNameCheckIn

Check service accounts in to the library.

Parameters

name (required)

Name of the set.

Type: string

$body

Type: object

{
  "service_account_names" : [ "string" ]
}

postAdLibraryName

Update a library set.

Parameters

name (required)

Name of the set.

Type: string

$body

Type: object

{
  "max_ttl" : "In seconds, the max amount of time a check-out's renewals should last. Defaults to 24 hours.",
  "service_account_names" : [ "string" ],
  "disable_check_in_enforcement" : "Disable the default behavior of requiring that check-ins are performed by the entity that checked them out.",
  "ttl" : "In seconds, the amount of time a check-out should last. Defaults to 24 hours."
}

postAdLibraryNameCheckIn

Check service accounts in to the library.

Parameters

name (required)

Name of the set.

Type: string

$body

Type: object

{
  "service_account_names" : [ "string" ]
}

postAdLibraryNameCheckOut

Check a service account out from the library.

Parameters

name (required)

Name of the set

Type: string

$body

Type: object

{
  "ttl" : "The length of time before the check-out will expire, in seconds."
}

postAdRolesName

Manage roles to build links between Vault and Active Directory service accounts.

Parameters

name (required)

Name of the role

Type: string

$body

Type: object

{
  "service_account_name" : "The username/logon name for the service account with which this role will be associated.",
  "ttl" : "In seconds, the default password time-to-live."
}

postAlicloudConfig

Configure the access key and secret to use for RAM and STS calls.

Parameters

$body

Type: object

{
  "secret_key" : "Secret key with appropriate permissions.",
  "access_key" : "Access key with appropriate permissions."
}

postAlicloudRoleName

Read, write and reference policies and roles that API keys or STS credentials can be made for.

Parameters

name (required)

The name of the role.

Type: string

$body

Type: object

{
  "max_ttl" : "The maximum allowed lifetime of tokens issued using this role.",
  "role_arn" : "ARN of the role to be assumed. If provided, inline_policies and remote_policies should be blank. At creation time, this role must have configured trusted actors, and the access key and secret that will be used to assume the role (in /config) must qualify as a trusted actor.",
  "remote_policies" : [ "string" ],
  "inline_policies" : "JSON of policies to be dynamically applied to users of this role.",
  "ttl" : "Duration in seconds after which the issued token should expire. Defaults to 0, in which case the value will fall back to the system/mount defaults."
}

postAuthTokenCreate

The token create path is used to create new tokens.

This operation has no parameters

postAuthTokenCreateOrphan

The token create path is used to create new orphan tokens.

This operation has no parameters

postAuthTokenCreateRole_name

This token create path is used to create new tokens adhering to the given role.

Parameters

role_name (required)

Name of the role

Type: string

postAuthTokenLookup

This endpoint will look up a token and its properties.

Parameters

$body

Type: object

{
  "token" : "Token to look up (POST request body)"
}

postAuthTokenLookupAccessor

This endpoint will look up the token associated with the given accessor and its properties. The response will not contain the token ID.

Parameters

$body

Type: object

{
  "accessor" : "Accessor of the token to look up (request body)"
}

postAuthTokenLookupSelf

This endpoint will look up the calling token and its properties.

Parameters

$body

Type: object

{
  "token" : "Token to look up (unused, does not need to be set)"
}

postAuthTokenRenew

This endpoint will renew the given token and prevent expiration.

Parameters

$body

Type: object

{
  "increment" : "The desired increment in seconds to the token expiration",
  "token" : "Token to renew (request body)"
}

postAuthTokenRenewAccessor

This endpoint will renew a token associated with the given accessor and its properties. Response will not contain the token ID.

Parameters

$body

Type: object

{
  "accessor" : "Accessor of the token to renew (request body)",
  "increment" : "The desired increment in seconds to the token expiration"
}

postAuthTokenRenewSelf

This endpoint will renew the token used to call it and prevent expiration.

Parameters

$body

Type: object

{
  "increment" : "The desired increment in seconds to the token expiration",
  "token" : "Token to renew (unused, does not need to be set)"
}

postAuthTokenRevoke

This endpoint will delete the given token and all of its child tokens.

Parameters

$body

Type: object

{
  "token" : "Token to revoke (request body)"
}

postAuthTokenRevokeAccessor

This endpoint will delete the token associated with the accessor and all of its child tokens.

Parameters

$body

Type: object

{
  "accessor" : "Accessor of the token (request body)"
}

postAuthTokenRevokeOrphan

This endpoint will delete the token and orphan its child tokens.

Parameters

$body

Type: object

{
  "token" : "Token to revoke (request body)"
}

postAuthTokenRevokeSelf

This endpoint will delete the token used to call it and all of its child tokens.

This operation has no parameters

postAuthTokenRolesRole_name

Parameters

role_name (required)

Name of the role

Type: string

$body

Type: object

{
  "bound_cidrs" : [ "string" ],
  "period" : "Use 'token_period' instead.",
  "token_num_uses" : "The maximum number of times a token may be used; a value of zero means unlimited",
  "allowed_entity_aliases" : [ "string" ],
  "token_explicit_max_ttl" : "If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.",
  "path_suffix" : "If set, tokens created via this role will contain the given suffix as a part of their path. This can be used to assist use of the 'revoke-prefix' endpoint later on. The given suffix must match the regular expression \\w[\\w-.]+\\w",
  "token_period" : "If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").",
  "orphan" : "If true, tokens created via this role will be orphan tokens (have no parent)",
  "token_type" : "The type of token to generate, service or batch",
  "explicit_max_ttl" : "Use 'token_explicit_max_ttl' instead.",
  "token_no_default_policy" : "If true, the 'default' policy will not automatically be added to generated tokens",
  "disallowed_policies" : [ "string" ],
  "allowed_policies" : [ "string" ],
  "renewable" : "Tokens created via this role will be renewable or not according to this value. Defaults to \"true\".",
  "token_bound_cidrs" : [ "string" ]
}

postAuthTokenTidy

This endpoint performs cleanup tasks that can be run if certain error conditions have occurred.

This operation has no parameters

postAwsConfigLease

Configure the default lease information for generated credentials.

Parameters

$body

Type: object

{
  "lease_max" : "Maximum time a credential is valid for.",
  "lease" : "Default lease for roles."
}

postAwsConfigRoot

Configure the root credentials that are used to manage IAM.

Parameters

$body

Type: object

{
  "secret_key" : "Secret key with permission to create new keys.",
  "max_retries" : "Maximum number of retries for recoverable exceptions of AWS APIs",
  "access_key" : "Access key with permission to create new keys.",
  "iam_endpoint" : "Endpoint to custom IAM server URL",
  "sts_endpoint" : "Endpoint to custom STS server URL",
  "region" : "Region for API calls."
}

postAwsConfigRotateRoot

Request to rotate the AWS credentials used by Vault

This operation has no parameters

postAwsCreds

Generate AWS credentials from a specific Vault role.

Parameters

$body

Type: object

{
  "role_arn" : "ARN of role to assume when credential_type is assumed_role",
  "name" : "Name of the role",
  "ttl" : "Lifetime of the returned credentials in seconds"
}

postAwsRolesName

Read, write and reference IAM policies that access keys can be made for.

Parameters

name (required)

Name of the policy

Type: string

$body

Type: object

{
  "credential_type" : "Type of credential to retrieve. Must be one of assumed_role, iam_user, or federation_token",
  "role_arns" : [ "string" ],
  "max_sts_ttl" : "Max allowed TTL for assumed_role and federation_token credential types",
  "user_path" : "Path for IAM User. Only valid when credential_type is iam_user",
  "permissions_boundary_arn" : "ARN of an IAM policy to attach as a permissions boundary on IAM user credentials; only valid when credential_type is iam_user",
  "arn" : "Use role_arns or policy_arns instead.",
  "default_sts_ttl" : "Default TTL for assumed_role and federation_token credential types when no TTL is explicitly requested with the credentials",
  "policy_document" : "JSON-encoded IAM policy document. Behavior varies by credential_type. When credential_type is iam_user, then it will attach the contents of the policy_document to the IAM user generated. When credential_type is assumed_role or federation_token, this will be passed in as the Policy parameter to the AssumeRole or GetFederationToken API call, acting as a filter on permissions available.",
  "policy" : "Use policy_document instead.",
  "policy_arns" : [ "string" ]
}

postAwsStsName

Generate AWS credentials from a specific Vault role.

Parameters

name (required)

Name of the role

Type: string

$body

Type: object

{
  "role_arn" : "ARN of role to assume when credential_type is assumed_role",
  "ttl" : "Lifetime of the returned credentials in seconds"
}

postAzureConfig

Configure the Azure Secret backend.

Parameters

$body

Type: object

{
  "subscription_id" : "The subscription id for the Azure Active Directory. This value can also be provided with the AZURE_SUBSCRIPTION_ID environment variable.",
  "tenant_id" : "The tenant id for the Azure Active Directory. This value can also be provided with the AZURE_TENANT_ID environment variable.",
  "environment" : "The Azure environment name. If not provided, AzurePublicCloud is used. This value can also be provided with the AZURE_ENVIRONMENT environment variable.",
  "client_secret" : "The OAuth2 client secret to connect to Azure. This value can also be provided with the AZURE_CLIENT_SECRET environment variable.",
  "client_id" : "The OAuth2 client id to connect to Azure. This value can also be provided with the AZURE_CLIENT_ID environment variable."
}

postAzureRolesName

Manage the Vault roles used to generate Azure credentials.

Parameters

name (required)

Name of the role.

Type: string

$body

Type: object

{
  "max_ttl" : "Maximum time a service principal is valid for. If not set or set to 0, will use system default.",
  "application_object_id" : "Application Object ID to use for static service principal credentials.",
  "azure_roles" : "JSON list of Azure roles to assign.",
  "ttl" : "Default lease for generated credentials. If not set or set to 0, will use system default.",
  "azure_groups" : "JSON list of Azure groups to add the service principal to."
}

postConsulConfigAccess

Parameters

$body

Type: object

{
  "address" : "Consul server address",
  "scheme" : "URI scheme for the Consul address",
  "token" : "Token for API calls"
}

postConsulRolesName

Parameters

name (required)

Name of the role

Type: string

$body

Type: object

{
  "max_ttl" : "Max TTL for the Consul token created from the role.",
  "policies" : [ "string" ],
  "lease" : "Use ttl instead.",
  "token_type" : "Which type of token to create: 'client' or 'management'. If a 'management' token, the \"policy\" parameter is not required. Defaults to 'client'.",
  "ttl" : "TTL for the Consul token created from the role.",
  "local" : "Indicates that the token should not be replicated globally and instead be local to the current datacenter. Available in Consul 1.4 and above.",
  "policy" : "Policy document, base64 encoded. Required for 'client' tokens. Required for Consul pre-1.4."
}

postCubbyholePath

Store a secret at the specified location.

