/sys/internal/ui/mounts
"
5 | sidebar_current: "api-http-system-internal-ui-mounts"
6 | description: |-
7 | The `/sys/internal/ui/mounts` endpoint is used to manage mount listing visibility.
8 | ---
9 |
10 | # `/sys/internal/ui/mounts`
11 |
12 | The `/sys/internal/ui/mounts` endpoint is used to manage mount listing
13 | visibility. The response generated by this endpoint is based on the
14 | `listing_visibility` value on the mount, which can be set during mount time or
15 | via mount tuning. This is currently only being used internally for the UI and is
16 | an unauthenticated endpoint.
17 |
18 | Due to the nature of its intended usage, there is no guarantee on backwards
19 | compatibility for this endpoint.
20 |
21 | ## Get Available Visible Mounts
22 |
23 | This endpoint lists all enabled auth methods.
24 |
25 | | Method | Path |
26 | | :------------------------ | :--------------------- |
27 | | `GET` | `/sys/internal/ui/mounts` |
28 |
29 |
30 | ### Sample Request
31 |
32 | ```
33 | $ curl \
34 | http://127.0.0.1:8200/v1/sys/internal/ui/mounts
35 | ```
36 |
37 | ### Sample Response
38 |
39 | ```json
40 | {
41 | "auth": {
42 | "github/": {
43 | "description": "GitHub auth",
44 | "type": "github"
45 | }
46 | },
47 | "secret": {
48 | "custom-secrets/": {
49 | "description": "Custom secrets",
50 | "type": "kv"
51 | }
52 | }
53 | }
54 | ```
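Because this endpoint is unauthenticated, its response is exactly what an anonymous caller learns about the mount table. The following is an added example, not part of the Vault documentation: it lists the exposed mounts and flags any that are not on an intended-visibility allowlist. The function names, the allowlist, and the handling of a `data` wrapper are assumptions of this example.

```python
import json

# Constructed input: the sample response shown above, embedded so this runs offline.
SAMPLE_RESPONSE = json.loads("""
{
  "auth": {
    "github/": {"description": "GitHub auth", "type": "github"}
  },
  "secret": {
    "custom-secrets/": {"description": "Custom secrets", "type": "kv"}
  }
}
""")


def exposed_mounts(response):
    """Return sorted (section, path, type) tuples visible to an unauthenticated caller."""
    # Assumption: some responses nest the payload under "data"; the sample
    # above does not, so both shapes are accepted.
    body = response.get("data", response)
    found = []
    for section in ("auth", "secret"):
        for path, info in (body.get(section) or {}).items():
            found.append((section, path, info.get("type", "")))
    return sorted(found)


def unexpected_exposure(response, allowed):
    """Return exposed mounts whose (section, path) is not in the allowlist.

    `allowed` is a set of (section, path) pairs that operators deliberately
    made visible via `listing_visibility` (hypothetical policy input).
    """
    return [m for m in exposed_mounts(response) if (m[0], m[1]) not in allowed]


if __name__ == "__main__":
    # Only the GitHub login mount is meant to be listed before authentication.
    intended = {("auth", "github/")}
    for section, path, mount_type in unexpected_exposure(SAMPLE_RESPONSE, intended):
        print("unexpectedly visible: %s mount %s (type %s)" % (section, path, mount_type))
```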
--------------------------------------------------------------------------------
/website/source/api/system/key-status.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "api"
3 | page_title: "/sys/key-status - HTTP API"
4 | sidebar_title: "/sys/key-status"
5 | sidebar_current: "api-http-system-key-status"
6 | description: |-
7 | The `/sys/key-status` endpoint is used to query info about the current
8 | encryption key of Vault.
9 | ---
10 |
11 | # `/sys/key-status`
12 |
13 | The `/sys/key-status` endpoint is used to query info about the current
14 | encryption key of Vault.
15 |
16 | ## Get Encryption Key Status
17 |
18 | This endpoint returns information about the current encryption key used by
19 | Vault.
20 |
21 | | Method | Path |
22 | | :--------------------------- | :--------------------- |
23 | | `GET` | `/sys/key-status` |
24 |
25 |
26 | ### Sample Request
27 |
28 | ```
29 | $ curl \
30 | --header "X-Vault-Token: ..." \
31 | --request GET \
32 | http://127.0.0.1:8200/v1/sys/key-status
33 |
34 | ```
35 |
36 | ### Sample Response
37 |
38 | ```json
39 | {
40 | "term": 3,
41 | "install_time": "2015-05-29T14:50:46.223692553-07:00"
42 | }
43 | ```
44 |
45 | The `term` parameter is the sequential key number, and `install_time` is the
46 | time that encryption key was installed.
47 |
--------------------------------------------------------------------------------
/website/source/api/system/leader.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "api"
3 | page_title: "/sys/leader - HTTP API"
4 | sidebar_title: "/sys/leader"
5 | sidebar_current: "api-http-system-leader"
6 | description: |-
7 | The `/sys/leader` endpoint is used to check the high availability status and
8 | current leader of Vault.
9 | ---
10 |
11 | # `/sys/leader`
12 |
13 | The `/sys/leader` endpoint is used to check the high availability status and
14 | current leader of Vault.
15 |
16 | ## Read Leader Status
17 |
18 | This endpoint returns the high availability status and current leader instance
19 | of Vault.
20 |
21 | | Method | Path |
22 | | :--------------------------- | :--------------------- |
23 | | `GET` | `/sys/leader` |
24 |
25 | ### Sample Request
26 |
27 | ```
28 | $ curl \
29 | http://127.0.0.1:8200/v1/sys/leader
30 | ```
31 |
32 | ### Sample Response
33 |
34 | ```json
35 | {
36 | "ha_enabled": true,
37 | "is_self": false,
38 | "leader_address": "https://127.0.0.1:8200/",
39 | "leader_cluster_address": "https://127.0.0.1:8201/",
40 | "performance_standby": false,
41 | "performance_standby_last_remote_wal": 0
42 | }
43 | ```
44 |
--------------------------------------------------------------------------------
/website/source/api/system/mfa/index.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "api"
3 | page_title: "/sys/mfa - HTTP API"
4 | sidebar_title: "/sys/mfa"
5 | sidebar_current: "api-http-system-mfa"
6 | description: |-
7 | The '/sys/mfa' endpoint focuses on managing MFA behaviors in Vault Enterprise MFA.
8 | ---
9 |
10 | # `/sys/mfa`
11 |
12 | ~> **Enterprise Only** – These endpoints require Vault Enterprise.
13 |
14 | ## Supported MFA types
15 |
16 | * [TOTP](/api/system/mfa/totp.html)
17 |
18 | * [Okta](/api/system/mfa/okta.html)
19 |
20 | * [Duo](/api/system/mfa/duo.html)
21 |
22 | * [PingID](/api/system/mfa/pingid.html)
23 |
--------------------------------------------------------------------------------
/website/source/api/system/plugins-reload-backend.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "api"
3 | page_title: "/sys/plugins/reload/backend - HTTP API"
4 | sidebar_title: "/sys/plugins/reload/backend"
5 | sidebar_current: "api-http-system-plugins-reload-backend"
6 | description: |-
7 | The `/sys/plugins/reload/backend` endpoint is used to reload plugin backends.
8 | ---
9 |
10 | # `/sys/plugins/reload/backend`
11 |
12 | The `/sys/plugins/reload/backend` endpoint is used to reload mounted plugin
13 | backends. Either the plugin name (`plugin`) or the desired plugin backend mounts
14 | (`mounts`) must be provided, but not both. In the case that the plugin name is
15 | provided, all mounted paths that use that plugin backend will be reloaded.
16 |
17 | ## Reload Plugins
18 |
19 | This endpoint reloads mounted plugin backends.
20 |
21 | | Method | Path |
22 | | :---------------------------- | :--------------------- |
23 | | `PUT` | `/sys/plugins/reload/backend` |
24 |
25 | ### Parameters
26 |
27 | - `plugin` `(string: "")` – The name of the plugin to reload, as
28 | registered in the plugin catalog.
29 |
30 | - `mounts` `(array: [])` – Array or comma-separated string mount paths
31 | of the plugin backends to reload.
32 |
33 | ### Sample Payload
34 |
35 | ```json
36 | {
37 | "plugin": "mock-plugin"
38 | }
39 | ```
40 |
41 | ### Sample Request
42 |
43 | ```
44 | $ curl \
45 | --header "X-Vault-Token: ..." \
46 | --request PUT \
47 | http://127.0.0.1:8200/v1/sys/plugins/reload/backend
48 | ```
49 |
--------------------------------------------------------------------------------
/website/source/api/system/remount.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "api"
3 | page_title: "/sys/remount - HTTP API"
4 | sidebar_title: "/sys/remount"
5 | sidebar_current: "api-http-system-remount"
6 | description: |-
7 | The '/sys/remount' endpoint is used to remount a mounted backend to a new endpoint.
8 | ---
9 |
10 | # `/sys/remount`
11 |
12 | The `/sys/remount` endpoint is used to remount a mounted backend to a new endpoint.
13 |
14 | ## Move Backend
15 |
16 | This endpoint moves an already-mounted backend to a new mount point.
17 |
18 | | Method | Path |
19 | | :--------------------------- | :--------------------- |
20 | | `POST` | `/sys/remount` |
21 |
22 | ### Parameters
23 |
24 | - `from` `(string: /sys/rotate
"
5 | sidebar_current: "api-http-system-rotate"
6 | description: |-
7 | The `/sys/rotate` endpoint is used to rotate the encryption key.
8 | ---
9 |
10 | # `/sys/rotate`
11 |
12 | The `/sys/rotate` endpoint is used to rotate the encryption key.
13 |
14 | ## Rotate Encryption Key
15 |
16 | This endpoint triggers a rotation of the backend encryption key. This is the key
17 | that is used to encrypt data written to the storage backend, and is not provided
18 | to operators. This operation is done online. Future values are encrypted with
19 | the new key, while old values are decrypted with previous encryption keys.
20 |
21 | This path requires `sudo` capability in addition to `update`.
22 |
23 | | Method | Path |
24 | | :--------------------------- | :--------------------- |
25 | | `PUT` | `/sys/rotate` |
26 |
27 | ### Sample Request
28 |
29 | ```
30 | $ curl \
31 | --header "X-Vault-Token: ..." \
32 | --request PUT \
33 | http://127.0.0.1:8200/v1/sys/rotate
34 | ```
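The `term` and `install_time` fields returned by `/sys/key-status` are what tell an operator when a call to `/sys/rotate` is due. The following is an added example, not part of the Vault documentation: it parses the nanosecond-precision `install_time` from the sample response and applies a maximum key age. The 90-day threshold and the function names are assumptions of this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed input: the sample /sys/key-status response shown on this page.
SAMPLE_KEY_STATUS = {
    "term": 3,
    "install_time": "2015-05-29T14:50:46.223692553-07:00",
}

# RFC 3339 timestamp with an optional fraction of any length and a zone.
_TIMESTAMP = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})$"
)


def parse_install_time(value):
    """Parse install_time into an aware datetime.

    The sample carries nine fractional digits, which strptime's %f (six
    digits at most) rejects, so the fraction is cut to microseconds first.
    """
    match = _TIMESTAMP.match(value)
    if match is None:
        raise ValueError("unrecognised install_time: %r" % value)
    base, fraction, zone = match.groups()
    micros = (fraction or "").ljust(6, "0")[:6]
    zone = "+00:00" if zone == "Z" else zone
    return datetime.strptime(base + "." + micros + zone, "%Y-%m-%dT%H:%M:%S.%f%z")


def rotation_check(key_status, now, max_age):
    """Report the key's age and whether it exceeds max_age.

    `now` must be timezone-aware. A key installed in the future points to
    clock skew between the checker and Vault and is reported as an error
    rather than silently treated as fresh.
    """
    installed = parse_install_time(key_status["install_time"])
    age = now - installed
    if age < timedelta(0):
        raise ValueError("install_time is in the future; check clock skew")
    return {
        "term": key_status["term"],
        "installed_utc": installed.astimezone(timezone.utc),
        "age_days": age.days,
        "rotate": age > max_age,
    }


if __name__ == "__main__":
    # Assumed policy for this example: rotate after 90 days.
    result = rotation_check(
        SAMPLE_KEY_STATUS,
        now=datetime(2015, 8, 30, tzinfo=timezone.utc),
        max_age=timedelta(days=90),
    )
    print(result)
```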
35 |
--------------------------------------------------------------------------------
/website/source/api/system/seal-status.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "api"
3 | page_title: "/sys/seal-status - HTTP API"
4 | sidebar_title: "/sys/seal-status"
5 | sidebar_current: "api-http-system-seal-status"
6 | description: |-
7 | The `/sys/seal-status` endpoint is used to check the seal status of a Vault.
8 | ---
9 |
10 | # `/sys/seal-status`
11 |
12 | The `/sys/seal-status` endpoint is used to check the seal status of a Vault.
13 |
14 | ## Seal Status
15 |
16 | This endpoint returns the seal status of the Vault. This is an unauthenticated
17 | endpoint.
18 |
19 | | Method | Path |
20 | | :--------------------------- | :--------------------- |
21 | | `GET` | `/sys/seal-status` |
22 |
23 | ### Sample Request
24 |
25 | ```
26 | $ curl \
27 | http://127.0.0.1:8200/v1/sys/seal-status
28 | ```
29 |
30 | ### Sample Response
31 |
32 | The "t" parameter is the threshold, and "n" is the number of shares.
33 |
34 | ```json
35 | {
36 | "type": "shamir",
37 | "sealed": true,
38 | "t": 3,
39 | "n": 5,
40 | "progress": 2,
41 | "nonce": "",
42 | "version": "0.9.0"
43 | }
44 | ```
45 |
46 | Sample response when Vault is unsealed.
47 |
48 | ```json
49 | {
50 | "type": "shamir",
51 | "sealed": false,
52 | "t": 3,
53 | "n": 5,
54 | "progress": 0,
55 | "version": "0.9.0",
56 | "cluster_name": "vault-cluster-d6ec3c7f",
57 | "cluster_id": "3e8b3fec-3749-e056-ba41-b62a63b997e8",
58 | "nonce": "ef05d55d-4d2c-c594-a5e8-55bc88604c24"
59 | }
60 | ```
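Since `/sys/seal-status` needs no token, a monitoring probe can poll it and alert on state changes. The following is an added example, not part of the Vault documentation: it compares two successive responses and reports seal, unseal and unseal-progress transitions. The event names and function names are assumptions of this example; the inputs are the two sample responses above.

```python
# Constructed input: the two sample responses shown above.
SEALED_IN_PROGRESS = {
    "type": "shamir", "sealed": True, "t": 3, "n": 5,
    "progress": 2, "nonce": "", "version": "0.9.0",
}
UNSEALED = {
    "type": "shamir", "sealed": False, "t": 3, "n": 5,
    "progress": 0, "version": "0.9.0",
    "cluster_name": "vault-cluster-d6ec3c7f",
    "cluster_id": "3e8b3fec-3749-e056-ba41-b62a63b997e8",
    "nonce": "ef05d55d-4d2c-c594-a5e8-55bc88604c24",
}


def shares_remaining(status):
    """Number of key shares still needed to reach the threshold `t`."""
    if not status["sealed"]:
        return 0
    return max(status["t"] - status["progress"], 0)


def seal_events(previous, current):
    """Return the event names implied by moving from `previous` to `current`.

    sealed          - an unsealed node is now sealed (restart or seal request)
    unsealed        - a sealed node is now serving requests
    unseal_progress - more shares were submitted while still sealed
    unseal_reset    - progress went backwards while still sealed
    """
    events = []
    if not previous["sealed"] and current["sealed"]:
        events.append("sealed")
    elif previous["sealed"] and not current["sealed"]:
        events.append("unsealed")
    elif current["sealed"]:
        if current["progress"] > previous["progress"]:
            events.append("unseal_progress")
        elif current["progress"] < previous["progress"]:
            events.append("unseal_reset")
    return events


if __name__ == "__main__":
    # A node that was serving traffic is found sealed with two shares entered.
    for event in seal_events(UNSEALED, SEALED_IN_PROGRESS):
        print("%s: %d more share(s) needed" % (event, shares_remaining(SEALED_IN_PROGRESS)))
```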
61 |
--------------------------------------------------------------------------------
/website/source/api/system/seal.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "api"
3 | page_title: "/sys/seal - HTTP API"
4 | sidebar_title: "/sys/seal"
5 | sidebar_current: "api-http-system-seal/"
6 | description: |-
7 | The `/sys/seal` endpoint seals the Vault.
8 | ---
9 |
10 | # `/sys/seal`
11 |
12 | The `/sys/seal` endpoint seals the Vault.
13 |
14 | ## Seal
15 |
16 | This endpoint seals the Vault. In HA mode, only an active node can be sealed.
17 | Standby nodes should be restarted to get the same effect. Requires a token with
18 | `root` policy or `sudo` capability on the path.
19 |
20 | | Method | Path |
21 | | :--------------------------- | :--------------------- |
22 | | `PUT` | `/sys/seal` |
23 |
24 | ### Sample Request
25 |
26 | ```
27 | $ curl \
28 | --header "X-Vault-Token: ..." \
29 | --request PUT \
30 | http://127.0.0.1:8200/v1/sys/seal
31 | ```
32 |
--------------------------------------------------------------------------------
/website/source/api/system/step-down.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "api"
3 | page_title: "/sys/step-down - HTTP API"
4 | sidebar_title: "/sys/step-down"
5 | sidebar_current: "api-http-system-step-down"
6 | description: |-
7 | The `/sys/step-down` endpoint causes the node to give up active status.
8 | ---
9 |
10 | # `/sys/step-down`
11 |
12 | The `/sys/step-down` endpoint causes the node to give up active status.
13 |
14 | ## Step Down Leader
15 |
16 | This endpoint forces the node to give up active status. If the node does not
17 | have active status, this endpoint does nothing. Note that the node will sleep
18 | for ten seconds before attempting to grab the active lock again, but if no
19 | standby nodes grab the active lock in the interim, the same node may become the
20 | active node again. Requires a token with `root` policy or `sudo` capability on
21 | the path.
22 |
23 | | Method | Path |
24 | | :--------------------------- | :--------------------- |
25 | | `PUT` | `/sys/step-down` |
26 |
27 | ### Sample Request
28 |
29 | ```
30 | $ curl \
31 | --header "X-Vault-Token: ..." \
32 | --request PUT \
33 | http://127.0.0.1:8200/v1/sys/step-down
34 | ```
35 |
--------------------------------------------------------------------------------
/website/source/api/system/storage/index.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "api"
3 | page_title: "/sys/storage - HTTP API"
4 | sidebar_title: "/sys/storage"
5 | sidebar_current: "api-http-system-storage"
6 | description: |-
7 |
8 | The '/sys/storage' endpoints are used to manage Vault's storage backends.
9 |
10 | ---
11 |
12 | This API sub-section is currently only used to manage the [Raft](raft.html) storage backend.
13 |
--------------------------------------------------------------------------------
/website/source/api/system/wrapping-lookup.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "api"
3 | page_title: "/sys/wrapping/lookup - HTTP API"
4 | sidebar_title: "/sys/wrapping/lookup"
5 | sidebar_current: "api-http-system-wrapping-lookup"
6 | description: |-
7 | The `/sys/wrapping/lookup` endpoint returns wrapping token properties.
8 | ---
9 |
10 | # `/sys/wrapping/lookup`
11 |
12 | The `/sys/wrapping/lookup` endpoint returns wrapping token properties.
13 |
14 | ## Wrapping Lookup
15 |
16 | This endpoint looks up wrapping properties for the given token.
17 |
18 | | Method | Path |
19 | | :--------------------------- | :--------------------- |
20 | | `POST` | `/sys/wrapping/lookup` |
21 |
22 | ### Parameters
23 |
24 | - `token` `(string: agent
"
5 | sidebar_current: "docs-commands-agent"
6 | description: |-
7 | The "agent" command is used to start Vault Agent
8 | ---
9 |
10 | # agent
11 |
12 | Please see the [Vault Agent documentation page](/docs/agent/index.html).
13 |
--------------------------------------------------------------------------------
/website/source/docs/commands/audit/disable.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "audit disable - Command"
4 | sidebar_title: "disable"
5 | sidebar_current: "docs-commands-audit-disable"
6 | description: |-
7 | The "audit disable" command disables an audit device at a given path, if one
8 | exists. This command is idempotent, meaning it succeeds even if no audit
9 | device is enabled at the path.
10 | ---
11 |
12 | # audit disable
13 |
14 | The `audit disable` command disables an audit device at a given path, if one
15 | exists. This command is idempotent, meaning it succeeds even if no audit device
16 | is enabled at the path.
17 |
18 | Once an audit device is disabled, no future audit logs are dispatched to it. The
19 | data associated with the audit device is unaffected. For example, if you
20 | disabled an audit device that was logging to a file, the file would still exist
21 | and have stored contents.
22 |
23 | ## Examples
24 |
25 | Disable the audit device enabled at "file/":
26 |
27 | ```text
28 | $ vault audit disable file/
29 | Success! Disabled audit device (if it was enabled) at: file/
30 | ```
31 |
32 | ## Usage
33 |
34 | There are no flags beyond the [standard set of flags](/docs/commands/index.html)
35 | included on all commands.
36 |
--------------------------------------------------------------------------------
/website/source/docs/commands/audit/enable.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "audit enable - Command"
4 | sidebar_title: "enable"
5 | sidebar_current: "docs-commands-audit-enable"
6 | description: |-
7 | The "audit enable" command enables an audit device at a given path.
8 | ---
9 |
10 | # audit enable
11 |
12 | The `audit enable` command enables an audit device at a given path. If an audit
13 | device already exists at the given path, an error is returned. Additional
14 | options for configuring the audit device are provided as `KEY=VALUE`. Each audit
15 | device declares its own set of configuration options.
16 |
17 | Once an audit device is enabled, almost every request and response will be
18 | logged to the device.
19 |
20 | ## Examples
21 |
22 | Enable the "file" audit device at "file/":
23 |
24 | ```text
25 | $ vault audit enable file file_path=/tmp/my-file.txt
26 | Success! Enabled the file audit device at: file/
27 | ```
28 |
29 | ## Usage
30 |
31 | The following flags are available in addition to the [standard set of
32 | flags](/docs/commands/index.html) included on all commands.
33 |
34 | - `-description` `(string: "")` - Human-friendly description for the purpose of
35 | this audit device.
36 |
37 | - `-local` `(bool: false)` - Mark the audit device as a local-only device.
38 | Local devices are not replicated or removed by replication.
39 |
40 | - `-path` `(string: "")` - Place where the audit device will be accessible. This
41 | must be unique across all audit devices. This defaults to the "type" of the
42 | audit device.
43 |
--------------------------------------------------------------------------------
/website/source/docs/commands/audit/index.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "audit - Command"
4 | sidebar_title: "audit"
5 | sidebar_current: "docs-commands-audit"
6 | description: |-
7 | The "audit" command groups subcommands for interacting with Vault's audit
8 | devices. Users can list, enable, and disable audit devices.
9 | ---
10 |
11 | # audit
12 |
13 | The `audit` command groups subcommands for interacting with Vault's audit
14 | devices. Users can list, enable, and disable audit devices.
15 |
16 | For more information, please see the [audit device
17 | documentation](/docs/audit/index.html).
18 |
19 | ## Examples
20 |
21 | Enable an audit device:
22 |
23 | ```text
24 | $ vault audit enable file file_path=/tmp/my-file.txt
25 | Success! Enabled the file audit device at: file/
26 | ```
27 |
28 | List all audit devices:
29 |
30 | ```text
31 | $ vault audit list
32 | Path Type Description
33 | ---- ---- -----------
34 | file/ file n/a
35 | ```
36 |
37 | Disable an audit device:
38 |
39 | ```text
40 | $ vault audit disable file/
41 | Success! Disabled audit device (if it was enabled) at: file/
42 | ```
43 |
44 | ## Usage
45 |
46 | ```text
47 | Usage: vault audit list
"
5 | sidebar_current: "docs-commands-audit-list"
6 | description: |-
7 | The "audit list" command lists the audit devices enabled. The output lists the
8 | enabled audit devices and options for those devices.
9 | ---
10 |
11 | # audit list
12 |
13 | The `audit list` command lists the audit devices enabled. The output lists the
14 | enabled audit devices and options for those devices.
15 |
16 | ## Examples
17 |
18 | List all audit devices:
19 |
20 | ```text
21 | $ vault audit list
22 | Path Type Description
23 | ---- ---- -----------
24 | file/ file n/a
25 | ```
26 |
27 | List detailed audit device information:
28 |
29 | ```text
30 | $ vault audit list -detailed
31 | Path Type Description Replication Options
32 | ---- ---- ----------- ----------- -------
33 | file/ file n/a replicated file_path=/var/log/audit.log
34 | ```
35 |
36 | ## Usage
37 |
38 | The following flags are available in addition to the [standard set of
39 | flags](/docs/commands/index.html) included on all commands.
40 |
41 | ### Output Options
42 |
43 | - `-format` `(string: "table")` - Print the output in the given format. Valid
44 | formats are "table", "json", or "yaml". This can also be specified via the
45 | `VAULT_FORMAT` environment variable.
46 |
47 | ### Command Options
48 |
49 | - `-detailed` `(bool: false)` - Print detailed information such as options and
50 | replication status about each audit device.
51 |
--------------------------------------------------------------------------------
/website/source/docs/commands/auth/disable.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "auth disable - Command"
4 | sidebar_title: "disable"
5 | sidebar_current: "docs-commands-auth-disable"
6 | description: |-
7 | The "auth disable" command disables an auth method at a given path, if one
8 | exists. This command is idempotent, meaning it succeeds even if no auth method
9 | is enabled at the path.
10 | ---
11 |
12 | # auth disable
13 |
14 | The `auth disable` command disables an auth method at a given path, if one
15 | exists. This command is idempotent, meaning it succeeds even if no auth method
16 | is enabled at the path.
17 |
18 | Once an auth method is disabled, it can no longer be used for authentication.
19 | **All access tokens generated via the disabled auth method are immediately
20 | revoked.** This command will block until all tokens are revoked.
21 |
22 | ## Examples
23 |
24 | Disable the auth method enabled at "userpass/":
25 |
26 | ```text
27 | $ vault auth disable userpass/
28 | Success! Disabled the auth method (if it existed) at: userpass/
29 | ```
30 |
31 | ## Usage
32 |
33 | There are no flags beyond the [standard set of flags](/docs/commands/index.html)
34 | included on all commands.
35 |
--------------------------------------------------------------------------------
/website/source/docs/commands/auth/help.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "auth help - Command"
4 | sidebar_title: "help"
5 | sidebar_current: "docs-commands-auth-help"
6 | description: |-
7 | The "auth help" command prints usage and help for an auth method.
8 | ---
9 |
10 | # auth help
11 |
12 | The `auth help` command prints usage and help for an auth method.
13 |
14 | - If given a TYPE, this command prints the default help for the auth method of
15 | that type.
16 |
17 | - If given a PATH, this command prints the help output for the auth method
18 | enabled at that path. This path must already exist.
19 |
20 | Each auth method produces its own help output.
21 |
22 | ## Examples
23 |
24 | Get usage instructions for the userpass auth method:
25 |
26 | ```text
27 | $ vault auth help userpass
28 | Usage: vault login -method=userpass [CONFIG K=V...]
29 |
30 | The userpass auth method allows users to authenticate using Vault's
31 | internal user database.
32 |
33 | # ...
34 | ```
35 |
36 | Print usage for the auth method enabled at my-method/:
37 |
38 | ```text
39 | $ vault auth help my-method/
40 | # ...
41 | ```
42 |
43 | ## Usage
44 |
45 | There are no flags beyond the [standard set of flags](/docs/commands/index.html)
46 | included on all commands.
47 |
--------------------------------------------------------------------------------
/website/source/docs/commands/auth/tune.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "auth tune - Command"
4 | sidebar_title: "tune"
5 | sidebar_current: "docs-commands-auth-tune"
6 | description: |-
7 | The "auth tune" command tunes the configuration options for the auth method at
8 | the given PATH.
9 | ---
10 |
11 | # auth tune
12 |
13 | The `auth tune` command tunes the configuration options for the auth method at
14 | the given PATH. **The argument corresponds to the PATH where the auth method is
15 | enabled, not the TYPE!**
16 |
17 | ## Examples
18 |
19 | Tune the default lease for the auth method enabled at "github/":
20 |
21 | ```text
22 | $ vault auth tune -default-lease-ttl=72h github/
23 | Success! Tuned the auth method at: github/
24 | ```
25 |
26 | ## Usage
27 |
28 | The following flags are available in addition to the [standard set of
29 | flags](/docs/commands/index.html) included on all commands.
30 |
31 | - `-default-lease-ttl` `(duration: "")` - The default lease TTL for this auth
32 | method. If unspecified, this defaults to the Vault server's globally
33 | configured default lease TTL, or a previously configured value for the auth
34 | method.
35 |
36 | - `-max-lease-ttl` `(duration: "")` - The maximum lease TTL for this auth
37 | method. If unspecified, this defaults to the Vault server's globally
38 | configured maximum lease TTL, or a previously configured value for the auth
39 | method.
40 |
--------------------------------------------------------------------------------
/website/source/docs/commands/delete.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "delete - Command"
4 | sidebar_title: "delete"
5 | sidebar_current: "docs-commands-delete"
6 | description: |-
7 | The "delete" command deletes secrets and configuration from Vault at the given
8 | path. The behavior of "delete" is delegated to the backend corresponding to
9 | the given path.
10 | ---
11 |
12 | # delete
13 |
14 | The `delete` command deletes secrets and configuration from Vault at the given
15 | path. The behavior of "delete" is delegated to the backend corresponding to the
16 | given path.
17 |
18 | ## Examples
19 |
20 | Remove data in the static secrets engine:
21 |
22 | ```text
23 | $ vault delete secret/my-secret
24 | ```
25 |
26 | Uninstall an encryption key in the transit backend:
27 |
28 | ```text
29 | $ vault delete transit/keys/my-key
30 | ```
31 |
32 | Delete an IAM role:
33 |
34 | ```text
35 | $ vault delete aws/roles/ops
36 | ```
37 |
38 | ## Usage
39 |
40 | There are no flags beyond the [standard set of flags](/docs/commands/index.html)
41 | included on all commands.
42 |
--------------------------------------------------------------------------------
/website/source/docs/commands/kv/delete.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "kv delete - Command"
4 | sidebar_title: "delete"
5 | sidebar_current: "docs-commands-kv-delete"
6 | description: |-
7 | The "kv delete" command disables a secrets engine at a given PATH. The
8 | argument corresponds to the enabled PATH of the engine, not the TYPE! All
9 | secrets created by this engine are revoked and its Vault data is removed.
10 | ---
11 |
12 | # kv delete
13 |
14 | The `kv delete` command deletes the data for the provided path in
15 | the key/value secrets engine. If using K/V Version 2, its versioned data will
16 | not be fully removed, but marked as deleted and will no longer be returned in
17 | normal get requests.
18 |
19 | ## Examples
20 |
21 | Delete the latest version of the key "creds":
22 |
23 | ```text
24 | $ vault kv delete secret/creds
25 | Success! Data deleted (if it existed) at: secret/creds
26 | ```
27 |
28 | **[K/V Version 2]** Delete version 11 of key "creds":
29 |
30 | ```text
31 | $ vault kv delete -versions=11 secret/creds
32 | Success! Data deleted (if it existed) at: secret/creds
33 | ```
34 |
35 | ## Usage
36 |
37 | There are no flags beyond the [standard set of flags](/docs/commands/index.html)
38 | included on all commands.
39 |
40 |
41 | ### Command Options
42 |
43 | - `-versions` `([]int: destroy
"
5 | sidebar_current: "docs-commands-kv-destroy"
6 | description: |-
7 | The "kv destroy" command permanently removes the specified version data for
8 | the provided key and version numbers from the key-value store.
9 | ---
10 |
11 | # kv destroy
12 |
13 | ~> **NOTE:** This is a [K/V Version 2](/docs/secrets/kv/kv-v2.html) secrets
14 | engine command, and not available for Version 1.
15 |
16 | The `kv destroy` command permanently removes the specified versions' data
17 | from the key/value secrets engine. If no key exists at the path, no action is
18 | taken.
19 |
20 |
21 | ## Examples
22 |
23 | Destroy version 11 of the key "creds":
24 |
25 | ```text
26 | $ vault kv destroy -versions=11 secret/creds
27 | Success! Data written to: secret/destroy/creds
28 | ```
29 |
30 | ## Usage
31 |
32 | There are no flags beyond the [standard set of flags](/docs/commands/index.html)
33 | included on all commands.
34 |
35 | ### Output Options
36 |
37 | - `-format` `(string: "table")` - Print the output in the given format. Valid
38 | formats are "table", "json", or "yaml". This can also be specified via the
39 | `VAULT_FORMAT` environment variable.
40 |
41 | ### Command Options
42 |
43 | - `-versions` `([]int: enable-versioning
"
5 | sidebar_current: "docs-commands-kv-enable-versioning"
6 | description: |-
7 | The "kv enable-versioning" command turns on versioning for the backend
8 | at the provided path.
9 | ---
10 |
11 | # kv enable-versioning
12 |
13 | The `kv enable-versioning` command turns on versioning for an existing
14 | non-versioned key/value secrets engine (K/V Version 1) at its path.
15 |
16 | ## Examples
17 |
18 | This command turns on versioning for the K/V Version 1 secrets engine enabled at
19 | "secret".
20 |
21 | ```text
22 | $ vault kv enable-versioning secret
23 | Success! Tuned the secrets engine at: secret/
24 | ```
25 |
26 | ## Usage
27 |
28 | There are no flags beyond the [standard set of flags](/docs/commands/index.html)
29 | included on all commands.
30 |
31 | ### Output Options
32 |
33 | - `-format` `(string: "table")` - Print the output in the given format. Valid
34 | formats are "table", "json", or "yaml". This can also be specified via the
35 | `VAULT_FORMAT` environment variable.
36 |
--------------------------------------------------------------------------------
/website/source/docs/commands/kv/list.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "kv list - Command"
4 | sidebar_title: "list"
5 | sidebar_current: "docs-commands-kv-list"
6 | description: |-
7 | The "kv list" command lists data from Vault's K/V secrets engine at the given
8 | path.
9 | ---
10 |
11 | # kv list
12 |
13 | The `kv list` command returns a list of key names at the specified location.
14 | Folders are suffixed with /. The input must be a folder; list on a file will not
15 | return a value. Note that no policy-based filtering is performed on keys; do not
16 | encode sensitive information in key names. The values themselves are not
17 | accessible via this command.
18 |
19 | Use this command to list all existing key names at a specific path.
20 |
21 | ## Examples
22 |
23 | List values under the key "my-app":
24 |
25 | ```text
26 | $ vault kv list secret/my-app/
27 | Keys
28 | ----
29 | admin_creds
30 | domain
31 | eng_creds
32 | qa_creds
33 | release
34 | ```
35 |
36 | ## Usage
37 |
38 | There are no flags beyond the [standard set of flags](/docs/commands/index.html)
39 | included on all commands.
40 |
41 | ### Output Options
42 |
43 | - `-format` `(string: "table")` - Print the output in the given format. Valid
44 | formats are "table", "json", or "yaml". This can also be specified via the
45 | `VAULT_FORMAT` environment variable.
46 |
--------------------------------------------------------------------------------
/website/source/docs/commands/kv/undelete.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "kv undelete - Command"
4 | sidebar_title: "undelete"
5 | sidebar_current: "docs-commands-kv-undelete"
6 | description: |-
7 | The "kv undelete" command undeletes the data for the provided version and path
8 | in the key-value store. This restores the data, allowing it to be returned on
9 | get requests.
10 | ---
11 |
12 | # kv undelete
13 |
14 | ~> **NOTE:** This is a [K/V Version 2](/docs/secrets/kv/kv-v2.html) secrets
15 | engine command, and not available for Version 1.
16 |
17 |
18 | The `kv undelete` command undoes the deletion of the data for the provided version
19 | and path in the key-value store. This restores the data, allowing it to be
20 | returned on get requests.
21 |
22 | ## Examples
23 |
24 | Undelete version 3 of the key "creds":
25 |
26 | ```text
27 | $ vault kv undelete -versions=3 secret/creds
28 | Success! Data written to: secret/undelete/creds
29 | ```
30 |
31 | ## Usage
32 |
33 | There are no flags beyond the [standard set of flags](/docs/commands/index.html)
34 | included on all commands.
35 |
36 | ### Output Options
37 |
38 | - `-format` `(string: "table")` - Print the output in the given format. Valid
39 | formats are "table", "json", or "yaml". This can also be specified via the
40 | `VAULT_FORMAT` environment variable.
41 |
42 | ### Command Options
43 |
44 | - `-versions` `([]int: lease
"
5 | sidebar_current: "docs-commands-lease"
6 | description: |-
7 | The "lease" command groups subcommands for interacting with leases attached to
8 | secrets.
9 | ---
10 |
11 | # lease
12 |
13 | The `lease` command groups subcommands for interacting with leases attached to
14 | secrets. For leases attached to tokens, use the [`vault
15 | token`](/docs/commands/token.html) subcommand.
16 |
17 | ## Examples
18 |
19 | Renew a lease:
20 |
21 | ```text
22 | $ vault lease renew database/creds/readonly/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83
23 | Key Value
24 | --- -----
25 | lease_id database/creds/readonly/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83
26 | lease_duration 5m
27 | lease_renewable true
28 | ```
29 |
30 | Revoke a lease:
31 |
32 | ```text
33 | $ vault lease revoke database/creds/readonly/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83
34 | Success! Revoked lease: database/creds/readonly/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83
35 | ```
36 |
37 | ## Usage
38 |
39 | ```text
40 | Usage: vault lease lease
"
5 | sidebar_current: "docs-commands-lease"
6 | description: |-
7 | The "lease" command groups subcommands for interacting with leases attached to
8 | secrets.
9 | ---
10 |
11 | # lease
12 |
13 | The `lease` command groups subcommands for interacting with leases attached to
14 | secrets. For leases attached to tokens, use the [`vault token`](/docs/commands/token.html) subcommand.
15 |
16 | ## Examples
17 |
18 | Renew a lease:
19 |
20 | ```text
21 | $ vault lease renew database/creds/readonly/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83
22 | Key Value
23 | --- -----
24 | lease_id database/creds/readonly/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83
25 | lease_duration 5m
26 | lease_renewable true
27 | ```
28 |
29 | Revoke a lease:
30 |
31 | ```text
32 | $ vault lease revoke database/creds/readonly/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83
33 | Success! Revoked lease: database/creds/readonly/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83
34 | ```
35 |
36 | ## Usage
37 |
38 | ```text
39 | Usage: vault lease renew
"
5 | sidebar_current: "docs-commands-lease-renew"
6 | description: |-
7 | The "lease renew" command renews the lease on a secret, extending the time
8 | that it can be used before it is revoked by Vault.
9 | ---
10 |
11 | # lease renew
12 |
13 | The `lease renew` command renews the lease on a secret, extending the time that
14 | it can be used before it is revoked by Vault.
15 |
16 | Every secret in Vault has a lease associated with it. If the owner of the secret
17 | wants to use it longer than the lease, then it must be renewed. Renewing the
18 | lease does not change the contents of the secret.
19 |
20 | ## Examples
21 |
22 | Renew a lease:
23 |
24 | ```text
25 | $ vault lease renew database/creds/readonly/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83
26 | Key Value
27 | --- -----
28 | lease_id database/creds/readonly/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83
29 | lease_duration 5m
30 | lease_renewable true
31 | ```
32 |
33 | ## Usage
34 |
35 | The following flags are available in addition to the [standard set of
36 | flags](/docs/commands/index.html) included on all commands.
37 |
38 | - `-increment` `(duration: "")` - Request a specific increment in seconds. Vault
39 | is not required to honor this request.
40 |
--------------------------------------------------------------------------------
/website/source/docs/commands/lease/revoke.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "lease revoke - Command"
4 | sidebar_title: "revoke"
5 | sidebar_current: "docs-commands-lease-revoke"
6 | description: |-
7 | The "lease revoke" command revokes the lease on a secret, invalidating the
8 | underlying secret.
9 | ---
10 |
11 | # lease revoke
12 |
13 | The `lease revoke` command revokes the lease on a secret, invalidating the
14 | underlying secret.
15 |
16 | ## Examples
17 |
18 | Revoke a lease:
19 |
20 | ```text
21 | $ vault lease revoke database/creds/readonly/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83
22 | Success! Revoked lease: database/creds/readonly/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83
23 | ```
24 |
25 | Revoke all leases whose IDs start with a prefix:
26 |
27 | ```text
28 | $ vault lease revoke -prefix database/creds
29 | Success! Revoked any leases with prefix: database/creds
30 | ```
31 |
32 | ## Usage
33 |
34 | The following flags are available in addition to the [standard set of
35 | flags](/docs/commands/index.html) included on all commands.
36 |
37 | - `-force` `(bool: false)` - Delete the lease from Vault even if the secret
38 | engine revocation fails. This is meant for recovery situations where the
39 | secret in the target secrets engine was manually removed. If this flag is
40 | specified, -prefix is also required. This is aliased as "-f". The default is
41 | false.
42 |
43 | - `-prefix` `(bool: false)` - Treat the ID as a prefix instead of an exact lease
44 | ID. This can revoke multiple leases simultaneously. The default is false.
45 |
--------------------------------------------------------------------------------
/website/source/docs/commands/list.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "list - Command"
4 | sidebar_title: "list"
5 | sidebar_current: "docs-commands-list"
6 | description: |-
7 | The "list" command lists data from Vault at the given path. This can be used
8 | to list keys in a given secrets engine.
9 | ---
10 |
11 | # list
12 |
13 | The `list` command lists data from Vault at the given path. This can be used to
14 | list keys in a given secrets engine.
15 |
16 | ## Examples
17 |
18 | List values under the "my-app" folder of the KV secrets engine:
19 |
20 | ```text
21 | $ vault list secret/my-app/
22 | ```
23 |
24 | ## Usage
25 |
26 | There are no flags beyond the [standard set of flags](/docs/commands/index.html)
27 | included on all commands.
28 |
--------------------------------------------------------------------------------
/website/source/docs/commands/namespace.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "namespace - Command"
4 | sidebar_title: "namespace"
5 | sidebar_current: "docs-commands-namespace"
6 | description: |-
7 | The "namespace" command groups subcommands for interacting with namespaces.
8 | ---
9 |
10 | # namespace
11 |
12 | The `namespace` command groups subcommands for interacting with namespaces.
13 |
14 | ## Examples
15 |
16 | List all namespaces:
17 |
18 | ```text
19 | $ vault namespace list
20 | ```
21 |
22 | Create a namespace at the path `ns1/`:
23 |
24 | ```text
25 | $ vault namespace create ns1/
26 | ```
27 |
28 | Delete the namespace at path `ns1/`:
29 |
30 | ```text
31 | $ vault namespace delete ns1/
32 | ```
33 |
34 | Look up the namespace information at path `ns1/`:
35 |
36 | ```text
37 | $ vault namespace lookup ns1/
38 | ```
39 |
40 | ## Usage
41 |
42 | ```text
43 | Usage: vault namespace key-status
"
5 | sidebar_current: "docs-commands-operator-key-status"
6 | description: |-
7 | The "operator key-status" provides information about the active encryption
8 | key.
9 | ---
10 |
11 | # operator key-status
12 |
13 | The `operator key-status` command provides information about the active encryption
14 | key, specifically the current key term and the key installation time.
15 |
16 | ## Examples
17 |
18 | Get the key status:
19 |
20 | ```text
21 | $ vault operator key-status
22 | Key Term 2
23 | Install Time 01 Jan 17 12:30 UTC
24 | ```
25 |
26 | ## Usage
27 |
28 | The following flags are available in addition to the [standard set of
29 | flags](/docs/commands/index.html) included on all commands.
30 |
31 | ### Output Options
32 |
33 | - `-format` `(string: "table")` - Print the output in the given format. Valid
34 | formats are "table", "json", or "yaml". This can also be specified via the
35 | `VAULT_FORMAT` environment variable.
36 |
--------------------------------------------------------------------------------
/website/source/docs/commands/operator/rotate.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "operator rotate - Command"
4 | sidebar_title: "rotate"
5 | sidebar_current: "docs-commands-operator-rotate"
6 | description: |-
7 | The "operator rotate" rotates the underlying encryption key which is used to
8 | secure data written to the storage backend. This installs a new key in the key
9 | ring. This new key is used to encrypt new data, while older keys in the ring
10 | are used to decrypt older data.
11 | ---
12 |
13 | # operator rotate
14 |
15 | The `operator rotate` command rotates the underlying encryption key which is used to
16 | secure data written to the storage backend. This installs a new key in the key
17 | ring. This new key is used to encrypt new data, while older keys in the ring
18 | are used to decrypt older data.
19 |
20 | This is an online operation and does not cause downtime. This command is run
21 | per-cluster (not per-server), since Vault servers in HA mode share the same
22 | storage backend.
23 |
24 | ## Examples
25 |
26 | Rotate Vault's encryption key:
27 |
28 | ```text
29 | $ vault operator rotate
30 | Key Term 3
31 | Install Time 01 May 17 10:30 UTC
32 | ```
33 |
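To alert on an encryption key that has not been rotated for too long, the key term and install time can be read from this output. Added example, not part of the Vault documentation; the function names are hypothetical, and it assumes the `DD Mon YY HH:MM UTC` layout shown above with years in 20YY.

```shell
#!/bin/sh
# Added example (not from the Vault docs). Parses the table output of
# `vault operator key-status` or `vault operator rotate` read from stdin.

# key_term: print the number on the "Key Term" line.
key_term() {
    sed -n 's/^Key Term[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p'
}

# install_epoch: print the "Install Time" value as seconds since the epoch.
# Assumption: "DD Mon YY HH:MM UTC" layout, two-digit year meaning 20YY.
install_epoch() {
    set -- $(sed -n 's/^Install Time[[:space:]]*//p')
    [ $# -eq 5 ] && [ "$5" = UTC ] || return 1
    case "$2" in
        Jan) m=1 ;; Feb) m=2 ;; Mar) m=3 ;; Apr) m=4 ;; May) m=5 ;; Jun) m=6 ;;
        Jul) m=7 ;; Aug) m=8 ;; Sep) m=9 ;; Oct) m=10 ;; Nov) m=11 ;; Dec) m=12 ;;
        *) return 1 ;;
    esac
    # Strip one leading zero so "08" and "09" are not read as octal.
    d=${1#0}
    y=$((2000 + ${3#0}))
    hh=${4%:*}; hh=${hh#0}
    mm=${4#*:}; mm=${mm#0}
    # Days since 1970-01-01 in the Gregorian calendar, counting the year
    # from March so the leap day falls at the end.
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    mp=$(( (m + 9) % 12 ))
    era=$((y / 400))
    yoe=$((y - era * 400))
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    days=$((era * 146097 + doe - 719468))
    echo $((days * 86400 + hh * 3600 + mm * 60))
}

# key_age_days NOW: whole days between the install time on stdin and NOW
# (NOW in epoch seconds).
key_age_days() {
    installed=$(install_epoch) || return 1
    echo $(( ($1 - installed) / 86400 ))
}

# rotation_overdue MAX_DAYS NOW: succeed when the key described on stdin is
# older than MAX_DAYS; return 2 if the output could not be parsed.
rotation_overdue() {
    age=$(key_age_days "$2") || return 2
    [ "$age" -gt "$1" ]
}

# Output copied from the `operator rotate` example above.
sample_rotate_output() {
    printf '%s\n' 'Key Term 3' 'Install Time 01 May 17 10:30 UTC'
}

# Demo on the sample. Against a live server:
#   vault operator key-status | rotation_overdue 90 "$(date +%s)"
if sample_rotate_output | rotation_overdue 90 "$(date +%s)"; then
    echo "key term $(sample_rotate_output | key_term) is older than 90 days"
fi
```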
34 | ## Usage
35 |
36 | The following flags are available in addition to the [standard set of
37 | flags](/docs/commands/index.html) included on all commands.
38 |
39 | ### Output Options
40 |
41 | - `-format` `(string: "table")` - Print the output in the given format. Valid
42 | formats are "table", "json", or "yaml". This can also be specified via the
43 | `VAULT_FORMAT` environment variable.
44 |
--------------------------------------------------------------------------------
/website/source/docs/commands/operator/seal.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "operator seal - Command"
4 | sidebar_title: "seal"
5 | sidebar_current: "docs-commands-operator-seal"
6 | description: |-
7 | The "operator seal" command seals the Vault server. Sealing tells the Vault server to
8 | stop responding to any operations until it is unsealed. When sealed, the Vault
9 | server discards its in-memory master key to unlock the data, so it is
10 | physically blocked from responding to operations until it is unsealed.
11 | ---
12 |
13 | # operator seal
14 |
15 | The `operator seal` command seals the Vault server. Sealing tells the Vault server to
16 | stop responding to any operations until it is unsealed. When sealed, the Vault
17 | server discards the in-memory master key used to unlock the data, so it is physically
18 | blocked from responding to operations until it is unsealed.
19 |
20 | If an unseal is in progress, sealing the Vault will reset the unsealing process.
21 | Users will have to re-enter their portions of the master key.
22 |
23 | This command does nothing if the Vault server is already sealed.
24 |
25 | For more information on sealing and unsealing, please see the [seal concepts
26 | page](/docs/concepts/seal.html).
27 |
28 | ## Examples
29 |
30 | Seal a Vault server:
31 |
32 | ```text
33 | $ vault operator seal
34 | Success! Vault is sealed.
35 | ```
36 |
37 | ## Usage
38 |
39 | There are no flags beyond the [standard set of flags](/docs/commands/index.html)
40 | included on all commands.
41 |
--------------------------------------------------------------------------------
/website/source/docs/commands/operator/step-down.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "operator step-down - Command"
4 | sidebar_title: "step-down"
5 | sidebar_current: "docs-commands-operator-step-down"
6 | description: |-
7 | The "operator step-down" forces the Vault server at the given address to step
8 | down from active duty.
9 | ---
10 |
11 | # operator step-down
12 |
13 | The `operator step-down` command forces the Vault server at the given address to step
14 | down from active duty. While the affected node will have a delay before
15 | attempting to acquire the leader lock again, if no other Vault nodes acquire the
16 | lock beforehand, it is possible for the same node to re-acquire the lock and
17 | become active again.
18 |
19 | ## Examples
20 |
21 | Force a Vault server to step down as the leader:
22 |
23 | ```text
24 | $ vault operator step-down
25 | Success! Stepped down: http://127.0.0.1:8200
26 | ```
27 |
28 | ## Usage
29 |
30 | There are no flags beyond the [standard set of flags](/docs/commands/index.html)
31 | included on all commands.
32 |
--------------------------------------------------------------------------------
/website/source/docs/commands/plugin/deregister.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "plugin deregister - Command"
4 | sidebar_title: "deregister"
5 | sidebar_current: "docs-commands-plugin-deregister"
6 | description: |-
7 | The "plugin deregister" command deregisters an existing plugin from Vault's plugin
8 | catalog.
9 | ---
10 |
11 | # plugin deregister
12 |
13 | The `plugin deregister` command deregisters an existing plugin from Vault's
14 | plugin catalog. If the plugin does not exist, no error is returned. The plugin's
15 | type of "auth", "database", or "secret" must be included.
16 |
17 | ## Examples
18 |
19 | Deregister a plugin:
20 |
21 | ```text
22 | $ vault plugin deregister auth my-custom-plugin
23 | Success! Deregistered plugin (if it was registered): my-custom-plugin
24 | ```
25 |
26 | ## Usage
27 |
28 | There are no flags beyond the [standard set of flags](/docs/commands/index.html)
29 | included on all commands.
30 |
--------------------------------------------------------------------------------
/website/source/docs/commands/plugin/info.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "plugin info - Command"
4 | sidebar_title: "info"
5 | sidebar_current: "docs-commands-plugin-info"
6 | description: |-
7 | The "plugin info" command displays information about a plugin in the catalog.
8 | ---
9 |
10 | # plugin info
11 |
12 | The `plugin info` command displays information about a plugin in the catalog.
13 | The plugin's type of "auth", "database", or "secret" must be included.
14 |
15 | ## Examples
16 |
17 | Display information about a plugin:
18 |
19 | ```text
20 | $ vault plugin info auth my-custom-plugin
21 |
22 | Key Value
23 | --- -----
24 | args []
25 | builtin false
26 | command my-custom-plugin
27 | name my-custom-plugin
28 | sha256 d3f0a8be02f6c074cf38c9c99d4d04c9c6466249
29 | ```
30 |
31 | ## Usage
32 |
33 | The following flags are available in addition to the [standard set of
34 | flags](/docs/commands/index.html) included on all commands.
35 |
36 | ### Output Options
37 |
38 | - `-field` `(string: "")` - Print only the field with the given name. Specifying
39 | this option will take precedence over other formatting directives. The result
40 | will not have a trailing newline making it ideal for piping to other
41 | processes.
42 |
43 | - `-format` `(string: "table")` - Print the output in the given format. Valid
44 | formats are "table", "json", or "yaml". This can also be specified via the
45 | `VAULT_FORMAT` environment variable.
46 |
--------------------------------------------------------------------------------
/website/source/docs/commands/plugin/list.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "plugin list - Command"
4 | sidebar_title: "list"
5 | sidebar_current: "docs-commands-plugin-list"
6 | description: |-
7 | The "plugin list" command lists all available plugins in the plugin catalog.
8 | ---
9 |
10 | # plugin list
11 |
12 | The `plugin list` command lists all available plugins in the plugin catalog.
13 | It can be used alone or with a type such as "auth", "database", or "secret".
14 |
15 | ## Examples
16 |
17 | List all available plugins in the catalog:
18 |
19 | ```text
20 | $ vault plugin list
21 |
22 | Plugins
23 | -------
24 | my-custom-plugin
25 | # ...
26 |
27 | $ vault plugin list database
28 | Plugins
29 | -------
30 | cassandra-database-plugin
31 | # ...
32 | ```
33 |
34 | ## Usage
35 |
36 | The following flags are available in addition to the [standard set of
37 | flags](/docs/commands/index.html) included on all commands.
38 |
39 | ### Output Options
40 |
41 | - `-format` `(string: "table")` - Print the output in the given format. Valid
42 | formats are "table", "json", or "yaml". This can also be specified via the
43 | `VAULT_FORMAT` environment variable.
44 |
--------------------------------------------------------------------------------
/website/source/docs/commands/policy/delete.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "policy delete - Command"
4 | sidebar_title: "delete"
5 | sidebar_current: "docs-commands-policy-delete"
6 | description: |-
7 | The "policy delete" command deletes the policy named NAME in the Vault server.
8 | Once the policy is deleted, all tokens associated with the policy are affected
9 | immediately.
10 | ---
11 |
12 | # policy delete
13 |
14 | The `policy delete` command deletes the policy named NAME in the Vault server.
15 | Once the policy is deleted, all tokens associated with the policy are affected
16 | immediately.
17 |
18 | Note that it is not possible to delete the "default" or "root" policies. These
19 | are built-in policies.
20 |
21 | ## Examples
22 |
23 | Delete the policy named "my-policy":
24 |
25 | ```text
26 | $ vault policy delete my-policy
27 | ```
28 |
29 | ## Usage
30 |
31 | There are no flags beyond the [standard set of flags](/docs/commands/index.html)
32 | included on all commands.
33 |
--------------------------------------------------------------------------------
/website/source/docs/commands/policy/fmt.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "policy fmt - Command"
4 | sidebar_title: "fmt"
5 | sidebar_current: "docs-commands-policy-fmt"
6 | description: |-
7 | The "policy fmt" formats a local policy file to the policy specification. This
8 | command will overwrite the file at the given PATH with the properly-formatted
9 | policy file contents.
10 | ---
11 |
12 | # policy fmt
13 |
14 | The `policy fmt` command formats a local policy file to the policy specification. This
15 | command will overwrite the file at the given PATH with the properly-formatted
16 | policy file contents.
17 |
18 | ## Examples
19 |
20 | Format the local file "my-policy.hcl":
21 |
22 | ```text
23 | $ vault policy fmt my-policy.hcl
24 | ```
25 |
26 | ## Usage
27 |
28 | There are no flags beyond the [standard set of flags](/docs/commands/index.html)
29 | included on all commands.
30 |
--------------------------------------------------------------------------------
/website/source/docs/commands/policy/index.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "policy - Command"
4 | sidebar_title: "policy"
5 | sidebar_current: "docs-commands-policy"
6 | description: |-
7 | The "policy" command groups subcommands for interacting with policies. Users
8 | can write, read, and list policies in Vault.
9 | ---
10 |
11 | # policy
12 |
13 | The `policy` command groups subcommands for interacting with policies. Users can
14 | write, read, and list policies in Vault.
15 |
16 | For more information, please see the [policy
17 | documentation](/docs/concepts/policies.html).
18 |
19 | ## Examples
20 |
21 | List all enabled policies:
22 |
23 | ```text
24 | $ vault policy list
25 | ```
26 |
27 | Create a policy named "my-policy" from contents on local disk:
28 |
29 | ```text
30 | $ vault policy write my-policy ./my-policy.hcl
31 | ```
32 |
33 | Delete the policy named my-policy:
34 |
35 | ```text
36 | $ vault policy delete my-policy
37 | ```
38 |
39 | ## Usage
40 |
41 | ```text
42 | Usage: vault policy list
"
5 | sidebar_current: "docs-commands-policy-list"
6 | description: |-
7 | The "policy list" command lists the names of the policies that are installed
8 | on the Vault server.
9 | ---
10 |
11 | # policy list
12 |
13 | The `policy list` command lists the names of the policies that are installed on
14 | the Vault server.
15 |
16 | ## Examples
17 |
18 | List the available policies:
19 |
20 | ```text
21 | $ vault policy list
22 | default
23 | root
24 | ```
25 |
26 | ## Usage
27 |
28 | The following flags are available in addition to the [standard set of
29 | flags](/docs/commands/index.html) included on all commands.
30 |
31 | ### Output Options
32 |
33 | - `-format` `(string: "table")` - Print the output in the given format. Valid
34 | formats are "table", "json", or "yaml". This can also be specified via the
35 | `VAULT_FORMAT` environment variable.
36 |
37 |
--------------------------------------------------------------------------------
/website/source/docs/commands/policy/read.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "policy read - Command"
4 | sidebar_title: "read"
5 | sidebar_current: "docs-commands-policy-read"
6 | description: |-
7 | The "policy read" command prints the contents and metadata of the Vault policy
8 | named NAME. If the policy does not exist, an error is returned.
9 | ---
10 |
11 | # policy read
12 |
13 | The `policy read` command prints the contents and metadata of the Vault policy
14 | named NAME. If the policy does not exist, an error is returned.
15 |
16 | ## Examples
17 |
18 | Read the policy named "my-policy":
19 |
20 | ```text
21 | $ vault policy read my-policy
22 | ```
23 |
24 | ## Usage
25 |
26 | The following flags are available in addition to the [standard set of
27 | flags](/docs/commands/index.html) included on all commands.
28 |
29 | ### Output Options
30 |
31 | - `-format` `(string: "table")` - Print the output in the given format. Valid
32 | formats are "table", "json", or "yaml". This can also be specified via the
33 | `VAULT_FORMAT` environment variable.
34 |
--------------------------------------------------------------------------------
/website/source/docs/commands/policy/write.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "policy write - Command"
4 | sidebar_title: "write"
5 | sidebar_current: "docs-commands-policy-write"
6 | description: |-
7 | The "policy write" command uploads a policy with name NAME from the contents
8 | of a local file PATH or stdin. If PATH is "-", the policy is read from stdin.
9 | Otherwise, it is loaded from the file at the given path on the local disk.
10 | ---
11 |
12 | # policy write
13 |
14 | The `policy write` command uploads a policy with name NAME from the contents of
15 | a local file PATH or stdin. If PATH is "-", the policy is read from stdin.
16 | Otherwise, it is loaded from the file at the given path on the local disk.
17 |
18 | For details on the policy syntax, please see the [policy
19 | documentation](/docs/concepts/policies.html).
20 |
21 | ## Examples
22 |
23 | Upload a policy named "my-policy" from "/tmp/policy.hcl" on the local disk:
24 |
25 | ```text
26 | $ vault policy write my-policy /tmp/policy.hcl
27 | ```
28 |
29 | Upload a policy from stdin:
30 |
31 | ```text
32 | $ cat my-policy.hcl | vault policy write my-policy -
33 | ```
34 |
35 | ## Usage
36 |
37 | There are no flags beyond the [standard set of flags](/docs/commands/index.html)
38 | included on all commands.
39 |
--------------------------------------------------------------------------------
/website/source/docs/commands/secrets/disable.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "secrets disable - Command"
4 | sidebar_title: "disable"
5 | sidebar_current: "docs-commands-secrets-disable"
6 | description: |-
7 | The "secrets disable" command disables a secrets engine at a given PATH. The
8 | argument corresponds to the enabled PATH of the engine, not the TYPE! All
9 | secrets created by this engine are revoked and its Vault data is removed.
10 | ---
11 |
12 | # secrets disable
13 |
14 | The `secrets disable` command disables a secrets engine at a given PATH. The
15 | argument corresponds to the enabled PATH of the engine, not the TYPE! All
16 | secrets created by this engine are revoked and its Vault data is removed.
17 |
18 | Once a secrets engine is disabled, **all secrets generated via the secrets
19 | engine are immediately revoked.**
20 |
21 | ## Examples
22 |
23 | Disable the secrets engine enabled at aws/:
24 |
25 | ```text
26 | $ vault secrets disable aws/
27 | ```
28 |
29 | ## Usage
30 |
31 | There are no flags beyond the [standard set of flags](/docs/commands/index.html)
32 | included on all commands.
33 |
--------------------------------------------------------------------------------
/website/source/docs/commands/secrets/move.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "secrets move - Command"
4 | sidebar_title: "move"
5 | sidebar_current: "docs-commands-secrets-move"
6 | description: |-
7 | The "secrets move" command moves an existing secrets engine to a new path. Any
8 | leases from the old secrets engine are revoked, but all configuration
9 | associated with the engine is preserved.
10 | ---
11 |
12 | # secrets move
13 |
14 | The `secrets move` command moves an existing secrets engine to a new path. Any
15 | leases from the old secrets engine are revoked, but all configuration associated
16 | with the engine is preserved.
17 |
18 | **Moving an existing secrets engine will revoke any leases from the old
19 | engine.**
20 |
21 | ## Examples
22 |
23 | Move the existing secrets engine at secret/ to kv/:
24 |
25 | ```text
26 | $ vault secrets move secret/ kv/
27 | ```
28 |
29 | ## Usage
30 |
31 | There are no flags beyond the [standard set of flags](/docs/commands/index.html)
32 | included on all commands.
33 |
--------------------------------------------------------------------------------
/website/source/docs/commands/secrets/tune.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "secrets tune - Command"
4 | sidebar_title: "tune"
5 | sidebar_current: "docs-commands-secrets-tune"
6 | description: |-
7 | The "secrets tune" command tunes the configuration options for the secrets
8 | engine at the given PATH. The argument corresponds to the PATH where the
9 | secrets engine is enabled, not the TYPE!
10 | ---
11 |
12 | # secrets tune
13 |
14 | The `secrets tune` command tunes the configuration options for the secrets
15 | engine at the given PATH. The argument corresponds to the PATH where the secrets
16 | engine is enabled, not the TYPE!
17 |
18 | ## Examples
19 |
20 | Tune the default lease for the PKI secrets engine:
21 |
22 | ```text
23 | $ vault secrets tune -default-lease-ttl=72h pki/
24 | ```
25 |
26 | ## Usage
27 |
28 | The following flags are available in addition to the [standard set of
29 | flags](/docs/commands/index.html) included on all commands.
30 |
31 | - `-default-lease-ttl` `(duration: "")` - The default lease TTL for this secrets
32 | engine. If unspecified, this defaults to the Vault server's globally
33 | configured default lease TTL, or a previously configured value for the secrets
34 | engine.
35 |
36 | - `-max-lease-ttl` `(duration: "")` - The maximum lease TTL for this secrets
37 | engine. If unspecified, this defaults to the Vault server's globally
38 | configured maximum lease TTL, or a previously configured value for the secrets
39 | engine.
40 |
--------------------------------------------------------------------------------
/website/source/docs/commands/status.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "status - Command"
4 | sidebar_title: "status"
5 | sidebar_current: "docs-commands-status"
6 | description: |-
7 | The "status" command prints the current state of Vault including whether it is
8 | sealed and if HA mode is enabled. This command prints regardless of whether
9 | the Vault is sealed.
10 | ---
11 |
12 | # status
13 |
14 | The `status` command prints the current state of Vault including whether it is
15 | sealed and if HA mode is enabled. This command prints regardless of whether the
16 | Vault is sealed.
17 |
18 | The exit code reflects the seal status:
19 |
20 | - 0 - unsealed
21 | - 1 - error
22 | - 2 - sealed
23 |
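The exit codes above can drive a health check, with one catch: under `set -e` a sealed node (exit 2) aborts the script unless the code is captured. This added example is not part of the Vault documentation; `seal_state`, `check_nodes`, the `fake_vault` stand-in and the example addresses are constructed, and `-address` is Vault's standard address flag.

```shell
#!/bin/sh
# Added example (not from the Vault docs).

# seal_state CMD [ARG...]: run a status command and print the seal state
# implied by its exit code: 0 unsealed, 2 sealed, anything else error.
seal_state() {
    rc=0
    # `|| rc=$?` records the code and keeps a non-zero exit from aborting
    # callers that run with `set -e`.
    "$@" >/dev/null 2>&1 || rc=$?
    case "$rc" in
        0) echo unsealed ;;
        2) echo sealed ;;
        *) echo error ;;
    esac
}

# check_nodes CMD ADDR...: query every address, print "ADDR STATE" per node
# and return non-zero if any node is sealed or could not be queried.
check_nodes() {
    cmd=$1
    shift
    bad=0
    for addr in "$@"; do
        state=$(seal_state "$cmd" status -address="$addr")
        echo "$addr $state"
        [ "$state" = unsealed ] || bad=1
    done
    return "$bad"
}

# Constructed stand-in for the `vault` binary so the example runs offline:
# it answers `status -address=URL` with the exit code a real node would use.
fake_vault() {
    case "$2" in
        -address=https://vault-a.example:8200) return 0 ;;  # unsealed
        -address=https://vault-b.example:8200) return 2 ;;  # sealed
        *) return 1 ;;                                       # error
    esac
}

# Demo with the stand-in. Against real servers, pass `vault` as CMD:
#   check_nodes vault https://vault-a.example:8200 https://vault-b.example:8200
if ! check_nodes fake_vault https://vault-a.example:8200 https://vault-b.example:8200; then
    echo "at least one node is not unsealed"
fi
```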
24 | ## Examples
25 |
26 | Check the status:
27 |
28 | ```text
29 | $ vault status
30 | Sealed: false
31 | Key Shares: 5
32 | Key Threshold: 3
33 | Unseal Progress: 0
34 | Unseal Nonce:
35 | Version: x.y.z
36 | Cluster Name: vault-cluster-49ffd45f
37 | Cluster ID: d2dad792-fb99-1c8d-452e-528d073ba205
38 |
39 | High-Availability Enabled: false
40 | ```
41 |
42 | ## Usage
43 |
44 | The following flags are available in addition to the [standard set of
45 | flags](/docs/commands/index.html) included on all commands.
46 |
47 | ### Output Options
48 |
49 | - `-format` `(string: "table")` - Print the output in the given format. Valid
50 | formats are "table", "json", or "yaml". This can also be specified via the
51 | `VAULT_FORMAT` environment variable.
--------------------------------------------------------------------------------
/website/source/docs/commands/token/capabilities.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "token capabilities - Command"
4 | sidebar_title: "capabilities"
5 | sidebar_current: "docs-commands-token-capabilities"
6 | description: |-
7 | The "token capabilities" command fetches the capabilities of a token for a
8 | given path.
9 | ---
10 |
11 | # token capabilities
12 |
13 | The `token capabilities` command fetches the capabilities of a token for a given
14 | path.
15 |
16 | If a TOKEN is provided as an argument, this command uses the "/sys/capabilities"
17 | endpoint and permission. If no TOKEN is provided, this command uses the
18 | "/sys/capabilities-self" endpoint and permission with the locally authenticated
19 | token.
20 |
21 | ## Examples
22 |
23 | List capabilities for the local token on the "secret/foo" path:
24 |
25 | ```text
26 | $ vault token capabilities secret/foo
27 | read
28 | ```
29 |
30 | List capabilities for a token on the "database/creds/readonly" path:
31 |
32 | ```text
33 | $ vault token capabilities 96ddf4bc-d217-f3ba-f9bd-017055595017 database/creds/readonly
34 | deny
35 | ```
36 |
37 | ## Usage
38 |
39 | The following flags are available in addition to the [standard set of
40 | flags](/docs/commands/index.html) included on all commands.
41 |
42 | ### Output Options
43 |
44 | - `-format` `(string: "table")` - Print the output in the given format. Valid
45 | formats are "table", "json", or "yaml". This can also be specified via the
46 | `VAULT_FORMAT` environment variable.
--------------------------------------------------------------------------------
/website/source/docs/commands/token/index.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "token - Command"
4 | sidebar_title: "token"
5 | sidebar_current: "docs-commands-token"
6 | description: |-
7 | The "token" command groups subcommands for interacting with tokens. Users can
8 | create, lookup, renew, and revoke tokens.
9 | ---
10 |
11 | # token
12 |
13 | The `token` command groups subcommands for interacting with tokens. Users can
14 | create, lookup, renew, and revoke tokens.
15 |
16 | For more information on tokens, please see the [token concepts
17 | page](/docs/concepts/tokens.html).
18 |
19 | ## Examples
20 |
21 | Create a new token:
22 |
23 | ```text
24 | $ vault token create
25 | ```
26 |
27 | Revoke a token:
28 |
29 | ```text
30 | $ vault token revoke 96ddf4bc-d217-f3ba-f9bd-017055595017
31 | ```
32 |
33 | Renew a token:
34 |
35 | ```text
36 | $ vault token renew 96ddf4bc-d217-f3ba-f9bd-017055595017
37 | ```
38 |
39 | ## Usage
40 |
41 | ```text
42 | Usage: vault token listener
"
5 | sidebar_current: "docs-configuration-listener"
6 | description: |-
7 | The listener stanza configures the addresses and ports on which Vault will
8 | respond to requests.
9 | ---
10 |
11 | # `listener` Stanza
12 |
13 | The `listener` stanza configures the addresses and ports on which Vault will
14 | respond to requests. At this time, there is only one listener - [TCP][tcp].
15 |
16 | [tcp]: /docs/configuration/listener/tcp.html
17 |
--------------------------------------------------------------------------------
/website/source/docs/configuration/seal/index.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "Seals - Configuration"
4 | sidebar_title: "seal"
5 | sidebar_current: "docs-configuration-seal"
6 | description: |-
7 | The seal stanza configures the seal type to use for additional data protection.
8 | ---
9 |
10 | # `seal` Stanza
11 |
12 | The `seal` stanza configures the seal type to use for additional data
13 | protection, such as using HSM or Cloud KMS solutions to encrypt and decrypt the
14 | master key. This stanza is optional, and in the case of the master key, Vault
15 | will use the Shamir algorithm to cryptographically split the master key if this
16 | is not configured.
17 |
18 | As of Vault 0.9.0, the seal can also be used for [seal wrapping][sealwrap] to
19 | add an extra layer of protection and satisfy compliance and regulatory requirements.
20 | This feature is only available in Vault Enterprise.
21 |
22 | For more examples, please choose a specific auto unsealing technology from the
23 | sidebar.
24 |
25 | ## Configuration
26 |
27 | Seal configuration can be done through the Vault configuration file using the
28 | `seal` stanza:
29 |
30 | ```hcl
31 | seal [NAME] {
32 | # ...
33 | }
34 | ```
35 |
36 | For example:
37 |
38 | ```hcl
39 | seal "pkcs11" {
40 | # ...
41 | }
42 | ```
43 |
44 | For configuration options which also read an environment variable, the
45 | environment variable will take precedence over values in the configuration file.
46 |
47 | [sealwrap]: /docs/enterprise/sealwrap/index.html
48 |
--------------------------------------------------------------------------------
/website/source/docs/configuration/storage/in-memory.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "In-Memory - Storage Backends - Configuration"
4 | sidebar_title: "In-Memory"
5 | sidebar_current: "docs-configuration-storage-in-memory"
6 | description: |-
7 | The In-Memory storage backend is used to persist Vault's data entirely
8 | in-memory on the same machine in which Vault is running. This is useful for
9 | development and experimentation, but use of this backend is highly discouraged
10 | in production except in very specific use-cases.
11 | ---
12 |
13 | # In-Memory Storage Backend
14 |
15 | The In-Memory storage backend is used to persist Vault's data entirely in-memory
16 | on the same machine in which Vault is running. This is useful for development
17 | and experimentation, but use of this backend is **highly discouraged in
18 | production**. All data is lost when Vault or the machine on which it is running
19 | is restarted.
20 |
21 | - **No High Availability** – the In-Memory backend does not support high
22 | availability.
23 |
24 | - **Not Production Recommended** – the In-Memory backend is not recommended for
25 | production installations as data does not persist beyond restarts.
26 |
27 | - **HashiCorp Supported** – the In-Memory backend is officially supported by
28 | HashiCorp.
29 |
30 | ```hcl
31 | storage "inmem" {}
32 | ```
33 |
34 | ## `inmem` Parameters
35 |
36 | The In-Memory storage backend has no configuration parameters.
37 |
38 | ## `inmem` Examples
39 |
40 | This example shows activating the In-Memory storage backend.
41 |
42 | ```hcl
43 | storage "inmem" {}
44 | ```
45 |
--------------------------------------------------------------------------------
/website/source/docs/configuration/storage/index.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "Storage Backends - Configuration"
4 | sidebar_title: "storage"
5 | sidebar_current: "docs-configuration-storage"
6 | description: |-
7 | The storage stanza configures the storage backend, which represents the
8 | location for the durable storage of Vault's information. Each backend has
9 | pros, cons, advantages, and trade-offs. For example, some backends support
10 | high availability while others provide a more robust backup and restoration
11 | process.
12 | ---
13 |
14 | # `storage` Stanza
15 |
16 | The `storage` stanza configures the storage backend, which represents the
17 | location for the durable storage of Vault's information. Each backend has pros,
18 | cons, advantages, and trade-offs. For example, some backends support high
19 | availability while others provide a more robust backup and restoration process.
20 | For information about a specific backend, choose one from the navigation on the
21 | left.
22 |
23 | ## Configuration
24 |
25 | Storage backend configuration is done through the Vault configuration file using
26 | the `storage` stanza:
27 |
28 | ```hcl
29 | storage [NAME] {
30 | [PARAMETERS...]
31 | }
32 | ```
33 |
34 | For example:
35 |
36 | ```hcl
37 | storage "file" {
38 | path = "/mnt/vault/data"
39 | }
40 | ```
41 |
42 | For configuration options which also read an environment variable, the
43 | environment variable will take precedence over values in the configuration
44 | file.
45 |
--------------------------------------------------------------------------------
/website/source/docs/enterprise/index.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "Vault Enterprise"
4 | sidebar_title: "Vault Enterprise"
5 | sidebar_current: "docs-vault-enterprise"
6 | description: |-
7 | Vault Enterprise features a number of capabilities beyond the open
8 | source offering that may be beneficial in certain workflows.
9 | ---
10 |
11 | # Vault Enterprise
12 |
13 | Vault Enterprise includes a number of features that may be useful in specific
14 | workflows. Please use the sidebar navigation on the left to choose a specific
15 | topic.
16 |
17 | These features are part of [Vault Enterprise](https://www.hashicorp.com/vault.html?utm_source=oss&utm_medium=docs&utm_campaign=vault&_ga=1.201793489.1956619674.1489356624).
18 |
--------------------------------------------------------------------------------
/website/source/docs/enterprise/sealwrap/Vault_Compliance_Letter_signed.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/remilapeyre/vault-acme/c3991e46fd12a129a012dc9d1c0cae46a8431480/website/source/docs/enterprise/sealwrap/Vault_Compliance_Letter_signed.pdf
--------------------------------------------------------------------------------
/website/source/docs/internals/index.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "Internals"
4 | sidebar_title: "Internals"
5 | sidebar_current: "docs-internals"
6 | description: |-
7 | This section covers the internals of Vault and explains technical details of Vault's operation.
8 | ---
9 |
10 | # Vault Internals
11 |
12 | This section covers the internals of Vault and explains the technical
13 | details of how Vault functions, its architecture and security properties.
14 |
15 | -> **Note:** Knowledge of Vault internals is not
16 | required to use Vault. If you aren't interested in the internals
17 | of Vault, you may safely skip this section. If you're operating Vault,
18 | we recommend understanding the internals.
19 |
--------------------------------------------------------------------------------
/website/source/docs/platform/index.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "Platforms"
4 | sidebar_title: "Platforms"
5 | sidebar_current: "docs-platform"
6 | description: |-
7 | This section covers running Vault on various platforms (such as Kubernetes).
8 | ---
9 |
10 | # Platforms
11 |
12 | This section covers running Vault on various platforms (such as Kubernetes) and
13 | explains architecture, configuration, installation and security considerations.
14 |
--------------------------------------------------------------------------------
/website/source/docs/secrets/acme/sidecar.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "ACME - Secrets Engines"
4 | sidebar_title: "ACME Sidecar"
5 | sidebar_current: "docs-secrets-acme-sidecar"
6 | description: |-
7 | The ACME sidecar responds to the HTTP-01 and TLS-ALPN-01 challenges.
8 | ---
9 |
10 | # ACME Sidecar
11 |
12 | While the Vault ACME secrets backend can natively solve the DNS-01 challenge when
13 | requesting certificates, a sidecar is needed to solve both the HTTP-01 and the
14 | TLS-ALPN-01 challenges.
15 |
16 | ## Operation
17 |
18 | 
19 |
--------------------------------------------------------------------------------
/website/source/docs/secrets/ssh/index.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "SSH - Secrets Engines"
4 | sidebar_title: "SSH"
5 | sidebar_current: "docs-secrets-ssh"
6 | description: |-
7 | The Vault SSH secrets engine provides secure authentication and authorization
8 | for access to machines via the SSH protocol. There are multiple modes to the
9 | Vault SSH secrets engine including signed SSH certificates, dynamic SSH keys,
10 | and one-time passwords.
11 | ---
12 |
13 | # SSH Secrets Engine
14 |
15 | Name: `ssh`
16 |
17 | The Vault SSH secrets engine provides secure authentication and authorization
18 | for access to machines via the SSH protocol. The Vault SSH secrets engine helps
19 | manage access to machine infrastructure, providing several ways to issue SSH
20 | credentials.
21 |
22 | The Vault SSH secrets engine supports the following modes. Each mode is
23 | individually documented on its own page.
24 |
25 | - [Signed SSH Certificates](/docs/secrets/ssh/signed-ssh-certificates.html)
26 | - [One-time SSH Passwords](/docs/secrets/ssh/one-time-ssh-passwords.html)
27 | - [Dynamic SSH Keys](/docs/secrets/ssh/dynamic-ssh-keys.html) DEPRECATED
28 |
29 | All guides assume a basic familiarity with the SSH protocol.
30 |
31 | ## API
32 |
33 | The SSH secrets engine has a full HTTP API. Please see the
34 | [SSH secrets engine API](/api/secret/ssh/index.html) for more
35 | details.
36 |
--------------------------------------------------------------------------------
/website/source/docs/upgrading/upgrade-to-0.10.2.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "Upgrading to Vault 0.10.2 - Guides"
4 | sidebar_title: "Upgrade to 0.10.2"
5 | sidebar_current: "docs-upgrading-to-0.10.2"
6 | description: |-
7 | This page contains the list of deprecations and important or breaking changes
8 | for Vault 0.10.2. Please read it carefully.
9 | ---
10 |
11 | # Overview
12 |
13 | This page contains the list of deprecations and important or breaking changes
14 | for Vault 0.10.2 compared to 0.10.1. Please read it carefully.
15 |
16 | ### Convergent Encryption version 3
17 |
18 | If you are using `transit`'s convergent encryption feature, which prior to this
19 | release was at version 2, we recommend
20 | [rotating](https://www.vaultproject.io/api/secret/transit/index.html#rotate-key)
21 | your encryption key (the new key will use version 3) and
22 | [rewrapping](https://www.vaultproject.io/api/secret/transit/index.html#rewrap-data)
23 | your data to mitigate the chance of offline plaintext-confirmation attacks.
24 |
25 | ### PKI duration return types
26 |
27 | The PKI backend now returns durations (e.g. when reading a role) as an integer
28 | number of seconds instead of a Go-style string.
29 |
--------------------------------------------------------------------------------
/website/source/docs/upgrading/upgrade-to-0.10.4.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "Upgrading to Vault 0.10.4 - Guides"
4 | sidebar_title: "Upgrade to 0.10.4"
5 | sidebar_current: "docs-upgrading-to-0.10.4"
6 | description: |-
7 | This page contains the list of deprecations and important or breaking changes
8 | for Vault 0.10.4. Please read it carefully.
9 | ---
10 |
11 | # Overview
12 |
13 | This page contains the list of deprecations and important or breaking changes
14 | for Vault 0.10.4 compared to 0.10.3. Please read it carefully.
15 |
16 | ### Revocations of dynamic secrets leases now asynchronous
17 |
18 | Dynamic secret lease revocations are now queued/asynchronous rather
19 | than synchronous. This allows Vault to take responsibility for revocation
20 | even if the initial attempt fails. The previous synchronous behavior can be
21 | attained via the `-sync` CLI flag or `sync` API parameter. When in
22 | synchronous mode, if the operation results in failure it is up to the user
23 | to retry.
24 |
25 | ### CLI Retries
26 |
27 | The CLI will no longer retry commands on 5xx errors. This was a
28 | source of confusion to users as to why Vault would "hang" before returning a
29 | 5xx error. The Go API client still defaults to two retries.
30 |
31 | ### Identity Entity Alias metadata
32 |
33 | You can no longer manually set metadata on
34 | entity aliases. All alias data (except the canonical entity ID it refers to)
35 | is intended to be managed by the plugin providing the alias information, so
36 | allowing it to be set manually didn't make sense.
37 |
--------------------------------------------------------------------------------
/website/source/docs/upgrading/upgrade-to-0.11.2.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "Upgrading to Vault 0.11.2 - Guides"
4 | sidebar_title: "Upgrade to 0.11.2"
5 | sidebar_current: "docs-upgrading-to-0.11.2"
6 | description: |-
7 | This page contains the list of deprecations and important or breaking changes
8 | for Vault 0.11.2. Please read it carefully.
9 | ---
10 |
11 | # Overview
12 |
13 | This page contains the list of deprecations and important or breaking changes
14 | for Vault 0.11.2 compared to 0.11.1. Please read it carefully.
15 |
16 | ### `sys/seal-status` Behavior Change
17 |
18 | The `sys/seal-status` endpoint now includes an `initialized` boolean in the
19 | output. If Vault is not initialized, it will return a 200 with this value
20 | set to false instead of a 400.
21 |
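A health probe written against the older behaviour reads a 200 from `sys/seal-status` as "initialized", which is no longer safe. The following is an added example (not code from the Vault project) that classifies a reply from a server on either side of 0.11.2; the sample bodies are constructed, and treating any 400 as "uninitialized" is this example's model of the old behaviour.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// SealState is the probe's view of the server (names are this example's own).
type SealState string

const (
	Uninitialized SealState = "uninitialized"
	Sealed        SealState = "sealed"
	Unsealed      SealState = "unsealed"
)

// classifySealStatus interprets the HTTP status and body of a sys/seal-status
// reply. It fails closed: anything it cannot interpret is an error, never "unsealed".
func classifySealStatus(httpStatus int, body []byte) (SealState, error) {
	switch httpStatus {
	case 400:
		// Before 0.11.2 an uninitialized server answered 400 (assumed model).
		return Uninitialized, nil
	case 200:
		var r struct {
			Initialized *bool `json:"initialized"`
			Sealed      *bool `json:"sealed"`
		}
		if err := json.Unmarshal(body, &r); err != nil {
			return "", fmt.Errorf("seal-status body is not JSON: %w", err)
		}
		if r.Sealed == nil {
			return "", errors.New("seal-status body has no sealed field")
		}
		// From 0.11.2 on, "initialized": false arrives with a 200.
		// A missing field means an older server, which only sends 200 once initialized.
		if r.Initialized != nil && !*r.Initialized {
			return Uninitialized, nil
		}
		if *r.Sealed {
			return Sealed, nil
		}
		return Unsealed, nil
	default:
		return "", fmt.Errorf("unexpected HTTP status %d", httpStatus)
	}
}

func main() {
	// Constructed sample replies, not captured from a real server.
	samples := []struct {
		status int
		body   string
	}{
		{400, `{"errors":["server is not yet initialized"]}`},
		{200, `{"initialized":false,"sealed":true}`},
		{200, `{"sealed":true}`},
		{200, `{"initialized":true,"sealed":false}`},
	}
	for _, s := range samples {
		state, err := classifySealStatus(s.status, []byte(s.body))
		fmt.Println(s.status, s.body, "->", state, err)
	}
}
```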
22 | ### Mount Config Passthrough Headers
23 |
24 | The mount config option for `passthrough_request_headers` will now deny
25 | certain headers from being provided to backends based on a global denylist.
26 |
--------------------------------------------------------------------------------
/website/source/docs/upgrading/upgrade-to-0.11.6.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "Upgrading to Vault 0.11.6 - Guides"
4 | sidebar_title: "Upgrade to 0.11.6"
5 | sidebar_current: "docs-upgrading-to-0.11.6"
6 | description: |-
7 | This page contains the list of deprecations and important or breaking changes
8 | for Vault 0.11.6. Please read it carefully.
9 | ---
10 |
11 | # Overview
12 |
13 | This page contains the list of deprecations and important or breaking changes
14 | for Vault 0.11.6 compared to 0.11.5. Please read it carefully.
15 |
16 | ### Database Secret Engine Role Reads
17 |
18 | On role read, empty statements will be returned as empty
19 | slices instead of potentially being returned as JSON null values. This makes it
20 | more in line with other parts of Vault and makes it easier for statically typed
21 | languages to interpret the values.
22 |
--------------------------------------------------------------------------------
/website/source/docs/upgrading/upgrade-to-0.9.3.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "Upgrading to Vault 0.9.3 - Guides"
4 | sidebar_title: "Upgrade to 0.9.3"
5 | sidebar_current: "docs-upgrading-to-0.9.3"
6 | description: |-
7 | This page contains the list of deprecations and important or breaking changes
8 | for Vault 0.9.3. Please read it carefully.
9 | ---
10 |
11 | # Overview
12 |
13 | Due to a rapid release following 0.9.2, there are no version-specific upgrade
14 | instructions although any upgrade notices for 0.9.2 apply if you are coming
15 | from a previous version.
16 |
17 | Please see the [0.9.2 upgrade guide](/guides/upgrading/upgrade-to-0.9.2.html) for notes on upgrading to 0.9.3.
18 |
--------------------------------------------------------------------------------
/website/source/docs/upgrading/upgrade-to-0.9.6.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "Upgrading to Vault 0.9.6 - Guides"
4 | sidebar_title: "Upgrade to 0.9.6"
5 | sidebar_current: "docs-upgrading-to-0.9.6"
6 | description: |-
7 | This page contains the list of deprecations and important or breaking changes
8 | for Vault 0.9.6. Please read it carefully.
9 | ---
10 |
11 | # Overview
12 |
13 | This page contains the list of deprecations and important or breaking changes
14 | for Vault 0.9.6 compared to 0.9.5. Please read it carefully.
15 |
16 | ### Change to AWS Role Output
17 |
18 | The AWS authentication backend now allows binds for inputs as either a
19 | comma-delimited string or a string array. However, to keep consistency with
20 | input and output, when reading a role the binds will now be returned as string
21 | arrays rather than strings.
22 |
23 | ### Change to AWS IAM Auth ARN Prefix Matching
24 |
25 | In order to prefix-match IAM role and instance profile ARNs in AWS auth
26 | backend, you now must explicitly opt-in by adding a `*` to the end of the ARN.
27 | Existing configurations will be upgraded automatically, but when writing a new
28 | role configuration the updated behavior will be used.
29 |
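Both 0.9.6 changes affect tooling that reads or audits AWS auth roles. The following is an added example (not code from the Vault project) that normalises a bind value in either output shape and models the explicit trailing-`*` rule, so that automatically upgraded wildcard binds can be listed for review. The ARNs are constructed sample values.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// parseBinds normalises a bind field that is either one comma-delimited string
// (role output before 0.9.6) or a string array (role output from 0.9.6 on).
func parseBinds(raw []byte) ([]string, error) {
	if len(raw) == 0 {
		return nil, nil
	}
	var list []string
	if err := json.Unmarshal(raw, &list); err == nil {
		return list, nil
	}
	var s string
	if err := json.Unmarshal(raw, &s); err != nil {
		return nil, fmt.Errorf("bind is neither a string nor a string array: %w", err)
	}
	var out []string
	for _, part := range strings.Split(s, ",") {
		if p := strings.TrimSpace(part); p != "" {
			out = append(out, p)
		}
	}
	return out, nil
}

// arnAllowed models the 0.9.6 rule as the page states it: a bound ARN must
// equal the caller's ARN unless it ends in "*", which opts in to prefix matching.
func arnAllowed(bounds []string, actual string) bool {
	for _, b := range bounds {
		if strings.HasSuffix(b, "*") {
			if strings.HasPrefix(actual, strings.TrimSuffix(b, "*")) {
				return true
			}
		} else if b == actual {
			return true
		}
	}
	return false
}

// wildcardBinds lists the binds that opt in to prefix matching. After the
// automatic upgrade these are the entries worth reviewing for over-broad scope.
func wildcardBinds(bounds []string) []string {
	var out []string
	for _, b := range bounds {
		if strings.HasSuffix(b, "*") {
			out = append(out, b)
		}
	}
	return out
}

// Constructed sample bind values: the old string shape and the new array shape.
const oldShape = `"arn:aws:iam::123456789012:role/app*, arn:aws:iam::123456789012:role/db"`
const newShape = `["arn:aws:iam::123456789012:role/app"]`

func main() {
	callers := []string{
		"arn:aws:iam::123456789012:role/app",
		"arn:aws:iam::123456789012:role/app-admin",
	}
	for _, raw := range []string{oldShape, newShape} {
		binds, err := parseBinds([]byte(raw))
		if err != nil {
			panic(err)
		}
		fmt.Println("binds:", binds, "wildcards:", wildcardBinds(binds))
		for _, arn := range callers {
			fmt.Printf("  %s allowed=%v\n", arn, arnAllowed(binds, arn))
		}
	}
}
```

With the exact bind, `role/app-admin` no longer matches a role bound to `role/app`; the upgraded `role/app*` bind still admits it.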
--------------------------------------------------------------------------------
/website/source/docs/upgrading/upgrade-to-1.1.0.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "Upgrading to Vault 1.1.0 - Guides"
4 | sidebar_title: "Upgrade to 1.1.0"
5 | sidebar_current: "docs-upgrading-to-1.1.0"
6 | description: |-
7 | This page contains the list of deprecations and important or breaking changes
8 | for Vault 1.1.0. Please read it carefully.
9 | ---
10 |
11 | # Overview
12 |
13 | This page contains the list of deprecations and important or breaking changes
14 | for Vault 1.0.3 compared to 1.1.0. Please read it carefully.
15 |
16 | ## JWT Backend Changes
17 |
18 | Specifying the group claims parameter has changed to use a standards based lookup. The groups_claim_delimiter_pattern
19 | has been removed and if the groups claim is not at the top level, it can now be specified as a JSONPointer.
20 |
21 | Additionally, roles now have a "role type" parameter with a default type of "oidc". To configure new JWT roles, a role
22 | type of "jwt" must be explicitly specified.
23 |
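Because group claims drive which policies a login receives, it helps to see how a nested groups claim is selected. The following is an added example (not the JWT plugin's own code) that resolves a groups claim given either a top-level name or an RFC 6901 JSON Pointer and fails closed on anything that is not a list of strings; the claims document and the `groupsFromClaims` helper are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// resolvePointer walks an RFC 6901 JSON Pointer through decoded JSON.
func resolvePointer(doc interface{}, pointer string) (interface{}, error) {
	if pointer == "" {
		return doc, nil
	}
	if !strings.HasPrefix(pointer, "/") {
		return nil, errors.New("JSON Pointer must be empty or start with /")
	}
	cur := doc
	for _, tok := range strings.Split(pointer[1:], "/") {
		// Unescape in the order the RFC requires: ~1 first, then ~0.
		tok = strings.ReplaceAll(strings.ReplaceAll(tok, "~1", "/"), "~0", "~")
		switch node := cur.(type) {
		case map[string]interface{}:
			next, ok := node[tok]
			if !ok {
				return nil, fmt.Errorf("no member %q", tok)
			}
			cur = next
		case []interface{}:
			i, err := strconv.Atoi(tok)
			if err != nil || i < 0 || i >= len(node) || strconv.Itoa(i) != tok {
				return nil, fmt.Errorf("bad array index %q", tok)
			}
			cur = node[i]
		default:
			return nil, fmt.Errorf("cannot descend into a scalar at %q", tok)
		}
	}
	return cur, nil
}

// groupsFromClaims (hypothetical helper) treats groupsClaim as a JSON Pointer
// when it starts with "/" and as a top-level claim name otherwise.
func groupsFromClaims(claimsJSON []byte, groupsClaim string) ([]string, error) {
	var claims map[string]interface{}
	if err := json.Unmarshal(claimsJSON, &claims); err != nil {
		return nil, fmt.Errorf("claims are not a JSON object: %w", err)
	}
	var val interface{}
	if strings.HasPrefix(groupsClaim, "/") {
		v, err := resolvePointer(claims, groupsClaim)
		if err != nil {
			return nil, err
		}
		val = v
	} else {
		v, ok := claims[groupsClaim]
		if !ok {
			return nil, fmt.Errorf("claim %q not present", groupsClaim)
		}
		val = v
	}
	items, ok := val.([]interface{})
	if !ok {
		return nil, errors.New("groups claim is not a list")
	}
	groups := make([]string, 0, len(items))
	for _, it := range items {
		s, ok := it.(string)
		if !ok {
			return nil, errors.New("groups claim contains a non-string entry")
		}
		groups = append(groups, s)
	}
	return groups, nil
}

// Constructed claims: the real group list is nested under a namespaced claim.
const sampleClaims = `{"sub":"alice","groups":"not-a-list",
 "https://idp.example/claims":{"groups":["ops","dev"]}}`

func main() {
	for _, c := range []string{"/https:~1~1idp.example~1claims/groups", "groups", "/missing/groups"} {
		g, err := groupsFromClaims([]byte(sampleClaims), c)
		fmt.Printf("%-40s -> %v (err: %v)\n", c, g, err)
	}
}
```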
24 | ## Deprecated CLI Commands Removed
25 |
26 | CLI commands deprecated in 0.9.2 are now removed. Please see the CLI help output for updated commands.
27 |
28 | ## Additional Changes
29 |
30 | * Vault no longer automatically mounts a k/v backend at the "secret/" path when initializing Vault.
31 | * Vault's cluster port will now be opened on HA standby nodes.
32 | * Vault no longer supports running netRPC plugins. These were deprecated in favor of gRPC based plugins and any plugin built since 0.9.4 defaults to gRPC. Older plugins may need to be recompiled against the latest Vault dependencies.
--------------------------------------------------------------------------------
/website/source/docs/upgrading/upgrade-to-1.2.1.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "Upgrading to Vault 1.2.1 - Guides"
4 | sidebar_title: "Upgrade to 1.2.1"
5 | sidebar_current: "docs-upgrading-to-1.2.1"
6 | description: |-
7 | This page contains the list of deprecations and important or breaking changes
8 | for Vault 1.2.1. Please read it carefully.
9 | ---
10 |
11 | # Overview
12 |
13 | This page contains the list of deprecations and important or breaking changes
14 | for Vault 1.2.1 compared to 1.2.0. Please read it carefully.
15 |
16 | ## Known Issues
17 |
18 | ### AppRole Upgrade Issue
19 |
20 | Vault 1.2.1 contains a known issue where an existing AppRole role
21 | may not be read or updated under a specific scenario. The role in
22 | question needs to have been created before Vault 1.0.0, and then updated
23 | between 1.0.0 and 1.1.5. If using AppRole, do not upgrade until
24 | this issue is fixed in 1.2.2.
--------------------------------------------------------------------------------
/website/source/docs/vs/custom.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "Vault vs. Custom Solutions"
4 | sidebar_title: "Custom Solutions"
5 | sidebar_current: "vs-other-custom"
6 | description: |-
7 | Comparison between Vault and writing a custom solution.
8 | ---
9 |
10 | # Vault vs. Custom Solutions
11 |
12 | Many organizations resort to custom solutions for storing secrets,
13 | whether that be Dropbox, encrypted disk images, encrypted SQL columns,
14 | etc.
15 |
16 | These systems require time and resources to build and maintain.
17 | Storing secrets is also an incredibly important piece of infrastructure
18 | that must be done correctly. This increases the pressure to maintain
19 | the internal systems.
20 |
21 | Vault is designed for secret storage. It provides a simple interface
22 | on top of a strong security model to meet your secret storage needs.
23 |
24 | Furthermore, Vault is an open source tool. This means that the tool is
25 | as good as the entire community working together to improve it. This
26 | isn't just features and bug fixes, but finding potential security holes.
27 | Additionally, since it is open source, your own security teams can
28 | review and contribute to Vault and verify it meets your standards
29 | for security.
30 |
--------------------------------------------------------------------------------
/website/source/docs/vs/dropbox.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "Vault vs. Dropbox"
4 | sidebar_title: "Dropbox"
5 | sidebar_current: "vs-other-dropbox"
6 | description: |-
7 | Comparison between Vault and attempting to store secrets with Dropbox.
8 | ---
9 |
10 | # Vault vs. Dropbox
11 |
12 | It is an unfortunate truth that many organizations, big and small, often use Dropbox as a mechanism for storing secrets. It is so common that we've decided to make a special section for it instead of throwing it under the "custom solutions" header.
13 |
14 | Dropbox is not made for storing secrets. Even if you're using something such as an encrypted disk image within Dropbox, it is subpar versus a real secret storage server.
15 |
16 | A real secret management tool such as Vault has a stronger security model, integrates with many different authentication services, stores audit logs, can generate dynamic secrets, and more.
17 |
18 | And, due to the `vault` CLI, using `vault` on a developer machine is simple!
19 |
--------------------------------------------------------------------------------
/website/source/docs/vs/index.html.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "docs"
3 | page_title: "Vault vs. Other Software"
4 | sidebar_title: "Vault vs. Other Software"
5 | sidebar_current: "vs-other"
6 | description: |-
7 | Comparisons between Vault and other software that claim to store secrets in some capacity.
8 | ---
9 |
10 | # Vault vs. Other Software
11 |
12 | There are a number of other options in the market currently that claim
13 | to store secrets in some capacity. This section compares Vault to these
14 | other software choices.
15 |
16 | Due to the bias of the comparisons being on the Vault website, we attempt
17 | to only use facts. If you find something that is invalid or out of date
18 | in the comparisons, please
19 | [open an issue](https://github.com/hashicorp/vault/issues) and we'll
20 | address it as soon as possible.
21 |
22 | Use the navigation on the left to read comparisons of Vault versus other
23 | systems.
24 |
--------------------------------------------------------------------------------
/website/source/downloads.html.erb:
--------------------------------------------------------------------------------
1 | ---
2 | layout: "inner"
3 | page_title: "Download Vault"
4 | description: |-
5 | Download Vault
6 | ---
7 |
8 |
11 | We understand that many users place a high level of trust in HashiCorp and
12 | the tools we build. We apply best practices and focus on security to make
13 | sure we can maintain the trust of the community.
14 |
15 |
16 | We deeply appreciate any effort to disclose vulnerabilities responsibly.
17 |
18 |
19 | If you would like to report a vulnerability, please see the
20 | HashiCorp security page,
21 | which has the proper email to communicate with as well as our PGP key.
22 |
23 |
24 | If you aren't reporting a security sensitive vulnerability, please
25 | open an issue on the standard GitHub
26 | repository.
27 |
28 |
--------------------------------------------------------------------------------
/website/source/sitemap.xml.builder:
--------------------------------------------------------------------------------
1 | ---
2 | layout: false
3 | ---
4 |
5 | xml.instruct!
6 | xml.urlset 'xmlns' => "http://www.sitemaps.org/schemas/sitemap/0.9" do
7 |   sitemap
8 |     .resources
9 |     .select { |page| page.path =~ /\.html/ }
10 |     .select { |page| !page.data.noindex }
11 |     .each do |page|
12 |       xml.url do
13 |         xml.loc File.join(config[:base_url], page.url)
14 |         xml.lastmod Date.today.to_time.iso8601
15 |         xml.changefreq page.data.changefreq || "monthly"
16 |         xml.priority page.data.priority || "0.5"
17 |       end
18 |     end
19 | end
20 |
--------------------------------------------------------------------------------