2017-03-15 06:40:33 +00:00
|
|
|
|
---
|
2017-03-17 18:06:03 +00:00
|
|
|
|
layout: "api"
|
2017-03-15 06:40:33 +00:00
|
|
|
|
page_title: "/sys/auth - HTTP API"
|
2018-10-29 19:58:37 +00:00
|
|
|
|
sidebar_title: "<code>/sys/auth</code>"
|
New Docs Website (#5535)
* conversion stage 1
* correct image paths
* add sidebar title to frontmatter
* docs/concepts and docs/internals
* configuration docs and multi-level nav corrections
* commands docs, index file corrections, small item nav correction
* secrets converted
* auth
* add enterprise and agent docs
* add extra dividers
* secret section, wip
* correct sidebar nav title in front matter for apu section, start working on api items
* auth and backend, a couple directory structure fixes
* remove old docs
* intro side nav converted
* reset sidebar styles, add hashi-global-styles
* basic styling for nav sidebar
* folder collapse functionality
* patch up border length on last list item
* wip restructure for content component
* taking middleman hacking to the extreme, but its working
* small css fix
* add new mega nav
* fix a small mistake from the rebase
* fix a content resolution issue with middleman
* title a couple missing docs pages
* update deps, remove temporary markup
* community page
* footer to layout, community page css adjustments
* wip downloads page
* deps updated, downloads page ready
* fix community page
* homepage progress
* add components, adjust spacing
* docs and api landing pages
* a bunch of fixes, add docs and api landing pages
* update deps, add deploy scripts
* add readme note
* update deploy command
* overview page, index title
* Update doc fields
Note this still requires the link fields to be populated -- this is solely related to copy on the description fields
* Update api_basic_categories.yml
Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages.
* Add bottom hero, adjust CSS, responsive friendly
* Add mega nav title
* homepage adjustments, asset boosts
* small fixes
* docs page styling fixes
* meganav title
* some category link corrections
* Update API categories page
updated to reflect the second level headings for api categories
* Update docs_detailed_categories.yml
Updated to represent the existing docs structure
* Update docs_detailed_categories.yml
* docs page data fix, extra operator page remove
* api data fix
* fix makefile
* update deps, add product subnav to docs and api landing pages
* Rearrange non-hands-on guides to _docs_
Since there is no place for these on learn.hashicorp, we'll put them
under _docs_.
* WIP Redirects for guides to docs
* content and component updates
* font weight hotfix, redirects
* fix guides and intro sidenavs
* fix some redirects
* small style tweaks
* Redirects to learn and internally to docs
* Remove redirect to `/vault`
* Remove `.html` from destination on redirects
* fix incorrect index redirect
* final touchups
* address feedback from michell for makefile and product downloads
2018-10-19 15:40:11 +00:00
|
|
|
|
sidebar_current: "api-http-system-auth"
|
2017-03-15 06:40:33 +00:00
|
|
|
|
description: |-
|
2017-09-13 01:48:52 +00:00
|
|
|
|
The `/sys/auth` endpoint is used to manage auth methods in Vault.
|
2017-03-15 06:40:33 +00:00
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
# `/sys/auth`
|
|
|
|
|
|
|
|
|
|
The `/sys/auth` endpoint is used to list, create, update, and delete auth
|
2017-09-13 01:48:52 +00:00
|
|
|
|
methods. Auth methods convert user or machine-supplied information into a
|
2017-03-15 06:40:33 +00:00
|
|
|
|
token which can be used for all future requests.
|
|
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
|
## List Auth Methods
|
2017-03-15 06:40:33 +00:00
|
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
|
This endpoint lists all enabled auth methods.
|
2017-03-15 06:40:33 +00:00
|
|
|
|
|
|
|
|
|
| Method | Path | Produces |
|
|
|
|
|
| :------- | :--------------------------- | :--------------------- |
|
|
|
|
|
| `GET` | `/sys/auth` | `200 application/json` |
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/sys/auth
|
2017-03-15 06:40:33 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"github/": {
|
|
|
|
|
"type": "github",
|
|
|
|
|
"description": "GitHub auth"
|
|
|
|
|
},
|
|
|
|
|
"token/": {
|
|
|
|
|
"config": {
|
|
|
|
|
"default_lease_ttl": 0,
|
|
|
|
|
"max_lease_ttl": 0
|
|
|
|
|
},
|
|
|
|
|
"description": "token based credentials",
|
|
|
|
|
"type": "token"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
2017-09-21 21:14:40 +00:00
|
|
|
|
## Enable Auth Method
|
2017-03-15 06:40:33 +00:00
|
|
|
|
|
2017-09-21 21:14:40 +00:00
|
|
|
|
This endpoint enables a new auth method. After enabling, the auth method can
|
2017-03-15 06:40:33 +00:00
|
|
|
|
be accessed and configured via the auth path specified as part of the URL. This
|
|
|
|
|
auth path will be nested under the `auth` prefix.
|
|
|
|
|
|
2017-09-21 21:14:40 +00:00
|
|
|
|
For example, enable the "foo" auth method will make it accessible at
|
2017-03-15 06:40:33 +00:00
|
|
|
|
`/auth/foo`.