Parameters

path (required)

Specifies the path of the secret.

Type: string

postDatabaseConfigName

Configure connection details to a database plugin.

Parameters

name (required)

Name of this database connection

Type: string

$body

Type: object

{
  "verify_connection" : "If true, the connection details are verified by actually connecting to the database. Defaults to true.",
  "allowed_roles" : [ "string" ],
  "root_rotation_statements" : [ "string" ],
  "plugin_name" : "The name of a builtin or previously registered plugin known to Vault. This endpoint will create an instance of that plugin type."
}

postDatabaseResetName

Resets a database plugin.

Parameters

name (required)

Name of this database connection

Type: string

postDatabaseRolesName

Manage the roles that can be created with this backend.

Parameters

name (required)

Name of the role.

Type: string

$body

Type: object

{
  "renew_statements" : [ "string" ],
  "db_name" : "Name of the database this role acts on.",
  "max_ttl" : "Maximum time a credential is valid for",
  "default_ttl" : "Default ttl for role.",
  "revocation_statements" : [ "string" ],
  "rollback_statements" : [ "string" ],
  "creation_statements" : [ "string" ]
}

postDatabaseRotateRoleName

Request database credentials for a certain role.

Parameters

name (required)

Name of the static role

Type: string

postDatabaseRotateRootName

Request database credentials for a certain role.

Parameters

name (required)

Name of this database connection

Type: string

postDatabaseStaticRolesName

Manage the static roles that can be created with this backend.

Parameters

name (required)

Name of the role.

Type: string

$body

Type: object

{
  "db_name" : "Name of the database this role acts on.",
  "rotation_statements" : [ "string" ],
  "rotation_period" : "Period for automatic credential rotation of the given username. Not valid unless used with \"username\".",
  "username" : "Name of the static user account for Vault to manage. Requires \"rotation_period\" to be specified"
}

postGcpConfig

Parameters

$body

Type: object

{
  "max_ttl" : "Maximum time a service account key is valid for. If <= 0, will use system default.",
  "credentials" : "GCP IAM service account credentials JSON with permissions to create new service accounts and set IAM policies",
  "ttl" : "Default lease for generated keys. If <= 0, will use system default."
}

postGcpKeyRoleset

Parameters

roleset (required)

Required. Name of the role set.

Type: string

$body

Type: object

{
  "key_type" : "Private key type for service account key - defaults to TYPE_GOOGLE_CREDENTIALS_FILE",
  "key_algorithm" : "Private key algorithm for service account key - defaults to KEY_ALG_RSA_2048"
}

postGcpRolesetName

Parameters

name (required)

Required. Name of the role.

Type: string

$body

Type: object

{
  "secret_type" : "Type of secret generated for this role set. Defaults to 'access_token'",
  "token_scopes" : [ "string" ],
  "bindings" : "Bindings configuration string.",
  "project" : "Name of the GCP project that this roleset's service account will belong to."
}

postGcpRolesetNameRotate

Parameters

name (required)

Name of the role.

Type: string

postGcpRolesetNameRotateKey

Parameters

name (required)

Name of the role.

Type: string

postGcpTokenRoleset

Parameters

roleset (required)

Required. Name of the role set.

Type: string

postGcpkmsConfig

Configure the GCP KMS secrets engine

Parameters

$body

Type: object

{
  "credentials" : "The credentials to use for authenticating to Google Cloud. Leave this blank to use the Default Application Credentials or instance metadata authentication.",
  "scopes" : [ "string" ]
}

postGcpkmsDecryptKey

Decrypt a ciphertext value using a named key

Parameters

key (required)

Name of the key in Vault to use for decryption. This key must already exist in Vault and must map back to a Google Cloud KMS key.

Type: string

$body

Type: object

{
  "ciphertext" : "Ciphertext to decrypt. This must be the base64-encoded ciphertext previously returned from an encrypt operation.",
  "key_version" : "Integer version of the crypto key version to use for decryption. This is required for asymmetric keys. For symmetric keys, Cloud KMS will choose the correct version automatically.",
  "additional_authenticated_data" : "Optional data that was specified during encryption of this payload."
}

postGcpkmsEncryptKey

Encrypt a plaintext value using a named key

Parameters

key (required)

Name of the key in Vault to use for encryption. This key must already exist in Vault and must map back to a Google Cloud KMS key.

Type: string

$body

Type: object

{
  "key_version" : "Integer version of the crypto key version to use for encryption. If unspecified, this defaults to the latest active crypto key version.",
  "plaintext" : "Plaintext value to be encrypted. This can be a string or binary, but the size is limited. See the Google Cloud KMS documentation for information on size limitations by key types.",
  "additional_authenticated_data" : "Optional base64-encoded data that, if specified, must also be provided to decrypt this payload."
}

postGcpkmsKeysConfigKey

Configure the key in Vault

Parameters

key (required)

Name of the key in Vault.

Type: string

$body

Type: object

{
  "min_version" : "Minimum allowed crypto key version. If set to a positive value, key versions less than the given value are not permitted to be used. If set to 0 or a negative value, there is no minimum key version. This value only affects encryption/re-encryption, not decryption. To restrict old values from being decrypted, increase this value and then perform a trim operation.",
  "max_version" : "Maximum allowed crypto key version. If set to a positive value, key versions greater than the given value are not permitted to be used. If set to 0 or a negative value, there is no maximum key version."
}

postGcpkmsKeysDeregisterKey

Deregister an existing key in Vault

Parameters

key (required)

Name of the key to deregister in Vault. If the key exists in Google Cloud KMS, it will be left untouched.

Type: string

postGcpkmsKeysKey

Interact with crypto keys in Vault and Google Cloud KMS

Parameters

key (required)

Name of the key in Vault.

Type: string

$body

Type: object

{
  "crypto_key" : "Name of the crypto key to use. If the given crypto key does not exist, Vault will try to create it. This defaults to the name of the key given to Vault as the parameter if unspecified.",
  "protection_level" : "Level of protection to use for the key management. Valid values are \"software\" and \"hsm\". The default value is \"software\". The value cannot be changed after creation.",
  "purpose" : "Purpose of the key. Valid options are \"asymmetric_decrypt\", \"asymmetric_sign\", and \"encrypt_decrypt\". The default value is \"encrypt_decrypt\". The value cannot be changed after creation.",
  "key_ring" : "Full Google Cloud resource ID of the key ring with the project and location (e.g. projects/my-project/locations/global/keyRings/my-keyring). If the given key ring does not exist, Vault will try to create it during a create operation.",
  "rotation_period" : "Amount of time between crypto key version rotations. This is specified as a time duration value like 72h (72 hours). The smallest possible value is 24h. This value only applies to keys with a purpose of \"encrypt_decrypt\".",
  "algorithm" : "Algorithm to use for encryption, decryption, or signing. The value depends on the key purpose. The value cannot be changed after creation. For a key purpose of \"encrypt_decrypt\", the only valid value is symmetric_encryption (default). For a key purpose of \"asymmetric_sign\", valid values are: rsa_sign_pss_2048_sha256, rsa_sign_pss_3072_sha256, rsa_sign_pss_4096_sha256, rsa_sign_pkcs1_2048_sha256, rsa_sign_pkcs1_3072_sha256, rsa_sign_pkcs1_4096_sha256, ec_sign_p256_sha256, ec_sign_p384_sha384. For a key purpose of \"asymmetric_decrypt\", valid values are: rsa_decrypt_oaep_2048_sha256, rsa_decrypt_oaep_3072_sha256, rsa_decrypt_oaep_4096_sha256",
  "labels" : { }
}

postGcpkmsKeysRegisterKey

Register an existing crypto key in Google Cloud KMS

Parameters

key (required)

Name of the key to register in Vault. This will be the name used to refer to the underlying crypto key when encrypting or decrypting data.

Type: string

$body

Type: object

{
  "crypto_key" : "Full resource ID of the crypto key including the project, location, key ring, and crypto key like \"projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\". This crypto key must already exist in Google Cloud KMS unless verify is set to \"false\".",
  "verify" : "Verify that the given Google Cloud KMS crypto key exists and is accessible before creating the storage entry in Vault. Set this to \"false\" if the key will not exist at creation time."
}

postGcpkmsKeysRotateKey

Rotate a crypto key to a new primary version

Parameters

key (required)

Name of the key to rotate. This key must already be registered with Vault and point to a valid Google Cloud KMS crypto key.

Type: string

postGcpkmsKeysTrimKey

Delete old crypto key versions from Google Cloud KMS

Parameters

key (required)

Name of the key in Vault.

Type: string

postGcpkmsReencryptKey

Re-encrypt existing ciphertext data to a new version

Parameters

key (required)

Name of the key to use for encryption. This key must already exist in Vault and Google Cloud KMS.

Type: string

$body

Type: object

{
  "ciphertext" : "Ciphertext to be re-encrypted to the latest key version. This must be ciphertext that Vault previously generated for this named key.",
  "key_version" : "Integer version of the crypto key version to use for the new encryption. If unspecified, this defaults to the latest active crypto key version.",
  "additional_authenticated_data" : "Optional data that, if specified, must also be provided during decryption."
}

postGcpkmsSignKey

Signs a message or digest using a named key

Parameters

key (required)

Name of the key in Vault to use for signing. This key must already exist in Vault and must map back to a Google Cloud KMS key.

Type: string

$body

Type: object

{
  "key_version" : "Integer version of the crypto key version to use for signing. This field is required.",
  "digest" : "Digest to sign. This digest must use the same SHA algorithm as the underlying Cloud KMS key. The digest must be the base64-encoded binary value. This field is required."
}

postGcpkmsVerifyKey

Verify a signature using a named key

Parameters

key (required)

Name of the key in Vault to use for verification. This key must already exist in Vault and must map back to a Google Cloud KMS key.

Type: string

$body

Type: object

{
  "key_version" : "Integer version of the crypto key version to use for verification. This field is required.",
  "signature" : "Base64-encoded signature to use for verification. This field is required.",
  "digest" : "Digest to verify. This digest must use the same SHA algorithm as the underlying Cloud KMS key. The digest must be the base64-encoded binary value. This field is required."
}

postIdentityAlias

Create a new alias.

Parameters

$body

Type: object

{
  "canonical_id" : "Entity ID to which this alias belongs",
  "name" : "Name of the alias",
  "id" : "ID of the alias",
  "entity_id" : "Entity ID to which this alias belongs. This field is deprecated in favor of 'canonical_id'.",
  "mount_accessor" : "Mount accessor to which this alias belongs"
}

postIdentityAliasIdId

Update, read or delete an alias ID.

