{ "openapi": "3.0.2", "info": { "title": "HashiCorp Vault API", "description": "HTTP API that gives you full access to Vault. All API routes are prefixed with `/v1/`.", "version": "1.5.3", "license": { "name": "Mozilla Public License 2.0", "url": "https://www.mozilla.org/en-US/MPL/2.0" } }, "paths": { "/Skywalker-kv/.*": {}, "/Skywalker-kv/config": { "description": "Configures settings for the KV store", "x-vault-createSupported": true, "get": { "summary": "Read the backend level settings.", "operationId": "getSkywalkerKvConfig", "tags": ["secrets"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Configure backend level settings that are applied to every key in the key-value store.", "operationId": "postSkywalkerKvConfig", "tags": ["secrets"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "cas_required": { "type": "boolean", "description": "If true, the backend will require the cas parameter to be set for each write" }, "delete_version_after": { "type": "integer", "description": "If set, the length of time before a version is deleted. A negative duration disables the use of delete_version_after on all keys. A zero duration clears the current setting. Accepts a Go duration format string.", "format": "seconds" }, "max_versions": { "type": "integer", "description": "The number of versions to keep for each key. Defaults to 10" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/Skywalker-kv/data/{path}": { "description": "Write, Read, and Delete data in the Key-Value Store.", "parameters": [{ "name": "path", "description": "Location of the secret.", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-createSupported": true, "get": { "summary": "Write, Read, and Delete data in the Key-Value Store.", "operationId": "getSkywalkerKvDataPath", "tags": ["secrets"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Write, Read, and Delete data in the Key-Value Store.", "operationId": "postSkywalkerKvDataPath", "tags": ["secrets"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "data": { "type": "object", "description": "The contents of the data map will be stored and returned on read.", "format": "map" }, "options": { "type": "object", "description": "Options for writing a KV entry. Set the \"cas\" value to use a Check-And-Set operation. If not set the write will be allowed. If set to 0 a write will only be allowed if the key doesn’t exist. If the index is non-zero the write will only be allowed if the key’s current version matches the version specified in the cas parameter.", "format": "map" }, "version": { "type": "integer", "description": "If provided during a read, the value at the version number will be returned" } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Write, Read, and Delete data in the Key-Value Store.", "operationId": "deleteSkywalkerKvDataPath", "tags": ["secrets"], "responses": { "204": { "description": "empty body" } } } }, "/Skywalker-kv/delete/{path}": { "description": "Marks one or more versions as deleted in the KV store.", "parameters": [{ "name": "path", "description": "Location of the secret.", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-createSupported": true, "post": { "summary": "Marks one or more versions as deleted in the KV store.", "operationId": "postSkywalkerKvDeletePath", "tags": ["secrets"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "versions": { "type": "array", "description": "The versions to be archived. The versioned data will not be deleted, but it will no longer be returned in normal get requests.", "items": { "type": "integer" } } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/Skywalker-kv/destroy/{path}": { "description": "Permanently removes one or more versions in the KV store", "parameters": [{ "name": "path", "description": "Location of the secret.", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-createSupported": true, "post": { "summary": "Permanently removes one or more versions in the KV store", "operationId": "postSkywalkerKvDestroyPath", "tags": ["secrets"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "versions": { "type": "array", "description": "The versions to destroy. Their data will be permanently deleted.", "items": { "type": "integer" } } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/Skywalker-kv/metadata/{path}": { "description": "Configures settings for the KV store", "parameters": [{ "name": "path", "description": "Location of the secret.", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-createSupported": true, "get": { "summary": "Configures settings for the KV store", "operationId": "getSkywalkerKvMetadataPath", "tags": ["secrets"], "parameters": [{ "name": "list", "description": "Return a list if `true`", "in": "query", "schema": { "type": "string" } }], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Configures settings for the KV store", "operationId": "postSkywalkerKvMetadataPath", "tags": ["secrets"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "cas_required": { "type": "boolean", "description": "If true the key will require the cas parameter to be set on all write requests. If false, the backend’s configuration will be used." }, "delete_version_after": { "type": "integer", "description": "The length of time before a version is deleted. If not set, the backend's configured delete_version_after is used. Cannot be greater than the backend's delete_version_after. A zero duration clears the current setting. A negative duration will cause an error.", "format": "seconds" }, "max_versions": { "type": "integer", "description": "The number of versions to keep. If not set, the backend’s configured max version is used." } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Configures settings for the KV store", "operationId": "deleteSkywalkerKvMetadataPath", "tags": ["secrets"], "responses": { "204": { "description": "empty body" } } } }, "/Skywalker-kv/undelete/{path}": { "description": "Undeletes one or more versions from the KV store.", "parameters": [{ "name": "path", "description": "Location of the secret.", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-createSupported": true, "post": { "summary": "Undeletes one or more versions from the KV store.", "operationId": "postSkywalkerKvUndeletePath", "tags": ["secrets"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "versions": { "type": "array", "description": "The versions to unarchive. The versions will be restored and their data will be returned on normal get requests.", "items": { "type": "integer" } } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/auth/approle/login": { "description": "Issue a token based on the credentials supplied", "x-vault-unauthenticated": true, "post": { "summary": "Issue a token based on the credentials supplied", "operationId": "postAuthApproleLogin", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "role_id": { "type": "string", "description": "Unique identifier of the Role. Required to be supplied when the 'bind_secret_id' constraint is set." }, "secret_id": { "type": "string", "description": "SecretID belong to the App role", "default": "" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/auth/approle/role": { "description": "Lists all the roles registered with the backend.", "get": { "summary": "Lists all the roles registered with the backend.", "operationId": "getAuthApproleRole", "tags": ["auth"], "parameters": [{ "name": "list", "description": "Return a list if `true`", "in": "query", "schema": { "type": "string" } }], "responses": { "200": { "description": "OK" } } } }, "/auth/approle/role/{role_name}": { "description": "Register an role with the backend.", "parameters": [{ "name": "role_name", "description": "Name of the role.", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-createSupported": true, "get": { "summary": "Register an role with the backend.", "operationId": "getAuthApproleRoleRole_name", "tags": ["auth"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Register an role with the backend.", "operationId": "postAuthApproleRoleRole_name", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "bind_secret_id": { "type": "boolean", "description": "Impose secret_id to be presented when logging in using this role. Defaults to 'true'.", "default": true }, "bound_cidr_list": { "type": "array", "description": "Use \"secret_id_bound_cidrs\" instead.", "items": { "type": "string" }, "deprecated": true }, "local_secret_ids": { "type": "boolean", "description": "If set, the secret IDs generated using this role will be cluster local. This can only be set during role creation and once set, it can't be reset later." }, "period": { "type": "integer", "description": "Use \"token_period\" instead. If this and \"token_period\" are both specified, only \"token_period\" will be used.", "format": "seconds", "deprecated": true }, "policies": { "type": "array", "description": "Use \"token_policies\" instead. If this and \"token_policies\" are both specified, only \"token_policies\" will be used.", "items": { "type": "string" }, "deprecated": true }, "role_id": { "type": "string", "description": "Identifier of the role. Defaults to a UUID." }, "secret_id_bound_cidrs": { "type": "array", "description": "Comma separated string or list of CIDR blocks. If set, specifies the blocks of IP addresses which can perform the login operation.", "items": { "type": "string" } }, "secret_id_num_uses": { "type": "integer", "description": "Number of times a SecretID can access the role, after which the SecretID will expire. Defaults to 0 meaning that the the secret_id is of unlimited use." }, "secret_id_ttl": { "type": "integer", "description": "Duration in seconds after which the issued SecretID should expire. Defaults to 0, meaning no expiration.", "format": "seconds" }, "token_bound_cidrs": { "type": "array", "description": "Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "Generated Token's Bound CIDRs", "group": "Tokens" } }, "token_explicit_max_ttl": { "type": "integer", "description": "If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.", "format": "seconds", "x-vault-displayAttrs": { "name": "Generated Token's Explicit Maximum TTL", "group": "Tokens" } }, "token_max_ttl": { "type": "integer", "description": "The maximum lifetime of the generated token", "format": "seconds", "x-vault-displayAttrs": { "name": "Generated Token's Maximum TTL", "group": "Tokens" } }, "token_no_default_policy": { "type": "boolean", "description": "If true, the 'default' policy will not automatically be added to generated tokens", "x-vault-displayAttrs": { "name": "Do Not Attach 'default' Policy To Generated Tokens", "group": "Tokens" } }, "token_num_uses": { "type": "integer", "description": "The maximum number of times a token may be used, a value of zero means unlimited", "x-vault-displayAttrs": { "name": "Maximum Uses of Generated Tokens", "group": "Tokens" } }, "token_period": { "type": "integer", "description": "If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").", "format": "seconds", "x-vault-displayAttrs": { "name": "Generated Token's Period", "group": "Tokens" } }, "token_policies": { "type": "array", "description": "Comma-separated list of policies", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "Generated Token's Policies", "group": "Tokens" } }, "token_ttl": { "type": "integer", "description": "The initial ttl of the token to generate", "format": "seconds", "x-vault-displayAttrs": { "name": "Generated Token's Initial TTL", "group": "Tokens" } }, "token_type": { "type": "string", "description": "The type of token to generate, service or batch", "default": "default-service", "x-vault-displayAttrs": { "name": "Generated Token's Type", "group": "Tokens" } } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Register an role with the backend.", "operationId": "deleteAuthApproleRoleRole_name", "tags": ["auth"], "responses": { "204": { "description": "empty body" } } } }, "/auth/approle/role/{role_name}/bind-secret-id": { "description": "Impose secret_id to be presented during login using this role.", "parameters": [{ "name": "role_name", "description": "Name of the role.", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "summary": "Impose secret_id to be presented during login using this role.", "operationId": "getAuthApproleRoleRole_nameBindSecretId", "tags": ["auth"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Impose secret_id to be presented during login using this role.", "operationId": "postAuthApproleRoleRole_nameBindSecretId", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "bind_secret_id": { "type": "boolean", "description": "Impose secret_id to be presented when logging in using this role.", "default": true } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Impose secret_id to be presented during login using this role.", "operationId": "deleteAuthApproleRoleRole_nameBindSecretId", "tags": ["auth"], "responses": { "204": { "description": "empty body" } } } }, "/auth/approle/role/{role_name}/bound-cidr-list": { "description": "Deprecated: Comma separated list of CIDR blocks, if set, specifies blocks of IP addresses which can perform the login operation", "parameters": [{ "name": "role_name", "description": "Name of the role.", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "summary": "Deprecated: Comma separated list of CIDR blocks, if set, specifies blocks of IP\naddresses which can perform the login operation", "operationId": "getAuthApproleRoleRole_nameBoundCidrList", "tags": ["auth"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Deprecated: Comma separated list of CIDR blocks, if set, specifies blocks of IP\naddresses which can perform the login operation", "operationId": "postAuthApproleRoleRole_nameBoundCidrList", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "bound_cidr_list": { "type": "array", "description": "Deprecated: Please use \"secret_id_bound_cidrs\" instead. Comma separated string or list of CIDR blocks. If set, specifies the blocks of IP addresses which can perform the login operation.", "items": { "type": "string" } } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Deprecated: Comma separated list of CIDR blocks, if set, specifies blocks of IP\naddresses which can perform the login operation", "operationId": "deleteAuthApproleRoleRole_nameBoundCidrList", "tags": ["auth"], "responses": { "204": { "description": "empty body" } } } }, "/auth/approle/role/{role_name}/custom-secret-id": { "description": "Assign a SecretID of choice against the role.", "parameters": [{ "name": "role_name", "description": "Name of the role.", "in": "path", "schema": { "type": "string" }, "required": true }], "post": { "summary": "Assign a SecretID of choice against the role.", "operationId": "postAuthApproleRoleRole_nameCustomSecretId", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "cidr_list": { "type": "array", "description": "Comma separated string or list of CIDR blocks enforcing secret IDs to be used from specific set of IP addresses. If 'bound_cidr_list' is set on the role, then the list of CIDR blocks listed here should be a subset of the CIDR blocks listed on the role.", "items": { "type": "string" } }, "metadata": { "type": "string", "description": "Metadata to be tied to the SecretID. This should be a JSON formatted string containing metadata in key value pairs." }, "secret_id": { "type": "string", "description": "SecretID to be attached to the role." }, "token_bound_cidrs": { "type": "array", "description": "Comma separated string or list of CIDR blocks. If set, specifies the blocks of IP addresses which can use the returned token. Should be a subset of the token CIDR blocks listed on the role, if any.", "items": { "type": "string" } } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/auth/approle/role/{role_name}/local-secret-ids": { "description": "Enables cluster local secret IDs", "parameters": [{ "name": "role_name", "description": "Name of the role.", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "summary": "Enables cluster local secret IDs", "operationId": "getAuthApproleRoleRole_nameLocalSecretIds", "tags": ["auth"], "responses": { "200": { "description": "OK" } } } }, "/auth/approle/role/{role_name}/period": { "description": "Updates the value of 'period' on the role", "parameters": [{ "name": "role_name", "description": "Name of the role.", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "summary": "Updates the value of 'period' on the role", "operationId": "getAuthApproleRoleRole_namePeriod", "tags": ["auth"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Updates the value of 'period' on the role", "operationId": "postAuthApproleRoleRole_namePeriod", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "period": { "type": "integer", "description": "Use \"token_period\" instead. If this and \"token_period\" are both specified, only \"token_period\" will be used.", "format": "seconds", "deprecated": true }, "token_period": { "type": "integer", "description": "If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").", "format": "seconds" } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Updates the value of 'period' on the role", "operationId": "deleteAuthApproleRoleRole_namePeriod", "tags": ["auth"], "responses": { "204": { "description": "empty body" } } } }, "/auth/approle/role/{role_name}/policies": { "description": "Policies of the role.", "parameters": [{ "name": "role_name", "description": "Name of the role.", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "summary": "Policies of the role.", "operationId": "getAuthApproleRoleRole_namePolicies", "tags": ["auth"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Policies of the role.", "operationId": "postAuthApproleRoleRole_namePolicies", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "policies": { "type": "array", "description": "Use \"token_policies\" instead. If this and \"token_policies\" are both specified, only \"token_policies\" will be used.", "items": { "type": "string" }, "deprecated": true }, "token_policies": { "type": "array", "description": "Comma-separated list of policies", "items": { "type": "string" } } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Policies of the role.", "operationId": "deleteAuthApproleRoleRole_namePolicies", "tags": ["auth"], "responses": { "204": { "description": "empty body" } } } }, "/auth/approle/role/{role_name}/role-id": { "description": "Returns the 'role_id' of the role.", "parameters": [{ "name": "role_name", "description": "Name of the role.", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "summary": "Returns the 'role_id' of the role.", "operationId": "getAuthApproleRoleRole_nameRoleId", "tags": ["auth"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Returns the 'role_id' of the role.", "operationId": "postAuthApproleRoleRole_nameRoleId", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "role_id": { "type": "string", "description": "Identifier of the role. Defaults to a UUID." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/auth/approle/role/{role_name}/secret-id": { "description": "Generate a SecretID against this role.", "parameters": [{ "name": "role_name", "description": "Name of the role.", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "summary": "Generate a SecretID against this role.", "operationId": "getAuthApproleRoleRole_nameSecretId", "tags": ["auth"], "parameters": [{ "name": "list", "description": "Return a list if `true`", "in": "query", "schema": { "type": "string" } }], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Generate a SecretID against this role.", "operationId": "postAuthApproleRoleRole_nameSecretId", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "cidr_list": { "type": "array", "description": "Comma separated string or list of CIDR blocks enforcing secret IDs to be used from specific set of IP addresses. If 'bound_cidr_list' is set on the role, then the list of CIDR blocks listed here should be a subset of the CIDR blocks listed on the role.", "items": { "type": "string" } }, "metadata": { "type": "string", "description": "Metadata to be tied to the SecretID. This should be a JSON formatted string containing the metadata in key value pairs." }, "token_bound_cidrs": { "type": "array", "description": "Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", "items": { "type": "string" } } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/auth/approle/role/{role_name}/secret-id-accessor/destroy": { "parameters": [{ "name": "role_name", "description": "Name of the role.", "in": "path", "schema": { "type": "string" }, "required": true }], "post": { "operationId": "postAuthApproleRoleRole_nameSecretIdAccessorDestroy", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "secret_id_accessor": { "type": "string", "description": "Accessor of the SecretID" } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "operationId": "deleteAuthApproleRoleRole_nameSecretIdAccessorDestroy", "tags": ["auth"], "responses": { "204": { "description": "empty body" } } } }, "/auth/approle/role/{role_name}/secret-id-accessor/lookup": { "parameters": [{ "name": "role_name", "description": "Name of the role.", "in": "path", "schema": { "type": "string" }, "required": true }], "post": { "operationId": "postAuthApproleRoleRole_nameSecretIdAccessorLookup", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "secret_id_accessor": { "type": "string", "description": "Accessor of the SecretID" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/auth/approle/role/{role_name}/secret-id-bound-cidrs": { "description": "Comma separated list of CIDR blocks, if set, specifies blocks of IP addresses which can perform the login operation", "parameters": [{ "name": "role_name", "description": "Name of the role.", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "summary": "Comma separated list of CIDR blocks, if set, specifies blocks of IP\naddresses which can perform the login operation", "operationId": "getAuthApproleRoleRole_nameSecretIdBoundCidrs", "tags": ["auth"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Comma separated list of CIDR blocks, if set, specifies blocks of IP\naddresses which can perform the login operation", "operationId": "postAuthApproleRoleRole_nameSecretIdBoundCidrs", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "secret_id_bound_cidrs": { "type": "array", "description": "Comma separated string or list of CIDR blocks. If set, specifies the blocks of IP addresses which can perform the login operation.", "items": { "type": "string" } } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Comma separated list of CIDR blocks, if set, specifies blocks of IP\naddresses which can perform the login operation", "operationId": "deleteAuthApproleRoleRole_nameSecretIdBoundCidrs", "tags": ["auth"], "responses": { "204": { "description": "empty body" } } } }, "/auth/approle/role/{role_name}/secret-id-num-uses": { "description": "Use limit of the SecretID generated against the role.", "parameters": [{ "name": "role_name", "description": "Name of the role.", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "summary": "Use limit of the SecretID generated against the role.", "operationId": "getAuthApproleRoleRole_nameSecretIdNumUses", "tags": ["auth"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Use limit of the SecretID generated against the role.", "operationId": "postAuthApproleRoleRole_nameSecretIdNumUses", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "secret_id_num_uses": { "type": "integer", "description": "Number of times a SecretID can access the role, after which the SecretID will expire." } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Use limit of the SecretID generated against the role.", "operationId": "deleteAuthApproleRoleRole_nameSecretIdNumUses", "tags": ["auth"], "responses": { "204": { "description": "empty body" } } } }, "/auth/approle/role/{role_name}/secret-id-ttl": { "description": "Duration in seconds, representing the lifetime of the SecretIDs that are generated against the role using 'role/\u003crole_name\u003e/secret-id' or 'role/\u003crole_name\u003e/custom-secret-id' endpoints.", "parameters": [{ "name": "role_name", "description": "Name of the role.", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "summary": "Duration in seconds, representing the lifetime of the SecretIDs\nthat are generated against the role using 'role/\u003crole_name\u003e/secret-id' or\n'role/\u003crole_name\u003e/custom-secret-id' endpoints.", "operationId": "getAuthApproleRoleRole_nameSecretIdTtl", "tags": ["auth"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Duration in seconds, representing the lifetime of the SecretIDs\nthat are generated against the role using 'role/\u003crole_name\u003e/secret-id' or\n'role/\u003crole_name\u003e/custom-secret-id' endpoints.", "operationId": "postAuthApproleRoleRole_nameSecretIdTtl", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "secret_id_ttl": { "type": "integer", "description": "Duration in seconds after which the issued SecretID should expire. Defaults to 0, meaning no expiration.", "format": "seconds" } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Duration in seconds, representing the lifetime of the SecretIDs\nthat are generated against the role using 'role/\u003crole_name\u003e/secret-id' or\n'role/\u003crole_name\u003e/custom-secret-id' endpoints.", "operationId": "deleteAuthApproleRoleRole_nameSecretIdTtl", "tags": ["auth"], "responses": { "204": { "description": "empty body" } } } }, "/auth/approle/role/{role_name}/secret-id/destroy": { "description": "Invalidate an issued secret_id", "parameters": [{ "name": "role_name", "description": "Name of the role.", "in": "path", "schema": { "type": "string" }, "required": true }], "post": { "summary": "Invalidate an issued secret_id", "operationId": "postAuthApproleRoleRole_nameSecretIdDestroy", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "secret_id": { "type": "string", "description": "SecretID attached to the role." } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Invalidate an issued secret_id", "operationId": "deleteAuthApproleRoleRole_nameSecretIdDestroy", "tags": ["auth"], "responses": { "204": { "description": "empty body" } } } }, "/auth/approle/role/{role_name}/secret-id/lookup": { "description": "Read the properties of an issued secret_id", "parameters": [{ "name": "role_name", "description": "Name of the role.", "in": "path", "schema": { "type": "string" }, "required": true }], "post": { "summary": "Read the properties of an issued secret_id", "operationId": "postAuthApproleRoleRole_nameSecretIdLookup", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "secret_id": { "type": "string", "description": "SecretID attached to the role." