---
layout: docs
page_title: secrets disable - Command
description: |-
  The "secrets disable" command disables a secrets engine at a given PATH. The
  argument corresponds to the enabled PATH of the engine, not the TYPE! All
  secrets created by this engine are revoked and its Vault data is removed.
---

# secrets disable

The `secrets disable` command disables a secrets engine at a given PATH. The
argument corresponds to the enabled PATH of the engine, not the TYPE! All
secrets created by this engine are revoked and its Vault data is removed.

When a secrets engine is disabled, **all secrets generated via the secrets
engine are immediately revoked.** Care should be taken when disabling a
mount with a large number of secrets, as revoking them can cause a high load
on the system.

## Examples

Disable the secrets engine enabled at `aws/`:

```shell-session
$ vault secrets disable aws/
```

## Usage

There are no flags beyond the [standard set of flags](/docs/commands)
included on all commands.

## Force Disable

Because `secrets disable` revokes the secrets associated with the mount, an
error during revocation can prevent the secrets engine from being disabled.

The best way to resolve this is to figure out the underlying issue and then
disable the secrets engine once that issue is resolved. Often, this
can be as simple as increasing the timeout (in the event of timeout errors).

For recovery situations where the secret was manually removed from the
secrets backing service, one can force a secrets engine disable in Vault by
performing a [prefix force revoke](/docs/commands/lease/revoke) on the mount
prefix, followed by a `secrets disable` when that completes.
If the underlying secrets were not manually cleaned up, this method might result
in dangling credentials. This is meant for extreme circumstances.

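A guarded wrapper for the procedure above, as an added example that is not part of the Vault documentation: it checks that the argument is an enabled PATH (not a TYPE) before disabling, and falls back to the prefix force revoke only after a normal disable has failed and the operator has opted in. The function names and the `FORCE` variable are hypothetical; `vault lease revoke -force -prefix` is the CLI form of the prefix force revoke.

```shell
#!/bin/sh
# Added example (not from the Vault docs). Assumes the `vault` CLI is on PATH
# and VAULT_ADDR / VAULT_TOKEN are set. Function names and FORCE are hypothetical.

# Normalize a mount path so "aws" and "aws/" compare equal.
normalize_mount() {
  printf '%s/\n' "${1%/}"
}

# Print the engine TYPE enabled at PATH; return 1 if nothing is enabled there.
# Parses the default table output of `vault secrets list` (Path, Type, ...).
mount_type() {
  mount=$(normalize_mount "$1")
  vault secrets list |
    awk -v p="$mount" '$1 == p { print $2; found = 1 } END { exit !found }'
}

# Disable the engine at PATH. A forced revoke is attempted only when the normal
# disable has already failed AND the operator has set FORCE=yes.
disable_mount() {
  mount=$(normalize_mount "$1")
  engine=$(mount_type "$mount") || {
    echo "nothing enabled at $mount (pass the enabled PATH, not the TYPE)" >&2
    return 2
  }
  echo "disabling $mount (type: $engine); its secrets will be revoked" >&2
  if vault secrets disable "$mount"; then
    return 0
  fi
  if [ "${FORCE:-no}" != "yes" ]; then
    echo "disable failed; resolve the revocation error, then retry" >&2
    return 1
  fi
  # Recovery only: Vault drops the leases even if the backend revoke fails,
  # so credentials not already removed at the backing service are left dangling.
  vault lease revoke -force -prefix "$mount" && vault secrets disable "$mount"
}

# Usage: disable_mount prod-aws/              (normal path)
#        FORCE=yes; disable_mount prod-aws/   (recovery path)
```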