Parameters

id (required)

ID of the alias

Type: string

$body

Type: object

{
  "canonical_id" : "Entity ID to which this alias should be tied",
  "name" : "Name of the alias",
  "entity_id" : "Entity ID to which this alias should be tied. This field is deprecated in favor of 'canonical_id'.",
  "mount_accessor" : "Mount accessor to which this alias belongs"
}

postIdentityEntity

Create a new entity

Parameters

$body

Type: object

{
  "metadata" : { },
  "name" : "Name of the entity",
  "policies" : [ "string" ],
  "disabled" : "If set true, tokens tied to this identity cannot be used (but will not be revoked).",
  "id" : "ID of the entity. If set, updates the corresponding existing entity."
}

postIdentityEntityAlias

Create a new alias.

Parameters

$body

Type: object

{
  "canonical_id" : "Entity ID to which this alias belongs",
  "name" : "Name of the alias; unused for a modify",
  "id" : "ID of the entity alias. If set, updates the corresponding entity alias.",
  "entity_id" : "Entity ID to which this alias belongs. This field is deprecated, use canonical_id.",
  "mount_accessor" : "Mount accessor to which this alias belongs; unused for a modify"
}

postIdentityEntityAliasIdId

Update, read or delete an alias ID.

Parameters

id (required)

ID of the alias

Type: string

$body

Type: object

{
  "canonical_id" : "Entity ID to which this alias should be tied",
  "name" : "(Unused)",
  "entity_id" : "Entity ID to which this alias belongs. This field is deprecated, use canonical_id.",
  "mount_accessor" : "(Unused)"
}

postIdentityEntityIdId

Update, read or delete an entity using entity ID

Parameters

id (required)

ID of the entity. If set, updates the corresponding existing entity.

Type: string

$body

Type: object

{
  "metadata" : { },
  "name" : "Name of the entity",
  "policies" : [ "string" ],
  "disabled" : "If set true, tokens tied to this identity cannot be used (but will not be revoked)."
}

postIdentityEntityMerge

Merge two or more entities together

Parameters

$body

Type: object

{
  "from_entity_ids" : [ "string" ],
  "to_entity_id" : "Entity ID into which all the other entities need to get merged",
  "force" : "Setting this will follow the 'mine' strategy for merging MFA secrets. If there are secrets of the same type both in the entities being merged from and in the entity into which all others are getting merged, secrets in the destination will be unaltered. If not set, this API will throw an error containing all the conflicts."
}

postIdentityEntityNameName

Update, read or delete an entity using entity name

Parameters

name (required)

Name of the entity

Type: string

$body

Type: object

{
  "metadata" : { },
  "policies" : [ "string" ],
  "disabled" : "If set true, tokens tied to this identity cannot be used (but will not be revoked).",
  "id" : "ID of the entity. If set, updates the corresponding existing entity."
}

postIdentityGroup

Create a new group.

Parameters

$body

Type: object

{
  "member_group_ids" : [ "string" ],
  "metadata" : { },
  "name" : "Name of the group.",
  "policies" : [ "string" ],
  "id" : "ID of the group. If set, updates the corresponding existing group.",
  "type" : "Type of the group, 'internal' or 'external'. Defaults to 'internal'",
  "member_entity_ids" : [ "string" ]
}

postIdentityGroupAlias

Creates a new group alias, or updates an existing one.

Parameters

$body

Type: object

{
  "canonical_id" : "ID of the group to which this is an alias.",
  "name" : "Alias of the group.",
  "id" : "ID of the group alias.",
  "mount_accessor" : "Mount accessor to which this alias belongs."
}

postIdentityGroupAliasIdId

Parameters

id (required)

ID of the group alias.

Type: string

$body

Type: object

{
  "canonical_id" : "ID of the group to which this is an alias.",
  "name" : "Alias of the group.",
  "mount_accessor" : "Mount accessor to which this alias belongs."
}

postIdentityGroupIdId

Update or delete an existing group using its ID.

Parameters

id (required)

ID of the group. If set, updates the corresponding existing group.

Type: string

$body

Type: object

{
  "member_group_ids" : [ "string" ],
  "metadata" : { },
  "name" : "Name of the group.",
  "policies" : [ "string" ],
  "type" : "Type of the group, 'internal' or 'external'. Defaults to 'internal'",
  "member_entity_ids" : [ "string" ]
}

postIdentityGroupNameName

Parameters

name (required)

Name of the group.

Type: string

$body

Type: object

{
  "member_group_ids" : [ "string" ],
  "metadata" : { },
  "policies" : [ "string" ],
  "id" : "ID of the group. If set, updates the corresponding existing group.",
  "type" : "Type of the group, 'internal' or 'external'. Defaults to 'internal'",
  "member_entity_ids" : [ "string" ]
}

postIdentityLookupEntity

Query entities based on various properties.

Parameters

$body

Type: object

{
  "alias_mount_accessor" : "Accessor of the mount to which the alias belongs. This should be supplied in conjunction with 'alias_name'.",
  "alias_id" : "ID of the alias.",
  "name" : "Name of the entity.",
  "id" : "ID of the entity.",
  "alias_name" : "Name of the alias. This should be supplied in conjunction with 'alias_mount_accessor'."
}

postIdentityLookupGroup

Query groups based on various properties.

Parameters

$body

Type: object

{
  "alias_mount_accessor" : "Accessor of the mount to which the alias belongs. This should be supplied in conjunction with 'alias_name'.",
  "alias_id" : "ID of the alias.",
  "name" : "Name of the group.",
  "id" : "ID of the group.",
  "alias_name" : "Name of the alias. This should be supplied in conjunction with 'alias_mount_accessor'."
}

postIdentityOidcConfig

OIDC configuration

Parameters

$body

Type: object

{
  "issuer" : "Issuer URL to be used in the iss claim of the token. If not set, Vault's app_addr will be used."
}

postIdentityOidcIntrospect

Verify the authenticity of an OIDC token

Parameters

$body

Type: object

{
  "client_id" : "Optional client_id to verify",
  "token" : "Token to verify"
}

postIdentityOidcKeyName

CRUD operations for OIDC keys.

Parameters

name (required)

Name of the key

Type: string

$body

Type: object

{
  "verification_ttl" : "Controls how long the public portion of a key will be available for verification after being rotated.",
  "rotation_period" : "How often to generate a new keypair.",
  "allowed_client_ids" : [ "string" ],
  "algorithm" : "Signing algorithm to use. This will default to RS256."
}

postIdentityOidcKeyNameRotate

Rotate a named OIDC key.

Parameters

name (required)

Name of the key

Type: string

$body

Type: object

{
  "verification_ttl" : "Controls how long the public portion of a key will be available for verification after being rotated. Setting verification_ttl here will override the verification_ttl set on the key."
}

postIdentityOidcRoleName

CRUD operations on OIDC Roles

Parameters

name (required)

Name of the role

Type: string

$body

Type: object

{
  "template" : "The template string to use for generating tokens. This may be in string-ified JSON or base64 format.",
  "ttl" : "TTL of the tokens generated against the role.",
  "key" : "The OIDC key to use for generating tokens. The specified key must already exist."
}

postIdentityPersona

Create a new alias.

Parameters

$body

Type: object

{
  "metadata" : { },
  "name" : "Name of the persona",
  "id" : "ID of the persona",
  "entity_id" : "Entity ID to which this persona belongs",
  "mount_accessor" : "Mount accessor to which this persona belongs"
}

postIdentityPersonaIdId

Update, read or delete an alias ID.

Parameters

id (required)

ID of the persona

Type: string

$body

Type: object

{
  "metadata" : { },
  "name" : "Name of the persona",
  "entity_id" : "Entity ID to which this persona should be tied",
  "mount_accessor" : "Mount accessor to which this persona belongs"
}

postNomadConfigAccess

Parameters

$body

Type: object

{
  "max_token_name_length" : "Max length for name of generated Nomad tokens",
  "address" : "Nomad server address",
  "token" : "Token for API calls"
}

postNomadConfigLease

Configure the lease parameters for generated tokens

Parameters

$body

Type: object

{
  "max_ttl" : "Duration after which the issued token should not be allowed to be renewed",
  "ttl" : "Duration before which the issued token needs renewal"
}

postNomadRoleName

Parameters

name (required)

Name of the role

Type: string

$body

Type: object

{
  "policies" : [ "string" ],
  "global" : "Boolean value describing if the token should be global or not. Defaults to false.",
  "type" : "Which type of token to create: 'client' or 'management'. If a 'management' token, the \"policies\" parameter is not required. Defaults to 'client'."
}

postPkiConfigCa

Set the CA certificate and private key used for generated credentials.

Parameters

$body

Type: object

{
  "pem_bundle" : "PEM-format, concatenated unencrypted secret key and certificate."
}

postPkiConfigCrl

Configure the CRL expiration.

Parameters

$body

Type: object

{
  "disable" : "If set to true, disables generating the CRL entirely.",
  "expiry" : "The amount of time the generated CRL should be valid; defaults to 72 hours"
}

postPkiConfigUrls

Set the URLs for the issuing CA, CRL distribution points, and OCSP servers.

Parameters

$body

Type: object

{
  "crl_distribution_points" : [ "string" ],
  "issuing_certificates" : [ "string" ],
  "ocsp_servers" : [ "string" ]
}

postPkiIntermediateGenerateExported

Generate a new CSR and private key used for signing.

Parameters

exported (required)

Must be "internal" or "exported". If set to "exported", the generated private key will be returned. This is your only chance to retrieve the private key!

Type: string

$body

Type: object

{
  "other_sans" : [ "string" ],
  "country" : [ "string" ],
  "street_address" : [ "string" ],
  "add_basic_constraints" : "Whether to add a Basic Constraints extension with CA: true. Only needed as a workaround in some compatibility scenarios with Active Directory Certificate Services.",
  "key_type" : "The type of key to use; defaults to RSA. \"rsa\" and \"ec\" are the only valid values.",
  "ou" : [ "string" ],
  "format" : "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".",
  "locality" : [ "string" ],
  "private_key_format" : "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".",
  "alt_names" : "The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses.",
  "serial_number" : "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.",
  "exclude_cn_from_sans" : "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).",
  "uri_sans" : [ "string" ],
  "ttl" : "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.",
  "key_bits" : "The number of bits to use. You will almost certainly want to change this if you adjust the key_type.",
  "province" : [ "string" ],
  "ip_sans" : [ "string" ],
  "organization" : [ "string" ],
  "common_name" : "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans.",
  "postal_code" : [ "string" ]
}

postPkiIntermediateSetSigned

Provide the signed intermediate CA cert.

