Vault (version v1.*.*)

HTTP API that gives you full access to Vault. All API routes are prefixed with /v1/.

deleteAdConfig #

This operation has no parameters

deleteAdLibraryName #

Parameters

name (required) #

Name of the set.

Type: string

deleteAdRolesName #

Parameters

name (required) #

Name of the role

Type: string

deleteAlicloudConfig #

This operation has no parameters

deleteAlicloudRoleName #

Parameters

name (required) #

The name of the role.

Type: string

deleteAuthTokenRolesRole_name #

Parameters

role_name (required) #

Name of the role

Type: string

deleteAwsRolesName #

Parameters

name (required) #

Name of the policy

Type: string

deleteAzureConfig #

This operation has no parameters

deleteAzureRolesName #

Parameters

name (required) #

Name of the role.

Type: string

deleteConsulRolesName #

Parameters

name (required) #

Name of the role

Type: string

deleteCubbyholePath #

Parameters

path (required) #

Specifies the path of the secret.

Type: string

deleteDatabaseConfigName #

Parameters

name (required) #

Name of this database connection

Type: string

deleteDatabaseRolesName #

Parameters

name (required) #

Name of the role.

Type: string

deleteDatabaseStaticRolesName #

Parameters

name (required) #

Name of the role.

Type: string

deleteGcpRolesetName #

Parameters

name (required) #

Required. Name of the role.

Type: string

deleteGcpkmsConfig #

This operation has no parameters

deleteGcpkmsKeysDeregisterKey #

Parameters

key (required) #

Name of the key to deregister in Vault. If the key exists in Google Cloud KMS, it will be left untouched.

Type: string

deleteGcpkmsKeysKey #

Parameters

key (required) #

Name of the key in Vault.

Type: string

deleteGcpkmsKeysTrimKey #

Parameters

key (required) #

Name of the key in Vault.

Type: string

deleteIdentityAliasIdId #

Parameters

id (required) #

ID of the alias

Type: string

deleteIdentityEntityAliasIdId #

Parameters

id (required) #

ID of the alias

Type: string

deleteIdentityEntityIdId #

Parameters

id (required) #

ID of the entity. If set, updates the corresponding existing entity.

Type: string

deleteIdentityEntityNameName #

Parameters

name (required) #

Name of the entity

Type: string

deleteIdentityGroupAliasIdId #

Parameters

id (required) #

ID of the group alias.

Type: string

deleteIdentityGroupIdId #

Parameters

id (required) #

ID of the group. If set, updates the corresponding existing group.

Type: string

deleteIdentityGroupNameName #

Parameters

name (required) #

Name of the group.

Type: string

deleteIdentityOidcKeyName #

Parameters

name (required) #

Name of the key

Type: string

deleteIdentityOidcRoleName #

Parameters

name (required) #

Name of the role

Type: string

deleteIdentityPersonaIdId #

Parameters

id (required) #

ID of the persona

Type: string

deleteNomadConfigAccess #

This operation has no parameters

deleteNomadConfigLease #

This operation has no parameters

deleteNomadRoleName #

Parameters

name (required) #

Name of the role

Type: string

deletePkiRolesName #

Parameters

name (required) #

Name of the role

Type: string

deletePkiRoot #

This operation has no parameters

deleteRabbitmqRolesName #

Parameters

name (required) #

Name of the role.

Type: string

deleteSecretDataPath #

Parameters

path (required) #

Location of the secret.

Type: string

deleteSecretMetadataPath #

Parameters

path (required) #

Location of the secret.

Type: string

deleteSshConfigCa #

This operation has no parameters

deleteSshConfigZeroaddress #

This operation has no parameters

deleteSshKeysKey_name #

Parameters

key_name (required) #

[Required] Name of the key

Type: string

deleteSshRolesRole #

Parameters

role (required) #

[Required for all types] Name of the role being created.

Type: string

deleteSysAuditPath #

Parameters

path (required) #

The name of the backend. Cannot be delimited. Example: "mysql"

Type: string

deleteSysAuthPath #

Parameters

path (required) #

The path to mount to. Cannot be delimited. Example: "user"

Type: string

deleteSysConfigAuditingRequestHeadersHeader #

Parameters

header (required) #

Type: string

deleteSysConfigCors #

This operation has no parameters

deleteSysConfigUiHeadersHeader #

Parameters

header (required) #

The name of the header.

Type: string

deleteSysGenerateRoot #

This operation has no parameters

deleteSysGenerateRootAttempt #

This operation has no parameters

deleteSysMountsPath #

Parameters

path (required) #

The path to mount to. Example: "aws/east"

Type: string

deleteSysPluginsCatalogName #

Parameters

name (required) #

The name of the plugin

Type: string

deleteSysPluginsCatalogTypeName #

Parameters

name (required) #

The name of the plugin

Type: string

type (required) #

The type of the plugin, may be auth, secret, or database

Type: string

deleteSysPoliciesAclName #

Parameters

name (required) #

The name of the policy. Example: "ops"

Type: string

deleteSysPolicyName #

Parameters

name (required) #

The name of the policy. Example: "ops"

Type: string

deleteSysRaw #

This operation has no parameters

deleteSysRawPath #

Parameters

path (required) #

Type: string

deleteSysRekeyBackup #

This operation has no parameters

deleteSysRekeyInit #

This clears the rekey settings as well as any progress made. This must be called to change the parameters of the rekey. Note: verification is still a part of a rekey. If rekeying is canceled during the verification flow, the current unseal keys remain valid.

This operation has no parameters

deleteSysRekeyRecoveryKeyBackup #

This operation has no parameters

deleteSysRekeyVerify #

This clears any progress made and resets the nonce. Unlike a DELETE against sys/rekey/init, this only resets the current verification operation, not the entire rekey attempt.

This operation has no parameters

deleteTotpKeysName #

Parameters

name (required) #

Name of the key.

Type: string

deleteTransitKeysName #

Parameters

name (required) #

Name of the key

Type: string

getAdConfig #

This operation has no parameters

getAdCredsName #

Parameters

name (required) #

Name of the role

Type: string

getAdLibrary #

Parameters

list #

Return a list if true

Type: string

getAdLibraryName #

Parameters

name (required) #

Name of the set.

Type: string

getAdLibraryNameStatus #

Parameters

name (required) #

Name of the set.

Type: string

getAdRoles #

Parameters

list #

Return a list if true

Type: string

getAdRolesName #

Parameters

name (required) #

Name of the role

Type: string

getAdRotateRoot #

This operation has no parameters

getAlicloudConfig #

This operation has no parameters

getAlicloudCredsName #

Parameters

name (required) #

The name of the role.

Type: string

getAlicloudRole #

Parameters

list #

Return a list if true

Type: string

getAlicloudRoleName #

Parameters

name (required) #

The name of the role.

Type: string

getAuthTokenAccessors #

Parameters

list #

Return a list if true

Type: string

getAuthTokenLookup #

This operation has no parameters

getAuthTokenLookupSelf #

This operation has no parameters

getAuthTokenRoles #

Parameters

list #

Return a list if true

Type: string

getAuthTokenRolesRole_name #

Parameters

role_name (required) #

Name of the role

Type: string

getAwsConfigLease #

This operation has no parameters

getAwsConfigRoot #

This operation has no parameters

getAwsCreds #

This operation has no parameters

getAwsRoles #

Parameters

list #

Return a list if true

Type: string

getAwsRolesName #

Parameters

name (required) #

Name of the policy

Type: string

getAwsStsName #

Parameters

name (required) #

Name of the role

Type: string

getAzureConfig #

This operation has no parameters

getAzureCredsRole #

Parameters

role (required) #

Name of the Vault role

Type: string

getAzureRoles #

Parameters

list #

Return a list if true

Type: string

getAzureRolesName #

Parameters

name (required) #

Name of the role.

Type: string

getConsulConfigAccess #

This operation has no parameters

getConsulCredsRole #

Parameters

role (required) #

Name of the role

Type: string

getConsulRoles #

Parameters

list #

Return a list if true

Type: string

getConsulRolesName #

Parameters

name (required) #

Name of the role

Type: string

getCubbyholePath #

Parameters

path (required) #

Specifies the path of the secret.

Type: string

list #

Return a list if true

Type: string

getDatabaseConfig #

Parameters

list #

Return a list if true

Type: string

getDatabaseConfigName #

Parameters

name (required) #

Name of this database connection

Type: string

getDatabaseCredsName #

Parameters

name (required) #

Name of the role.

Type: string

getDatabaseRoles #

Parameters

list #

Return a list if true

Type: string

getDatabaseRolesName #

Parameters

name (required) #

Name of the role.

Type: string

getDatabaseStaticCredsName #

Parameters

name (required) #

Name of the static role.

Type: string

getDatabaseStaticRoles #

Parameters

list #

Return a list if true

Type: string

getDatabaseStaticRolesName #

Parameters

name (required) #

Name of the role.

Type: string

getGcpConfig #

This operation has no parameters

getGcpKeyRoleset #

Parameters

roleset (required) #

Required. Name of the role set.

Type: string

getGcpRoleset #

Parameters

list #

Return a list if true

Type: string

getGcpRolesetName #

Parameters

name (required) #

Required. Name of the role.

Type: string

getGcpRolesets #

Parameters

list #

Return a list if true

Type: string

getGcpTokenRoleset #

Parameters

roleset (required) #

Required. Name of the role set.

Type: string

getGcpkmsConfig #

This operation has no parameters

getGcpkmsKeys #

Parameters

list #

Return a list if true

Type: string

getGcpkmsKeysConfigKey #

Parameters

key (required) #

Name of the key in Vault.

Type: string

getGcpkmsKeysKey #

Parameters

key (required) #

Name of the key in Vault.

Type: string

getGcpkmsPubkeyKey #

Parameters

key (required) #

Name of the key for which to get the public key. This key must already exist in Vault and Google Cloud KMS.

Type: string

getIdentityAliasId #

Parameters

list #

Return a list if true

Type: string

getIdentityAliasIdId #

Parameters

id (required) #

ID of the alias

Type: string

getIdentityEntityAliasId #

Parameters

list #

Return a list if true

Type: string

getIdentityEntityAliasIdId #

Parameters

id (required) #

ID of the alias

Type: string

getIdentityEntityId #

Parameters

list #

Return a list if true

Type: string

getIdentityEntityIdId #

Parameters

id (required) #

ID of the entity. If set, updates the corresponding existing entity.

Type: string

getIdentityEntityName #

Parameters

list #

Return a list if true

Type: string

getIdentityEntityNameName #

Parameters

name (required) #

Name of the entity

Type: string

getIdentityGroupAliasId #

Parameters

list #

Return a list if true

Type: string

getIdentityGroupAliasIdId #

Parameters

id (required) #

ID of the group alias.

Type: string

getIdentityGroupId #

Parameters

list #

Return a list if true

Type: string

getIdentityGroupIdId #

Parameters

id (required) #

ID of the group. If set, updates the corresponding existing group.

Type: string

getIdentityGroupName #

Parameters

list #

Return a list if true

Type: string

getIdentityGroupNameName #

Parameters

name (required) #

Name of the group.

Type: string

getIdentityOidcConfig #

This operation has no parameters

getIdentityOidcKey #

Parameters

list #

Return a list if true

Type: string

getIdentityOidcKeyName #

Parameters

name (required) #

Name of the key

Type: string

getIdentityOidcRole #

Parameters

list #

Return a list if true

Type: string

getIdentityOidcRoleName #

Parameters

name (required) #

Name of the role

Type: string

getIdentityOidcTokenName #

Parameters

name (required) #

Name of the role

Type: string

getIdentityOidcWellKnownKeys #

This operation has no parameters

getIdentityOidcWellKnownOpenidConfiguration #

This operation has no parameters

getIdentityPersonaId #

Parameters

list #

Return a list if true

Type: string

getIdentityPersonaIdId #

Parameters

id (required) #

ID of the persona

Type: string

getNomadConfigAccess #

This operation has no parameters

getNomadConfigLease #

This operation has no parameters

getNomadCredsName #

Parameters

name (required) #

Name of the role

Type: string

getNomadRole #

Parameters

list #

Return a list if true

Type: string

getNomadRoleName #

Parameters

name (required) #

Name of the role

Type: string

getPkiCa #

This operation has no parameters

getPkiCaPem #

This operation has no parameters

getPkiCa_chain #

This operation has no parameters

getPkiCertCa_chain #

This operation has no parameters

getPkiCertCrl #

This operation has no parameters

getPkiCertSerial #

Parameters

serial (required) #

Certificate serial number, in colon- or hyphen-separated octal

Type: string

getPkiCerts #

Parameters

list #

Return a list if true

Type: string

getPkiConfigCrl #

This operation has no parameters

getPkiConfigUrls #

This operation has no parameters

getPkiCrl #

This operation has no parameters

getPkiCrlPem #

This operation has no parameters

getPkiCrlRotate #

This operation has no parameters

getPkiRoles #

Parameters

list #

Return a list if true

Type: string

getPkiRolesName #

Parameters

name (required) #

Name of the role

Type: string

getRabbitmqConfigLease #

This operation has no parameters

getRabbitmqCredsName #

Parameters

name (required) #

Name of the role.

