Vault (version v1.*.*)

HTTP API that gives you full access to Vault. All API routes are prefixed with /v1/.
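The conventions behind every operation listed below are small but easy to get subtly wrong: the /v1/ prefix, the X-Vault-Token header, JSON request bodies on POST, and the "list" query parameter that the LIST-style operations accept ("Return a list if true"). The following request builder, an added example and not code from the Vault project, encodes those conventions and returns a plain record that can be inspected offline or handed to urllib. The hostnames, token value and the VaultRequest/build_request names are illustrative assumptions.

```python
"""Request builder for the Vault HTTP API conventions documented on this page.

Added example, not Vault project code. It applies the /v1/ prefix, renders
LIST as GET with "list=true" (the form the operations on this page expose),
sets X-Vault-Token when a token is given, and JSON-encodes POST bodies.
"""
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import Any, Dict, Optional


@dataclass
class VaultRequest:
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: Optional[bytes] = None


def build_request(addr: str, token: Optional[str], method: str, path: str,
                  body: Optional[Dict[str, Any]] = None) -> VaultRequest:
    """Build a request for an API path such as "secret/metadata/app".

    method is GET, POST, DELETE or LIST. Vault also accepts LIST as an HTTP
    verb, but this page documents listing as GET plus "?list=true", so that
    is what is produced here.
    """
    method = method.upper()
    if method not in ("GET", "POST", "DELETE", "LIST"):
        raise ValueError(f"unsupported method: {method}")
    if body is not None and method != "POST":
        raise ValueError("only POST operations carry a request body")

    # Every route is prefixed with /v1/; tolerate a leading slash in `path`
    # and a trailing slash on the server address.
    url = addr.rstrip("/") + "/v1/" + urllib.parse.quote(path.lstrip("/"), safe="/")
    if method == "LIST":
        method = "GET"
        url += "?list=true"

    headers: Dict[str, str] = {}
    if token is not None:
        # Unauthenticated endpoints such as sys/health, sys/seal-status and
        # GET sys/init are called with token=None.
        headers["X-Vault-Token"] = token

    data = None
    if body is not None:
        data = json.dumps(body).encode("utf-8")
        headers["Content-Type"] = "application/json"
    return VaultRequest(method, url, headers, data)


def send(req: VaultRequest, timeout: float = 10.0) -> Dict[str, Any]:
    """Send a built request and decode the JSON response body.

    urllib raises HTTPError for non-2xx answers; Vault puts its error
    messages in the JSON body of that response under "errors".
    """
    r = urllib.request.Request(req.url, data=req.body, headers=req.headers,
                               method=req.method)
    with urllib.request.urlopen(r, timeout=timeout) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


if __name__ == "__main__":
    # Example only; this address and token are placeholders, not live values.
    demo = build_request("https://vault.example.com:8200", "s.placeholder",
                         "LIST", "secret/metadata/")
    print(demo.method, demo.url)
```

build_request is kept separate from send so the exact URL and headers an operation produces can be checked (or logged) before anything is sent; the operation names on this page map directly onto the method and path arguments, for example deleteSysPoliciesAclName is DELETE on sys/policies/acl/<name>.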

deleteAdConfig

This operation has no parameters

deleteAdLibraryName

Parameters

name (required)

Name of the set.

Type: string

deleteAdRolesName

Parameters

name (required)

Name of the role

Type: string

deleteAlicloudConfig

This operation has no parameters

deleteAlicloudRoleName

Parameters

name (required)

The name of the role.

Type: string

deleteAuthTokenRolesRole_name

Parameters

role_name (required)

Name of the role

Type: string

deleteAwsRolesName

Parameters

name (required)

Name of the policy

Type: string

deleteAzureConfig

This operation has no parameters

deleteAzureRolesName

Parameters

name (required)

Name of the role.

Type: string

deleteConsulRolesName

Parameters

name (required)

Name of the role

Type: string

deleteCubbyholePath

Parameters

path (required)

Specifies the path of the secret.

Type: string

deleteDatabaseConfigName

Parameters

name (required)

Name of this database connection

Type: string

deleteDatabaseRolesName

Parameters

name (required)

Name of the role.

Type: string

deleteDatabaseStaticRolesName

Parameters

name (required)

Name of the role.

Type: string

deleteGcpRolesetName

Parameters

name (required)

Required. Name of the role.

Type: string

deleteGcpkmsConfig

This operation has no parameters

deleteGcpkmsKeysDeregisterKey

Parameters

key (required)

Name of the key to deregister in Vault. If the key exists in Google Cloud KMS, it will be left untouched.

Type: string

deleteGcpkmsKeysKey

Parameters

key (required)

Name of the key in Vault.

Type: string

deleteGcpkmsKeysTrimKey

Parameters

key (required)

Name of the key in Vault.

Type: string

deleteIdentityAliasIdId

Parameters

id (required)

ID of the alias

Type: string

deleteIdentityEntityAliasIdId

Parameters

id (required)

ID of the alias

Type: string

deleteIdentityEntityIdId

Parameters

id (required)

ID of the entity. If set, updates the corresponding existing entity.

Type: string

deleteIdentityEntityNameName

Parameters

name (required)

Name of the entity

Type: string

deleteIdentityGroupAliasIdId

Parameters

id (required)

ID of the group alias.

Type: string

deleteIdentityGroupIdId

Parameters

id (required)

ID of the group. If set, updates the corresponding existing group.

Type: string

deleteIdentityGroupNameName

Parameters

name (required)

Name of the group.

Type: string

deleteIdentityOidcKeyName

Parameters

name (required)

Name of the key

Type: string

deleteIdentityOidcRoleName

Parameters

name (required)

Name of the role

Type: string

deleteIdentityPersonaIdId

Parameters

id (required)

ID of the persona

Type: string

deleteNomadConfigAccess

This operation has no parameters

deleteNomadConfigLease

This operation has no parameters

deleteNomadRoleName

Parameters

name (required)

Name of the role

Type: string

deletePkiRolesName

Parameters

name (required)

Name of the role

Type: string

deletePkiRoot

This operation has no parameters

deleteRabbitmqRolesName

Parameters

name (required)

Name of the role.

Type: string

deleteSecretDataPath

Parameters

path (required)

Location of the secret.

Type: string

deleteSecretMetadataPath

Parameters

path (required)

Location of the secret.

Type: string

deleteSshConfigCa

This operation has no parameters

deleteSshConfigZeroaddress

This operation has no parameters

deleteSshKeysKey_name

Parameters

key_name (required)

[Required] Name of the key

Type: string

deleteSshRolesRole

Parameters

role (required)

[Required for all types] Name of the role being created.

Type: string

deleteSysAuditPath

Parameters

path (required)

The name of the backend. Cannot be delimited. Example: "mysql"

Type: string

deleteSysAuthPath

Parameters

path (required)

The path to mount to. Cannot be delimited. Example: "user"

Type: string

deleteSysConfigAuditingRequestHeadersHeader

Parameters

header (required)

Type: string

deleteSysConfigCors

This operation has no parameters

deleteSysConfigUiHeadersHeader

Parameters

header (required)

The name of the header.

Type: string

deleteSysGenerateRoot

This operation has no parameters

deleteSysGenerateRootAttempt

This operation has no parameters

deleteSysMountsPath

Parameters

path (required)

The path to mount to. Example: "aws/east"

Type: string

deleteSysPluginsCatalogName

Parameters

name (required)

The name of the plugin

Type: string

deleteSysPluginsCatalogTypeName

Parameters

name (required)

The name of the plugin

Type: string

type (required)

The type of the plugin, may be auth, secret, or database

Type: string

deleteSysPoliciesAclName

Parameters

name (required)

The name of the policy. Example: "ops"

Type: string

deleteSysPolicyName

Parameters

name (required)

The name of the policy. Example: "ops"

Type: string

deleteSysRaw

This operation has no parameters

deleteSysRawPath

Parameters

path (required)

Type: string

deleteSysRekeyBackup

This operation has no parameters

deleteSysRekeyInit

This clears the rekey settings as well as any progress made. This must be called to change the parameters of the rekey. Note: verification is still a part of a rekey. If rekeying is canceled during the verification flow, the current unseal keys remain valid.

This operation has no parameters

deleteSysRekeyRecoveryKeyBackup

This operation has no parameters

deleteSysRekeyVerify

This clears any progress made and resets the nonce. Unlike a DELETE against sys/rekey/init, this only resets the current verification operation, not the entire rekey attempt.

This operation has no parameters

deleteTotpKeysName

Parameters

name (required)

Name of the key.

Type: string

deleteTransitKeysName

Parameters

name (required)

Name of the key

Type: string

getAdConfig

This operation has no parameters

getAdCredsName

Parameters

name (required)

Name of the role

Type: string

getAdLibrary

Parameters

list

Return a list if true

Type: string

getAdLibraryName

Parameters

name (required)

Name of the set.

Type: string

getAdLibraryNameStatus

Parameters

name (required)

Name of the set.

Type: string

getAdRoles

Parameters

list

Return a list if true

Type: string

getAdRolesName

Parameters

name (required)

Name of the role

Type: string

getAdRotateRoot

This operation has no parameters

getAlicloudConfig

This operation has no parameters

getAlicloudCredsName

Parameters

name (required)

The name of the role.

Type: string

getAlicloudRole

Parameters

list

Return a list if true

Type: string

getAlicloudRoleName

Parameters

name (required)

The name of the role.

Type: string

getAuthTokenAccessors

Parameters

list

Return a list if true

Type: string

getAuthTokenLookup

This operation has no parameters

getAuthTokenLookupSelf

This operation has no parameters

getAuthTokenRoles

Parameters

list

Return a list if true

Type: string

getAuthTokenRolesRole_name

Parameters

role_name (required)

Name of the role

Type: string

getAwsConfigLease

This operation has no parameters

getAwsConfigRoot

This operation has no parameters

getAwsCreds

This operation has no parameters

getAwsRoles

Parameters

list

Return a list if true

Type: string

getAwsRolesName

Parameters

name (required)

Name of the policy

Type: string

getAwsStsName

Parameters

name (required)

Name of the role

Type: string

getAzureConfig

This operation has no parameters

getAzureCredsRole

Parameters

role (required)

Name of the Vault role

Type: string

getAzureRoles

Parameters

list

Return a list if true

Type: string

getAzureRolesName

Parameters

name (required)

Name of the role.

Type: string

getConsulConfigAccess

This operation has no parameters

getConsulCredsRole

Parameters

role (required)

Name of the role

Type: string

getConsulRoles

Parameters

list

Return a list if true

Type: string

getConsulRolesName

Parameters

name (required)

Name of the role

Type: string

getCubbyholePath

Parameters

path (required)

Specifies the path of the secret.

Type: string

list

Return a list if true

Type: string

getDatabaseConfig

Parameters

list

Return a list if true

Type: string

getDatabaseConfigName

Parameters

name (required)

Name of this database connection

Type: string

getDatabaseCredsName

Parameters

name (required)

Name of the role.

Type: string

getDatabaseRoles

Parameters

list

Return a list if true

Type: string

getDatabaseRolesName

Parameters

name (required)

Name of the role.

Type: string

getDatabaseStaticCredsName

Parameters

name (required)

Name of the static role.

Type: string

getDatabaseStaticRoles

Parameters

list

Return a list if true

Type: string

getDatabaseStaticRolesName

Parameters

name (required)

Name of the role.

Type: string

getGcpConfig

This operation has no parameters

getGcpKeyRoleset

Parameters

roleset (required)

Required. Name of the role set.

Type: string

getGcpRoleset

Parameters

list

Return a list if true

Type: string

getGcpRolesetName

Parameters

name (required)

Required. Name of the role.

Type: string

getGcpRolesets

Parameters

list

Return a list if true

Type: string

getGcpTokenRoleset

Parameters

roleset (required)

Required. Name of the role set.

Type: string

getGcpkmsConfig

This operation has no parameters

getGcpkmsKeys

Parameters

list

Return a list if true

Type: string

getGcpkmsKeysConfigKey

Parameters

key (required)

Name of the key in Vault.

Type: string

getGcpkmsKeysKey

Parameters

key (required)

Name of the key in Vault.

Type: string

getGcpkmsPubkeyKey

Parameters

key (required)

Name of the key for which to get the public key. This key must already exist in Vault and Google Cloud KMS.

Type: string

getIdentityAliasId

Parameters

list

Return a list if true

Type: string

getIdentityAliasIdId

Parameters

id (required)

ID of the alias

Type: string

getIdentityEntityAliasId

Parameters

list

Return a list if true

Type: string

getIdentityEntityAliasIdId

Parameters

id (required)

ID of the alias

Type: string

getIdentityEntityId

Parameters

list

Return a list if true

Type: string

getIdentityEntityIdId

Parameters

id (required)

ID of the entity. If set, updates the corresponding existing entity.

Type: string

getIdentityEntityName

Parameters

list

Return a list if true

Type: string

getIdentityEntityNameName

Parameters

name (required)

Name of the entity

Type: string

getIdentityGroupAliasId

Parameters

list

Return a list if true

Type: string

getIdentityGroupAliasIdId

Parameters

id (required)

ID of the group alias.

Type: string

getIdentityGroupId

Parameters

list

Return a list if true

Type: string

getIdentityGroupIdId

Parameters

id (required)

ID of the group. If set, updates the corresponding existing group.

Type: string

getIdentityGroupName

Parameters

list

Return a list if true

Type: string

getIdentityGroupNameName

Parameters

name (required)

Name of the group.

Type: string

getIdentityOidcConfig

This operation has no parameters

getIdentityOidcKey

Parameters

list

Return a list if true

Type: string

getIdentityOidcKeyName

Parameters

name (required)

Name of the key

Type: string

getIdentityOidcRole

Parameters

list

Return a list if true

Type: string

getIdentityOidcRoleName

Parameters

name (required)

Name of the role

Type: string

getIdentityOidcTokenName

Parameters

name (required)

Name of the role

Type: string

getIdentityOidcWellKnownKeys

This operation has no parameters

getIdentityOidcWellKnownOpenidConfiguration

This operation has no parameters

getIdentityPersonaId

Parameters

list

Return a list if true

Type: string

getIdentityPersonaIdId

Parameters

id (required)

ID of the persona

Type: string

getNomadConfigAccess

This operation has no parameters

getNomadConfigLease

This operation has no parameters

getNomadCredsName

Parameters

name (required)

Name of the role

Type: string

getNomadRole

Parameters

list

Return a list if true

Type: string

getNomadRoleName

Parameters

name (required)

Name of the role

Type: string

getPkiCa

This operation has no parameters

getPkiCaPem

This operation has no parameters

getPkiCa_chain

This operation has no parameters

getPkiCertCa_chain

This operation has no parameters

getPkiCertCrl

This operation has no parameters

getPkiCertSerial

Parameters

serial (required)

Certificate serial number, as colon- or hyphen-separated hexadecimal bytes

Type: string
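Serials come out of certificate tooling in several shapes (an integer, "serial=HEX" from openssl, hyphen- or colon-separated bytes), and a lookup or revocation against pki/cert/<serial> needs the colon-separated form Vault itself emits. The helpers below, an added example and not Vault project code, convert between those forms and build the API path; the "pki" mount name and the function names are assumptions for illustration.

```python
"""Serial-number helpers for getPkiCertSerial and pki/cert/<serial>.

Added example, not Vault project code. Vault renders a certificate serial as
lowercase two-digit hexadecimal bytes joined by colons and accepts the
hyphen-separated spelling on lookup; leading zero bytes are not carried.
"""
import re

_SERIAL_RE = re.compile(r"^[0-9a-f]{2}([:-][0-9a-f]{2})*$")


def serial_to_vault(serial: int) -> str:
    """Format a non-negative integer serial as colon-separated hex bytes."""
    if serial < 0:
        raise ValueError("serial must be non-negative")
    hexstr = format(serial, "x")
    if len(hexstr) % 2:
        hexstr = "0" + hexstr          # pad to whole bytes
    return ":".join(hexstr[i:i + 2] for i in range(0, len(hexstr), 2))


def vault_to_serial(text: str) -> int:
    """Parse a colon- or hyphen-separated hex serial back to an integer."""
    text = text.strip().lower()
    if not _SERIAL_RE.match(text):
        raise ValueError(f"not a Vault-style serial: {text!r}")
    return int(text.replace("-", "").replace(":", ""), 16)


def normalize_serial(text: str) -> str:
    """Canonicalize either accepted spelling to the colon form Vault emits."""
    return serial_to_vault(vault_to_serial(text))


def from_openssl_serial_line(line: str) -> str:
    """Convert a 'serial=<HEX>' line (openssl x509 -noout -serial) to Vault form."""
    m = re.match(r"^\s*serial=([0-9a-fA-F]+)\s*$", line)
    if not m:
        raise ValueError("expected a 'serial=<hex>' line")
    return serial_to_vault(int(m.group(1), 16))


def cert_path(text: str, mount: str = "pki") -> str:
    """API path (without the /v1/ prefix) for reading a certificate by serial.

    The mount name defaults to "pki" as on this page; adjust for other mounts.
    """
    return f"{mount}/cert/{normalize_serial(text)}"


if __name__ == "__main__":
    # Constructed sample value, not a real certificate serial.
    print(cert_path(from_openssl_serial_line("serial=176716B0")))
```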

getPkiCerts

Parameters

list

Return a list if true

Type: string

getPkiConfigCrl

This operation has no parameters

getPkiConfigUrls

This operation has no parameters

getPkiCrl

This operation has no parameters

getPkiCrlPem

This operation has no parameters

getPkiCrlRotate

This operation has no parameters

getPkiRoles

Parameters

list

Return a list if true

Type: string

getPkiRolesName

Parameters

name (required)

Name of the role

Type: string

getRabbitmqConfigLease

This operation has no parameters

getRabbitmqCredsName

Parameters

name (required)

Name of the role.

Type: string

getRabbitmqRoles

Parameters

list

Return a list if true

Type: string

getRabbitmqRolesName

Parameters

name (required)

Name of the role.

Type: string

getSecretConfig

This operation has no parameters

getSecretDataPath

Parameters

path (required)

Location of the secret.

Type: string

getSecretMetadataPath

Parameters

path (required)

Location of the secret.

Type: string

list

Return a list if true

Type: string

getSshConfigCa

This operation has no parameters

getSshConfigZeroaddress

This operation has no parameters

getSshPublic_key

This operation has no parameters

getSshRoles

Parameters

list

Return a list if true

Type: string

getSshRolesRole

Parameters

role (required)

[Required for all types] Name of the role being created.

Type: string

getSysAudit

This operation has no parameters

getSysAuth

This operation has no parameters

getSysAuthPathTune

This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via sys/mounts/auth/[auth-path]/tune.

Parameters

path (required)

Tune the configuration parameters for an auth path.

Type: string

getSysConfigAuditingRequestHeaders

This operation has no parameters

getSysConfigAuditingRequestHeadersHeader

Parameters

header (required)

Type: string

getSysConfigCors

This operation has no parameters

getSysConfigStateSanitized

The sanitized output strips configuration values in the storage, HA storage, and seals stanzas, which may contain sensitive values such as API tokens. It also removes any token or secret fields in other stanzas, such as the circonus_api_token from telemetry.

This operation has no parameters

getSysConfigUiHeaders

Parameters

list

Return a list if true

Type: string

getSysConfigUiHeadersHeader

Parameters

header (required)

The name of the header.

Type: string

getSysGenerateRoot

This operation has no parameters

getSysGenerateRootAttempt

This operation has no parameters

getSysHealth

This operation has no parameters

getSysHostInfo

Information about the host instance that this Vault server is running on. The information collected includes host hardware details and CPU, disk, and memory utilization.

This operation has no parameters

getSysInit

This operation has no parameters

getSysInternalSpecsOpenapi

This operation has no parameters

getSysInternalUiMounts

This operation has no parameters

getSysInternalUiMountsPath

Parameters

path (required)

The path of the mount.

Type: string

getSysKeyStatus

This operation has no parameters

getSysLeader

This operation has no parameters

getSysLeasesLookup

Parameters

list

Return a list if true

Type: string

getSysLeasesLookupPrefix

Parameters

prefix (required)

The path to list leases under. Example: "aws/creds/deploy"

Type: string

list

Return a list if true

Type: string

getSysMetrics

Parameters

format

Format to export metrics into. Currently accepts only "prometheus".

Type: string

getSysMounts

This operation has no parameters

getSysMountsPathTune

Parameters

path (required)

The path to mount to. Example: "aws/east"

Type: string

getSysPluginsCatalog

This operation has no parameters

getSysPluginsCatalogName

Parameters

name (required)

The name of the plugin

Type: string

getSysPluginsCatalogType

Parameters

type (required)

The type of the plugin, may be auth, secret, or database

Type: string

list

Return a list if true

Type: string

getSysPluginsCatalogTypeName

Parameters

name (required)

The name of the plugin

Type: string

type (required)

The type of the plugin, may be auth, secret, or database

Type: string

getSysPoliciesAcl

Parameters

list

Return a list if true

Type: string

getSysPoliciesAclName

Parameters

name (required)

The name of the policy. Example: "ops"

Type: string

getSysPolicy

Parameters

list

Return a list if true

Type: string

getSysPolicyName

Parameters

name (required)

The name of the policy. Example: "ops"

Type: string

getSysPprof

Returns an HTML page listing the available profiles. This should mainly be accessed via browsers or applications that can render pages.

This operation has no parameters

getSysPprofCmdline

Returns the running program's command line, with arguments separated by NUL bytes.

This operation has no parameters

getSysPprofGoroutine

Returns stack traces of all current goroutines.

This operation has no parameters

getSysPprofHeap

Returns a sampling of memory allocations of live objects.

This operation has no parameters

getSysPprofProfile

Returns a pprof-formatted CPU profile payload. Profiling lasts for the duration given by the "seconds" GET parameter, or for 30 seconds if it is not specified.

This operation has no parameters

getSysPprofSymbol

Looks up the program counters listed in the request and returns a mapping from program counter to function name.

This operation has no parameters

getSysPprofTrace

Returns the execution trace in binary form. Tracing lasts for the duration given by the "seconds" GET parameter, or for 1 second if it is not specified.

This operation has no parameters

getSysRaw

Parameters

list

Return a list if true

Type: string

getSysRawPath

Parameters

path (required)

Type: string

list

Return a list if true

Type: string

getSysRekeyBackup

This operation has no parameters

getSysRekeyInit

This operation has no parameters

getSysRekeyRecoveryKeyBackup

This operation has no parameters

getSysRekeyVerify

This operation has no parameters

getSysReplicationStatus

This operation has no parameters

getSysSealStatus

This operation has no parameters

getSysWrappingLookup

This operation has no parameters

getTotpCodeName

Parameters

name (required)

Name of the key.

Type: string

getTotpKeys

Parameters

list

Return a list if true

Type: string

getTotpKeysName

Parameters

name (required)

Name of the key.

Type: string

getTransitBackupName

Parameters

name (required)

Name of the key

Type: string

getTransitCacheConfig

This operation has no parameters

getTransitExportTypeName

Parameters

name (required)

Name of the key

Type: string

type (required)

Type of key to export (encryption-key, signing-key, hmac-key)

Type: string

getTransitExportTypeNameVersion

Parameters

name (required)

Name of the key

Type: string

type (required)

Type of key to export (encryption-key, signing-key, hmac-key)

Type: string

version (required)

Version of the key

Type: string

getTransitKeys

Parameters

list

Return a list if true

Type: string

getTransitKeysName

Parameters

name (required)

Name of the key

Type: string

postAdConfig

Parameters

$body

Type: object

{
"last_rotation_tolerance" : "The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band.",
"bindpass" : "LDAP password for searching for the user DN (optional)",
"max_ttl" : "In seconds, the maximum password time-to-live.",
"request_timeout" : "Timeout, in seconds, for the connection when making requests against the server before returning back an error.",
"certificate" : "CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded (optional)",
"use_pre111_group_cn_behavior" : "In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.",
"case_sensitive_names" : "If true, case sensitivity will be used when comparing usernames and groups for matching policies.",
"groupattr" : "LDAP attribute to follow on objects returned by the group filter in order to enumerate user group membership. Examples: \"cn\" or \"memberOf\", etc. Default: cn",
"tls_min_version" : "Minimum TLS version to use. Accepted values are 'tls10', 'tls11' or 'tls12'. Defaults to 'tls12'",
"upndomain" : "Enables userPrincipalDomain login with [username]@UPNDomain (optional)",
"userattr" : "Attribute used for users (default: cn)",
"starttls" : "Issue a StartTLS command after establishing unencrypted connection (optional)",
"groupfilter" : "Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username Example: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))",
"length" : "The desired length of passwords that Vault generates.",
"insecure_tls" : "Skip LDAP server SSL Certificate verification - VERY insecure (optional)",
"deny_null_bind" : "Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true",
"tls_max_version" : "Maximum TLS version to use. Accepted values are 'tls10', 'tls11' or 'tls12'. Defaults to 'tls12'",
"ttl" : "In seconds, the default password time-to-live.",
"url" : "LDAP URL to connect to (default: ldap://127.0.0.1). Multiple URLs can be specified by concatenating them with commas; they will be tried in-order.",
"formatter" : "Text to insert the password into, ex. \"customPrefix{{PASSWORD}}customSuffix\".",
"binddn" : "LDAP DN for searching for the user DN (optional)",
"groupdn" : "LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org)",
"use_token_groups" : "If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.",
"discoverdn" : "Use anonymous bind to discover the bind DN of a user (optional)",
"userdn" : "LDAP domain to use for users (eg: ou=People,dc=example,dc=org)"
}
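Several of these fields decide whether the bind credentials and every rotated password travel to the directory in clear text, over TLS, or over TLS without certificate checking ("insecure_tls ... VERY insecure"). The review function below, an added example and not Vault project code, fills in the defaults the descriptions above state (url ldap://127.0.0.1, tls_min_version and tls_max_version tls12, deny_null_bind true), splits the comma-separated url list, and reports the effective transport security per server. The hostnames in the usage are constructed, and the accepted TLS version list is the one documented here.

```python
"""Transport-security review of a postAdConfig request body.

Added example, not Vault project code. Defaults below are the ones stated in
the parameter descriptions; the findings are this reviewer's reading of them.
"""
from typing import Any, Dict, List
from urllib.parse import urlsplit

DEFAULTS: Dict[str, Any] = {
    "url": "ldap://127.0.0.1",
    "tls_min_version": "tls12",
    "tls_max_version": "tls12",
    "deny_null_bind": True,
    "starttls": False,
    "insecure_tls": False,
}
# Values the page documents for tls_min_version/tls_max_version, weakest first.
TLS_ORDER = ["tls10", "tls11", "tls12"]


def _truthy(v: Any) -> bool:
    """Vault accepts booleans or their string spellings in request bodies."""
    return v is True or (isinstance(v, str) and v.strip().lower() in ("true", "1", "yes"))


def review_ad_config(cfg: Dict[str, Any]) -> List[str]:
    """Return human-readable findings for the effective (defaulted) config."""
    eff = {**DEFAULTS, **cfg}
    findings: List[str] = []

    # "Multiple URLs can be specified by concatenating them with commas".
    for raw in str(eff["url"]).split(","):
        url = raw.strip()
        scheme = urlsplit(url).scheme.lower()
        if scheme == "ldap" and not _truthy(eff["starttls"]):
            findings.append(f"{url}: plaintext LDAP without starttls; binddn/bindpass sent in clear")
        elif scheme not in ("ldap", "ldaps"):
            findings.append(f"{url}: unexpected scheme {scheme!r}")

    if _truthy(eff["insecure_tls"]):
        findings.append("insecure_tls=true disables server certificate verification")

    mn, mx = eff["tls_min_version"], eff["tls_max_version"]
    for label, v in (("tls_min_version", mn), ("tls_max_version", mx)):
        if v not in TLS_ORDER:
            findings.append(f"{label} {v!r} is not one of the documented values {TLS_ORDER}")
    if mn in TLS_ORDER and mx in TLS_ORDER:
        if TLS_ORDER.index(mn) < TLS_ORDER.index("tls12"):
            findings.append(f"tls_min_version {mn} permits deprecated TLS versions")
        if TLS_ORDER.index(mx) < TLS_ORDER.index(mn):
            findings.append("tls_max_version is lower than tls_min_version")

    if not _truthy(eff["deny_null_bind"]):
        findings.append("deny_null_bind=false lets an empty password bind anonymously")

    return findings


if __name__ == "__main__":
    # Constructed sample body; the hosts are placeholders.
    for line in review_ad_config({"url": "ldap://dc1.example.com,ldaps://dc2.example.com",
                                  "insecure_tls": "true"}):
        print(line)
```

Running it against an empty body shows why the defaults matter: with nothing set, the effective configuration is a plaintext connection to ldap://127.0.0.1, so the single finding is about that, not about TLS settings.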

postAdLibraryManageNameCheckIn

Parameters

name (required)

Name of the set.

Type: string

$body

Type: object

{
"service_account_names" : [ "string" ]
}

postAdLibraryName

Parameters

name (required)

Name of the set.

Type: string

$body

Type: object

{
"max_ttl" : "In seconds, the max amount of time a check-out's renewals should last. Defaults to 24 hours.",
"service_account_names" : [ "string" ],
"disable_check_in_enforcement" : "Disable the default behavior of requiring that check-ins are performed by the entity that checked them out.",
"ttl" : "In seconds, the amount of time a check-out should last. Defaults to 24 hours."
}

postAdLibraryNameCheckIn

Parameters

name (required)

Name of the set.

Type: string

$body

Type: object

{
"service_account_names" : [ "string" ]
}

postAdLibraryNameCheckOut

Parameters

name (required)

Name of the set

Type: string

$body

Type: object

{
"ttl" : "The length of time before the check-out will expire, in seconds."
}

postAdRolesName

Parameters

name (required)

Name of the role

Type: string

$body

Type: object

{
"service_account_name" : "The username/logon name for the service account with which this role will be associated.",
"ttl" : "In seconds, the default password time-to-live."
}

postAlicloudConfig

Parameters

$body

Type: object

{
"secret_key" : "Secret key with appropriate permissions.",
"access_key" : "Access key with appropriate permissions."
}

postAlicloudRoleName

Parameters

name (required)

The name of the role.

Type: string

$body

Type: object

{
"max_ttl" : "The maximum allowed lifetime of tokens issued using this role.",
"role_arn" : "ARN of the role to be assumed. If provided, inline_policies and remote_policies should be blank. At creation time, this role must have configured trusted actors, and the access key and secret that will be used to assume the role (in /config) must qualify as a trusted actor.",
"remote_policies" : [ "string" ],
"inline_policies" : "JSON of policies to be dynamically applied to users of this role.",
"ttl" : "Duration in seconds after which the issued token should expire. Defaults to 0, in which case the value will fallback to the system/mount defaults."
}

postAuthTokenCreate

This operation has no parameters

postAuthTokenCreateOrphan

This operation has no parameters

postAuthTokenCreateRole_name

Parameters

role_name (required)

Name of the role

Type: string

postAuthTokenLookup

Parameters

$body

Type: object

{
"token" : "Token to look up (POST request body)"
}

postAuthTokenLookupAccessor

Parameters

$body

Type: object

{
"accessor" : "Accessor of the token to look up (request body)"
}

postAuthTokenLookupSelf

Parameters

$body

Type: object

{
"token" : "Token to look up (unused, does not need to be set)"
}

postAuthTokenRenew

Parameters

$body

Type: object

{
"increment" : "The desired increment in seconds to the token expiration",
"token" : "Token to renew (request body)"
}

postAuthTokenRenewAccessor

Parameters

$body

Type: object

{
"accessor" : "Accessor of the token to renew (request body)",
"increment" : "The desired increment in seconds to the token expiration"
}

postAuthTokenRenewSelf

Parameters

$body

Type: object

{
"increment" : "The desired increment in seconds to the token expiration",
"token" : "Token to renew (unused, does not need to be set)"
}

postAuthTokenRevoke

Parameters

$body

Type: object

{
"token" : "Token to revoke (request body)"
}

postAuthTokenRevokeAccessor

Parameters

$body

Type: object

{
"accessor" : "Accessor of the token (request body)"
}

postAuthTokenRevokeOrphan

Parameters

$body

Type: object

{
"token" : "Token to revoke (request body)"
}

postAuthTokenRevokeSelf

This operation has no parameters

postAuthTokenRolesRole_name

Parameters

role_name (required)

Name of the role

Type: string

$body

Type: object

{
"bound_cidrs" : [ "string" ],
"period" : "Use 'token_period' instead.",
"token_num_uses" : "The maximum number of times a token may be used, a value of zero means unlimited",
"allowed_entity_aliases" : [ "string" ],
"token_explicit_max_ttl" : "If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.",
"path_suffix" : "If set, tokens created via this role will contain the given suffix as a part of their path. This can be used to assist use of the 'revoke-prefix' endpoint later on. The given suffix must match the regular expression \\w[\\w-.]+\\w",
"token_period" : "If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").",
"orphan" : "If true, tokens created via this role will be orphan tokens (have no parent)",
"token_type" : "The type of token to generate, service or batch",
"explicit_max_ttl" : "Use 'token_explicit_max_ttl' instead.",
"token_no_default_policy" : "If true, the 'default' policy will not automatically be added to generated tokens",
"disallowed_policies" : [ "string" ],
"allowed_policies" : [ "string" ],
"renewable" : "Tokens created via this role will be renewable or not according to this value. Defaults to \"true\".",
"token_bound_cidrs" : [ "string" ]
}
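A token role is where most of a token's blast radius is decided (orphan or not, bound CIDRs, number of uses, explicit max TTL), and the body above mixes current fields with deprecated aliases. The linter below, an added example and not Vault project code, applies the constraints the descriptions state (the deprecated names and their replacements, the token_type values, the path_suffix pattern, allowed versus disallowed policies) and adds two hardening checks that are this reviewer's recommendations rather than Vault rules; both are labelled in the code. The sample role bodies are constructed.

```python
"""Lint for a postAuthTokenRolesRole_name request body.

Added example, not Vault project code. Documented constraints come from the
parameter descriptions on this page; the two hardening checks are my own.
"""
import re
from typing import Any, Dict, List

# The page gives the pattern as \w[\w-.]+\w. The hyphen is escaped here
# because Python's re, unlike Go's, rejects "\w-." as a range inside a class;
# the character set is the same.
PATH_SUFFIX_RE = re.compile(r"\w[\w\-.]+\w")

# "Use 'token_period' instead." / "Use 'token_explicit_max_ttl' instead."
DEPRECATED = {
    "period": "token_period",
    "explicit_max_ttl": "token_explicit_max_ttl",
}

# The page lists service and batch; Vault also accepts the default-* spellings
# that leave the choice to the mount's default (not documented on this page).
TOKEN_TYPES = {"service", "batch", "default", "default-service", "default-batch"}


def lint_token_role(role: Dict[str, Any]) -> List[str]:
    """Return findings for a token role body; an empty list means no issues."""
    findings: List[str] = []

    for old, new in DEPRECATED.items():
        if old in role:
            findings.append(f"'{old}' is deprecated; use '{new}'")

    tt = role.get("token_type")
    if tt is not None and tt not in TOKEN_TYPES:
        findings.append(f"token_type must be 'service' or 'batch', got {tt!r}")

    suffix = role.get("path_suffix")
    if suffix is not None and not PATH_SUFFIX_RE.fullmatch(suffix):
        # The page says the suffix "must match"; requiring the whole value to
        # match is the stricter reading and is an assumption of this check.
        findings.append(f"path_suffix {suffix!r} does not match \\w[\\w-.]+\\w")

    allowed = set(role.get("allowed_policies") or [])
    disallowed = set(role.get("disallowed_policies") or [])
    both = sorted(allowed & disallowed)
    if both:
        findings.append(f"policies listed as both allowed and disallowed: {both}")

    # Hardening check (added here, not a Vault rule): an orphan token has no
    # parent whose revocation would cascade to it, so bound its lifetime with
    # token_explicit_max_ttl or a fixed token_period.
    if role.get("orphan") and not (role.get("token_explicit_max_ttl") or role.get("token_period")):
        findings.append("orphan tokens should carry token_explicit_max_ttl or token_period")

    # Hardening check (added here): unlimited uses with no CIDR binding makes a
    # leaked token reusable from anywhere for its whole lifetime.
    if not role.get("token_num_uses") and not role.get("token_bound_cidrs"):
        findings.append("consider token_bound_cidrs or a non-zero token_num_uses")

    return findings


if __name__ == "__main__":
    # Constructed sample body.
    for line in lint_token_role({"period": "24h", "orphan": True, "path_suffix": "x"}):
        print(line)
```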

postAuthTokenTidy

This operation has no parameters

postAwsConfigLease

Parameters

$body

Type: object

{
"lease_max" : "Maximum time a credential is valid for.",
"lease" : "Default lease for roles."
}

postAwsConfigRoot

Parameters

$body

Type: object

{
"secret_key" : "Secret key with permission to create new keys.",
"max_retries" : "Maximum number of retries for recoverable exceptions of AWS APIs",
"access_key" : "Access key with permission to create new keys.",
"iam_endpoint" : "Endpoint to custom IAM server URL",
"sts_endpoint" : "Endpoint to custom STS server URL",
"region" : "Region for API calls."
}

postAwsConfigRotateRoot

This operation has no parameters

postAwsCreds

Parameters

$body

Type: object

{
"role_arn" : "ARN of role to assume when credential_type is assumed_role",
"name" : "Name of the role",
"ttl" : "Lifetime of the returned credentials in seconds"
}

postAwsRolesName

Parameters

name (required)

Name of the policy

Type: string

$body

Type: object

{
"credential_type" : "Type of credential to retrieve. Must be one of assumed_role, iam_user, or federation_token",
"role_arns" : [ "string" ],
"max_sts_ttl" : "Max allowed TTL for assumed_role and federation_token credential types",
"user_path" : "Path for IAM User. Only valid when credential_type is iam_user",
"permissions_boundary_arn" : "ARN of an IAM policy to attach as a permissions boundary on IAM user credentials; only valid when credential_type is iam_user",
"arn" : "Use role_arns or policy_arns instead.",
"default_sts_ttl" : "Default TTL for assumed_role and federation_token credential types when no TTL is explicitly requested with the credentials",
"policy_document" : "JSON-encoded IAM policy document. Behavior varies by credential_type. When credential_type is iam_user, then it will attach the contents of the policy_document to the IAM user generated. When credential_type is assumed_role or federation_token, this will be passed in as the Policy parameter to the AssumeRole or GetFederationToken API call, acting as a filter on permissions available.",
"policy" : "Use policy_document instead.",
"policy_arns" : [ "string" ]
}

postAwsStsName

Parameters

name (required)

Name of the role

Type: string

$body

Type: object

{
"role_arn" : "ARN of role to assume when credential_type is assumed_role",
"ttl" : "Lifetime of the returned credentials in seconds"
}

postAzureConfig

Parameters

$body

Type: object

{
"subscription_id" : "The subscription id for the Azure Active Directory. This value can also be provided with the AZURE_SUBSCRIPTION_ID environment variable.",
"tenant_id" : "The tenant id for the Azure Active Directory. This value can also be provided with the AZURE_TENANT_ID environment variable.",
"environment" : "The Azure environment name. If not provided, AzurePublicCloud is used. This value can also be provided with the AZURE_ENVIRONMENT environment variable.",
"client_secret" : "The OAuth2 client secret to connect to Azure. This value can also be provided with the AZURE_CLIENT_SECRET environment variable.",
"client_id" : "The OAuth2 client id to connect to Azure. This value can also be provided with the AZURE_CLIENT_ID environment variable."
}

postAzureRolesName

Parameters

name (required)

Name of the role.

Type: string

$body

Type: object

{
"max_ttl" : "Maximum lifetime of the generated service principal credentials. If not set or set to 0, will use system default.",
"application_object_id" : "Application Object ID to use for static service principal credentials.",
"azure_roles" : "JSON list of Azure roles to assign.",
"ttl" : "Default lease for generated credentials. If not set or set to 0, will use system default.",
"azure_groups" : "JSON list of Azure groups to add the service principal to."
}

postConsulConfigAccess

Parameters

$body

Type: object

{
"address" : "Consul server address",
"scheme" : "URI scheme for the Consul address",
"token" : "Token for API calls"
}

postConsulRolesName

Parameters

name (required)

Name of the role

Type: string

$body

Type: object

{
"max_ttl" : "Max TTL for the Consul token created from the role.",
"policies" : [ "string" ],
"lease" : "Use ttl instead.",
"token_type" : "Which type of token to create: 'client' or 'management'. If a 'management' token, the \"policy\" parameter is not required. Defaults to 'client'.",
"ttl" : "TTL for the Consul token created from the role.",
"local" : "Indicates that the token should not be replicated globally and instead be local to the current datacenter. Available in Consul 1.4 and above.",
"policy" : "Policy document, base64 encoded. Required for 'client' tokens. Required for Consul pre-1.4."
}

postCubbyholePath

Parameters

path (required)

Specifies the path of the secret.

Type: string

postDatabaseConfigName

Parameters

name (required)

Name of this database connection

Type: string

$body

Type: object

{
"verify_connection" : "If true, the connection details are verified by actually connecting to the database. Defaults to true.",
"allowed_roles" : [ "string" ],
"root_rotation_statements" : [ "string" ],
"plugin_name" : "The name of a builtin or previously registered plugin known to Vault. This endpoint will create an instance of that plugin type."
}

postDatabaseResetName

Parameters

name (required)

Name of this database connection

Type: string

postDatabaseRolesName

Parameters

name (required)

Name of the role.

Type: string

$body

Type: object

{
"renew_statements" : [ "string" ],
"db_name" : "Name of the database this role acts on.",
"max_ttl" : "Maximum time a credential is valid for",
"default_ttl" : "Default ttl for role.",
"revocation_statements" : [ "string" ],
"rollback_statements" : [ "string" ],
"creation_statements" : [ "string" ]
}

postDatabaseRotateRoleName

Parameters

name (required)

Name of the static role

Type: string

postDatabaseRotateRootName

Parameters

name (required)

Name of this database connection

Type: string

postDatabaseStaticRolesName

Parameters

name (required)

Name of the role.

Type: string

$body

Type: object

{
"db_name" : "Name of the database this role acts on.",
"rotation_statements" : [ "string" ],
"rotation_period" : "Period for automatic credential rotation of the given username. Not valid unless used with \"username\".",
"username" : "Name of the static user account for Vault to manage. Requires \"rotation_period\" to be specified."
}

postGcpConfig

Parameters

$body

Type: object

{
"max_ttl" : "Maximum time a service account key is valid for. If <= 0, will use system default.",
"credentials" : "GCP IAM service account credentials JSON with permissions to create new service accounts and set IAM policies",
"ttl" : "Default lease for generated keys. If <= 0, will use system default."
}

postGcpKeyRoleset

Parameters

roleset (required)

Required. Name of the role set.

Type: string

$body

Type: object

{
"key_type" : "Private key type for service account key - defaults to TYPE_GOOGLE_CREDENTIALS_FILE",
"key_algorithm" : "Private key algorithm for service account key - defaults to KEY_ALG_RSA_2048"
}

postGcpRolesetName

Parameters

name (required)

Required. Name of the role.

Type: string

$body

Type: object

{
"secret_type" : "Type of secret generated for this role set. Defaults to 'access_token'.",
"token_scopes" : [ "string" ],
"bindings" : "Bindings configuration string.",
"project" : "Name of the GCP project that this roleset's service account will belong to."
}

postGcpRolesetNameRotate

Parameters

name (required)

Name of the role.

Type: string

postGcpRolesetNameRotateKey

Parameters

name (required)

Name of the role.

Type: string

postGcpTokenRoleset

Parameters

roleset (required)

Required. Name of the role set.

Type: string

postGcpkmsConfig

Parameters

$body

Type: object

{
"credentials" : "The credentials to use for authenticating to Google Cloud. Leave this blank to use the Default Application Credentials or instance metadata authentication.",
"scopes" : [ "string" ]
}

postGcpkmsDecryptKey

Parameters

key (required)

Name of the key in Vault to use for decryption. This key must already exist in Vault and must map back to a Google Cloud KMS key.

Type: string

$body

Type: object

{
"ciphertext" : "Ciphertext to decrypt as previously returned from an encrypt operation. This must be base64-encoded ciphertext as previously returned from an encrypt operation.",
"key_version" : "Integer version of the crypto key version to use for decryption. This is required for asymmetric keys. For symmetric keys, Cloud KMS will choose the correct version automatically.",
"additional_authenticated_data" : "Optional data that was specified during encryption of this payload."
}

postGcpkmsEncryptKey

Parameters

key (required)

Name of the key in Vault to use for encryption. This key must already exist in Vault and must map back to a Google Cloud KMS key.

Type: string

$body

Type: object

{
"key_version" : "Integer version of the crypto key version to use for encryption. If unspecified, this defaults to the latest active crypto key version.",
"plaintext" : "Plaintext value to be encrypted. This can be a string or binary, but the size is limited. See the Google Cloud KMS documentation for information on size limitations by key types.",
"additional_authenticated_data" : "Optional base64-encoded data that, if specified, must also be provided to decrypt this payload."
}

postGcpkmsKeysConfigKey

Parameters

key (required)

Name of the key in Vault.

Type: string

$body

Type: object

{
"min_version" : "Minimum allowed crypto key version. If set to a positive value, key versions less than the given value are not permitted to be used. If set to 0 or a negative value, there is no minimum key version. This value only affects encryption/re-encryption, not decryption. To restrict old values from being decrypted, increase this value and then perform a trim operation.",
"max_version" : "Maximum allowed crypto key version. If set to a positive value, key versions greater than the given value are not permitted to be used. If set to 0 or a negative value, there is no maximum key version."
}

postGcpkmsKeysDeregisterKey

Parameters

key (required)

Name of the key to deregister in Vault. If the key exists in Google Cloud KMS, it will be left untouched.

Type: string

postGcpkmsKeysKey

Parameters

key (required)

Name of the key in Vault.

Type: string

$body

Type: object

{
"crypto_key" : "Name of the crypto key to use. If the given crypto key does not exist, Vault will try to create it. This defaults to the name of the key given to Vault as the parameter if unspecified.",
"protection_level" : "Level of protection to use for the key management. Valid values are \"software\" and \"hsm\". The default value is \"software\". The value cannot be changed after creation.",
"purpose" : "Purpose of the key. Valid options are \"asymmetric_decrypt\", \"asymmetric_sign\", and \"encrypt_decrypt\". The default value is \"encrypt_decrypt\". The value cannot be changed after creation.",
"key_ring" : "Full Google Cloud resource ID of the key ring with the project and location (e.g. projects/my-project/locations/global/keyRings/my-keyring). If the given key ring does not exist, Vault will try to create it during a create operation.",
"rotation_period" : "Amount of time between crypto key version rotations. This is specified as a time duration value like 72h (72 hours). The smallest possible value is 24h. This value only applies to keys with a purpose of \"encrypt_decrypt\".",
"algorithm" : "Algorithm to use for encryption, decryption, or signing. The value depends on the key purpose. The value cannot be changed after creation. For a key purpose of \"encrypt_decrypt\", the valid values are: - symmetric_encryption (default) For a key purpose of \"asymmetric_sign\", valid values are: - rsa_sign_pss_2048_sha256 - rsa_sign_pss_3072_sha256 - rsa_sign_pss_4096_sha256 - rsa_sign_pkcs1_2048_sha256 - rsa_sign_pkcs1_3072_sha256 - rsa_sign_pkcs1_4096_sha256 - ec_sign_p256_sha256 - ec_sign_p384_sha384 For a key purpose of \"asymmetric_decrypt\", valid values are: - rsa_decrypt_oaep_2048_sha256 - rsa_decrypt_oaep_3072_sha256 - rsa_decrypt_oaep_4096_sha256",
"labels" : { }
}

postGcpkmsKeysRegisterKey

Parameters

key (required)

Name of the key to register in Vault. This will be the name used to refer to the underlying crypto key when encrypting or decrypting data.

Type: string

$body

Type: object

{
"crypto_key" : "Full resource ID of the crypto key including the project, location, key ring, and crypto key like \"projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\". This crypto key must already exist in Google Cloud KMS unless verify is set to \"false\".",
"verify" : "Verify that the given Google Cloud KMS crypto key exists and is accessible before creating the storage entry in Vault. Set this to \"false\" if the key will not exist at creation time."
}

postGcpkmsKeysRotateKey

Parameters

key (required)

Name of the key to rotate. This key must already be registered with Vault and point to a valid Google Cloud KMS crypto key.

Type: string

postGcpkmsKeysTrimKey

Parameters

key (required)

Name of the key in Vault.

Type: string

postGcpkmsReencryptKey

Parameters

key (required)

Name of the key to use for encryption. This key must already exist in Vault and Google Cloud KMS.

Type: string

$body

Type: object

{
"ciphertext" : "Ciphertext to be re-encrypted to the latest key version. This must be ciphertext that Vault previously generated for this named key.",
"key_version" : "Integer version of the crypto key version to use for the new encryption. If unspecified, this defaults to the latest active crypto key version.",
"additional_authenticated_data" : "Optional data that, if specified, must also be provided during decryption."
}

postGcpkmsSignKey

Parameters

key (required)

Name of the key in Vault to use for signing. This key must already exist in Vault and must map back to a Google Cloud KMS key.

Type: string

$body

Type: object

{
"key_version" : "Integer version of the crypto key version to use for signing. This field is required.",
"digest" : "Digest to sign. This digest must use the same SHA algorithm as the underlying Cloud KMS key. The digest must be the base64-encoded binary value. This field is required."
}

postGcpkmsVerifyKey

Parameters

key (required)

Name of the key in Vault to use for verification. This key must already exist in Vault and must map back to a Google Cloud KMS key.

Type: string

$body

Type: object

{
"key_version" : "Integer version of the crypto key version to use for verification. This field is required.",
"signature" : "Base64-encoded signature to use for verification. This field is required.",
"digest" : "Digest to verify. This digest must use the same SHA algorithm as the underlying Cloud KMS key. The digest must be the base64-encoded binary value. This field is required."
}

postIdentityAlias

Parameters

$body

Type: object

{
"canonical_id" : "Entity ID to which this alias belongs",
"name" : "Name of the alias",
"id" : "ID of the alias",
"entity_id" : "Entity ID to which this alias belongs. This field is deprecated in favor of 'canonical_id'.",
"mount_accessor" : "Mount accessor to which this alias belongs"
}

postIdentityAliasIdId

Parameters

id (required)

ID of the alias

Type: string

$body

Type: object

{
"canonical_id" : "Entity ID to which this alias should be tied",
"name" : "Name of the alias",
"entity_id" : "Entity ID to which this alias should be tied. This field is deprecated in favor of 'canonical_id'.",
"mount_accessor" : "Mount accessor to which this alias belongs"
}

postIdentityEntity

Parameters

$body

Type: object

{
"metadata" : { },
"name" : "Name of the entity",
"policies" : [ "string" ],
"disabled" : "If set true, tokens tied to this identity will not be able to be used (but will not be revoked).",
"id" : "ID of the entity. If set, updates the corresponding existing entity."
}

postIdentityEntityAlias

Parameters

$body

Type: object

{
"canonical_id" : "Entity ID to which this alias belongs",
"name" : "Name of the alias; unused for a modify",
"id" : "ID of the entity alias. If set, updates the corresponding entity alias.",
"entity_id" : "Entity ID to which this alias belongs. This field is deprecated, use canonical_id.",
"mount_accessor" : "Mount accessor to which this alias belongs; unused for a modify"
}

postIdentityEntityAliasIdId

Parameters

id (required)

ID of the alias

Type: string

$body

Type: object

{
"canonical_id" : "Entity ID to which this alias should be tied",
"name" : "(Unused)",
"entity_id" : "Entity ID to which this alias belongs. This field is deprecated, use canonical_id.",
"mount_accessor" : "(Unused)"
}

postIdentityEntityIdId

Parameters

id (required)

ID of the entity. If set, updates the corresponding existing entity.

Type: string

$body

Type: object

{
"metadata" : { },
"name" : "Name of the entity",
"policies" : [ "string" ],
"disabled" : "If set true, tokens tied to this identity will not be able to be used (but will not be revoked)."
}

postIdentityEntityMerge

Parameters

$body

Type: object

{
"from_entity_ids" : [ "string" ],
"to_entity_id" : "Entity ID into which all the other entities need to get merged",
"force" : "Setting this will follow the 'mine' strategy for merging MFA secrets. If there are secrets of the same type both in the entities being merged from and in the entity into which all others are getting merged, secrets in the destination will be unaltered. If not set, this API will throw an error containing all the conflicts."
}

postIdentityEntityNameName

Parameters

name (required)

Name of the entity

Type: string

$body

Type: object

{
"metadata" : { },
"policies" : [ "string" ],
"disabled" : "If set true, tokens tied to this identity will not be able to be used (but will not be revoked).",
"id" : "ID of the entity. If set, updates the corresponding existing entity."
}

postIdentityGroup

Parameters

$body

Type: object

{
"member_group_ids" : [ "string" ],
"metadata" : { },
"name" : "Name of the group.",
"policies" : [ "string" ],
"id" : "ID of the group. If set, updates the corresponding existing group.",
"type" : "Type of the group, 'internal' or 'external'. Defaults to 'internal'",
"member_entity_ids" : [ "string" ]
}

postIdentityGroupAlias

Parameters

$body

Type: object

{
"canonical_id" : "ID of the group to which this is an alias.",
"name" : "Alias of the group.",
"id" : "ID of the group alias.",
"mount_accessor" : "Mount accessor to which this alias belongs."
}

postIdentityGroupAliasIdId

Parameters

id (required)

ID of the group alias.

Type: string

$body

Type: object

{
"canonical_id" : "ID of the group to which this is an alias.",
"name" : "Alias of the group.",
"mount_accessor" : "Mount accessor to which this alias belongs."
}

postIdentityGroupIdId

Parameters

id (required)

ID of the group. If set, updates the corresponding existing group.

Type: string

$body

Type: object

{
"member_group_ids" : [ "string" ],
"metadata" : { },
"name" : "Name of the group.",
"policies" : [ "string" ],
"type" : "Type of the group, 'internal' or 'external'. Defaults to 'internal'",
"member_entity_ids" : [ "string" ]
}

postIdentityGroupNameName

Parameters

name (required)

Name of the group.

Type: string

$body

Type: object

{
"member_group_ids" : [ "string" ],
"metadata" : { },
"policies" : [ "string" ],
"id" : "ID of the group. If set, updates the corresponding existing group.",
"type" : "Type of the group, 'internal' or 'external'. Defaults to 'internal'",
"member_entity_ids" : [ "string" ]
}

postIdentityLookupEntity

Parameters

$body

Type: object

{
"alias_mount_accessor" : "Accessor of the mount to which the alias belongs. This should be supplied in conjunction with 'alias_name'.",
"alias_id" : "ID of the alias.",
"name" : "Name of the entity.",
"id" : "ID of the entity.",
"alias_name" : "Name of the alias. This should be supplied in conjunction with 'alias_mount_accessor'."
}

postIdentityLookupGroup

Parameters

$body

Type: object

{
"alias_mount_accessor" : "Accessor of the mount to which the alias belongs. This should be supplied in conjunction with 'alias_name'.",
"alias_id" : "ID of the alias.",
"name" : "Name of the group.",
"id" : "ID of the group.",
"alias_name" : "Name of the alias. This should be supplied in conjunction with 'alias_mount_accessor'."
}

postIdentityOidcConfig

Parameters

$body

Type: object

{
"issuer" : "Issuer URL to be used in the iss claim of the token. If not set, Vault's app_addr will be used."
}

postIdentityOidcIntrospect

Parameters

$body

Type: object

{
"client_id" : "Optional client_id to verify",
"token" : "Token to verify"
}

postIdentityOidcKeyName

Parameters

name (required)

Name of the key

Type: string

$body

Type: object

{
"verification_ttl" : "Controls how long the public portion of a key will be available for verification after being rotated.",
"rotation_period" : "How often to generate a new keypair.",
"allowed_client_ids" : [ "string" ],
"algorithm" : "Signing algorithm to use. This will default to RS256."
}

postIdentityOidcKeyNameRotate

Parameters

name (required)

Name of the key

Type: string

$body

Type: object

{
"verification_ttl" : "Controls how long the public portion of a key will be available for verification after being rotated. Setting verification_ttl here will override the verification_ttl set on the key."
}

postIdentityOidcRoleName

Parameters

name (required)

Name of the role

Type: string

$body

Type: object

{
"template" : "The template string to use for generating tokens. This may be in string-ified JSON or base64 format.",
"ttl" : "TTL of the tokens generated against the role.",
"key" : "The OIDC key to use for generating tokens. The specified key must already exist."
}

postIdentityPersona

Parameters

$body

Type: object

{
"metadata" : { },
"name" : "Name of the persona",
"id" : "ID of the persona",
"entity_id" : "Entity ID to which this persona belongs",
"mount_accessor" : "Mount accessor to which this persona belongs"
}

postIdentityPersonaIdId

Parameters

id (required)

ID of the persona

Type: string

$body

Type: object

{
"metadata" : { },
"name" : "Name of the persona",
"entity_id" : "Entity ID to which this persona should be tied",
"mount_accessor" : "Mount accessor to which this persona belongs"
}

postNomadConfigAccess

Parameters

$body

Type: object

{
"max_token_name_length" : "Max length for name of generated Nomad tokens",
"address" : "Nomad server address",
"token" : "Token for API calls"
}

postNomadConfigLease

Parameters

$body

Type: object

{
"max_ttl" : "Duration after which the issued token should not be allowed to be renewed",
"ttl" : "Duration before which the issued token needs renewal"
}

postNomadRoleName

Parameters

name (required)

Name of the role

Type: string

$body

Type: object

{
"policies" : [ "string" ],
"global" : "Boolean value describing if the token should be global or not. Defaults to false.",
"type" : "Which type of token to create: 'client' or 'management'. If a 'management' token, the \"policies\" parameter is not required. Defaults to 'client'."
}

postPkiConfigCa

Parameters

$body

Type: object

{
"pem_bundle" : "PEM-format, concatenated unencrypted secret key and certificate."
}

postPkiConfigCrl

Parameters

$body

Type: object

{
"disable" : "If set to true, disables generating the CRL entirely.",
"expiry" : "The amount of time the generated CRL should be valid; defaults to 72 hours"
}

postPkiConfigUrls

Parameters

$body

Type: object

{
"crl_distribution_points" : [ "string" ],
"issuing_certificates" : [ "string" ],
"ocsp_servers" : [ "string" ]
}

postPkiIntermediateGenerateExported

Parameters

exported (required)

Must be "internal" or "exported". If set to "exported", the generated private key will be returned. This is your only chance to retrieve the private key!

Type: string

$body

Type: object

{
"other_sans" : [ "string" ],
"country" : [ "string" ],
"street_address" : [ "string" ],
"add_basic_constraints" : "Whether to add a Basic Constraints extension with CA: true. Only needed as a workaround in some compatibility scenarios with Active Directory Certificate Services.",
"key_type" : "The type of key to use; defaults to RSA. \"rsa\" and \"ec\" are the only valid values.",
"ou" : [ "string" ],
"format" : "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".",
"locality" : [ "string" ],
"private_key_format" : "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".",
"alt_names" : "The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses.",
"serial_number" : "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.",
"exclude_cn_from_sans" : "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).",
"uri_sans" : [ "string" ],
"ttl" : "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.",
"key_bits" : "The number of bits to use. You will almost certainly want to change this if you adjust the key_type.",
"province" : [ "string" ],
"ip_sans" : [ "string" ],
"organization" : [ "string" ],
"common_name" : "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans.",
"postal_code" : [ "string" ]
}

postPkiIntermediateSetSigned

Parameters

$body

Type: object

{
"certificate" : "PEM-format certificate. This must be a CA certificate with a public key matching the previously-generated key from the generation endpoint."
}

postPkiIssueRole

Parameters

role (required)

The desired role with configuration for this request

Type: string

$body

Type: object

{
"other_sans" : [ "string" ],
"ip_sans" : [ "string" ],
"format" : "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".",
"private_key_format" : "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".",
"alt_names" : "The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.",
"serial_number" : "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.",
"exclude_cn_from_sans" : "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).",
"uri_sans" : [ "string" ],
"common_name" : "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address.",
"ttl" : "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL."
}

postPkiRevoke

Parameters

$body

Type: object

{
"serial_number" : "Certificate serial number, in colon- or hyphen-separated octal"
}

postPkiRolesName

Parameters

name (required)

Name of the role

Type: string

$body

Type: object

{
"country" : [ "string" ],
"street_address" : [ "string" ],
"allow_subdomains" : "If set, clients can request certificates for subdomains of the CNs allowed by the other role options, including wildcard subdomains. See the documentation for more information.",
"allowed_domains" : [ "string" ],
"key_type" : "The type of key to use; defaults to RSA. \"rsa\" and \"ec\" are the only valid values.",
"key_usage" : [ "string" ],
"max_ttl" : "The maximum allowed lease duration",
"allow_bare_domains" : "If set, clients can request certificates for the base domains themselves, e.g. \"example.com\". This is a separate option as in some cases this can be considered a security threat.",
"allowed_other_sans" : [ "string" ],
"province" : [ "string" ],
"allow_localhost" : "Whether to allow \"localhost\" as a valid common name in a request",
"enforce_hostnames" : "If set, only valid host names are allowed for CN and SANs. Defaults to true.",
"allowed_uri_sans" : [ "string" ],
"backend" : "Backend Type",
"email_protection_flag" : "If set, certificates are flagged for email protection use. Defaults to false.",
"no_store" : "If set, certificates issued/signed against this role will not be stored in the storage backend. This can improve performance when issuing large numbers of certificates. However, certificates issued in this way cannot be enumerated or revoked, so this option is recommended only for certificates that are non-sensitive, or extremely short-lived. This option implies a value of \"false\" for \"generate_lease\".",
"allowed_serial_numbers" : [ "string" ],
"ou" : [ "string" ],
"allow_any_name" : "If set, clients can request certificates for any CN they like. See the documentation for more information.",
"locality" : [ "string" ],
"basic_constraints_valid_for_non_ca" : "Mark Basic Constraints valid when issuing non-CA certificates.",
"server_flag" : "If set, certificates are flagged for server auth use. Defaults to true.",
"generate_lease" : "If set, certificates issued/signed against this role will have Vault leases attached to them. Defaults to \"false\". Certificates can be added to the CRL by \"vault revoke \" when certificates are associated with leases. It can also be done using the \"pki/revoke\" endpoint. However, when lease generation is disabled, invoking \"pki/revoke\" would be the only way to add the certificates to the CRL. When large number of certificates are generated with long lifetimes, it is recommended that lease generation be disabled, as large amount of leases adversely affect the startup time of Vault.",
"ttl" : "The lease duration if no specific lease duration is requested. The lease duration controls the expiration of certificates issued by this backend. Defaults to the value of max_ttl.",
"use_csr_sans" : "If set, when used with a signing profile, the SANs in the CSR will be used. This does *not* include the Common Name (cn). Defaults to true.",
"not_before_duration" : "The duration before now the cert needs to be created / signed.",
"key_bits" : "The number of bits to use. You will almost certainly want to change this if you adjust the key_type.",
"require_cn" : "If set to false, makes the 'common_name' field optional while generating a certificate.",
"allow_ip_sans" : "If set, IP Subject Alternative Names are allowed. Any valid IP is accepted.",
"code_signing_flag" : "If set, certificates are flagged for code signing use. Defaults to false.",
"policy_identifiers" : [ "string" ],
"allow_glob_domains" : "If set, domains specified in \"allowed_domains\" can include glob patterns, e.g. \"ftp*.example.com\". See the documentation for more information.",
"organization" : [ "string" ],
"use_csr_common_name" : "If set, when used with a signing profile, the common name in the CSR will be used. This does *not* include any requested Subject Alternative Names. Defaults to true.",
"ext_key_usage" : [ "string" ],
"postal_code" : [ "string" ],
"ext_key_usage_oids" : [ "string" ],
"client_flag" : "If set, certificates are flagged for client auth use. Defaults to true."
}

postPkiRootGenerateExported

Parameters

exported (required)

Must be "internal" or "exported". If set to "exported", the generated private key will be returned. This is your only chance to retrieve the private key!

Type: string

$body

Type: object

{
"other_sans" : [ "string" ],
"country" : [ "string" ],
"street_address" : [ "string" ],
"key_type" : "The type of key to use; defaults to RSA. \"rsa\" and \"ec\" are the only valid values.",
"ou" : [ "string" ],
"format" : "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".",
"locality" : [ "string" ],
"private_key_format" : "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".",
"alt_names" : "The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses.",
"serial_number" : "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.",
"exclude_cn_from_sans" : "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).",
"uri_sans" : [ "string" ],
"max_path_length" : "The maximum allowable path length",
"ttl" : "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.",
"key_bits" : "The number of bits to use. You will almost certainly want to change this if you adjust the key_type.",
"permitted_dns_domains" : [ "string" ],
"province" : [ "string" ],
"ip_sans" : [ "string" ],
"organization" : [ "string" ],
"common_name" : "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans.",
"postal_code" : [ "string" ]
}

postPkiRootSignIntermediate

Parameters

$body

Type: object

{
"other_sans" : [ "string" ],
"country" : [ "string" ],
"street_address" : [ "string" ],
"csr" : "PEM-format CSR to be signed.",
"ou" : [ "string" ],
"format" : "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".",
"locality" : [ "string" ],
"private_key_format" : "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".",
"alt_names" : "The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses.",
"serial_number" : "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.",
"exclude_cn_from_sans" : "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).",
"uri_sans" : [ "string" ],
"max_path_length" : "The maximum allowable path length",
"ttl" : "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.",
"permitted_dns_domains" : [ "string" ],
"province" : [ "string" ],
"ip_sans" : [ "string" ],
"organization" : [ "string" ],
"use_csr_values" : "If true, then: 1) Subject information, including names and alternate names, will be preserved from the CSR rather than using values provided in the other parameters to this path; 2) Any key usages requested in the CSR will be added to the basic set of key usages used for CA certs signed by this path; for instance, the non-repudiation flag.",
"common_name" : "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans.",
"postal_code" : [ "string" ]
}

postPkiRootSignSelfIssued

Parameters

$body

Type: object

{
"certificate" : "PEM-format self-issued certificate to be signed."
}

postPkiSignRole

Parameters

role (required)

The desired role with configuration for this request

Type: string

$body

Type: object

{
"other_sans" : [ "string" ],
"csr" : "PEM-format CSR to be signed.",
"ip_sans" : [ "string" ],
"format" : "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".",
"private_key_format" : "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".",
"alt_names" : "The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.",
"serial_number" : "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.",
"exclude_cn_from_sans" : "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).",
"uri_sans" : [ "string" ],
"common_name" : "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address.",
"ttl" : "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL."
}

postPkiSignVerbatim

Parameters

$body

Type: object

{
"other_sans" : [ "string" ],
"csr" : "PEM-format CSR to be signed. Values will be taken verbatim from the CSR, except for basic constraints.",
"role" : "The desired role with configuration for this request",
"key_usage" : [ "string" ],
"format" : "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".",
"private_key_format" : "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".",
"alt_names" : "The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.",
"serial_number" : "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.",
"exclude_cn_from_sans" : "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).",
"uri_sans" : [ "string" ],
"ttl" : "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL.",
"ip_sans" : [ "string" ],
"common_name" : "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address.",
"ext_key_usage" : [ "string" ],
"ext_key_usage_oids" : [ "string" ]
}

postPkiSignVerbatimRole

Parameters

role (required)

The desired role with configuration for this request

Type: string

$body

Type: object

{
"other_sans" : [ "string" ],
"csr" : "PEM-format CSR to be signed. Values will be taken verbatim from the CSR, except for basic constraints.",
"key_usage" : [ "string" ],
"format" : "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".",
"private_key_format" : "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".",
"alt_names" : "The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.",
"serial_number" : "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.",
"exclude_cn_from_sans" : "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).",
"uri_sans" : [ "string" ],
"ttl" : "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL.",
"ip_sans" : [ "string" ],
"common_name" : "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address.",
"ext_key_usage" : [ "string" ],
"ext_key_usage_oids" : [ "string" ]
}

postPkiTidy

Parameters

$body

Type: object

{
"tidy_revocation_list" : "Deprecated; synonym for 'tidy_revoked_certs'",
"tidy_cert_store" : "Set to true to enable tidying up the certificate store",
"tidy_revoked_certs" : "Set to true to expire all revoked and expired certificates, removing them both from the CRL and from storage. The CRL will be rotated if this causes any values to be removed.",
"safety_buffer" : "The amount of extra time that must have passed beyond certificate expiration before it is removed from the backend storage and/or revocation list. Defaults to 72 hours."
}

postRabbitmqConfigConnection

Parameters

$body

Type: object

{
"verify_connection" : "If set, connection_uri is verified by actually connecting to the RabbitMQ management API",
"connection_uri" : "RabbitMQ Management URI",
"password" : "Password of the provided RabbitMQ management user",
"username" : "Username of a RabbitMQ management administrator"
}

postRabbitmqConfigLease

Parameters

$body

Type: object

{
"max_ttl" : "Duration after which the issued credentials should not be allowed to be renewed",
"ttl" : "Duration before which the issued credentials need renewal"
}

postRabbitmqRolesName

Parameters

name (required)

Name of the role.

Type: string

$body

Type: object

{
"vhosts" : "A map of virtual hosts to permissions.",
"vhost_topics" : "A nested map of virtual hosts and exchanges to topic permissions.",
"tags" : "Comma-separated list of tags for this role."
}

postSecretConfig

Parameters

$body

Type: object

{
"cas_required" : "If true, the backend will require the cas parameter to be set for each write",
"delete_version_after" : "If set, the length of time before a version is deleted. A negative duration disables the use of delete_version_after on all keys. A zero duration clears the current setting. Accepts a Go duration format string.",
"max_versions" : "The number of versions to keep for each key. Defaults to 10"
}

postSecretDataPath

Parameters

path (required)

Location of the secret.

Type: string

$body

Type: object

{
"data" : { },
"options" : { },
"version" : "If provided during a read, the value at the version number will be returned"
}

postSecretDeletePath

Parameters

path (required)

Location of the secret.

Type: string

$body

Type: object

{
"versions" : [ "integer" ]
}

postSecretDestroyPath

Parameters

path (required)

Location of the secret.

Type: string

$body

Type: object

{
"versions" : [ "integer" ]
}

postSecretMetadataPath

Parameters

path (required)

Location of the secret.

Type: string

$body

Type: object

{
"cas_required" : "If true the key will require the cas parameter to be set on all write requests. If false, the backend's configuration will be used.",
"delete_version_after" : "The length of time before a version is deleted. If not set, the backend's configured delete_version_after is used. Cannot be greater than the backend's delete_version_after. A zero duration clears the current setting. A negative duration will cause an error.",
"max_versions" : "The number of versions to keep. If not set, the backend's configured max version is used."
}

postSecretUndeletePath

Parameters

path (required)

Location of the secret.

Type: string

$body

Type: object

{
"versions" : [ "integer" ]
}

postSshConfigCa

Parameters

$body

Type: object

{
"public_key" : "Public half of the SSH key that will be used to sign certificates.",
"private_key" : "Private half of the SSH key that will be used to sign certificates.",
"generate_signing_key" : "Generate SSH key pair internally rather than use the private_key and public_key fields."
}

postSshConfigZeroaddress

Parameters

$body

Type: object

{
"roles" : [ "string" ]
}

postSshCredsRole

Parameters

role (required)

[Required] Name of the role

Type: string

$body

Type: object

{
"ip" : "[Required] IP of the remote host",
"username" : "[Optional] Username in remote host"
}

postSshKeysKey_name

Parameters

key_name (required)

[Required] Name of the key

Type: string

$body

Type: object

{
"key" : "[Required] SSH private key with super user privileges in host"
}

postSshLookup

Parameters

$body

Type: object

{
"ip" : "[Required] IP address of remote host"
}

postSshRolesRole

Parameters

role (required)

[Required for all types] Name of the role being created.

Type: string

$body

Type: object

{
"allow_subdomains" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] If set, host certificates that are requested are allowed to use subdomains of those listed in \"allowed_domains\".",
"allow_host_certificates" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] If set, certificates are allowed to be signed for use as a 'host'.",
"allowed_domains" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] If this option is not specified, a client can request a signed certificate for any valid host. If only certain domains are allowed, then this list enforces it.",
"key_type" : "[Required for all types] Type of key used to log in to hosts. It can be either 'otp', 'dynamic' or 'ca'. The 'otp' type requires an agent to be installed on the remote hosts.",
"max_ttl" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] The maximum allowed lease duration",
"default_critical_options" : { },
"allow_bare_domains" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] If set, host certificates that are requested are allowed to use the base domains listed in \"allowed_domains\", e.g. \"example.com\". This is a separate option as in some cases this can be considered a security threat.",
"install_script" : "[Optional for Dynamic type] [Not applicable for OTP type] [Not applicable for CA type] Script used to install and uninstall public keys on the target machine. The built-in default install script is for Linux hosts. For a sample script, refer to the project documentation website.",
"allowed_extensions" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] A comma-separated list of extensions that certificates can have when signed. To allow any extensions, set this to an empty string.",
"allowed_user_key_lengths" : { },
"key" : "[Required for Dynamic type] [Not applicable for OTP type] [Not applicable for CA type] Name of the registered key in Vault. Before creating the role, use the 'keys/' endpoint to create a named key.",
"allow_user_certificates" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] If set, certificates are allowed to be signed for use as a 'user'.",
"exclude_cidr_list" : "[Optional for Dynamic type] [Optional for OTP type] [Not applicable for CA type] Comma-separated list of CIDR blocks. IP addresses belonging to these blocks are not accepted by the role. This is particularly useful when large CIDR blocks are used by the role and certain parts of them need to be kept out.",
"ttl" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] The lease duration if no specific lease duration is requested. The lease duration controls the expiration of certificates issued by this backend. Defaults to the value of max_ttl.",
"allowed_critical_options" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] A comma-separated list of critical options that certificates can have when signed. To allow any critical options, set this to an empty string.",
"key_bits" : "[Optional for Dynamic type] [Not applicable for OTP type] [Not applicable for CA type] Length of the RSA dynamic key in bits. Either 1024 (the default) or 2048.",
"key_id_format" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] When supplied, this value specifies a custom format for the key id of a signed certificate. The following variables are available for use: '' - The display name of the token used to make the request. '' - The name of the role signing the request. '' - A SHA256 checksum of the public key that is being signed.",
"key_option_specs" : "[Optional for Dynamic type] [Not applicable for OTP type] [Not applicable for CA type] Comma-separated option specifications that will be prefixed to the RSA key in the authorized_keys file. Options should be valid, comply with the authorized_keys file format, and not contain spaces.",
"allowed_users" : "[Optional for all types] [Works differently for CA type] If this option is not specified, or is '*', a client can request a credential for any valid user at the remote host, including the admin user. If only certain usernames are to be allowed, then this list enforces it. If this field is set, then credentials can only be created for default_user and usernames present in this list. Setting this option will enable all the users with access to this role to fetch credentials for all other usernames in this list. Use with caution. N.B.: with the CA type, an empty list means that no users are allowed; explicitly specify '*' to allow any user.",
"allow_user_key_ids" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] If true, users can override the key ID for a signed certificate with the \"key_id\" field. When false, the key ID will always be the token display name. The key ID is logged by the SSH server and can be useful for auditing.",
"port" : "[Optional for Dynamic type] [Optional for OTP type] [Not applicable for CA type] Port number for SSH connection. Default is '22'. The port number plays no role in the creation of the OTP. For the 'otp' type, this is just a way to inform the client which port number to use; the Vault server returns the port number to the client along with the OTP.",
"default_user" : "[Required for Dynamic type] [Required for OTP type] [Optional for CA type] Default username for which a credential will be generated. When the endpoint 'creds/' is used without a username, this value will be used as default username.",
"default_extensions" : { },
"cidr_list" : "[Optional for Dynamic type] [Optional for OTP type] [Not applicable for CA type] Comma-separated list of CIDR blocks to which the role applies. CIDR blocks can belong to more than one role.",
"admin_user" : "[Required for Dynamic type] [Not applicable for OTP type] [Not applicable for CA type] Admin user at remote host. The shared key being registered should be for this user and should have root privileges. Every time a dynamic credential is generated for other users, Vault uses this admin username to log in to the remote host and install the generated credential for the other user."
}

postSshSignRole

Parameters

role (required)

The desired role with configuration for this request.

Type: string

$body

Type: object

{
"public_key" : "SSH public key that should be signed.",
"cert_type" : "Type of certificate to be created; either \"user\" or \"host\".",
"extensions" : { },
"critical_options" : { },
"key_id" : "Key id that the created certificate should have. If not specified, the display name of the token will be used.",
"valid_principals" : "Valid principals, either usernames or hostnames, that the certificate should be signed for.",
"ttl" : "The requested Time To Live for the SSH certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be later than the role max TTL."
}

postSshVerify

Parameters

$body

Type: object

{
"otp" : "[Required] One-Time-Key that needs to be validated"
}

postSysAuditHashPath

Parameters

path (required)

The name of the backend. Cannot be delimited. Example: "mysql"

Type: string

$body

Type: object

{
"input" : "string"
}

postSysAuditPath

Parameters

path (required)

The name of the backend. Cannot be delimited. Example: "mysql"

Type: string

$body

Type: object

{
"options" : { },
"description" : "User-friendly description for this audit backend.",
"type" : "The type of the backend. Example: \"mysql\"",
"local" : "Mark the mount as a local mount, which is not replicated and is unaffected by replication."
}

postSysAuthPath

After enabling, the auth method can be accessed and configured via the auth path specified as part of the URL. This auth path will be nested under the auth prefix.

For example, enabling the "foo" auth method will make it accessible at /auth/foo.

Parameters

path (required)

The path to mount to. Cannot be delimited. Example: "user"

Type: string

$body

Type: object

{
"seal_wrap" : "Whether to turn on seal wrapping for the mount.",
"options" : { },
"description" : "User-friendly description for this credential backend.",
"external_entropy_access" : "Whether to give the mount access to Vault's external entropy.",
"plugin_name" : "Name of the auth plugin to use based from the name in the plugin catalog.",
"type" : "The type of the backend. Example: \"userpass\"",
"config" : { },
"local" : "Mark the mount as a local mount, which is not replicated and is unaffected by replication."
}

postSysAuthPathTune

This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via sys/mounts/auth/[auth-path]/tune.

Parameters

path (required)

Tune the configuration parameters for an auth path.

Type: string

$body

Type: object

{
"listing_visibility" : "Determines the visibility of the mount in the UI-specific listing endpoint. Accepted values are 'unauth' and ''.",
"audit_non_hmac_request_keys" : [ "string" ],
"max_lease_ttl" : "The max lease TTL for this mount.",
"passthrough_request_headers" : [ "string" ],
"default_lease_ttl" : "The default lease TTL for this mount.",
"options" : { },
"description" : "User-friendly description for this credential backend.",
"allowed_response_headers" : [ "string" ],
"token_type" : "The type of token to issue (service or batch).",
"audit_non_hmac_response_keys" : [ "string" ]
}

postSysCapabilities

Parameters

$body

Type: object

{
"path" : [ "string" ],
"paths" : [ "string" ],
"token" : "Token for which capabilities are being queried."
}

postSysCapabilitiesAccessor

Parameters

$body

Type: object

{
"path" : [ "string" ],
"paths" : [ "string" ],
"accessor" : "Accessor of the token for which capabilities are being queried."
}

postSysCapabilitiesSelf

Parameters

$body

Type: object

{
"path" : [ "string" ],
"paths" : [ "string" ],
"token" : "Token for which capabilities are being queried."
}

postSysConfigAuditingRequestHeadersHeader

Parameters

header (required)

Type: string

$body

Type: object

{
"hmac" : "boolean"
}

postSysConfigCors

Parameters

$body

Type: object

{
"allowed_headers" : [ "string" ],
"enable" : "Enables or disables CORS headers on requests.",
"allowed_origins" : [ "string" ]
}

postSysConfigUiHeadersHeader

Parameters

header (required)

The name of the header.

Type: string

$body

Type: object

{
"values" : [ "string" ]
}

postSysGenerateRoot

Only a single root generation attempt can take place at a time. One (and only one) of otp or pgp_key is required.

Parameters

$body

Type: object

{
"pgp_key" : "Specifies a base64-encoded PGP public key."
}

postSysGenerateRootAttempt

Only a single root generation attempt can take place at a time. One (and only one) of otp or pgp_key is required.

Parameters

$body

Type: object

{
"pgp_key" : "Specifies a base64-encoded PGP public key."
}

postSysGenerateRootUpdate

If the threshold number of master key shares is reached, Vault will complete the root generation and issue the new token. Otherwise, this API must be called multiple times until that threshold is met. The attempt nonce must be provided with each call.

Parameters

$body

Type: object

{
"nonce" : "Specifies the nonce of the attempt.",
"key" : "Specifies a single master key share."
}

postSysInit

The Vault must not have been previously initialized. The recovery options, as well as the stored shares option, are only available when using Vault HSM.

Parameters

$body

Type: object

{
"recovery_pgp_keys" : [ "string" ],
"stored_shares" : "Specifies the number of shares that should be encrypted by the HSM and stored for auto-unsealing. Currently must be the same as `secret_shares`.",
"secret_threshold" : "Specifies the number of shares required to reconstruct the master key. This must be less than or equal to `secret_shares`. If using Vault HSM with auto-unsealing, this value must be the same as `secret_shares`.",
"recovery_shares" : "Specifies the number of shares to split the recovery key into.",
"secret_shares" : "Specifies the number of shares to split the master key into.",
"pgp_keys" : [ "string" ],
"recovery_threshold" : "Specifies the number of shares required to reconstruct the recovery key. This must be less than or equal to `recovery_shares`.",
"root_token_pgp_key" : "Specifies a PGP public key used to encrypt the initial root token. The key must be base64-encoded from its original binary representation."
}

postSysLeasesLookup

Parameters

$body

Type: object

{
"lease_id" : "The lease identifier to renew. This is included with a lease."
}

postSysLeasesRenew

Parameters

$body

Type: object

{
"url_lease_id" : "The lease identifier to renew. This is included with a lease.",
"increment" : "The desired increment in seconds to the lease",
"lease_id" : "The lease identifier to renew. This is included with a lease."
}

postSysLeasesRenewUrl_lease_id

Parameters

url_lease_id (required)

The lease identifier to renew. This is included with a lease.

Type: string

$body

Type: object

{
"increment" : "The desired increment in seconds to the lease",
"lease_id" : "The lease identifier to renew. This is included with a lease."
}

postSysLeasesRevoke

Parameters

$body

Type: object

{
"url_lease_id" : "The lease identifier to renew. This is included with a lease.",
"sync" : "Whether or not to perform the revocation synchronously",
"lease_id" : "The lease identifier to renew. This is included with a lease."
}

postSysLeasesRevokeForcePrefix

Unlike /sys/leases/revoke-prefix, this path ignores backend errors encountered during revocation. This is potentially very dangerous and should only be used in specific emergency situations where errors in the backend or the connected backend service prevent normal revocation.

By ignoring these errors, Vault abdicates responsibility for ensuring that the issued credentials or secrets are properly revoked and/or cleaned up. Access to this endpoint should be tightly controlled.

Parameters

prefix (required)

The path to revoke keys under. Example: "prod/aws/ops"

Type: string

postSysLeasesRevokePrefixPrefix

Parameters

prefix (required)

The path to revoke keys under. Example: "prod/aws/ops"

Type: string

$body

Type: object

{
"sync" : "Whether or not to perform the revocation synchronously"
}

postSysLeasesRevokeUrl_lease_id

Parameters

url_lease_id (required)

The lease identifier to renew. This is included with a lease.

Type: string

$body

Type: object

{
"sync" : "Whether or not to perform the revocation synchronously",
"lease_id" : "The lease identifier to renew. This is included with a lease."
}

postSysLeasesTidy

This operation has no parameters

postSysMountsPath

Parameters

path (required)

The path to mount to. Example: "aws/east"

Type: string

$body

Type: object

{
"seal_wrap" : "Whether to turn on seal wrapping for the mount.",
"options" : { },
"description" : "User-friendly description for this mount.",
"external_entropy_access" : "Whether to give the mount access to Vault's external entropy.",
"plugin_name" : "Name of the plugin to mount based from the name registered in the plugin catalog.",
"type" : "The type of the backend. Example: \"passthrough\"",
"config" : { },
"local" : "Mark the mount as a local mount, which is not replicated and is unaffected by replication."
}

postSysMountsPathTune

Parameters

path (required)

The path to mount to. Example: "aws/east"

Type: string

$body

Type: object

{
"listing_visibility" : "Determines the visibility of the mount in the UI-specific listing endpoint. Accepted values are 'unauth' and ''.",
"audit_non_hmac_request_keys" : [ "string" ],
"max_lease_ttl" : "The max lease TTL for this mount.",
"passthrough_request_headers" : [ "string" ],
"default_lease_ttl" : "The default lease TTL for this mount.",
"options" : { },
"description" : "User-friendly description for this credential backend.",
"allowed_response_headers" : [ "string" ],
"token_type" : "The type of token to issue (service or batch).",
"audit_non_hmac_response_keys" : [ "string" ]
}

postSysPluginsCatalogName

Parameters

name (required)

The name of the plugin

Type: string

$body

Type: object

{
"args" : [ "string" ],
"sha256" : "The SHA256 sum of the executable used in the command field. This should be HEX encoded.",
"sha_256" : "The SHA256 sum of the executable used in the command field. This should be HEX encoded.",
"env" : [ "string" ],
"type" : "The type of the plugin, may be auth, secret, or database",
"command" : "The command used to start the plugin. The executable defined in this command must exist in vault's plugin directory."
}

postSysPluginsCatalogTypeName

Parameters

name (required)

The name of the plugin

Type: string

type (required)

The type of the plugin, may be auth, secret, or database

Type: string

$body

Type: object

{
"args" : [ "string" ],
"sha256" : "The SHA256 sum of the executable used in the command field. This should be HEX encoded.",
"sha_256" : "The SHA256 sum of the executable used in the command field. This should be HEX encoded.",
"env" : [ "string" ],
"command" : "The command used to start the plugin. The executable defined in this command must exist in vault's plugin directory."
}

postSysPluginsReloadBackend

Either the plugin name (plugin) or the desired plugin backend mounts (mounts) must be provided, but not both. In the case that the plugin name is provided, all mounted paths that use that plugin backend will be reloaded.

Parameters

$body

Type: object

{
"plugin" : "The name of the plugin to reload, as registered in the plugin catalog.",
"mounts" : [ "string" ]
}

postSysPoliciesAclName

Parameters

name (required)

The name of the policy. Example: "ops"

Type: string

$body

Type: object

{
"policy" : "The rules of the policy."
}

postSysPolicyName

Parameters

name (required)

The name of the policy. Example: "ops"

Type: string

$body

Type: object

{
"rules" : "The rules of the policy.",
"policy" : "The rules of the policy."
}

postSysRaw

Parameters

$body

Type: object

{
"path" : "string",
"value" : "string"
}

postSysRawPath

Parameters

path (required)

Type: string

$body

Type: object

{
"value" : "string"
}

postSysRekeyInit

Only a single rekey attempt can take place at a time, and changing the parameters of a rekey requires canceling and starting a new rekey, which will also provide a new nonce.

Parameters

$body

Type: object

{
"backup" : "Specifies, if using PGP-encrypted keys, whether Vault should also store a plaintext backup of the PGP-encrypted keys.",
"secret_threshold" : "Specifies the number of shares required to reconstruct the master key. This must be less than or equal to secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as secret_shares.",
"require_verification" : "Turns on verification functionality",
"secret_shares" : "Specifies the number of shares to split the master key into.",
"pgp_keys" : [ "string" ]
}

postSysRekeyUpdate

Parameters

$body

Type: object

{
"nonce" : "Specifies the nonce of the rekey attempt.",
"key" : "Specifies a single master key share."
}

postSysRekeyVerify

Parameters

$body

Type: object

{
"nonce" : "Specifies the nonce of the rekey verification operation.",
"key" : "Specifies a single master key share from the new set of shares."
}

postSysRemount

Parameters

$body

Type: object

{
"from" : "The previous mount point.",
"to" : "The new mount point."
}

postSysRenew

Parameters

$body

Type: object

{
"url_lease_id" : "The lease identifier to renew. This is included with a lease.",
"increment" : "The desired increment in seconds to the lease",
"lease_id" : "The lease identifier to renew. This is included with a lease."
}

postSysRenewUrl_lease_id

Parameters

url_lease_id (required)

The lease identifier to renew. This is included with a lease.

Type: string

$body

Type: object

{
"increment" : "The desired increment in seconds to the lease",
"lease_id" : "The lease identifier to renew. This is included with a lease."
}

postSysRevoke

Parameters

$body

Type: object

{
"url_lease_id" : "The lease identifier to renew. This is included with a lease.",
"sync" : "Whether or not to perform the revocation synchronously",
"lease_id" : "The lease identifier to renew. This is included with a lease."
}

postSysRevokeForcePrefix

Unlike /sys/leases/revoke-prefix, this path ignores backend errors encountered during revocation. This is potentially very dangerous and should only be used in specific emergency situations where errors in the backend or the connected backend service prevent normal revocation.

By ignoring these errors, Vault abdicates responsibility for ensuring that the issued credentials or secrets are properly revoked and/or cleaned up. Access to this endpoint should be tightly controlled.

Parameters

prefix (required)

The path to revoke keys under. Example: "prod/aws/ops"

Type: string

postSysRevokePrefixPrefix

Parameters

prefix (required)

The path to revoke keys under. Example: "prod/aws/ops"

Type: string

$body

Type: object

{
"sync" : "Whether or not to perform the revocation synchronously"
}

postSysRevokeUrl_lease_id

Parameters

url_lease_id (required)

The lease identifier to revoke. This is included with a lease.

Type: string

$body

Type: object

{
"sync" : "Whether or not to perform the revocation synchronously",
"lease_id" : "The lease identifier to revoke. This is included with a lease."
}

postSysRotate

This operation has no parameters

postSysSeal

This operation has no parameters

postSysStepDown

This endpoint forces the node to give up active status. If the node does not have active status, this endpoint does nothing. Note that the node will sleep for ten seconds before attempting to grab the active lock again, but if no standby nodes grab the active lock in the interim, the same node may become the active node again.

This operation has no parameters

postSysToolsHash

Parameters

$body

Type: object

{
"input" : "The base64-encoded input data",
"urlalgorithm" : "Algorithm to use (POST URL parameter)",
"format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"hex\".",
"algorithm" : "Algorithm to use (POST body parameter). Valid values are: * sha2-224 * sha2-256 * sha2-384 * sha2-512 Defaults to \"sha2-256\"."
}

postSysToolsHashUrlalgorithm

Parameters

urlalgorithm (required)

Algorithm to use (POST URL parameter)

Type: string

$body

Type: object

{
"input" : "The base64-encoded input data",
"format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"hex\".",
"algorithm" : "Algorithm to use (POST body parameter). Valid values are: * sha2-224 * sha2-256 * sha2-384 * sha2-512 Defaults to \"sha2-256\"."
}

postSysToolsRandom

Parameters

$body

Type: object

{
"urlbytes" : "The number of bytes to generate (POST URL parameter)",
"bytes" : "The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).",
"format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"base64\"."
}

postSysToolsRandomUrlbytes

Parameters

urlbytes (required)

The number of bytes to generate (POST URL parameter)

Type: string

$body

Type: object

{
"bytes" : "The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).",
"format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"base64\"."
}

postSysUnseal

Parameters

$body

Type: object

{
"reset" : "Specifies if previously-provided unseal keys are discarded and the unseal process is reset.",
"key" : "Specifies a single master key share. This is required unless reset is true."
}
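The unseal and rekey endpoints above all consume master key shares one request at a time: sys/unseal takes a share (or reset=true to discard progress), sys/rekey/update and sys/rekey/verify take a share plus the nonce that identifies the attempt, and secret_threshold of the secret_shares shares must be presented before anything happens. The following is an added example, not Vault's code, that models that flow end to end: a Shamir split with a configurable share count and threshold, Lagrange reconstruction, and a collector that enforces the nonce, rejects duplicate shares and honours reset. Vault's own shamir package works byte-wise over GF(2^8); this model uses a large prime field to keep the arithmetic short, and the class and function names are this example's own.

```python
"""Share-based unseal/rekey model: an added example, not Vault's own code.

Vault protects its master key with Shamir's Secret Sharing, so `secret_shares`
shares are issued and any `secret_threshold` of them rebuild the key.  Shares
arrive one request at a time (sys/unseal, or sys/rekey/update and
sys/rekey/verify with the attempt's nonce).  Vault's shamir package works
byte-wise over GF(2^8); this model uses a large prime field for brevity.
"""
import secrets
from typing import List, Optional, Tuple

PRIME = 2**521 - 1          # Mersenne prime; comfortably larger than a 256-bit master key
Share = Tuple[int, int]     # (x, y) point on the secret polynomial


def split_secret(secret: bytes, secret_shares: int, secret_threshold: int) -> List[Share]:
    """Split `secret` into `secret_shares` points of a random degree-(threshold-1) polynomial."""
    if not 1 <= secret_threshold <= secret_shares:
        raise ValueError("secret_threshold must be between 1 and secret_shares")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(secret_threshold - 1)]
    shares = []
    for x in range(1, secret_shares + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def combine_shares(shares: List[Share], secret_len: int) -> bytes:
    """Lagrange-interpolate at x=0.  Correct only with at least threshold distinct
    shares; fewer shares give a value statistically unrelated to the secret."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    if total.bit_length() > 8 * secret_len:
        raise ValueError("reconstruction failed: too few or mismatched shares")
    return total.to_bytes(secret_len, "big")


class ShareCollector:
    """Accepts one share per call, like sys/unseal or sys/rekey/update."""

    def __init__(self, secret_threshold: int, secret_len: int, nonce: Optional[str] = None):
        self.threshold = secret_threshold
        self.secret_len = secret_len
        self.nonce = nonce              # rekey attempts bind every share to a nonce
        self.shares: List[Share] = []

    def update(self, share: Optional[Share] = None, nonce: Optional[str] = None,
               reset: bool = False) -> Optional[bytes]:
        """Return the reconstructed key once the threshold is met, otherwise None."""
        if reset:                       # sys/unseal 'reset': discard collected shares
            self.shares = []
            return None
        if share is None:
            raise ValueError("key is required unless reset is true")
        if self.nonce is not None and nonce != self.nonce:
            raise ValueError("nonce does not match the current attempt")
        if share[0] in [x for x, _ in self.shares]:
            raise ValueError("this share was already provided")
        self.shares.append(share)
        if len(self.shares) < self.threshold:
            return None
        key = combine_shares(self.shares, self.secret_len)
        self.shares = []                # a completed attempt keeps nothing in memory
        return key

    @property
    def progress(self) -> int:
        return len(self.shares)
```

The nonce check is what stops a share submitted for an abandoned rekey attempt from being silently counted toward a new one; the collector also clears its state as soon as the key is rebuilt, which is the behaviour an operator should expect from the real endpoints.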

postSysWrappingLookup

Parameters

$body

Type: object

{
"token" : "string"
}

postSysWrappingRewrap

Parameters

$body

Type: object

{
"token" : "string"
}

postSysWrappingUnwrap

Parameters

$body

Type: object

{
"token" : "string"
}

postSysWrappingWrap

This operation has no parameters

postTotpCodeName

Parameters

name (required)

Name of the key.

Type: string

$body

Type: object

{
"code" : "TOTP code to be validated."
}

postTotpKeysName

Parameters

name (required)

Name of the key.

Type: string

$body

Type: object

{
"exported" : "Determines if a QR code and url are returned upon generating a key. Only used if generate is true.",
"period" : "The length of time used to generate a counter for the TOTP token calculation.",
"qr_size" : "The pixel size of the generated square QR code. Only used if generate is true and exported is true. If this value is 0, a QR code will not be returned.",
"account_name" : "The name of the account associated with the key. Required if generate is true.",
"digits" : "The number of digits in the generated TOTP token. This value can either be 6 or 8.",
"generate" : "Determines if a key should be generated by Vault or if a key is being passed from another service.",
"issuer" : "The name of the key's issuing organization. Required if generate is true.",
"key" : "The shared master key used to generate a TOTP token. Only used if generate is false.",
"url" : "A TOTP url string containing all of the parameters for key setup. Only used if generate is false.",
"algorithm" : "The hashing algorithm used to generate the TOTP token. Options include SHA1, SHA256 and SHA512.",
"key_size" : "Determines the size in bytes of the generated key. Only used if generate is true.",
"skew" : "The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. Only used if generate is true."
}
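The totp/keys/:name parameters above (period, digits, algorithm, skew) are exactly the inputs to RFC 6238. The block below is an added example, not Vault's implementation, that generates codes and validates them the way totp/code/:name does: a code is accepted if it matches the current time step or, with skew set to 1, one adjacent step, and a code that has already been accepted is refused a second time inside that window. The validator class and the base32 helper are this example's own; the shared keys in otpauth:// URLs are base32-encoded, which is what the helper decodes.

```python
"""RFC 6238 TOTP with the parameters the totp/keys/:name endpoint exposes
(period, digits, algorithm, skew).  Added example, not Vault's implementation."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def key_from_base32(secret: str) -> bytes:
    """otpauth:// URLs carry the shared key base32-encoded, often without '=' padding."""
    s = secret.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp_code(key: bytes, at: int, period: int = 30, digits: int = 6,
              algorithm: str = "SHA1") -> str:
    """Code for the time step containing Unix time `at`."""
    if digits not in (6, 8):
        raise ValueError("digits must be 6 or 8")
    if period <= 0:
        raise ValueError("period must be positive")
    counter = struct.pack(">Q", at // period)
    mac = hmac.new(key, counter, HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class TotpValidator:
    """Validates codes within `skew` adjacent periods and refuses to accept a code twice."""

    def __init__(self, key: bytes, period: int = 30, digits: int = 6,
                 algorithm: str = "SHA1", skew: int = 1):
        if skew not in (0, 1):
            raise ValueError("skew must be 0 or 1")
        self.key, self.period, self.digits = key, period, digits
        self.algorithm, self.skew = algorithm, skew
        # (time step, code) pairs already accepted; persist this store in production
        self.used = set()

    def validate(self, code: str, at: Optional[int] = None) -> bool:
        at = int(time.time()) if at is None else at
        base_step = at // self.period
        for delta in range(-self.skew, self.skew + 1):
            step = base_step + delta
            expected = totp_code(self.key, step * self.period, self.period,
                                 self.digits, self.algorithm)
            if hmac.compare_digest(expected, code):
                if (step, code) in self.used:
                    return False   # replay inside the acceptance window
                self.used.add((step, code))
                return True
        return False
```

The RFC 6238 reference vectors (secret "12345678901234567890", SHA1, 8 digits) are a convenient check: the code for Unix time 59 is 94287082, and with skew=1 it is still accepted thirty seconds later, but not with skew=0.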

postTransitCacheConfig

Parameters

$body

Type: object

{
"size" : "Size of cache, use 0 for an unlimited cache size, defaults to 0"
}

postTransitDatakeyPlaintextName

Parameters

name (required)

The backend key used for encrypting the data key

Type: string

plaintext (required)

Selects the form of the returned data key: "plaintext" returns the key in both plaintext and ciphertext; "wrapped" returns the ciphertext only.

Type: string

$body

Type: object

{
"key_version" : "The version of the Vault key to use for encryption of the data key. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.",
"bits" : "Number of bits for the key; currently 128, 256, and 512 bits are supported. Defaults to 256.",
"context" : "Context for key derivation. Required for derived keys.",
"nonce" : "Nonce for when convergent encryption v1 is used (only in Vault 0.6.1)"
}

postTransitDecryptName

Parameters

name (required)

Name of the policy

Type: string

$body

Type: object

{
"ciphertext" : "The ciphertext to decrypt, provided as returned by encrypt.",
"context" : "Base64 encoded context for key derivation. Required if key derivation is enabled.",
"nonce" : "Base64 encoded nonce value used during encryption. Must be provided if convergent encryption is enabled for this key and the key was generated with Vault 0.6.1. Not required for keys created in 0.6.2+."
}

postTransitEncryptName

Parameters

name (required)

Name of the policy

Type: string

$body

Type: object

{
"convergent_encryption" : "This parameter will only be used when a key is expected to be created. Whether to support convergent encryption. This is only supported when using a key with key derivation enabled and will require all requests to carry both a context and 96-bit (12-byte) nonce. The given nonce will be used in place of a randomly generated nonce. As a result, when the same context and nonce are supplied, the same ciphertext is generated. It is *very important* when using this mode that you ensure that all nonces are unique for a given context. Failing to do so will severely impact the ciphertext's security.",
"key_version" : "The version of the key to use for encryption. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.",
"context" : "Base64 encoded context for key derivation. Required if key derivation is enabled",
"plaintext" : "Base64 encoded plaintext value to be encrypted",
"type" : "This parameter is required when encryption key is expected to be created. When performing an upsert operation, the type of key to create. Currently, \"aes128-gcm96\" (symmetric) and \"aes256-gcm96\" (symmetric) are the only types supported. Defaults to \"aes256-gcm96\".",
"nonce" : "Base64 encoded nonce value. Must be provided if convergent encryption is enabled for this key and the key was generated with Vault 0.6.1. Not required for keys created in 0.6.2+. The value must be exactly 96 bits (12 bytes) long and the user must ensure that for any given context (and thus, any given encryption key) this nonce value is **never reused**."
}

postTransitHash

Parameters

$body

Type: object

{
"input" : "The base64-encoded input data",
"urlalgorithm" : "Algorithm to use (POST URL parameter)",
"format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"hex\".",
"algorithm" : "Algorithm to use (POST body parameter). Valid values are: * sha2-224 * sha2-256 * sha2-384 * sha2-512 Defaults to \"sha2-256\"."
}

postTransitHashUrlalgorithm

Parameters

urlalgorithm (required)

Algorithm to use (POST URL parameter)

Type: string

$body

Type: object

{
"input" : "The base64-encoded input data",
"format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"hex\".",
"algorithm" : "Algorithm to use (POST body parameter). Valid values are: * sha2-224 * sha2-256 * sha2-384 * sha2-512 Defaults to \"sha2-256\"."
}

postTransitHmacName

Parameters

name (required)

The key to use for the HMAC function

Type: string

$body

Type: object

{
"input" : "The base64-encoded input data",
"urlalgorithm" : "Algorithm to use (POST URL parameter)",
"key_version" : "The version of the key to use for generating the HMAC. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.",
"algorithm" : "Algorithm to use (POST body parameter). Valid values are: * sha2-224 * sha2-256 * sha2-384 * sha2-512 Defaults to \"sha2-256\"."
}

postTransitHmacNameUrlalgorithm

Parameters

name (required)

The key to use for the HMAC function

Type: string

urlalgorithm (required)

Algorithm to use (POST URL parameter)

Type: string

$body

Type: object

{
"input" : "The base64-encoded input data",
"key_version" : "The version of the key to use for generating the HMAC. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.",
"algorithm" : "Algorithm to use (POST body parameter). Valid values are: * sha2-224 * sha2-256 * sha2-384 * sha2-512 Defaults to \"sha2-256\"."
}

postTransitKeysName

Parameters

name (required)

Name of the key

Type: string

$body

Type: object

{
"exportable" : "Enables keys to be exportable. This allows for all the valid keys in the key ring to be exported.",
"convergent_encryption" : "Whether to support convergent encryption. This is only supported when using a key with key derivation enabled and will require all requests to carry both a context and 96-bit (12-byte) nonce. The given nonce will be used in place of a randomly generated nonce. As a result, when the same context and nonce are supplied, the same ciphertext is generated. It is *very important* when using this mode that you ensure that all nonces are unique for a given context. Failing to do so will severely impact the ciphertext's security.",
"context" : "Base64 encoded context for key derivation. When reading a key with key derivation enabled, if the key type supports public keys, this will return the public key for the given context.",
"allow_plaintext_backup" : "Enables taking a backup of the named key in plaintext format. Once set, this cannot be disabled.",
"type" : "The type of key to create. Currently, \"aes128-gcm96\" (symmetric), \"aes256-gcm96\" (symmetric), \"ecdsa-p256\" (asymmetric), \"ecdsa-p384\" (asymmetric), \"ecdsa-p521\" (asymmetric), \"ed25519\" (asymmetric), \"rsa-2048\" (asymmetric), \"rsa-4096\" (asymmetric) are supported. Defaults to \"aes256-gcm96\".",
"derived" : "Enables key derivation mode. This allows for per-transaction unique keys for encryption operations."
}
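Both transit/encrypt/:name and transit/keys/:name above warn that a convergent key needs a context and, for keys created on Vault 0.6.1 that take a caller-supplied nonce, a 96-bit nonce that must never repeat under the same context, because reusing a GCM nonce under the same derived key destroys the ciphertext's confidentiality and integrity. The block below is an added example, not Vault's client, that builds encrypt and decrypt request bodies and enforces those rules on the client side before anything is sent: base64 encoding of plaintext, context and nonce, a mandatory context for derived keys, a 12-byte nonce when one is required, and a refusal to reuse a (context, nonce) pair. The builder class and its flags are this example's own; the used-nonce registry is in memory here and would have to be persisted in a real deployment.

```python
"""Client-side checks for transit/encrypt and transit/decrypt request bodies: an
added example, not Vault's client.  Plaintext, context and nonce travel base64-
encoded; derived keys require a context; a caller-supplied convergent nonce
(legacy 0.6.1 keys) must be exactly 12 bytes and must never repeat under the
same context.  The registry of used nonces is in memory here (assumption)."""
import base64
from typing import Dict, Optional, Set, Tuple

NONCE_LEN = 12   # 96-bit GCM nonce, as the encrypt endpoint requires


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


class TransitRequestBuilder:
    def __init__(self, derived: bool = False, convergent: bool = False,
                 legacy_nonce: bool = False):
        if convergent and not derived:
            raise ValueError("convergent_encryption is only supported on derived keys")
        if legacy_nonce and not convergent:
            raise ValueError("a caller-supplied nonce only applies to convergent keys")
        self.derived, self.convergent, self.legacy_nonce = derived, convergent, legacy_nonce
        self.used_nonces: Set[Tuple[bytes, bytes]] = set()

    def nonce_is_fresh(self, context: bytes, nonce: bytes) -> bool:
        """True if this (context, nonce) pair has not been used for encryption yet."""
        return (context, nonce) not in self.used_nonces

    def encrypt_body(self, plaintext: bytes, context: Optional[bytes] = None,
                     nonce: Optional[bytes] = None, key_version: int = 0) -> Dict[str, object]:
        body: Dict[str, object] = {"plaintext": _b64(plaintext)}
        if self.derived:
            if not context:
                raise ValueError("context is required when key derivation is enabled")
            body["context"] = _b64(context)
        elif context is not None:
            raise ValueError("context is only meaningful for derived keys")
        if self.legacy_nonce:
            if nonce is None or len(nonce) != NONCE_LEN:
                raise ValueError(f"convergent encryption on this key needs a {NONCE_LEN}-byte nonce")
            if not self.nonce_is_fresh(context, nonce):
                raise ValueError("nonce reuse under the same context breaks GCM security")
            self.used_nonces.add((context, nonce))
            body["nonce"] = _b64(nonce)
        elif nonce is not None:
            raise ValueError("do not supply a nonce; Vault generates it for this key")
        if key_version < 0:
            raise ValueError("key_version must be 0 (latest) or a positive version")
        if key_version:
            body["key_version"] = key_version
        return body

    def decrypt_body(self, ciphertext: str, context: Optional[bytes] = None,
                     nonce: Optional[bytes] = None) -> Dict[str, object]:
        parts = ciphertext.split(":", 2)
        if len(parts) != 3 or parts[0] != "vault" or not parts[1][1:].isdigit():
            raise ValueError("ciphertext must be in the 'vault:vN:...' form returned by encrypt")
        body: Dict[str, object] = {"ciphertext": ciphertext}
        if self.derived:
            if not context:
                raise ValueError("context is required when key derivation is enabled")
            body["context"] = _b64(context)
        if self.legacy_nonce:
            if nonce is None or len(nonce) != NONCE_LEN:
                raise ValueError("the nonce used at encryption time is required")
            body["nonce"] = _b64(nonce)
        return body
```

For keys created on 0.6.2 or later the builder is constructed without legacy_nonce and rejects any nonce the caller tries to pass, so the same code path cannot accidentally start supplying nonces to a key that derives its own.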

postTransitKeysNameConfig

Parameters

name (required)

Name of the key

Type: string

$body

Type: object

{
"deletion_allowed" : "Whether to allow deletion of the key",
"exportable" : "Enables export of the key. Once set, this cannot be disabled.",
"allow_plaintext_backup" : "Enables taking a backup of the named key in plaintext format. Once set, this cannot be disabled.",
"min_decryption_version" : "If set, the minimum version of the key allowed to be decrypted. For signing keys, the minimum version allowed to be used for verification.",
"min_encryption_version" : "If set, the minimum version of the key allowed to be used for encryption; or for signing keys, to be used for signing. If set to zero, only the latest version of the key is allowed."
}

postTransitKeysNameRotate

Parameters

name (required)

Name of the key

Type: string

postTransitKeysNameTrim

Parameters

name (required)

Name of the key

Type: string

$body

Type: object

{
"min_available_version" : "The minimum available version for the key ring. All versions before this version will be permanently deleted. This value can at most be equal to the lesser of 'min_decryption_version' and 'min_encryption_version'. This is not allowed to be set when either 'min_encryption_version' or 'min_decryption_version' is set to zero."
}
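The key-ring policy described across keys/:name/config, keys/:name/rotate and keys/:name/trim above, and the "vault:vN:" header carried by hmac/:name output and checked by verify/:name, fit together as one state machine. The block below is an added example, not Vault's code, that models it locally: every HMAC is tagged with the version that produced it, min_encryption_version (0 meaning latest only) bounds which versions may produce new output, min_decryption_version bounds which versions may still verify, and trim permanently deletes versions below min_available_version subject to the constraints the endpoint states. The class and method names are this example's own.

```python
"""Key-ring version policy of a transit key, modelled locally: an added example,
not Vault's code.  Outputs carry the producing version as a "vault:vN:" prefix,
min_encryption_version (0 = latest only) bounds which versions may produce new
HMACs, min_decryption_version bounds which may verify, and trim permanently
deletes versions below min_available_version."""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

HASHES = {"sha2-224": hashlib.sha224, "sha2-256": hashlib.sha256,
          "sha2-384": hashlib.sha384, "sha2-512": hashlib.sha512}


class TransitKeyRing:
    def __init__(self, name: str):
        self.name = name
        self.keys: Dict[int, bytes] = {1: secrets.token_bytes(32)}
        self.latest = 1
        self.min_encryption_version = 0     # 0: only the latest version may produce output
        self.min_decryption_version = 1
        self.min_available_version = 1

    def rotate(self) -> int:
        """keys/:name/rotate: add a new version; older versions stay usable for verify."""
        self.latest += 1
        self.keys[self.latest] = secrets.token_bytes(32)
        return self.latest

    def configure(self, min_encryption_version: Optional[int] = None,
                  min_decryption_version: Optional[int] = None) -> None:
        """keys/:name/config for the two version bounds."""
        for label, value in (("min_encryption_version", min_encryption_version),
                             ("min_decryption_version", min_decryption_version)):
            if value is not None and not 0 <= value <= self.latest:
                raise ValueError(f"{label} must be between 0 and {self.latest}")
        if min_encryption_version is not None:
            self.min_encryption_version = min_encryption_version
        if min_decryption_version is not None:
            self.min_decryption_version = min_decryption_version

    def _version_for_new_output(self, key_version: int) -> int:
        if key_version == 0:
            return self.latest
        floor = self.min_encryption_version or self.latest
        if key_version < floor:
            raise ValueError(f"key_version {key_version} is below the allowed minimum {floor}")
        if key_version not in self.keys:
            raise ValueError(f"version {key_version} does not exist (trimmed or never created)")
        return key_version

    def hmac(self, input_b64: str, key_version: int = 0, algorithm: str = "sha2-256") -> str:
        """hmac/:name: returns 'vault:vN:<base64 mac>'."""
        version = self._version_for_new_output(key_version)
        mac = hmac.new(self.keys[version], base64.b64decode(input_b64),
                       HASHES[algorithm]).digest()
        return f"vault:v{version}:" + base64.b64encode(mac).decode()

    def verify(self, input_b64: str, hmac_value: str, algorithm: str = "sha2-256") -> bool:
        """verify/:name with the 'hmac' parameter.  Fails closed: malformed input, a
        trimmed version or one below min_decryption_version all return False."""
        parts = hmac_value.split(":", 2)
        if len(parts) != 3 or parts[0] != "vault" or not parts[1].startswith("v"):
            return False
        try:
            version = int(parts[1][1:])
            given = base64.b64decode(parts[2], validate=True)
        except ValueError:
            return False
        if version < self.min_decryption_version or version not in self.keys:
            return False
        expected = hmac.new(self.keys[version], base64.b64decode(input_b64),
                            HASHES[algorithm]).digest()
        return hmac.compare_digest(expected, given)

    def trim(self, min_available_version: int) -> None:
        """keys/:name/trim: permanently delete versions below min_available_version."""
        if self.min_encryption_version == 0 or self.min_decryption_version == 0:
            raise ValueError("trim requires non-zero min_encryption_version and min_decryption_version")
        ceiling = min(self.min_encryption_version, self.min_decryption_version)
        if not self.min_available_version <= min_available_version <= ceiling:
            raise ValueError(f"min_available_version must be between "
                             f"{self.min_available_version} and {ceiling}")
        for version in [v for v in self.keys if v < min_available_version]:
            del self.keys[version]
        self.min_available_version = min_available_version
```

The usual rotation sequence is visible in the model: rotate, let consumers re-HMAC or rewrap, raise min_decryption_version so old output stops verifying, and only then trim, which is irreversible.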

postTransitRandom

Parameters

$body

Type: object

{
"urlbytes" : "The number of bytes to generate (POST URL parameter)",
"bytes" : "The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).",
"format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"base64\"."
}

postTransitRandomUrlbytes

Parameters

urlbytes (required)

The number of bytes to generate (POST URL parameter)

Type: string

$body

Type: object

{
"bytes" : "The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).",
"format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"base64\"."
}

postTransitRestore

Parameters

$body

Type: object

{
"backup" : "Backed up key data to be restored. This should be the output from the 'backup/' endpoint.",
"name" : "If set, this will be the name of the restored key.",
"force" : "If set and a key by the given name exists, force the restore operation and override the key."
}

postTransitRestoreName

Parameters

name (required)

If set, this will be the name of the restored key.

Type: string

$body

Type: object

{
"backup" : "Backed up key data to be restored. This should be the output from the 'backup/' endpoint.",
"force" : "If set and a key by the given name exists, force the restore operation and override the key."
}

postTransitRewrapName

Parameters

name (required)

Name of the key

Type: string

$body

Type: object

{
"ciphertext" : "Ciphertext value to rewrap",
"key_version" : "The version of the key to use for encryption. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.",
"context" : "Base64 encoded context for key derivation. Required for derived keys.",
"nonce" : "Nonce for when convergent encryption is used"
}

postTransitSignName

Parameters

name (required)

The key to use

Type: string

$body

Type: object

{
"prehashed" : "Set to 'true' when the input is already hashed. If the key type is 'rsa-2048' or 'rsa-4096', then the algorithm used to hash the input should be indicated by the 'hash_algorithm' parameter.",
"input" : "The base64-encoded input data",
"urlalgorithm" : "Hash algorithm to use (POST URL parameter)",
"key_version" : "The version of the key to use for signing. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.",
"context" : "Base64 encoded context for key derivation. Required if key derivation is enabled; currently only available with ed25519 keys.",
"hash_algorithm" : "Hash algorithm to use (POST body parameter). Valid values are: * sha1 * sha2-224 * sha2-256 * sha2-384 * sha2-512 Defaults to \"sha2-256\". Not valid for all key types; ed25519 in particular does not use it.",
"signature_algorithm" : "The signature algorithm to use for signing. Currently only applies to RSA key types. Options are 'pss' or 'pkcs1v15'. Defaults to 'pss'",
"algorithm" : "Deprecated: use \"hash_algorithm\" instead.",
"marshaling_algorithm" : "The method by which to marshal the signature. The default is 'asn1' which is used by openssl and X.509. It can also be set to 'jws' which is used for JWT signatures; setting it to this will also cause the encoding of the signature to be url-safe base64 instead of using standard base64 encoding. Currently only valid for ECDSA P-256 key types."
}

postTransitSignNameUrlalgorithm

Parameters

name (required)

The key to use

Type: string

urlalgorithm (required)

Hash algorithm to use (POST URL parameter)

Type: string

$body

Type: object

{
"prehashed" : "Set to 'true' when the input is already hashed. If the key type is 'rsa-2048' or 'rsa-4096', then the algorithm used to hash the input should be indicated by the 'hash_algorithm' parameter.",
"input" : "The base64-encoded input data",
"key_version" : "The version of the key to use for signing. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.",
"context" : "Base64 encoded context for key derivation. Required if key derivation is enabled; currently only available with ed25519 keys.",
"hash_algorithm" : "Hash algorithm to use (POST body parameter). Valid values are: * sha1 * sha2-224 * sha2-256 * sha2-384 * sha2-512 Defaults to \"sha2-256\". Not valid for all key types; ed25519 in particular does not use it.",
"signature_algorithm" : "The signature algorithm to use for signing. Currently only applies to RSA key types. Options are 'pss' or 'pkcs1v15'. Defaults to 'pss'",
"algorithm" : "Deprecated: use \"hash_algorithm\" instead.",
"marshaling_algorithm" : "The method by which to marshal the signature. The default is 'asn1' which is used by openssl and X.509. It can also be set to 'jws' which is used for JWT signatures; setting it to this will also cause the encoding of the signature to be url-safe base64 instead of using standard base64 encoding. Currently only valid for ECDSA P-256 key types."
}

postTransitVerifyName

Parameters

name (required)

The key to use

Type: string

$body

Type: object

{
"prehashed" : "Set to 'true' when the input is already hashed. If the key type is 'rsa-2048' or 'rsa-4096', then the algorithm used to hash the input should be indicated by the 'hash_algorithm' parameter.",
"input" : "The base64-encoded input data to verify",
"urlalgorithm" : "Hash algorithm to use (POST URL parameter)",
"signature" : "The signature, including vault header/key version",
"hmac" : "The HMAC, including vault header/key version",
"context" : "Base64 encoded context for key derivation. Required if key derivation is enabled; currently only available with ed25519 keys.",
"hash_algorithm" : "Hash algorithm to use (POST body parameter). Valid values are: * sha1 * sha2-224 * sha2-256 * sha2-384 * sha2-512 Defaults to \"sha2-256\". Not valid for all key types.",
"signature_algorithm" : "The signature algorithm to use for signature verification. Currently only applies to RSA key types. Options are 'pss' or 'pkcs1v15'. Defaults to 'pss'",
"algorithm" : "Deprecated: use \"hash_algorithm\" instead.",
"marshaling_algorithm" : "The method by which to unmarshal the signature when verifying. The default is 'asn1' which is used by openssl and X.509; can also be set to 'jws' which is used for JWT signatures in which case the signature is also expected to be url-safe base64 encoding instead of standard base64 encoding. Currently only valid for ECDSA P-256 key types."
}

postTransitVerifyNameUrlalgorithm

Parameters

name (required)

The key to use

Type: string

urlalgorithm (required)

Hash algorithm to use (POST URL parameter)

Type: string

$body

Type: object

{
"prehashed" : "Set to 'true' when the input is already hashed. If the key type is 'rsa-2048' or 'rsa-4096', then the algorithm used to hash the input should be indicated by the 'hash_algorithm' parameter.",
"input" : "The base64-encoded input data to verify",
"signature" : "The signature, including vault header/key version",
"hmac" : "The HMAC, including vault header/key version",
"context" : "Base64 encoded context for key derivation. Required if key derivation is enabled; currently only available with ed25519 keys.",
"hash_algorithm" : "Hash algorithm to use (POST body parameter). Valid values are: * sha1 * sha2-224 * sha2-256 * sha2-384 * sha2-512 Defaults to \"sha2-256\". Not valid for all key types.",
"signature_algorithm" : "The signature algorithm to use for signature verification. Currently only applies to RSA key types. Options are 'pss' or 'pkcs1v15'. Defaults to 'pss'",
"algorithm" : "Deprecated: use \"hash_algorithm\" instead.",
"marshaling_algorithm" : "The method by which to unmarshal the signature when verifying. The default is 'asn1' which is used by openssl and X.509; can also be set to 'jws' which is used for JWT signatures in which case the signature is also expected to be url-safe base64 encoding instead of standard base64 encoding. Currently only valid for ECDSA P-256 key types."
}
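The marshaling_algorithm parameter on sign/:name and verify/:name above chooses between two encodings of the same ECDSA P-256 (r, s) pair: 'asn1', the DER SEQUENCE of two INTEGERs that OpenSSL and X.509 use, carried in standard base64, and 'jws', the fixed-width r || s that JWT ES256 uses, carried in URL-safe base64 without padding. A signature produced with one marshaling will not verify under the other, so a consumer that receives the wrong form has to convert rather than guess. The block below is an added example, not Vault's code, that converts in both directions with a strict DER decoder (non-minimal or negative INTEGERs and trailing bytes are rejected, which is also how to avoid accepting malleable encodings). It assumes the "vault:vN:" header is retained for both marshalings, as the 'signature' parameter description above indicates; the function names are this example's own.

```python
"""Convert an ECDSA P-256 signature between transit's 'asn1' and 'jws' marshalings:
an added example, not Vault's code.  Assumes the 'vault:vN:' prefix is kept in
both forms.  The DER decoder is strict, so malleable encodings are rejected."""
import base64
from typing import Tuple

P256_SCALAR_BYTES = 32


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    if n < 0x100:
        return b"\x81" + bytes([n])
    raise ValueError("length too large for this encoder")


def _der_int(value: int) -> bytes:
    if value < 0:
        raise ValueError("DER INTEGER for r/s must be non-negative")
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")  # minimal; leading 0x00 if high bit set
    return b"\x02" + _der_len(len(body)) + body


def _read_len(buf: bytes, pos: int) -> Tuple[int, int]:
    if pos >= len(buf):
        raise ValueError("truncated length")
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    if first == 0x81 and pos + 1 < len(buf) and buf[pos + 1] >= 0x80:
        return buf[pos + 1], pos + 2
    raise ValueError("non-minimal or unsupported DER length")


def _read_int(buf: bytes, pos: int) -> Tuple[int, int]:
    if pos >= len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER")
    n, pos = _read_len(buf, pos + 1)
    body = buf[pos:pos + n]
    if len(body) != n or n == 0:
        raise ValueError("truncated INTEGER")
    if body[0] & 0x80:
        raise ValueError("negative INTEGER")
    if n > 1 and body[0] == 0 and body[1] < 0x80:
        raise ValueError("non-minimal INTEGER")
    return int.from_bytes(body, "big"), pos + n


def raw_to_asn1(raw: bytes, size: int = P256_SCALAR_BYTES) -> bytes:
    """jws r||s -> DER SEQUENCE { INTEGER r, INTEGER s }."""
    if len(raw) != 2 * size:
        raise ValueError(f"jws signature must be {2 * size} bytes")
    r, s = int.from_bytes(raw[:size], "big"), int.from_bytes(raw[size:], "big")
    body = _der_int(r) + _der_int(s)
    return b"\x30" + _der_len(len(body)) + body


def asn1_to_raw(der: bytes, size: int = P256_SCALAR_BYTES) -> bytes:
    """DER SEQUENCE { INTEGER r, INTEGER s } -> fixed-width r||s (strict DER only)."""
    if not der or der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    seq_len, pos = _read_len(der, 1)
    if pos + seq_len != len(der):
        raise ValueError("trailing or missing bytes after SEQUENCE")
    r, pos = _read_int(der, pos)
    s, pos = _read_int(der, pos)
    if pos != len(der):
        raise ValueError("extra content inside SEQUENCE")
    return r.to_bytes(size, "big") + s.to_bytes(size, "big")


def is_strict_der(der: bytes) -> bool:
    try:
        asn1_to_raw(der)
        return True
    except (ValueError, OverflowError):
        return False


def _split(sig: str) -> Tuple[str, str]:
    prefix, version, body = sig.split(":", 2)   # "vault:vN:<encoded signature>"
    if prefix != "vault" or not version.startswith("v"):
        raise ValueError("expected a 'vault:vN:' signature")
    return f"{prefix}:{version}:", body


def vault_signature(raw: bytes, version: int = 1, marshaling: str = "asn1") -> str:
    """Build the 'vault:vN:...' string for r||s in the requested marshaling."""
    if marshaling == "asn1":
        return f"vault:v{version}:" + base64.b64encode(raw_to_asn1(raw)).decode()
    if marshaling == "jws":
        return f"vault:v{version}:" + base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    raise ValueError("marshaling must be 'asn1' or 'jws'")


def asn1_sig_to_jws(sig: str) -> str:
    head, body = _split(sig)
    raw = asn1_to_raw(base64.b64decode(body, validate=True))
    return head + base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jws_sig_to_asn1(sig: str) -> str:
    head, body = _split(sig)
    raw = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    return head + base64.b64encode(raw_to_asn1(raw)).decode()
```

A P-256 r or s with its top bit set needs a leading 0x00 byte in DER, which is why the two marshalings are not a fixed-length rename of each other: the asn1 form is 70 to 72 bytes depending on the values, the jws form is always 64.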