HTTP API that gives you full access to Vault. All API routes are prefixed with /v1/.
Configure the AD server to connect to, along with password options.
This operation has no parameters
Delete a library set.
Manage roles to build links between Vault and Active Directory service accounts.
Configure the access key and secret to use for RAM and STS calls.
This operation has no parameters
Read, write and reference policies and roles that API keys or STS credentials can be made for.
Read, write and reference IAM policies that access keys can be made for.
Configure the Azure Secret backend.
This operation has no parameters
Manage the Vault roles used to generate Azure credentials.
Deletes the secret at the specified location.
Configure connection details to a database plugin.
Manage the roles that can be created with this backend.
Manage the static roles that can be created with this backend.
Configure the GCP KMS secrets engine
This operation has no parameters
Deregister an existing key in Vault
Name of the key to deregister in Vault. If the key exists in Google Cloud KMS, it will be left untouched.
Type: string
Interact with crypto keys in Vault and Google Cloud KMS
Delete old crypto key versions from Google Cloud KMS
Update, read or delete an alias ID.
Update, read or delete an alias ID.
Update, read or delete an entity using entity ID
ID of the entity. If set, updates the corresponding existing entity.
Type: string
Update, read or delete an entity using entity name
Update or delete an existing group using its ID.
ID of the group. If set, updates the corresponding existing group.
Type: string
CRUD operations for OIDC keys.
CRUD operations on OIDC Roles
Update, read or delete an alias ID.
This operation has no parameters
Configure the lease parameters for generated tokens
This operation has no parameters
Manage the roles that can be created with this backend.
Deletes the root CA key to allow a new one to be generated.
This operation has no parameters
Manage the roles that can be created with this backend.
Write, Read, and Delete data in the Key-Value Store.
Configures settings for the KV store
Set the SSH private key used for signing certificates.
This operation has no parameters
Assign zero address as default CIDR block for select roles.
This operation has no parameters
Register a shared private key with Vault.
Manage the 'roles' that can be created with this backend.
Disable the audit device at the given path.
The name of the backend. Cannot be delimited. Example: "mysql"
Type: string
Disable the auth method at the given auth path
Disable auditing of the given request header.
Remove any CORS settings.
This operation has no parameters
Remove a UI header.
Cancels any in-progress root generation attempt.
This operation has no parameters
Cancels any in-progress root generation attempt.
This operation has no parameters
Disable the mount point specified at the given path.
Remove the plugin with the given name.
Remove the plugin with the given name.
The name of the plugin
Type: string
The type of the plugin, may be auth, secret, or database
Type: string
Delete the ACL policy with the given name.
Delete the policy with the given name.
Delete the key with given path.
This operation has no parameters
Delete the key with given path.
Delete the backup copy of PGP-encrypted unseal keys.
This operation has no parameters
This clears the rekey settings as well as any progress made. This must be called to change the parameters of the rekey. Note: verification is still a part of a rekey. If rekeying is canceled during the verification flow, the current unseal keys remain valid.
This operation has no parameters
Allows fetching or deleting the backup of the rotated unseal keys.
This operation has no parameters
This clears any progress made and resets the nonce. Unlike a DELETE against sys/rekey/init, this only resets the current verification operation, not the entire rekey attempt.
This operation has no parameters
Manage the keys that can be created with this backend.
Managed named encryption keys
Configure the AD server to connect to, along with password options.
This operation has no parameters
Retrieve a role's creds by role name.
Read a library set.
Check the status of the service accounts in a library set.
List the name of each role currently stored.
Manage roles to build links between Vault and Active Directory service accounts.
Request to rotate the root credentials.
This operation has no parameters
Configure the access key and secret to use for RAM and STS calls.
This operation has no parameters
Generate an API key or STS credential using the given role's configuration.
List the existing roles in this backend.
Read, write and reference policies and roles that API keys or STS credentials can be made for.
List token accessors, which can then be used to iterate and discover their properties or revoke them. Because this can be used to cause a denial of service, this endpoint requires 'sudo' capability in addition to 'list'.
This endpoint will lookup a token and its properties.
This operation has no parameters
This endpoint will lookup a token and its properties.
This operation has no parameters
This endpoint lists configured roles.
Configure the default lease information for generated credentials.
This operation has no parameters
Configure the root credentials that are used to manage IAM.
This operation has no parameters
Generate AWS credentials from a specific Vault role.
This operation has no parameters
List the existing roles in this backend
Read, write and reference IAM policies that access keys can be made for.
Generate AWS credentials from a specific Vault role.
Configure the Azure Secret backend.
This operation has no parameters
Request Service Principal credentials for a given Vault role.
List existing roles.
Manage the Vault roles used to generate Azure credentials.
This operation has no parameters
Retrieve the secret at the specified location.
Specifies the path of the secret.
Type: string
Return a list if true
Type: string
Configure connection details to a database plugin.
Configure connection details to a database plugin.
Request database credentials for a certain role.
Manage the roles that can be created with this backend.
Manage the roles that can be created with this backend.
Request database credentials for a certain static role. These credentials are rotated periodically.
Manage the static roles that can be created with this backend.
Manage the static roles that can be created with this backend.
This operation has no parameters
Configure the GCP KMS secrets engine
This operation has no parameters
List named keys
Configure the key in Vault
Interact with crypto keys in Vault and Google Cloud KMS
Retrieve the public key associated with the named key
Name of the key for which to get the public key. This key must already exist in Vault and Google Cloud KMS.
Type: string
List all the alias IDs.
Update, read or delete an alias ID.
List all the alias IDs.
Update, read or delete an alias ID.
List all the entity IDs
Update, read or delete an entity using entity ID
ID of the entity. If set, updates the corresponding existing entity.
Type: string
List all the entity names
Update, read or delete an entity using entity name
List all the group alias IDs.
List all the group IDs.
Update or delete an existing group using its ID.
ID of the group. If set, updates the corresponding existing group.
Type: string
OIDC configuration
This operation has no parameters
List OIDC keys
CRUD operations for OIDC keys.
List configured OIDC roles
CRUD operations on OIDC Roles
Generate an OIDC token
Retrieve public keys
This operation has no parameters
Query OIDC configurations
This operation has no parameters
List all the alias IDs.
Update, read or delete an alias ID.
This operation has no parameters
Configure the lease parameters for generated tokens
This operation has no parameters
Fetch a CA, CRL, CA Chain, or non-revoked certificate.
This operation has no parameters
Fetch a CA, CRL, CA Chain, or non-revoked certificate.
This operation has no parameters
Fetch a CA, CRL, CA Chain, or non-revoked certificate.
This operation has no parameters
Fetch a CA, CRL, CA Chain, or non-revoked certificate.
This operation has no parameters
Fetch a CA, CRL, CA Chain, or non-revoked certificate.
This operation has no parameters
Fetch a CA, CRL, CA Chain, or non-revoked certificate.
Certificate serial number, in colon- or hyphen-separated hexadecimal
Type: string
Fetch a CA, CRL, CA Chain, or non-revoked certificate.
Configure the CRL expiration.
This operation has no parameters
Set the URLs for the issuing CA, CRL distribution points, and OCSP servers.
This operation has no parameters
Fetch a CA, CRL, CA Chain, or non-revoked certificate.
This operation has no parameters
Fetch a CA, CRL, CA Chain, or non-revoked certificate.
This operation has no parameters
Force a rebuild of the CRL.
This operation has no parameters
List the existing roles in this backend
Manage the roles that can be created with this backend.
Configure the lease parameters for generated credentials
This operation has no parameters
Request RabbitMQ credentials for a certain role.
Manage the roles that can be created with this backend.
Manage the roles that can be created with this backend.
Read the backend level settings.
This operation has no parameters
Write, Read, and Delete data in the Key-Value Store.
Configures settings for the KV store
Set the SSH private key used for signing certificates.
This operation has no parameters
Assign zero address as default CIDR block for select roles.
This operation has no parameters
Retrieve the public key.
This operation has no parameters
Manage the 'roles' that can be created with this backend.
Manage the 'roles' that can be created with this backend.
List the enabled audit devices.
This operation has no parameters
List the currently enabled credential backends.
This operation has no parameters
This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via sys/mounts/auth/[auth-path]/tune.
List the request headers that are configured to be audited.
This operation has no parameters
List the information for the given request header.
Return the current CORS settings.
This operation has no parameters
The sanitized output strips configuration values in the storage, HA storage, and seals stanzas, which may contain sensitive values such as API tokens. It also removes any token or secret fields in other stanzas, such as the circonus_api_token from telemetry.
This operation has no parameters
Return a list of configured UI headers.
Return the given UI header's configuration
Read the configuration and progress of the current root generation attempt.
This operation has no parameters
Read the configuration and progress of the current root generation attempt.
This operation has no parameters
Returns the health status of Vault.
This operation has no parameters
Information about the host instance that this Vault server is running on. The information that gets collected includes host hardware information, and CPU, disk, and memory utilization.
This operation has no parameters
Returns the initialization status of Vault.
This operation has no parameters
Generate an OpenAPI 3 document of all mounted paths.
This operation has no parameters
Lists all enabled and visible auth and secrets mounts.
This operation has no parameters
Return information about the given mount.
Provides information about the backend encryption key.
This operation has no parameters
Returns the high availability status and current leader instance of Vault.
This operation has no parameters
Returns a list of lease ids.
Returns a list of lease ids.
The path to list leases under. Example: "aws/creds/deploy"
Type: string
Return a list if true
Type: string
Export the metrics aggregated for telemetry purpose.
List the currently mounted backends.
This operation has no parameters
Tune backend configuration parameters for this mount.
Lists all the plugins known to Vault
This operation has no parameters
Return the configuration data for the plugin with the given name.
List the plugins in the catalog.
The type of the plugin, may be auth, secret, or database
Type: string
Return a list if true
Type: string
Return the configuration data for the plugin with the given name.
The name of the plugin
Type: string
The type of the plugin, may be auth, secret, or database
Type: string
List the configured access control policies.
Retrieve information about the named ACL policy.
List the configured access control policies.
Retrieve the policy body for the named policy.
Returns an HTML page listing the available profiles. This should be mainly accessed via browsers or applications that can render pages.
This operation has no parameters
Returns the running program's command line, with arguments separated by NUL bytes.
This operation has no parameters
Returns stack traces of all current goroutines.
This operation has no parameters
Returns a sampling of memory allocations of live object.
This operation has no parameters
Returns a pprof-formatted cpu profile payload. Profiling lasts for duration specified in seconds GET parameter, or for 30 seconds if not specified.
This operation has no parameters
Returns the program counters listed in the request.
This operation has no parameters
Returns the execution trace in binary form. Tracing lasts for duration specified in seconds GET parameter, or for 1 second if not specified.
This operation has no parameters
Read the value of the key at the given path.
Read the value of the key at the given path.
Return the backup copy of PGP-encrypted unseal keys.
This operation has no parameters
Reads the configuration and progress of the current rekey attempt.
This operation has no parameters
Allows fetching or deleting the backup of the rotated unseal keys.
This operation has no parameters
Read the configuration and progress of the current rekey verification attempt.
This operation has no parameters
This operation has no parameters
Check the seal status of a Vault.
This operation has no parameters
Look up wrapping properties for the requester's token.
This operation has no parameters
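The wrapping lookup above is the check a consumer should run before unwrapping anything: the lookup reports the path that created the wrapping token and its TTL, so a token minted by some other operation (or one that has already been consumed and replaced) cannot be passed off as, for example, an AppRole secret-id delivery. The following is an added example, not code from the Vault API document or from Vault itself; the lookup response and the creation path in it are constructed for illustration, and the unwrap call is described as a request shape rather than sent.

```python
# Added example (not from the Vault API document or Vault's own code): verify
# a response-wrapping token's properties, as returned by sys/wrapping/lookup,
# before unwrapping it. The sample lookup response is constructed and the
# AppRole path in it is an assumption for illustration.
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, Tuple


def parse_rfc3339_utc(ts: str) -> datetime:
    """Parse Vault's RFC 3339 UTC timestamps, which may carry nanosecond fractions."""
    if not ts.endswith("Z"):
        raise ValueError("only UTC 'Z' timestamps are handled in this example")
    base, _, frac = ts[:-1].partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    if frac:
        # Python keeps microseconds; pad/truncate the 1..9 digit fraction to 6
        dt = dt.replace(microsecond=int((frac + "000000")[:6]))
    return dt.replace(tzinfo=timezone.utc)


def check_wrap_lookup(lookup: Dict[str, Any], expected_creation_path: str,
                      now: datetime, min_remaining_seconds: int = 5) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only if the wrapping token was created by
    the expected operation and still has enough lifetime left to unwrap it."""
    data = lookup.get("data", {})
    path = data.get("creation_path")
    if path != expected_creation_path:
        # A mismatch means someone substituted a token wrapped elsewhere.
        return False, f"creation_path {path!r} does not match {expected_creation_path!r}"
    created = parse_rfc3339_utc(data["creation_time"])
    expires = created + timedelta(seconds=int(data["creation_ttl"]))
    remaining = (expires - now).total_seconds()
    if remaining < min_remaining_seconds:
        return False, f"wrapping token expires in {remaining:.0f}s; treat it as spent"
    return True, "ok"


def unwrap_request(wrapping_token: str) -> Dict[str, Any]:
    """Describe the unwrap call: the wrapping token is presented as the auth token."""
    return {"method": "POST", "path": "/v1/sys/wrapping/unwrap",
            "headers": {"X-Vault-Token": wrapping_token}, "json": {}}


# Constructed sample shaped like the data section of a sys/wrapping/lookup response.
SAMPLE_LOOKUP = {
    "data": {
        "creation_path": "auth/approle/role/web/secret-id",
        "creation_time": "2024-05-01T12:00:00.123456789Z",
        "creation_ttl": 300,
    }
}

if __name__ == "__main__":
    now = parse_rfc3339_utc("2024-05-01T12:01:00Z")
    print(check_wrap_lookup(SAMPLE_LOOKUP, "auth/approle/role/web/secret-id", now))
    print(check_wrap_lookup(SAMPLE_LOOKUP, "auth/token/create", now))
```

The creation_path comparison is the part that matters: a wrapping token whose properties do not match the operation you expected should be rejected and reported, not unwrapped out of curiosity, since unwrapping it consumes it and destroys the evidence.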
Request a time-based one-time password, or validate a password, for a certain key.
Manage the keys that can be created with this backend.
Manage the keys that can be created with this backend.
Backup the named key
Returns the size of the active cache
This operation has no parameters
Export named encryption or signing key
Name of the key
Type: string
Type of key to export (encryption-key, signing-key, hmac-key)
Type: string
Export named encryption or signing key
Name of the key
Type: string
Type of key to export (encryption-key, signing-key, hmac-key)
Type: string
Version of the key
Type: string
Managed named encryption keys
Managed named encryption keys
Configure the AD server to connect to, along with password options.
Type: object
{
"last_rotation_tolerance" : "The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band.",
"bindpass" : "LDAP password for searching for the user DN (optional)",
"max_ttl" : "In seconds, the maximum password time-to-live.",
"request_timeout" : "Timeout, in seconds, for the connection when making requests against the server before returning back an error.",
"certificate" : "CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded (optional)",
"use_pre111_group_cn_behavior" : "In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.",
"case_sensitive_names" : "If true, case sensitivity will be used when comparing usernames and groups for matching policies.",
"groupattr" : "LDAP attribute to follow on objects returned by the groupfilter in order to enumerate user group membership. Examples: \"cn\" or \"memberOf\", etc. Default: cn",
"tls_min_version" : "Minimum TLS version to use. Accepted values are 'tls10', 'tls11' or 'tls12'. Defaults to 'tls12'",
"upndomain" : "Enables userPrincipalDomain login with [username]@UPNDomain (optional)",
"userattr" : "Attribute used for users (default: cn)",
"starttls" : "Issue a StartTLS command after establishing unencrypted connection (optional)",
"groupfilter" : "Go template for querying group membership of user (optional). The template can access the following context variables: UserDN, Username. Example: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))",
"length" : "The desired length of passwords that Vault generates.",
"insecure_tls" : "Skip LDAP server SSL Certificate verification - VERY insecure (optional)",
"deny_null_bind" : "Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true",
"tls_max_version" : "Maximum TLS version to use. Accepted values are 'tls10', 'tls11' or 'tls12'. Defaults to 'tls12'",
"ttl" : "In seconds, the default password time-to-live.",
"url" : "LDAP URL to connect to (default: ldap://127.0.0.1). Multiple URLs can be specified by concatenating them with commas; they will be tried in-order.",
"formatter" : "Text to insert the password into, ex. \"customPrefix{{PASSWORD}}customSuffix\".",
"binddn" : "LDAP DN for searching for the user DN (optional)",
"groupdn" : "LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org)",
"use_token_groups" : "If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.",
"discoverdn" : "Use anonymous bind to discover the bind DN of a user (optional)",
"userdn" : "LDAP domain to use for users (eg: ou=People,dc=example,dc=org)"
}
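Several of the fields above weaken the channel to the domain controller if set carelessly (insecure_tls, tls_min_version, an ldap:// URL without starttls, deny_null_bind) or the secrets the engine produces (length, ttl versus max_ttl). The following is an added example, not code from the Vault API document or from Vault itself: a pre-write lint for the config body, run over a constructed weak configuration and a constructed hardened one. The field names are those documented above; the thresholds (a 32-character minimum password length) and the set of checks are this example's own choices, and the {{PASSWORD}} placeholder check relies on the formatter syntax described for that field.

```python
# Added example (not from the Vault API document or Vault's own code): lint an
# Active Directory secrets-engine config body before writing it to the engine's
# config endpoint. Field names follow the config body above; what counts as
# "weak" and the numeric thresholds are this example's assumptions.
from typing import Any, Dict, List

TLS_ORDER = {"tls10": 0, "tls11": 1, "tls12": 2}
MIN_PASSWORD_LENGTH = 32  # assumption: shorter generated passwords are flagged


def lint_ad_config(cfg: Dict[str, Any]) -> List[str]:
    """Return findings for a config body; an empty list means nothing weak was found."""
    findings: List[str] = []

    urls = [u.strip() for u in str(cfg.get("url", "ldap://127.0.0.1")).split(",")]
    if any(u.startswith("ldap://") for u in urls) and not cfg.get("starttls", False):
        findings.append("ldap:// URL without starttls: bind password and rotated "
                        "passwords cross the network in clear")

    if cfg.get("insecure_tls", False):
        findings.append("insecure_tls=true: the AD server certificate is never verified")

    tls_min = str(cfg.get("tls_min_version", "tls12"))
    tls_max = str(cfg.get("tls_max_version", "tls12"))
    if TLS_ORDER.get(tls_min, 0) < TLS_ORDER["tls12"]:
        findings.append(f"tls_min_version={tls_min}: TLS 1.0/1.1 handshakes are accepted")
    if TLS_ORDER.get(tls_max, 0) < TLS_ORDER.get(tls_min, 0):
        findings.append("tls_max_version is below tls_min_version: no handshake can succeed")

    if cfg.get("deny_null_bind", True) is False:
        findings.append("deny_null_bind=false: an empty password may bind anonymously")

    length = int(cfg.get("length", 64))
    if length < MIN_PASSWORD_LENGTH:
        findings.append(f"length={length}: generated passwords shorter than "
                        f"{MIN_PASSWORD_LENGTH} characters")

    ttl, max_ttl = int(cfg.get("ttl", 0)), int(cfg.get("max_ttl", 0))
    if max_ttl and ttl > max_ttl:
        findings.append("ttl exceeds max_ttl: default password lifetime is longer than the maximum")

    fmt = cfg.get("formatter")
    if fmt and "{{PASSWORD}}" not in str(fmt):
        findings.append("formatter has no {{PASSWORD}} placeholder, so it never inserts the generated password")
    return findings


# Constructed sample: a configuration with the weak settings switched on.
WEAK_CONFIG = {
    "url": "ldap://dc01.corp.example",
    "binddn": "CN=vault,OU=svc,DC=corp,DC=example",
    "bindpass": "<redacted>",
    "userdn": "OU=Service Accounts,DC=corp,DC=example",
    "insecure_tls": True,
    "tls_min_version": "tls10",
    "deny_null_bind": False,
    "length": 12,
    "ttl": 30 * 86400,
    "max_ttl": 7 * 86400,
}

# Constructed sample: the same deployment with the settings corrected.
HARDENED_CONFIG = {
    "url": "ldaps://dc01.corp.example,ldaps://dc02.corp.example",
    "binddn": "CN=vault,OU=svc,DC=corp,DC=example",
    "bindpass": "<redacted>",
    "userdn": "OU=Service Accounts,DC=corp,DC=example",
    "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
    "tls_min_version": "tls12",
    "tls_max_version": "tls12",
    "deny_null_bind": True,
    "length": 64,
    "ttl": 86400,
    "max_ttl": 7 * 86400,
    "formatter": "svc-{{PASSWORD}}",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, lint_ad_config(cfg))
```

Run the lint in whatever wrapper writes the config (a CI step, a Terraform pre-check) so that a weak body is rejected before it reaches the engine; the bindpass itself never needs to be inspected for any of these checks.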
Check service accounts in to the library.
Name of the set.
Type: string
Type: object
{
"service_account_names" : [ "string" ]
}
Update a library set.
Name of the set.
Type: string
Type: object
{
"max_ttl" : "In seconds, the max amount of time a check-out's renewals should last. Defaults to 24 hours.",
"service_account_names" : [ "string" ],
"disable_check_in_enforcement" : "Disable the default behavior of requiring that check-ins are performed by the entity that checked them out.",
"ttl" : "In seconds, the amount of time a check-out should last. Defaults to 24 hours."
}
Check service accounts in to the library.
Name of the set.
Type: string
Type: object
{
"service_account_names" : [ "string" ]
}
Check a service account out from the library.
Name of the set
Type: string
Type: object
{
"ttl" : "The length of time before the check-out will expire, in seconds."
}
Manage roles to build links between Vault and Active Directory service accounts.
Name of the role
Type: string
Type: object
{
"service_account_name" : "The username/logon name for the service account with which this role will be associated.",
"ttl" : "In seconds, the default password time-to-live."
}
Configure the access key and secret to use for RAM and STS calls.
Type: object
{
"secret_key" : "Secret key with appropriate permissions.",
"access_key" : "Access key with appropriate permissions."
}
Read, write and reference policies and roles that API keys or STS credentials can be made for.
The name of the role.
Type: string
Type: object
{
"max_ttl" : "The maximum allowed lifetime of tokens issued using this role.",
"role_arn" : "ARN of the role to be assumed. If provided, inline_policies and remote_policies should be blank. At creation time, this role must have configured trusted actors, and the access key and secret that will be used to assume the role (in /config) must qualify as a trusted actor.",
"remote_policies" : [ "string" ],
"inline_policies" : "JSON of policies to be dynamically applied to users of this role.",
"ttl" : "Duration in seconds after which the issued token should expire. Defaults to 0, in which case the value will fallback to the system/mount defaults."
}
The token create path is used to create new tokens.
This operation has no parameters
The token create path is used to create new orphan tokens.
This operation has no parameters
This token create path is used to create new tokens adhering to the given role.
This endpoint will lookup a token and its properties.
This endpoint will lookup a token associated with the given accessor and its properties. Response will not contain the token ID.
This endpoint will lookup a token and its properties.
This endpoint will renew the given token and prevent expiration.
Type: object
{
"increment" : "The desired increment in seconds to the token expiration",
"token" : "Token to renew (request body)"
}
This endpoint will renew a token associated with the given accessor and its properties. Response will not contain the token ID.
Type: object
{
"accessor" : "Accessor of the token to renew (request body)",
"increment" : "The desired increment in seconds to the token expiration"
}
This endpoint will renew the token used to call it and prevent expiration.
Type: object
{
"increment" : "The desired increment in seconds to the token expiration",
"token" : "Token to renew (unused, does not need to be set)"
}
This endpoint will delete the given token and all of its child tokens.
This endpoint will delete the token associated with the accessor and all of its child tokens.
This endpoint will delete the token and orphan its child tokens.
This endpoint will delete the token used to call it and all of its child tokens.
This operation has no parameters
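Taken together, the accessor endpoints above give an operator a way to audit and clean up tokens without ever handling token IDs: list the accessors (which needs 'sudo' plus 'list'), look each one up through the accessor endpoint (the response omits the token ID), and revoke the offending ones through the accessor endpoint, which also removes their child tokens. The following is an added example, not code from the Vault API document or from Vault itself, showing the triage step over constructed lookup responses. The policy names, the accessor values, the list of auth mounts tokens are expected to come from, and the 24-hour TTL ceiling are assumptions for illustration.

```python
# Added example (not from the Vault API document or Vault's own code): triage
# the results of a token-accessor sweep and build revoke-accessor requests for
# the tokens that should not exist. The lookup responses below are constructed;
# the expected auth paths and TTL ceiling are assumptions for illustration.
from typing import Any, Dict, List, Tuple

ROOT_POLICY = "root"
# Assumption: workloads obtain tokens only through these auth mounts; anything
# minted directly through the token endpoint is worth a second look.
EXPECTED_AUTH_PATHS = ("auth/approle/", "auth/kubernetes/")


def triage_token(data: Dict[str, Any], max_ttl_seconds: int) -> List[str]:
    """Return the reasons a looked-up token is considered risky (empty if none)."""
    reasons: List[str] = []
    if ROOT_POLICY in data.get("policies", []):
        reasons.append("carries the root policy")
    ttl = int(data.get("ttl", 0))
    if ttl == 0:
        reasons.append("ttl is 0: the token never expires")
    elif ttl > max_ttl_seconds:
        reasons.append(f"ttl {ttl}s exceeds the {max_ttl_seconds}s ceiling")
    if int(data.get("period", 0)) > 0 and int(data.get("explicit_max_ttl", 0)) == 0:
        reasons.append("periodic token with no explicit max TTL: renewable indefinitely")
    path = str(data.get("path", ""))
    if not path.startswith(EXPECTED_AUTH_PATHS):
        reasons.append(f"created via {path or 'unknown path'}, not an expected auth mount")
    return reasons


def sweep(lookups: List[Dict[str, Any]], max_ttl_seconds: int = 86400) -> List[Tuple[str, List[str]]]:
    """Flag (accessor, reasons) pairs from a list of lookup-accessor responses."""
    flagged = []
    for resp in lookups:
        data = resp["data"]
        reasons = triage_token(data, max_ttl_seconds)
        if reasons:
            flagged.append((data["accessor"], reasons))
    return flagged


def revoke_requests(flagged: List[Tuple[str, List[str]]]) -> List[Dict[str, Any]]:
    """Describe one revoke-accessor call per flagged token (children are revoked too)."""
    return [{"method": "POST", "path": "/v1/auth/token/revoke-accessor",
             "json": {"accessor": accessor}} for accessor, _ in flagged]


# Constructed samples shaped like the data section of lookup-accessor responses.
SAMPLE_LOOKUPS = [
    {"data": {"accessor": "acc-web-01", "path": "auth/approle/login", "type": "service",
              "policies": ["default", "web"], "ttl": 1800, "period": 0, "explicit_max_ttl": 0}},
    {"data": {"accessor": "acc-ops-legacy", "path": "auth/token/create", "type": "service",
              "policies": ["root"], "ttl": 0, "period": 0, "explicit_max_ttl": 0}},
    {"data": {"accessor": "acc-ci-periodic", "path": "auth/token/create", "type": "service",
              "policies": ["default", "ci"], "ttl": 3600, "period": 3600, "explicit_max_ttl": 0}},
]

if __name__ == "__main__":
    for accessor, reasons in sweep(SAMPLE_LOOKUPS):
        print(accessor, reasons)
    print(revoke_requests(sweep(SAMPLE_LOOKUPS)))
```

Because the sweep works purely on accessors, the operator running it is never exposed to a token ID, and the audit log records lookups and revocations by accessor; the list call itself is the expensive part, which is why the page gates it behind 'sudo'.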
Name of the role
Type: string
Type: object
{
"bound_cidrs" : [ "string" ],
"period" : "Use 'token_period' instead.",
"token_num_uses" : "The maximum number of times a token may be used, a value of zero means unlimited",
"allowed_entity_aliases" : [ "string" ],
"token_explicit_max_ttl" : "If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.",
"path_suffix" : "If set, tokens created via this role will contain the given suffix as a part of their path. This can be used to assist use of the 'revoke-prefix' endpoint later on. The given suffix must match the regular expression \\w[\\w-.]+\\w",
"token_period" : "If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").",
"orphan" : "If true, tokens created via this role will be orphan tokens (have no parent)",
"token_type" : "The type of token to generate, service or batch",
"explicit_max_ttl" : "Use 'token_explicit_max_ttl' instead.",
"token_no_default_policy" : "If true, the 'default' policy will not automatically be added to generated tokens",
"disallowed_policies" : [ "string" ],
"allowed_policies" : [ "string" ],
"renewable" : "Tokens created via this role will be renewable or not according to this value. Defaults to \"true\".",
"token_bound_cidrs" : [ "string" ]
}
This endpoint performs cleanup tasks that can be run if certain error conditions have occurred.
This operation has no parameters
Configure the default lease information for generated credentials.
Type: object
{
"lease_max" : "Maximum time a credential is valid for.",
"lease" : "Default lease for roles."
}
Configure the root credentials that are used to manage IAM.
Type: object
{
"secret_key" : "Secret key with permission to create new keys.",
"max_retries" : "Maximum number of retries for recoverable exceptions of AWS APIs",
"access_key" : "Access key with permission to create new keys.",
"iam_endpoint" : "Endpoint to custom IAM server URL",
"sts_endpoint" : "Endpoint to custom STS server URL",
"region" : "Region for API calls."
}
Request to rotate the AWS credentials used by Vault
This operation has no parameters
Generate AWS credentials from a specific Vault role.
Type: object
{
"role_arn" : "ARN of role to assume when credential_type is assumed_role",
"name" : "Name of the role",
"ttl" : "Lifetime of the returned credentials in seconds"
}
Read, write and reference IAM policies that access keys can be made for.
Name of the policy
Type: string
Type: object
{
"credential_type" : "Type of credential to retrieve. Must be one of assumed_role, iam_user, or federation_token",
"role_arns" : [ "string" ],
"max_sts_ttl" : "Max allowed TTL for assumed_role and federation_token credential types",
"user_path" : "Path for IAM User. Only valid when credential_type is iam_user",
"permissions_boundary_arn" : "ARN of an IAM policy to attach as a permissions boundary on IAM user credentials; only valid when credential_type is iam_user",
"arn" : "Use role_arns or policy_arns instead.",
"default_sts_ttl" : "Default TTL for assumed_role and federation_token credential types when no TTL is explicitly requested with the credentials",
"policy_document" : "JSON-encoded IAM policy document. Behavior varies by credential_type. When credential_type is iam_user, then it will attach the contents of the policy_document to the IAM user generated. When credential_type is assumed_role or federation_token, this will be passed in as the Policy parameter to the AssumeRole or GetFederationToken API call, acting as a filter on permissions available.",
"policy" : "Use policy_document instead.",
"policy_arns" : [ "string" ]
}
Generate AWS credentials from a specific Vault role.
Name of the role
Type: string
Type: object
{
"role_arn" : "ARN of role to assume when credential_type is assumed_role",
"ttl" : "Lifetime of the returned credentials in seconds"
}
Configure the Azure Secret backend.
Type: object
{
"subscription_id" : "The subscription id for the Azure Active Directory. This value can also be provided with the AZURE_SUBSCRIPTION_ID environment variable.",
"tenant_id" : "The tenant id for the Azure Active Directory. This value can also be provided with the AZURE_TENANT_ID environment variable.",
"environment" : "The Azure environment name. If not provided, AzurePublicCloud is used. This value can also be provided with the AZURE_ENVIRONMENT environment variable.",
"client_secret" : "The OAuth2 client secret to connect to Azure. This value can also be provided with the AZURE_CLIENT_SECRET environment variable.",
"client_id" : "The OAuth2 client id to connect to Azure. This value can also be provided with the AZURE_CLIENT_ID environment variable."
}
Manage the Vault roles used to generate Azure credentials.
Name of the role.
Type: string
Type: object
{
"max_ttl" : "Maximum time a service principal is valid for. If not set or set to 0, will use system default.",
"application_object_id" : "Application Object ID to use for static service principal credentials.",
"azure_roles" : "JSON list of Azure roles to assign.",
"ttl" : "Default lease for generated credentials. If not set or set to 0, will use system default.",
"azure_groups" : "JSON list of Azure groups to add the service principal to."
}
Type: object
{
"address" : "Consul server address",
"scheme" : "URI scheme for the Consul address",
"token" : "Token for API calls"
}
Name of the role
Type: string
Type: object
{
"max_ttl" : "Max TTL for the Consul token created from the role.",
"policies" : [ "string" ],
"lease" : "Use ttl instead.",
"token_type" : "Which type of token to create: 'client' or 'management'. If a 'management' token, the \"policy\" parameter is not required. Defaults to 'client'.",
"ttl" : "TTL for the Consul token created from the role.",
"local" : "Indicates that the token should not be replicated globally and instead be local to the current datacenter. Available in Consul 1.4 and above.",
"policy" : "Policy document, base64 encoded. Required for 'client' tokens. Required for Consul pre-1.4."
}
Store a secret at the specified location.
Configure connection details to a database plugin.
Name of this database connection
Type: string
Type: object
{
"verify_connection" : "If true, the connection details are verified by actually connecting to the database. Defaults to true.",
"allowed_roles" : [ "string" ],
"root_rotation_statements" : [ "string" ],
"plugin_name" : "The name of a builtin or previously registered plugin known to vault. This endpoint will create an instance of that plugin type."
}
Resets a database plugin.
Manage the roles that can be created with this backend.
Name of the role.
Type: string
Type: object
{
"renew_statements" : [ "string" ],
"db_name" : "Name of the database this role acts on.",
"max_ttl" : "Maximum time a credential is valid for",
"default_ttl" : "Default ttl for role.",
"revocation_statements" : [ "string" ],
"rollback_statements" : [ "string" ],
"creation_statements" : [ "string" ]
}
Request database credentials for a certain role.
Request database credentials for a certain role.
Manage the static roles that can be created with this backend.
Name of the role.
Type: string
Type: object
{
"db_name" : "Name of the database this role acts on.",
"rotation_statements" : [ "string" ],
"rotation_period" : "Period for automatic credential rotation of the given username. Not valid unless used with \"username\".",
"username" : "Name of the static user account for Vault to manage. Requires \"rotation_period\" to be specified"
}
Type: object
{
"max_ttl" : "Maximum time a service account key is valid for. If <= 0, will use system default.",
"credentials" : "GCP IAM service account credentials JSON with permissions to create new service accounts and set IAM policies",
"ttl" : "Default lease for generated keys. If <= 0, will use system default."
}
Required. Name of the role set.
Type: string
Type: object
{
"key_type" : "Private key type for service account key - defaults to TYPE_GOOGLE_CREDENTIALS_FILE",
"key_algorithm" : "Private key algorithm for service account key - defaults to KEY_ALG_RSA_2048"
}
Required. Name of the role.
Type: string
Type: object
{
"secret_type" : "Type of secret generated for this role set. Defaults to 'access_token'",
"token_scopes" : [ "string" ],
"bindings" : "Bindings configuration string.",
"project" : "Name of the GCP project that this roleset's service account will belong to."
}
Configure the GCP KMS secrets engine
Type: object
{
"credentials" : "The credentials to use for authenticating to Google Cloud. Leave this blank to use the Default Application Credentials or instance metadata authentication.",
"scopes" : [ "string" ]
}
Decrypt a ciphertext value using a named key
Name of the key in Vault to use for decryption. This key must already exist in Vault and must map back to a Google Cloud KMS key.
Type: string
Type: object
{
"ciphertext" : "Ciphertext to decrypt as previously returned from an encrypt operation. This must be base64-encoded ciphertext as previously returned from an encrypt operation.",
"key_version" : "Integer version of the crypto key version to use for decryption. This is required for asymmetric keys. For symmetric keys, Cloud KMS will choose the correct version automatically.",
"additional_authenticated_data" : "Optional data that was specified during encryption of this payload."
}
Encrypt a plaintext value using a named key
Name of the key in Vault to use for encryption. This key must already exist in Vault and must map back to a Google Cloud KMS key.
Type: string
Type: object
{
"key_version" : "Integer version of the crypto key version to use for encryption. If unspecified, this defaults to the latest active crypto key version.",
"plaintext" : "Plaintext value to be encrypted. This can be a string or binary, but the size is limited. See the Google Cloud KMS documentation for information on size limitations by key types.",
"additional_authenticated_data" : "Optional base64-encoded data that, if specified, must also be provided to decrypt this payload."
}
Configure the key in Vault
Name of the key in Vault.
Type: string
Type: object
{
"min_version" : "Minimum allowed crypto key version. If set to a positive value, key versions less than the given value are not permitted to be used. If set to 0 or a negative value, there is no minimum key version. This value only affects encryption/re-encryption, not decryption. To restrict old values from being decrypted, increase this value and then perform a trim operation.",
"max_version" : "Maximum allowed crypto key version. If set to a positive value, key versions greater than the given value are not permitted to be used. If set to 0 or a negative value, there is no maximum key version."
}
Deregister an existing key in Vault
Name of the key to deregister in Vault. If the key exists in Google Cloud KMS, it will be left untouched.
Type: string
Interact with crypto keys in Vault and Google Cloud KMS
Name of the key in Vault.
Type: string
Type: object
{
"crypto_key" : "Name of the crypto key to use. If the given crypto key does not exist, Vault will try to create it. This defaults to the name of the key given to Vault as the parameter if unspecified.",
"protection_level" : "Level of protection to use for the key management. Valid values are \"software\" and \"hsm\". The default value is \"software\". The value cannot be changed after creation.",
"purpose" : "Purpose of the key. Valid options are \"asymmetric_decrypt\", \"asymmetric_sign\", and \"encrypt_decrypt\". The default value is \"encrypt_decrypt\". The value cannot be changed after creation.",
"key_ring" : "Full Google Cloud resource ID of the key ring with the project and location (e.g. projects/my-project/locations/global/keyRings/my-keyring). If the given key ring does not exist, Vault will try to create it during a create operation.",
"rotation_period" : "Amount of time between crypto key version rotations. This is specified as a time duration value like 72h (72 hours). The smallest possible value is 24h. This value only applies to keys with a purpose of \"encrypt_decrypt\".",
"algorithm" : "Algorithm to use for encryption, decryption, or signing. The value depends on the key purpose. The value cannot be changed after creation. For a key purpose of \"encrypt_decrypt\", the valid values are: - symmetric_encryption (default) For a key purpose of \"asymmetric_sign\", valid values are: - rsa_sign_pss_2048_sha256 - rsa_sign_pss_3072_sha256 - rsa_sign_pss_4096_sha256 - rsa_sign_pkcs1_2048_sha256 - rsa_sign_pkcs1_3072_sha256 - rsa_sign_pkcs1_4096_sha256 - ec_sign_p256_sha256 - ec_sign_p384_sha384 For a key purpose of \"asymmetric_decrypt\", valid values are: - rsa_decrypt_oaep_2048_sha256 - rsa_decrypt_oaep_3072_sha256 - rsa_decrypt_oaep_4096_sha256",
"labels" : { }
}
Register an existing crypto key in Google Cloud KMS
Name of the key to register in Vault. This will be the name used to refer to the underlying crypto key when encrypting or decrypting data.
Type: string
Type: object
{
"crypto_key" : "Full resource ID of the crypto key including the project, location, key ring, and crypto key like \"projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\". This crypto key must already exist in Google Cloud KMS unless verify is set to \"false\".",
"verify" : "Verify that the given Google Cloud KMS crypto key exists and is accessible before creating the storage entry in Vault. Set this to \"false\" if the key will not exist at creation time."
}
Rotate a crypto key to a new primary version
Name of the key to rotate. This key must already be registered with Vault and point to a valid Google Cloud KMS crypto key.
Type: string
Delete old crypto key versions from Google Cloud KMS
Re-encrypt existing ciphertext data to a new version
Name of the key to use for encryption. This key must already exist in Vault and Google Cloud KMS.
Type: string
Type: object
{
"ciphertext" : "Ciphertext to be re-encrypted to the latest key version. This must be ciphertext that Vault previously generated for this named key.",
"key_version" : "Integer version of the crypto key version to use for the new encryption. If unspecified, this defaults to the latest active crypto key version.",
"additional_authenticated_data" : "Optional data that, if specified, must also be provided during decryption."
}
Signs a message or digest using a named key
Name of the key in Vault to use for signing. This key must already exist in Vault and must map back to a Google Cloud KMS key.
Type: string
Type: object
{
"key_version" : "Integer version of the crypto key version to use for signing. This field is required.",
"digest" : "Digest to sign. This digest must use the same SHA algorithm as the underlying Cloud KMS key. The digest must be the base64-encoded binary value. This field is required."
}
Verify a signature using a named key
Name of the key in Vault to use for verification. This key must already exist in Vault and must map back to a Google Cloud KMS key.
Type: string
Type: object
{
"key_version" : "Integer version of the crypto key version to use for verification. This field is required.",
"signature" : "Base64-encoded signature to use for verification. This field is required.",
"digest" : "Digest to verify. This digest must use the same SHA algorithm as the underlying Cloud KMS key. The digest must be the base64-encoded binary value. This field is required."
}
Create a new alias.
Type: object
{
"canonical_id" : "Entity ID to which this alias belongs",
"name" : "Name of the alias",
"id" : "ID of the alias",
"entity_id" : "Entity ID to which this alias belongs. This field is deprecated in favor of 'canonical_id'.",
"mount_accessor" : "Mount accessor to which this alias belongs"
}
Update, read or delete an alias ID.
ID of the alias
Type: string
Type: object
{
"canonical_id" : "Entity ID to which this alias should be tied",
"name" : "Name of the alias",
"entity_id" : "Entity ID to which this alias should be tied. This field is deprecated in favor of 'canonical_id'.",
"mount_accessor" : "Mount accessor to which this alias belongs"
}
Create a new entity
Type: object
{
"metadata" : { },
"name" : "Name of the entity",
"policies" : [ "string" ],
"disabled" : "If set true, tokens tied to this identity will not be able to be used (but will not be revoked).",
"id" : "ID of the entity. If set, updates the corresponding existing entity."
}
Create a new alias.
Type: object
{
"canonical_id" : "Entity ID to which this alias belongs",
"name" : "Name of the alias; unused for a modify",
"id" : "ID of the entity alias. If set, updates the corresponding entity alias.",
"entity_id" : "Entity ID to which this alias belongs. This field is deprecated, use canonical_id.",
"mount_accessor" : "Mount accessor to which this alias belongs; unused for a modify"
}
Update, read or delete an alias ID.
ID of the alias
Type: string
Type: object
{
"canonical_id" : "Entity ID to which this alias should be tied",
"name" : "(Unused)",
"entity_id" : "Entity ID to which this alias belongs. This field is deprecated, use canonical_id.",
"mount_accessor" : "(Unused)"
}
Update, read or delete an entity using entity ID
ID of the entity. If set, updates the corresponding existing entity.
Type: string
Type: object
{
"metadata" : { },
"name" : "Name of the entity",
"policies" : [ "string" ],
"disabled" : "If set true, tokens tied to this identity will not be able to be used (but will not be revoked)."
}
Merge two or more entities together
Type: object
{
"from_entity_ids" : [ "string" ],
"to_entity_id" : "Entity ID into which all the other entities need to get merged",
"force" : "Setting this will follow the 'mine' strategy for merging MFA secrets. If there are secrets of the same type both in the entities being merged from and in the entity into which all others are being merged, the secrets in the destination will be left unaltered. If not set, this API will return an error listing all the conflicts."
}
Update, read or delete an entity using entity name
Name of the entity
Type: string
Type: object
{
"metadata" : { },
"policies" : [ "string" ],
"disabled" : "If set true, tokens tied to this identity will not be able to be used (but will not be revoked).",
"id" : "ID of the entity. If set, updates the corresponding existing entity."
}
Create a new group.
Type: object
{
"member_group_ids" : [ "string" ],
"metadata" : { },
"name" : "Name of the group.",
"policies" : [ "string" ],
"id" : "ID of the group. If set, updates the corresponding existing group.",
"type" : "Type of the group, 'internal' or 'external'. Defaults to 'internal'",
"member_entity_ids" : [ "string" ]
}
Creates a new group alias, or updates an existing one.
Type: object
{
"canonical_id" : "ID of the group to which this is an alias.",
"name" : "Alias of the group.",
"id" : "ID of the group alias.",
"mount_accessor" : "Mount accessor to which this alias belongs."
}
ID of the group alias.
Type: string
Type: object
{
"canonical_id" : "ID of the group to which this is an alias.",
"name" : "Alias of the group.",
"mount_accessor" : "Mount accessor to which this alias belongs."
}
Update or delete an existing group using its ID.
ID of the group. If set, updates the corresponding existing group.
Type: string
Type: object
{
"member_group_ids" : [ "string" ],
"metadata" : { },
"name" : "Name of the group.",
"policies" : [ "string" ],
"type" : "Type of the group, 'internal' or 'external'. Defaults to 'internal'",
"member_entity_ids" : [ "string" ]
}
Name of the group.
Type: string
Type: object
{
"member_group_ids" : [ "string" ],
"metadata" : { },
"policies" : [ "string" ],
"id" : "ID of the group. If set, updates the corresponding existing group.",
"type" : "Type of the group, 'internal' or 'external'. Defaults to 'internal'",
"member_entity_ids" : [ "string" ]
}
Query entities based on various properties.
Type: object
{
"alias_mount_accessor" : "Accessor of the mount to which the alias belongs. This should be supplied in conjunction with 'alias_name'.",
"alias_id" : "ID of the alias.",
"name" : "Name of the entity.",
"id" : "ID of the entity.",
"alias_name" : "Name of the alias. This should be supplied in conjunction with 'alias_mount_accessor'."
}
Query groups based on various properties.
Type: object
{
"alias_mount_accessor" : "Accessor of the mount to which the alias belongs. This should be supplied in conjunction with 'alias_name'.",
"alias_id" : "ID of the alias.",
"name" : "Name of the group.",
"id" : "ID of the group.",
"alias_name" : "Name of the alias. This should be supplied in conjunction with 'alias_mount_accessor'."
}
OIDC configuration
Type: object
{
"issuer" : "Issuer URL to be used in the iss claim of the token. If not set, Vault's api_addr will be used."
}
Verify the authenticity of an OIDC token
Type: object
{
"client_id" : "Optional client_id to verify",
"token" : "Token to verify"
}
CRUD operations for OIDC keys.
Name of the key
Type: string
Type: object
{
"verification_ttl" : "Controls how long the public portion of a key will be available for verification after being rotated.",
"rotation_period" : "How often to generate a new keypair.",
"allowed_client_ids" : [ "string" ],
"algorithm" : "Signing algorithm to use. This will default to RS256."
}
Rotate a named OIDC key.
Name of the key
Type: string
Type: object
{
"verification_ttl" : "Controls how long the public portion of a key will be available for verification after being rotated. Setting verification_ttl here will override the verification_ttl set on the key."
}
CRUD operations on OIDC Roles
Name of the role
Type: string
Type: object
{
"template" : "The template string to use for generating tokens. This may be in string-ified JSON or base64 format.",
"ttl" : "TTL of the tokens generated against the role.",
"key" : "The OIDC key to use for generating tokens. The specified key must already exist."
}
Create a new alias.
Type: object
{
"metadata" : { },
"name" : "Name of the persona",
"id" : "ID of the persona",
"entity_id" : "Entity ID to which this persona belongs",
"mount_accessor" : "Mount accessor to which this persona belongs"
}
Update, read or delete an alias ID.
ID of the persona
Type: string
Type: object
{
"metadata" : { },
"name" : "Name of the persona",
"entity_id" : "Entity ID to which this persona should be tied",
"mount_accessor" : "Mount accessor to which this persona belongs"
}
Type: object
{
"max_token_name_length" : "Max length for name of generated Nomad tokens",
"address" : "Nomad server address",
"token" : "Token for API calls"
}
Configure the lease parameters for generated tokens
Type: object
{
"max_ttl" : "Duration after which the issued token should not be allowed to be renewed",
"ttl" : "Duration before which the issued token needs renewal"
}
Name of the role
Type: string
Type: object
{
"policies" : [ "string" ],
"global" : "Boolean value describing if the token should be global or not. Defaults to false.",
"type" : "Which type of token to create: 'client' or 'management'. If a 'management' token, the \"policies\" parameter is not required. Defaults to 'client'."
}
Set the CA certificate and private key used for generated credentials.
Type: object
{
"pem_bundle" : "PEM-format, concatenated unencrypted secret key and certificate."
}
Configure the CRL expiration.
Type: object
{
"disable" : "If set to true, disables generating the CRL entirely.",
"expiry" : "The amount of time the generated CRL should be valid; defaults to 72 hours"
}
Set the URLs for the issuing CA, CRL distribution points, and OCSP servers.
Type: object
{
"crl_distribution_points" : [ "string" ],
"issuing_certificates" : [ "string" ],
"ocsp_servers" : [ "string" ]
}
Generate a new CSR and private key used for signing.
Must be "internal" or "exported". If set to "exported", the generated private key will be returned. This is your only chance to retrieve the private key!
Type: string
Type: object
{
"other_sans" : [ "string" ],
"country" : [ "string" ],
"street_address" : [ "string" ],
"add_basic_constraints" : "Whether to add a Basic Constraints extension with CA: true. Only needed as a workaround in some compatibility scenarios with Active Directory Certificate Services.",
"key_type" : "The type of key to use; defaults to RSA. \"rsa\" and \"ec\" are the only valid values.",
"ou" : [ "string" ],
"format" : "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".",
"locality" : [ "string" ],
"private_key_format" : "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".",
"alt_names" : "The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses.",
"serial_number" : "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.",
"exclude_cn_from_sans" : "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).",
"uri_sans" : [ "string" ],
"ttl" : "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.",
"key_bits" : "The number of bits to use. You will almost certainly want to change this if you adjust the key_type.",
"province" : [ "string" ],
"ip_sans" : [ "string" ],
"organization" : [ "string" ],
"common_name" : "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans.",
"postal_code" : [ "string" ]
}
Provide the signed intermediate CA cert.
Type: object
{
"certificate" : "PEM-format certificate. This must be a CA certificate with a public key matching the previously-generated key from the generation endpoint."
}
Request a certificate using a certain role with the provided details.
The desired role with configuration for this request
Type: string
Type: object
{
"other_sans" : [ "string" ],
"ip_sans" : [ "string" ],
"format" : "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".",
"private_key_format" : "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".",
"alt_names" : "The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.",
"serial_number" : "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.",
"exclude_cn_from_sans" : "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).",
"uri_sans" : [ "string" ],
"common_name" : "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address.",
"ttl" : "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL."
}
Revoke a certificate by serial number.
Type: object
{
"serial_number" : "Certificate serial number, in colon- or hyphen-separated octal"
}
Manage the roles that can be created with this backend.
Name of the role
Type: string
Type: object
{
"country" : [ "string" ],
"street_address" : [ "string" ],
"allow_subdomains" : "If set, clients can request certificates for subdomains of the CNs allowed by the other role options, including wildcard subdomains. See the documentation for more information.",
"allowed_domains" : [ "string" ],
"key_type" : "The type of key to use; defaults to RSA. \"rsa\" and \"ec\" are the only valid values.",
"key_usage" : [ "string" ],
"max_ttl" : "The maximum allowed lease duration",
"allow_bare_domains" : "If set, clients can request certificates for the base domains themselves, e.g. \"example.com\". This is a separate option as in some cases this can be considered a security threat.",
"allowed_other_sans" : [ "string" ],
"province" : [ "string" ],
"allow_localhost" : "Whether to allow \"localhost\" as a valid common name in a request",
"enforce_hostnames" : "If set, only valid host names are allowed for CN and SANs. Defaults to true.",
"allowed_uri_sans" : [ "string" ],
"backend" : "Backend Type",
"email_protection_flag" : "If set, certificates are flagged for email protection use. Defaults to false.",
"no_store" : "If set, certificates issued/signed against this role will not be stored in the storage backend. This can improve performance when issuing large numbers of certificates. However, certificates issued in this way cannot be enumerated or revoked, so this option is recommended only for certificates that are non-sensitive, or extremely short-lived. This option implies a value of \"false\" for \"generate_lease\".",
"allowed_serial_numbers" : [ "string" ],
"ou" : [ "string" ],
"allow_any_name" : "If set, clients can request certificates for any CN they like. See the documentation for more information.",
"locality" : [ "string" ],
"basic_constraints_valid_for_non_ca" : "Mark Basic Constraints valid when issuing non-CA certificates.",
"server_flag" : "If set, certificates are flagged for server auth use. Defaults to true.",
"generate_lease" : "If set, certificates issued/signed against this role will have Vault leases attached to them. Defaults to \"false\". Certificates can be added to the CRL by \"vault revoke \" when certificates are associated with leases. It can also be done using the \"pki/revoke\" endpoint. However, when lease generation is disabled, invoking \"pki/revoke\" is the only way to add the certificates to the CRL. When a large number of certificates are generated with long lifetimes, it is recommended that lease generation be disabled, as a large number of leases adversely affects the startup time of Vault.",
"ttl" : "The lease duration if no specific lease duration is requested. The lease duration controls the expiration of certificates issued by this backend. Defaults to the value of max_ttl.",
"use_csr_sans" : "If set, when used with a signing profile, the SANs in the CSR will be used. This does *not* include the Common Name (cn). Defaults to true.",
"not_before_duration" : "The duration before now the cert needs to be created / signed.",
"key_bits" : "The number of bits to use. You will almost certainly want to change this if you adjust the key_type.",
"require_cn" : "If set to false, makes the 'common_name' field optional while generating a certificate.",
"allow_ip_sans" : "If set, IP Subject Alternative Names are allowed. Any valid IP is accepted.",
"code_signing_flag" : "If set, certificates are flagged for code signing use. Defaults to false.",
"policy_identifiers" : [ "string" ],
"allow_glob_domains" : "If set, domains specified in \"allowed_domains\" can include glob patterns, e.g. \"ftp*.example.com\". See the documentation for more information.",
"organization" : [ "string" ],
"use_csr_common_name" : "If set, when used with a signing profile, the common name in the CSR will be used. This does *not* include any requested Subject Alternative Names. Defaults to true.",
"ext_key_usage" : [ "string" ],
"postal_code" : [ "string" ],
"ext_key_usage_oids" : [ "string" ],
"client_flag" : "If set, certificates are flagged for client auth use. Defaults to true."
}
Generate a new CA certificate and private key used for signing.
Must be "internal" or "exported". If set to "exported", the generated private key will be returned. This is your only chance to retrieve the private key!
Type: string
Type: object
{
"other_sans" : [ "string" ],
"country" : [ "string" ],
"street_address" : [ "string" ],
"key_type" : "The type of key to use; defaults to RSA. \"rsa\" and \"ec\" are the only valid values.",
"ou" : [ "string" ],
"format" : "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".",
"locality" : [ "string" ],
"private_key_format" : "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".",
"alt_names" : "The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses.",
"serial_number" : "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.",
"exclude_cn_from_sans" : "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).",
"uri_sans" : [ "string" ],
"max_path_length" : "The maximum allowable path length",
"ttl" : "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.",
"key_bits" : "The number of bits to use. You will almost certainly want to change this if you adjust the key_type.",
"permitted_dns_domains" : [ "string" ],
"province" : [ "string" ],
"ip_sans" : [ "string" ],
"organization" : [ "string" ],
"common_name" : "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans.",
"postal_code" : [ "string" ]
}
Issue an intermediate CA certificate based on the provided CSR.
Type: object
{
"other_sans" : [ "string" ],
"country" : [ "string" ],
"street_address" : [ "string" ],
"csr" : "PEM-format CSR to be signed.",
"ou" : [ "string" ],
"format" : "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".",
"locality" : [ "string" ],
"private_key_format" : "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".",
"alt_names" : "The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses.",
"serial_number" : "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.",
"exclude_cn_from_sans" : "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).",
"uri_sans" : [ "string" ],
"max_path_length" : "The maximum allowable path length",
"ttl" : "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.",
"permitted_dns_domains" : [ "string" ],
"province" : [ "string" ],
"ip_sans" : [ "string" ],
"organization" : [ "string" ],
"use_csr_values" : "If true, then: 1) Subject information, including names and alternate names, will be preserved from the CSR rather than using values provided in the other parameters to this path; 2) Any key usages requested in the CSR will be added to the basic set of key usages used for CA certs signed by this path; for instance, the non-repudiation flag.",
"common_name" : "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans.",
"postal_code" : [ "string" ]
}
Signs another CA's self-issued certificate.
Request certificates using a certain role with the provided details.
The desired role with configuration for this request
Type: string
Type: object
{
"other_sans" : [ "string" ],
"csr" : "PEM-format CSR to be signed.",
"ip_sans" : [ "string" ],
"format" : "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".",
"private_key_format" : "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".",
"alt_names" : "The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.",
"serial_number" : "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.",
"exclude_cn_from_sans" : "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).",
"uri_sans" : [ "string" ],
"common_name" : "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address.",
"ttl" : "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL."
}
Request certificates using a certain role with the provided details.
Type: object
{
"other_sans" : [ "string" ],
"csr" : "PEM-format CSR to be signed. Values will be taken verbatim from the CSR, except for basic constraints.",
"role" : "The desired role with configuration for this request",
"key_usage" : [ "string" ],
"format" : "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".",
"private_key_format" : "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".",
"alt_names" : "The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.",
"serial_number" : "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.",
"exclude_cn_from_sans" : "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).",
"uri_sans" : [ "string" ],
"ttl" : "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL.",
"ip_sans" : [ "string" ],
"common_name" : "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address.",
"ext_key_usage" : [ "string" ],
"ext_key_usage_oids" : [ "string" ]
}
Request certificates using a certain role with the provided details.
The desired role with configuration for this request
Type: string
Type: object
{
"other_sans" : [ "string" ],
"csr" : "PEM-format CSR to be signed. Values will be taken verbatim from the CSR, except for basic constraints.",
"key_usage" : [ "string" ],
"format" : "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\" any private key and issuing cert will be appended to the certificate pem. Defaults to \"pem\".",
"private_key_format" : "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".",
"alt_names" : "The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.",
"serial_number" : "The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.",
"exclude_cn_from_sans" : "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).",
"uri_sans" : [ "string" ],
"ttl" : "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL.",
"ip_sans" : [ "string" ],
"common_name" : "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address.",
"ext_key_usage" : [ "string" ],
"ext_key_usage_oids" : [ "string" ]
}
Tidy up the backend by removing expired certificates, revocation information, or both.
Type: object
{
"tidy_revocation_list" : "Deprecated; synonym for 'tidy_revoked_certs'",
"tidy_cert_store" : "Set to true to enable tidying up the certificate store",
"tidy_revoked_certs" : "Set to true to expire all revoked and expired certificates, removing them both from the CRL and from storage. The CRL will be rotated if this causes any values to be removed.",
"safety_buffer" : "The amount of extra time that must have passed beyond certificate expiration before it is removed from the backend storage and/or revocation list. Defaults to 72 hours."
}
Configure the connection URI, username, and password to talk to RabbitMQ management HTTP API.
Type: object
{
"verify_connection" : "If set, connection_uri is verified by actually connecting to the RabbitMQ management API",
"connection_uri" : "RabbitMQ Management URI",
"password" : "Password of the provided RabbitMQ management user",
"username" : "Username of a RabbitMQ management administrator"
}
Configure the lease parameters for generated credentials
Type: object
{
"max_ttl" : "Duration after which the issued credentials should not be allowed to be renewed",
"ttl" : "Duration before which the issued credentials need renewal"
}
Manage the roles that can be created with this backend.
Name of the role.
Type: string
Type: object
{
"vhosts" : "A map of virtual hosts to permissions.",
"vhost_topics" : "A nested map of virtual hosts and exchanges to topic permissions.",
"tags" : "Comma-separated list of tags for this role."
}
Configure backend level settings that are applied to every key in the key-value store.
Type: object
{
"cas_required" : "If true, the backend will require the cas parameter to be set for each write",
"delete_version_after" : "If set, the length of time before a version is deleted. A negative duration disables the use of delete_version_after on all keys. A zero duration clears the current setting. Accepts a Go duration format string.",
"max_versions" : "The number of versions to keep for each key. Defaults to 10"
}
Write, Read, and Delete data in the Key-Value Store.
Location of the secret.
Type: string
Type: object
{
"data" : { },
"options" : { },
"version" : "If provided during a read, the value at the version number will be returned"
}
Marks one or more versions as deleted in the KV store.
Location of the secret.
Type: string
Type: object
{
"versions" : [ "integer" ]
}
Permanently removes one or more versions in the KV store
Location of the secret.
Type: string
Type: object
{
"versions" : [ "integer" ]
}
Configures settings for the KV store
Location of the secret.
Type: string
Type: object
{
"cas_required" : "If true the key will require the cas parameter to be set on all write requests. If false, the backend's configuration will be used.",
"delete_version_after" : "The length of time before a version is deleted. If not set, the backend's configured delete_version_after is used. Cannot be greater than the backend's delete_version_after. A zero duration clears the current setting. A negative duration will cause an error.",
"max_versions" : "The number of versions to keep. If not set, the backend's configured max version is used."
}
Undeletes one or more versions from the KV store.
Location of the secret.
Type: string
Type: object
{
"versions" : [ "integer" ]
}
Set the SSH private key used for signing certificates.
Type: object
{
"public_key" : "Public half of the SSH key that will be used to sign certificates.",
"private_key" : "Private half of the SSH key that will be used to sign certificates.",
"generate_signing_key" : "Generate SSH key pair internally rather than use the private_key and public_key fields."
}
Assign zero address as default CIDR block for select roles.
Creates a credential for establishing an SSH connection with the remote host.
[Required] Name of the role
Type: string
Type: object
{
"ip" : "[Required] IP of the remote host",
"username" : "[Optional] Username on the remote host"
}
Register a shared private key with Vault.
[Required] Name of the key
Type: string
Type: object
{
"key" : "[Required] SSH private key with super user privileges on the host"
}
List all the roles associated with the given IP address.
Manage the 'roles' that can be created with this backend.
[Required for all types] Name of the role being created.
Type: string
Type: object
{
"allow_subdomains" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] If set, host certificates that are requested are allowed to use subdomains of those listed in \"allowed_domains\".",
"allow_host_certificates" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] If set, certificates are allowed to be signed for use as a 'host'.",
"allowed_domains" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] If this option is not specified, a client can request a signed certificate for any valid host. If only certain domains are allowed, then this list enforces it.",
"key_type" : "[Required for all types] Type of key used to log in to hosts. It can be either 'otp', 'dynamic' or 'ca'. The 'otp' type requires the agent to be installed on remote hosts.",
"max_ttl" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] The maximum allowed lease duration",
"default_critical_options" : { },
"allow_bare_domains" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] If set, host certificates that are requested are allowed to use the base domains listed in \"allowed_domains\", e.g. \"example.com\". This is a separate option as in some cases this can be considered a security threat.",
"install_script" : "[Optional for Dynamic type] [Not applicable for OTP type] [Not applicable for CA type] Script used to install and uninstall public keys on the target machine. The inbuilt default install script is for Linux hosts. For a sample script, refer to the project documentation website.",
"allowed_extensions" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] A comma-separated list of extensions that certificates can have when signed. To allow any extensions, set this to an empty string.",
"allowed_user_key_lengths" : { },
"key" : "[Required for Dynamic type] [Not applicable for OTP type] [Not applicable for CA type] Name of the registered key in Vault. Before creating the role, use the 'keys/' endpoint to create a named key.",
"allow_user_certificates" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] If set, certificates are allowed to be signed for use as a 'user'.",
"exclude_cidr_list" : "[Optional for Dynamic type] [Optional for OTP type] [Not applicable for CA type] Comma separated list of CIDR blocks. IP addresses belonging to these blocks are not accepted by the role. This is particularly useful when big CIDR blocks are being used by the role and certain parts of them need to be kept out.",
"ttl" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] The lease duration if no specific lease duration is requested. The lease duration controls the expiration of certificates issued by this backend. Defaults to the value of max_ttl.",
"allowed_critical_options" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] A comma-separated list of critical options that certificates can have when signed. To allow any critical options, set this to an empty string.",
"key_bits" : "[Optional for Dynamic type] [Not applicable for OTP type] [Not applicable for CA type] Length of the RSA dynamic key in bits. It is 1024 by default or it can be 2048.",
"key_id_format" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] When supplied, this value specifies a custom format for the key id of a signed certificate. The following variables are available for use: '' - The display name of the token used to make the request. '' - The name of the role signing the request. '' - A SHA256 checksum of the public key that is being signed.",
"key_option_specs" : "[Optional for Dynamic type] [Not applicable for OTP type] [Not applicable for CA type] Comma separated option specifications which will be prefixed to RSA key in authorized_keys file. Options should be valid and comply with authorized_keys file format and should not contain spaces.",
"allowed_users" : "[Optional for all types] [Works differently for CA type] If this option is not specified, or is '*', a client can request a credential for any valid user at the remote host, including the admin user. If only certain usernames are to be allowed, then this list enforces it. If this field is set, then credentials can only be created for default_user and usernames present in this list. Setting this option will enable all the users with access to this role to fetch credentials for all other usernames in this list. Use with caution. N.B.: with the CA type, an empty list means that no users are allowed; explicitly specify '*' to allow any user.",
"allow_user_key_ids" : "[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] If true, users can override the key ID for a signed certificate with the \"key_id\" field. When false, the key ID will always be the token display name. The key ID is logged by the SSH server and can be useful for auditing.",
"port" : "[Optional for Dynamic type] [Optional for OTP type] [Not applicable for CA type] Port number for SSH connection. Default is '22'. Port number does not play any role in creation of OTP. For 'otp' type, this is just a way to inform client about the port number to use. Port number will be returned to client by Vault server along with OTP.",
"default_user" : "[Required for Dynamic type] [Required for OTP type] [Optional for CA type] Default username for which a credential will be generated. When the endpoint 'creds/' is used without a username, this value will be used as default username.",
"default_extensions" : { },
"cidr_list" : "[Optional for Dynamic type] [Optional for OTP type] [Not applicable for CA type] Comma separated list of CIDR blocks to which the role applies. CIDR blocks can belong to more than one role.",
"admin_user" : "[Required for Dynamic type] [Not applicable for OTP type] [Not applicable for CA type] Admin user on the remote host. The shared key being registered should be for this user and should have root privileges. Every time a dynamic credential is generated for another user, Vault uses this admin username to log in to the remote host and install the generated credential for the other user."
}
Request signing an SSH key using a certain role with the provided details.
The desired role with configuration for this request.
Type: string
Type: object
{
"public_key" : "SSH public key that should be signed.",
"cert_type" : "Type of certificate to be created; either \"user\" or \"host\".",
"extensions" : { },
"critical_options" : { },
"key_id" : "Key id that the created certificate should have. If not specified, the display name of the token will be used.",
"valid_principals" : "Valid principals, either usernames or hostnames, that the certificate should be signed for.",
"ttl" : "The requested Time To Live for the SSH certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be later than the role max TTL."
}
Validate the OTP provided by Vault SSH Agent.
The hash of the given string via the given audit backend
The name of the backend. Cannot be delimited. Example: "mysql"
Type: string
Type: object
{
"input" : "string"
}
Enable a new audit device at the supplied path.
The name of the backend. Cannot be delimited. Example: "mysql"
Type: string
Type: object
{
"options" : { },
"description" : "User-friendly description for this audit backend.",
"type" : "The type of the backend. Example: \"mysql\"",
"local" : "Mark the mount as a local mount, which is not replicated and is unaffected by replication."
}
After enabling, the auth method can be accessed and configured via the auth path specified as part of the URL. This auth path will be nested under the auth prefix.
For example, enabling the "foo" auth method will make it accessible at /auth/foo.
The path to mount to. Cannot be delimited. Example: "user"
Type: string
Type: object
{
"seal_wrap" : "Whether to turn on seal wrapping for the mount.",
"options" : { },
"description" : "User-friendly description for this credential backend.",
"external_entropy_access" : "Whether to give the mount access to Vault's external entropy.",
"plugin_name" : "Name of the auth plugin to use, based on the name in the plugin catalog.",
"type" : "The type of the backend. Example: \"userpass\"",
"config" : { },
"local" : "Mark the mount as a local mount, which is not replicated and is unaffected by replication."
}
This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via sys/mounts/auth/[auth-path]/tune.
Tune the configuration parameters for an auth path.
Type: string
Type: object
{
"listing_visibility" : "Determines the visibility of the mount in the UI-specific listing endpoint. Accepted values are 'unauth' and ''.",
"audit_non_hmac_request_keys" : [ "string" ],
"max_lease_ttl" : "The max lease TTL for this mount.",
"passthrough_request_headers" : [ "string" ],
"default_lease_ttl" : "The default lease TTL for this mount.",
"options" : { },
"description" : "User-friendly description for this credential backend.",
"allowed_response_headers" : [ "string" ],
"token_type" : "The type of token to issue (service or batch).",
"audit_non_hmac_response_keys" : [ "string" ]
}
Fetches the capabilities of the given token on the given path.
Type: object
{
"path" : [ "string" ],
"paths" : [ "string" ],
"token" : "Token for which capabilities are being queried."
}
Fetches the capabilities of the token associated with the given accessor, on the given path.
Type: object
{
"path" : [ "string" ],
"paths" : [ "string" ],
"accessor" : "Accessor of the token for which capabilities are being queried."
}
Fetches the capabilities of the given token on the given path.
Type: object
{
"path" : [ "string" ],
"paths" : [ "string" ],
"token" : "Token for which capabilities are being queried."
}
Enable auditing of a header.
Configure the CORS settings.
Type: object
{
"allowed_headers" : [ "string" ],
"enable" : "Enables or disables CORS headers on requests.",
"allowed_origins" : [ "string" ]
}
Configure the values to be returned for the UI header.
The name of the header.
Type: string
Type: object
{
"values" : [ "string" ]
}
Only a single root generation attempt can take place at a time. One (and only one) of otp or pgp_key are required.
Only a single root generation attempt can take place at a time. One (and only one) of otp or pgp_key are required.
If the threshold number of master key shares is reached, Vault will complete the root generation and issue the new token. Otherwise, this API must be called multiple times until that threshold is met. The attempt nonce must be provided with each call.
Type: object
{
"nonce" : "Specifies the nonce of the attempt.",
"key" : "Specifies a single master key share."
}
The Vault must not have been previously initialized. The recovery options, as well as the stored shares option, are only available when using Vault HSM.
Type: object
{
"recovery_pgp_keys" : [ "string" ],
"stored_shares" : "Specifies the number of shares that should be encrypted by the HSM and stored for auto-unsealing. Currently must be the same as `secret_shares`.",
"secret_threshold" : "Specifies the number of shares required to reconstruct the master key. This must be less than or equal to secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as `secret_shares`.",
"recovery_shares" : "Specifies the number of shares to split the recovery key into.",
"secret_shares" : "Specifies the number of shares to split the master key into.",
"pgp_keys" : [ "string" ],
"recovery_threshold" : "Specifies the number of shares required to reconstruct the recovery key. This must be less than or equal to `recovery_shares`.",
"root_token_pgp_key" : "Specifies a PGP public key used to encrypt the initial root token. The key must be base64-encoded from its original binary representation."
}
Retrieve lease metadata.
Type: object
{
"lease_id" : "The lease identifier to renew. This is included with a lease."
}
Renews a lease, requesting to extend the lease.
Type: object
{
"url_lease_id" : "The lease identifier to renew. This is included with a lease.",
"increment" : "The desired increment in seconds to the lease",
"lease_id" : "The lease identifier to renew. This is included with a lease."
}
Renews a lease, requesting to extend the lease.
The lease identifier to renew. This is included with a lease.
Type: string
Type: object
{
"increment" : "The desired increment in seconds to the lease",
"lease_id" : "The lease identifier to renew. This is included with a lease."
}
Revokes a lease immediately.
Type: object
{
"url_lease_id" : "The lease identifier to renew. This is included with a lease.",
"sync" : "Whether or not to perform the revocation synchronously",
"lease_id" : "The lease identifier to renew. This is included with a lease."
}
Unlike /sys/leases/revoke-prefix, this path ignores backend errors encountered during revocation. This is potentially very dangerous and should only be used in specific emergency situations where errors in the backend or the connected backend service prevent normal revocation.
By ignoring these errors, Vault abdicates responsibility for ensuring that the issued credentials or secrets are properly revoked and/or cleaned up. Access to this endpoint should be tightly controlled.
Revokes all secrets (via a lease ID prefix) or tokens (via the tokens' path property) generated under a given prefix immediately.
The path to revoke keys under. Example: "prod/aws/ops"
Type: string
Type: object
{
"sync" : "Whether or not to perform the revocation synchronously"
}
Revokes a lease immediately.
The lease identifier to renew. This is included with a lease.
Type: string
Type: object
{
"sync" : "Whether or not to perform the revocation synchronously",
"lease_id" : "The lease identifier to renew. This is included with a lease."
}
This endpoint performs cleanup tasks that can be run if certain error conditions have occurred.
This operation has no parameters
Enable a new secrets engine at the given path.
The path to mount to. Example: "aws/east"
Type: string
Type: object
{
"seal_wrap" : "Whether to turn on seal wrapping for the mount.",
"options" : { },
"description" : "User-friendly description for this mount.",
"external_entropy_access" : "Whether to give the mount access to Vault's external entropy.",
"plugin_name" : "Name of the plugin to mount, based on the name registered in the plugin catalog.",
"type" : "The type of the backend. Example: \"passthrough\"",
"config" : { },
"local" : "Mark the mount as a local mount, which is not replicated and is unaffected by replication."
}
Tune backend configuration parameters for this mount.
The path to mount to. Example: "aws/east"
Type: string
Type: object
{
"listing_visibility" : "Determines the visibility of the mount in the UI-specific listing endpoint. Accepted values are 'unauth' and ''.",
"audit_non_hmac_request_keys" : [ "string" ],
"max_lease_ttl" : "The max lease TTL for this mount.",
"passthrough_request_headers" : [ "string" ],
"default_lease_ttl" : "The default lease TTL for this mount.",
"options" : { },
"description" : "User-friendly description for this credential backend.",
"allowed_response_headers" : [ "string" ],
"token_type" : "The type of token to issue (service or batch).",
"audit_non_hmac_response_keys" : [ "string" ]
}
Register a new plugin, or update an existing one with the supplied name.
The name of the plugin
Type: string
Type: object
{
"args" : [ "string" ],
"sha256" : "The SHA256 sum of the executable used in the command field. This should be HEX encoded.",
"sha_256" : "The SHA256 sum of the executable used in the command field. This should be HEX encoded.",
"env" : [ "string" ],
"type" : "The type of the plugin, may be auth, secret, or database",
"command" : "The command used to start the plugin. The executable defined in this command must exist in vault's plugin directory."
}
Register a new plugin, or update an existing one with the supplied name.
The name of the plugin
Type: string
The type of the plugin, may be auth, secret, or database
Type: string
Type: object
{
"args" : [ "string" ],
"sha256" : "The SHA256 sum of the executable used in the command field. This should be HEX encoded.",
"sha_256" : "The SHA256 sum of the executable used in the command field. This should be HEX encoded.",
"env" : [ "string" ],
"command" : "The command used to start the plugin. The executable defined in this command must exist in vault's plugin directory."
}
Either the plugin name (plugin) or the desired plugin backend mounts (mounts) must be provided, but not both. In the case that the plugin name is provided, all mounted paths that use that plugin backend will be reloaded.
Type: object
{
"plugin" : "The name of the plugin to reload, as registered in the plugin catalog.",
"mounts" : [ "string" ]
}
Add a new or update an existing ACL policy.
The name of the policy. Example: "ops"
Type: string
Type: object
{
"policy" : "The rules of the policy."
}
Add a new or update an existing policy.
The name of the policy. Example: "ops"
Type: string
Type: object
{
"rules" : "The rules of the policy.",
"policy" : "The rules of the policy."
}
Update the value of the key at the given path.
Update the value of the key at the given path.
Only a single rekey attempt can take place at a time, and changing the parameters of a rekey requires canceling and starting a new rekey, which will also provide a new nonce.
Type: object
{
"backup" : "Specifies if using PGP-encrypted keys, whether Vault should also store a plaintext backup of the PGP-encrypted keys.",
"secret_threshold" : "Specifies the number of shares required to reconstruct the master key. This must be less than or equal to secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as secret_shares.",
"require_verification" : "Turns on verification functionality",
"secret_shares" : "Specifies the number of shares to split the master key into.",
"pgp_keys" : [ "string" ]
}
Enter a single master key share to progress the rekey of the Vault.
Type: object
{
"nonce" : "Specifies the nonce of the rekey attempt.",
"key" : "Specifies a single master key share."
}
Enter a single new key share to progress the rekey verification operation.
Type: object
{
"nonce" : "Specifies the nonce of the rekey verification operation.",
"key" : "Specifies a single master key share from the new set of shares."
}
Move the mount point of an already-mounted backend.
Renews a lease, requesting to extend the lease.
Type: object
{
"url_lease_id" : "The lease identifier to renew. This is included with a lease.",
"increment" : "The desired increment in seconds to the lease",
"lease_id" : "The lease identifier to renew. This is included with a lease."
}
Renews a lease, requesting to extend the lease.
The lease identifier to renew. This is included with a lease.
Type: string
Type: object
{
"increment" : "The desired increment in seconds to the lease",
"lease_id" : "The lease identifier to renew. This is included with a lease."
}
Revokes a lease immediately.
Type: object
{
"url_lease_id" : "The lease identifier to renew. This is included with a lease.",
"sync" : "Whether or not to perform the revocation synchronously",
"lease_id" : "The lease identifier to renew. This is included with a lease."
}
Unlike /sys/leases/revoke-prefix, this path ignores backend errors encountered during revocation. This is potentially very dangerous and should only be used in specific emergency situations where errors in the backend or the connected backend service prevent normal revocation.
By ignoring these errors, Vault abdicates responsibility for ensuring that the issued credentials or secrets are properly revoked and/or cleaned up. Access to this endpoint should be tightly controlled.
Revokes all secrets (via a lease ID prefix) or tokens (via the tokens' path property) generated under a given prefix immediately.
The path to revoke keys under. Example: "prod/aws/ops"
Type: string
Type: object
{
"sync" : "Whether or not to perform the revocation synchronously"
}
Revokes a lease immediately.
The lease identifier to renew. This is included with a lease.
Type: string
Type: object
{
"sync" : "Whether or not to perform the revocation synchronously",
"lease_id" : "The lease identifier to renew. This is included with a lease."
}
Rotates the backend encryption key used to persist data.
This operation has no parameters
Seal the Vault.
This operation has no parameters
This endpoint forces the node to give up active status. If the node does not have active status, this endpoint does nothing. Note that the node will sleep for ten seconds before attempting to grab the active lock again, but if no standby nodes grab the active lock in the interim, the same node may become the active node again.
This operation has no parameters
Generate a hash sum for input data
Type: object
{
"input" : "The base64-encoded input data",
"urlalgorithm" : "Algorithm to use (POST URL parameter)",
"format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"hex\".",
"algorithm" : "Algorithm to use (POST body parameter). Valid values are: * sha2-224 * sha2-256 * sha2-384 * sha2-512 Defaults to \"sha2-256\"."
}
Generate a hash sum for input data
Algorithm to use (POST URL parameter)
Type: string
Type: object
{
"input" : "The base64-encoded input data",
"format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"hex\".",
"algorithm" : "Algorithm to use (POST body parameter). Valid values are: * sha2-224 * sha2-256 * sha2-384 * sha2-512 Defaults to \"sha2-256\"."
}
Generate random bytes
Type: object
{
"urlbytes" : "The number of bytes to generate (POST URL parameter)",
"bytes" : "The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).",
"format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"base64\"."
}
Generate random bytes
The number of bytes to generate (POST URL parameter)
Type: string
Type: object
{
"bytes" : "The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).",
"format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"base64\"."
}
Unseal the Vault.
Type: object
{
"reset" : "Specifies if previously-provided unseal keys are discarded and the unseal process is reset.",
"key" : "Specifies a single master key share. This is required unless reset is true."
}
Look up wrapping properties for the given token.
Rotates a response-wrapped token.
Unwraps a response-wrapped token.
Response-wraps an arbitrary JSON object.
This operation has no parameters
Request a time-based one-time use password or validate a password for a certain key.
Name of the key.
Type: string
Type: object
{
"code" : "TOTP code to be validated."
}
Manage the keys that can be created with this backend.
Name of the key.
Type: string
Type: object
{
"exported" : "Determines if a QR code and URL are returned upon generating a key. Only used if generate is true.",
"period" : "The length of time used to generate a counter for the TOTP token calculation.",
"qr_size" : "The pixel size of the generated square QR code. Only used if generate is true and exported is true. If this value is 0, a QR code will not be returned.",
"account_name" : "The name of the account associated with the key. Required if generate is true.",
"digits" : "The number of digits in the generated TOTP token. This value can either be 6 or 8.",
"generate" : "Determines if a key should be generated by Vault or if a key is being passed from another service.",
"issuer" : "The name of the key's issuing organization. Required if generate is true.",
"key" : "The shared master key used to generate a TOTP token. Only used if generate is false.",
"url" : "A TOTP URL string containing all of the parameters for key setup. Only used if generate is false.",
"algorithm" : "The hashing algorithm used to generate the TOTP token. Options include SHA1, SHA256 and SHA512.",
"key_size" : "Determines the size in bytes of the generated key. Only used if generate is true.",
"skew" : "The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. Only used if generate is true."
}
Configures a new cache of the specified size
Type: object
{
"size" : "Size of cache, use 0 for an unlimited cache size, defaults to 0"
}
Generate a data key
The backend key used for encrypting the data key
Type: string
"plaintext" will return the key in both plaintext and ciphertext; "wrapped" will return the ciphertext only.
Type: string
Type: object
{
"key_version" : "The version of the Vault key to use for encryption of the data key. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.",
"bits" : "Number of bits for the key; currently 128, 256, and 512 bits are supported. Defaults to 256.",
"context" : "Context for key derivation. Required for derived keys.",
"nonce" : "Nonce for when convergent encryption v1 is used (only in Vault 0.6.1)"
}
Decrypt a ciphertext value using a named key
Name of the policy
Type: string
Type: object
{
"ciphertext" : "The ciphertext to decrypt, provided as returned by encrypt.",
"context" : "Base64 encoded context for key derivation. Required if key derivation is enabled.",
"nonce" : "Base64 encoded nonce value used during encryption. Must be provided if convergent encryption is enabled for this key and the key was generated with Vault 0.6.1. Not required for keys created in 0.6.2+."
}
Encrypt a plaintext value or a batch of plaintext blocks using a named key
Name of the policy
Type: string
Type: object
{
"convergent_encryption" : "This parameter will only be used when a key is expected to be created. Whether to support convergent encryption. This is only supported when using a key with key derivation enabled and will require all requests to carry both a context and 96-bit (12-byte) nonce. The given nonce will be used in place of a randomly generated nonce. As a result, when the same context and nonce are supplied, the same ciphertext is generated. It is *very important* when using this mode that you ensure that all nonces are unique for a given context. Failing to do so will severely impact the ciphertext's security.",
"key_version" : "The version of the key to use for encryption. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.",
"context" : "Base64 encoded context for key derivation. Required if key derivation is enabled",
"plaintext" : "Base64 encoded plaintext value to be encrypted",
"type" : "This parameter is required when encryption key is expected to be created. When performing an upsert operation, the type of key to create. Currently, \"aes128-gcm96\" (symmetric) and \"aes256-gcm96\" (symmetric) are the only types supported. Defaults to \"aes256-gcm96\".",
"nonce" : "Base64 encoded nonce value. Must be provided if convergent encryption is enabled for this key and the key was generated with Vault 0.6.1. Not required for keys created in 0.6.2+. The value must be exactly 96 bits (12 bytes) long and the user must ensure that for any given context (and thus, any given encryption key) this nonce value is **never reused**."
}
Generate a hash sum for input data
Type: object
{
"input" : "The base64-encoded input data",
"urlalgorithm" : "Algorithm to use (POST URL parameter)",
"format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"hex\".",
"algorithm" : "Algorithm to use (POST body parameter). Valid values are: * sha2-224 * sha2-256 * sha2-384 * sha2-512 Defaults to \"sha2-256\"."
}
Generate a hash sum for input data
Algorithm to use (POST URL parameter)
Type: string
Type: object
{
"input" : "The base64-encoded input data",
"format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"hex\".",
"algorithm" : "Algorithm to use (POST body parameter). Valid values are: * sha2-224 * sha2-256 * sha2-384 * sha2-512 Defaults to \"sha2-256\"."
}
Generate an HMAC for input data using the named key
The key to use for the HMAC function
Type: string
Type: object
{
"input" : "The base64-encoded input data",
"urlalgorithm" : "Algorithm to use (POST URL parameter)",
"key_version" : "The version of the key to use for generating the HMAC. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.",
"algorithm" : "Algorithm to use (POST body parameter). Valid values are: * sha2-224 * sha2-256 * sha2-384 * sha2-512 Defaults to \"sha2-256\"."
}
Generate an HMAC for input data using the named key
The key to use for the HMAC function
Type: string
Algorithm to use (POST URL parameter)
Type: string
Type: object
{
"input" : "The base64-encoded input data",
"key_version" : "The version of the key to use for generating the HMAC. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.",
"algorithm" : "Algorithm to use (POST body parameter). Valid values are: * sha2-224 * sha2-256 * sha2-384 * sha2-512 Defaults to \"sha2-256\"."
}
Manage named encryption keys
Name of the key
Type: string
Type: object
{
"exportable" : "Enables keys to be exportable. This allows for all the valid keys in the key ring to be exported.",
"convergent_encryption" : "Whether to support convergent encryption. This is only supported when using a key with key derivation enabled and will require all requests to carry both a context and 96-bit (12-byte) nonce. The given nonce will be used in place of a randomly generated nonce. As a result, when the same context and nonce are supplied, the same ciphertext is generated. It is *very important* when using this mode that you ensure that all nonces are unique for a given context. Failing to do so will severely impact the ciphertext's security.",
"context" : "Base64 encoded context for key derivation. When reading a key with key derivation enabled, if the key type supports public keys, this will return the public key for the given context.",
"allow_plaintext_backup" : "Enables taking a backup of the named key in plaintext format. Once set, this cannot be disabled.",
"type" : "The type of key to create. Currently, \"aes128-gcm96\" (symmetric), \"aes256-gcm96\" (symmetric), \"ecdsa-p256\" (asymmetric), \"ecdsa-p384\" (asymmetric), \"ecdsa-p521\" (asymmetric), \"ed25519\" (asymmetric), \"rsa-2048\" (asymmetric), \"rsa-4096\" (asymmetric) are supported. Defaults to \"aes256-gcm96\".",
"derived" : "Enables key derivation mode. This allows for per-transaction unique keys for encryption operations."
}
Configure a named encryption key
Name of the key
Type: string
Type: object
{
"deletion_allowed" : "Whether to allow deletion of the key",
"exportable" : "Enables export of the key. Once set, this cannot be disabled.",
"allow_plaintext_backup" : "Enables taking a backup of the named key in plaintext format. Once set, this cannot be disabled.",
"min_decryption_version" : "If set, the minimum version of the key allowed to be decrypted. For signing keys, the minimum version allowed to be used for verification.",
"min_encryption_version" : "If set, the minimum version of the key allowed to be used for encryption; or for signing keys, to be used for signing. If set to zero, only the latest version of the key is allowed."
}
Rotate named encryption key
Trim key versions of a named key
Name of the key
Type: string
Type: object
{
"min_available_version" : "The minimum available version for the key ring. All versions before this version will be permanently deleted. This value can at most be equal to the lesser of 'min_decryption_version' and 'min_encryption_version'. This is not allowed to be set when either 'min_encryption_version' or 'min_decryption_version' is set to zero."
}
Generate random bytes
Type: object
{
"urlbytes" : "The number of bytes to generate (POST URL parameter)",
"bytes" : "The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).",
"format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"base64\"."
}
Generate random bytes
The number of bytes to generate (POST URL parameter)
Type: string
Type: object
{
"bytes" : "The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).",
"format" : "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"base64\"."
}
Restore the named key
Type: object
{
"backup" : "Backed up key data to be restored. This should be the output from the 'backup/' endpoint.",
"name" : "If set, this will be the name of the restored key.",
"force" : "If set and a key by the given name exists, force the restore operation and override the key."
}
Restore the named key
If set, this will be the name of the restored key.
Type: string
Type: object
{
"backup" : "Backed up key data to be restored. This should be the output from the 'backup/' endpoint.",
"force" : "If set and a key by the given name exists, force the restore operation and override the key."
}
Rewrap ciphertext
Name of the key
Type: string
Type: object
{
"ciphertext" : "Ciphertext value to rewrap",
"key_version" : "The version of the key to use for encryption. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.",
"context" : "Base64 encoded context for key derivation. Required for derived keys.",
"nonce" : "Nonce for when convergent encryption is used"
}
Generate a signature for input data using the named key
The key to use
Type: string
Type: object
{
"prehashed" : "Set to 'true' when the input is already hashed. If the key type is 'rsa-2048' or 'rsa-4096', then the algorithm used to hash the input should be indicated by the 'algorithm' parameter.",
"input" : "The base64-encoded input data",
"urlalgorithm" : "Hash algorithm to use (POST URL parameter)",
"key_version" : "The version of the key to use for signing. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.",
"context" : "Base64 encoded context for key derivation. Required if key derivation is enabled; currently only available with ed25519 keys.",
"hash_algorithm" : "Hash algorithm to use (POST body parameter). Valid values are: * sha1 * sha2-224 * sha2-256 * sha2-384 * sha2-512 Defaults to \"sha2-256\". Not valid for all key types, including ed25519.",
"signature_algorithm" : "The signature algorithm to use for signing. Currently only applies to RSA key types. Options are 'pss' or 'pkcs1v15'. Defaults to 'pss'.",
"algorithm" : "Deprecated: use \"hash_algorithm\" instead.",
"marshaling_algorithm" : "The method by which to marshal the signature. The default is 'asn1' which is used by openssl and X.509. It can also be set to 'jws' which is used for JWT signatures; setting it to this will also cause the encoding of the signature to be url-safe base64 instead of using standard base64 encoding. Currently only valid for ECDSA P-256 key types."
}
Generate a signature for input data using the named key
The key to use
Type: string
Hash algorithm to use (POST URL parameter)
Type: string
Type: object
{
"prehashed" : "Set to 'true' when the input is already hashed. If the key type is 'rsa-2048' or 'rsa-4096', then the algorithm used to hash the input should be indicated by the 'algorithm' parameter.",
"input" : "The base64-encoded input data",
"key_version" : "The version of the key to use for signing. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.",
"context" : "Base64 encoded context for key derivation. Required if key derivation is enabled; currently only available with ed25519 keys.",
"hash_algorithm" : "Hash algorithm to use (POST body parameter). Valid values are: * sha1 * sha2-224 * sha2-256 * sha2-384 * sha2-512 Defaults to \"sha2-256\". Not valid for all key types, including ed25519.",
"signature_algorithm" : "The signature algorithm to use for signing. Currently only applies to RSA key types. Options are 'pss' or 'pkcs1v15'. Defaults to 'pss'.",
"algorithm" : "Deprecated: use \"hash_algorithm\" instead.",
"marshaling_algorithm" : "The method by which to marshal the signature. The default is 'asn1' which is used by openssl and X.509. It can also be set to 'jws' which is used for JWT signatures; setting it to this will also cause the encoding of the signature to be url-safe base64 instead of using standard base64 encoding. Currently only valid for ECDSA P-256 key types."
}
Verify a signature or HMAC for input data created using the named key
The key to use
Type: string
Type: object
{
"prehashed" : "Set to 'true' when the input is already hashed. If the key type is 'rsa-2048' or 'rsa-4096', then the algorithm used to hash the input should be indicated by the 'algorithm' parameter.",
"input" : "The base64-encoded input data to verify",
"urlalgorithm" : "Hash algorithm to use (POST URL parameter)",
"signature" : "The signature, including vault header/key version",
"hmac" : "The HMAC, including vault header/key version",
"context" : "Base64 encoded context for key derivation. Required if key derivation is enabled; currently only available with ed25519 keys.",
"hash_algorithm" : "Hash algorithm to use (POST body parameter). Valid values are: * sha1 * sha2-224 * sha2-256 * sha2-384 * sha2-512 Defaults to \"sha2-256\". Not valid for all key types.",
"signature_algorithm" : "The signature algorithm to use for signature verification. Currently only applies to RSA key types. Options are 'pss' or 'pkcs1v15'. Defaults to 'pss'.",
"algorithm" : "Deprecated: use \"hash_algorithm\" instead.",
"marshaling_algorithm" : "The method by which to unmarshal the signature when verifying. The default is 'asn1' which is used by openssl and X.509; can also be set to 'jws' which is used for JWT signatures, in which case the signature is also expected to be url-safe base64 encoded instead of standard base64 encoded. Currently only valid for ECDSA P-256 key types."
}
Verify a signature or HMAC for input data created using the named key
The key to use
Type: string
Hash algorithm to use (POST URL parameter)
Type: string
Type: object
{
"prehashed" : "Set to 'true' when the input is already hashed. If the key type is 'rsa-2048' or 'rsa-4096', then the algorithm used to hash the input should be indicated by the 'algorithm' parameter.",
"input" : "The base64-encoded input data to verify",
"signature" : "The signature, including vault header/key version",
"hmac" : "The HMAC, including vault header/key version",
"context" : "Base64 encoded context for key derivation. Required if key derivation is enabled; currently only available with ed25519 keys.",
"hash_algorithm" : "Hash algorithm to use (POST body parameter). Valid values are: * sha1 * sha2-224 * sha2-256 * sha2-384 * sha2-512 Defaults to \"sha2-256\". Not valid for all key types.",
"signature_algorithm" : "The signature algorithm to use for signature verification. Currently only applies to RSA key types. Options are 'pss' or 'pkcs1v15'. Defaults to 'pss'.",
"algorithm" : "Deprecated: use \"hash_algorithm\" instead.",
"marshaling_algorithm" : "The method by which to unmarshal the signature when verifying. The default is 'asn1' which is used by openssl and X.509; can also be set to 'jws' which is used for JWT signatures, in which case the signature is also expected to be url-safe base64 encoded instead of standard base64 encoded. Currently only valid for ECDSA P-256 key types."
}