|
|
|
|
|
|
|
|
|
|
- **`sudo` required** – This endpoint requires `sudo` capability in addition to
|
|
|
|
|
any path-specific capabilities.
|
|
|
|
|
|
|
|
|
|
| Method | Path | Produces |
|
|
|
|
|
| :------- | :--------------------------- | :--------------------- |
|
|
|
|
|
| `POST` | `/sys/auth/:path` | `204 (empty body)` |
|
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
2017-09-21 21:14:40 +00:00
|
|
|
|
- `path` `(string: <required>)` – Specifies the path in which to enable the auth
|
2017-09-13 01:48:52 +00:00
|
|
|
|
method. This is part of the request URL.
|
2017-03-15 06:40:33 +00:00
|
|
|
|
|
|
|
|
|
- `description` `(string: "")` – Specifies a human-friendly description of the
|
2017-09-13 01:48:52 +00:00
|
|
|
|
auth method.
|
2017-03-15 06:40:33 +00:00
|
|
|
|
|
|
|
|
|
- `type` `(string: <required>)` – Specifies the name of the authentication
|
2017-09-13 01:48:52 +00:00
|
|
|
|
method type, such as "github" or "token".
|
2017-03-15 06:40:33 +00:00
|
|
|
|
|
2017-08-31 16:16:59 +00:00
|
|
|
|
- `config` `(map<string|string>: nil)` – Specifies configuration options for
|
2017-09-21 21:14:40 +00:00
|
|
|
|
this auth method. These are the possible values:
|
2017-08-31 16:16:59 +00:00
|
|
|
|
|
2018-03-09 19:32:28 +00:00
|
|
|
|
- `default_lease_ttl` `(string: "")` - The default lease duration, specified
|
|
|
|
|
as a string duration like "5s" or "30m".
|
|
|
|
|
|
|
|
|
|
- `max_lease_ttl` `(string: "")` - The maximum lease duration, specified as a
|
|
|
|
|
string duration like "5s" or "30m".
|
|
|
|
|
|
|
|
|
|
- `audit_non_hmac_request_keys` `(array: [])` - Comma-separated list of keys
|
|
|
|
|
that will not be HMAC'd by audit devices in the request data object.
|
|
|
|
|
|
|
|
|
|
- `audit_non_hmac_response_keys` `(array: [])` - Comma-separated list of keys
|
|
|
|
|
that will not be HMAC'd by audit devices in the response data object.
|
2017-08-31 16:16:59 +00:00
|
|
|
|
|
2018-11-30 22:32:04 +00:00
|
|
|
|
- `listing_visibility` `(string: "")` - Specifies whether to show this mount
|
2018-03-21 23:56:47 +00:00
|
|
|
|
in the UI-specific listing endpoint.
|
|
|
|
|
|
|
|
|
|
- `passthrough_request_headers` `(array: [])` - Comma-separated list of headers
|
|
|
|
|
to whitelist and pass from the request to the backend.
|
|
|
|
|
|
2017-08-16 16:36:46 +00:00
|
|
|
|
Additionally, the following options are allowed in Vault open-source, but
|
2017-04-28 18:33:27 +00:00
|
|
|
|
relevant functionality is only supported in Vault Enterprise:
|
|
|
|
|
|
2018-11-06 19:51:57 +00:00
|
|
|
|
- `local` `(bool: false)` – Specifies if the auth method is local only. Local
|
2017-09-21 21:14:40 +00:00
|
|
|
|
auth methods are not replicated nor (if a secondary) removed by replication.
|
2017-04-28 18:33:27 +00:00
|
|
|
|
|
2018-11-06 19:51:57 +00:00
|
|
|
|
~> ** Warning:** Remember, policies when using replication secondaries are
|
|
|
|
|
validated by the local cluster. An administrator that can set up a local auth
|
|
|
|
|
method mount can assign policies to tokens that are valid on the replication
|
|
|
|
|
primary if a request is forwarded. Never give untrusted administrators the
|
|
|
|
|
ability to assign policies or configure authentication methods.
|
|
|
|
|
|
2017-03-15 06:40:33 +00:00
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"type": "github",
|
|
|
|
|
"description": "Login with GitHub"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/sys/auth/my-auth
|
2017-03-15 06:40:33 +00:00
|
|
|
|
```
|
|
|
|
|
|
2017-09-21 21:14:40 +00:00
|
|
|
|
## Disable Auth Method
|
2017-03-15 06:40:33 +00:00
|
|
|
|
|
2017-09-21 21:14:40 +00:00
|
|
|
|
This endpoint disables the auth method at the given auth path.
|
2017-03-15 06:40:33 +00:00
|
|
|
|
|
|
|
|
|
- **`sudo` required** – This endpoint requires `sudo` capability in addition to
|
|
|
|
|
any path-specific capabilities.
|
|
|
|
|
|
|
|
|
|
| Method | Path | Produces |
|
|
|
|
|
| :------- | :--------------------------- | :--------------------- |
|
|
|
|
|
| `DELETE` | `/sys/auth/:path` | `204 (empty body)` |
|
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
2017-09-21 21:14:40 +00:00
|
|
|
|
- `path` `(string: <required>)` – Specifies the path to disable. This is part of
|
2017-03-15 06:40:33 +00:00
|
|
|
|
the request URL.