Parameters

$body

Type: object

{
  "certificate" : "PEM-format certificate. This must be a CA certificate with a public key matching the previously-generated key from the generation endpoint."
}

postPkiIssueRole

Request a certificate using a certain role with the provided details.

Parameters

role (required)

The desired role with configuration for this request

Type: string

$body

Type: object

{
  "other_sans" : [ "string" ],
  "ip_sans" : [ "string" ],
  "format" : "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".",
  "private_key_format" : "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".",
  "alt_names" : "The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.",
  "serial_number" : "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.",
  "exclude_cn_from_sans" : "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).",
  "uri_sans" : [ "string" ],
  "common_name" : "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address.",
  "ttl" : "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL."
}

postPkiRevoke

Revoke a certificate by serial number.

Parameters

$body

Type: object

{
  "serial_number" : "Certificate serial number, in colon- or hyphen-separated octal"
}

postPkiRolesName

Manage the roles that can be created with this backend.

Parameters

name (required)

Name of the role

Type: string

$body

Type: object

{
  "country" : [ "string" ],
  "street_address" : [ "string" ],
  "allow_subdomains" : "If set, clients can request certificates for subdomains of the CNs allowed by the other role options, including wildcard subdomains. See the documentation for more information.",
  "allowed_domains" : [ "string" ],
  "key_type" : "The type of key to use; defaults to RSA. \"rsa\" and \"ec\" are the only valid values.",
  "key_usage" : [ "string" ],
  "max_ttl" : "The maximum allowed lease duration",
  "allow_bare_domains" : "If set, clients can request certificates for the base domains themselves, e.g. \"example.com\". This is a separate option as in some cases this can be considered a security threat.",
  "allowed_other_sans" : [ "string" ],
  "province" : [ "string" ],
  "allow_localhost" : "Whether to allow \"localhost\" as a valid common name in a request",
  "enforce_hostnames" : "If set, only valid host names are allowed for CN and SANs. Defaults to true.",
  "allowed_uri_sans" : [ "string" ],
  "backend" : "Backend Type",
  "email_protection_flag" : "If set, certificates are flagged for email protection use. Defaults to false.",
  "no_store" : "If set, certificates issued/signed against this role will not be stored in the storage backend. This can improve performance when issuing large numbers of certificates. However, certificates issued in this way cannot be enumerated or revoked, so this option is recommended only for certificates that are non-sensitive, or extremely short-lived. This option implies a value of \"false\" for \"generate_lease\".",
  "allowed_serial_numbers" : [ "string" ],
  "ou" : [ "string" ],
  "allow_any_name" : "If set, clients can request certificates for any CN they like. See the documentation for more information.",
  "locality" : [ "string" ],
  "basic_constraints_valid_for_non_ca" : "Mark Basic Constraints valid when issuing non-CA certificates.",
  "server_flag" : "If set, certificates are flagged for server auth use. Defaults to true.",
  "generate_lease" : "If set, certificates issued/signed against this role will have Vault leases attached to them. Defaults to \"false\". Certificates can be added to the CRL by \"vault revoke \" when certificates are associated with leases. It can also be done using the \"pki/revoke\" endpoint. However, when lease generation is disabled, invoking \"pki/revoke\" would be the only way to add the certificates to the CRL. When large number of certificates are generated with long lifetimes, it is recommended that lease generation be disabled, as large amount of leases adversely affect the startup time of Vault.",
  "ttl" : "The lease duration if no specific lease duration is requested. The lease duration controls the expiration of certificates issued by this backend. Defaults to the value of max_ttl.",
  "use_csr_sans" : "If set, when used with a signing profile, the SANs in the CSR will be used. This does *not* include the Common Name (cn). Defaults to true.",
  "not_before_duration" : "The duration before now the cert needs to be created / signed.",
  "key_bits" : "The number of bits to use. You will almost certainly want to change this if you adjust the key_type.",
  "require_cn" : "If set to false, makes the 'common_name' field optional while generating a certificate.",
  "allow_ip_sans" : "If set, IP Subject Alternative Names are allowed. Any valid IP is accepted.",
  "code_signing_flag" : "If set, certificates are flagged for code signing use. Defaults to false.",
  "policy_identifiers" : [ "string" ],
  "allow_glob_domains" : "If set, domains specified in \"allowed_domains\" can include glob patterns, e.g. \"ftp*.example.com\". See the documentation for more information.",
  "organization" : [ "string" ],
  "use_csr_common_name" : "If set, when used with a signing profile, the common name in the CSR will be used. This does *not* include any requested Subject Alternative Names. Defaults to true.",
  "ext_key_usage" : [ "string" ],
  "postal_code" : [ "string" ],
  "ext_key_usage_oids" : [ "string" ],
  "client_flag" : "If set, certificates are flagged for client auth use. Defaults to true."
}

postPkiRootGenerateExported

Generate a new CA certificate and private key used for signing.

Parameters

exported (required)

Must be "internal" or "exported". If set to "exported", the generated private key will be returned. This is your only chance to retrieve the private key!

Type: string

$body

Type: object

{
  "other_sans" : [ "string" ],
  "country" : [ "string" ],
  "street_address" : [ "string" ],
  "key_type" : "The type of key to use; defaults to RSA. \"rsa\" and \"ec\" are the only valid values.",
  "ou" : [ "string" ],
  "format" : "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".",
  "locality" : [ "string" ],
  "private_key_format" : "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".",
  "alt_names" : "The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses.",
  "serial_number" : "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.",
  "exclude_cn_from_sans" : "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).",
  "uri_sans" : [ "string" ],
  "max_path_length" : "The maximum allowable path length",
  "ttl" : "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.",
  "key_bits" : "The number of bits to use. You will almost certainly want to change this if you adjust the key_type.",
  "permitted_dns_domains" : [ "string" ],
  "province" : [ "string" ],
  "ip_sans" : [ "string" ],
  "organization" : [ "string" ],
  "common_name" : "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans.",
  "postal_code" : [ "string" ]
}

postPkiRootSignIntermediate

Issue an intermediate CA certificate based on the provided CSR.

Parameters

$body

Type: object

{
  "other_sans" : [ "string" ],
  "country" : [ "string" ],
  "street_address" : [ "string" ],
  "csr" : "PEM-format CSR to be signed.",
  "ou" : [ "string" ],
  "format" : "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".",
  "locality" : [ "string" ],
  "private_key_format" : "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".",
  "alt_names" : "The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses.",
  "serial_number" : "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.",
  "exclude_cn_from_sans" : "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).",
  "uri_sans" : [ "string" ],
  "max_path_length" : "The maximum allowable path length",
  "ttl" : "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.",
  "permitted_dns_domains" : [ "string" ],
  "province" : [ "string" ],
  "ip_sans" : [ "string" ],
  "organization" : [ "string" ],
  "use_csr_values" : "If true, then: 1) Subject information, including names and alternate names, will be preserved from the CSR rather than using values provided in the other parameters to this path; 2) Any key usages requested in the CSR will be added to the basic set of key usages used for CA certs signed by this path; for instance, the non-repudiation flag.",
  "common_name" : "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans.",
  "postal_code" : [ "string" ]
}

postPkiRootSignSelfIssued

Signs another CA's self-issued certificate.

Parameters

$body

Type: object

{
  "certificate" : "PEM-format self-issued certificate to be signed."
}

postPkiSignRole

Request certificates using a certain role with the provided details.

Parameters

role (required)

The desired role with configuration for this request

Type: string

$body

Type: object

{
  "other_sans" : [ "string" ],
  "csr" : "PEM-format CSR to be signed.",
  "ip_sans" : [ "string" ],
  "format" : "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".",
  "private_key_format" : "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".",
  "alt_names" : "The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.",
  "serial_number" : "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.",
  "exclude_cn_from_sans" : "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).",
  "uri_sans" : [ "string" ],
  "common_name" : "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address.",
  "ttl" : "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL."
}

postPkiSignVerbatim

Request certificates using a certain role with the provided details.

Parameters

$body

Type: object

{
  "other_sans" : [ "string" ],
  "csr" : "PEM-format CSR to be signed. Values will be taken verbatim from the CSR, except for basic constraints.",
  "role" : "The desired role with configuration for this request",
  "key_usage" : [ "string" ],
  "format" : "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".",
  "private_key_format" : "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".",
  "alt_names" : "The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.",
  "serial_number" : "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.",
  "exclude_cn_from_sans" : "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).",
  "uri_sans" : [ "string" ],
  "ttl" : "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL.",
  "ip_sans" : [ "string" ],
  "common_name" : "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address.",
  "ext_key_usage" : [ "string" ],
  "ext_key_usage_oids" : [ "string" ]
}

postPkiSignVerbatimRole

Request certificates using a certain role with the provided details.

Parameters

role (required)

The desired role with configuration for this request

Type: string

$body

Type: object

{
  "other_sans" : [ "string" ],
  "csr" : "PEM-format CSR to be signed. Values will be taken verbatim from the CSR, except for basic constraints.",
  "key_usage" : [ "string" ],
  "format" : "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".",
  "private_key_format" : "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".",
  "alt_names" : "The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.",
  "serial_number" : "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.",
  "exclude_cn_from_sans" : "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).",
  "uri_sans" : [ "string" ],
  "ttl" : "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL.",
  "ip_sans" : [ "string" ],
  "common_name" : "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address.",
  "ext_key_usage" : [ "string" ],
  "ext_key_usage_oids" : [ "string" ]
}

postPkiTidy

Tidy up the backend by removing expired certificates, revocation information, or both.

Parameters

$body

Type: object

{
  "tidy_revocation_list" : "Deprecated; synonym for 'tidy_revoked_certs",
  "tidy_cert_store" : "Set to true to enable tidying up the certificate store",
  "tidy_revoked_certs" : "Set to true to expire all revoked and expired certificates, removing them both from the CRL and from storage. The CRL will be rotated if this causes any values to be removed.",
  "safety_buffer" : "The amount of extra time that must have passed beyond certificate expiration before it is removed from the backend storage and/or revocation list. Defaults to 72 hours."
}

postRabbitmqConfigConnection

Configure the connection URI, username, and password to talk to RabbitMQ management HTTP API.

Parameters

$body

Type: object

{
  "verify_connection" : "If set, connection_uri is verified by actually connecting to the RabbitMQ management API",
  "connection_uri" : "RabbitMQ Management URI",
  "password" : "Password of the provided RabbitMQ management user",
  "username" : "Username of a RabbitMQ management administrator"
}

postRabbitmqConfigLease

Configure the lease parameters for generated credentials

Parameters

$body

Type: object

{
  "max_ttl" : "Duration after which the issued credentials should not be allowed to be renewed",
  "ttl" : "Duration before which the issued credentials needs renewal"
}

postRabbitmqRolesName

Manage the roles that can be created with this backend.