Type: string

getRabbitmqRoles #

Parameters

list #

Return a list if true

Type: string

getRabbitmqRolesName #

Parameters

name (required) #

Name of the role.

Type: string

getSecretConfig #

This operation has no parameters

getSecretDataPath #

Parameters

path (required) #

Location of the secret.

Type: string

getSecretMetadataPath #

Parameters

path (required) #

Location of the secret.

Type: string

list #

Return a list if true

Type: string

getSshConfigCa #

This operation has no parameters

getSshConfigZeroaddress #

This operation has no parameters

getSshPublic_key #

This operation has no parameters

getSshRoles #

Parameters

list #

Return a list if true

Type: string

getSshRolesRole #

Parameters

role (required) #

[Required for all types] Name of the role being created.

Type: string

getSysAudit #

This operation has no parameters

getSysAuth #

This operation has no parameters

getSysAuthPathTune #

This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via sys/mounts/auth/[auth-path]/tune.

Parameters

path (required) #

Tune the configuration parameters for an auth path.

Type: string

getSysConfigAuditingRequestHeaders #

This operation has no parameters

getSysConfigAuditingRequestHeadersHeader #

Parameters

header (required) #

Type: string

getSysConfigCors #

This operation has no parameters

getSysConfigStateSanitized #

The sanitized output strips configuration values in the storage, HA storage, and seals stanzas, which may contain sensitive values such as API tokens. It also removes any token or secret fields in other stanzas, such as the circonus_api_token from telemetry.

This operation has no parameters

getSysConfigUiHeaders #

Parameters

list #

Return a list if true

Type: string

getSysConfigUiHeadersHeader #

Parameters

header (required) #

The name of the header.

Type: string

getSysGenerateRoot #

This operation has no parameters

getSysGenerateRootAttempt #

This operation has no parameters

getSysHealth #

This operation has no parameters

getSysHostInfo #

Information about the host instance that this Vault server is running on. The information collected includes host hardware information and CPU, disk, and memory utilization.

This operation has no parameters

getSysInit #

This operation has no parameters

getSysInternalSpecsOpenapi #

This operation has no parameters

getSysInternalUiMounts #

This operation has no parameters

getSysInternalUiMountsPath #

Parameters

path (required) #

The path of the mount.

Type: string

getSysKeyStatus #

This operation has no parameters

getSysLeader #

This operation has no parameters

getSysLeasesLookup #

Parameters

list #

Return a list if true

Type: string

getSysLeasesLookupPrefix #

Parameters

prefix (required) #

The path to list leases under. Example: "aws/creds/deploy"

Type: string

list #

Return a list if true

Type: string

getSysMetrics #

Parameters

format #

Format to export metrics into. Currently accepts only "prometheus".

Type: string

getSysMounts #

This operation has no parameters

getSysMountsPathTune #

Parameters

path (required) #

The path to mount to. Example: "aws/east"

Type: string

getSysPluginsCatalog #

This operation has no parameters

getSysPluginsCatalogName #

Parameters

name (required) #

The name of the plugin

Type: string

getSysPluginsCatalogType #

Parameters

type (required) #

The type of the plugin, may be auth, secret, or database

Type: string

list #

Return a list if true

Type: string

getSysPluginsCatalogTypeName #

Parameters

name (required) #

The name of the plugin

Type: string

type (required) #

The type of the plugin, may be auth, secret, or database

Type: string

getSysPoliciesAcl #

Parameters

list #

Return a list if true

Type: string

getSysPoliciesAclName #

Parameters

name (required) #

The name of the policy. Example: "ops"

Type: string

getSysPolicy #

Parameters

list #

Return a list if true

Type: string

getSysPolicyName #

Parameters

name (required) #

The name of the policy. Example: "ops"

Type: string

getSysPprof #

Returns an HTML page listing the available
profiles. This should be mainly accessed via browsers or applications that can
render pages.

This operation has no parameters

getSysPprofCmdline #

Returns the running program's command line, with arguments separated by NUL bytes.

This operation has no parameters

getSysPprofGoroutine #

Returns stack traces of all current goroutines.

This operation has no parameters

getSysPprofHeap #

Returns a sampling of memory allocations of live objects.

This operation has no parameters

getSysPprofProfile #

Returns a pprof-formatted CPU profile payload. Profiling lasts for the duration given by the "seconds" GET parameter, or for 30 seconds if it is not specified.

This operation has no parameters

getSysPprofSymbol #

Returns the program counters listed in the request.

This operation has no parameters

getSysPprofTrace #

Returns the execution trace in binary form. Tracing lasts for the duration given by the "seconds" GET parameter, or for 1 second if it is not specified.

This operation has no parameters

getSysRaw #

Parameters

list #

Return a list if true

Type: string

getSysRawPath #

Parameters

path (required) #

Type: string

list #

Return a list if true

Type: string

getSysRekeyBackup #

This operation has no parameters

getSysRekeyInit #

This operation has no parameters

getSysRekeyRecoveryKeyBackup #

This operation has no parameters

getSysRekeyVerify #

This operation has no parameters

getSysReplicationStatus #

This operation has no parameters

getSysSealStatus #

This operation has no parameters

getSysWrappingLookup #

This operation has no parameters

getTotpCodeName #

Parameters

name (required) #

Name of the key.

Type: string

getTotpKeys #

Parameters

list #

Return a list if true

Type: string

getTotpKeysName #

Parameters

name (required) #

Name of the key.

Type: string

getTransitBackupName #

Parameters

name (required) #

Name of the key

Type: string

getTransitCacheConfig #

This operation has no parameters

getTransitExportTypeName #

Parameters

name (required) #

Name of the key

Type: string

type (required) #

Type of key to export (encryption-key, signing-key, hmac-key)

Type: string

getTransitExportTypeNameVersion #

Parameters

name (required) #

Name of the key

Type: string

type (required) #

Type of key to export (encryption-key, signing-key, hmac-key)

Type: string

version (required) #

Version of the key

Type: string

getTransitKeys #

Parameters

list #

Return a list if true

Type: string

getTransitKeysName #

Parameters

name (required) #

Name of the key

Type: string

postAdConfig #

Parameters

$body #

Type: object

{
"last_rotation_tolerance" : "The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band.",
"bindpass" : "LDAP password for searching for the user DN (optional)",
"max_ttl" : "In seconds, the maximum password time-to-live.",
"request_timeout" : "Timeout, in seconds, for the connection when making requests against the server before returning back an error.",
"certificate" : "CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded (optional)",
"use_pre111_group_cn_behavior" : "In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.",
"case_sensitive_names" : "If true, case sensitivity will be used when comparing usernames and groups for matching policies.",
"groupattr" : "LDAP attribute to follow on objects returned by <groupfilter> in order to enumerate user group membership. Examples: \"cn\" or \"memberOf\", etc. Default: cn",
"tls_min_version" : "Minimum TLS version to use. Accepted values are 'tls10', 'tls11' or 'tls12'. Defaults to 'tls12'",
"upndomain" : "Enables userPrincipalDomain login with [username]@UPNDomain (optional)",
"userattr" : "Attribute used for users (default: cn)",
"starttls" : "Issue a StartTLS command after establishing unencrypted connection (optional)",
"groupfilter" : "Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username Example: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))",
"length" : "The desired length of passwords that Vault generates.",
"insecure_tls" : "Skip LDAP server SSL Certificate verification - VERY insecure (optional)",
"deny_null_bind" : "Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true",
"tls_max_version" : "Maximum TLS version to use. Accepted values are 'tls10', 'tls11' or 'tls12'. Defaults to 'tls12'",
"ttl" : "In seconds, the default password time-to-live.",
"url" : "LDAP URL to connect to (default: ldap://127.0.0.1). Multiple URLs can be specified by concatenating them with commas; they will be tried in-order.",
"formatter" : "Text to insert the password into, ex. \"customPrefix{{PASSWORD}}customSuffix\".",
"binddn" : "LDAP DN for searching for the user DN (optional)",
"groupdn" : "LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org)",
"use_token_groups" : "If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.",
"discoverdn" : "Use anonymous bind to discover the bind DN of a user (optional)",
"userdn" : "LDAP domain to use for users (eg: ou=People,dc=example,dc=org)"
}

postAdLibraryManageNameCheckIn #

Parameters

name (required) #

Name of the set.

Type: string

$body #

Type: object

{
"service_account_names" : [ "string" ]
}

postAdLibraryName #

Parameters

name (required) #

Name of the set.

Type: string

$body #

Type: object

{
"max_ttl" : "In seconds, the max amount of time a check-out's renewals should last. Defaults to 24 hours.",
"service_account_names" : [ "string" ],
"disable_check_in_enforcement" : "Disable the default behavior of requiring that check-ins are performed by the entity that checked them out.",
"ttl" : "In seconds, the amount of time a check-out should last. Defaults to 24 hours."
}

postAdLibraryNameCheckIn #

Parameters

name (required) #

Name of the set.

Type: string

$body #

Type: object

{
"service_account_names" : [ "string" ]
}

postAdLibraryNameCheckOut #

Parameters

name (required) #

Name of the set

Type: string

$body #

Type: object

{
"ttl" : "The length of time before the check-out will expire, in seconds."
}

postAdRolesName #

Parameters

name (required) #

Name of the role

Type: string

$body #

Type: object

{
"service_account_name" : "The username/logon name for the service account with which this role will be associated.",
"ttl" : "In seconds, the default password time-to-live."
}

postAlicloudConfig #

Parameters

$body #

Type: object

{
"secret_key" : "Secret key with appropriate permissions.",
"access_key" : "Access key with appropriate permissions."
}

postAlicloudRoleName #

Parameters

name (required) #

The name of the role.

Type: string

$body #

Type: object

{
"max_ttl" : "The maximum allowed lifetime of tokens issued using this role.",
"role_arn" : "ARN of the role to be assumed. If provided, inline_policies and remote_policies should be blank. At creation time, this role must have configured trusted actors, and the access key and secret that will be used to assume the role (in /config) must qualify as a trusted actor.",
"remote_policies" : [ "string" ],
"inline_policies" : "JSON of policies to be dynamically applied to users of this role.",
"ttl" : "Duration in seconds after which the issued token should expire. Defaults to 0, in which case the value will fallback to the system/mount defaults."
}

postAuthTokenCreate #

This operation has no parameters

postAuthTokenCreateOrphan #

This operation has no parameters

postAuthTokenCreateRole_name #

Parameters

role_name (required) #

Name of the role

Type: string

postAuthTokenLookup #

Parameters

$body #

Type: object

{
"token" : "Token to lookup (POST request body)"
}

postAuthTokenLookupAccessor #

Parameters

$body #

Type: object

{
"accessor" : "Accessor of the token to look up (request body)"
}

postAuthTokenLookupSelf #

Parameters

$body #

Type: object

{
"token" : "Token to look up (unused, does not need to be set)"
}

postAuthTokenRenew #

Parameters

$body #

Type: object

{
"increment" : "The desired increment in seconds to the token expiration",
"token" : "Token to renew (request body)"
}

postAuthTokenRenewAccessor #

Parameters

$body #

Type: object

{
"accessor" : "Accessor of the token to renew (request body)",
"increment" : "The desired increment in seconds to the token expiration"
}

postAuthTokenRenewSelf #

Parameters

$body #

Type: object

{
"increment" : "The desired increment in seconds to the token expiration",
"token" : "Token to renew (unused, does not need to be set)"
}