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/auth/approle/role/{role_name}/token-bound-cidrs": { "description": "Comma separated string or list of CIDR blocks. If set, specifies the blocks of IP addresses which can use the returned token.", "parameters": [{ "name": "role_name", "description": "Name of the role.", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "summary": "Comma separated string or list of CIDR blocks. If set, specifies the blocks of\nIP addresses which can use the returned token.", "operationId": "getAuthApproleRoleRole_nameTokenBoundCidrs", "tags": ["auth"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Comma separated string or list of CIDR blocks. If set, specifies the blocks of\nIP addresses which can use the returned token.", "operationId": "postAuthApproleRoleRole_nameTokenBoundCidrs", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "token_bound_cidrs": { "type": "array", "description": "Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", "items": { "type": "string" } } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Comma separated string or list of CIDR blocks. If set, specifies the blocks of\nIP addresses which can use the returned token.", "operationId": "deleteAuthApproleRoleRole_nameTokenBoundCidrs", "tags": ["auth"], "responses": { "204": { "description": "empty body" } } } }, "/auth/approle/role/{role_name}/token-max-ttl": { "description": "Duration in seconds, the maximum lifetime of the tokens issued by using the SecretIDs that were generated against this role, after which the tokens are not allowed to be renewed.", "parameters": [{ "name": "role_name", "description": "Name of the role.", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "summary": "Duration in seconds, the maximum lifetime of the tokens issued by using\nthe SecretIDs that were generated against this role, after which the\ntokens are not allowed to be renewed.", "operationId": "getAuthApproleRoleRole_nameTokenMaxTtl", "tags": ["auth"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Duration in seconds, the maximum lifetime of the tokens issued by using\nthe SecretIDs that were generated against this role, after which the\ntokens are not allowed to be renewed.", "operationId": "postAuthApproleRoleRole_nameTokenMaxTtl", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "token_max_ttl": { "type": "integer", "description": "The maximum lifetime of the generated token", "format": "seconds" } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Duration in seconds, the maximum lifetime of the tokens issued by using\nthe SecretIDs that were generated against this role, after which the\ntokens are not allowed to be renewed.", "operationId": "deleteAuthApproleRoleRole_nameTokenMaxTtl", "tags": ["auth"], "responses": { "204": { "description": "empty body" } } } }, "/auth/approle/role/{role_name}/token-num-uses": { "description": "Number of times issued tokens can be used", "parameters": [{ "name": "role_name", "description": "Name of the role.", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "summary": "Number of times issued tokens can be used", "operationId": "getAuthApproleRoleRole_nameTokenNumUses", "tags": ["auth"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Number of times issued tokens can be used", "operationId": "postAuthApproleRoleRole_nameTokenNumUses", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "token_num_uses": { "type": "integer", "description": "The maximum number of times a token may be used, a value of zero means unlimited" } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Number of times issued tokens can be used", "operationId": "deleteAuthApproleRoleRole_nameTokenNumUses", "tags": ["auth"], "responses": { "204": { "description": "empty body" } } } }, "/auth/approle/role/{role_name}/token-ttl": { "description": "Duration in seconds, the lifetime of the token issued by using the SecretID that is generated against this role, before which the token needs to be renewed.", "parameters": [{ "name": "role_name", "description": "Name of the role.", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "summary": "Duration in seconds, the lifetime of the token issued by using the SecretID that\nis generated against this role, before which the token needs to be renewed.", "operationId": "getAuthApproleRoleRole_nameTokenTtl", "tags": ["auth"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Duration in seconds, the lifetime of the token issued by using the SecretID that\nis generated against this role, before which the token needs to be renewed.", "operationId": "postAuthApproleRoleRole_nameTokenTtl", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "token_ttl": { "type": "integer", "description": "The initial ttl of the token to generate", "format": "seconds" } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Duration in seconds, the lifetime of the token issued by using the SecretID that\nis generated against this role, before which the token needs to be renewed.", "operationId": "deleteAuthApproleRoleRole_nameTokenTtl", "tags": ["auth"], "responses": { "204": { "description": "empty body" } } } }, "/auth/approle/tidy/secret-id": { "description": "Trigger the clean-up of expired SecretID entries.", "post": { "summary": "Trigger the clean-up of expired SecretID entries.", "operationId": "postAuthApproleTidySecretId", "tags": ["auth"], "responses": { "200": { "description": "OK" } } } }, "/auth/ldap/config": { "description": "Configure the LDAP server to connect to, along with its options.", "x-vault-displayAttrs": { "action": "Configure" }, "get": { "summary": "Configure the LDAP server to connect to, along with its options.", "operationId": "getAuthLdapConfig", "tags": ["auth"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Configure the LDAP server to connect to, along with its options.", "operationId": "postAuthLdapConfig", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "anonymous_group_search": { "type": "boolean", "description": "Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).", "default": false, "x-vault-displayAttrs": { "name": "Anonymous group search" } }, "binddn": { "type": "string", "description": "LDAP DN for searching for the user DN (optional)", "x-vault-displayAttrs": { "name": "Name of Object to bind (binddn)" } }, "bindpass": { "type": "string", "description": "LDAP password for searching for the user DN (optional)", "x-vault-displayAttrs": { "sensitive": true } }, "case_sensitive_names": { "type": "boolean", "description": "If true, case sensitivity will be used when comparing usernames and groups for matching policies." }, "certificate": { "type": "string", "description": "CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded (optional)", "x-vault-displayAttrs": { "name": "CA certificate", "editType": "file" } }, "client_tls_cert": { "type": "string", "description": "Client certificate to provide to the LDAP server, must be x509 PEM encoded (optional)", "x-vault-displayAttrs": { "name": "Client certificate", "editType": "file" } }, "client_tls_key": { "type": "string", "description": "Client certificate key to provide to the LDAP server, must be x509 PEM encoded (optional)", "x-vault-displayAttrs": { "name": "Client key", "editType": "file" } }, "deny_null_bind": { "type": "boolean", "description": "Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true", "default": true }, "discoverdn": { "type": "boolean", "description": "Use anonymous bind to discover the bind DN of a user (optional)", "x-vault-displayAttrs": { "name": "Discover DN" } }, "groupattr": { "type": "string", "description": "LDAP attribute to follow on objects returned by \u003cgroupfilter\u003e in order to enumerate user group membership. Examples: \"cn\" or \"memberOf\", etc. Default: cn", "default": "cn", "x-vault-displayAttrs": { "name": "Group Attribute", "value": "cn" } }, "groupdn": { "type": "string", "description": "LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org)", "x-vault-displayAttrs": { "name": "Group DN" } }, "groupfilter": { "type": "string", "description": "Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username Example: (\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))", "default": "(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))", "x-vault-displayAttrs": { "name": "Group Filter" } }, "insecure_tls": { "type": "boolean", "description": "Skip LDAP server SSL Certificate verification - VERY insecure (optional)", "x-vault-displayAttrs": { "name": "Insecure TLS" } }, "request_timeout": { "type": "integer", "description": "Timeout, in seconds, for the connection when making requests against the server before returning back an error.", "format": "seconds", "default": "90s" }, "starttls": { "type": "boolean", "description": "Issue a StartTLS command after establishing unencrypted connection (optional)", "x-vault-displayAttrs": { "name": "Issue StartTLS" } }, "tls_max_version": { "type": "string", "description": "Maximum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12'", "enum": ["tls10", "tls11", "tls12", "tls13"], "default": "tls12", "x-vault-displayAttrs": { "name": "Maximum TLS Version" } }, "tls_min_version": { "type": "string", "description": "Minimum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12'", "enum": ["tls10", "tls11", "tls12", "tls13"], "default": "tls12", "x-vault-displayAttrs": { "name": "Minimum TLS Version" } }, "token_bound_cidrs": { "type": "array", "description": "Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "Generated Token's Bound CIDRs", "group": "Tokens" } }, "token_explicit_max_ttl": { "type": "integer", "description": "If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.", "format": "seconds", "x-vault-displayAttrs": { "name": "Generated Token's Explicit Maximum TTL", "group": "Tokens" } }, "token_max_ttl": { "type": "integer", "description": "The maximum lifetime of the generated token", "format": "seconds", "x-vault-displayAttrs": { "name": "Generated Token's Maximum TTL", "group": "Tokens" } }, "token_no_default_policy": { "type": "boolean", "description": "If true, the 'default' policy will not automatically be added to generated tokens", "x-vault-displayAttrs": { "name": "Do Not Attach 'default' Policy To Generated Tokens", "group": "Tokens" } }, "token_num_uses": { "type": "integer", "description": "The maximum number of times a token may be used, a value of zero means unlimited", "x-vault-displayAttrs": { "name": "Maximum Uses of Generated Tokens", "group": "Tokens" } }, "token_period": { "type": "integer", "description": "If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").", "format": "seconds", "x-vault-displayAttrs": { "name": "Generated Token's Period", "group": "Tokens" } }, "token_policies": { "type": "array", "description": "Comma-separated list of policies. This will apply to all tokens generated by this auth method, in addition to any configured for specific users/groups.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "Generated Token's Policies", "group": "Tokens" } }, "token_ttl": { "type": "integer", "description": "The initial ttl of the token to generate", "format": "seconds", "x-vault-displayAttrs": { "name": "Generated Token's Initial TTL", "group": "Tokens" } }, "token_type": { "type": "string", "description": "The type of token to generate, service or batch", "default": "default-service", "x-vault-displayAttrs": { "name": "Generated Token's Type", "group": "Tokens" } }, "upndomain": { "type": "string", "description": "Enables userPrincipalDomain login with [username]@UPNDomain (optional)", "x-vault-displayAttrs": { "name": "User Principal (UPN) Domain" } }, "url": { "type": "string", "description": "LDAP URL to connect to (default: ldap://127.0.0.1). Multiple URLs can be specified by concatenating them with commas; they will be tried in-order.", "default": "ldap://127.0.0.1", "x-vault-displayAttrs": { "name": "URL" } }, "use_pre111_group_cn_behavior": { "type": "boolean", "description": "In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations." }, "use_token_groups": { "type": "boolean", "description": "If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.", "default": false }, "userattr": { "type": "string", "description": "Attribute used for users (default: cn)", "default": "cn", "x-vault-displayAttrs": { "name": "User Attribute", "value": "cn" } }, "userdn": { "type": "string", "description": "LDAP domain to use for users (eg: ou=People,dc=example,dc=org)", "x-vault-displayAttrs": { "name": "User DN" } } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/auth/ldap/duo/access": { "description": "Configure the access keys and host for Duo API connections.", "x-vault-sudo": true, "post": { "summary": "Configure the access keys and host for Duo API connections.", "operationId": "postAuthLdapDuoAccess", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "host": { "type": "string", "description": "Duo api host" }, "ikey": { "type": "string", "description": "Duo integration key" }, "skey": { "type": "string", "description": "Duo secret key" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/auth/ldap/duo/config": { "description": "Configure Duo second factor behavior.", "x-vault-sudo": true, "get": { "summary": "Configure Duo second factor behavior.", "operationId": "getAuthLdapDuoConfig", "tags": ["auth"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Configure Duo second factor behavior.", "operationId": "postAuthLdapDuoConfig", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "push_info": { "type": "string", "description": "A string of URL-encoded key/value pairs that provides additional context about the authentication attempt in the Duo Mobile app" }, "user_agent": { "type": "string", "description": "User agent to connect to Duo (default \"\")" }, "username_format": { "type": "string", "description": "Format string given auth method username as argument to create Duo username (default '%s')" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/auth/ldap/groups": { "description": "Manage additional groups for users allowed to authenticate.", "x-vault-displayAttrs": { "navigation": true, "itemType": "Group" }, "get": { "summary": "Manage additional groups for users allowed to authenticate.", "operationId": "getAuthLdapGroups", "tags": ["auth"], "parameters": [{ "name": "list", "description": "Return a list if `true`", "in": "query", "schema": { "type": "string" } }], "responses": { "200": { "description": "OK" } } } }, "/auth/ldap/groups/{name}": { "description": "Manage additional groups for users allowed to authenticate.", "parameters": [{ "name": "name", "description": "Name of the LDAP group.", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-displayAttrs": { "itemType": "Group", "action": "Create" }, "get": { "summary": "Manage additional groups for users allowed to authenticate.", "operationId": "getAuthLdapGroupsName", "tags": ["auth"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Manage additional groups for users allowed to authenticate.", "operationId": "postAuthLdapGroupsName", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "policies": { "type": "array", "description": "Comma-separated list of policies associated to the group.", "items": { "type": "string" } } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Manage additional groups for users allowed to authenticate.", "operationId": "deleteAuthLdapGroupsName", "tags": ["auth"], "responses": { "204": { "description": "empty body" } } } }, "/auth/ldap/login/{username}": { "description": "Log in with a username and password.", "parameters": [{ "name": "username", "description": "DN (distinguished name) to be used for login.", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-unauthenticated": true, "post": { "summary": "Log in with a username and password.", "operationId": "postAuthLdapLoginUsername", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "method": { "type": "string", "description": "Multi-factor auth method to use (optional)" }, "passcode": { "type": "string", "description": "One time passcode (optional)" }, "password": { "type": "string", "description": "Password for this user." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/auth/ldap/mfa_config": { "description": "Configure multi factor backend.", "x-vault-sudo": true, "get": { "summary": "Configure multi factor backend.", "operationId": "getAuthLdapMfa_config", "tags": ["auth"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Configure multi factor backend.", "operationId": "postAuthLdapMfa_config", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "type": { "type": "string", "description": "Enables MFA with given backend (available: duo)" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/auth/ldap/users": { "description": "Manage users allowed to authenticate.", "x-vault-displayAttrs": { "navigation": true, "itemType": "User" }, "get": { "summary": "Manage users allowed to authenticate.", "operationId": "getAuthLdapUsers", "tags": ["auth"], "parameters": [{ "name": "list", "description": "Return a list if `true`", "in": "query", "schema": { "type": "string" } }], "responses": { "200": { "description": "OK" } } } }, "/auth/ldap/users/{name}": { "description": "Manage users allowed to authenticate.", "parameters": [{ "name": "name", "description": "Name of the LDAP user.", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-displayAttrs": { "itemType": "User", "action": "Create" }, "get": { "summary": "Manage users allowed to authenticate.", "operationId": "getAuthLdapUsersName", "tags": ["auth"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Manage users allowed to authenticate.", "operationId": "postAuthLdapUsersName", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "groups": { "type": "array", "description": "Comma-separated list of additional groups associated with the user.", "items": { "type": "string" } }, "policies": { "type": "array", "description": "Comma-separated list of policies associated with the user.", "items": { "type": "string" } } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Manage users allowed to authenticate.", "operationId": "deleteAuthLdapUsersName", "tags": ["auth"], "responses": { "204": { "description": "empty body" } } } }, "/auth/rancher/config": { "description": "Configures the JWT Public Key and Kubernetes API information.", "x-vault-createSupported": true, "get": { "summary": "Configures the JWT Public Key and Kubernetes API information.", "operationId": "getAuthRancherConfig", "tags": ["auth"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Configures the JWT Public Key and Kubernetes API information.", "operationId": "postAuthRancherConfig", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "disable_iss_validation": { "type": "boolean", "description": "Disable JWT issuer validation. Allows to skip ISS validation.", "default": false, "x-vault-displayAttrs": { "name": "Disable JWT Issuer Validation" } }, "issuer": { "type": "string", "description": "Optional JWT issuer. If no issuer is specified, then this plugin will use kubernetes.io/serviceaccount as the default issuer.", "x-vault-displayAttrs": { "name": "JWT Issuer" } }, "kubernetes_ca_cert": { "type": "string", "description": "PEM encoded CA cert for use by the TLS client used to talk with the API.", "x-vault-displayAttrs": { "name": "Kubernetes CA Certificate" } }, "kubernetes_host": { "type": "string", "description": "Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server." }, "pem_keys": { "type": "array", "description": "Optional list of PEM-formated public keys or certificates used to verify the signatures of kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kuberentes exposes these keys.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "Service account verification keys" } }, "token_reviewer_jwt": { "type": "string", "description": "A service account JWT used to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.", "x-vault-displayAttrs": { "name": "Token Reviewer JWT" } } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/auth/rancher/login": { "description": "Authenticates Kubernetes service accounts with Vault.", "x-vault-unauthenticated": true, "post": { "summary": "Authenticates Kubernetes service accounts with Vault.", "operationId": "postAuthRancherLogin", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "jwt": { "type": "string", "description": "A signed JWT for authenticating a service account. This field is required." }, "role": { "type": "string", "description": "Name of the role against which the login is being attempted. This field is required" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/auth/rancher/role": { "description": "Lists all the roles registered with the backend.", "x-vault-displayAttrs": { "navigation": true, "itemType": "Role" }, "get": { "summary": "Lists all the roles registered with the backend.", "operationId": "getAuthRancherRole", "tags": ["auth"], "parameters": [{ "name": "list", "description": "Return a list if `true`", "in": "query", "schema": { "type": "string" } }], "responses": { "200": { "description": "OK" } } } }, "/auth/rancher/role/{name}": { "description": "Register an role with the backend.", "parameters": [{ "name": "name", "description": "Name of the role.", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-createSupported": true, "x-vault-displayAttrs": { "itemType": "Role", "action": "Create" }, "get": { "summary": "Register an role with the backend.", "operationId": "getAuthRancherRoleName", "tags": ["auth"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Register an role with the backend.", "operationId": "postAuthRancherRoleName", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "audience": { "type": "string", "description": "Optional Audience claim to verify in the jwt." }, "bound_cidrs": { "type": "array", "description": "Use \"token_bound_cidrs\" instead. If this and \"token_bound_cidrs\" are both specified, only \"token_bound_cidrs\" will be used.", "items": { "type": "string" }, "deprecated": true }, "bound_service_account_names": { "type": "array", "description": "List of service account names able to access this role. If set to \"*\" all names are allowed.", "items": { "type": "string" } }, "bound_service_account_namespaces": { "type": "array", "description": "List of namespaces allowed to access this role. If set to \"*\" all namespaces are allowed.", "items": { "type": "string" } }, "max_ttl": { "type": "integer", "description": "Use \"token_max_ttl\" instead. If this and \"token_max_ttl\" are both specified, only \"token_max_ttl\" will be used.", "format": "seconds", "deprecated": true }, "num_uses": { "type": "integer", "description": "Use \"token_num_uses\" instead. If this and \"token_num_uses\" are both specified, only \"token_num_uses\" will be used.", "deprecated": true }, "period": { "type": "integer", "description": "Use \"token_period\" instead. If this and \"token_period\" are both specified, only \"token_period\" will be used.", "format": "seconds", "deprecated": true }, "policies": { "type": "array", "description": "Use \"token_policies\" instead. If this and \"token_policies\" are both specified, only \"token_policies\" will be used.", "items": { "type": "string" }, "deprecated": true }, "token_bound_cidrs": { "type": "array", "description": "Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "Generated Token's Bound CIDRs", "group": "Tokens" } }, "token_explicit_max_ttl": { "type": "integer", "description": "If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.", "format": "seconds", "x-vault-displayAttrs": { "name": "Generated Token's Explicit Maximum TTL", "group": "Tokens" } }, "token_max_ttl": { "type": "integer", "description": "The maximum lifetime of the generated token", "format": "seconds", "x-vault-displayAttrs": { "name": "Generated Token's Maximum TTL", "group": "Tokens" } }, "token_no_default_policy": { "type": "boolean", "description": "If true, the 'default' policy will not automatically be added to generated tokens", "x-vault-displayAttrs": { "name": "Do Not Attach 'default' Policy To Generated Tokens", "group": "Tokens" } }, "token_num_uses": { "type": "integer", "description": "The maximum number of times a token may be used, a value of zero means unlimited", "x-vault-displayAttrs": { "name": "Maximum Uses of Generated Tokens", "group": "Tokens" } }, "token_period": { "type": "integer", "description": "If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").", "format": "seconds", "x-vault-displayAttrs": { "name": "Generated Token's Period", "group": "Tokens" } }, "token_policies": { "type": "array", "description": "Comma-separated list of policies", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "Generated Token's Policies", "group": "Tokens" } }, "token_ttl": { "type": "integer", "description": "The initial ttl of the token to generate", "format": "seconds", "x-vault-displayAttrs": { "name": "Generated Token's Initial TTL", "group": "Tokens" } }, "token_type": { "type": "string", "description": "The type of token to generate, service or batch", "default": "default-service", "x-vault-displayAttrs": { "name": "Generated Token's Type", "group": "Tokens" } }, "ttl": { "type": "integer", "description": "Use \"token_ttl\" instead. If this and \"token_ttl\" are both specified, only \"token_ttl\" will be used.", "format": "seconds", "deprecated": true } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Register an role with the backend.", "operationId": "deleteAuthRancherRoleName", "tags": ["auth"], "responses": { "204": { "description": "empty body" } } } }, "/auth/token/accessors/": { "description": "List token accessors, which can then be be used to iterate and discover their properties or revoke them. Because this can be used to cause a denial of service, this endpoint requires 'sudo' capability in addition to 'list'.", "x-vault-sudo": true, "get": { "summary": "List token accessors, which can then be\nbe used to iterate and discover their properties\nor revoke them. Because this can be used to\ncause a denial of service, this endpoint\nrequires 'sudo' capability in addition to\n'list'.", "operationId": "getAuthTokenAccessors", "tags": ["auth"], "parameters": [{ "name": "list", "description": "Return a list if `true`", "in": "query", "schema": { "type": "string" } }], "responses": { "200": { "description": "OK" } } } }, "/auth/token/create": { "description": "The token create path is used to create new tokens.", "post": { "summary": "The token create path is used to create new tokens.", "operationId": "postAuthTokenCreate", "tags": ["auth"], "responses": { "200": { "description": "OK" } } } }, "/auth/token/create-orphan": { "description": "The token create path is used to create new orphan tokens.", "post": { "summary": "The token create path is used to create new orphan tokens.", "operationId": "postAuthTokenCreateOrphan", "tags": ["auth"], "responses": { "200": { "description": "OK" } } } }, "/auth/token/create/{role_name}": { "description": "This token create path is used to create new tokens adhering to the given role.", "parameters": [{ "name": "role_name", "description": "Name of the role", "in": "path", "schema": { "type": "string" }, "required": true }], "post": { "summary": "This token create path is used to create new tokens adhering to the given role.", "operationId": "postAuthTokenCreateRole_name", "tags": ["auth"], "responses": { "200": { "description": "OK" } } } }, "/auth/token/lookup": { "description": "This endpoint will lookup a token and its properties.", "get": { "summary": "This endpoint will lookup a token and its properties.", "operationId": "getAuthTokenLookup", "tags": ["auth"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "This endpoint will lookup a token and its properties.", "operationId": "postAuthTokenLookup", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "token": { "type": "string", "description": "Token to lookup (POST request body)" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/auth/token/lookup-accessor": { "description": "This endpoint will lookup a token associated with the given accessor and its properties. Response will not contain the token ID.", "post": { "summary": "This endpoint will lookup a token associated with the given accessor and its properties. Response will not contain the token ID.", "operationId": "postAuthTokenLookupAccessor", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "accessor": { "type": "string", "description": "Accessor of the token to look up (request body)" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/auth/token/lookup-self": { "description": "This endpoint will lookup a token and its properties.", "get": { "summary": "This endpoint will lookup a token and its properties.", "operationId": "getAuthTokenLookupSelf", "tags": ["auth"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "This endpoint will lookup a token and its properties.", "operationId": "postAuthTokenLookupSelf", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "token": { "type": "string", "description": "Token to look up (unused, does not need to be set)" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/auth/token/renew": { "description": "This endpoint will renew the given token and prevent expiration.", "post": { "summary": "This endpoint will renew the given token and prevent expiration.", "operationId": "postAuthTokenRenew", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "increment": { "type": "integer", "description": "The desired increment in seconds to the token expiration", "format": "seconds", "default": 0 }, "token": { "type": "string", "description": "Token to renew (request body)" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/auth/token/renew-accessor": { "description": "This endpoint will renew a token associated with the given accessor and its properties. Response will not contain the token ID.", "post": { "summary": "This endpoint will renew a token associated with the given accessor and its properties. Response will not contain the token ID.", "operationId": "postAuthTokenRenewAccessor", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "accessor": { "type": "string", "description": "Accessor of the token to renew (request body)" }, "increment": { "type": "integer", "description": "The desired increment in seconds to the token expiration", "format": "seconds", "default": 0 } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/auth/token/renew-self": { "description": "This endpoint will renew the token used to call it and prevent expiration.", "post": { "summary": "This endpoint will renew the token used to call it and prevent expiration.", "operationId": "postAuthTokenRenewSelf", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "increment": { "type": "integer", "description": "The desired increment in seconds to the token expiration", "format": "seconds", "default": 0 }, "token": { "type": "string", "description": "Token to renew (unused, does not need to be set)" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/auth/token/revoke": { "description": "This endpoint will delete the given token and all of its child tokens.", "post": { "summary": "This endpoint will delete the given token and all of its child tokens.", "operationId": "postAuthTokenRevoke", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "token": { "type": "string", "description": "Token to revoke (request body)" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/auth/token/revoke-accessor": { "description": "This endpoint will delete the token associated with the accessor and all of its child tokens.", "post": { "summary": "This endpoint will delete the token associated with the accessor and all of its child tokens.", "operationId": "postAuthTokenRevokeAccessor", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "accessor": { "type": "string", "description": "Accessor of the token (request body)" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/auth/token/revoke-orphan": { "description": "This endpoint will delete the token and orphan its child tokens.", "post": { "summary": "This endpoint will delete the token and orphan its child tokens.", "operationId": "postAuthTokenRevokeOrphan", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "token": { "type": "string", "description": "Token to revoke (request body)" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/auth/token/revoke-self": { "description": "This endpoint will delete the token used to call it and all of its child tokens.", "post": { "summary": "This endpoint will delete the token used to call it and all of its child tokens.", "operationId": "postAuthTokenRevokeSelf", "tags": ["auth"], "responses": { "200": { "description": "OK" } } } }, "/auth/token/roles": { "description": "This endpoint lists configured roles.", "get": { "summary": "This endpoint lists configured roles.", "operationId": "getAuthTokenRoles", "tags": ["auth"], "parameters": [{ "name": "list", "description": "Return a list if `true`", "in": "query", "schema": { "type": "string" } }], "responses": { "200": { "description": "OK" } } } }, "/auth/token/roles/{role_name}": { "parameters": [{ "name": "role_name", "description": "Name of the role", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-createSupported": true, "get": { "operationId": "getAuthTokenRolesRole_name", "tags": ["auth"], "responses": { "200": { "description": "OK" } } }, "post": { "operationId": "postAuthTokenRolesRole_name", "tags": ["auth"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "allowed_entity_aliases": { "type": "array", "description": "String or JSON list of allowed entity aliases. If set, specifies the entity aliases which are allowed to be used during token generation. This field supports globbing.", "items": { "type": "string" } }, "allowed_policies": { "type": "array", "description": "If set, tokens can be created with any subset of the policies in this list, rather than the normal semantics of tokens being a subset of the calling token's policies. The parameter is a comma-delimited string of policy names.", "items": { "type": "string" } }, "bound_cidrs": { "type": "array", "description": "Use 'token_bound_cidrs' instead.", "items": { "type": "string" }, "deprecated": true }, "disallowed_policies": { "type": "array", "description": "If set, successful token creation via this role will require that no policies in the given list are requested. The parameter is a comma-delimited string of policy names.", "items": { "type": "string" } }, "explicit_max_ttl": { "type": "integer", "description": "Use 'token_explicit_max_ttl' instead.", "format": "seconds", "deprecated": true }, "orphan": { "type": "boolean", "description": "If true, tokens created via this role will be orphan tokens (have no parent)" }, "path_suffix": { "type": "string", "description": "If set, tokens created via this role will contain the given suffix as a part of their path. This can be used to assist use of the 'revoke-prefix' endpoint later on. The given suffix must match the regular expression.\\w[\\w-.]