Parameters

name (required)

Name of the role.

Type: string

$body

Type: object

{
  "vhosts" : "A map of virtual hosts to permissions.",
  "vhost_topics" : "A nested map of virtual hosts and exchanges to topic permissions.",
  "tags" : "Comma-separated list of tags for this role."
}

postSecretConfig

Configure backend level settings that are applied to every key in the key-value store.

Parameters

$body

Type: object

{
  "cas_required" : "If true, the backend will require the cas parameter to be set for each write",
  "delete_version_after" : "If set, the length of time before a version is deleted. A negative duration disables the use of delete_version_after on all keys. A zero duration clears the current setting. Accepts a Go duration format string.",
  "max_versions" : "The number of versions to keep for each key. Defaults to 10"
}

postSecretDataPath

Write, Read, and Delete data in the Key-Value Store.

Parameters

path (required)

Location of the secret.

Type: string

$body

Type: object

{
  "data" : { },
  "options" : { },
  "version" : "If provided during a read, the value at the version number will be returned"
}

postSecretDeletePath

Marks one or more versions as deleted in the KV store.

Parameters

path (required)

Location of the secret.

Type: string

$body

Type: object

{
  "versions" : [ "integer" ]
}

postSecretDestroyPath

Permanently removes one or more versions in the KV store

Parameters

path (required)

Location of the secret.

Type: string

$body

Type: object

{
  "versions" : [ "integer" ]
}

postSecretMetadataPath

Configures settings for the KV store

Parameters

path (required)

Location of the secret.

Type: string

$body

Type: object

{
  "cas_required" : "If true the key will require the cas parameter to be set on all write requests. If false, the backend’s configuration will be used.",
  "delete_version_after" : "The length of time before a version is deleted. If not set, the backend's configured delete_version_after is used. Cannot be greater than the backend's delete_version_after. A zero duration clears the current setting. A negative duration will cause an error.",
  "max_versions" : "The number of versions to keep. If not set, the backend’s configured max version is used."
}

postSecretUndeletePath

Undeletes one or more versions from the KV store.

Parameters

path (required)

Location of the secret.

Type: string

$body

Type: object

{
  "versions" : [ "integer" ]
}

postSshConfigCa

Set the SSH private key used for signing certificates.

Parameters

$body

Type: object

{
  "public_key" : "Public half of the SSH key that will be used to sign certificates.",
  "private_key" : "Private half of the SSH key that will be used to sign certificates.",
  "generate_signing_key" : "Generate SSH key pair internally rather than use the private_key and public_key fields."
}

postSshConfigZeroaddress

Assign zero address as default CIDR block for select roles.

Parameters

$body

Type: object

{
  "roles" : [ "string" ]
}

postSshCredsRole

Creates a credential for establishing an SSH connection with the remote host.

Parameters

role (required)

[Required] Name of the role

Type: string

$body

Type: object

{
  "ip" : "[Required] IP of the remote host",
  "username" : "[Optional] Username in remote host"
}

postSshKeysKey_name

Register a shared private key with Vault.

Parameters

key_name (required)

[Required] Name of the key

Type: string

$body

Type: object

{
  "key" : "[Required] SSH private key with super user privileges in host"
}

postSshLookup

List all the roles associated with the given IP address.

Parameters

$body

Type: object

{
  "ip" : "[Required] IP address of remote host"
}

postSshRolesRole

Manage the 'roles' that can be created with this backend.

Parameters

role (required)

[Required for all types] Name of the role being created.

Type: string

$body

Type: object

{
  "allow_subdomains" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] If set, host certificates that are requested are allowed to use subdomains of those listed in \"allowed_domains\".",
  "allow_host_certificates" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] If set, certificates are allowed to be signed for use as a 'host'.",
  "allowed_domains" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] If this option is not specified, client can request for a signed certificate for any valid host. If only certain domains are allowed, then this list enforces it.",
  "key_type" : "[Required for all types] Type of key used to login to hosts. It can be either 'otp', 'dynamic' or 'ca'. 'otp' type requires agent to be installed in remote hosts.",
  "max_ttl" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] The maximum allowed lease duration",
  "default_critical_options" : { },
  "allow_bare_domains" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] If set, host certificates that are requested are allowed to use the base domains listed in \"allowed_domains\", e.g. \"example.com\". This is a separate option as in some cases this can be considered a security threat.",
  "install_script" : "[Optional for Dynamic type] [Not-applicable for OTP type] [Not applicable for CA type] Script used to install and uninstall public keys in the target machine. The inbuilt default install script will be for Linux hosts. For sample script, refer the project documentation website.",
  "allowed_extensions" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] A comma-separated list of extensions that certificates can have when signed. To allow any extensions, set this to an empty string.",
  "allowed_user_key_lengths" : { },
  "key" : "[Required for Dynamic type] [Not applicable for OTP type] [Not applicable for CA type] Name of the registered key in Vault. Before creating the role, use the 'keys/' endpoint to create a named key.",
  "allow_user_certificates" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] If set, certificates are allowed to be signed for use as a 'user'.",
  "exclude_cidr_list" : "[Optional for Dynamic type] [Optional for OTP type] [Not applicable for CA type] Comma separated list of CIDR blocks. IP addresses belonging to these blocks are not accepted by the role. This is particularly useful when big CIDR blocks are being used by the role and certain parts of it needs to be kept out.",
  "ttl" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] The lease duration if no specific lease duration is requested. The lease duration controls the expiration of certificates issued by this backend. Defaults to the value of max_ttl.",
  "allowed_critical_options" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] A comma-separated list of critical options that certificates can have when signed. To allow any critical options, set this to an empty string.",
  "key_bits" : "[Optional for Dynamic type] [Not applicable for OTP type] [Not applicable for CA type] Length of the RSA dynamic key in bits. It is 1024 by default or it can be 2048.",
  "key_id_format" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] When supplied, this value specifies a custom format for the key id of a signed certificate. The following variables are available for use: '{{token_display_name}}' - The display name of the token used to make the request. '{{role_name}}' - The name of the role signing the request. '{{public_key_hash}}' - A SHA256 checksum of the public key that is being signed.",
  "key_option_specs" : "[Optional for Dynamic type] [Not applicable for OTP type] [Not applicable for CA type] Comma separated option specifications which will be prefixed to RSA key in authorized_keys file. Options should be valid and comply with authorized_keys file format and should not contain spaces.",
  "allowed_users" : "[Optional for all types] [Works differently for CA type] If this option is not specified, or is '*', client can request a credential for any valid user at the remote host, including the admin user. If only certain usernames are to be allowed, then this list enforces it. If this field is set, then credentials can only be created for default_user and usernames present in this list. Setting this option will enable all the users with access to this role to fetch credentials for all other usernames in this list. Use with caution. N.B.: with the CA type, an empty list means that no users are allowed; explicitly specify '*' to allow any user.",
  "allow_user_key_ids" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] If true, users can override the key ID for a signed certificate with the \"key_id\" field. When false, the key ID will always be the token display name. The key ID is logged by the SSH server and can be useful for auditing.",
  "port" : "[Optional for Dynamic type] [Optional for OTP type] [Not applicable for CA type] Port number for SSH connection. Default is '22'. Port number does not play any role in creation of OTP. For 'otp' type, this is just a way to inform client about the port number to use. Port number will be returned to client by Vault server along with OTP.",
  "default_user" : "[Required for Dynamic type] [Required for OTP type] [Optional for CA type] Default username for which a credential will be generated. When the endpoint 'creds/' is used without a username, this value will be used as default username.",
  "default_extensions" : { },
  "cidr_list" : "[Optional for Dynamic type] [Optional for OTP type] [Not applicable for CA type] Comma-separated list of CIDR blocks to which the role applies. A CIDR block can belong to more than one role.",
  "admin_user" : "[Required for Dynamic type] [Not applicable for OTP type] [Not applicable for CA type] Admin user at the remote host. The shared key being registered should be for this user and should have root privileges. Every time a dynamic credential is generated for another user, Vault uses this admin username to log in to the remote host and install the generated credential for that user."
}

postSshSignRole

Request signing an SSH key using a certain role with the provided details.

Parameters

role (required)

The desired role with configuration for this request.

Type: string

$body

Type: object

{
  "public_key" : "SSH public key that should be signed.",
  "cert_type" : "Type of certificate to be created; either \"user\" or \"host\".",
  "extensions" : { },
  "critical_options" : { },
  "key_id" : "Key id that the created certificate should have. If not specified, the display name of the token will be used.",
  "valid_principals" : "Valid principals, either usernames or hostnames, that the certificate should be signed for.",
  "ttl" : "The requested Time To Live for the SSH certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be later than the role max TTL."
}

postSshVerify

Validate the OTP provided by Vault SSH Agent.

Parameters

$body

Type: object

{
  "otp" : "[Required] One-Time-Key that needs to be validated"
}

postSysAuditHashPath

The hash of the given string via the given audit backend

Parameters

path (required)

The name of the backend. Cannot be delimited. Example: "mysql"

Type: string

$body

Type: object

{
  "input" : "string"
}

postSysAuditPath

Enable a new audit device at the supplied path.

Parameters

path (required)

The name of the backend. Cannot be delimited. Example: "mysql"

Type: string

$body

Type: object

{
  "options" : { },
  "description" : "User-friendly description for this audit backend.",
  "type" : "The type of the backend. Example: \"mysql\"",
  "local" : "Mark the mount as a local mount, which is not replicated and is unaffected by replication."
}

postSysAuthPath

After enabling, the auth method can be accessed and configured via the auth path specified as part of the URL. This auth path will be nested under the auth prefix.

For example, enabling the "foo" auth method will make it accessible at /auth/foo.

Parameters

path (required)

The path to mount to. Cannot be delimited. Example: "user"

Type: string

$body

Type: object

{
  "seal_wrap" : "Whether to turn on seal wrapping for the mount.",
  "options" : { },
  "description" : "User-friendly description for this credential backend.",
  "external_entropy_access" : "Whether to give the mount access to Vault's external entropy.",
  "plugin_name" : "Name of the auth plugin to use, based on the name in the plugin catalog.",
  "type" : "The type of the backend. Example: \"userpass\"",
  "config" : { },
  "local" : "Mark the mount as a local mount, which is not replicated and is unaffected by replication."
}

postSysAuthPathTune

This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via sys/mounts/auth/[auth-path]/tune.

Parameters

path (required)

Tune the configuration parameters for an auth path.