postAuthTokenRevoke #

Parameters

$body #

Type: object

{
"token" : "Token to revoke (request body)"
}

postAuthTokenRevokeAccessor #

Parameters

$body #

Type: object

{
"accessor" : "Accessor of the token (request body)"
}

postAuthTokenRevokeOrphan #

Parameters

$body #

Type: object

{
"token" : "Token to revoke (request body)"
}

postAuthTokenRevokeSelf #

This operation has no parameters

postAuthTokenRolesRole_name #

Parameters

role_name (required) #

Name of the role

Type: string

$body #

Type: object

{
"bound_cidrs" : [ "string" ],
"period" : "Use 'token_period' instead.",
"token_num_uses" : "The maximum number of times a token may be used, a value of zero means unlimited",
"allowed_entity_aliases" : [ "string" ],
"token_explicit_max_ttl" : "If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.",
"path_suffix" : "If set, tokens created via this role will contain the given suffix as a part of their path. This can be used to assist use of the 'revoke-prefix' endpoint later on. The given suffix must match the regular expression \\w[\\w-.]+\\w",
"token_period" : "If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").",
"orphan" : "If true, tokens created via this role will be orphan tokens (have no parent)",
"token_type" : "The type of token to generate, service or batch",
"explicit_max_ttl" : "Use 'token_explicit_max_ttl' instead.",
"token_no_default_policy" : "If true, the 'default' policy will not automatically be added to generated tokens",
"disallowed_policies" : [ "string" ],
"allowed_policies" : [ "string" ],
"renewable" : "Tokens created via this role will be renewable or not according to this value. Defaults to \"true\".",
"token_bound_cidrs" : [ "string" ]
}

postAuthTokenTidy #

This operation has no parameters

postAwsConfigLease #

Parameters

$body #

Type: object

{
"lease_max" : "Maximum time a credential is valid for.",
"lease" : "Default lease for roles."
}

postAwsConfigRoot #

Parameters

$body #

Type: object

{
"secret_key" : "Secret key with permission to create new keys.",
"max_retries" : "Maximum number of retries for recoverable exceptions of AWS APIs",
"access_key" : "Access key with permission to create new keys.",
"iam_endpoint" : "Endpoint to custom IAM server URL",
"sts_endpoint" : "Endpoint to custom STS server URL",
"region" : "Region for API calls."
}

postAwsConfigRotateRoot #

This operation has no parameters

postAwsCreds #

Parameters

$body #

Type: object

{
"role_arn" : "ARN of role to assume when credential_type is assumed_role",
"name" : "Name of the role",
"ttl" : "Lifetime of the returned credentials in seconds"
}

postAwsRolesName #

Parameters

name (required) #

Name of the policy

Type: string

$body #

Type: object

{
"credential_type" : "Type of credential to retrieve. Must be one of assumed_role, iam_user, or federation_token",
"role_arns" : [ "string" ],
"max_sts_ttl" : "Max allowed TTL for assumed_role and federation_token credential types",
"user_path" : "Path for IAM User. Only valid when credential_type is iam_user",
"permissions_boundary_arn" : "ARN of an IAM policy to attach as a permissions boundary on IAM user credentials; only valid when credential_type is iam_user",
"arn" : "Use role_arns or policy_arns instead.",
"default_sts_ttl" : "Default TTL for assumed_role and federation_token credential types when no TTL is explicitly requested with the credentials",
"policy_document" : "JSON-encoded IAM policy document. Behavior varies by credential_type. When credential_type is iam_user, then it will attach the contents of the policy_document to the IAM user generated. When credential_type is assumed_role or federation_token, this will be passed in as the Policy parameter to the AssumeRole or GetFederationToken API call, acting as a filter on permissions available.",
"policy" : "Use policy_document instead.",
"policy_arns" : [ "string" ]
}

postAwsStsName #

Parameters

name (required) #

Name of the role

Type: string

$body #

Type: object

{
"role_arn" : "ARN of role to assume when credential_type is assumed_role",
"ttl" : "Lifetime of the returned credentials in seconds"
}

postAzureConfig #

Parameters

$body #

Type: object

{
"subscription_id" : "The subscription id for the Azure Active Directory. This value can also be provided with the AZURE_SUBSCRIPTION_ID environment variable.",
"tenant_id" : "The tenant id for the Azure Active Directory. This value can also be provided with the AZURE_TENANT_ID environment variable.",
"environment" : "The Azure environment name. If not provided, AzurePublicCloud is used. This value can also be provided with the AZURE_ENVIRONMENT environment variable.",
"client_secret" : "The OAuth2 client secret to connect to Azure. This value can also be provided with the AZURE_CLIENT_SECRET environment variable.",
"client_id" : "The OAuth2 client id to connect to Azure. This value can also be provided with the AZURE_CLIENT_ID environment variable."
}

postAzureRolesName #

Parameters

name (required) #

Name of the role.

Type: string

$body #

Type: object

{
"max_ttl" : "Maximum time a service principal is valid for. If not set or set to 0, will use system default.",
"application_object_id" : "Application Object ID to use for static service principal credentials.",
"azure_roles" : "JSON list of Azure roles to assign.",
"ttl" : "Default lease for generated credentials. If not set or set to 0, will use system default.",
"azure_groups" : "JSON list of Azure groups to add the service principal to."
}

postConsulConfigAccess #

Parameters

$body #

Type: object

{
"address" : "Consul server address",
"scheme" : "URI scheme for the Consul address",
"token" : "Token for API calls"
}

postConsulRolesName #

Parameters

name (required) #

Name of the role

Type: string

$body #

Type: object

{
"max_ttl" : "Max TTL for the Consul token created from the role.",
"policies" : [ "string" ],
"lease" : "Use ttl instead.",
"token_type" : "Which type of token to create: 'client' or 'management'. If a 'management' token, the \"policy\" parameter is not required. Defaults to 'client'.",
"ttl" : "TTL for the Consul token created from the role.",
"local" : "Indicates that the token should not be replicated globally and instead be local to the current datacenter. Available in Consul 1.4 and above.",
"policy" : "Policy document, base64 encoded. Required for 'client' tokens. Required for Consul pre-1.4."
}

postCubbyholePath #

Parameters

path (required) #

Specifies the path of the secret.

Type: string

postDatabaseConfigName #

Parameters

name (required) #

Name of this database connection

Type: string

$body #

Type: object

{
"verify_connection" : "If true, the connection details are verified by actually connecting to the database. Defaults to true.",
"allowed_roles" : [ "string" ],
"root_rotation_statements" : [ "string" ],
"plugin_name" : "The name of a builtin or previously registered plugin known to Vault. This endpoint will create an instance of that plugin type."
}

postDatabaseResetName #

Parameters

name (required) #

Name of this database connection

Type: string

postDatabaseRolesName #

Parameters

name (required) #

Name of the role.

Type: string

$body #

Type: object

{
"renew_statements" : [ "string" ],
"db_name" : "Name of the database this role acts on.",
"max_ttl" : "Maximum time a credential is valid for",
"default_ttl" : "Default ttl for role.",
"revocation_statements" : [ "string" ],
"rollback_statements" : [ "string" ],
"creation_statements" : [ "string" ]
}

postDatabaseRotateRoleName #

Parameters

name (required) #

Name of the static role

Type: string

postDatabaseRotateRootName #

Parameters

name (required) #

Name of this database connection

Type: string

postDatabaseStaticRolesName #

Parameters

name (required) #

Name of the role.

Type: string

$body #

Type: object

{
"db_name" : "Name of the database this role acts on.",
"rotation_statements" : [ "string" ],
"rotation_period" : "Period for automatic credential rotation of the given username. Not valid unless used with \"username\".",
"username" : "Name of the static user account for Vault to manage. Requires \"rotation_period\" to be specified"
}

postGcpConfig #

Parameters

$body #

Type: object

{
"max_ttl" : "Maximum time a service account key is valid for. If <= 0, will use system default.",
"credentials" : "GCP IAM service account credentials JSON with permissions to create new service accounts and set IAM policies",
"ttl" : "Default lease for generated keys. If <= 0, will use system default."
}

postGcpKeyRoleset #

Parameters

roleset (required) #

Required. Name of the role set.

Type: string

$body #

Type: object

{
"key_type" : "Private key type for service account key - defaults to TYPE_GOOGLE_CREDENTIALS_FILE",
"key_algorithm" : "Private key algorithm for service account key - defaults to KEY_ALG_RSA_2048"
}

postGcpRolesetName #

Parameters

name (required) #

Required. Name of the role.

Type: string

$body #

Type: object

{
"secret_type" : "Type of secret generated for this role set. Defaults to 'access_token'",
"token_scopes" : [ "string" ],
"bindings" : "Bindings configuration string.",
"project" : "Name of the GCP project that this roleset's service account will belong to."
}

postGcpRolesetNameRotate #

Parameters

name (required) #

Name of the role.

Type: string

postGcpRolesetNameRotateKey #

Parameters

name (required) #

Name of the role.

Type: string

postGcpTokenRoleset #

Parameters

roleset (required) #

Required. Name of the role set.

Type: string

postGcpkmsConfig #

Parameters

$body #

Type: object

{
"credentials" : "The credentials to use for authenticating to Google Cloud. Leave this blank to use the Default Application Credentials or instance metadata authentication.",
"scopes" : [ "string" ]
}

postGcpkmsDecryptKey #

Parameters

key (required) #

Name of the key in Vault to use for decryption. This key must already exist in Vault and must map back to a Google Cloud KMS key.

Type: string

$body #

Type: object

{
"ciphertext" : "Ciphertext to decrypt as previously returned from an encrypt operation. This must be base64-encoded ciphertext as previously returned from an encrypt operation.",
"key_version" : "Integer version of the crypto key version to use for decryption. This is required for asymmetric keys. For symmetric keys, Cloud KMS will choose the correct version automatically.",
"additional_authenticated_data" : "Optional data that was specified during encryption of this payload."
}

postGcpkmsEncryptKey #

Parameters

key (required) #

Name of the key in Vault to use for encryption. This key must already exist in Vault and must map back to a Google Cloud KMS key.

Type: string

$body #

Type: object

{
"key_version" : "Integer version of the crypto key version to use for encryption. If unspecified, this defaults to the latest active crypto key version.",
"plaintext" : "Plaintext value to be encrypted. This can be a string or binary, but the size is limited. See the Google Cloud KMS documentation for information on size limitations by key types.",
"additional_authenticated_data" : "Optional base64-encoded data that, if specified, must also be provided to decrypt this payload."
}

postGcpkmsKeysConfigKey #

Parameters

key (required) #

Name of the key in Vault.

Type: string

$body #

Type: object

{
"min_version" : "Minimum allowed crypto key version. If set to a positive value, key versions less than the given value are not permitted to be used. If set to 0 or a negative value, there is no minimum key version. This value only affects encryption/re-encryption, not decryption. To restrict old values from being decrypted, increase this value and then perform a trim operation.",
"max_version" : "Maximum allowed crypto key version. If set to a positive value, key versions greater than the given value are not permitted to be used. If set to 0 or a negative value, there is no maximum key version."
}

postGcpkmsKeysDeregisterKey #

Parameters

key (required) #

Name of the key to deregister in Vault. If the key exists in Google Cloud KMS, it will be left untouched.

Type: string

postGcpkmsKeysKey #

Parameters

key (required) #

Name of the key in Vault.

Type: string

$body #

Type: object

{
"crypto_key" : "Name of the crypto key to use. If the given crypto key does not exist, Vault will try to create it. This defaults to the name of the key given to Vault as the parameter if unspecified.",
"protection_level" : "Level of protection to use for the key management. Valid values are \"software\" and \"hsm\". The default value is \"software\". The value cannot be changed after creation.",
"purpose" : "Purpose of the key. Valid options are \"asymmetric_decrypt\", \"asymmetric_sign\", and \"encrypt_decrypt\". The default value is \"encrypt_decrypt\". The value cannot be changed after creation.",
"key_ring" : "Full Google Cloud resource ID of the key ring with the project and location (e.g. projects/my-project/locations/global/keyRings/my-keyring). If the given key ring does not exist, Vault will try to create it during a create operation.",
"rotation_period" : "Amount of time between crypto key version rotations. This is specified as a time duration value like 72h (72 hours). The smallest possible value is 24h. This value only applies to keys with a purpose of \"encrypt_decrypt\".",
"algorithm" : "Algorithm to use for encryption, decryption, or signing. The value depends on the key purpose. The value cannot be changed after creation. For a key purpose of \"encrypt_decrypt\", the valid values are: - symmetric_encryption (default) For a key purpose of \"asymmetric_sign\", valid values are: - rsa_sign_pss_2048_sha256 - rsa_sign_pss_3072_sha256 - rsa_sign_pss_4096_sha256 - rsa_sign_pkcs1_2048_sha256 - rsa_sign_pkcs1_3072_sha256 - rsa_sign_pkcs1_4096_sha256 - ec_sign_p256_sha256 - ec_sign_p384_sha384 For a key purpose of \"asymmetric_decrypt\", valid values are: - rsa_decrypt_oaep_2048_sha256 - rsa_decrypt_oaep_3072_sha256 - rsa_decrypt_oaep_4096_sha256",
"labels" : { }
}

postGcpkmsKeysRegisterKey #

Parameters

key (required) #

Name of the key to register in Vault. This will be the name used to refer to the underlying crypto key when encrypting or decrypting data.