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request DELETE \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/sys/auth/my-auth
|
2017-03-15 06:40:33 +00:00
|
|
|
|
```
|
|
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
|
## Read Auth Method Tuning
|
2017-03-15 06:40:33 +00:00
|
|
|
|
|
|
|
|
|
This endpoint reads the given auth path's configuration. _This endpoint requires
|
|
|
|
|
`sudo` capability on the final path, but the same functionality can be achieved
|
|
|
|
|
without `sudo` via `sys/mounts/auth/[auth-path]/tune`._
|
|
|
|
|
|
|
|
|
|
- **`sudo` required** – This endpoint requires `sudo` capability in addition to
|
|
|
|
|
any path-specific capabilities.
|
|
|
|
|
|
|
|
|
|
| Method | Path | Produces |
|
|
|
|
|
| :------- | :--------------------------- | :--------------------- |
|
|
|
|
|
| `GET` | `/sys/auth/:path/tune` | `200 application/json` |
|
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `path` `(string: <required>)` – Specifies the path in which to tune.
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/sys/auth/my-auth/tune
|
2017-03-15 06:40:33 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"default_lease_ttl": 3600,
|
|
|
|
|
"max_lease_ttl": 7200
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
|
## Tune Auth Method
|
2017-03-15 06:40:33 +00:00
|
|
|
|
|
|
|
|
|
Tune configuration parameters for a given auth path. _This endpoint
|
|
|
|
|
requires `sudo` capability on the final path, but the same functionality
|
|
|
|
|
can be achieved without `sudo` via `sys/mounts/auth/[auth-path]/tune`._
|
|
|
|
|
|
|
|
|
|
- **`sudo` required** – This endpoint requires `sudo` capability in addition to
|
|
|
|
|
any path-specific capabilities.
|
|
|
|
|
|
|
|
|
|
| Method | Path | Produces |
|
|
|
|
|
| :------- | :--------------------------- | :--------------------- |
|
|
|
|
|
| `POST` | `/sys/auth/:path/tune` | `204 (empty body)` |
|
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `default_lease_ttl` `(int: 0)` – Specifies the default time-to-live. If set on
|
|
|
|
|
a specific auth path, this overrides the global default.
|
|
|
|
|
|
|
|
|
|
- `max_lease_ttl` `(int: 0)` – Specifies the maximum time-to-live. If set on a
|
|
|
|
|
specific auth path, this overrides the global default.
|
|
|
|
|
|
2018-02-21 22:18:05 +00:00
|
|
|
|
- `description` `(string: "")` – Specifies the description of the mount. This
|
|
|
|
|
overrides the current stored value, if any.
|
|
|
|
|
|
2018-03-02 17:18:39 +00:00
|
|
|
|
- `audit_non_hmac_request_keys` `(array: [])` - Specifies the comma-separated
|
|
|
|
|
list of keys that will not be HMAC'd by audit devices in the request data
|
|
|
|
|
object.
|
|
|
|
|
|
|
|
|
|
- `audit_non_hmac_response_keys` `(array: [])` - Specifies the comma-separated
|
|
|
|
|
list of keys that will not be HMAC'd by audit devices in the response data
|
|
|
|
|
object.
|
|
|
|
|
|
2018-11-30 22:32:04 +00:00
|
|
|
|
- `listing_visibility` `(string: "")` - Specifies whether to show this mount
|
2018-04-16 16:13:58 +00:00
|
|
|
|
in the UI-specific listing endpoint. Valid values are `"unauth"` or `""`.
|
2018-03-21 23:56:47 +00:00
|
|
|
|
|
|
|
|
|
- `passthrough_request_headers` `(array: [])` - Comma-separated list of headers
|
|
|
|
|
to whitelist and pass from the request to the backend.
|
|
|
|
|
|
2018-11-01 18:51:06 +00:00
|
|
|
|
- `token_type` `(string: "")` – Specifies the type of tokens that should be
|
|
|
|
|
returned by the mount. The following values are available:
|
|
|
|
|
|
|
|
|
|
- `default-service`: Unless the auth method requests a different type, issue
|
|
|
|
|
service tokens
|
|
|
|
|
- `default-batch`: Unless the auth method requests a different type, issue
|
|
|
|
|
batch tokens
|
|
|
|
|
- `service`: Override any auth method preference and always issue service
|
|
|
|
|
tokens from this mount
|
|
|
|
|
- `batch`: Override any auth method preference and always issue batch tokens
|
|
|
|
|
from this mount
|
|
|
|
|
|
2017-03-15 06:40:33 +00:00
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"default_lease_ttl": 1800,
|
|
|
|
|
"max_lease_ttl": 86400
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/sys/auth/my-auth/tune
|
2017-03-15 06:40:33 +00:00
|
|
|
|
```
|