Type: string

$body

Type: object

{
  "listing_visibility" : "Determines the visibility of the mount in the UI-specific listing endpoint. Accepted values are 'unauth' and ''.",
  "audit_non_hmac_request_keys" : [ "string" ],
  "max_lease_ttl" : "The max lease TTL for this mount.",
  "passthrough_request_headers" : [ "string" ],
  "default_lease_ttl" : "The default lease TTL for this mount.",
  "options" : { },
  "description" : "User-friendly description for this credential backend.",
  "allowed_response_headers" : [ "string" ],
  "token_type" : "The type of token to issue (service or batch).",
  "audit_non_hmac_response_keys" : [ "string" ]
}

postSysCapabilities

Fetches the capabilities of the given token on the given path.

Parameters

$body

Type: object

{
  "path" : [ "string" ],
  "paths" : [ "string" ],
  "token" : "Token for which capabilities are being queried."
}

postSysCapabilitiesAccessor

Fetches the capabilities of the token associated with the given accessor, on the given path.

Parameters

$body

Type: object

{
  "path" : [ "string" ],
  "paths" : [ "string" ],
  "accessor" : "Accessor of the token for which capabilities are being queried."
}

postSysCapabilitiesSelf

Fetches the capabilities of the given token on the given path.

Parameters

$body

Type: object

{
  "path" : [ "string" ],
  "paths" : [ "string" ],
  "token" : "Token for which capabilities are being queried."
}

postSysConfigAuditingRequestHeadersHeader

Enable auditing of a header.

Parameters

header (required)

Type: string

$body

Type: object

{
  "hmac" : "boolean"
}

postSysConfigCors

Configure the CORS settings.

Parameters

$body

Type: object

{
  "allowed_headers" : [ "string" ],
  "enable" : "Enables or disables CORS headers on requests.",
  "allowed_origins" : [ "string" ]
}

postSysConfigUiHeadersHeader

Configure the values to be returned for the UI header.

Parameters

header (required)

The name of the header.

Type: string

$body

Type: object

{
  "values" : [ "string" ]
}

postSysGenerateRoot

Only a single root generation attempt can take place at a time. One (and only one) of otp or pgp_key is required.

Parameters

$body

Type: object

{
  "pgp_key" : "Specifies a base64-encoded PGP public key."
}

postSysGenerateRootAttempt

Only a single root generation attempt can take place at a time. One (and only one) of otp or pgp_key is required.

Parameters

$body

Type: object

{
  "pgp_key" : "Specifies a base64-encoded PGP public key."
}

postSysGenerateRootUpdate

If the threshold number of master key shares is reached, Vault will complete the root generation and issue the new token. Otherwise, this API must be called multiple times until that threshold is met. The attempt nonce must be provided with each call.

Parameters

$body

Type: object

{
  "nonce" : "Specifies the nonce of the attempt.",
  "key" : "Specifies a single master key share."
}

postSysInit

The Vault must not have been previously initialized. The recovery options, as well as the stored shares option, are only available when using Vault HSM.

Parameters

$body

Type: object

{
  "recovery_pgp_keys" : [ "string" ],
  "stored_shares" : "Specifies the number of shares that should be encrypted by the HSM and stored for auto-unsealing. Currently must be the same as `secret_shares`.",
  "secret_threshold" : "Specifies the number of shares required to reconstruct the master key. This must be less than or equal to secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as `secret_shares`.",
  "recovery_shares" : "Specifies the number of shares to split the recovery key into.",
  "secret_shares" : "Specifies the number of shares to split the master key into.",
  "pgp_keys" : [ "string" ],
  "recovery_threshold" : "Specifies the number of shares required to reconstruct the recovery key. This must be less than or equal to `recovery_shares`.",
  "root_token_pgp_key" : "Specifies a PGP public key used to encrypt the initial root token. The key must be base64-encoded from its original binary representation."
}

postSysLeasesLookup

Retrieve lease metadata.

Parameters

$body

Type: object

{
  "lease_id" : "The lease identifier to look up. This is included with a lease."
}

postSysLeasesRenew

Renews a lease, requesting to extend the lease.

Parameters

$body

Type: object

{
  "url_lease_id" : "The lease identifier to renew. This is included with a lease.",
  "increment" : "The desired increment in seconds to the lease",
  "lease_id" : "The lease identifier to renew. This is included with a lease."
}

postSysLeasesRenewUrl_lease_id

Renews a lease, requesting to extend the lease.

Parameters

url_lease_id (required)

The lease identifier to renew. This is included with a lease.

Type: string

$body

Type: object

{
  "increment" : "The desired increment in seconds to the lease",
  "lease_id" : "The lease identifier to renew. This is included with a lease."
}

postSysLeasesRevoke

Revokes a lease immediately.

Parameters

$body

Type: object

{
  "url_lease_id" : "The lease identifier to revoke. This is included with a lease.",
  "sync" : "Whether or not to perform the revocation synchronously",
  "lease_id" : "The lease identifier to revoke. This is included with a lease."
}

postSysLeasesRevokeForcePrefix

Unlike /sys/leases/revoke-prefix, this path ignores backend errors encountered during revocation. This is potentially very dangerous and should only be used in specific emergency situations where errors in the backend or the connected backend service prevent normal revocation.

By ignoring these errors, Vault abdicates responsibility for ensuring that the issued credentials or secrets are properly revoked and/or cleaned up. Access to this endpoint should be tightly controlled.

Parameters

prefix (required)

The path to revoke keys under. Example: "prod/aws/ops"

Type: string

postSysLeasesRevokePrefixPrefix

Revokes all secrets (via a lease ID prefix) or tokens (via the tokens' path property) generated under a given prefix immediately.

Parameters

prefix (required)

The path to revoke keys under. Example: "prod/aws/ops"

Type: string

$body

Type: object

{
  "sync" : "Whether or not to perform the revocation synchronously"
}

postSysLeasesRevokeUrl_lease_id

Revokes a lease immediately.

Parameters

url_lease_id (required)

The lease identifier to revoke. This is included with a lease.

Type: string

$body

Type: object

{
  "sync" : "Whether or not to perform the revocation synchronously",
  "lease_id" : "The lease identifier to revoke. This is included with a lease."
}

postSysLeasesTidy

This endpoint performs cleanup tasks that can be run if certain error conditions have occurred.

This operation has no parameters

postSysMountsPath

Enable a new secrets engine at the given path.

Parameters

path (required)

The path to mount to. Example: "aws/east"

Type: string

$body

Type: object

{
  "seal_wrap" : "Whether to turn on seal wrapping for the mount.",
  "options" : { },
  "description" : "User-friendly description for this mount.",
  "external_entropy_access" : "Whether to give the mount access to Vault's external entropy.",
  "plugin_name" : "Name of the plugin to mount, based on the name registered in the plugin catalog.",
  "type" : "The type of the backend. Example: \"passthrough\"",
  "config" : { },
  "local" : "Mark the mount as a local mount, which is not replicated and is unaffected by replication."
}

postSysMountsPathTune

Tune backend configuration parameters for this mount.

Parameters

path (required)

The path to mount to. Example: "aws/east"

Type: string

$body

Type: object

{
  "listing_visibility" : "Determines the visibility of the mount in the UI-specific listing endpoint. Accepted values are 'unauth' and ''.",
  "audit_non_hmac_request_keys" : [ "string" ],
  "max_lease_ttl" : "The max lease TTL for this mount.",
  "passthrough_request_headers" : [ "string" ],
  "default_lease_ttl" : "The default lease TTL for this mount.",
  "options" : { },
  "description" : "User-friendly description for this credential backend.",
  "allowed_response_headers" : [ "string" ],
  "token_type" : "The type of token to issue (service or batch).",
  "audit_non_hmac_response_keys" : [ "string" ]
}

postSysPluginsCatalogName

Register a new plugin, or update an existing one with the supplied name.

Parameters

name (required)

The name of the plugin

Type: string

$body

Type: object

{
  "args" : [ "string" ],
  "sha256" : "The SHA256 sum of the executable used in the command field. This should be HEX encoded.",
  "sha_256" : "The SHA256 sum of the executable used in the command field. This should be HEX encoded.",
  "env" : [ "string" ],
  "type" : "The type of the plugin, may be auth, secret, or database",
  "command" : "The command used to start the plugin. The executable defined in this command must exist in vault's plugin directory."
}

postSysPluginsCatalogTypeName

Register a new plugin, or update an existing one with the supplied name.

Parameters

name (required)

The name of the plugin

Type: string

type (required)

The type of the plugin, may be auth, secret, or database

Type: string

$body

Type: object

{
  "args" : [ "string" ],
  "sha256" : "The SHA256 sum of the executable used in the command field. This should be HEX encoded.",
  "sha_256" : "The SHA256 sum of the executable used in the command field. This should be HEX encoded.",
  "env" : [ "string" ],
  "command" : "The command used to start the plugin. The executable defined in this command must exist in vault's plugin directory."
}

postSysPluginsReloadBackend

Either the plugin name (plugin) or the desired plugin backend mounts (mounts) must be provided, but not both. In the case that the plugin name is provided, all mounted paths that use that plugin backend will be reloaded.

Parameters

$body

Type: object

{
  "plugin" : "The name of the plugin to reload, as registered in the plugin catalog.",
  "mounts" : [ "string" ]
}

postSysPoliciesAclName

Add a new or update an existing ACL policy.

Parameters

name (required)

The name of the policy. Example: "ops"

Type: string

$body

Type: object

{
  "policy" : "The rules of the policy."
}

postSysPolicyName

Add a new or update an existing policy.

Parameters

name (required)

The name of the policy. Example: "ops"

Type: string

$body

Type: object

{
  "rules" : "The rules of the policy.",
  "policy" : "The rules of the policy."
}

postSysRaw

Update the value of the key at the given path.

Parameters

$body

Type: object

{
  "path" : "string",
  "value" : "string"
}

postSysRawPath

Update the value of the key at the given path.

Parameters

path (required)

Type: string

$body

Type: object

{
  "value" : "string"
}

postSysRekeyInit

Only a single rekey attempt can take place at a time, and changing the parameters of a rekey requires canceling and starting a new rekey, which will also provide a new nonce.

Parameters

$body

Type: object

{
  "backup" : "Specifies if using PGP-encrypted keys, whether Vault should also store a plaintext backup of the PGP-encrypted keys.",
  "secret_threshold" : "Specifies the number of shares required to reconstruct the master key. This must be less than or equal to secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as secret_shares.",
  "require_verification" : "Turns on verification functionality",
  "secret_shares" : "Specifies the number of shares to split the master key into.",
  "pgp_keys" : [ "string" ]
}

postSysRekeyUpdate

Enter a single master key share to progress the rekey of the Vault.