Type: string

$body #

Type: object

{
"crypto_key" : "Full resource ID of the crypto key including the project, location, key ring, and crypto key like \"projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\". This crypto key must already exist in Google Cloud KMS unless verify is set to \"false\".",
"verify" : "Verify that the given Google Cloud KMS crypto key exists and is accessible before creating the storage entry in Vault. Set this to \"false\" if the key will not exist at creation time."
}

postGcpkmsKeysRotateKey #

Parameters

key (required) #

Name of the key to rotate. This key must already be registered with Vault and point to a valid Google Cloud KMS crypto key.

Type: string

postGcpkmsKeysTrimKey #

Parameters

key (required) #

Name of the key in Vault.

Type: string

postGcpkmsReencryptKey #

Parameters

key (required) #

Name of the key to use for encryption. This key must already exist in Vault and Google Cloud KMS.

Type: string

$body #

Type: object

{
"ciphertext" : "Ciphertext to be re-encrypted to the latest key version. This must be ciphertext that Vault previously generated for this named key.",
"key_version" : "Integer version of the crypto key version to use for the new encryption. If unspecified, this defaults to the latest active crypto key version.",
"additional_authenticated_data" : "Optional data that, if specified, must also be provided during decryption."
}

postGcpkmsSignKey #

Parameters

key (required) #

Name of the key in Vault to use for signing. This key must already exist in Vault and must map back to a Google Cloud KMS key.

Type: string

$body #

Type: object

{
"key_version" : "Integer version of the crypto key version to use for signing. This field is required.",
"digest" : "Digest to sign. This digest must use the same SHA algorithm as the underlying Cloud KMS key. The digest must be the base64-encoded binary value. This field is required."
}

postGcpkmsVerifyKey #

Parameters

key (required) #

Name of the key in Vault to use for verification. This key must already exist in Vault and must map back to a Google Cloud KMS key.

Type: string

$body #

Type: object

{
"key_version" : "Integer version of the crypto key version to use for verification. This field is required.",
"signature" : "Base64-encoded signature to use for verification. This field is required.",
"digest" : "Digest to verify. This digest must use the same SHA algorithm as the underlying Cloud KMS key. The digest must be the base64-encoded binary value. This field is required."
}

postIdentityAlias #

Parameters

$body #

Type: object

{
"canonical_id" : "Entity ID to which this alias belongs",
"name" : "Name of the alias",
"id" : "ID of the alias",
"entity_id" : "Entity ID to which this alias belongs to. This field is deprecated in favor of 'canonical_id'.",
"mount_accessor" : "Mount accessor to which this alias belongs"
}

postIdentityAliasIdId #

Parameters

id (required) #

ID of the alias

Type: string

$body #

Type: object

{
"canonical_id" : "Entity ID to which this alias should be tied",
"name" : "Name of the alias",
"entity_id" : "Entity ID to which this alias should be tied. This field is deprecated in favor of 'canonical_id'.",
"mount_accessor" : "Mount accessor to which this alias belongs"
}

postIdentityEntity #

Parameters

$body #

Type: object

{
"metadata" : { },
"name" : "Name of the entity",
"policies" : [ "string" ],
"disabled" : "If set true, tokens tied to this identity will not be able to be used (but will not be revoked).",
"id" : "ID of the entity. If set, updates the corresponding existing entity."
}

postIdentityEntityAlias #

Parameters

$body #

Type: object

{
"canonical_id" : "Entity ID to which this alias belongs",
"name" : "Name of the alias; unused for a modify",
"id" : "ID of the entity alias. If set, updates the corresponding entity alias.",
"entity_id" : "Entity ID to which this alias belongs. This field is deprecated, use canonical_id.",
"mount_accessor" : "Mount accessor to which this alias belongs; unused for a modify"
}

postIdentityEntityAliasIdId #

Parameters

id (required) #

ID of the alias

Type: string

$body #

Type: object

{
"canonical_id" : "Entity ID to which this alias should be tied",
"name" : "(Unused)",
"entity_id" : "Entity ID to which this alias belongs. This field is deprecated, use canonical_id.",
"mount_accessor" : "(Unused)"
}

postIdentityEntityIdId #

Parameters

id (required) #

ID of the entity. If set, updates the corresponding existing entity.

Type: string

$body #

Type: object

{
"metadata" : { },
"name" : "Name of the entity",
"policies" : [ "string" ],
"disabled" : "If set true, tokens tied to this identity will not be able to be used (but will not be revoked)."
}

postIdentityEntityMerge #

Parameters

$body #

Type: object

{
"from_entity_ids" : [ "string" ],
"to_entity_id" : "Entity ID into which all the other entities need to get merged",
"force" : "Setting this will follow the 'mine' strategy for merging MFA secrets. If there are secrets of the same type both in the entities being merged from and in the entity into which all others are being merged, the secrets in the destination will be left unaltered. If not set, this API will return an error listing all the conflicts."
}

postIdentityEntityNameName #

Parameters

name (required) #

Name of the entity

Type: string

$body #

Type: object

{
"metadata" : { },
"policies" : [ "string" ],
"disabled" : "If set true, tokens tied to this identity will not be able to be used (but will not be revoked).",
"id" : "ID of the entity. If set, updates the corresponding existing entity."
}

postIdentityGroup #

Parameters

$body #

Type: object

{
"member_group_ids" : [ "string" ],
"metadata" : { },
"name" : "Name of the group.",
"policies" : [ "string" ],
"id" : "ID of the group. If set, updates the corresponding existing group.",
"type" : "Type of the group, 'internal' or 'external'. Defaults to 'internal'",
"member_entity_ids" : [ "string" ]
}

postIdentityGroupAlias #

Parameters

$body #

Type: object

{
"canonical_id" : "ID of the group to which this is an alias.",
"name" : "Alias of the group.",
"id" : "ID of the group alias.",
"mount_accessor" : "Mount accessor to which this alias belongs."
}

postIdentityGroupAliasIdId #

Parameters

id (required) #

ID of the group alias.

Type: string

$body #

Type: object

{
"canonical_id" : "ID of the group to which this is an alias.",
"name" : "Alias of the group.",
"mount_accessor" : "Mount accessor to which this alias belongs."
}

postIdentityGroupIdId #

Parameters

id (required) #

ID of the group. If set, updates the corresponding existing group.

Type: string

$body #

Type: object

{
"member_group_ids" : [ "string" ],
"metadata" : { },
"name" : "Name of the group.",
"policies" : [ "string" ],
"type" : "Type of the group, 'internal' or 'external'. Defaults to 'internal'",
"member_entity_ids" : [ "string" ]
}

postIdentityGroupNameName #

Parameters

name (required) #

Name of the group.

Type: string

$body #

Type: object

{
"member_group_ids" : [ "string" ],
"metadata" : { },
"policies" : [ "string" ],
"id" : "ID of the group. If set, updates the corresponding existing group.",
"type" : "Type of the group, 'internal' or 'external'. Defaults to 'internal'",
"member_entity_ids" : [ "string" ]
}

postIdentityLookupEntity #

Parameters

$body #

Type: object

{
"alias_mount_accessor" : "Accessor of the mount to which the alias belongs. This should be supplied in conjunction with 'alias_name'.",
"alias_id" : "ID of the alias.",
"name" : "Name of the entity.",
"id" : "ID of the entity.",
"alias_name" : "Name of the alias. This should be supplied in conjunction with 'alias_mount_accessor'."
}

postIdentityLookupGroup #

Parameters

$body #

Type: object

{
"alias_mount_accessor" : "Accessor of the mount to which the alias belongs. This should be supplied in conjunction with 'alias_name'.",
"alias_id" : "ID of the alias.",
"name" : "Name of the group.",
"id" : "ID of the group.",
"alias_name" : "Name of the alias. This should be supplied in conjunction with 'alias_mount_accessor'."
}

postIdentityOidcConfig #

Parameters

$body #

Type: object

{
"issuer" : "Issuer URL to be used in the iss claim of the token. If not set, Vault's app_addr will be used."
}

postIdentityOidcIntrospect #

Parameters

$body #

Type: object

{
"client_id" : "Optional client_id to verify",
"token" : "Token to verify"
}

postIdentityOidcKeyName #

Parameters

name (required) #

Name of the key

Type: string

$body #

Type: object

{
"verification_ttl" : "Controls how long the public portion of a key will be available for verification after being rotated.",
"rotation_period" : "How often to generate a new keypair.",
"allowed_client_ids" : [ "string" ],
"algorithm" : "Signing algorithm to use. This will default to RS256."
}

postIdentityOidcKeyNameRotate #

Parameters

name (required) #

Name of the key

Type: string

$body #

Type: object

{
"verification_ttl" : "Controls how long the public portion of a key will be available for verification after being rotated. Setting verification_ttl here will override the verification_ttl set on the key."
}

postIdentityOidcRoleName #

Parameters

name (required) #

Name of the role

Type: string

$body #

Type: object

{
"template" : "The template string to use for generating tokens. This may be in string-ified JSON or base64 format.",
"ttl" : "TTL of the tokens generated against the role.",
"key" : "The OIDC key to use for generating tokens. The specified key must already exist."
}

postIdentityPersona #

Parameters

$body #

Type: object

{
"metadata" : { },
"name" : "Name of the persona",
"id" : "ID of the persona",
"entity_id" : "Entity ID to which this persona belongs",
"mount_accessor" : "Mount accessor to which this persona belongs"
}

postIdentityPersonaIdId #

Parameters

id (required) #

ID of the persona

Type: string

$body #

Type: object

{
"metadata" : { },
"name" : "Name of the persona",
"entity_id" : "Entity ID to which this persona should be tied",
"mount_accessor" : "Mount accessor to which this persona belongs"
}

postNomadConfigAccess #

Parameters

$body #

Type: object

{
"max_token_name_length" : "Max length for name of generated Nomad tokens",
"address" : "Nomad server address",
"token" : "Token for API calls"
}

postNomadConfigLease #

Parameters

$body #

Type: object

{
"max_ttl" : "Duration after which the issued token should not be allowed to be renewed",
"ttl" : "Duration before which the issued token needs renewal"
}

postNomadRoleName #

Parameters

name (required) #

Name of the role

Type: string

$body #

Type: object

{
"policies" : [ "string" ],
"global" : "Boolean value indicating whether the token should be global. Defaults to false.",
"type" : "Which type of token to create: 'client' or 'management'. If a 'management' token, the \"policies\" parameter is not required. Defaults to 'client'."
}

postPkiConfigCa #

Parameters

$body #

Type: object

{
"pem_bundle" : "PEM-format, concatenated unencrypted secret key and certificate."
}

postPkiConfigCrl #

Parameters

$body #

Type: object

{
"disable" : "If set to true, disables generating the CRL entirely.",
"expiry" : "The amount of time the generated CRL should be valid; defaults to 72 hours"
}

postPkiConfigUrls #

Parameters

$body #

Type: object

{
"crl_distribution_points" : [ "string" ],
"issuing_certificates" : [ "string" ],
"ocsp_servers" : [ "string" ]
}

postPkiIntermediateGenerateExported #

Parameters

exported (required) #

Must be "internal" or "exported". If set to "exported", the generated private key will be returned. This is your only chance to retrieve the private key!