+\\w" }, "period": { "type": "integer", "description": "Use 'token_period' instead.", "format": "seconds", "deprecated": true }, "renewable": { "type": "boolean", "description": "Tokens created via this role will be renewable or not according to this value. Defaults to \"true\".", "default": true }, "token_bound_cidrs": { "type": "array", "description": "Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "Generated Token's Bound CIDRs", "group": "Tokens" } }, "token_explicit_max_ttl": { "type": "integer", "description": "If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.", "format": "seconds", "x-vault-displayAttrs": { "name": "Generated Token's Explicit Maximum TTL", "group": "Tokens" } }, "token_no_default_policy": { "type": "boolean", "description": "If true, the 'default' policy will not automatically be added to generated tokens", "x-vault-displayAttrs": { "name": "Do Not Attach 'default' Policy To Generated Tokens", "group": "Tokens" } }, "token_num_uses": { "type": "integer", "description": "The maximum number of times a token may be used, a value of zero means unlimited", "x-vault-displayAttrs": { "name": "Maximum Uses of Generated Tokens", "group": "Tokens" } }, "token_period": { "type": "integer", "description": "If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").", "format": "seconds", "x-vault-displayAttrs": { "name": "Generated Token's Period", "group": "Tokens" } }, "token_type": { "type": "string", "description": "The type of token to generate, service or batch", "default": "default-service", "x-vault-displayAttrs": { "name": "Generated Token's Type", "group": "Tokens" } } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "operationId": "deleteAuthTokenRolesRole_name", "tags": ["auth"], "responses": { "204": { "description": "empty body" } } } }, "/auth/token/tidy": { "description": "This endpoint performs cleanup tasks that can be run if certain error conditions have occurred.", "post": { "summary": "This endpoint performs cleanup tasks that can be run if certain error\nconditions have occurred.", "operationId": "postAuthTokenTidy", "tags": ["auth"], "responses": { "200": { "description": "OK" } } } }, "/cubbyhole/{path}": { "description": "Pass-through secret storage to a token-specific cubbyhole in the storage backend, allowing you to read/write arbitrary data into secret storage.", "parameters": [{ "name": "path", "description": "Specifies the path of the secret.", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-createSupported": true, "get": { "summary": "Retrieve the secret at the specified location.", "operationId": "getCubbyholePath", "tags": ["secrets"], "parameters": [{ "name": "list", "description": "Return a list if `true`", "in": "query", "schema": { "type": "string" } }], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Store a secret at the specified location.", "operationId": "postCubbyholePath", "tags": ["secrets"], "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Deletes the secret at the specified location.", "operationId": "deleteCubbyholePath", "tags": ["secrets"], "responses": { "204": { "description": "empty body" } } } }, "/identity/alias": { "description": "Create a new alias.", "post": { "summary": "Create a new alias.", "operationId": "postIdentityAlias", "tags": ["identity"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "canonical_id": { "type": "string", "description": "Entity ID to which this alias belongs to" }, "entity_id": { "type": "string", "description": "Entity ID to which this alias belongs to. This field is deprecated in favor of 'canonical_id'." }, "id": { "type": "string", "description": "ID of the alias" }, "mount_accessor": { "type": "string", "description": "Mount accessor to which this alias belongs to" }, "name": { "type": "string", "description": "Name of the alias" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/identity/alias/id": { "description": "List all the alias IDs.", "get": { "summary": "List all the alias IDs.", "operationId": "getIdentityAliasId", "tags": ["identity"], "parameters": [{ "name": "list", "description": "Return a list if `true`", "in": "query", "schema": { "type": "string" } }], "responses": { "200": { "description": "OK" } } } }, "/identity/alias/id/{id}": { "description": "Update, read or delete an alias ID.", "parameters": [{ "name": "id", "description": "ID of the alias", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "summary": "Update, read or delete an alias ID.", "operationId": "getIdentityAliasIdId", "tags": ["identity"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Update, read or delete an alias ID.", "operationId": "postIdentityAliasIdId", "tags": ["identity"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "canonical_id": { "type": "string", "description": "Entity ID to which this alias should be tied to" }, "entity_id": { "type": "string", "description": "Entity ID to which this alias should be tied to. This field is deprecated in favor of 'canonical_id'." }, "mount_accessor": { "type": "string", "description": "Mount accessor to which this alias belongs to" }, "name": { "type": "string", "description": "Name of the alias" } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Update, read or delete an alias ID.", "operationId": "deleteIdentityAliasIdId", "tags": ["identity"], "responses": { "204": { "description": "empty body" } } } }, "/identity/entity": { "description": "Create a new entity", "post": { "summary": "Create a new entity", "operationId": "postIdentityEntity", "tags": ["identity"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "disabled": { "type": "boolean", "description": "If set true, tokens tied to this identity will not be able to be used (but will not be revoked)." }, "id": { "type": "string", "description": "ID of the entity. If set, updates the corresponding existing entity." }, "metadata": { "type": "object", "description": "Metadata to be associated with the entity. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault \u003ccommand\u003e \u003cpath\u003e metadata=key1=value1 metadata=key2=value2", "format": "kvpairs" }, "name": { "type": "string", "description": "Name of the entity" }, "policies": { "type": "array", "description": "Policies to be tied to the entity.", "items": { "type": "string" } } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/identity/entity-alias": { "description": "Create a new alias.", "post": { "summary": "Create a new alias.", "operationId": "postIdentityEntityAlias", "tags": ["identity"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "canonical_id": { "type": "string", "description": "Entity ID to which this alias belongs" }, "entity_id": { "type": "string", "description": "Entity ID to which this alias belongs. This field is deprecated, use canonical_id." }, "id": { "type": "string", "description": "ID of the entity alias. If set, updates the corresponding entity alias." }, "mount_accessor": { "type": "string", "description": "Mount accessor to which this alias belongs to; unused for a modify" }, "name": { "type": "string", "description": "Name of the alias; unused for a modify" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/identity/entity-alias/id": { "description": "List all the alias IDs.", "get": { "summary": "List all the alias IDs.", "operationId": "getIdentityEntityAliasId", "tags": ["identity"], "parameters": [{ "name": "list", "description": "Return a list if `true`", "in": "query", "schema": { "type": "string" } }], "responses": { "200": { "description": "OK" } } } }, "/identity/entity-alias/id/{id}": { "description": "Update, read or delete an alias ID.", "parameters": [{ "name": "id", "description": "ID of the alias", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "summary": "Update, read or delete an alias ID.", "operationId": "getIdentityEntityAliasIdId", "tags": ["identity"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Update, read or delete an alias ID.", "operationId": "postIdentityEntityAliasIdId", "tags": ["identity"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "canonical_id": { "type": "string", "description": "Entity ID to which this alias should be tied to" }, "entity_id": { "type": "string", "description": "Entity ID to which this alias belongs to. This field is deprecated, use canonical_id." }, "mount_accessor": { "type": "string", "description": "(Unused)" }, "name": { "type": "string", "description": "(Unused)" } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Update, read or delete an alias ID.", "operationId": "deleteIdentityEntityAliasIdId", "tags": ["identity"], "responses": { "204": { "description": "empty body" } } } }, "/identity/entity/batch-delete": { "description": "Delete all of the entities provided", "post": { "summary": "Delete all of the entities provided", "operationId": "postIdentityEntityBatchDelete", "tags": ["identity"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "entity_ids": { "type": "array", "description": "Entity IDs to delete", "items": { "type": "string" } } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/identity/entity/id": { "description": "List all the entity IDs", "get": { "summary": "List all the entity IDs", "operationId": "getIdentityEntityId", "tags": ["identity"], "parameters": [{ "name": "list", "description": "Return a list if `true`", "in": "query", "schema": { "type": "string" } }], "responses": { "200": { "description": "OK" } } } }, "/identity/entity/id/{id}": { "description": "Update, read or delete an entity using entity ID", "parameters": [{ "name": "id", "description": "ID of the entity. If set, updates the corresponding existing entity.", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "summary": "Update, read or delete an entity using entity ID", "operationId": "getIdentityEntityIdId", "tags": ["identity"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Update, read or delete an entity using entity ID", "operationId": "postIdentityEntityIdId", "tags": ["identity"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "disabled": { "type": "boolean", "description": "If set true, tokens tied to this identity will not be able to be used (but will not be revoked)." }, "metadata": { "type": "object", "description": "Metadata to be associated with the entity. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault \u003ccommand\u003e \u003cpath\u003e metadata=key1=value1 metadata=key2=value2", "format": "kvpairs" }, "name": { "type": "string", "description": "Name of the entity" }, "policies": { "type": "array", "description": "Policies to be tied to the entity.", "items": { "type": "string" } } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Update, read or delete an entity using entity ID", "operationId": "deleteIdentityEntityIdId", "tags": ["identity"], "responses": { "204": { "description": "empty body" } } } }, "/identity/entity/merge": { "description": "Merge two or more entities together", "post": { "summary": "Merge two or more entities together", "operationId": "postIdentityEntityMerge", "tags": ["identity"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "force": { "type": "boolean", "description": "Setting this will follow the 'mine' strategy for merging MFA secrets. If there are secrets of the same type both in entities that are merged from and in entity into which all others are getting merged, secrets in the destination will be unaltered. If not set, this API will throw an error containing all the conflicts." }, "from_entity_ids": { "type": "array", "description": "Entity IDs which needs to get merged", "items": { "type": "string" } }, "to_entity_id": { "type": "string", "description": "Entity ID into which all the other entities need to get merged" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/identity/entity/name": { "description": "List all the entity names", "get": { "summary": "List all the entity names", "operationId": "getIdentityEntityName", "tags": ["identity"], "parameters": [{ "name": "list", "description": "Return a list if `true`", "in": "query", "schema": { "type": "string" } }], "responses": { "200": { "description": "OK" } } } }, "/identity/entity/name/{name}": { "description": "Update, read or delete an entity using entity name", "parameters": [{ "name": "name", "description": "Name of the entity", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "summary": "Update, read or delete an entity using entity name", "operationId": "getIdentityEntityNameName", "tags": ["identity"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Update, read or delete an entity using entity name", "operationId": "postIdentityEntityNameName", "tags": ["identity"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "disabled": { "type": "boolean", "description": "If set true, tokens tied to this identity will not be able to be used (but will not be revoked)." }, "id": { "type": "string", "description": "ID of the entity. If set, updates the corresponding existing entity." }, "metadata": { "type": "object", "description": "Metadata to be associated with the entity. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault \u003ccommand\u003e \u003cpath\u003e metadata=key1=value1 metadata=key2=value2", "format": "kvpairs" }, "policies": { "type": "array", "description": "Policies to be tied to the entity.", "items": { "type": "string" } } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Update, read or delete an entity using entity name", "operationId": "deleteIdentityEntityNameName", "tags": ["identity"], "responses": { "204": { "description": "empty body" } } } }, "/identity/group": { "description": "Create a new group.", "post": { "summary": "Create a new group.", "operationId": "postIdentityGroup", "tags": ["identity"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "id": { "type": "string", "description": "ID of the group. If set, updates the corresponding existing group." }, "member_entity_ids": { "type": "array", "description": "Entity IDs to be assigned as group members.", "items": { "type": "string" } }, "member_group_ids": { "type": "array", "description": "Group IDs to be assigned as group members.", "items": { "type": "string" } }, "metadata": { "type": "object", "description": "Metadata to be associated with the group. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault \u003ccommand\u003e \u003cpath\u003e metadata=key1=value1 metadata=key2=value2", "format": "kvpairs" }, "name": { "type": "string", "description": "Name of the group." }, "policies": { "type": "array", "description": "Policies to be tied to the group.", "items": { "type": "string" } }, "type": { "type": "string", "description": "Type of the group, 'internal' or 'external'. Defaults to 'internal'" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/identity/group-alias": { "description": "Creates a new group alias, or updates an existing one.", "post": { "summary": "Creates a new group alias, or updates an existing one.", "operationId": "postIdentityGroupAlias", "tags": ["identity"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "canonical_id": { "type": "string", "description": "ID of the group to which this is an alias." }, "id": { "type": "string", "description": "ID of the group alias." }, "mount_accessor": { "type": "string", "description": "Mount accessor to which this alias belongs to." }, "name": { "type": "string", "description": "Alias of the group." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/identity/group-alias/id": { "description": "List all the group alias IDs.", "get": { "summary": "List all the group alias IDs.", "operationId": "getIdentityGroupAliasId", "tags": ["identity"], "parameters": [{ "name": "list", "description": "Return a list if `true`", "in": "query", "schema": { "type": "string" } }], "responses": { "200": { "description": "OK" } } } }, "/identity/group-alias/id/{id}": { "parameters": [{ "name": "id", "description": "ID of the group alias.", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "operationId": "getIdentityGroupAliasIdId", "tags": ["identity"], "responses": { "200": { "description": "OK" } } }, "post": { "operationId": "postIdentityGroupAliasIdId", "tags": ["identity"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "canonical_id": { "type": "string", "description": "ID of the group to which this is an alias." }, "mount_accessor": { "type": "string", "description": "Mount accessor to which this alias belongs to." }, "name": { "type": "string", "description": "Alias of the group." } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "operationId": "deleteIdentityGroupAliasIdId", "tags": ["identity"], "responses": { "204": { "description": "empty body" } } } }, "/identity/group/id": { "description": "List all the group IDs.", "get": { "summary": "List all the group IDs.", "operationId": "getIdentityGroupId", "tags": ["identity"], "parameters": [{ "name": "list", "description": "Return a list if `true`", "in": "query", "schema": { "type": "string" } }], "responses": { "200": { "description": "OK" } } } }, "/identity/group/id/{id}": { "description": "Update or delete an existing group using its ID.", "parameters": [{ "name": "id", "description": "ID of the group. If set, updates the corresponding existing group.", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "summary": "Update or delete an existing group using its ID.", "operationId": "getIdentityGroupIdId", "tags": ["identity"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Update or delete an existing group using its ID.", "operationId": "postIdentityGroupIdId", "tags": ["identity"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "member_entity_ids": { "type": "array", "description": "Entity IDs to be assigned as group members.", "items": { "type": "string" } }, "member_group_ids": { "type": "array", "description": "Group IDs to be assigned as group members.", "items": { "type": "string" } }, "metadata": { "type": "object", "description": "Metadata to be associated with the group. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault \u003ccommand\u003e \u003cpath\u003e metadata=key1=value1 metadata=key2=value2", "format": "kvpairs" }, "name": { "type": "string", "description": "Name of the group." }, "policies": { "type": "array", "description": "Policies to be tied to the group.", "items": { "type": "string" } }, "type": { "type": "string", "description": "Type of the group, 'internal' or 'external'. Defaults to 'internal'" } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Update or delete an existing group using its ID.", "operationId": "deleteIdentityGroupIdId", "tags": ["identity"], "responses": { "204": { "description": "empty body" } } } }, "/identity/group/name": { "get": { "operationId": "getIdentityGroupName", "tags": ["identity"], "parameters": [{ "name": "list", "description": "Return a list if `true`", "in": "query", "schema": { "type": "string" } }], "responses": { "200": { "description": "OK" } } } }, "/identity/group/name/{name}": { "parameters": [{ "name": "name", "description": "Name of the group.", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "operationId": "getIdentityGroupNameName", "tags": ["identity"], "responses": { "200": { "description": "OK" } } }, "post": { "operationId": "postIdentityGroupNameName", "tags": ["identity"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "id": { "type": "string", "description": "ID of the group. If set, updates the corresponding existing group." }, "member_entity_ids": { "type": "array", "description": "Entity IDs to be assigned as group members.", "items": { "type": "string" } }, "member_group_ids": { "type": "array", "description": "Group IDs to be assigned as group members.", "items": { "type": "string" } }, "metadata": { "type": "object", "description": "Metadata to be associated with the group. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault \u003ccommand\u003e \u003cpath\u003e metadata=key1=value1 metadata=key2=value2", "format": "kvpairs" }, "policies": { "type": "array", "description": "Policies to be tied to the group.", "items": { "type": "string" } }, "type": { "type": "string", "description": "Type of the group, 'internal' or 'external'. Defaults to 'internal'" } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "operationId": "deleteIdentityGroupNameName", "tags": ["identity"], "responses": { "204": { "description": "empty body" } } } }, "/identity/lookup/entity": { "description": "Query entities based on various properties.", "post": { "summary": "Query entities based on various properties.", "operationId": "postIdentityLookupEntity", "tags": ["identity"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "alias_id": { "type": "string", "description": "ID of the alias." }, "alias_mount_accessor": { "type": "string", "description": "Accessor of the mount to which the alias belongs to. This should be supplied in conjunction with 'alias_name'." }, "alias_name": { "type": "string", "description": "Name of the alias. This should be supplied in conjunction with 'alias_mount_accessor'." }, "id": { "type": "string", "description": "ID of the entity." }, "name": { "type": "string", "description": "Name of the entity." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/identity/lookup/group": { "description": "Query groups based on various properties.", "post": { "summary": "Query groups based on various properties.", "operationId": "postIdentityLookupGroup", "tags": ["identity"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "alias_id": { "type": "string", "description": "ID of the alias." }, "alias_mount_accessor": { "type": "string", "description": "Accessor of the mount to which the alias belongs to. This should be supplied in conjunction with 'alias_name'." }, "alias_name": { "type": "string", "description": "Name of the alias. This should be supplied in conjunction with 'alias_mount_accessor'." }, "id": { "type": "string", "description": "ID of the group." }, "name": { "type": "string", "description": "Name of the group." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/identity/oidc/.well-known/keys": { "description": "Retrieve public keys", "x-vault-unauthenticated": true, "get": { "summary": "Retrieve public keys", "operationId": "getIdentityOidcWellKnownKeys", "tags": ["identity"], "responses": { "200": { "description": "OK" } } } }, "/identity/oidc/.well-known/openid-configuration": { "description": "Query OIDC configurations", "x-vault-unauthenticated": true, "get": { "summary": "Query OIDC configurations", "operationId": "getIdentityOidcWellKnownOpenidConfiguration", "tags": ["identity"], "responses": { "200": { "description": "OK" } } } }, "/identity/oidc/config": { "description": "OIDC configuration", "get": { "summary": "OIDC configuration", "operationId": "getIdentityOidcConfig", "tags": ["identity"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "OIDC configuration", "operationId": "postIdentityOidcConfig", "tags": ["identity"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "issuer": { "type": "string", "description": "Issuer URL to be used in the iss claim of the token. If not set, Vault's app_addr will be used." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/identity/oidc/introspect": { "description": "Verify the authenticity of an OIDC token", "post": { "summary": "Verify the authenticity of an OIDC token", "operationId": "postIdentityOidcIntrospect", "tags": ["identity"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "client_id": { "type": "string", "description": "Optional client_id to verify" }, "token": { "type": "string", "description": "Token to verify" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/identity/oidc/key": { "description": "List OIDC keys", "get": { "summary": "List OIDC keys", "operationId": "getIdentityOidcKey", "tags": ["identity"], "parameters": [{ "name": "list", "description": "Return a list if `true`", "in": "query", "schema": { "type": "string" } }], "responses": { "200": { "description": "OK" } } } }, "/identity/oidc/key/{name}": { "description": "CRUD operations for OIDC keys.", "parameters": [{ "name": "name", "description": "Name of the key", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-createSupported": true, "get": { "summary": "CRUD operations for OIDC keys.", "operationId": "getIdentityOidcKeyName", "tags": ["identity"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "CRUD operations for OIDC keys.", "operationId": "postIdentityOidcKeyName", "tags": ["identity"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "algorithm": { "type": "string", "description": "Signing algorithm to use. This will default to RS256.", "default": "RS256" }, "allowed_client_ids": { "type": "array", "description": "Comma separated string or array of role client ids allowed to use this key for signing. If empty no roles are allowed. If \"*\" all roles are allowed.", "items": { "type": "string" } }, "rotation_period": { "type": "integer", "description": "How often to generate a new keypair.", "format": "seconds", "default": "24h" }, "verification_ttl": { "type": "integer", "description": "Controls how long the public portion of a key will be available for verification after being rotated.", "format": "seconds", "default": "24h" } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "CRUD operations for OIDC keys.", "operationId": "deleteIdentityOidcKeyName", "tags": ["identity"], "responses": { "204": { "description": "empty body" } } } }, "/identity/oidc/key/{name}/rotate": { "description": "Rotate a named OIDC key.", "parameters": [{ "name": "name", "description": "Name of the key", "in": "path", "schema": { "type": "string" }, "required": true }], "post": { "summary": "Rotate a named OIDC key.", "operationId": "postIdentityOidcKeyNameRotate", "tags": ["identity"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "verification_ttl": { "type": "integer", "description": "Controls how long the public portion of a key will be available for verification after being rotated. Setting verification_ttl here will override the verification_ttl set on the key.", "format": "seconds" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/identity/oidc/role": { "description": "List configured OIDC roles", "get": { "summary": "List configured OIDC roles", "operationId": "getIdentityOidcRole", "tags": ["identity"], "parameters": [{ "name": "list", "description": "Return a list if `true`", "in": "query", "schema": { "type": "string" } }], "responses": { "200": { "description": "OK" } } } }, "/identity/oidc/role/{name}": { "description": "CRUD operations on OIDC Roles", "parameters": [{ "name": "name", "description": "Name of the role", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-createSupported": true, "get": { "summary": "CRUD operations on OIDC Roles", "operationId": "getIdentityOidcRoleName", "tags": ["identity"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "CRUD operations on OIDC Roles", "operationId": "postIdentityOidcRoleName", "tags": ["identity"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "client_id": { "type": "string", "description": "Optional client_id" }, "key": { "type": "string", "description": "The OIDC key to use for generating tokens. The specified key must already exist." }, "template": { "type": "string", "description": "The template string to use for generating tokens. This may be in string-ified JSON or base64 format." }, "ttl": { "type": "integer", "description": "TTL of the tokens generated against the role.", "format": "seconds", "default": "24h" } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "CRUD operations on OIDC Roles", "operationId": "deleteIdentityOidcRoleName", "tags": ["identity"], "responses": { "204": { "description": "empty body" } } } }, "/identity/oidc/token/{name}": { "description": "Generate an OIDC token", "parameters": [{ "name": "name", "description": "Name of the role", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "summary": "Generate an OIDC token", "operationId": "getIdentityOidcTokenName", "tags": ["identity"], "responses": { "200": { "description": "OK" } } } }, "/identity/persona": { "description": "Create a new alias.", "post": { "summary": "Create a new alias.", "operationId": "postIdentityPersona", "tags": ["identity"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "entity_id": { "type": "string", "description": "Entity ID to which this persona belongs to" }, "id": { "type": "string", "description": "ID of the persona" }, "metadata": { "type": "object", "description": "Metadata to be associated with the persona. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault \u003ccommand\u003e \u003cpath\u003e metadata=key1=value1 metadata=key2=value2", "format": "kvpairs" }, "mount_accessor": { "type": "string", "description": "Mount accessor to which this persona belongs to" }, "name": { "type": "string", "description": "Name of the persona" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/identity/persona/id": { "description": "List all the alias IDs.", "get": { "summary": "List all the alias IDs.", "operationId": "getIdentityPersonaId", "tags": ["identity"], "parameters": [{ "name": "list", "description": "Return a list if `true`", "in": "query", "schema": { "type": "string" } }], "responses": { "200": { "description": "OK" } } } }, "/identity/persona/id/{id}": { "description": "Update, read or delete an alias ID.", "parameters": [{ "name": "id", "description": "ID of the persona", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "summary": "Update, read or delete an alias ID.", "operationId": "getIdentityPersonaIdId", "tags": ["identity"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Update, read or delete an alias ID.", "operationId": "postIdentityPersonaIdId", "tags": ["identity"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "entity_id": { "type": "string", "description": "Entity ID to which this persona should be tied to" }, "metadata": { "type": "object", "description": "Metadata to be associated with the persona. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault \u003ccommand\u003e \u003cpath\u003e metadata=key1=value1 metadata=key2=value2", "format": "kvpairs" }, "mount_accessor": { "type": "string", "description": "Mount accessor to which this persona belongs to" }, "name": { "type": "string", "description": "Name of the persona" } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Update, read or delete an alias ID.", "operationId": "deleteIdentityPersonaIdId", "tags": ["identity"], "responses": { "204": { "description": "empty body" } } } }, "/jedi-users/.