Parameters

$body

Type: object

{
  "nonce" : "Specifies the nonce of the rekey attempt.",
  "key" : "Specifies a single master key share."
}

postSysRekeyVerify

Enter a single new key share to progress the rekey verification operation.

Parameters

$body

Type: object

{
  "nonce" : "Specifies the nonce of the rekey verification operation.",
  "key" : "Specifies a single master key share from the new set of shares."
}

postSysRemount

Move the mount point of an already-mounted backend.

Parameters

$body

Type: object

{
  "from" : "The previous mount point.",
  "to" : "The new mount point."
}

postSysRenew

Renews a lease, requesting to extend the lease.

Parameters

$body

Type: object

{
  "url_lease_id" : "The lease identifier to renew. This is included with a lease.",
  "increment" : "The desired increment in seconds to the lease",
  "lease_id" : "The lease identifier to renew. This is included with a lease."
}

postSysRenewUrl_lease_id

Renews a lease, requesting to extend the lease.

Parameters

url_lease_id (required)

The lease identifier to renew. This is included with a lease.

Type: string

$body

Type: object

{
  "increment" : "The desired increment in seconds to the lease",
  "lease_id" : "The lease identifier to renew. This is included with a lease."
}

postSysRevoke

Revokes a lease immediately.

Parameters

$body

Type: object

{
  "url_lease_id" : "The lease identifier to revoke. This is included with a lease.",
  "sync" : "Whether or not to perform the revocation synchronously",
  "lease_id" : "The lease identifier to revoke. This is included with a lease."
}

postSysRevokeForcePrefix

Unlike /sys/leases/revoke-prefix, this path ignores backend errors encountered during revocation. This is potentially very dangerous and should only be used in specific emergency situations where errors in the backend or the connected backend service prevent normal revocation.

By ignoring these errors, Vault abdicates responsibility for ensuring that the issued credentials or secrets are properly revoked and/or cleaned up. Access to this endpoint should be tightly controlled.

Parameters

prefix (required)

The path to revoke keys under. Example: "prod/aws/ops"

Type: string

postSysRevokePrefixPrefix

Revokes all secrets (via a lease ID prefix) or tokens (via the tokens' path property) generated under a given prefix immediately.

Parameters

prefix (required)

The path to revoke keys under. Example: "prod/aws/ops"

Type: string

$body

Type: object

{
  "sync" : "Whether or not to perform the revocation synchronously"
}

postSysRevokeUrl_lease_id

Revokes a lease immediately.

Parameters

url_lease_id (required)

The lease identifier to revoke. This is included with a lease.

Type: string

$body

Type: object

{
  "sync" : "Whether or not to perform the revocation synchronously",
  "lease_id" : "The lease identifier to revoke. This is included with a lease."
}

postSysRotate

Rotates the backend encryption key used to persist data.

This operation has no parameters

postSysSeal

Seal the Vault.

This operation has no parameters

postSysStepDown

This endpoint forces the node to give up active status. If the node does not have active status, this endpoint does nothing. Note that the node will sleep for ten seconds before attempting to grab the active lock again, but if no standby nodes grab the active lock in the interim, the same node may become the active node again.

This operation has no parameters

postSysToolsHash

Generate a hash sum for input data

Parameters

$body

Type: object

{
  "input" : "The base64-encoded input data",
  "urlalgorithm" : "Algorithm to use (POST URL parameter)",
  "format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"hex\".",
  "algorithm" : "Algorithm to use (POST body parameter). Valid values are: sha2-224, sha2-256, sha2-384, sha2-512. Defaults to \"sha2-256\"."
}

postSysToolsHashUrlalgorithm

Generate a hash sum for input data

Parameters

urlalgorithm (required)

Algorithm to use (POST URL parameter)

Type: string

$body

Type: object

{
  "input" : "The base64-encoded input data",
  "format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"hex\".",
  "algorithm" : "Algorithm to use (POST body parameter). Valid values are: sha2-224, sha2-256, sha2-384, sha2-512. Defaults to \"sha2-256\"."
}

postSysToolsRandom

Generate random bytes

Parameters

$body

Type: object

{
  "urlbytes" : "The number of bytes to generate (POST URL parameter)",
  "bytes" : "The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).",
  "format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"base64\"."
}

postSysToolsRandomUrlbytes

Generate random bytes

Parameters

urlbytes (required)

The number of bytes to generate (POST URL parameter)

Type: string

$body

Type: object

{
  "bytes" : "The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).",
  "format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"base64\"."
}

postSysUnseal

Unseal the Vault.

Parameters

$body

Type: object

{
  "reset" : "Specifies if previously-provided unseal keys are discarded and the unseal process is reset.",
  "key" : "Specifies a single master key share. This is required unless reset is true."
}

postSysWrappingLookup

Look up wrapping properties for the given token.

Parameters

$body

Type: object

{
  "token" : "string"
}

postSysWrappingRewrap

Rotates a response-wrapped token.

Parameters

$body

Type: object

{
  "token" : "string"
}

postSysWrappingUnwrap

Unwraps a response-wrapped token.

Parameters

$body

Type: object

{
  "token" : "string"
}

postSysWrappingWrap

Response-wraps an arbitrary JSON object.

This operation has no parameters

postTotpCodeName

Request a time-based one-time password, or validate a password, for a certain key.

Parameters

name (required)

Name of the key.

Type: string

$body

Type: object

{
  "code" : "TOTP code to be validated."
}

postTotpKeysName

Manage the keys that can be created with this backend.

Parameters

name (required)

Name of the key.

Type: string

$body

Type: object

{
  "exported" : "Determines if a QR code and URL are returned upon generating a key. Only used if generate is true.",
  "period" : "The length of time used to generate a counter for the TOTP token calculation.",
  "qr_size" : "The pixel size of the generated square QR code. Only used if generate is true and exported is true. If this value is 0, a QR code will not be returned.",
  "account_name" : "The name of the account associated with the key. Required if generate is true.",
  "digits" : "The number of digits in the generated TOTP token. This value can either be 6 or 8.",
  "generate" : "Determines if a key should be generated by Vault or if a key is being passed from another service.",
  "issuer" : "The name of the key's issuing organization. Required if generate is true.",
  "key" : "The shared master key used to generate a TOTP token. Only used if generate is false.",
  "url" : "A TOTP url string containing all of the parameters for key setup. Only used if generate is false.",
  "algorithm" : "The hashing algorithm used to generate the TOTP token. Options include SHA1, SHA256 and SHA512.",
  "key_size" : "Determines the size in bytes of the generated key. Only used if generate is true.",
  "skew" : "The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. Only used if generate is true."
}

postTransitCacheConfig

Configures a new cache of the specified size

Parameters

$body

Type: object

{
  "size" : "Size of cache, use 0 for an unlimited cache size, defaults to 0"
}

postTransitDatakeyPlaintextName

Generate a data key

Parameters

name (required)

The backend key used for encrypting the data key

Type: string

plaintext (required)

"plaintext" will return the key in both plaintext and ciphertext; "wrapped" will return the ciphertext only.

Type: string

$body

Type: object

{
  "key_version" : "The version of the Vault key to use for encryption of the data key. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.",
  "bits" : "Number of bits for the key; currently 128, 256, and 512 bits are supported. Defaults to 256.",
  "context" : "Context for key derivation. Required for derived keys.",
  "nonce" : "Nonce for when convergent encryption v1 is used (only in Vault 0.6.1)"
}

postTransitDecryptName

Decrypt a ciphertext value using a named key

Parameters

name (required)

Name of the policy

Type: string

$body

Type: object

{
  "ciphertext" : "The ciphertext to decrypt, provided as returned by encrypt.",
  "context" : "Base64 encoded context for key derivation. Required if key derivation is enabled.",
  "nonce" : "Base64 encoded nonce value used during encryption. Must be provided if convergent encryption is enabled for this key and the key was generated with Vault 0.6.1. Not required for keys created in 0.6.2+."
}

postTransitEncryptName

Encrypt a plaintext value or a batch of plaintext blocks using a named key

Parameters

name (required)

Name of the policy

Type: string

$body

Type: object

{
  "convergent_encryption" : "This parameter will only be used when a key is expected to be created. Whether to support convergent encryption. This is only supported when using a key with key derivation enabled and will require all requests to carry both a context and 96-bit (12-byte) nonce. The given nonce will be used in place of a randomly generated nonce. As a result, when the same context and nonce are supplied, the same ciphertext is generated. It is *very important* when using this mode that you ensure that all nonces are unique for a given context. Failing to do so will severely impact the ciphertext's security.",
  "key_version" : "The version of the key to use for encryption. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.",
  "context" : "Base64 encoded context for key derivation. Required if key derivation is enabled",
  "plaintext" : "Base64 encoded plaintext value to be encrypted",
  "type" : "This parameter is required when encryption key is expected to be created. When performing an upsert operation, the type of key to create. Currently, \"aes128-gcm96\" (symmetric) and \"aes256-gcm96\" (symmetric) are the only types supported. Defaults to \"aes256-gcm96\".",
  "nonce" : "Base64 encoded nonce value. Must be provided if convergent encryption is enabled for this key and the key was generated with Vault 0.6.1. Not required for keys created in 0.6.2+. The value must be exactly 96 bits (12 bytes) long and the user must ensure that for any given context (and thus, any given encryption key) this nonce value is **never reused**."
}

postTransitHash

Generate a hash sum for input data

Parameters

$body

Type: object

{
  "input" : "The base64-encoded input data",
  "urlalgorithm" : "Algorithm to use (POST URL parameter)",
  "format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"hex\".",
  "algorithm" : "Algorithm to use (POST body parameter). Valid values are: sha2-224, sha2-256, sha2-384, sha2-512. Defaults to \"sha2-256\"."
}

postTransitHashUrlalgorithm

Generate a hash sum for input data

Parameters

urlalgorithm (required)

Algorithm to use (POST URL parameter)

Type: string

$body

Type: object

{
  "input" : "The base64-encoded input data",
  "format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"hex\".",
  "algorithm" : "Algorithm to use (POST body parameter). Valid values are: sha2-224, sha2-256, sha2-384, sha2-512. Defaults to \"sha2-256\"."
}

postTransitHmacName

Generate an HMAC for input data using the named key

Parameters

name (required)

The key to use for the HMAC function

Type: string

$body

Type: object

{
  "input" : "The base64-encoded input data",
  "urlalgorithm" : "Algorithm to use (POST URL parameter)",
  "key_version" : "The version of the key to use for generating the HMAC. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.",
  "algorithm" : "Algorithm to use (POST body parameter). Valid values are: sha2-224, sha2-256, sha2-384, sha2-512. Defaults to \"sha2-256\"."
}

postTransitHmacNameUrlalgorithm

Generate an HMAC for input data using the named key

Parameters

name (required)