Type: string

$body #

Type: object

{
"other_sans" : [ "string" ],
"country" : [ "string" ],
"street_address" : [ "string" ],
"add_basic_constraints" : "Whether to add a Basic Constraints extension with CA: true. Only needed as a workaround in some compatibility scenarios with Active Directory Certificate Services.",
"key_type" : "The type of key to use; defaults to RSA. \"rsa\" and \"ec\" are the only valid values.",
"ou" : [ "string" ],
"format" : "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".",
"locality" : [ "string" ],
"private_key_format" : "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".",
"alt_names" : "The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses.",
"serial_number" : "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.",
"exclude_cn_from_sans" : "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).",
"uri_sans" : [ "string" ],
"ttl" : "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.",
"key_bits" : "The number of bits to use. You will almost certainly want to change this if you adjust the key_type.",
"province" : [ "string" ],
"ip_sans" : [ "string" ],
"organization" : [ "string" ],
"common_name" : "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans.",
"postal_code" : [ "string" ]
}

postPkiIntermediateSetSigned #

Parameters

$body #

Type: object

{
"certificate" : "PEM-format certificate. This must be a CA certificate with a public key matching the previously-generated key from the generation endpoint."
}

postPkiIssueRole #

Parameters

role (required) #

The desired role with configuration for this request

Type: string

$body #

Type: object

{
"other_sans" : [ "string" ],
"ip_sans" : [ "string" ],
"format" : "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".",
"private_key_format" : "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".",
"alt_names" : "The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.",
"serial_number" : "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.",
"exclude_cn_from_sans" : "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).",
"uri_sans" : [ "string" ],
"common_name" : "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address.",
"ttl" : "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL."
}

postPkiRevoke #

Parameters

$body #

Type: object

{
"serial_number" : "Certificate serial number, in colon- or hyphen-separated octal"
}

postPkiRolesName #

Parameters

name (required) #

Name of the role

Type: string

$body #

Type: object

{
"country" : [ "string" ],
"street_address" : [ "string" ],
"allow_subdomains" : "If set, clients can request certificates for subdomains of the CNs allowed by the other role options, including wildcard subdomains. See the documentation for more information.",
"allowed_domains" : [ "string" ],
"key_type" : "The type of key to use; defaults to RSA. \"rsa\" and \"ec\" are the only valid values.",
"key_usage" : [ "string" ],
"max_ttl" : "The maximum allowed lease duration",
"allow_bare_domains" : "If set, clients can request certificates for the base domains themselves, e.g. \"example.com\". This is a separate option as in some cases this can be considered a security threat.",
"allowed_other_sans" : [ "string" ],
"province" : [ "string" ],
"allow_localhost" : "Whether to allow \"localhost\" as a valid common name in a request",
"enforce_hostnames" : "If set, only valid host names are allowed for CN and SANs. Defaults to true.",
"allowed_uri_sans" : [ "string" ],
"backend" : "Backend Type",
"email_protection_flag" : "If set, certificates are flagged for email protection use. Defaults to false.",
"no_store" : "If set, certificates issued/signed against this role will not be stored in the storage backend. This can improve performance when issuing large numbers of certificates. However, certificates issued in this way cannot be enumerated or revoked, so this option is recommended only for certificates that are non-sensitive, or extremely short-lived. This option implies a value of \"false\" for \"generate_lease\".",
"allowed_serial_numbers" : [ "string" ],
"ou" : [ "string" ],
"allow_any_name" : "If set, clients can request certificates for any CN they like. See the documentation for more information.",
"locality" : [ "string" ],
"basic_constraints_valid_for_non_ca" : "Mark Basic Constraints valid when issuing non-CA certificates.",
"server_flag" : "If set, certificates are flagged for server auth use. Defaults to true.",
"generate_lease" : "If set, certificates issued/signed against this role will have Vault leases attached to them. Defaults to \"false\". Certificates can be added to the CRL by \"vault revoke\" when certificates are associated with leases. It can also be done using the \"pki/revoke\" endpoint. However, when lease generation is disabled, invoking \"pki/revoke\" is the only way to add the certificates to the CRL. When a large number of certificates is generated with long lifetimes, it is recommended that lease generation be disabled, as a large number of leases adversely affects the startup time of Vault.",
"ttl" : "The lease duration if no specific lease duration is requested. The lease duration controls the expiration of certificates issued by this backend. Defaults to the value of max_ttl.",
"use_csr_sans" : "If set, when used with a signing profile, the SANs in the CSR will be used. This does *not* include the Common Name (cn). Defaults to true.",
"not_before_duration" : "How far before now the certificate's validity period (its not-before time) starts when it is created / signed.",
"key_bits" : "The number of bits to use. You will almost certainly want to change this if you adjust the key_type.",
"require_cn" : "If set to false, makes the 'common_name' field optional while generating a certificate.",
"allow_ip_sans" : "If set, IP Subject Alternative Names are allowed. Any valid IP is accepted.",
"code_signing_flag" : "If set, certificates are flagged for code signing use. Defaults to false.",
"policy_identifiers" : [ "string" ],
"allow_glob_domains" : "If set, domains specified in \"allowed_domains\" can include glob patterns, e.g. \"ftp*.example.com\". See the documentation for more information.",
"organization" : [ "string" ],
"use_csr_common_name" : "If set, when used with a signing profile, the common name in the CSR will be used. This does *not* include any requested Subject Alternative Names. Defaults to true.",
"ext_key_usage" : [ "string" ],
"postal_code" : [ "string" ],
"ext_key_usage_oids" : [ "string" ],
"client_flag" : "If set, certificates are flagged for client auth use. Defaults to true."
}

postPkiRootGenerateExported #

Parameters

exported (required) #

Must be "internal" or "exported". If set to "exported", the generated private key will be returned. This is your only chance to retrieve the private key!

Type: string

$body #

Type: object

{
"other_sans" : [ "string" ],
"country" : [ "string" ],
"street_address" : [ "string" ],
"key_type" : "The type of key to use; defaults to RSA. \"rsa\" and \"ec\" are the only valid values.",
"ou" : [ "string" ],
"format" : "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".",
"locality" : [ "string" ],
"private_key_format" : "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".",
"alt_names" : "The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses.",
"serial_number" : "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.",
"exclude_cn_from_sans" : "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).",
"uri_sans" : [ "string" ],
"max_path_length" : "The maximum allowable path length",
"ttl" : "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.",
"key_bits" : "The number of bits to use. You will almost certainly want to change this if you adjust the key_type.",
"permitted_dns_domains" : [ "string" ],
"province" : [ "string" ],
"ip_sans" : [ "string" ],
"organization" : [ "string" ],
"common_name" : "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans.",
"postal_code" : [ "string" ]
}

postPkiRootSignIntermediate #

Parameters

$body #

Type: object

{
"other_sans" : [ "string" ],
"country" : [ "string" ],
"street_address" : [ "string" ],
"csr" : "PEM-format CSR to be signed.",
"ou" : [ "string" ],
"format" : "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".",
"locality" : [ "string" ],
"private_key_format" : "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".",
"alt_names" : "The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses.",
"serial_number" : "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.",
"exclude_cn_from_sans" : "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).",
"uri_sans" : [ "string" ],
"max_path_length" : "The maximum allowable path length",
"ttl" : "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.",
"permitted_dns_domains" : [ "string" ],
"province" : [ "string" ],
"ip_sans" : [ "string" ],
"organization" : [ "string" ],
"use_csr_values" : "If true, then: 1) Subject information, including names and alternate names, will be preserved from the CSR rather than using values provided in the other parameters to this path; 2) Any key usages requested in the CSR will be added to the basic set of key usages used for CA certs signed by this path; for instance, the non-repudiation flag.",
"common_name" : "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans.",
"postal_code" : [ "string" ]
}

postPkiRootSignSelfIssued #

Parameters

$body #

Type: object

{
"certificate" : "PEM-format self-issued certificate to be signed."
}

postPkiSignRole #

Parameters

role (required) #

The desired role with configuration for this request

Type: string

$body #

Type: object

{
"other_sans" : [ "string" ],
"csr" : "PEM-format CSR to be signed.",
"ip_sans" : [ "string" ],
"format" : "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".",
"private_key_format" : "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".",
"alt_names" : "The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.",
"serial_number" : "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.",
"exclude_cn_from_sans" : "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).",
"uri_sans" : [ "string" ],
"common_name" : "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address.",
"ttl" : "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL."
}

postPkiSignVerbatim #

Parameters

$body #

Type: object

{
"other_sans" : [ "string" ],
"csr" : "PEM-format CSR to be signed. Values will be taken verbatim from the CSR, except for basic constraints.",
"role" : "The desired role with configuration for this request",
"key_usage" : [ "string" ],
"format" : "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".",
"private_key_format" : "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".",
"alt_names" : "The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.",
"serial_number" : "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.",
"exclude_cn_from_sans" : "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).",
"uri_sans" : [ "string" ],
"ttl" : "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL.",
"ip_sans" : [ "string" ],
"common_name" : "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address.",
"ext_key_usage" : [ "string" ],
"ext_key_usage_oids" : [ "string" ]
}

postPkiSignVerbatimRole #

Parameters

role (required) #

The desired role with configuration for this request

Type: string

$body #

Type: object

{
"other_sans" : [ "string" ],
"csr" : "PEM-format CSR to be signed. Values will be taken verbatim from the CSR, except for basic constraints.",
"key_usage" : [ "string" ],
"format" : "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".",
"private_key_format" : "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".",
"alt_names" : "The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.",
"serial_number" : "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.",
"exclude_cn_from_sans" : "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).",
"uri_sans" : [ "string" ],
"ttl" : "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL.",
"ip_sans" : [ "string" ],
"common_name" : "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address.",
"ext_key_usage" : [ "string" ],
"ext_key_usage_oids" : [ "string" ]
}

postPkiTidy #

Parameters

$body #

Type: object

{
"tidy_revocation_list" : "Deprecated; synonym for 'tidy_revoked_certs'",
"tidy_cert_store" : "Set to true to enable tidying up the certificate store",
"tidy_revoked_certs" : "Set to true to expire all revoked and expired certificates, removing them both from the CRL and from storage. The CRL will be rotated if this causes any values to be removed.",
"safety_buffer" : "The amount of extra time that must have passed beyond certificate expiration before it is removed from the backend storage and/or revocation list. Defaults to 72 hours."
}

postRabbitmqConfigConnection #

Parameters

$body #

Type: object

{
"verify_connection" : "If set, connection_uri is verified by actually connecting to the RabbitMQ management API",
"connection_uri" : "RabbitMQ Management URI",
"password" : "Password of the provided RabbitMQ management user",
"username" : "Username of a RabbitMQ management administrator"
}

postRabbitmqConfigLease #

Parameters

$body #

Type: object

{
"max_ttl" : "Duration after which the issued credentials should not be allowed to be renewed",
"ttl" : "Duration before which the issued credentials need renewal"
}

postRabbitmqRolesName #

Parameters

name (required) #

Name of the role.

Type: string

$body #

Type: object

{
"vhosts" : "A map of virtual hosts to permissions.",
"vhost_topics" : "A nested map of virtual hosts and exchanges to topic permissions.",
"tags" : "Comma-separated list of tags for this role."
}

postSecretConfig #

Parameters

$body #

Type: object

{
"cas_required" : "If true, the backend will require the cas parameter to be set for each write",
"delete_version_after" : "If set, the length of time before a version is deleted. A negative duration disables the use of delete_version_after on all keys. A zero duration clears the current setting. Accepts a Go duration format string.",
"max_versions" : "The number of versions to keep for each key. Defaults to 10"
}

postSecretDataPath #

Parameters

path (required) #

Location of the secret.

Type: string

$body #

Type: object

{
"data" : { },
"options" : { },
"version" : "If provided during a read, the value at the version number will be returned"
}

postSecretDeletePath #

Parameters

path (required) #

Location of the secret.

Type: string

$body #

Type: object

{
"versions" : [ "integer" ]
}

postSecretDestroyPath #

Parameters

path (required) #

Location of the secret.

Type: string

$body #

Type: object

{
"versions" : [ "integer" ]
}

postSecretMetadataPath #

Parameters

path (required) #

Location of the secret.

Type: string

$body #

Type: object

{
"cas_required" : "If true the key will require the cas parameter to be set on all write requests. If false, the backend's configuration will be used.",
"delete_version_after" : "The length of time before a version is deleted. If not set, the backend's configured delete_version_after is used. Cannot be greater than the backend's delete_version_after. A zero duration clears the current setting. A negative duration will cause an error.",
"max_versions" : "The number of versions to keep. If not set, the backend's configured max version is used."
}

postSecretUndeletePath #

Parameters

path (required) #

Location of the secret.