*": {}, "/jedi-users/config": { "description": "Configures settings for the KV store", "x-vault-createSupported": true, "get": { "summary": "Read the backend level settings.", "operationId": "getJediUsersConfig", "tags": ["secrets"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Configure backend level settings that are applied to every key in the key-value store.", "operationId": "postJediUsersConfig", "tags": ["secrets"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "cas_required": { "type": "boolean", "description": "If true, the backend will require the cas parameter to be set for each write" }, "delete_version_after": { "type": "integer", "description": "If set, the length of time before a version is deleted. A negative duration disables the use of delete_version_after on all keys. A zero duration clears the current setting. Accepts a Go duration format string.", "format": "seconds" }, "max_versions": { "type": "integer", "description": "The number of versions to keep for each key. Defaults to 10" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/jedi-users/data/{path}": { "description": "Write, Read, and Delete data in the Key-Value Store.", "parameters": [{ "name": "path", "description": "Location of the secret.", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-createSupported": true, "get": { "summary": "Write, Read, and Delete data in the Key-Value Store.", "operationId": "getJediUsersDataPath", "tags": ["secrets"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Write, Read, and Delete data in the Key-Value Store.", "operationId": "postJediUsersDataPath", "tags": ["secrets"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "data": { "type": "object", "description": "The contents of the data map will be stored and returned on read.", "format": "map" }, "options": { "type": "object", "description": "Options for writing a KV entry. Set the \"cas\" value to use a Check-And-Set operation. If not set the write will be allowed. If set to 0 a write will only be allowed if the key doesn’t exist. If the index is non-zero the write will only be allowed if the key’s current version matches the version specified in the cas parameter.", "format": "map" }, "version": { "type": "integer", "description": "If provided during a read, the value at the version number will be returned" } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Write, Read, and Delete data in the Key-Value Store.", "operationId": "deleteJediUsersDataPath", "tags": ["secrets"], "responses": { "204": { "description": "empty body" } } } }, "/jedi-users/delete/{path}": { "description": "Marks one or more versions as deleted in the KV store.", "parameters": [{ "name": "path", "description": "Location of the secret.", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-createSupported": true, "post": { "summary": "Marks one or more versions as deleted in the KV store.", "operationId": "postJediUsersDeletePath", "tags": ["secrets"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "versions": { "type": "array", "description": "The versions to be archived. The versioned data will not be deleted, but it will no longer be returned in normal get requests.", "items": { "type": "integer" } } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/jedi-users/destroy/{path}": { "description": "Permanently removes one or more versions in the KV store", "parameters": [{ "name": "path", "description": "Location of the secret.", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-createSupported": true, "post": { "summary": "Permanently removes one or more versions in the KV store", "operationId": "postJediUsersDestroyPath", "tags": ["secrets"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "versions": { "type": "array", "description": "The versions to destroy. Their data will be permanently deleted.", "items": { "type": "integer" } } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/jedi-users/metadata/{path}": { "description": "Configures settings for the KV store", "parameters": [{ "name": "path", "description": "Location of the secret.", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-createSupported": true, "get": { "summary": "Configures settings for the KV store", "operationId": "getJediUsersMetadataPath", "tags": ["secrets"], "parameters": [{ "name": "list", "description": "Return a list if `true`", "in": "query", "schema": { "type": "string" } }], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Configures settings for the KV store", "operationId": "postJediUsersMetadataPath", "tags": ["secrets"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "cas_required": { "type": "boolean", "description": "If true the key will require the cas parameter to be set on all write requests. If false, the backend’s configuration will be used." }, "delete_version_after": { "type": "integer", "description": "The length of time before a version is deleted. If not set, the backend's configured delete_version_after is used. Cannot be greater than the backend's delete_version_after. A zero duration clears the current setting. A negative duration will cause an error.", "format": "seconds" }, "max_versions": { "type": "integer", "description": "The number of versions to keep. If not set, the backend’s configured max version is used." } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Configures settings for the KV store", "operationId": "deleteJediUsersMetadataPath", "tags": ["secrets"], "responses": { "204": { "description": "empty body" } } } }, "/jedi-users/undelete/{path}": { "description": "Undeletes one or more versions from the KV store.", "parameters": [{ "name": "path", "description": "Location of the secret.", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-createSupported": true, "post": { "summary": "Undeletes one or more versions from the KV store.", "operationId": "postJediUsersUndeletePath", "tags": ["secrets"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "versions": { "type": "array", "description": "The versions to unarchive. The versions will be restored and their data will be returned on normal get requests.", "items": { "type": "integer" } } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/kv/.*": {}, "/kv/config": { "description": "Configures settings for the KV store", "x-vault-createSupported": true, "get": { "summary": "Read the backend level settings.", "operationId": "getKvConfig", "tags": ["secrets"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Configure backend level settings that are applied to every key in the key-value store.", "operationId": "postKvConfig", "tags": ["secrets"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "cas_required": { "type": "boolean", "description": "If true, the backend will require the cas parameter to be set for each write" }, "delete_version_after": { "type": "integer", "description": "If set, the length of time before a version is deleted. A negative duration disables the use of delete_version_after on all keys. A zero duration clears the current setting. Accepts a Go duration format string.", "format": "seconds" }, "max_versions": { "type": "integer", "description": "The number of versions to keep for each key. Defaults to 10" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/kv/data/{path}": { "description": "Write, Read, and Delete data in the Key-Value Store.", "parameters": [{ "name": "path", "description": "Location of the secret.", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-createSupported": true, "get": { "summary": "Write, Read, and Delete data in the Key-Value Store.", "operationId": "getKvDataPath", "tags": ["secrets"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Write, Read, and Delete data in the Key-Value Store.", "operationId": "postKvDataPath", "tags": ["secrets"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "data": { "type": "object", "description": "The contents of the data map will be stored and returned on read.", "format": "map" }, "options": { "type": "object", "description": "Options for writing a KV entry. Set the \"cas\" value to use a Check-And-Set operation. If not set the write will be allowed. If set to 0 a write will only be allowed if the key doesn’t exist. If the index is non-zero the write will only be allowed if the key’s current version matches the version specified in the cas parameter.", "format": "map" }, "version": { "type": "integer", "description": "If provided during a read, the value at the version number will be returned" } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Write, Read, and Delete data in the Key-Value Store.", "operationId": "deleteKvDataPath", "tags": ["secrets"], "responses": { "204": { "description": "empty body" } } } }, "/kv/delete/{path}": { "description": "Marks one or more versions as deleted in the KV store.", "parameters": [{ "name": "path", "description": "Location of the secret.", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-createSupported": true, "post": { "summary": "Marks one or more versions as deleted in the KV store.", "operationId": "postKvDeletePath", "tags": ["secrets"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "versions": { "type": "array", "description": "The versions to be archived. The versioned data will not be deleted, but it will no longer be returned in normal get requests.", "items": { "type": "integer" } } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/kv/destroy/{path}": { "description": "Permanently removes one or more versions in the KV store", "parameters": [{ "name": "path", "description": "Location of the secret.", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-createSupported": true, "post": { "summary": "Permanently removes one or more versions in the KV store", "operationId": "postKvDestroyPath", "tags": ["secrets"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "versions": { "type": "array", "description": "The versions to destroy. Their data will be permanently deleted.", "items": { "type": "integer" } } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/kv/metadata/{path}": { "description": "Configures settings for the KV store", "parameters": [{ "name": "path", "description": "Location of the secret.", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-createSupported": true, "get": { "summary": "Configures settings for the KV store", "operationId": "getKvMetadataPath", "tags": ["secrets"], "parameters": [{ "name": "list", "description": "Return a list if `true`", "in": "query", "schema": { "type": "string" } }], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Configures settings for the KV store", "operationId": "postKvMetadataPath", "tags": ["secrets"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "cas_required": { "type": "boolean", "description": "If true the key will require the cas parameter to be set on all write requests. If false, the backend’s configuration will be used." }, "delete_version_after": { "type": "integer", "description": "The length of time before a version is deleted. If not set, the backend's configured delete_version_after is used. Cannot be greater than the backend's delete_version_after. A zero duration clears the current setting. A negative duration will cause an error.", "format": "seconds" }, "max_versions": { "type": "integer", "description": "The number of versions to keep. If not set, the backend’s configured max version is used." } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Configures settings for the KV store", "operationId": "deleteKvMetadataPath", "tags": ["secrets"], "responses": { "204": { "description": "empty body" } } } }, "/kv/undelete/{path}": { "description": "Undeletes one or more versions from the KV store.", "parameters": [{ "name": "path", "description": "Location of the secret.", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-createSupported": true, "post": { "summary": "Undeletes one or more versions from the KV store.", "operationId": "postKvUndeletePath", "tags": ["secrets"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "versions": { "type": "array", "description": "The versions to unarchive. The versions will be restored and their data will be returned on normal get requests.", "items": { "type": "integer" } } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/pki/ca": { "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", "x-vault-unauthenticated": true, "get": { "summary": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", "operationId": "getPkiCa", "tags": ["secrets"], "responses": { "200": { "description": "OK" } } } }, "/pki/ca/pem": { "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", "x-vault-unauthenticated": true, "get": { "summary": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", "operationId": "getPkiCaPem", "tags": ["secrets"], "responses": { "200": { "description": "OK" } } } }, "/pki/ca_chain": { "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", "x-vault-unauthenticated": true, "get": { "summary": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", "operationId": "getPkiCa_chain", "tags": ["secrets"], "responses": { "200": { "description": "OK" } } } }, "/pki/cert/ca_chain": { "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", "x-vault-unauthenticated": true, "get": { "summary": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", "operationId": "getPkiCertCa_chain", "tags": ["secrets"], "responses": { "200": { "description": "OK" } } } }, "/pki/cert/crl": { "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", "x-vault-unauthenticated": true, "get": { "summary": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", "operationId": "getPkiCertCrl", "tags": ["secrets"], "responses": { "200": { "description": "OK" } } } }, "/pki/cert/{serial}": { "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", "parameters": [{ "name": "serial", "description": "Certificate serial number, in colon- or hyphen-separated octal", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-unauthenticated": true, "get": { "summary": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", "operationId": "getPkiCertSerial", "tags": ["secrets"], "responses": { "200": { "description": "OK" } } } }, "/pki/certs": { "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", "get": { "summary": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", "operationId": "getPkiCerts", "tags": ["secrets"], "parameters": [{ "name": "list", "description": "Return a list if `true`", "in": "query", "schema": { "type": "string" } }], "responses": { "200": { "description": "OK" } } } }, "/pki/config/ca": { "description": "Set the CA certificate and private key used for generated credentials.", "post": { "summary": "Set the CA certificate and private key used for generated credentials.", "operationId": "postPkiConfigCa", "tags": ["secrets"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "pem_bundle": { "type": "string", "description": "PEM-format, concatenated unencrypted secret key and certificate." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/pki/config/crl": { "description": "Configure the CRL expiration.", "get": { "summary": "Configure the CRL expiration.", "operationId": "getPkiConfigCrl", "tags": ["secrets"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Configure the CRL expiration.", "operationId": "postPkiConfigCrl", "tags": ["secrets"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "disable": { "type": "boolean", "description": "If set to true, disables generating the CRL entirely." }, "expiry": { "type": "string", "description": "The amount of time the generated CRL should be valid; defaults to 72 hours", "default": "72h" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/pki/config/urls": { "description": "Set the URLs for the issuing CA, CRL distribution points, and OCSP servers.", "get": { "summary": "Set the URLs for the issuing CA, CRL distribution points, and OCSP servers.", "operationId": "getPkiConfigUrls", "tags": ["secrets"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Set the URLs for the issuing CA, CRL distribution points, and OCSP servers.", "operationId": "postPkiConfigUrls", "tags": ["secrets"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "crl_distribution_points": { "type": "array", "description": "Comma-separated list of URLs to be used for the CRL distribution points attribute", "items": { "type": "string" } }, "issuing_certificates": { "type": "array", "description": "Comma-separated list of URLs to be used for the issuing certificate attribute", "items": { "type": "string" } }, "ocsp_servers": { "type": "array", "description": "Comma-separated list of URLs to be used for the OCSP servers attribute", "items": { "type": "string" } } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/pki/crl": { "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", "x-vault-unauthenticated": true, "get": { "summary": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", "operationId": "getPkiCrl", "tags": ["secrets"], "responses": { "200": { "description": "OK" } } } }, "/pki/crl/pem": { "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", "x-vault-unauthenticated": true, "get": { "summary": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", "operationId": "getPkiCrlPem", "tags": ["secrets"], "responses": { "200": { "description": "OK" } } } }, "/pki/crl/rotate": { "description": "Force a rebuild of the CRL.", "get": { "summary": "Force a rebuild of the CRL.", "operationId": "getPkiCrlRotate", "tags": ["secrets"], "responses": { "200": { "description": "OK" } } } }, "/pki/intermediate/generate/{exported}": { "description": "Generate a new CSR and private key used for signing.", "parameters": [{ "name": "exported", "description": "Must be \"internal\" or \"exported\". If set to \"exported\", the generated private key will be returned. This is your *only* chance to retrieve the private key!", "in": "path", "schema": { "type": "string" }, "required": true }], "post": { "summary": "Generate a new CSR and private key used for signing.", "operationId": "postPkiIntermediateGenerateExported", "tags": ["secrets"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "add_basic_constraints": { "type": "boolean", "description": "Whether to add a Basic Constraints extension with CA: true. Only needed as a workaround in some compatibility scenarios with Active Directory Certificate Services." }, "alt_names": { "type": "string", "description": "The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses.", "x-vault-displayAttrs": { "name": "DNS/Email Subject Alternative Names (SANs)" } }, "common_name": { "type": "string", "description": "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans." }, "country": { "type": "array", "description": "If set, Country will be set to this value.", "items": { "type": "string" } }, "exclude_cn_from_sans": { "type": "boolean", "description": "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).", "default": false, "x-vault-displayAttrs": { "name": "Exclude Common Name from Subject Alternative Names (SANs)" } }, "format": { "type": "string", "description": "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".", "enum": ["pem", "der", "pem_bundle"], "default": "pem", "x-vault-displayAttrs": { "value": "pem" } }, "ip_sans": { "type": "array", "description": "The requested IP SANs, if any, in a comma-delimited list", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "IP Subject Alternative Names (SANs)" } }, "key_bits": { "type": "integer", "description": "The number of bits to use. You will almost certainly want to change this if you adjust the key_type.", "default": 2048, "x-vault-displayAttrs": { "value": 2048 } }, "key_type": { "type": "string", "description": "The type of key to use; defaults to RSA. \"rsa\" and \"ec\" are the only valid values.", "enum": ["rsa", "ec"], "default": "rsa", "x-vault-displayAttrs": { "value": "rsa" } }, "locality": { "type": "array", "description": "If set, Locality will be set to this value.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "Locality/City" } }, "organization": { "type": "array", "description": "If set, O (Organization) will be set to this value.", "items": { "type": "string" } }, "other_sans": { "type": "array", "description": "Requested other SANs, in an array with the format \u003coid\u003e;UTF8:\u003cutf8 string value\u003e for each entry.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "Other SANs" } }, "ou": { "type": "array", "description": "If set, OU (OrganizationalUnit) will be set to this value.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "OU (Organizational Unit)" } }, "postal_code": { "type": "array", "description": "If set, Postal Code will be set to this value.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "Postal Code" } }, "private_key_format": { "type": "string", "description": "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".", "enum": ["", "der", "pem", "pkcs8"], "default": "der", "x-vault-displayAttrs": { "value": "der" } }, "province": { "type": "array", "description": "If set, Province will be set to this value.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "Province/State" } }, "serial_number": { "type": "string", "description": "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5." }, "street_address": { "type": "array", "description": "If set, Street Address will be set to this value.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "Street Address" } }, "ttl": { "type": "integer", "description": "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.", "format": "seconds", "x-vault-displayAttrs": { "name": "TTL" } }, "uri_sans": { "type": "array", "description": "The requested URI SANs, if any, in a comma-delimited list.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "URI Subject Alternative Names (SANs)" } } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/pki/intermediate/set-signed": { "description": "Provide the signed intermediate CA cert.", "post": { "summary": "Provide the signed intermediate CA cert.", "operationId": "postPkiIntermediateSetSigned", "tags": ["secrets"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "certificate": { "type": "string", "description": "PEM-format certificate. This must be a CA certificate with a public key matching the previously-generated key from the generation endpoint." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/pki/issue/{role}": { "description": "Request a certificate using a certain role with the provided details.", "parameters": [{ "name": "role", "description": "The desired role with configuration for this request", "in": "path", "schema": { "type": "string" }, "required": true }], "post": { "summary": "Request a certificate using a certain role with the provided details.", "operationId": "postPkiIssueRole", "tags": ["secrets"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "alt_names": { "type": "string", "description": "The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.", "x-vault-displayAttrs": { "name": "DNS/Email Subject Alternative Names (SANs)" } }, "common_name": { "type": "string", "description": "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address." }, "exclude_cn_from_sans": { "type": "boolean", "description": "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).", "default": false, "x-vault-displayAttrs": { "name": "Exclude Common Name from Subject Alternative Names (SANs)" } }, "format": { "type": "string", "description": "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".", "enum": ["pem", "der", "pem_bundle"], "default": "pem", "x-vault-displayAttrs": { "value": "pem" } }, "ip_sans": { "type": "array", "description": "The requested IP SANs, if any, in a comma-delimited list", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "IP Subject Alternative Names (SANs)" } }, "other_sans": { "type": "array", "description": "Requested other SANs, in an array with the format \u003coid\u003e;UTF8:\u003cutf8 string value\u003e for each entry.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "Other SANs" } }, "private_key_format": { "type": "string", "description": "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".", "enum": ["", "der", "pem", "pkcs8"], "default": "der", "x-vault-displayAttrs": { "value": "der" } }, "serial_number": { "type": "string", "description": "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5." }, "ttl": { "type": "integer", "description": "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL.", "format": "seconds", "x-vault-displayAttrs": { "name": "TTL" } }, "uri_sans": { "type": "array", "description": "The requested URI SANs, if any, in a comma-delimited list.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "URI Subject Alternative Names (SANs)" } } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/pki/revoke": { "description": "Revoke a certificate by serial number.", "post": { "summary": "Revoke a certificate by serial number.", "operationId": "postPkiRevoke", "tags": ["secrets"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "serial_number": { "type": "string", "description": "Certificate serial number, in colon- or hyphen-separated octal" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/pki/roles": { "description": "List the existing roles in this backend", "get": { "summary": "List the existing roles in this backend", "operationId": "getPkiRoles", "tags": ["secrets"], "parameters": [{ "name": "list", "description": "Return a list if `true`", "in": "query", "schema": { "type": "string" } }], "responses": { "200": { "description": "OK" } } } }, "/pki/roles/{name}": { "description": "Manage the roles that can be created with this backend.", "parameters": [{ "name": "name", "description": "Name of the role", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "summary": "Manage the roles that can be created with this backend.", "operationId": "getPkiRolesName", "tags": ["secrets"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Manage the roles that can be created with this backend.", "operationId": "postPkiRolesName", "tags": ["secrets"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "allow_any_name": { "type": "boolean", "description": "If set, clients can request certificates for any CN they like. See the documentation for more information." }, "allow_bare_domains": { "type": "boolean", "description": "If set, clients can request certificates for the base domains themselves, e.g. \"example.com\". This is a separate option as in some cases this can be considered a security threat." }, "allow_glob_domains": { "type": "boolean", "description": "If set, domains specified in \"allowed_domains\" can include glob patterns, e.g. \"ftp*.example.com\". See the documentation for more information." }, "allow_ip_sans": { "type": "boolean", "description": "If set, IP Subject Alternative Names are allowed. Any valid IP is accepted.", "default": true, "x-vault-displayAttrs": { "name": "Allow IP Subject Alternative Names", "value": true } }, "allow_localhost": { "type": "boolean", "description": "Whether to allow \"localhost\" as a valid common name in a request", "default": true, "x-vault-displayAttrs": { "value": true } }, "allow_subdomains": { "type": "boolean", "description": "If set, clients can request certificates for subdomains of the CNs allowed by the other role options, including wildcard subdomains. See the documentation for more information." }, "allowed_domains": { "type": "array", "description": "If set, clients can request certificates for subdomains directly beneath these domains, including the wildcard subdomains. See the documentation for more information. This parameter accepts a comma-separated string or list of domains.", "items": { "type": "string" } }, "allowed_domains_template": { "type": "boolean", "description": "If set, Allowed domains can be specified using identity template policies. Non-templated domains are also permitted.", "default": false }, "allowed_other_sans": { "type": "array", "description": "If set, an array of allowed other names to put in SANs. These values support globbing and must be in the format \u003coid\u003e;\u003ctype\u003e:\u003cvalue\u003e. Currently only \"utf8\" is a valid type. All values, including globbing values, must use this syntax, with the exception being a single \"*\" which allows any OID and any value (but type must still be utf8).", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "Allowed Other Subject Alternative Names" } }, "allowed_serial_numbers": { "type": "array", "description": "If set, an array of allowed serial numbers to put in Subject. These values support globbing.", "items": { "type": "string" } }, "allowed_uri_sans": { "type": "array", "description": "If set, an array of allowed URIs to put in the URI Subject Alternative Names. Any valid URI is accepted, these values support globbing.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "Allowed URI Subject Alternative Names" } }, "backend": { "type": "string", "description": "Backend Type" }, "basic_constraints_valid_for_non_ca": { "type": "boolean", "description": "Mark Basic Constraints valid when issuing non-CA certificates.", "x-vault-displayAttrs": { "name": "Basic Constraints Valid for Non-CA" } }, "client_flag": { "type": "boolean", "description": "If set, certificates are flagged for client auth use. Defaults to true.", "default": true, "x-vault-displayAttrs": { "value": true } }, "code_signing_flag": { "type": "boolean", "description": "If set, certificates are flagged for code signing use. Defaults to false." }, "country": { "type": "array", "description": "If set, Country will be set to this value in certificates issued by this role.", "items": { "type": "string" } }, "email_protection_flag": { "type": "boolean", "description": "If set, certificates are flagged for email protection use. Defaults to false." }, "enforce_hostnames": { "type": "boolean", "description": "If set, only valid host names are allowed for CN and SANs. Defaults to true.", "default": true, "x-vault-displayAttrs": { "value": true } }, "ext_key_usage": { "type": "array", "description": "A comma-separated string or list of extended key usages. Valid values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage -- simply drop the \"ExtKeyUsage\" part of the name. To remove all key usages from being set, set this value to an empty list.", "items": { "type": "string" }, "default": [], "x-vault-displayAttrs": { "name": "Extended Key Usage" } }, "ext_key_usage_oids": { "type": "array", "description": "A comma-separated string or list of extended key usage oids.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "Extended Key Usage OIDs" } }, "generate_lease": { "type": "boolean", "description": "If set, certificates issued/signed against this role will have Vault leases attached to them. Defaults to \"false\". Certificates can be added to the CRL by \"vault revoke \u003clease_id\u003e\" when certificates are associated with leases. It can also be done using the \"pki/revoke\" endpoint. However, when lease generation is disabled, invoking \"pki/revoke\" would be the only way to add the certificates to the CRL. When large number of certificates are generated with long lifetimes, it is recommended that lease generation be disabled, as large amount of leases adversely affect the startup time of Vault." }, "key_bits": { "type": "integer", "description": "The number of bits to use. You will almost certainly want to change this if you adjust the key_type.", "default": 2048 }, "key_type": { "type": "string", "description": "The type of key to use; defaults to RSA. \"rsa\" and \"ec\" are the only valid values.", "enum": ["rsa", "ec"], "default": "rsa" }, "key_usage": { "type": "array", "description": "A comma-separated string or list of key usages (not extended key usages). Valid values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage -- simply drop the \"KeyUsage\" part of the name. To remove all key usages from being set, set this value to an empty list.", "items": { "type": "string" }, "default": ["DigitalSignature", "KeyAgreement", "KeyEncipherment"], "x-vault-displayAttrs": { "value": "DigitalSignature,KeyAgreement,KeyEncipherment" } }, "locality": { "type": "array", "description": "If set, Locality will be set to this value in certificates issued by this role.