The key to use for the HMAC function

Type: string

urlalgorithm (required)

Algorithm to use (POST URL parameter)

Type: string

$body

Type: object

{
  "input" : "The base64-encoded input data",
  "key_version" : "The version of the key to use for generating the HMAC. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.",
  "algorithm" : "Algorithm to use (POST body parameter). Valid values are: sha2-224, sha2-256, sha2-384, sha2-512. Defaults to \"sha2-256\"."
}

postTransitKeysName

Manage named encryption keys

Parameters

name (required)

Name of the key

Type: string

$body

Type: object

{
  "exportable" : "Enables keys to be exportable. This allows for all the valid keys in the key ring to be exported.",
  "convergent_encryption" : "Whether to support convergent encryption. This is only supported when using a key with key derivation enabled and will require all requests to carry both a context and 96-bit (12-byte) nonce. The given nonce will be used in place of a randomly generated nonce. As a result, when the same context and nonce are supplied, the same ciphertext is generated. It is *very important* when using this mode that you ensure that all nonces are unique for a given context. Failing to do so will severely impact the ciphertext's security.",
  "context" : "Base64 encoded context for key derivation. When reading a key with key derivation enabled, if the key type supports public keys, this will return the public key for the given context.",
  "allow_plaintext_backup" : "Enables taking a backup of the named key in plaintext format. Once set, this cannot be disabled.",
  "type" : "The type of key to create. Currently, \"aes128-gcm96\" (symmetric), \"aes256-gcm96\" (symmetric), \"ecdsa-p256\" (asymmetric), \"ecdsa-p384\" (asymmetric), \"ecdsa-p521\" (asymmetric), \"ed25519\" (asymmetric), \"rsa-2048\" (asymmetric), \"rsa-4096\" (asymmetric) are supported. Defaults to \"aes256-gcm96\".",
  "derived" : "Enables key derivation mode. This allows for per-transaction unique keys for encryption operations."
}

postTransitKeysNameConfig

Configure a named encryption key

Parameters

name (required)

Name of the key

Type: string

$body

Type: object

{
  "deletion_allowed" : "Whether to allow deletion of the key",
  "exportable" : "Enables export of the key. Once set, this cannot be disabled.",
  "allow_plaintext_backup" : "Enables taking a backup of the named key in plaintext format. Once set, this cannot be disabled.",
  "min_decryption_version" : "If set, the minimum version of the key allowed to be decrypted. For signing keys, the minimum version allowed to be used for verification.",
  "min_encryption_version" : "If set, the minimum version of the key allowed to be used for encryption; or for signing keys, to be used for signing. If set to zero, only the latest version of the key is allowed."
}

postTransitKeysNameRotate

Rotate named encryption key

Parameters

name (required)

Name of the key

Type: string

postTransitKeysNameTrim

Trim key versions of a named key

Parameters

name (required)

Name of the key

Type: string

$body

Type: object

{
  "min_available_version" : "The minimum available version for the key ring. All versions before this version will be permanently deleted. This value can at most be equal to the lesser of 'min_decryption_version' and 'min_encryption_version'. This is not allowed to be set when either 'min_encryption_version' or 'min_decryption_version' is set to zero."
}

postTransitRandom

Generate random bytes

Parameters

$body

Type: object

{
  "urlbytes" : "The number of bytes to generate (POST URL parameter)",
  "bytes" : "The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).",
  "format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"base64\"."
}

postTransitRandomUrlbytes

Generate random bytes

Parameters

urlbytes (required)

The number of bytes to generate (POST URL parameter)

Type: string

$body

Type: object

{
  "bytes" : "The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).",
  "format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"base64\"."
}

postTransitRestore

Restore the named key

Parameters

$body

Type: object

{
  "backup" : "Backed up key data to be restored. This should be the output from the 'backup/' endpoint.",
  "name" : "If set, this will be the name of the restored key.",
  "force" : "If set and a key by the given name exists, force the restore operation and override the key."
}

postTransitRestoreName

Restore the named key

Parameters

name (required)

If set, this will be the name of the restored key.

Type: string

$body

Type: object

{
  "backup" : "Backed up key data to be restored. This should be the output from the 'backup/' endpoint.",
  "force" : "If set and a key by the given name exists, force the restore operation and override the key."
}

postTransitRewrapName

Rewrap ciphertext

Parameters

name (required)

Name of the key

Type: string

$body

Type: object

{
  "ciphertext" : "Ciphertext value to rewrap",
  "key_version" : "The version of the key to use for encryption. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.",
  "context" : "Base64 encoded context for key derivation. Required for derived keys.",
  "nonce" : "Nonce for when convergent encryption is used"
}

postTransitSignName

Generate a signature for input data using the named key

Parameters

name (required)

The key to use

Type: string

$body

Type: object

{
  "prehashed" : "Set to 'true' when the input is already hashed. If the key type is 'rsa-2048' or 'rsa-4096', then the algorithm used to hash the input should be indicated by the 'hash_algorithm' parameter (or the deprecated 'algorithm' parameter).",
  "input" : "The base64-encoded input data",
  "urlalgorithm" : "Hash algorithm to use (POST URL parameter)",
  "key_version" : "The version of the key to use for signing. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.",
  "context" : "Base64 encoded context for key derivation. Required if key derivation is enabled; currently only available with ed25519 keys.",
  "hash_algorithm" : "Hash algorithm to use (POST body parameter). Valid values are: sha1, sha2-224, sha2-256, sha2-384, sha2-512. Defaults to \"sha2-256\". Not valid for all key types, including ed25519.",
  "signature_algorithm" : "The signature algorithm to use for signing. Currently only applies to RSA key types. Options are 'pss' or 'pkcs1v15'. Defaults to 'pss'.",
  "algorithm" : "Deprecated: use \"hash_algorithm\" instead.",
  "marshaling_algorithm" : "The method by which to marshal the signature. The default is 'asn1', which is used by openssl and X.509. It can also be set to 'jws', which is used for JWT signatures; setting it to this will also cause the encoding of the signature to be url-safe base64 instead of standard base64. Currently only valid for ECDSA P-256 key types."
}

postTransitSignNameUrlalgorithm

Generate a signature for input data using the named key

Parameters

name (required)

The key to use

Type: string

urlalgorithm (required)

Hash algorithm to use (POST URL parameter)

Type: string

$body

Type: object

{
  "prehashed" : "Set to 'true' when the input is already hashed. If the key type is 'rsa-2048' or 'rsa-4096', then the algorithm used to hash the input should be indicated by the 'hash_algorithm' parameter (or the deprecated 'algorithm' parameter).",
  "input" : "The base64-encoded input data",
  "key_version" : "The version of the key to use for signing. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.",
  "context" : "Base64 encoded context for key derivation. Required if key derivation is enabled; currently only available with ed25519 keys.",
  "hash_algorithm" : "Hash algorithm to use (POST body parameter). Valid values are: sha1, sha2-224, sha2-256, sha2-384, sha2-512. Defaults to \"sha2-256\". Not valid for all key types, including ed25519.",
  "signature_algorithm" : "The signature algorithm to use for signing. Currently only applies to RSA key types. Options are 'pss' or 'pkcs1v15'. Defaults to 'pss'.",
  "algorithm" : "Deprecated: use \"hash_algorithm\" instead.",
  "marshaling_algorithm" : "The method by which to marshal the signature. The default is 'asn1', which is used by openssl and X.509. It can also be set to 'jws', which is used for JWT signatures; setting it to this will also cause the encoding of the signature to be url-safe base64 instead of standard base64. Currently only valid for ECDSA P-256 key types."
}

postTransitVerifyName

Verify a signature or HMAC for input data created using the named key

Parameters

name (required)

The key to use

Type: string

$body

Type: object

{
  "prehashed" : "Set to 'true' when the input is already hashed. If the key type is 'rsa-2048' or 'rsa-4096', then the algorithm used to hash the input should be indicated by the 'hash_algorithm' parameter (or the deprecated 'algorithm' parameter).",
  "input" : "The base64-encoded input data to verify",
  "urlalgorithm" : "Hash algorithm to use (POST URL parameter)",
  "signature" : "The signature, including vault header/key version",
  "hmac" : "The HMAC, including vault header/key version",
  "context" : "Base64 encoded context for key derivation. Required if key derivation is enabled; currently only available with ed25519 keys.",
  "hash_algorithm" : "Hash algorithm to use (POST body parameter). Valid values are: sha1, sha2-224, sha2-256, sha2-384, sha2-512. Defaults to \"sha2-256\". Not valid for all key types.",
  "signature_algorithm" : "The signature algorithm to use for signature verification. Currently only applies to RSA key types. Options are 'pss' or 'pkcs1v15'. Defaults to 'pss'.",
  "algorithm" : "Deprecated: use \"hash_algorithm\" instead.",
  "marshaling_algorithm" : "The method by which to unmarshal the signature when verifying. The default is 'asn1', which is used by openssl and X.509. It can also be set to 'jws', which is used for JWT signatures; in that case the signature is also expected to be url-safe base64 encoded instead of standard base64 encoded. Currently only valid for ECDSA P-256 key types."
}

postTransitVerifyNameUrlalgorithm

Verify a signature or HMAC for input data created using the named key

Parameters

name (required)

The key to use

Type: string

urlalgorithm (required)

Hash algorithm to use (POST URL parameter)

Type: string

$body

Type: object

{
  "prehashed" : "Set to 'true' when the input is already hashed. If the key type is 'rsa-2048' or 'rsa-4096', then the algorithm used to hash the input should be indicated by the 'hash_algorithm' parameter (or the deprecated 'algorithm' parameter).",
  "input" : "The base64-encoded input data to verify",
  "signature" : "The signature, including vault header/key version",
  "hmac" : "The HMAC, including vault header/key version",
  "context" : "Base64 encoded context for key derivation. Required if key derivation is enabled; currently only available with ed25519 keys.",
  "hash_algorithm" : "Hash algorithm to use (POST body parameter). Valid values are: sha1, sha2-224, sha2-256, sha2-384, sha2-512. Defaults to \"sha2-256\". Not valid for all key types.",
  "signature_algorithm" : "The signature algorithm to use for signature verification. Currently only applies to RSA key types. Options are 'pss' or 'pkcs1v15'. Defaults to 'pss'.",
  "algorithm" : "Deprecated: use \"hash_algorithm\" instead.",
  "marshaling_algorithm" : "The method by which to unmarshal the signature when verifying. The default is 'asn1', which is used by openssl and X.509. It can also be set to 'jws', which is used for JWT signatures; in that case the signature is also expected to be url-safe base64 encoded instead of standard base64 encoded. Currently only valid for ECDSA P-256 key types."
}