Type: string

$body #

Type: object

{
"versions" : [ "integer" ]
}

postSshConfigCa #

Parameters

$body #

Type: object

{
"public_key" : "Public half of the SSH key that will be used to sign certificates.",
"private_key" : "Private half of the SSH key that will be used to sign certificates.",
"generate_signing_key" : "Generate the SSH signing key pair internally rather than using the private_key and public_key fields."
}

postSshConfigZeroaddress #

Parameters

$body #

Type: object

{
"roles" : [ "string" ]
}

postSshCredsRole #

Parameters

role (required) #

[Required] Name of the role

Type: string

$body #

Type: object

{
"ip" : "[Required] IP of the remote host",
"username" : "[Optional] Username on the remote host"
}

postSshKeysKey_name #

Parameters

key_name (required) #

[Required] Name of the key

Type: string

$body #

Type: object

{
"key" : "[Required] SSH private key with superuser privileges on the host"
}

postSshLookup #

Parameters

$body #

Type: object

{
"ip" : "[Required] IP address of remote host"
}

postSshRolesRole #

Parameters

role (required) #

[Required for all types] Name of the role being created.

Type: string

$body #

Type: object

{
"allow_subdomains" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] If set, host certificates that are requested are allowed to use subdomains of those listed in \"allowed_domains\".",
"allow_host_certificates" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] If set, certificates are allowed to be signed for use as a 'host'.",
"allowed_domains" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] If this option is not specified, a client can request a signed certificate for any valid host. If only certain domains are allowed, then this list enforces it.",
"key_type" : "[Required for all types] Type of key used to log in to hosts. It can be either 'otp', 'dynamic' or 'ca'. The 'otp' type requires an agent to be installed on the remote hosts.",
"max_ttl" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] The maximum allowed lease duration",
"default_critical_options" : { },
"allow_bare_domains" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] If set, host certificates that are requested are allowed to use the base domains listed in \"allowed_domains\", e.g. \"example.com\". This is a separate option as in some cases this can be considered a security threat.",
"install_script" : "[Optional for Dynamic type] [Not applicable for OTP type] [Not applicable for CA type] Script used to install and uninstall public keys on the target machine. The inbuilt default install script is for Linux hosts. For a sample script, refer to the project documentation website.",
"allowed_extensions" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] A comma-separated list of extensions that certificates can have when signed. To allow any extensions (no restriction), set this to an empty string.",
"allowed_user_key_lengths" : { },
"key" : "[Required for Dynamic type] [Not applicable for OTP type] [Not applicable for CA type] Name of the registered key in Vault. Before creating the role, use the 'keys/' endpoint to create a named key.",
"allow_user_certificates" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] If set, certificates are allowed to be signed for use as a 'user'.",
"exclude_cidr_list" : "[Optional for Dynamic type] [Optional for OTP type] [Not applicable for CA type] Comma-separated list of CIDR blocks. IP addresses belonging to these blocks are not accepted by the role. This is particularly useful when large CIDR blocks are used by the role and certain parts of them need to be kept out.",
"ttl" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] The lease duration if no specific lease duration is requested. The lease duration controls the expiration of certificates issued by this backend. Defaults to the value of max_ttl.",
"allowed_critical_options" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] A comma-separated list of critical options that certificates can have when signed. To allow any critical options, set this to an empty string.",
"key_bits" : "[Optional for Dynamic type] [Not applicable for OTP type] [Not applicable for CA type] Length of the RSA dynamic key in bits. It is 1024 by default or it can be 2048. Note that 1024-bit RSA is below current minimum-strength recommendations; set this to 2048 explicitly.",
"key_id_format" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] When supplied, this value specifies a custom format for the key id of a signed certificate. The following variables are available for use: '{{token_display_name}}' - The display name of the token used to make the request. '{{role_name}}' - The name of the role signing the request. '{{public_key_hash}}' - A SHA256 checksum of the public key that is being signed.",
"key_option_specs" : "[Optional for Dynamic type] [Not applicable for OTP type] [Not applicable for CA type] Comma separated option specifications which will be prefixed to RSA key in authorized_keys file. Options should be valid and comply with authorized_keys file format and should not contain spaces.",
"allowed_users" : "[Optional for all types] [Works differently for CA type] If this option is not specified, or is '*', client can request a credential for any valid user at the remote host, including the admin user. If only certain usernames are to be allowed, then this list enforces it. If this field is set, then credentials can only be created for default_user and usernames present in this list. Setting this option will enable all the users with access to this role to fetch credentials for all other usernames in this list. Use with caution. N.B.: with the CA type, an empty list means that no users are allowed; explicitly specify '*' to allow any user.",
"allow_user_key_ids" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] If true, users can override the key ID for a signed certificate with the \"key_id\" field. When false, the key ID will always be the token display name. The key ID is logged by the SSH server and can be useful for auditing.",
"port" : "[Optional for Dynamic type] [Optional for OTP type] [Not applicable for CA type] Port number for SSH connection. Default is '22'. Port number does not play any role in creation of OTP. For 'otp' type, this is just a way to inform client about the port number to use. Port number will be returned to client by Vault server along with OTP.",
"default_user" : "[Required for Dynamic type] [Required for OTP type] [Optional for CA type] Default username for which a credential will be generated. When the endpoint 'creds/' is used without a username, this value will be used as default username.",
"default_extensions" : { },
"cidr_list" : "[Optional for Dynamic type] [Optional for OTP type] [Not applicable for CA type] Comma-separated list of CIDR blocks to which the role applies. CIDR blocks can belong to more than one role.",
"admin_user" : "[Required for Dynamic type] [Not applicable for OTP type] [Not applicable for CA type] Admin user at the remote host. The shared key being registered should be for this user and should have root privileges. Every time a dynamic credential is generated for another user, Vault uses this admin username to log in to the remote host and install the generated credential for that user."
}

postSshSignRole #

Parameters

role (required) #

The desired role with configuration for this request.

Type: string

$body #

Type: object

{
"public_key" : "SSH public key that should be signed.",
"cert_type" : "Type of certificate to be created; either \"user\" or \"host\".",
"extensions" : { },
"critical_options" : { },
"key_id" : "Key id that the created certificate should have. If not specified, the display name of the token will be used.",
"valid_principals" : "Valid principals, either usernames or hostnames, that the certificate should be signed for.",
"ttl" : "The requested Time To Live for the SSH certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be later than the role max TTL."
}

postSshVerify #

Parameters

$body #

Type: object

{
"otp" : "[Required] One-time password (OTP) that needs to be validated"
}

postSysAuditHashPath #

Parameters

path (required) #

The name of the backend. Cannot be delimited. Example: "mysql"

Type: string

$body #

Type: object

{
"input" : "string"
}

postSysAuditPath #

Parameters

path (required) #

The name of the backend. Cannot be delimited. Example: "mysql"

Type: string

$body #

Type: object

{
"options" : { },
"description" : "User-friendly description for this audit backend.",
"type" : "The type of the backend. Example: \"mysql\"",
"local" : "Mark the mount as a local mount, which is not replicated and is unaffected by replication."
}

postSysAuthPath #

After enabling, the auth method can be accessed and configured via the auth path specified as part of the URL. This auth path will be nested under the auth prefix.

For example, enabling the "foo" auth method will make it accessible at /auth/foo.

Parameters

path (required) #

The path to mount to. Cannot be delimited. Example: "user"

Type: string

$body #

Type: object

{
"seal_wrap" : "Whether to turn on seal wrapping for the mount.",
"options" : { },
"description" : "User-friendly description for this credential backend.",
"external_entropy_access" : "Whether to give the mount access to Vault's external entropy.",
"plugin_name" : "Name of the auth plugin to use based from the name in the plugin catalog.",
"type" : "The type of the backend. Example: \"userpass\"",
"config" : { },
"local" : "Mark the mount as a local mount, which is not replicated and is unaffected by replication."
}

postSysAuthPathTune #

This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via sys/mounts/auth/[auth-path]/tune.

Parameters

path (required) #

Tune the configuration parameters for an auth path.

Type: string

$body #

Type: object

{
"listing_visibility" : "Determines the visibility of the mount in the UI-specific listing endpoint. Accepted values are 'unauth' and ''.",
"audit_non_hmac_request_keys" : [ "string" ],
"max_lease_ttl" : "The max lease TTL for this mount.",
"passthrough_request_headers" : [ "string" ],
"default_lease_ttl" : "The default lease TTL for this mount.",
"options" : { },
"description" : "User-friendly description for this credential backend.",
"allowed_response_headers" : [ "string" ],
"token_type" : "The type of token to issue (service or batch).",
"audit_non_hmac_response_keys" : [ "string" ]
}

postSysCapabilities #

Parameters

$body #

Type: object

{
"path" : [ "string" ],
"paths" : [ "string" ],
"token" : "Token for which capabilities are being queried."
}

postSysCapabilitiesAccessor #

Parameters

$body #

Type: object

{
"path" : [ "string" ],
"paths" : [ "string" ],
"accessor" : "Accessor of the token for which capabilities are being queried."
}

postSysCapabilitiesSelf #

Parameters

$body #

Type: object

{
"path" : [ "string" ],
"paths" : [ "string" ],
"token" : "Token for which capabilities are being queried."
}

postSysConfigAuditingRequestHeadersHeader #

Parameters

header (required) #

Type: string

$body #

Type: object

{
"hmac" : "boolean"
}

postSysConfigCors #

Parameters

$body #

Type: object

{
"allowed_headers" : [ "string" ],
"enable" : "Enables or disables CORS headers on requests.",
"allowed_origins" : [ "string" ]
}

postSysConfigUiHeadersHeader #

Parameters

header (required) #

The name of the header.

Type: string

$body #

Type: object

{
"values" : [ "string" ]
}

postSysGenerateRoot #

Only a single root generation attempt can take place at a time. One (and only one) of otp or pgp_key is required.

Parameters

$body #

Type: object

{
"pgp_key" : "Specifies a base64-encoded PGP public key."
}

postSysGenerateRootAttempt #

Only a single root generation attempt can take place at a time. One (and only one) of otp or pgp_key is required.

Parameters

$body #

Type: object

{
"pgp_key" : "Specifies a base64-encoded PGP public key."
}

postSysGenerateRootUpdate #

If the threshold number of master key shares is reached, Vault will complete the root generation and issue the new token. Otherwise, this API must be called multiple times until that threshold is met. The attempt nonce must be provided with each call.

Parameters

$body #

Type: object

{
"nonce" : "Specifies the nonce of the attempt.",
"key" : "Specifies a single master key share."
}

postSysInit #

The Vault must not have been previously initialized. The recovery options, as well as the stored shares option, are only available when using Vault HSM.

Parameters

$body #

Type: object

{
"recovery_pgp_keys" : [ "string" ],
"stored_shares" : "Specifies the number of shares that should be encrypted by the HSM and stored for auto-unsealing. Currently must be the same as `secret_shares`.",
"secret_threshold" : "Specifies the number of shares required to reconstruct the master key. This must be less than or equal to secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as `secret_shares`.",
"recovery_shares" : "Specifies the number of shares to split the recovery key into.",
"secret_shares" : "Specifies the number of shares to split the master key into.",
"pgp_keys" : [ "string" ],
"recovery_threshold" : "Specifies the number of shares required to reconstruct the recovery key. This must be less than or equal to `recovery_shares`.",
"root_token_pgp_key" : "Specifies a PGP public key used to encrypt the initial root token. The key must be base64-encoded from its original binary representation."
}

postSysLeasesLookup #

Parameters

$body #

Type: object

{
"lease_id" : "The lease identifier to look up. This is included with a lease."
}

postSysLeasesRenew #

Parameters

$body #

Type: object

{
"url_lease_id" : "The lease identifier to renew. This is included with a lease.",
"increment" : "The desired increment in seconds to the lease",
"lease_id" : "The lease identifier to renew. This is included with a lease."
}

postSysLeasesRenewUrl_lease_id #

Parameters

url_lease_id (required) #

The lease identifier to renew. This is included with a lease.

Type: string

$body #

Type: object

{
"increment" : "The desired increment in seconds to the lease",
"lease_id" : "The lease identifier to renew. This is included with a lease."
}

postSysLeasesRevoke #

Parameters

$body #

Type: object

{
"url_lease_id" : "The lease identifier to revoke. This is included with a lease.",
"sync" : "Whether or not to perform the revocation synchronously",
"lease_id" : "The lease identifier to revoke. This is included with a lease."
}

postSysLeasesRevokeForcePrefix #

Unlike /sys/leases/revoke-prefix, this path ignores backend errors encountered during revocation. This is potentially very dangerous and should only be used in specific emergency situations where errors in the backend or the connected backend service prevent normal revocation.