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "Locality/City" } }, "max_ttl": { "type": "integer", "description": "The maximum allowed lease duration", "format": "seconds", "x-vault-displayAttrs": { "name": "Max TTL" } }, "no_store": { "type": "boolean", "description": "If set, certificates issued/signed against this role will not be stored in the storage backend. This can improve performance when issuing large numbers of certificates. However, certificates issued in this way cannot be enumerated or revoked, so this option is recommended only for certificates that are non-sensitive, or extremely short-lived. This option implies a value of \"false\" for \"generate_lease\"." }, "not_before_duration": { "type": "integer", "description": "The duration before now the cert needs to be created / signed.", "format": "seconds", "default": 30, "x-vault-displayAttrs": { "value": 30 } }, "organization": { "type": "array", "description": "If set, O (Organization) will be set to this value in certificates issued by this role.", "items": { "type": "string" } }, "ou": { "type": "array", "description": "If set, OU (OrganizationalUnit) will be set to this value in certificates issued by this role.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "Organizational Unit" } }, "policy_identifiers": { "type": "array", "description": "A comma-separated string or list of policy oids.", "items": { "type": "string" } }, "postal_code": { "type": "array", "description": "If set, Postal Code will be set to this value in certificates issued by this role.", "items": { "type": "string" } }, "province": { "type": "array", "description": "If set, Province will be set to this value in certificates issued by this role.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "Province/State" } }, "require_cn": { "type": "boolean", "description": "If set to false, makes the 'common_name' field optional while generating a certificate.", "default": true, "x-vault-displayAttrs": { "name": "Require Common Name" } }, "server_flag": { "type": "boolean", "description": "If set, certificates are flagged for server auth use. Defaults to true.", "default": true, "x-vault-displayAttrs": { "value": true } }, "street_address": { "type": "array", "description": "If set, Street Address will be set to this value in certificates issued by this role.", "items": { "type": "string" } }, "ttl": { "type": "integer", "description": "The lease duration if no specific lease duration is requested. The lease duration controls the expiration of certificates issued by this backend. Defaults to the value of max_ttl.", "format": "seconds", "x-vault-displayAttrs": { "name": "TTL" } }, "use_csr_common_name": { "type": "boolean", "description": "If set, when used with a signing profile, the common name in the CSR will be used. This does *not* include any requested Subject Alternative Names. Defaults to true.", "default": true, "x-vault-displayAttrs": { "name": "Use CSR Common Name", "value": true } }, "use_csr_sans": { "type": "boolean", "description": "If set, when used with a signing profile, the SANs in the CSR will be used. This does *not* include the Common Name (cn). Defaults to true.", "default": true, "x-vault-displayAttrs": { "name": "Use CSR Subject Alternative Names", "value": true } } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Manage the roles that can be created with this backend.", "operationId": "deletePkiRolesName", "tags": ["secrets"], "responses": { "204": { "description": "empty body" } } } }, "/pki/root": { "description": "Deletes the root CA key to allow a new one to be generated.", "x-vault-sudo": true, "delete": { "summary": "Deletes the root CA key to allow a new one to be generated.", "operationId": "deletePkiRoot", "tags": ["secrets"], "responses": { "204": { "description": "empty body" } } } }, "/pki/root/generate/{exported}": { "description": "Generate a new CA certificate and private key used for signing.", "parameters": [{ "name": "exported", "description": "Must be \"internal\" or \"exported\". If set to \"exported\", the generated private key will be returned. This is your *only* chance to retrieve the private key!", "in": "path", "schema": { "type": "string" }, "required": true }], "post": { "summary": "Generate a new CA certificate and private key used for signing.", "operationId": "postPkiRootGenerateExported", "tags": ["secrets"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "alt_names": { "type": "string", "description": "The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses.", "x-vault-displayAttrs": { "name": "DNS/Email Subject Alternative Names (SANs)" } }, "common_name": { "type": "string", "description": "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans." }, "country": { "type": "array", "description": "If set, Country will be set to this value.", "items": { "type": "string" } }, "exclude_cn_from_sans": { "type": "boolean", "description": "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).", "default": false, "x-vault-displayAttrs": { "name": "Exclude Common Name from Subject Alternative Names (SANs)" } }, "format": { "type": "string", "description": "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".", "enum": ["pem", "der", "pem_bundle"], "default": "pem", "x-vault-displayAttrs": { "value": "pem" } }, "ip_sans": { "type": "array", "description": "The requested IP SANs, if any, in a comma-delimited list", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "IP Subject Alternative Names (SANs)" } }, "key_bits": { "type": "integer", "description": "The number of bits to use. You will almost certainly want to change this if you adjust the key_type.", "default": 2048, "x-vault-displayAttrs": { "value": 2048 } }, "key_type": { "type": "string", "description": "The type of key to use; defaults to RSA. \"rsa\" and \"ec\" are the only valid values.", "enum": ["rsa", "ec"], "default": "rsa", "x-vault-displayAttrs": { "value": "rsa" } }, "locality": { "type": "array", "description": "If set, Locality will be set to this value.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "Locality/City" } }, "max_path_length": { "type": "integer", "description": "The maximum allowable path length", "default": -1 }, "organization": { "type": "array", "description": "If set, O (Organization) will be set to this value.", "items": { "type": "string" } }, "other_sans": { "type": "array", "description": "Requested other SANs, in an array with the format \u003coid\u003e;UTF8:\u003cutf8 string value\u003e for each entry.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "Other SANs" } }, "ou": { "type": "array", "description": "If set, OU (OrganizationalUnit) will be set to this value.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "OU (Organizational Unit)" } }, "permitted_dns_domains": { "type": "array", "description": "Domains for which this certificate is allowed to sign or issue child certificates. If set, all DNS names (subject and alt) on child certs must be exact matches or subsets of the given domains (see https://tools.ietf.org/html/rfc5280#section-4.2.1.10).", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "Permitted DNS Domains" } }, "postal_code": { "type": "array", "description": "If set, Postal Code will be set to this value.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "Postal Code" } }, "private_key_format": { "type": "string", "description": "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".", "enum": ["", "der", "pem", "pkcs8"], "default": "der", "x-vault-displayAttrs": { "value": "der" } }, "province": { "type": "array", "description": "If set, Province will be set to this value.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "Province/State" } }, "serial_number": { "type": "string", "description": "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5." }, "street_address": { "type": "array", "description": "If set, Street Address will be set to this value.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "Street Address" } }, "ttl": { "type": "integer", "description": "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.", "format": "seconds", "x-vault-displayAttrs": { "name": "TTL" } }, "uri_sans": { "type": "array", "description": "The requested URI SANs, if any, in a comma-delimited list.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "URI Subject Alternative Names (SANs)" } } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/pki/root/sign-intermediate": { "description": "Issue an intermediate CA certificate based on the provided CSR.", "post": { "summary": "Issue an intermediate CA certificate based on the provided CSR.", "operationId": "postPkiRootSignIntermediate", "tags": ["secrets"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "alt_names": { "type": "string", "description": "The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses.", "x-vault-displayAttrs": { "name": "DNS/Email Subject Alternative Names (SANs)" } }, "common_name": { "type": "string", "description": "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans." }, "country": { "type": "array", "description": "If set, Country will be set to this value.", "items": { "type": "string" } }, "csr": { "type": "string", "description": "PEM-format CSR to be signed.", "default": "" }, "exclude_cn_from_sans": { "type": "boolean", "description": "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).", "default": false, "x-vault-displayAttrs": { "name": "Exclude Common Name from Subject Alternative Names (SANs)" } }, "format": { "type": "string", "description": "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".", "enum": ["pem", "der", "pem_bundle"], "default": "pem", "x-vault-displayAttrs": { "value": "pem" } }, "ip_sans": { "type": "array", "description": "The requested IP SANs, if any, in a comma-delimited list", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "IP Subject Alternative Names (SANs)" } }, "locality": { "type": "array", "description": "If set, Locality will be set to this value.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "Locality/City" } }, "max_path_length": { "type": "integer", "description": "The maximum allowable path length", "default": -1 }, "organization": { "type": "array", "description": "If set, O (Organization) will be set to this value.", "items": { "type": "string" } }, "other_sans": { "type": "array", "description": "Requested other SANs, in an array with the format \u003coid\u003e;UTF8:\u003cutf8 string value\u003e for each entry.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "Other SANs" } }, "ou": { "type": "array", "description": "If set, OU (OrganizationalUnit) will be set to this value.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "OU (Organizational Unit)" } }, "permitted_dns_domains": { "type": "array", "description": "Domains for which this certificate is allowed to sign or issue child certificates. If set, all DNS names (subject and alt) on child certs must be exact matches or subsets of the given domains (see https://tools.ietf.org/html/rfc5280#section-4.2.1.10).", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "Permitted DNS Domains" } }, "postal_code": { "type": "array", "description": "If set, Postal Code will be set to this value.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "Postal Code" } }, "private_key_format": { "type": "string", "description": "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".", "enum": ["", "der", "pem", "pkcs8"], "default": "der", "x-vault-displayAttrs": { "value": "der" } }, "province": { "type": "array", "description": "If set, Province will be set to this value.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "Province/State" } }, "serial_number": { "type": "string", "description": "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5." }, "street_address": { "type": "array", "description": "If set, Street Address will be set to this value.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "Street Address" } }, "ttl": { "type": "integer", "description": "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.", "format": "seconds", "x-vault-displayAttrs": { "name": "TTL" } }, "uri_sans": { "type": "array", "description": "The requested URI SANs, if any, in a comma-delimited list.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "URI Subject Alternative Names (SANs)" } }, "use_csr_values": { "type": "boolean", "description": "If true, then: 1) Subject information, including names and alternate names, will be preserved from the CSR rather than using values provided in the other parameters to this path; 2) Any key usages requested in the CSR will be added to the basic set of key usages used for CA certs signed by this path; for instance, the non-repudiation flag.", "default": false } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/pki/root/sign-self-issued": { "description": "Signs another CA's self-issued certificate.", "x-vault-sudo": true, "post": { "summary": "Signs another CA's self-issued certificate.", "operationId": "postPkiRootSignSelfIssued", "tags": ["secrets"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "certificate": { "type": "string", "description": "PEM-format self-issued certificate to be signed." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/pki/sign-verbatim": { "description": "Request certificates using a certain role with the provided details.", "post": { "summary": "Request certificates using a certain role with the provided details.", "operationId": "postPkiSignVerbatim", "tags": ["secrets"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "alt_names": { "type": "string", "description": "The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.", "x-vault-displayAttrs": { "name": "DNS/Email Subject Alternative Names (SANs)" } }, "common_name": { "type": "string", "description": "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address." }, "csr": { "type": "string", "description": "PEM-format CSR to be signed. Values will be taken verbatim from the CSR, except for basic constraints.", "default": "" }, "exclude_cn_from_sans": { "type": "boolean", "description": "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).", "default": false, "x-vault-displayAttrs": { "name": "Exclude Common Name from Subject Alternative Names (SANs)" } }, "ext_key_usage": { "type": "array", "description": "A comma-separated string or list of extended key usages. Valid values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage -- simply drop the \"ExtKeyUsage\" part of the name. To remove all key usages from being set, set this value to an empty list.", "items": { "type": "string" }, "default": [] }, "ext_key_usage_oids": { "type": "array", "description": "A comma-separated string or list of extended key usage oids.", "items": { "type": "string" } }, "format": { "type": "string", "description": "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".", "enum": ["pem", "der", "pem_bundle"], "default": "pem", "x-vault-displayAttrs": { "value": "pem" } }, "ip_sans": { "type": "array", "description": "The requested IP SANs, if any, in a comma-delimited list", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "IP Subject Alternative Names (SANs)" } }, "key_usage": { "type": "array", "description": "A comma-separated string or list of key usages (not extended key usages). Valid values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage -- simply drop the \"KeyUsage\" part of the name. To remove all key usages from being set, set this value to an empty list.", "items": { "type": "string" }, "default": ["DigitalSignature", "KeyAgreement", "KeyEncipherment"] }, "other_sans": { "type": "array", "description": "Requested other SANs, in an array with the format \u003coid\u003e;UTF8:\u003cutf8 string value\u003e for each entry.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "Other SANs" } }, "private_key_format": { "type": "string", "description": "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".", "enum": ["", "der", "pem", "pkcs8"], "default": "der", "x-vault-displayAttrs": { "value": "der" } }, "role": { "type": "string", "description": "The desired role with configuration for this request" }, "serial_number": { "type": "string", "description": "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5." }, "ttl": { "type": "integer", "description": "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL.", "format": "seconds", "x-vault-displayAttrs": { "name": "TTL" } }, "uri_sans": { "type": "array", "description": "The requested URI SANs, if any, in a comma-delimited list.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "URI Subject Alternative Names (SANs)" } } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/pki/sign-verbatim/{role}": { "description": "Request certificates using a certain role with the provided details.", "parameters": [{ "name": "role", "description": "The desired role with configuration for this request", "in": "path", "schema": { "type": "string" }, "required": true }], "post": { "summary": "Request certificates using a certain role with the provided details.", "operationId": "postPkiSignVerbatimRole", "tags": ["secrets"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "alt_names": { "type": "string", "description": "The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.", "x-vault-displayAttrs": { "name": "DNS/Email Subject Alternative Names (SANs)" } }, "common_name": { "type": "string", "description": "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address." }, "csr": { "type": "string", "description": "PEM-format CSR to be signed. Values will be taken verbatim from the CSR, except for basic constraints.", "default": "" }, "exclude_cn_from_sans": { "type": "boolean", "description": "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).", "default": false, "x-vault-displayAttrs": { "name": "Exclude Common Name from Subject Alternative Names (SANs)" } }, "ext_key_usage": { "type": "array", "description": "A comma-separated string or list of extended key usages. Valid values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage -- simply drop the \"ExtKeyUsage\" part of the name. To remove all key usages from being set, set this value to an empty list.", "items": { "type": "string" }, "default": [] }, "ext_key_usage_oids": { "type": "array", "description": "A comma-separated string or list of extended key usage oids.", "items": { "type": "string" } }, "format": { "type": "string", "description": "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".", "enum": ["pem", "der", "pem_bundle"], "default": "pem", "x-vault-displayAttrs": { "value": "pem" } }, "ip_sans": { "type": "array", "description": "The requested IP SANs, if any, in a comma-delimited list", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "IP Subject Alternative Names (SANs)" } }, "key_usage": { "type": "array", "description": "A comma-separated string or list of key usages (not extended key usages). Valid values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage -- simply drop the \"KeyUsage\" part of the name. To remove all key usages from being set, set this value to an empty list.", "items": { "type": "string" }, "default": ["DigitalSignature", "KeyAgreement", "KeyEncipherment"] }, "other_sans": { "type": "array", "description": "Requested other SANs, in an array with the format \u003coid\u003e;UTF8:\u003cutf8 string value\u003e for each entry.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "Other SANs" } }, "private_key_format": { "type": "string", "description": "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".", "enum": ["", "der", "pem", "pkcs8"], "default": "der", "x-vault-displayAttrs": { "value": "der" } }, "serial_number": { "type": "string", "description": "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5." }, "ttl": { "type": "integer", "description": "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL.", "format": "seconds", "x-vault-displayAttrs": { "name": "TTL" } }, "uri_sans": { "type": "array", "description": "The requested URI SANs, if any, in a comma-delimited list.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "URI Subject Alternative Names (SANs)" } } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/pki/sign/{role}": { "description": "Request certificates using a certain role with the provided details.", "parameters": [{ "name": "role", "description": "The desired role with configuration for this request", "in": "path", "schema": { "type": "string" }, "required": true }], "post": { "summary": "Request certificates using a certain role with the provided details.", "operationId": "postPkiSignRole", "tags": ["secrets"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "alt_names": { "type": "string", "description": "The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.", "x-vault-displayAttrs": { "name": "DNS/Email Subject Alternative Names (SANs)" } }, "common_name": { "type": "string", "description": "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address." }, "csr": { "type": "string", "description": "PEM-format CSR to be signed.", "default": "" }, "exclude_cn_from_sans": { "type": "boolean", "description": "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).", "default": false, "x-vault-displayAttrs": { "name": "Exclude Common Name from Subject Alternative Names (SANs)" } }, "format": { "type": "string", "description": "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".", "enum": ["pem", "der", "pem_bundle"], "default": "pem", "x-vault-displayAttrs": { "value": "pem" } }, "ip_sans": { "type": "array", "description": "The requested IP SANs, if any, in a comma-delimited list", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "IP Subject Alternative Names (SANs)" } }, "other_sans": { "type": "array", "description": "Requested other SANs, in an array with the format \u003coid\u003e;UTF8:\u003cutf8 string value\u003e for each entry.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "Other SANs" } }, "private_key_format": { "type": "string", "description": "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".", "enum": ["", "der", "pem", "pkcs8"], "default": "der", "x-vault-displayAttrs": { "value": "der" } }, "serial_number": { "type": "string", "description": "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5." }, "ttl": { "type": "integer", "description": "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL.", "format": "seconds", "x-vault-displayAttrs": { "name": "TTL" } }, "uri_sans": { "type": "array", "description": "The requested URI SANs, if any, in a comma-delimited list.", "items": { "type": "string" }, "x-vault-displayAttrs": { "name": "URI Subject Alternative Names (SANs)" } } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/pki/tidy": { "description": "Tidy up the backend by removing expired certificates, revocation information, or both.", "post": { "summary": "Tidy up the backend by removing expired certificates, revocation information,\nor both.", "operationId": "postPkiTidy", "tags": ["secrets"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "safety_buffer": { "type": "integer", "description": "The amount of extra time that must have passed beyond certificate expiration before it is removed from the backend storage and/or revocation list. Defaults to 72 hours.", "format": "seconds", "default": 259200 }, "tidy_cert_store": { "type": "boolean", "description": "Set to true to enable tidying up the certificate store" }, "tidy_revocation_list": { "type": "boolean", "description": "Deprecated; synonym for 'tidy_revoked_certs" }, "tidy_revoked_certs": { "type": "boolean", "description": "Set to true to expire all revoked and expired certificates, removing them both from the CRL and from storage. The CRL will be rotated if this causes any values to be removed." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/audit": { "description": "List the currently enabled audit backends.", "x-vault-sudo": true, "get": { "summary": "List the enabled audit devices.", "operationId": "getSysAudit", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/audit-hash/{path}": { "description": "The hash of the given string via the given audit backend", "parameters": [{ "name": "path", "description": "The name of the backend. Cannot be delimited. Example: \"mysql\"", "in": "path", "schema": { "type": "string" }, "required": true }], "post": { "summary": "The hash of the given string via the given audit backend", "operationId": "postSysAuditHashPath", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "input": { "type": "string" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/audit/{path}": { "description": "Enable or disable audit backends.", "parameters": [{ "name": "path", "description": "The name of the backend. Cannot be delimited. Example: \"mysql\"", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-sudo": true, "post": { "summary": "Enable a new audit device at the supplied path.", "operationId": "postSysAuditPath", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "description": { "type": "string", "description": "User-friendly description for this audit backend." }, "local": { "type": "boolean", "description": "Mark the mount as a local mount, which is not replicated and is unaffected by replication.", "default": false }, "options": { "type": "object", "description": "Configuration options for the audit backend.", "format": "kvpairs" }, "type": { "type": "string", "description": "The type of the backend. Example: \"mysql\"" } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Disable the audit device at the given path.", "operationId": "deleteSysAuditPath", "tags": ["system"], "responses": { "204": { "description": "empty body" } } } }, "/sys/auth": { "description": "List the currently enabled credential backends.", "get": { "summary": "List the currently enabled credential backends.", "operationId": "getSysAuth", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/auth/{path}": { "description": "Enable a new credential backend with a name.", "parameters": [{ "name": "path", "description": "The path to mount to. Cannot be delimited. Example: \"user\"", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-sudo": true, "post": { "summary": "Enables a new auth method.", "description": "After enabling, the auth method can be accessed and configured via the auth path specified as part of the URL. This auth path will be nested under the auth prefix.\n\nFor example, enable the \"foo\" auth method will make it accessible at /auth/foo.", "operationId": "postSysAuthPath", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "config": { "type": "object", "description": "Configuration for this mount, such as plugin_name.", "format": "map" }, "description": { "type": "string", "description": "User-friendly description for this credential backend." }, "external_entropy_access": { "type": "boolean", "description": "Whether to give the mount access to Vault's external entropy.", "default": false }, "local": { "type": "boolean", "description": "Mark the mount as a local mount, which is not replicated and is unaffected by replication.", "default": false }, "options": { "type": "object", "description": "The options to pass into the backend. Should be a json object with string keys and values.", "format": "kvpairs" }, "plugin_name": { "type": "string", "description": "Name of the auth plugin to use based from the name in the plugin catalog." }, "seal_wrap": { "type": "boolean", "description": "Whether to turn on seal wrapping for the mount.", "default": false }, "type": { "type": "string", "description": "The type of the backend. Example: \"userpass\"" } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Disable the auth method at the given auth path", "operationId": "deleteSysAuthPath", "tags": ["system"], "responses": { "204": { "description": "empty body" } } } }, "/sys/auth/{path}/tune": { "description": "Tune the configuration parameters for an auth path.", "parameters": [{ "name": "path", "description": "Tune the configuration parameters for an auth path.", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-sudo": true, "get": { "summary": "Reads the given auth path's configuration.", "description": "This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via `sys/mounts/auth/[auth-path]/tune`.", "operationId": "getSysAuthPathTune", "tags": ["system"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Tune configuration parameters for a given auth path.", "description": "This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via `sys/mounts/auth/[auth-path]/tune`.", "operationId": "postSysAuthPathTune", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "allowed_response_headers": { "type": "array", "description": "A list of headers to whitelist and allow a plugin to set on responses.", "items": { "type": "string" } }, "audit_non_hmac_request_keys": { "type": "array", "description": "The list of keys in the request data object that will not be HMAC'ed by audit devices.", "items": { "type": "string" } }, "audit_non_hmac_response_keys": { "type": "array", "description": "The list of keys in the response data object that will not be HMAC'ed by audit devices.", "items": { "type": "string" } }, "default_lease_ttl": { "type": "string", "description": "The default lease TTL for this mount." }, "description": { "type": "string", "description": "User-friendly description for this credential backend." }, "listing_visibility": { "type": "string", "description": "Determines the visibility of the mount in the UI-specific listing endpoint. Accepted value are 'unauth' and ''." }, "max_lease_ttl": { "type": "string", "description": "The max lease TTL for this mount." }, "options": { "type": "object", "description": "The options to pass into the backend. Should be a json object with string keys and values.", "format": "kvpairs" }, "passthrough_request_headers": { "type": "array", "description": "A list of headers to whitelist and pass from the request to the plugin.", "items": { "type": "string" } }, "token_type": { "type": "string", "description": "The type of token to issue (service or batch)." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/capabilities": { "description": "Fetches the capabilities of the given token on the given path.", "post": { "summary": "Fetches the capabilities of the given token on the given path.", "operationId": "postSysCapabilities", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "path": { "type": "array", "description": "Use 'paths' instead.", "items": { "type": "string" }, "deprecated": true }, "paths": { "type": "array", "description": "Paths on which capabilities are being queried.", "items": { "type": "string" } }, "token": { "type": "string", "description": "Token for which capabilities are being queried." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/capabilities-accessor": { "description": "Fetches the capabilities of the token associated with the given token, on the given path.", "post": { "summary": "Fetches the capabilities of the token associated with the given token, on the given path.", "operationId": "postSysCapabilitiesAccessor", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "accessor": { "type": "string", "description": "Accessor of the token for which capabilities are being queried." }, "path": { "type": "array", "description": "Use 'paths' instead.", "items": { "type": "string" }, "deprecated": true }, "paths": { "type": "array", "description": "Paths on which capabilities are being queried.", "items": { "type": "string" } } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/capabilities-self": { "description": "Fetches the capabilities of the given token on the given path.", "post": { "summary": "Fetches the capabilities of the given token on the given path.", "operationId": "postSysCapabilitiesSelf", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "path": { "type": "array", "description": "Use 'paths' instead.", "items": { "type": "string" }, "deprecated": true }, "paths": { "type": "array", "description": "Paths on which capabilities are being queried.", "items": { "type": "string" } }, "token": { "type": "string", "description": "Token for which capabilities are being queried." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/config/auditing/request-headers": { "description": "Lists the headers configured to be audited.", "x-vault-sudo": true, "get": { "summary": "List the request headers that are configured to be audited.", "operationId": "getSysConfigAuditingRequestHeaders", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/config/auditing/request-headers/{header}": { "description": "Configures the headers sent to the audit logs.", "parameters": [{ "name": "header", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-sudo": true, "get": { "summary": "List the information for the given request header.", "operationId": "getSysConfigAuditingRequestHeadersHeader", "tags": ["system"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Enable auditing of a header.", "operationId": "postSysConfigAuditingRequestHeadersHeader", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "hmac": { "type": "boolean" } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Disable auditing of the given request header.", "operationId": "deleteSysConfigAuditingRequestHeadersHeader", "tags": ["system"], "responses": { "204": { "description": "empty body" } } } }, "/sys/config/control-group": { "description": "Configure control group global settings.", "get": { "summary": "Configure control group global settings.", "operationId": "getSysConfigControlGroup", "tags": ["system"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Configure control group global settings.", "operationId": "postSysConfigControlGroup", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "max_ttl": { "type": "integer", "description": "The max TTL for a control group token.", "format": "seconds" } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Configure control group global settings.", "operationId": "deleteSysConfigControlGroup", "tags": ["system"], "responses": { "204": { "description": "empty body" } } } }, "/sys/config/cors": { "description": "This path responds to the following HTTP methods. GET / Returns the configuration of the CORS setting. POST / Sets the comma-separated list of origins that can make cross-origin requests. DELETE / Clears the CORS configuration and disables acceptance of CORS requests.", "x-vault-sudo": true, "get": { "summary": "Return the current CORS settings.", "operationId": "getSysConfigCors", "tags": ["system"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Configure the CORS settings.", "operationId": "postSysConfigCors", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "allowed_headers": { "type": "array", "description": "A comma-separated string or array of strings indicating headers that are allowed on cross-origin requests.", "items": { "type": "string" } }, "allowed_origins": { "type": "array", "description": "A comma-separated string or array of strings indicating origins that may make cross-origin requests.", "items": { "type": "string" } }, "enable": { "type": "boolean", "description": "Enables or disables CORS headers on requests." } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Remove any CORS settings.", "operationId": "deleteSysConfigCors", "tags": ["system"], "responses": { "204": { "description": "empty body" } } } }, "/sys/config/state/sanitized": { "get": { "summary": "Return a sanitized version of the Vault server configuration.", "description": "The sanitized output strips configuration values in the storage, HA storage, and seals stanzas, which may contain sensitive values such as API tokens. It also removes any token or secret fields in other stanzas, such as the circonus_api_token from telemetry.", "operationId": "getSysConfigStateSanitized", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/config/ui/headers/": { "description": "This path responds to the following HTTP methods. GET /\u003cheader\u003e Returns the header value. POST /\u003cheader\u003e Sets the header value for the UI. DELETE /\u003cheader\u003e Clears the header value for UI. LIST / List the headers configured for the UI.", "x-vault-sudo": true, "get": { "summary": "Return a list of configured UI headers.", "operationId": "getSysConfigUiHeaders", "tags": ["system"], "parameters": [{ "name": "list", "description": "Return a list if `true`", "in": "query", "schema": { "type": "string" } }], "responses": { "200": { "description": "OK" } } } }, "/sys/config/ui/headers/{header}": { "description": "This path responds to the following HTTP methods. GET /\u003cheader\u003e Returns the header value. POST /\u003cheader\u003e Sets the header value for the UI. DELETE /\u003cheader\u003e Clears the header value for UI. LIST / List the headers configured for the UI.", "parameters": [{ "name": "header", "description": "The name of the header.", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-sudo": true, "get": { "summary": "Return the given UI header's configuration", "operationId": "getSysConfigUiHeadersHeader", "tags": ["system"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Configure the values to be returned for the UI header.", "operationId": "postSysConfigUiHeadersHeader", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "values": { "type": "array", "description": "The values to set the header.", "items": { "type": "string" } } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Remove a UI header.", "operationId": "deleteSysConfigUiHeadersHeader", "tags": ["system"], "responses": { "204": { "description": "empty body" } } } }, "/sys/control-group/authorize": { "description": "Authorize a control group request", "post": { "summary": "Authorize a control group request", "operationId": "postSysControlGroupAuthorize", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "accessor": { "type": "string", "description": "The accessor of the request to authorize." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/control-group/request": { "description": "Check the status of a control group request", "post": { "summary": "Check the status of a control group request", "operationId": "postSysControlGroupRequest", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "accessor": { "type": "string", "description": "The accessor of the request." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/generate-root": { "description": "Reads, generates, or deletes a root token regeneration process.", "get": { "summary": "Read the configuration and progress of the current root generation attempt.", "operationId": "getSysGenerateRoot", "tags": ["system"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Initializes a new root generation attempt.", "description": "Only a single root generation attempt can take place at a time. One (and only one) of otp or pgp_key are required.", "operationId": "postSysGenerateRoot", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "pgp_key": { "type": "string", "description": "Specifies a base64-encoded PGP public key." } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Cancels any in-progress root generation attempt.", "operationId": "deleteSysGenerateRoot", "tags": ["system"], "responses": { "204": { "description": "empty body" } } } }, "/sys/generate-root/attempt": { "description": "Reads, generates, or deletes a root token regeneration process.", "x-vault-unauthenticated": true, "get": { "summary": "Read the configuration and progress of the current root generation attempt.", "operationId": "getSysGenerateRootAttempt", "tags": ["system"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Initializes a new root generation attempt.", "description": "Only a single root generation attempt can take place at a time. One (and only one) of otp or pgp_key are required.", "operationId": "postSysGenerateRootAttempt", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "pgp_key": { "type": "string", "description": "Specifies a base64-encoded PGP public key." } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Cancels any in-progress root generation attempt.", "operationId": "deleteSysGenerateRootAttempt", "tags": ["system"], "responses": { "204": { "description": "empty body" } } } }, "/sys/generate-root/update": { "description": "Reads, generates, or deletes a root token regeneration process.", "x-vault-unauthenticated": true, "post": { "summary": "Enter a single master key share to progress the root generation attempt.", "description": "If the threshold number of master key shares is reached, Vault will complete the root generation and issue the new token. Otherwise, this API must be called multiple times until that threshold is met. The attempt nonce must be provided with each call.", "operationId": "postSysGenerateRootUpdate", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "key": { "type": "string", "description": "Specifies a single master key share." }, "nonce": { "type": "string", "description": "Specifies the nonce of the attempt." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/health": { "description": "Checks the health status of the Vault.", "x-vault-unauthenticated": true, "get": { "summary": "Returns the health status of Vault.", "operationId": "getSysHealth", "tags": ["system"], "responses": { "200": { "description": "initialized, unsealed, and active" }, "429": { "description": "unsealed and standby" }, "472": { "description": "data recovery mode replication secondary and active" }, "501": { "description": "not initialized" }, "503": { "description": "sealed" } } } }, "/sys/host-info": { "description": "Information about the host instance that this Vault server is running on.", "get": { "summary": "Information about the host instance that this Vault server is running on.", "description": "Information about the host instance that this Vault server is running on.\n\t\tThe information that gets collected includes host hardware information, and CPU,\n\t\tdisk, and memory utilization", "operationId": "getSysHostInfo", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/init": { "description": "Initializes or returns the initialization status of the Vault.", "x-vault-unauthenticated": true, "get": { "summary": "Returns the initialization status of Vault.", "operationId": "getSysInit", "tags": ["system"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Initialize a new Vault.", "description": "The Vault must not have been previously initialized. The recovery options, as well as the stored shares option, are only available when using Vault HSM.", "operationId": "postSysInit", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "pgp_keys": { "type": "array", "description": "Specifies an array of PGP public keys used to encrypt the output unseal keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as `secret_shares`.", "items": { "type": "string" } }, "recovery_pgp_keys": { "type": "array", "description": "Specifies an array of PGP public keys used to encrypt the output recovery keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as `recovery_shares`.", "items": { "type": "string" } }, "recovery_shares": { "type": "integer", "description": "Specifies the number of shares to split the recovery key into." }, "recovery_threshold": { "type": "integer", "description": "Specifies the number of shares required to reconstruct the recovery key. This must be less than or equal to `recovery_shares`." }, "root_token_pgp_key": { "type": "string", "description": "Specifies a PGP public key used to encrypt the initial root token. The key must be base64-encoded from its original binary representation." }, "secret_shares": { "type": "integer", "description": "Specifies the number of shares to split the master key into." }, "secret_threshold": { "type": "integer", "description": "Specifies the number of shares required to reconstruct the master key. This must be less than or equal secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as `secret_shares`." }, "stored_shares": { "type": "integer", "description": "Specifies the number of shares that should be encrypted by the HSM and stored for auto-unsealing. Currently must be the same as `secret_shares`." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/internal/counters/entities": { "description": "Count of active entities in this Vault cluster." }, "/sys/internal/counters/requests": { "description": "Count of requests seen by this Vault cluster over time." }, "/sys/internal/counters/tokens": { "description": "Count of active tokens in this Vault cluster." }, "/sys/internal/specs/openapi": { "x-vault-unauthenticated": true, "get": { "summary": "Generate an OpenAPI 3 document of all mounted paths.", "operationId": "getSysInternalSpecsOpenapi", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/internal/ui/mounts": { "description": "Information about mounts returned according to their tuned visibility. Internal API; its location, inputs, and outputs may change.", "x-vault-unauthenticated": true, "get": { "summary": "Lists all enabled and visible auth and secrets mounts.", "operationId": "getSysInternalUiMounts", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/internal/ui/mounts/{path}": { "description": "Information about mounts returned according to their tuned visibility. Internal API; its location, inputs, and outputs may change.", "parameters": [{ "name": "path", "description": "The path of the mount.", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-unauthenticated": true, "get": { "summary": "Return information about the given mount.", "operationId": "getSysInternalUiMountsPath", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/internal/ui/namespaces": { "description": "Information about visible child namespaces. Internal API; its location, inputs, and outputs may change.", "x-vault-unauthenticated": true }, "/sys/internal/ui/resultant-acl": { "description": "Information about a token's resultant ACL. Internal API; its location, inputs, and outputs may change." }, "/sys/key-status": { "description": "Provides information about the backend encryption key.", "get": { "summary": "Provides information about the backend encryption key.", "operationId": "getSysKeyStatus", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/leader": { "description": "Check the high availability status and current leader of Vault", "x-vault-unauthenticated": true, "get": { "summary": "Returns the high availability status and current leader instance of Vault.", "operationId": "getSysLeader", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/leases/lookup": { "description": "View or list lease metadata.", "post": { "summary": "Retrieve lease metadata.", "operationId": "postSysLeasesLookup", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "lease_id": { "type": "string", "description": "The lease identifier to renew. This is included with a lease." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/leases/lookup/": { "description": "View or list lease metadata.", "x-vault-sudo": true, "get": { "summary": "Returns a list of lease ids.", "operationId": "getSysLeasesLookup", "tags": ["system"], "parameters": [{ "name": "list", "description": "Return a list if `true`", "in": "query", "schema": { "type": "string" } }], "responses": { "200": { "description": "OK" } } } }, "/sys/leases/lookup/{prefix}": { "description": "View or list lease metadata.", "parameters": [{ "name": "prefix", "description": "The path to list leases under. Example: \"aws/creds/deploy\"", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-sudo": true, "get": { "summary": "Returns a list of lease ids.", "operationId": "getSysLeasesLookupPrefix", "tags": ["system"], "parameters": [{ "name": "list", "description": "Return a list if `true`", "in": "query", "schema": { "type": "string" } }], "responses": { "200": { "description": "OK" } } } }, "/sys/leases/renew": { "description": "Renew a lease on a secret", "post": { "summary": "Renews a lease, requesting to extend the lease.", "operationId": "postSysLeasesRenew", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "increment": { "type": "integer", "description": "The desired increment in seconds to the lease", "format": "seconds" }, "lease_id": { "type": "string", "description": "The lease identifier to renew. This is included with a lease." }, "url_lease_id": { "type": "string", "description": "The lease identifier to renew. This is included with a lease." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/leases/renew/{url_lease_id}": { "description": "Renew a lease on a secret", "parameters": [{ "name": "url_lease_id", "description": "The lease identifier to renew. This is included with a lease.", "in": "path", "schema": { "type": "string" }, "required": true }], "post": { "summary": "Renews a lease, requesting to extend the lease.", "operationId": "postSysLeasesRenewUrl_lease_id", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "increment": { "type": "integer", "description": "The desired increment in seconds to the lease", "format": "seconds" }, "lease_id": { "type": "string", "description": "The lease identifier to renew. This is included with a lease." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/leases/revoke": { "description": "Revoke a leased secret immediately", "post": { "summary": "Revokes a lease immediately.", "operationId": "postSysLeasesRevoke", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "lease_id": { "type": "string", "description": "The lease identifier to renew. This is included with a lease." }, "sync": { "type": "boolean", "description": "Whether or not to perform the revocation synchronously", "default": true }, "url_lease_id": { "type": "string", "description": "The lease identifier to renew. This is included with a lease." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/leases/revoke-force/{prefix}": { "description": "Revoke all secrets generated in a given prefix, ignoring errors.", "parameters": [{ "name": "prefix", "description": "The path to revoke keys under. Example: \"prod/aws/ops\"", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-sudo": true, "post": { "summary": "Revokes all secrets or tokens generated under a given prefix immediately", "description": "Unlike `/sys/leases/revoke-prefix`, this path ignores backend errors encountered during revocation. This is potentially very dangerous and should only be used in specific emergency situations where errors in the backend or the connected backend service prevent normal revocation.\n\nBy ignoring these errors, Vault abdicates responsibility for ensuring that the issued credentials or secrets are properly revoked and/or cleaned up. Access to this endpoint should be tightly controlled.", "operationId": "postSysLeasesRevokeForcePrefix", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/leases/revoke-prefix/{prefix}": { "description": "Revoke all secrets generated in a given prefix", "parameters": [{ "name": "prefix", "description": "The path to revoke keys under. Example: \"prod/aws/ops\"", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-sudo": true, "post": { "summary": "Revokes all secrets (via a lease ID prefix) or tokens (via the tokens' path property) generated under a given prefix immediately.", "operationId": "postSysLeasesRevokePrefixPrefix", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "sync": { "type": "boolean", "description": "Whether or not to perform the revocation synchronously", "default": true } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/leases/revoke/{url_lease_id}": { "description": "Revoke a leased secret immediately", "parameters": [{ "name": "url_lease_id", "description": "The lease identifier to renew. This is included with a lease.", "in": "path", "schema": { "type": "string" }, "required": true }], "post": { "summary": "Revokes a lease immediately.", "operationId": "postSysLeasesRevokeUrl_lease_id", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "lease_id": { "type": "string", "description": "The lease identifier to renew. This is included with a lease." }, "sync": { "type": "boolean", "description": "Whether or not to perform the revocation synchronously", "default": true } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/leases/tidy": { "description": "This endpoint performs cleanup tasks that can be run if certain error conditions have occurred.", "post": { "summary": "This endpoint performs cleanup tasks that can be run if certain error\nconditions have occurred.", "operationId": "postSysLeasesTidy", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/license": { "description": "The path responds to the following HTTP methods. GET / Returns information on the installed license POST Sets the license for the server", "get": { "summary": "The path responds to the following HTTP methods.\n\n GET /\n Returns information on the installed license\n\n POST\n Sets the license for the server", "operationId": "getSysLicense", "tags": ["system"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "The path responds to the following HTTP methods.\n\n GET /\n Returns information on the installed license\n\n POST\n Sets the license for the server", "operationId": "postSysLicense", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "text": { "type": "string", "description": "The text of the license." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/metrics": { "description": "Export the metrics aggregated for telemetry purpose.", "parameters": [{ "name": "format", "description": "Format to export metrics into. Currently accepts only \"prometheus\".", "in": "query", "schema": { "type": "string" } }], "get": { "summary": "Export the metrics aggregated for telemetry purpose.", "operationId": "getSysMetrics", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/mfa/method": { "description": "Lists all the available MFA methods by their name.", "get": { "summary": "Lists all the available MFA methods by their name.", "operationId": "getSysMfaMethod", "tags": ["system"], "parameters": [{ "name": "list", "description": "Return a list if `true`", "in": "query", "schema": { "type": "string" } }], "responses": { "200": { "description": "OK" } } } }, "/sys/mfa/method/duo/{name}": { "description": "Defines or updates a Duo MFA method.", "parameters": [{ "name": "name", "description": "Name of the MFA method.", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "summary": "Defines or updates a Duo MFA method.", "operationId": "getSysMfaMethodDuoName", "tags": ["system"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Defines or updates a Duo MFA method.", "operationId": "postSysMfaMethodDuoName", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "api_hostname": { "type": "string", "description": "API host name for Duo." }, "integration_key": { "type": "string", "description": "Integration key for Duo." }, "mount_accessor": { "type": "string", "description": "The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping." }, "push_info": { "type": "string", "description": "Push information for Duo." }, "secret_key": { "type": "string", "description": "Secret key for Duo." }, "username_format": { "type": "string", "description": "A format string for mapping Identity names to MFA method names. Values to subtitute should be placed in {{}}. For example, \"{{alias.name}}@example.com\". Currently-supported mappings: alias.name: The name returned by the mount configured via the mount_accessor parameter If blank, the Alias's name field will be used as-is." } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Defines or updates a Duo MFA method.", "operationId": "deleteSysMfaMethodDuoName", "tags": ["system"], "responses": { "204": { "description": "empty body" } } } }, "/sys/mfa/method/okta/{name}": { "description": "Defines or updates an Okta MFA method.", "parameters": [{ "name": "name", "description": "Name of the MFA method.", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "summary": "Defines or updates an Okta MFA method.", "operationId": "getSysMfaMethodOktaName", "tags": ["system"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Defines or updates an Okta MFA method.", "operationId": "postSysMfaMethodOktaName", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "api_token": { "type": "string", "description": "Okta API key." }, "base_url": { "type": "string", "description": "The base domain to use for the Okta API. When not specified in the configuration, \"okta.com\" is used." }, "mount_accessor": { "type": "string", "description": "The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping." }, "org_name": { "type": "string", "description": "Name of the organization to be used in the Okta API." }, "primary_email": { "type": "boolean", "description": "If true, the username will only match the primary email for the account. Defaults to false." }, "production": { "type": "boolean", "description": "(DEPRECATED) Use base_url instead." }, "username_format": { "type": "string", "description": "A format string for mapping Identity names to MFA method names. Values to subtitute should be placed in {{}}. For example, \"{{alias.name}}@example.com\". Currently-supported mappings: alias.name: The name returned by the mount configured via the mount_accessor parameter If blank, the Alias's name field will be used as-is." } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Defines or updates an Okta MFA method.", "operationId": "deleteSysMfaMethodOktaName", "tags": ["system"], "responses": { "204": { "description": "empty body" } } } }, "/sys/mfa/method/pingid/{name}": { "description": "Defines or updates a PingID MFA method.", "parameters": [{ "name": "name", "description": "Name of the MFA method.", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "summary": "Defines or updates a PingID MFA method.", "operationId": "getSysMfaMethodPingidName", "tags": ["system"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Defines or updates a PingID MFA method.", "operationId": "postSysMfaMethodPingidName", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "mount_accessor": { "type": "string", "description": "The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping." }, "settings_file_base64": { "type": "string", "description": "The settings file provided by Ping, Base64-encoded. This must be a settings file suitable for third-party clients, not the PingID SDK or PingFederate." }, "username_format": { "type": "string", "description": "A format string for mapping Identity names to MFA method names. Values to subtitute should be placed in {{}}. For example, \"{{alias.name}}@example.com\". Currently-supported mappings: alias.name: The name returned by the mount configured via the mount_accessor parameter If blank, the Alias's name field will be used as-is." } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Defines or updates a PingID MFA method.", "operationId": "deleteSysMfaMethodPingidName", "tags": ["system"], "responses": { "204": { "description": "empty body" } } } }, "/sys/mfa/method/totp/{name}": { "description": "Defines or updates a TOTP MFA method.", "parameters": [{ "name": "name", "description": "Name of the MFA method.", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "summary": "Defines or updates a TOTP MFA method.", "operationId": "getSysMfaMethodTotpName", "tags": ["system"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Defines or updates a TOTP MFA method.", "operationId": "postSysMfaMethodTotpName", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "algorithm": { "type": "string", "description": "The hashing algorithm used to generate the TOTP token. Options include SHA1, SHA256 and SHA512.", "default": "SHA1" }, "digits": { "type": "integer", "description": "The number of digits in the generated TOTP token. This value can either be 6 or 8.", "default": 6 }, "issuer": { "type": "string", "description": "The name of the key's issuing organization." }, "key_size": { "type": "integer", "description": "Determines the size in bytes of the generated key.", "default": 20 }, "period": { "type": "integer", "description": "The length of time used to generate a counter for the TOTP token calculation.", "format": "seconds", "default": 30 }, "qr_size": { "type": "integer", "description": "The pixel size of the generated square QR code.", "default": 200 }, "skew": { "type": "integer", "description": "The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1.", "default": 1 } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Defines or updates a TOTP MFA method.", "operationId": "deleteSysMfaMethodTotpName", "tags": ["system"], "responses": { "204": { "description": "empty body" } } } }, "/sys/mfa/method/totp/{name}/admin-destroy": { "description": "Deletes the TOTP secret for the given method name on the given entity.", "parameters": [{ "name": "name", "description": "Name of the MFA method.", "in": "path", "schema": { "type": "string" }, "required": true }], "post": { "summary": "Deletes the TOTP secret for the given method name on the given entity.", "operationId": "postSysMfaMethodTotpNameAdminDestroy", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "entity_id": { "type": "string", "description": "Identifier of the entity from which the MFA method secret needs to be removed." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/mfa/method/totp/{name}/admin-generate": { "description": "Generates a TOTP secret for the given method name on the given entity.", "parameters": [{ "name": "name", "description": "Name of the MFA method.", "in": "path", "schema": { "type": "string" }, "required": true }], "post": { "summary": "Generates a TOTP secret for the given method name on the given entity.", "operationId": "postSysMfaMethodTotpNameAdminGenerate", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "entity_id": { "type": "string", "description": "Entity ID on which the generated secret needs to get stored." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/mfa/method/totp/{name}/generate": { "description": "Generates a TOTP secret for the given method name on the entity of the calling token.", "parameters": [{ "name": "name", "description": "Name of the MFA method.", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "summary": "Generates a TOTP secret for the given method name on the entity of the\n\t\tcalling token.", "operationId": "getSysMfaMethodTotpNameGenerate", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/monitor": { "parameters": [{ "name": "log_level", "description": "Log level to view system logs at. Currently supported values are \"trace\", \"debug\", \"info\", \"warn\", \"error\".", "in": "query", "schema": { "type": "string" } }], "get": { "operationId": "getSysMonitor", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/mounts": { "description": "List the currently mounted backends.", "get": { "summary": "List the currently mounted backends.", "operationId": "getSysMounts", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/mounts/{path}": { "description": "Mount a new backend at a new path.", "parameters": [{ "name": "path", "description": "The path to mount to. Example: \"aws/east\"", "in": "path", "schema": { "type": "string" }, "required": true }], "post": { "summary": "Enable a new secrets engine at the given path.", "operationId": "postSysMountsPath", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "config": { "type": "object", "description": "Configuration for this mount, such as default_lease_ttl and max_lease_ttl.", "format": "map" }, "description": { "type": "string", "description": "User-friendly description for this mount." }, "external_entropy_access": { "type": "boolean", "description": "Whether to give the mount access to Vault's external entropy.", "default": false }, "local": { "type": "boolean", "description": "Mark the mount as a local mount, which is not replicated and is unaffected by replication.", "default": false }, "options": { "type": "object", "description": "The options to pass into the backend. Should be a json object with string keys and values.", "format": "kvpairs" }, "plugin_name": { "type": "string", "description": "Name of the plugin to mount based from the name registered in the plugin catalog." }, "seal_wrap": { "type": "boolean", "description": "Whether to turn on seal wrapping for the mount.", "default": false }, "type": { "type": "string", "description": "The type of the backend. Example: \"passthrough\"" } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Disable the mount point specified at the given path.", "operationId": "deleteSysMountsPath", "tags": ["system"], "responses": { "204": { "description": "empty body" } } } }, "/sys/mounts/{path}/tune": { "description": "Tune backend configuration parameters for this mount.", "parameters": [{ "name": "path", "description": "The path to mount to. Example: \"aws/east\"", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "summary": "Tune backend configuration parameters for this mount.", "operationId": "getSysMountsPathTune", "tags": ["system"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Tune backend configuration parameters for this mount.", "operationId": "postSysMountsPathTune", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "allowed_response_headers": { "type": "array", "description": "A list of headers to whitelist and allow a plugin to set on responses.", "items": { "type": "string" } }, "audit_non_hmac_request_keys": { "type": "array", "description": "The list of keys in the request data object that will not be HMAC'ed by audit devices.", "items": { "type": "string" } }, "audit_non_hmac_response_keys": { "type": "array", "description": "The list of keys in the response data object that will not be HMAC'ed by audit devices.", "items": { "type": "string" } }, "default_lease_ttl": { "type": "string", "description": "The default lease TTL for this mount." }, "description": { "type": "string", "description": "User-friendly description for this credential backend." }, "listing_visibility": { "type": "string", "description": "Determines the visibility of the mount in the UI-specific listing endpoint. Accepted value are 'unauth' and ''." }, "max_lease_ttl": { "type": "string", "description": "The max lease TTL for this mount." }, "options": { "type": "object", "description": "The options to pass into the backend. Should be a json object with string keys and values.", "format": "kvpairs" }, "passthrough_request_headers": { "type": "array", "description": "A list of headers to whitelist and pass from the request to the plugin.", "items": { "type": "string" } }, "token_type": { "type": "string", "description": "The type of token to issue (service or batch)." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/namespaces": { "get": { "operationId": "getSysNamespaces", "tags": ["system"], "parameters": [{ "name": "list", "description": "Return a list if `true`", "in": "query", "schema": { "type": "string" } }], "responses": { "200": { "description": "OK" } } } }, "/sys/namespaces/{path}": { "parameters": [{ "name": "path", "description": "Path of the namespace.", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "operationId": "getSysNamespacesPath", "tags": ["system"], "responses": { "200": { "description": "OK" } } }, "post": { "operationId": "postSysNamespacesPath", "tags": ["system"], "responses": { "200": { "description": "OK" } } }, "delete": { "operationId": "deleteSysNamespacesPath", "tags": ["system"], "responses": { "204": { "description": "empty body" } } } }, "/sys/plugins/catalog": { "description": "Lists all the plugins known to Vault", "get": { "summary": "Lists all the plugins known to Vault", "operationId": "getSysPluginsCatalog", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/plugins/catalog/{name}": { "description": "Configures the plugins known to Vault", "parameters": [{ "name": "name", "description": "The name of the plugin", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-sudo": true, "get": { "summary": "Return the configuration data for the plugin with the given name.", "operationId": "getSysPluginsCatalogName", "tags": ["system"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Register a new plugin, or updates an existing one with the supplied name.", "operationId": "postSysPluginsCatalogName", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "args": { "type": "array", "description": "The args passed to plugin command.", "items": { "type": "string" } }, "command": { "type": "string", "description": "The command used to start the plugin. The executable defined in this command must exist in vault's plugin directory." }, "env": { "type": "array", "description": "The environment variables passed to plugin command. Each entry is of the form \"key=value\".", "items": { "type": "string" } }, "sha256": { "type": "string", "description": "The SHA256 sum of the executable used in the command field. This should be HEX encoded." }, "sha_256": { "type": "string", "description": "The SHA256 sum of the executable used in the command field. This should be HEX encoded." }, "type": { "type": "string", "description": "The type of the plugin, may be auth, secret, or database" } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Remove the plugin with the given name.", "operationId": "deleteSysPluginsCatalogName", "tags": ["system"], "responses": { "204": { "description": "empty body" } } } }, "/sys/plugins/catalog/{type}": { "description": "Configures the plugins known to Vault", "parameters": [{ "name": "type", "description": "The type of the plugin, may be auth, secret, or database", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-sudo": true, "get": { "summary": "List the plugins in the catalog.", "operationId": "getSysPluginsCatalogType", "tags": ["system"], "parameters": [{ "name": "list", "description": "Return a list if `true`", "in": "query", "schema": { "type": "string" } }], "responses": { "200": { "description": "OK" } } } }, "/sys/plugins/catalog/{type}/{name}": { "description": "Configures the plugins known to Vault", "parameters": [{ "name": "name", "description": "The name of the plugin", "in": "path", "schema": { "type": "string" }, "required": true }, { "name": "type", "description": "The type of the plugin, may be auth, secret, or database", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-sudo": true, "get": { "summary": "Return the configuration data for the plugin with the given name.", "operationId": "getSysPluginsCatalogTypeName", "tags": ["system"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Register a new plugin, or updates an existing one with the supplied name.", "operationId": "postSysPluginsCatalogTypeName", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "args": { "type": "array", "description": "The args passed to plugin command.", "items": { "type": "string" } }, "command": { "type": "string", "description": "The command used to start the plugin. The executable defined in this command must exist in vault's plugin directory." }, "env": { "type": "array", "description": "The environment variables passed to plugin command. Each entry is of the form \"key=value\".", "items": { "type": "string" } }, "sha256": { "type": "string", "description": "The SHA256 sum of the executable used in the command field. This should be HEX encoded." }, "sha_256": { "type": "string", "description": "The SHA256 sum of the executable used in the command field. This should be HEX encoded." } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Remove the plugin with the given name.", "operationId": "deleteSysPluginsCatalogTypeName", "tags": ["system"], "responses": { "204": { "description": "empty body" } } } }, "/sys/plugins/reload/backend": { "description": "Reload mounts that use a particular backend plugin.", "post": { "summary": "Reload mounted plugin backends.", "description": "Either the plugin name (`plugin`) or the desired plugin backend mounts (`mounts`) must be provided, but not both. In the case that the plugin name is provided, all mounted paths that use that plugin backend will be reloaded. If (`scope`) is provided and is (`global`), the plugin(s) are reloaded globally.", "operationId": "postSysPluginsReloadBackend", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "mounts": { "type": "array", "description": "The mount paths of the plugin backends to reload.", "items": { "type": "string" } }, "plugin": { "type": "string", "description": "The name of the plugin to reload, as registered in the plugin catalog." }, "scope": { "type": "string" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/plugins/reload/backend/status": { "get": { "summary": "Get the status of a cluster-scoped reload.", "description": "The reload_id returned by a cluster scoped reload must be provided.", "operationId": "getSysPluginsReloadBackendStatus", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/policies/acl": { "description": "List the configured access control policies.", "get": { "summary": "List the configured access control policies.", "operationId": "getSysPoliciesAcl", "tags": ["system"], "parameters": [{ "name": "list", "description": "Return a list if `true`", "in": "query", "schema": { "type": "string" } }], "responses": { "200": { "description": "OK" } } } }, "/sys/policies/acl/{name}": { "description": "Read, Modify, or Delete an access control policy.", "parameters": [{ "name": "name", "description": "The name of the policy. Example: \"ops\"", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "summary": "Retrieve information about the named ACL policy.", "operationId": "getSysPoliciesAclName", "tags": ["system"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Add a new or update an existing ACL policy.", "operationId": "postSysPoliciesAclName", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "policy": { "type": "string", "description": "The rules of the policy." } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Delete the ACL policy with the given name.", "operationId": "deleteSysPoliciesAclName", "tags": ["system"], "responses": { "204": { "description": "empty body" } } } }, "/sys/policies/egp": { "description": "List the configured access control policies.", "get": { "summary": "List the configured access control policies.", "operationId": "getSysPoliciesEgp", "tags": ["system"], "parameters": [{ "name": "list", "description": "Return a list if `true`", "in": "query", "schema": { "type": "string" } }], "responses": { "200": { "description": "OK" } } } }, "/sys/policies/egp/{name}": { "description": "Read, Modify, or Delete an access control policy.", "parameters": [{ "name": "name", "description": "The name of the policy. Example: \"ops\"", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "summary": "Read, Modify, or Delete an access control policy.", "operationId": "getSysPoliciesEgpName", "tags": ["system"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Read, Modify, or Delete an access control policy.", "operationId": "postSysPoliciesEgpName", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "enforcement_level": { "type": "string", "description": "The enforcement level to apply to the policy." }, "paths": { "type": "array", "description": "The paths on which the policy should be applied.", "items": { "type": "string" } }, "policy": { "type": "string", "description": "The rules of the policy." } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Read, Modify, or Delete an access control policy.", "operationId": "deleteSysPoliciesEgpName", "tags": ["system"], "responses": { "204": { "description": "empty body" } } } }, "/sys/policies/password/{name}": { "description": "Read, Modify, or Delete a password policy.", "parameters": [{ "name": "name", "description": "The name of the password policy.", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "summary": "Retrieve an existing password policy.", "operationId": "getSysPoliciesPasswordName", "tags": ["system"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Add a new or update an existing password policy.", "operationId": "postSysPoliciesPasswordName", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "policy": { "type": "string", "description": "The password policy" } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Delete a password policy.", "operationId": "deleteSysPoliciesPasswordName", "tags": ["system"], "responses": { "204": { "description": "empty body" } } } }, "/sys/policies/password/{name}/generate": { "description": "Generate a password from an existing password policy.", "parameters": [{ "name": "name", "description": "The name of the password policy.", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "summary": "Generate a password from an existing password policy.", "operationId": "getSysPoliciesPasswordNameGenerate", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/policies/rgp": { "description": "List the configured access control policies.", "get": { "summary": "List the configured access control policies.", "operationId": "getSysPoliciesRgp", "tags": ["system"], "parameters": [{ "name": "list", "description": "Return a list if `true`", "in": "query", "schema": { "type": "string" } }], "responses": { "200": { "description": "OK" } } } }, "/sys/policies/rgp/{name}": { "description": "Read, Modify, or Delete an access control policy.", "parameters": [{ "name": "name", "description": "The name of the policy. Example: \"ops\"", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "summary": "Read, Modify, or Delete an access control policy.", "operationId": "getSysPoliciesRgpName", "tags": ["system"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Read, Modify, or Delete an access control policy.", "operationId": "postSysPoliciesRgpName", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "enforcement_level": { "type": "string", "description": "The enforcement level to apply to the policy." }, "policy": { "type": "string", "description": "The rules of the policy." } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Read, Modify, or Delete an access control policy.", "operationId": "deleteSysPoliciesRgpName", "tags": ["system"], "responses": { "204": { "description": "empty body" } } } }, "/sys/policy": { "description": "List the configured access control policies.", "get": { "summary": "List the configured access control policies.", "operationId": "getSysPolicy", "tags": ["system"], "parameters": [{ "name": "list", "description": "Return a list if `true`", "in": "query", "schema": { "type": "string" } }], "responses": { "200": { "description": "OK" } } } }, "/sys/policy/{name}": { "description": "Read, Modify, or Delete an access control policy.", "parameters": [{ "name": "name", "description": "The name of the policy. Example: \"ops\"", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "summary": "Retrieve the policy body for the named policy.", "operationId": "getSysPolicyName", "tags": ["system"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Add a new or update an existing policy.", "operationId": "postSysPolicyName", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "policy": { "type": "string", "description": "The rules of the policy." }, "rules": { "type": "string", "description": "The rules of the policy.", "deprecated": true } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Delete the policy with the given name.", "operationId": "deleteSysPolicyName", "tags": ["system"], "responses": { "204": { "description": "empty body" } } } }, "/sys/pprof/": { "get": { "summary": "Returns an HTML page listing the available profiles.", "description": "Returns an HTML page listing the available \nprofiles. This should be mainly accessed via browsers or applications that can \nrender pages.", "operationId": "getSysPprof", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/pprof/cmdline": { "get": { "summary": "Returns the running program's command line.", "description": "Returns the running program's command line, with arguments separated by NUL bytes.", "operationId": "getSysPprofCmdline", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/pprof/goroutine": { "get": { "summary": "Returns stack traces of all current goroutines.", "description": "Returns stack traces of all current goroutines.", "operationId": "getSysPprofGoroutine", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/pprof/heap": { "get": { "summary": "Returns a sampling of memory allocations of live object.", "description": "Returns a sampling of memory allocations of live object.", "operationId": "getSysPprofHeap", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/pprof/profile": { "get": { "summary": "Returns a pprof-formatted cpu profile payload.", "description": "Returns a pprof-formatted cpu profile payload. Profiling lasts for duration specified in seconds GET parameter, or for 30 seconds if not specified.", "operationId": "getSysPprofProfile", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/pprof/symbol": { "get": { "summary": "Returns the program counters listed in the request.", "description": "Returns the program counters listed in the request.", "operationId": "getSysPprofSymbol", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/pprof/trace": { "get": { "summary": "Returns the execution trace in binary form.", "description": "Returns the execution trace in binary form. Tracing lasts for duration specified in seconds GET parameter, or for 1 second if not specified.", "operationId": "getSysPprofTrace", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/quotas/config": { "description": "Create, update and read the quota configuration.", "get": { "operationId": "getSysQuotasConfig", "tags": ["system"], "responses": { "200": { "description": "OK" } } }, "post": { "operationId": "postSysQuotasConfig", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "enable_rate_limit_audit_logging": { "type": "boolean", "description": "If set, starts audit logging of requests that get rejected due to rate limit quota rule violations." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/quotas/lease-count": { "description": "Lists the names of all the lease count quotas.", "get": { "operationId": "getSysQuotasLeaseCount", "tags": ["system"], "parameters": [{ "name": "list", "description": "Return a list if `true`", "in": "query", "schema": { "type": "string" } }], "responses": { "200": { "description": "OK" } } } }, "/sys/quotas/lease-count/{name}": { "description": "Get, create or update lease count resource quota for an optional namespace or mount.", "parameters": [{ "name": "name", "description": "Name of the quota rule.", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "operationId": "getSysQuotasLeaseCountName", "tags": ["system"], "responses": { "200": { "description": "OK" } } }, "post": { "operationId": "postSysQuotasLeaseCountName", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "max_leases": { "type": "integer", "description": "Maximum number of leases allowed by the quota rule." }, "path": { "type": "string", "description": "Path including the applicable namespace prefix." }, "type": { "type": "string", "description": "Type of the quota rule." } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "operationId": "deleteSysQuotasLeaseCountName", "tags": ["system"], "responses": { "204": { "description": "empty body" } } } }, "/sys/quotas/rate-limit": { "description": "Lists the names of all the rate limit quotas.", "get": { "operationId": "getSysQuotasRateLimit", "tags": ["system"], "parameters": [{ "name": "list", "description": "Return a list if `true`", "in": "query", "schema": { "type": "string" } }], "responses": { "200": { "description": "OK" } } } }, "/sys/quotas/rate-limit/{name}": { "description": "Get, create or update rate limit resource quota for an optional namespace or mount.", "parameters": [{ "name": "name", "description": "Name of the quota rule.", "in": "path", "schema": { "type": "string" }, "required": true }], "get": { "operationId": "getSysQuotasRateLimitName", "tags": ["system"], "responses": { "200": { "description": "OK" } } }, "post": { "operationId": "postSysQuotasRateLimitName", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "path": { "type": "string", "description": "Path of the mount or namespace to apply the quota. A blank path configures a global quota. For example namespace1/ adds a quota to a full namespace, namespace1/auth/userpass adds a quota to userpass in namespace1." }, "rate": { "description": "The maximum number of requests at any given second to be allowed by the quota rule. The 'rate' must be positive.", "format": "unknown" }, "type": { "type": "string", "description": "Type of the quota rule." } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "operationId": "deleteSysQuotasRateLimitName", "tags": ["system"], "responses": { "204": { "description": "empty body" } } } }, "/sys/rekey/backup": { "description": "Allows fetching or deleting the backup of the rotated unseal keys.", "get": { "summary": "Return the backup copy of PGP-encrypted unseal keys.", "operationId": "getSysRekeyBackup", "tags": ["system"], "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Delete the backup copy of PGP-encrypted unseal keys.", "operationId": "deleteSysRekeyBackup", "tags": ["system"], "responses": { "204": { "description": "empty body" } } } }, "/sys/rekey/init": { "x-vault-unauthenticated": true, "get": { "summary": "Reads the configuration and progress of the current rekey attempt.", "operationId": "getSysRekeyInit", "tags": ["system"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Initializes a new rekey attempt.", "description": "Only a single rekey attempt can take place at a time, and changing the parameters of a rekey requires canceling and starting a new rekey, which will also provide a new nonce.", "operationId": "postSysRekeyInit", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "backup": { "type": "boolean", "description": "Specifies if using PGP-encrypted keys, whether Vault should also store a plaintext backup of the PGP-encrypted keys." }, "pgp_keys": { "type": "array", "description": "Specifies an array of PGP public keys used to encrypt the output unseal keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as secret_shares.", "items": { "type": "string" } }, "require_verification": { "type": "boolean", "description": "Turns on verification functionality" }, "secret_shares": { "type": "integer", "description": "Specifies the number of shares to split the master key into." }, "secret_threshold": { "type": "integer", "description": "Specifies the number of shares required to reconstruct the master key. This must be less than or equal secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as secret_shares." } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Cancels any in-progress rekey.", "description": "This clears the rekey settings as well as any progress made. This must be called to change the parameters of the rekey. Note: verification is still a part of a rekey. If rekeying is canceled during the verification flow, the current unseal keys remain valid.", "operationId": "deleteSysRekeyInit", "tags": ["system"], "responses": { "204": { "description": "empty body" } } } }, "/sys/rekey/recovery-key-backup": { "description": "Allows fetching or deleting the backup of the rotated unseal keys.", "get": { "summary": "Allows fetching or deleting the backup of the rotated unseal keys.", "operationId": "getSysRekeyRecoveryKeyBackup", "tags": ["system"], "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Allows fetching or deleting the backup of the rotated unseal keys.", "operationId": "deleteSysRekeyRecoveryKeyBackup", "tags": ["system"], "responses": { "204": { "description": "empty body" } } } }, "/sys/rekey/update": { "x-vault-unauthenticated": true, "post": { "summary": "Enter a single master key share to progress the rekey of the Vault.", "operationId": "postSysRekeyUpdate", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "key": { "type": "string", "description": "Specifies a single master key share." }, "nonce": { "type": "string", "description": "Specifies the nonce of the rekey attempt." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/rekey/verify": { "x-vault-unauthenticated": true, "get": { "summary": "Read the configuration and progress of the current rekey verification attempt.", "operationId": "getSysRekeyVerify", "tags": ["system"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Enter a single new key share to progress the rekey verification operation.", "operationId": "postSysRekeyVerify", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "key": { "type": "string", "description": "Specifies a single master share key from the new set of shares." }, "nonce": { "type": "string", "description": "Specifies the nonce of the rekey verification operation." } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "summary": "Cancel any in-progress rekey verification operation.", "description": "This clears any progress made and resets the nonce. Unlike a `DELETE` against `sys/rekey/init`, this only resets the current verification operation, not the entire rekey atttempt.", "operationId": "deleteSysRekeyVerify", "tags": ["system"], "responses": { "204": { "description": "empty body" } } } }, "/sys/remount": { "description": "Move the mount point of an already-mounted backend.", "x-vault-sudo": true, "post": { "summary": "Move the mount point of an already-mounted backend.", "operationId": "postSysRemount", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "from": { "type": "string", "description": "The previous mount point." }, "to": { "type": "string", "description": "The new mount point." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/renew": { "description": "Renew a lease on a secret", "post": { "summary": "Renews a lease, requesting to extend the lease.", "operationId": "postSysRenew", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "increment": { "type": "integer", "description": "The desired increment in seconds to the lease", "format": "seconds" }, "lease_id": { "type": "string", "description": "The lease identifier to renew. This is included with a lease." }, "url_lease_id": { "type": "string", "description": "The lease identifier to renew. This is included with a lease." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/renew/{url_lease_id}": { "description": "Renew a lease on a secret", "parameters": [{ "name": "url_lease_id", "description": "The lease identifier to renew. This is included with a lease.", "in": "path", "schema": { "type": "string" }, "required": true }], "post": { "summary": "Renews a lease, requesting to extend the lease.", "operationId": "postSysRenewUrl_lease_id", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "increment": { "type": "integer", "description": "The desired increment in seconds to the lease", "format": "seconds" }, "lease_id": { "type": "string", "description": "The lease identifier to renew. This is included with a lease." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/replication/dr/primary/demote": { "post": { "operationId": "postSysReplicationDrPrimaryDemote", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/replication/dr/primary/disable": { "post": { "operationId": "postSysReplicationDrPrimaryDisable", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/replication/dr/primary/enable": { "post": { "operationId": "postSysReplicationDrPrimaryEnable", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "primary_cluster_addr": { "type": "string", "description": "The address the secondary cluster should connect to. Defaults to the primary's cluster address." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/replication/dr/primary/revoke-secondary": { "post": { "operationId": "postSysReplicationDrPrimaryRevokeSecondary", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "id": { "type": "string", "description": "The secondary cluster ID to revoke" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/replication/dr/primary/secondary-token": { "x-vault-sudo": true, "post": { "operationId": "postSysReplicationDrPrimarySecondaryToken", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "id": { "type": "string", "description": "An opaque identifier that can be used to identify and revoke a secondary cluster's access later.", "pattern": "\\w([\\w-.]*\\w)?" }, "secondary_public_key": { "type": "string", "description": "A base64-encoded public key generated by the secondary cluster." }, "ttl": { "type": "integer", "description": "The TTL to use for the secondary activation token. Defaults to 30 minutes.", "format": "seconds", "default": "30m" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/replication/dr/secondary/disable": { "x-vault-unauthenticated": true, "post": { "operationId": "postSysReplicationDrSecondaryDisable", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "dr_operation_token": { "type": "string", "description": "DR operation token used to authorize this request." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/replication/dr/secondary/enable": { "post": { "operationId": "postSysReplicationDrSecondaryEnable", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "ca_file": { "type": "string", "description": "A path to a file containing a PEM-encoded CA certificate to verify the call against the primary's API address" }, "ca_path": { "type": "string", "description": "A path to a directory containing PEM-encoded CA certificates to verify the call against the primary's API address" }, "client_cert_pem": { "type": "string", "description": "The client certificate to use for authentication, in PEM format. Note: client authentication for this operation will always use TLS 1.2 or higher." }, "client_key_pem": { "type": "string", "description": "The client key to use for authentication, in PEM format." }, "primary_api_addr": { "type": "string", "description": "The API address of the primary. If not set, the value the primary supplies in the token will be used, which is the primary's redirect address." }, "token": { "type": "string", "description": "The token given by the primary to activate secondary status for this cluster." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/replication/dr/secondary/generate-public-key": { "post": { "operationId": "postSysReplicationDrSecondaryGeneratePublicKey", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/replication/dr/secondary/license": { "description": "The path responds to the following HTTP methods. GET / Returns information on the installed license POST Sets the license for the server", "x-vault-unauthenticated": true, "get": { "summary": "The path responds to the following HTTP methods.\n\n GET /\n Returns information on the installed license\n\n POST\n Sets the license for the server", "operationId": "getSysReplicationDrSecondaryLicense", "tags": ["system"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "The path responds to the following HTTP methods.\n\n GET /\n Returns information on the installed license\n\n POST\n Sets the license for the server", "operationId": "postSysReplicationDrSecondaryLicense", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "dr_operation_token": { "type": "string", "description": "DR operation token used to authorize this request." }, "text": { "type": "string", "description": "The text of the license." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/replication/dr/secondary/operation-token/delete": { "x-vault-unauthenticated": true, "post": { "operationId": "postSysReplicationDrSecondaryOperationTokenDelete", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "dr_operation_token": { "type": "string", "description": "DR operation token used to authorize this request." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/replication/dr/secondary/promote": { "x-vault-unauthenticated": true, "post": { "operationId": "postSysReplicationDrSecondaryPromote", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "dr_operation_token": { "type": "string", "description": "DR operation token used to authorize this request." }, "force": { "type": "boolean", "description": "Set to true if the cluster should be promoted despite replication being in an error state. This could mean some data was not replicated to the secondary" }, "primary_cluster_addr": { "type": "string", "description": "The address the secondary cluster should connect to. Defaults to the primary's cluster address." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/replication/dr/secondary/recover": { "x-vault-unauthenticated": true, "post": { "operationId": "postSysReplicationDrSecondaryRecover", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "dr_operation_token": { "type": "string", "description": "DR operation token used to authorize this request." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/replication/dr/secondary/reindex": { "x-vault-unauthenticated": true, "post": { "operationId": "postSysReplicationDrSecondaryReindex", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "diff": { "type": "boolean", "description": "Enables a slower re-indexing which will perform a key level check to diagnose issues. Defaults false." }, "dr_operation_token": { "type": "string", "description": "DR operation token used to authorize this request." }, "force": { "type": "boolean", "description": "Forces a complete re-indexing which only scans data available in the storage. Defaults false." }, "skip_flush": { "type": "boolean", "description": "Skips the tree flushing stage of the reindex process. This setting can be used to reduce the amount of time the tree is locked during a reindex process. If this node is killed before the full tree has been asynchronously flushed the reindex may not have applied fully and a new reindex may need to be done. Shutting down this node cleanly will cause the tree to be flushed prior to shutdown. Defaults false." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/replication/dr/secondary/update-primary": { "x-vault-unauthenticated": true, "post": { "operationId": "postSysReplicationDrSecondaryUpdatePrimary", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "ca_file": { "type": "string", "description": "A path to a file containing a PEM-encoded CA certificate to verify the call against the primary's API address" }, "ca_path": { "type": "string", "description": "A path to a directory containing PEM-encoded CA certificates to verify the call against the primary's API address" }, "client_cert_pem": { "type": "string", "description": "The client certificate to use for authentication, in PEM format. Note: client authentication for this operation will always use TLS 1.2 or higher." }, "client_key_pem": { "type": "string", "description": "The client key to use for authentication, in PEM format." }, "dr_operation_token": { "type": "string", "description": "DR operation token used to authorize this request." }, "primary_api_addr": { "type": "string", "description": "The API address of the primary. If not set, the value the primary supplies in the token will be used, which is the primary's redirect address." }, "token": { "type": "string", "description": "The token given by the primary to activate secondary status for this cluster." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/replication/dr/status": { "x-vault-unauthenticated": true, "get": { "operationId": "getSysReplicationDrStatus", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/replication/performance/primary/demote": { "post": { "operationId": "postSysReplicationPerformancePrimaryDemote", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/replication/performance/primary/disable": { "post": { "operationId": "postSysReplicationPerformancePrimaryDisable", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/replication/performance/primary/dynamic-filter/{id}": { "parameters": [{ "name": "id", "description": "The opaque identifier used to identify the secondary.", "in": "path", "schema": { "type": "string", "pattern": "\\w([\\w-.]*\\w)?" }, "required": true }], "get": { "operationId": "getSysReplicationPerformancePrimaryDynamicFilterId", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/replication/performance/primary/enable": { "post": { "operationId": "postSysReplicationPerformancePrimaryEnable", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "primary_cluster_addr": { "type": "string", "description": "The address the secondary cluster should connect to. Defaults to the primary's cluster address." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/replication/performance/primary/mount-filter/{id}": { "parameters": [{ "name": "id", "description": "The opaque identifier used to identify the secondary.", "in": "path", "schema": { "type": "string", "pattern": "\\w([\\w-.]*\\w)?" }, "required": true }], "get": { "operationId": "getSysReplicationPerformancePrimaryMountFilterId", "tags": ["system"], "responses": { "200": { "description": "OK" } } }, "post": { "operationId": "postSysReplicationPerformancePrimaryMountFilterId", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "mode": { "type": "string", "description": "The filter mode for the mount paths (whitelist or blacklist). Defaults to whitelist.", "default": "allow" }, "paths": { "type": "array", "description": "The paths to the mount to filter in replication.", "items": { "type": "string" } } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "operationId": "deleteSysReplicationPerformancePrimaryMountFilterId", "tags": ["system"], "responses": { "204": { "description": "empty body" } } } }, "/sys/replication/performance/primary/paths-filter/{id}": { "parameters": [{ "name": "id", "description": "The opaque identifier used to identify the secondary.", "in": "path", "schema": { "type": "string", "pattern": "\\w([\\w-.]*\\w)?" }, "required": true }], "get": { "operationId": "getSysReplicationPerformancePrimaryPathsFilterId", "tags": ["system"], "responses": { "200": { "description": "OK" } } }, "post": { "operationId": "postSysReplicationPerformancePrimaryPathsFilterId", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "mode": { "type": "string", "description": "The filter mode for the paths filter (allow or deny). Defaults to allow.", "default": "allow" }, "paths": { "type": "array", "description": "The paths to filter in replication. Must be a mount or a namespace.", "items": { "type": "string" } } } } } } }, "responses": { "200": { "description": "OK" } } }, "delete": { "operationId": "deleteSysReplicationPerformancePrimaryPathsFilterId", "tags": ["system"], "responses": { "204": { "description": "empty body" } } } }, "/sys/replication/performance/primary/revoke-secondary": { "post": { "operationId": "postSysReplicationPerformancePrimaryRevokeSecondary", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "id": { "type": "string", "description": "The secondary cluster ID to revoke" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/replication/performance/primary/secondary-token": { "x-vault-sudo": true, "post": { "operationId": "postSysReplicationPerformancePrimarySecondaryToken", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "id": { "type": "string", "description": "An opaque identifier that can be used to identify and revoke a secondary cluster's access later.", "pattern": "\\w([\\w-.]*\\w)?" }, "secondary_public_key": { "type": "string", "description": "A base64-encoded public key generated by the secondary cluster." }, "ttl": { "type": "integer", "description": "The TTL to use for the secondary activation token. Defaults to 30 minutes.", "format": "seconds", "default": "30m" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/replication/performance/secondary/disable": { "post": { "operationId": "postSysReplicationPerformanceSecondaryDisable", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/replication/performance/secondary/dynamic-filter/{id}": { "parameters": [{ "name": "id", "description": "The opaque identifier used to identify the secondary.", "in": "path", "schema": { "type": "string", "pattern": "\\w([\\w-.]*\\w)?" }, "required": true }], "get": { "operationId": "getSysReplicationPerformanceSecondaryDynamicFilterId", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/replication/performance/secondary/enable": { "post": { "operationId": "postSysReplicationPerformanceSecondaryEnable", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "ca_file": { "type": "string", "description": "A path to a file containing a PEM-encoded CA certificate to verify the call against the primary's API address" }, "ca_path": { "type": "string", "description": "A path to a directory containing PEM-encoded CA certificates to verify the call against the primary's API address" }, "client_cert_pem": { "type": "string", "description": "The client certificate to use for authentication, in PEM format. Note: client authentication for this operation will always use TLS 1.2 or higher." }, "client_key_pem": { "type": "string", "description": "The client key to use for authentication, in PEM format." }, "primary_api_addr": { "type": "string", "description": "The API address of the primary. If not set, the value the primary supplies in the token will be used, which is the primary's redirect address." }, "token": { "type": "string", "description": "The token given by the primary to activate secondary status for this cluster." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/replication/performance/secondary/generate-public-key": { "post": { "operationId": "postSysReplicationPerformanceSecondaryGeneratePublicKey", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/replication/performance/secondary/promote": { "post": { "operationId": "postSysReplicationPerformanceSecondaryPromote", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "force": { "type": "boolean", "description": "Set to true if the cluster should be promoted despite replication being in an error state. This could mean some data was not replicated to the secondary" }, "primary_cluster_addr": { "type": "string", "description": "The address the secondary cluster should connect to. Defaults to the primary's cluster address." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/replication/performance/secondary/update-primary": { "post": { "operationId": "postSysReplicationPerformanceSecondaryUpdatePrimary", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "ca_file": { "type": "string", "description": "A path to a file containing a PEM-encoded CA certificate to verify the call against the primary's API address" }, "ca_path": { "type": "string", "description": "A path to a directory containing PEM-encoded CA certificates to verify the call against the primary's API address" }, "client_cert_pem": { "type": "string", "description": "The client certificate to use for authentication, in PEM format. Note: client authentication for this operation will always use TLS 1.2 or higher." }, "client_key_pem": { "type": "string", "description": "The client key to use for authentication, in PEM format." }, "primary_api_addr": { "type": "string", "description": "The API address of the primary. If not set, the value the primary supplies in the token will be used, which is the primary's redirect address." }, "token": { "type": "string", "description": "The token given by the primary to activate secondary status for this cluster." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/replication/performance/status": { "x-vault-unauthenticated": true, "get": { "operationId": "getSysReplicationPerformanceStatus", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/replication/primary/demote": { "post": { "operationId": "postSysReplicationPrimaryDemote", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/replication/primary/disable": { "post": { "operationId": "postSysReplicationPrimaryDisable", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/replication/primary/enable": { "post": { "operationId": "postSysReplicationPrimaryEnable", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "primary_cluster_addr": { "type": "string", "description": "The address the secondary cluster should connect to. Defaults to the primary's cluster address." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/replication/primary/revoke-secondary": { "post": { "operationId": "postSysReplicationPrimaryRevokeSecondary", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "id": { "type": "string", "description": "The secondary cluster ID to revoke", "pattern": "\\w([\\w-.]*\\w)?" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/replication/primary/secondary-token": { "x-vault-sudo": true, "post": { "operationId": "postSysReplicationPrimarySecondaryToken", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "id": { "type": "string", "description": "An opaque identifier that can be used to identify and revoke a secondary cluster's access later.", "pattern": "\\w([\\w-.]*\\w)?" }, "secondary_public_key": { "type": "string", "description": "A base64-encoded public key generated by the secondary cluster." }, "ttl": { "type": "integer", "description": "The TTL to use for the secondary activation token. Defaults to 30 minutes.", "format": "seconds", "default": "30m" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/replication/recover": { "post": { "operationId": "postSysReplicationRecover", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/replication/reindex": { "x-vault-sudo": true, "post": { "operationId": "postSysReplicationReindex", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "diff": { "type": "boolean", "description": "Enables a slower re-indexing which will perform a key level check to diagnose issues. Defaults false." }, "force": { "type": "boolean", "description": "Forces a complete re-indexing which only scans data available in the storage. Defaults false." }, "skip_flush": { "type": "boolean", "description": "Skips the tree flushing stage of the reindex process. This setting can be used to reduce the amount of time the tree is locked during a reindex process. If this node is killed before the full tree has been asynchronously flushed the reindex may not have applied fully and a new reindex may need to be done. Shutting down this node cleanly will cause the tree to be flushed prior to shutdown. Defaults false." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/replication/secondary/disable": { "post": { "operationId": "postSysReplicationSecondaryDisable", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/replication/secondary/enable": { "post": { "operationId": "postSysReplicationSecondaryEnable", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "ca_file": { "type": "string", "description": "A path to a file containing a PEM-encoded CA certificate to verify the call against the primary's API address" }, "ca_path": { "type": "string", "description": "A path to a directory containing PEM-encoded CA certificates to verify the call against the primary's API address" }, "client_cert_pem": { "type": "string", "description": "The client certificate to use for authentication, in PEM format. Note: client authentication for this operation will always use TLS 1.2 or higher." }, "client_key_pem": { "type": "string", "description": "The client key to use for authentication, in PEM format." }, "primary_api_addr": { "type": "string", "description": "The API address of the primary. If not set, the value the primary supplies in the token will be used, which is the primary's redirect address." }, "token": { "type": "string", "description": "The token given by the primary to activate secondary status for this cluster." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/replication/secondary/promote": { "post": { "operationId": "postSysReplicationSecondaryPromote", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "force": { "type": "boolean", "description": "Set to true if the cluster should be promoted despite replication being in an error state. This could mean some data was not replicated to the secondary" }, "primary_cluster_addr": { "type": "string", "description": "The address the secondary cluster should connect to. Defaults to the primary's cluster address." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/replication/secondary/update-primary": { "post": { "operationId": "postSysReplicationSecondaryUpdatePrimary", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "ca_file": { "type": "string", "description": "A path to a file containing a PEM-encoded CA certificate to verify the call against the primary's API address" }, "ca_path": { "type": "string", "description": "A path to a directory containing PEM-encoded CA certificates to verify the call against the primary's API address" }, "client_cert_pem": { "type": "string", "description": "The client certificate to use for authentication, in PEM format. Note: client authentication for this operation will always use TLS 1.2 or higher." }, "client_key_pem": { "type": "string", "description": "The client key to use for authentication, in PEM format." }, "primary_api_addr": { "type": "string", "description": "The API address of the primary. If not set, the value the primary supplies in the token will be used, which is the primary's redirect address." }, "token": { "type": "string", "description": "The token given by the primary to activate secondary status for this cluster." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/replication/status": { "x-vault-unauthenticated": true, "get": { "operationId": "getSysReplicationStatus", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/revoke": { "description": "Revoke a leased secret immediately", "post": { "summary": "Revokes a lease immediately.", "operationId": "postSysRevoke", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "lease_id": { "type": "string", "description": "The lease identifier to renew. This is included with a lease." }, "sync": { "type": "boolean", "description": "Whether or not to perform the revocation synchronously", "default": true }, "url_lease_id": { "type": "string", "description": "The lease identifier to renew. This is included with a lease." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/revoke-force/{prefix}": { "description": "Revoke all secrets generated in a given prefix, ignoring errors.", "parameters": [{ "name": "prefix", "description": "The path to revoke keys under. Example: \"prod/aws/ops\"", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-sudo": true, "post": { "summary": "Revokes all secrets or tokens generated under a given prefix immediately", "description": "Unlike `/sys/leases/revoke-prefix`, this path ignores backend errors encountered during revocation. This is potentially very dangerous and should only be used in specific emergency situations where errors in the backend or the connected backend service prevent normal revocation.\n\nBy ignoring these errors, Vault abdicates responsibility for ensuring that the issued credentials or secrets are properly revoked and/or cleaned up. Access to this endpoint should be tightly controlled.", "operationId": "postSysRevokeForcePrefix", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/revoke-prefix/{prefix}": { "description": "Revoke all secrets generated in a given prefix", "parameters": [{ "name": "prefix", "description": "The path to revoke keys under. Example: \"prod/aws/ops\"", "in": "path", "schema": { "type": "string" }, "required": true }], "x-vault-sudo": true, "post": { "summary": "Revokes all secrets (via a lease ID prefix) or tokens (via the tokens' path property) generated under a given prefix immediately.", "operationId": "postSysRevokePrefixPrefix", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "sync": { "type": "boolean", "description": "Whether or not to perform the revocation synchronously", "default": true } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/revoke/{url_lease_id}": { "description": "Revoke a leased secret immediately", "parameters": [{ "name": "url_lease_id", "description": "The lease identifier to renew. This is included with a lease.", "in": "path", "schema": { "type": "string" }, "required": true }], "post": { "summary": "Revokes a lease immediately.", "operationId": "postSysRevokeUrl_lease_id", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "lease_id": { "type": "string", "description": "The lease identifier to renew. This is included with a lease." }, "sync": { "type": "boolean", "description": "Whether or not to perform the revocation synchronously", "default": true } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/rotate": { "description": "Rotates the backend encryption key used to persist data.", "x-vault-sudo": true, "post": { "summary": "Rotates the backend encryption key used to persist data.", "operationId": "postSysRotate", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/seal": { "description": "Seals the Vault.", "post": { "summary": "Seal the Vault.", "operationId": "postSysSeal", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/seal-status": { "description": "Returns the seal status of the Vault.", "x-vault-unauthenticated": true, "get": { "summary": "Check the seal status of a Vault.", "operationId": "getSysSealStatus", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/sealwrap/rewrap": { "description": "Rewrap all seal wrapped items with the latest seal key", "get": { "summary": "Retrieve the state of any ongoing seal rewrap process", "operationId": "getSysSealwrapRewrap", "tags": ["system"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Start a seal rewrap process", "operationId": "postSysSealwrapRewrap", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/step-down": { "post": { "summary": "Cause the node to give up active status.", "description": "This endpoint forces the node to give up active status. If the node does not have active status, this endpoint does nothing. Note that the node will sleep for ten seconds before attempting to grab the active lock again, but if no standby nodes grab the active lock in the interim, the same node may become the active node again.", "operationId": "postSysStepDown", "tags": ["system"], "responses": { "204": { "description": "empty body" } } } }, "/sys/storage/raft/bootstrap/answer": { "description": "Accepts an answer from the peer to be joined to the fact cluster.", "x-vault-unauthenticated": true, "post": { "summary": "Accepts an answer from the peer to be joined to the fact cluster.", "operationId": "postSysStorageRaftBootstrapAnswer", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "answer": { "type": "string" }, "cluster_addr": { "type": "string" }, "non_voter": { "type": "boolean" }, "server_id": { "type": "string" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/storage/raft/bootstrap/challenge": { "description": "Creates a challenge for the new peer to be joined to the raft cluster.", "x-vault-unauthenticated": true, "post": { "summary": "Creates a challenge for the new peer to be joined to the raft cluster.", "operationId": "postSysStorageRaftBootstrapChallenge", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "server_id": { "type": "string" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/storage/raft/configuration": { "description": "Returns the raft cluster configuration.", "get": { "summary": "Returns the configuration of the raft cluster.", "operationId": "getSysStorageRaftConfiguration", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/storage/raft/remove-peer": { "description": "Removes a peer from the raft cluster.", "post": { "summary": "Remove a peer from the raft cluster.", "operationId": "postSysStorageRaftRemovePeer", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "server_id": { "type": "string" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/storage/raft/snapshot": { "description": "Restores and saves snapshots from the raft cluster.", "get": { "summary": "Returns a snapshot of the current state of vault.", "operationId": "getSysStorageRaftSnapshot", "tags": ["system"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Installs the provided snapshot, returning the cluster to the state defined in it.", "operationId": "postSysStorageRaftSnapshot", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/storage/raft/snapshot-force": { "description": "Force restore a raft cluster snapshot", "post": { "summary": "Installs the provided snapshot, returning the cluster to the state defined in it. This bypasses checks ensuring the current Autounseal or Shamir keys are consistent with the snapshot data.", "operationId": "postSysStorageRaftSnapshotForce", "tags": ["system"], "responses": { "200": { "description": "OK" } } } }, "/sys/tools/hash": { "description": "Generate a hash sum for input data", "post": { "summary": "Generate a hash sum for input data", "operationId": "postSysToolsHash", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "algorithm": { "type": "string", "description": "Algorithm to use (POST body parameter). Valid values are: * sha2-224 * sha2-256 * sha2-384 * sha2-512 Defaults to \"sha2-256\".", "default": "sha2-256" }, "format": { "type": "string", "description": "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"hex\".", "default": "hex" }, "input": { "type": "string", "description": "The base64-encoded input data" }, "urlalgorithm": { "type": "string", "description": "Algorithm to use (POST URL parameter)" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/tools/hash/{urlalgorithm}": { "description": "Generate a hash sum for input data", "parameters": [{ "name": "urlalgorithm", "description": "Algorithm to use (POST URL parameter)", "in": "path", "schema": { "type": "string" }, "required": true }], "post": { "summary": "Generate a hash sum for input data", "operationId": "postSysToolsHashUrlalgorithm", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "algorithm": { "type": "string", "description": "Algorithm to use (POST body parameter). Valid values are: * sha2-224 * sha2-256 * sha2-384 * sha2-512 Defaults to \"sha2-256\".", "default": "sha2-256" }, "format": { "type": "string", "description": "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"hex\".", "default": "hex" }, "input": { "type": "string", "description": "The base64-encoded input data" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/tools/random": { "description": "Generate random bytes", "post": { "summary": "Generate random bytes", "operationId": "postSysToolsRandom", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "bytes": { "type": "integer", "description": "The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).", "default": 32 }, "format": { "type": "string", "description": "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"base64\".", "default": "base64" }, "urlbytes": { "type": "string", "description": "The number of bytes to generate (POST URL parameter)" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/tools/random/{urlbytes}": { "description": "Generate random bytes", "parameters": [{ "name": "urlbytes", "description": "The number of bytes to generate (POST URL parameter)", "in": "path", "schema": { "type": "string" }, "required": true }], "post": { "summary": "Generate random bytes", "operationId": "postSysToolsRandomUrlbytes", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "bytes": { "type": "integer", "description": "The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).", "default": 32 }, "format": { "type": "string", "description": "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"base64\".", "default": "base64" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/unseal": { "description": "Unseals the Vault.", "x-vault-unauthenticated": true, "post": { "summary": "Unseal the Vault.", "operationId": "postSysUnseal", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "key": { "type": "string", "description": "Specifies a single master key share. This is required unless reset is true." }, "reset": { "type": "boolean", "description": "Specifies if previously-provided unseal keys are discarded and the unseal process is reset." } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/wrapping/lookup": { "description": "Looks up the properties of a response-wrapped token.", "x-vault-unauthenticated": true, "get": { "summary": "Look up wrapping properties for the requester's token.", "operationId": "getSysWrappingLookup", "tags": ["system"], "responses": { "200": { "description": "OK" } } }, "post": { "summary": "Look up wrapping properties for the given token.", "operationId": "postSysWrappingLookup", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "token": { "type": "string" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/wrapping/rewrap": { "description": "Rotates a response-wrapped token.", "post": { "summary": "Rotates a response-wrapped token.", "operationId": "postSysWrappingRewrap", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "token": { "type": "string" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/wrapping/unwrap": { "description": "Unwraps a response-wrapped token.", "post": { "summary": "Unwraps a response-wrapped token.", "operationId": "postSysWrappingUnwrap", "tags": ["system"], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "token": { "type": "string" } } } } } }, "responses": { "200": { "description": "OK" } } } }, "/sys/wrapping/wrap": { "description": "Response-wraps an arbitrary JSON object.", "post": { "summary": "Response-wraps an arbitrary JSON object.", "operationId": "postSysWrappingWrap", "tags": ["system"], "responses": { "200": { "description": "OK" } } } } } }