By ignoring these errors, Vault abdicates responsibility for ensuring that the issued credentials or secrets are properly revoked and/or cleaned up. Access to this endpoint should be tightly controlled.

Parameters

prefix (required) #

The path to revoke keys under. Example: "prod/aws/ops"

Type: string

postSysLeasesRevokePrefixPrefix #

Parameters

prefix (required) #

The path to revoke keys under. Example: "prod/aws/ops"

Type: string

$body #

Type: object

{
"sync" : "Whether or not to perform the revocation synchronously"
}

postSysLeasesRevokeUrl_lease_id #

Parameters

url_lease_id (required) #

The lease identifier to revoke. This is included with a lease.

Type: string

$body #

Type: object

{
"sync" : "Whether or not to perform the revocation synchronously",
"lease_id" : "The lease identifier to revoke. This is included with a lease."
}

postSysLeasesTidy #

This operation has no parameters

postSysMountsPath #

Parameters

path (required) #

The path to mount to. Example: "aws/east"

Type: string

$body #

Type: object

{
"seal_wrap" : "Whether to turn on seal wrapping for the mount.",
"options" : { },
"description" : "User-friendly description for this mount.",
"external_entropy_access" : "Whether to give the mount access to Vault's external entropy.",
"plugin_name" : "Name of the plugin to mount based from the name registered in the plugin catalog.",
"type" : "The type of the backend. Example: \"passthrough\"",
"config" : { },
"local" : "Mark the mount as a local mount, which is not replicated and is unaffected by replication."
}

postSysMountsPathTune #

Parameters

path (required) #

The path to mount to. Example: "aws/east"

Type: string

$body #

Type: object

{
"listing_visibility" : "Determines the visibility of the mount in the UI-specific listing endpoint. Accepted values are 'unauth' and ''.",
"audit_non_hmac_request_keys" : [ "string" ],
"max_lease_ttl" : "The max lease TTL for this mount.",
"passthrough_request_headers" : [ "string" ],
"default_lease_ttl" : "The default lease TTL for this mount.",
"options" : { },
"description" : "User-friendly description for this credential backend.",
"allowed_response_headers" : [ "string" ],
"token_type" : "The type of token to issue (service or batch).",
"audit_non_hmac_response_keys" : [ "string" ]
}

postSysPluginsCatalogName #

Parameters

name (required) #

The name of the plugin

Type: string

$body #

Type: object

{
"args" : [ "string" ],
"sha256" : "The SHA256 sum of the executable used in the command field. This should be HEX encoded.",
"sha_256" : "The SHA256 sum of the executable used in the command field. This should be HEX encoded.",
"env" : [ "string" ],
"type" : "The type of the plugin, may be auth, secret, or database",
"command" : "The command used to start the plugin. The executable defined in this command must exist in vault's plugin directory."
}

postSysPluginsCatalogTypeName #

Parameters

name (required) #

The name of the plugin

Type: string

type (required) #

The type of the plugin, may be auth, secret, or database

Type: string

$body #

Type: object

{
"args" : [ "string" ],
"sha256" : "The SHA256 sum of the executable used in the command field. This should be HEX encoded.",
"sha_256" : "The SHA256 sum of the executable used in the command field. This should be HEX encoded.",
"env" : [ "string" ],
"command" : "The command used to start the plugin. The executable defined in this command must exist in Vault's plugin directory."
}

postSysPluginsReloadBackend #

Either the plugin name (plugin) or the desired plugin backend mounts (mounts) must be provided, but not both. In the case that the plugin name is provided, all mounted paths that use that plugin backend will be reloaded.

Parameters

$body #

Type: object

{
"plugin" : "The name of the plugin to reload, as registered in the plugin catalog.",
"mounts" : [ "string" ]
}

postSysPoliciesAclName #

Parameters

name (required) #

The name of the policy. Example: "ops"

Type: string

$body #

Type: object

{
"policy" : "The rules of the policy."
}

postSysPolicyName #

Parameters

name (required) #

The name of the policy. Example: "ops"

Type: string

$body #

Type: object

{
"rules" : "The rules of the policy.",
"policy" : "The rules of the policy."
}

postSysRaw #

Parameters

$body #

Type: object

{
"path" : "string",
"value" : "string"
}

postSysRawPath #

Parameters

path (required) #

Type: string

$body #

Type: object

{
"value" : "string"
}

postSysRekeyInit #

Only a single rekey attempt can take place at a time, and changing the parameters of a rekey requires canceling and starting a new rekey, which will also provide a new nonce.

Parameters

$body #

Type: object

{
"backup" : "Specifies if using PGP-encrypted keys, whether Vault should also store a plaintext backup of the PGP-encrypted keys.",
"secret_threshold" : "Specifies the number of shares required to reconstruct the master key. This must be less than or equal to secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as secret_shares.",
"require_verification" : "Turns on verification functionality",
"secret_shares" : "Specifies the number of shares to split the master key into.",
"pgp_keys" : [ "string" ]
}

postSysRekeyUpdate #

Parameters

$body #

Type: object

{
"nonce" : "Specifies the nonce of the rekey attempt.",
"key" : "Specifies a single master key share."
}

postSysRekeyVerify #

Parameters

$body #

Type: object

{
"nonce" : "Specifies the nonce of the rekey verification operation.",
"key" : "Specifies a single master share key from the new set of shares."
}

postSysRemount #

Parameters

$body #

Type: object

{
"from" : "The previous mount point.",
"to" : "The new mount point."
}

postSysRenew #

Parameters

$body #

Type: object

{
"url_lease_id" : "The lease identifier to renew. This is included with a lease.",
"increment" : "The desired increment in seconds to the lease",
"lease_id" : "The lease identifier to renew. This is included with a lease."
}

postSysRenewUrl_lease_id #

Parameters

url_lease_id (required) #

The lease identifier to renew. This is included with a lease.

Type: string

$body #

Type: object

{
"increment" : "The desired increment in seconds to the lease",
"lease_id" : "The lease identifier to renew. This is included with a lease."
}

postSysRevoke #

Parameters

$body #

Type: object

{
"url_lease_id" : "The lease identifier to revoke. This is included with a lease.",
"sync" : "Whether or not to perform the revocation synchronously",
"lease_id" : "The lease identifier to revoke. This is included with a lease."
}

postSysRevokeForcePrefix #

Unlike /sys/leases/revoke-prefix, this path ignores backend errors encountered during revocation. This is potentially very dangerous and should only be used in specific emergency situations where errors in the backend or the connected backend service prevent normal revocation.

By ignoring these errors, Vault abdicates responsibility for ensuring that the issued credentials or secrets are properly revoked and/or cleaned up. Access to this endpoint should be tightly controlled.

Parameters

prefix (required) #

The path to revoke keys under. Example: "prod/aws/ops"

Type: string

postSysRevokePrefixPrefix #

Parameters

prefix (required) #

The path to revoke keys under. Example: "prod/aws/ops"

Type: string

$body #

Type: object

{
"sync" : "Whether or not to perform the revocation synchronously"
}

postSysRevokeUrl_lease_id #

Parameters

url_lease_id (required) #

The lease identifier to revoke. This is included with a lease.

Type: string

$body #

Type: object

{
"sync" : "Whether or not to perform the revocation synchronously",
"lease_id" : "The lease identifier to revoke. This is included with a lease."
}

postSysRotate #

This operation has no parameters

postSysSeal #

This operation has no parameters

postSysStepDown #

This endpoint forces the node to give up active status. If the node does not have active status, this endpoint does nothing. Note that the node will sleep for ten seconds before attempting to grab the active lock again, but if no standby nodes grab the active lock in the interim, the same node may become the active node again.

This operation has no parameters

postSysToolsHash #

Parameters

$body #

Type: object

{
"input" : "The base64-encoded input data",
"urlalgorithm" : "Algorithm to use (POST URL parameter)",
"format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"hex\".",
"algorithm" : "Algorithm to use (POST body parameter). Valid values are: sha2-224, sha2-256, sha2-384, sha2-512. Defaults to \"sha2-256\"."
}

postSysToolsHashUrlalgorithm #

Parameters

urlalgorithm (required) #

Algorithm to use (POST URL parameter)

Type: string

$body #

Type: object

{
"input" : "The base64-encoded input data",
"format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"hex\".",
"algorithm" : "Algorithm to use (POST body parameter). Valid values are: sha2-224, sha2-256, sha2-384, sha2-512. Defaults to \"sha2-256\"."
}

postSysToolsRandom #

Parameters

$body #

Type: object

{
"urlbytes" : "The number of bytes to generate (POST URL parameter)",
"bytes" : "The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).",
"format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"base64\"."
}

postSysToolsRandomUrlbytes #

Parameters

urlbytes (required) #

The number of bytes to generate (POST URL parameter)

Type: string

$body #

Type: object

{
"bytes" : "The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).",
"format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"base64\"."
}

postSysUnseal #

Parameters

$body #

Type: object

{
"reset" : "Specifies if previously-provided unseal keys are discarded and the unseal process is reset.",
"key" : "Specifies a single master key share. This is required unless reset is true."
}

postSysWrappingLookup #

Parameters

$body #

Type: object

{
"token" : "string"
}

postSysWrappingRewrap #

Parameters

$body #

Type: object

{
"token" : "string"
}

postSysWrappingUnwrap #

Parameters

$body #

Type: object

{
"token" : "string"
}

postSysWrappingWrap #

This operation has no parameters

postTotpCodeName #

Parameters

name (required) #

Name of the key.

Type: string

$body #

Type: object

{
"code" : "TOTP code to be validated."
}

postTotpKeysName #

Parameters

name (required) #

Name of the key.

Type: string

$body #

Type: object

{
"exported" : "Determines if a QR code and url are returned upon generating a key. Only used if generate is true.",
"period" : "The length of time used to generate a counter for the TOTP token calculation.",
"qr_size" : "The pixel size of the generated square QR code. Only used if generate is true and exported is true. If this value is 0, a QR code will not be returned.",
"account_name" : "The name of the account associated with the key. Required if generate is true.",
"digits" : "The number of digits in the generated TOTP token. This value can either be 6 or 8.",
"generate" : "Determines if a key should be generated by Vault or if a key is being passed from another service.",
"issuer" : "The name of the key's issuing organization. Required if generate is true.",
"key" : "The shared master key used to generate a TOTP token. Only used if generate is false.",
"url" : "A TOTP url string containing all of the parameters for key setup. Only used if generate is false.",
"algorithm" : "The hashing algorithm used to generate the TOTP token. Options include SHA1, SHA256 and SHA512.",
"key_size" : "Determines the size in bytes of the generated key. Only used if generate is true.",
"skew" : "The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. Only used if generate is true."
}

postTransitCacheConfig #

Parameters

$body #

Type: object

{
"size" : "Size of the cache; use 0 for an unlimited cache size. Defaults to 0."
}

postTransitDatakeyPlaintextName #

Parameters

name (required) #

The backend key used for encrypting the data key

Type: string

plaintext (required) #

"plaintext" will return the key in both plaintext and ciphertext; "wrapped" will return the ciphertext only.

Type: string

$body #

Type: object

{
"key_version" : "The version of the Vault key to use for encryption of the data key. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.",
"bits" : "Number of bits for the key; currently 128, 256, and 512 bits are supported. Defaults to 256.",
"context" : "Context for key derivation. Required for derived keys.",
"nonce" : "Nonce for when convergent encryption v1 is used (only in Vault 0.6.1)"
}

postTransitDecryptName #

Parameters

name (required) #

Name of the policy

Type: string

$body #

Type: object

{
"ciphertext" : "The ciphertext to decrypt, provided as returned by encrypt.",
"context" : "Base64 encoded context for key derivation. Required if key derivation is enabled.",
"nonce" : "Base64 encoded nonce value used during encryption. Must be provided if convergent encryption is enabled for this key and the key was generated with Vault 0.6.1. Not required for keys created in 0.6.2+."
}

postTransitEncryptName #

Parameters

name (required) #

Name of the policy

Type: string

$body #

Type: object

{
"convergent_encryption" : "This parameter will only be used when a key is expected to be created. Whether to support convergent encryption. This is only supported when using a key with key derivation enabled and will require all requests to carry both a context and 96-bit (12-byte) nonce. The given nonce will be used in place of a randomly generated nonce. As a result, when the same context and nonce are supplied, the same ciphertext is generated. It is *very important* when using this mode that you ensure that all nonces are unique for a given context. Failing to do so will severely impact the ciphertext's security.",
"key_version" : "The version of the key to use for encryption. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.",
"context" : "Base64 encoded context for key derivation. Required if key derivation is enabled",
"plaintext" : "Base64 encoded plaintext value to be encrypted",
"type" : "This parameter is required when encryption key is expected to be created. When performing an upsert operation, the type of key to create. Currently, \"aes128-gcm96\" (symmetric) and \"aes256-gcm96\" (symmetric) are the only types supported. Defaults to \"aes256-gcm96\".",
"nonce" : "Base64 encoded nonce value. Must be provided if convergent encryption is enabled for this key and the key was generated with Vault 0.6.1. Not required for keys created in 0.6.2+. The value must be exactly 96 bits (12 bytes) long and the user must ensure that for any given context (and thus, any given encryption key) this nonce value is **never reused**."
}

postTransitHash #

Parameters

$body #

Type: object

{
"input" : "The base64-encoded input data",
"urlalgorithm" : "Algorithm to use (POST URL parameter)",
"format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"hex\".",
"algorithm" : "Algorithm to use (POST body parameter). Valid values are: sha2-224, sha2-256, sha2-384, sha2-512. Defaults to \"sha2-256\"."
}

postTransitHashUrlalgorithm #

Parameters

urlalgorithm (required) #

Algorithm to use (POST URL parameter)

Type: string

$body #

Type: object

{
"input" : "The base64-encoded input data",
"format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"hex\".",
"algorithm" : "Algorithm to use (POST body parameter). Valid values are: sha2-224, sha2-256, sha2-384, sha2-512. Defaults to \"sha2-256\"."
}

postTransitHmacName #

Parameters

name (required) #

The key to use for the HMAC function

Type: string

$body #

Type: object

{
"input" : "The base64-encoded input data",
"urlalgorithm" : "Algorithm to use (POST URL parameter)",
"key_version" : "The version of the key to use for generating the HMAC. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.",
"algorithm" : "Algorithm to use (POST body parameter). Valid values are: sha2-224, sha2-256, sha2-384, sha2-512. Defaults to \"sha2-256\"."
}

postTransitHmacNameUrlalgorithm #

Parameters

name (required) #

The key to use for the HMAC function

Type: string

urlalgorithm (required) #

Algorithm to use (POST URL parameter)

Type: string

$body #

Type: object

{
"input" : "The base64-encoded input data",
"key_version" : "The version of the key to use for generating the HMAC. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.",
"algorithm" : "Algorithm to use (POST body parameter). Valid values are: sha2-224, sha2-256, sha2-384, sha2-512. Defaults to \"sha2-256\"."
}

postTransitKeysName #

Parameters

name (required) #

Name of the key

Type: string

$body #

Type: object

{
"exportable" : "Enables keys to be exportable. This allows for all the valid keys in the key ring to be exported.",
"convergent_encryption" : "Whether to support convergent encryption. This is only supported when using a key with key derivation enabled and will require all requests to carry both a context and 96-bit (12-byte) nonce. The given nonce will be used in place of a randomly generated nonce. As a result, when the same context and nonce are supplied, the same ciphertext is generated. It is *very important* when using this mode that you ensure that all nonces are unique for a given context. Failing to do so will severely impact the ciphertext's security.",
"context" : "Base64 encoded context for key derivation. When reading a key with key derivation enabled, if the key type supports public keys, this will return the public key for the given context.",
"allow_plaintext_backup" : "Enables taking a backup of the named key in plaintext format. Once set, this cannot be disabled.",
"type" : "The type of key to create. Currently, \"aes128-gcm96\" (symmetric), \"aes256-gcm96\" (symmetric), \"ecdsa-p256\" (asymmetric), \"ecdsa-p384\" (asymmetric), \"ecdsa-p521\" (asymmetric), \"ed25519\" (asymmetric), \"rsa-2048\" (asymmetric), \"rsa-4096\" (asymmetric) are supported. Defaults to \"aes256-gcm96\".",
"derived" : "Enables key derivation mode. This allows for per-transaction unique keys for encryption operations."
}

postTransitKeysNameConfig #

Parameters

name (required) #

Name of the key

Type: string

$body #

Type: object

{
"deletion_allowed" : "Whether to allow deletion of the key",
"exportable" : "Enables export of the key. Once set, this cannot be disabled.",
"allow_plaintext_backup" : "Enables taking a backup of the named key in plaintext format. Once set, this cannot be disabled.",
"min_decryption_version" : "If set, the minimum version of the key allowed to be decrypted. For signing keys, the minimum version allowed to be used for verification.",
"min_encryption_version" : "If set, the minimum version of the key allowed to be used for encryption; or for signing keys, to be used for signing. If set to zero, only the latest version of the key is allowed."
}

postTransitKeysNameRotate #

Parameters

name (required) #

Name of the key

Type: string

postTransitKeysNameTrim #

Parameters

name (required) #

Name of the key

Type: string

$body #

Type: object

{
"min_available_version" : "The minimum available version for the key ring. All versions before this version will be permanently deleted. This value can at most be equal to the lesser of 'min_decryption_version' and 'min_encryption_version'. This is not allowed to be set when either 'min_encryption_version' or 'min_decryption_version' is set to zero."
}

postTransitRandom #

Parameters

$body #

Type: object

{
"urlbytes" : "The number of bytes to generate (POST URL parameter)",
"bytes" : "The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).",
"format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"base64\"."
}

postTransitRandomUrlbytes #

Parameters

urlbytes (required) #

The number of bytes to generate (POST URL parameter)

Type: string

$body #

Type: object

{
"bytes" : "The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).",
"format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"base64\"."
}

postTransitRestore #

Parameters

$body #

Type: object

{
"backup" : "Backed up key data to be restored. This should be the output from the 'backup/' endpoint.",
"name" : "If set, this will be the name of the restored key.",
"force" : "If set and a key by the given name exists, force the restore operation and override the key."
}

postTransitRestoreName #

Parameters

name (required) #

If set, this will be the name of the restored key.

Type: string

$body #

Type: object

{
"backup" : "Backed up key data to be restored. This should be the output from the 'backup/' endpoint.",
"force" : "If set and a key by the given name exists, force the restore operation and override the key."
}

postTransitRewrapName #

Parameters

name (required) #

Name of the key

Type: string

$body #

Type: object

{
"ciphertext" : "Ciphertext value to rewrap",
"key_version" : "The version of the key to use for encryption. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.",
"context" : "Base64 encoded context for key derivation. Required for derived keys.",
"nonce" : "Nonce for when convergent encryption is used"
}

postTransitSignName #

Parameters

name (required) #

The key to use

Type: string

$body #

Type: object

{
"prehashed" : "Set to 'true' when the input is already hashed. If the key type is 'rsa-2048' or 'rsa-4096', then the algorithm used to hash the input should be indicated by the 'algorithm' parameter.",
"input" : "The base64-encoded input data",
"urlalgorithm" : "Hash algorithm to use (POST URL parameter)",
"key_version" : "The version of the key to use for signing. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.",
"context" : "Base64 encoded context for key derivation. Required if key derivation is enabled; currently only available with ed25519 keys.",
"hash_algorithm" : "Hash algorithm to use (POST body parameter). Valid values are: sha1, sha2-224, sha2-256, sha2-384, sha2-512. Defaults to \"sha2-256\". Not valid for all key types, including ed25519.",
"signature_algorithm" : "The signature algorithm to use for signing. Currently only applies to RSA key types. Options are 'pss' or 'pkcs1v15'. Defaults to 'pss'",
"algorithm" : "Deprecated: use \"hash_algorithm\" instead.",
"marshaling_algorithm" : "The method by which to marshal the signature. The default is 'asn1', which is used by OpenSSL and X.509. It can also be set to 'jws', which is used for JWT signatures; setting it to this will also cause the encoding of the signature to be url-safe base64 instead of standard base64 encoding. Currently only valid for ECDSA P-256 key types."
}

postTransitSignNameUrlalgorithm #

Parameters

name (required) #

The key to use

Type: string

urlalgorithm (required) #

Hash algorithm to use (POST URL parameter)

Type: string

$body #

Type: object

{
"prehashed" : "Set to 'true' when the input is already hashed. If the key type is 'rsa-2048' or 'rsa-4096', then the algorithm used to hash the input should be indicated by the 'algorithm' parameter.",
"input" : "The base64-encoded input data",
"key_version" : "The version of the key to use for signing. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.",
"context" : "Base64 encoded context for key derivation. Required if key derivation is enabled; currently only available with ed25519 keys.",
"hash_algorithm" : "Hash algorithm to use (POST body parameter). Valid values are: sha1, sha2-224, sha2-256, sha2-384, sha2-512. Defaults to \"sha2-256\". Not valid for all key types, including ed25519.",
"signature_algorithm" : "The signature algorithm to use for signing. Currently only applies to RSA key types. Options are 'pss' or 'pkcs1v15'. Defaults to 'pss'",
"algorithm" : "Deprecated: use \"hash_algorithm\" instead.",
"marshaling_algorithm" : "The method by which to marshal the signature. The default is 'asn1', which is used by OpenSSL and X.509. It can also be set to 'jws', which is used for JWT signatures; setting it to this will also cause the encoding of the signature to be url-safe base64 instead of standard base64 encoding. Currently only valid for ECDSA P-256 key types."
}

postTransitVerifyName #

Parameters

name (required) #

The key to use

Type: string

$body #

Type: object

{
"prehashed" : "Set to 'true' when the input is already hashed. If the key type is 'rsa-2048' or 'rsa-4096', then the algorithm used to hash the input should be indicated by the 'algorithm' parameter.",
"input" : "The base64-encoded input data to verify",
"urlalgorithm" : "Hash algorithm to use (POST URL parameter)",
"signature" : "The signature, including vault header/key version",
"hmac" : "The HMAC, including vault header/key version",
"context" : "Base64 encoded context for key derivation. Required if key derivation is enabled; currently only available with ed25519 keys.",
"hash_algorithm" : "Hash algorithm to use (POST body parameter). Valid values are: sha1, sha2-224, sha2-256, sha2-384, sha2-512. Defaults to \"sha2-256\". Not valid for all key types.",
"signature_algorithm" : "The signature algorithm to use for signature verification. Currently only applies to RSA key types. Options are 'pss' or 'pkcs1v15'. Defaults to 'pss'",
"algorithm" : "Deprecated: use \"hash_algorithm\" instead.",
"marshaling_algorithm" : "The method by which to unmarshal the signature when verifying. The default is 'asn1', which is used by OpenSSL and X.509; it can also be set to 'jws', which is used for JWT signatures, in which case the signature is also expected to be url-safe base64 encoded instead of standard base64 encoded. Currently only valid for ECDSA P-256 key types."
}

postTransitVerifyNameUrlalgorithm #

Parameters

name (required) #

The key to use

Type: string

urlalgorithm (required) #

Hash algorithm to use (POST URL parameter)

Type: string

$body #

Type: object

{
"prehashed" : "Set to 'true' when the input is already hashed. If the key type is 'rsa-2048' or 'rsa-4096', then the algorithm used to hash the input should be indicated by the 'algorithm' parameter.",
"input" : "The base64-encoded input data to verify",
"signature" : "The signature, including vault header/key version",
"hmac" : "The HMAC, including vault header/key version",
"context" : "Base64 encoded context for key derivation. Required if key derivation is enabled; currently only available with ed25519 keys.",
"hash_algorithm" : "Hash algorithm to use (POST body parameter). Valid values are: sha1, sha2-224, sha2-256, sha2-384, sha2-512. Defaults to \"sha2-256\". Not valid for all key types.",
"signature_algorithm" : "The signature algorithm to use for signature verification. Currently only applies to RSA key types. Options are 'pss' or 'pkcs1v15'. Defaults to 'pss'",
"algorithm" : "Deprecated: use \"hash_algorithm\" instead.",
"marshaling_algorithm" : "The method by which to unmarshal the signature when verifying. The default is 'asn1', which is used by OpenSSL and X.509; it can also be set to 'jws', which is used for JWT signatures, in which case the signature is also expected to be url-safe base64 encoded instead of standard base64 encoded. Currently only valid for ECDSA P-256 key types."
}