open-vault/website/source/api/system/mounts.html.md

259 lines
7.5 KiB
Markdown
Raw Normal View History

---
2017-03-17 18:06:03 +00:00
layout: "api"
page_title: "/sys/mounts - HTTP API"
New Docs Website (#5535) * conversion stage 1 * correct image paths * add sidebar title to frontmatter * docs/concepts and docs/internals * configuration docs and multi-level nav corrections * commands docs, index file corrections, small item nav correction * secrets converted * auth * add enterprise and agent docs * add extra dividers * secret section, wip * correct sidebar nav title in front matter for apu section, start working on api items * auth and backend, a couple directory structure fixes * remove old docs * intro side nav converted * reset sidebar styles, add hashi-global-styles * basic styling for nav sidebar * folder collapse functionality * patch up border length on last list item * wip restructure for content component * taking middleman hacking to the extreme, but its working * small css fix * add new mega nav * fix a small mistake from the rebase * fix a content resolution issue with middleman * title a couple missing docs pages * update deps, remove temporary markup * community page * footer to layout, community page css adjustments * wip downloads page * deps updated, downloads page ready * fix community page * homepage progress * add components, adjust spacing * docs and api landing pages * a bunch of fixes, add docs and api landing pages * update deps, add deploy scripts * add readme note * update deploy command * overview page, index title * Update doc fields Note this still requires the link fields to be populated -- this is solely related to copy on the description fields * Update api_basic_categories.yml Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages. * Add bottom hero, adjust CSS, responsive friendly * Add mega nav title * homepage adjustments, asset boosts * small fixes * docs page styling fixes * meganav title * some category link corrections * Update API categories page updated to reflect the second level headings for api categories * Update docs_detailed_categories.yml Updated to represent the existing docs structure * Update docs_detailed_categories.yml * docs page data fix, extra operator page remove * api data fix * fix makefile * update deps, add product subnav to docs and api landing pages * Rearrange non-hands-on guides to _docs_ Since there is no place for these on learn.hashicorp, we'll put them under _docs_. * WIP Redirects for guides to docs * content and component updates * font weight hotfix, redirects * fix guides and intro sidenavs * fix some redirects * small style tweaks * Redirects to learn and internally to docs * Remove redirect to `/vault` * Remove `.html` from destination on redirects * fix incorrect index redirect * final touchups * address feedback from michell for makefile and product downloads
2018-10-19 15:40:11 +00:00
sidebar_title: "<tt>/sys/mounts</tt>"
sidebar_current: "api-http-system-mounts"
description: |-
The `/sys/mounts` endpoint is used manage secrets engines in Vault.
---
# `/sys/mounts`
The `/sys/mounts` endpoint is used manage secrets engines in Vault.
## List Mounted Secrets Engines
This endpoints lists all the mounted secrets engines.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `GET` | `/sys/mounts` | `200 application/json` |
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/sys/mounts
```
### Sample Response
```json
{
"aws": {
"type": "aws",
"description": "AWS keys",
"config": {
"default_lease_ttl": 0,
"max_lease_ttl": 0,
2017-11-14 11:13:11 +00:00
"force_no_cache": false,
"plugin_name": "",
"seal_wrap": false
}
},
"sys": {
"type": "system",
"description": "system endpoint",
"config": {
"default_lease_ttl": 0,
"max_lease_ttl": 0,
2017-11-14 11:13:11 +00:00
"force_no_cache": false,
"plugin_name": "",
"seal_wrap": false
}
}
}
```
`default_lease_ttl` or `max_lease_ttl` values of 0 mean that the system defaults
are used by this backend.
2017-09-21 21:14:40 +00:00
## Enable Secrets Engine
2017-09-21 21:14:40 +00:00
This endpoint enables a new secrets engine at the given path.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/sys/mounts/:path` | `204 (empty body)` |
### Parameters
- `path` `(string: <required>)`  Specifies the path where the secrets engine
will be mounted. This is specified as part of the URL.
- `type` `(string: <required>)` Specifies the type of the backend, such as
"aws".
- `description` `(string: "")`  Specifies the human-friendly description of the
mount.
- `config` `(map<string|string>: nil)`  Specifies configuration options for
this mount. This is an object with four possible values:
- `default_lease_ttl` `(string: "")` - The default lease duration, specified
as a string duration like "5s" or "30m".
2017-09-05 03:52:14 +00:00
- `max_lease_ttl` `(string: "")` - The maximum lease duration, specified as a
string duration like "5s" or "30m".
2017-09-05 03:52:14 +00:00
- `force_no_cache` `(bool: false)` - Disable caching.
2017-09-05 03:52:14 +00:00
- `plugin_name` `(string: "")` - The name of the plugin in the plugin catalog
to use.
- `audit_non_hmac_request_keys` `(array: [])` - Comma-separated list of keys
that will not be HMAC'd by audit devices in the request data object.
- `audit_non_hmac_response_keys` `(array: [])` - Comma-separated list of keys
that will not be HMAC'd by audit devices in the response data object.
- `listing_visibility` `(string: "")` - Speficies whether to show this mount
in the UI-specific listing endpoint. Valid values are `"unauth"` or
`"hidden"`. If not set, behaves like `"hidden"`.
- `passthrough_request_headers` `(array: [])` - Comma-separated list of headers
to whitelist and pass from the request to the backend.
These control the default and maximum lease time-to-live, force
2017-09-21 21:14:40 +00:00
disabling backend caching, and option plugin name for plugin backends
respectively. The first three options override the global defaults if
set on a specific mount. The plugin_name can be provided in the config
map or as a top-level option, with the former taking precedence.
2017-11-14 11:13:11 +00:00
When used with supported seals (`pkcs11`, `awskms`, etc.), `seal_wrap`
causes key material for supporting mounts to be wrapped by the seal's
encryption capability. This is currently only supported for `transit` and
`pki` backends. This is only available in Vault Enterprise.
- `options` `(map<string|string>: nil)` - Specifies mount type specific options
that are passed to the backend.
*Key/Value (KV)*
- `version` `(string: "1")` - The version of the KV to mount. Set to "2" for mount
KV v2.
- `plugin_name` `(string: "")`  Specifies the name of the plugin to
use based from the name in the plugin catalog. Applies only to plugin
backends.
2017-09-05 03:52:14 +00:00
Additionally, the following options are allowed in Vault open-source, but
relevant functionality is only supported in Vault Enterprise:
- `local` `(bool: false)` Specifies if the secrets engine is a local mount
only. Local mounts are not replicated nor (if a secondary) removed by
replication.
- `seal_wrap` `(bool: false)` - Enable seal wrapping for the mount.
### Sample Payload
```json
{
"type": "aws",
"config": {
"force_no_cache": true
}
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/sys/mounts/my-mount
```
2017-09-21 21:14:40 +00:00
## Disable Secrets Engine
2017-09-21 21:14:40 +00:00
This endpoint disables the mount point specified in the URL.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `DELETE` | `/sys/mounts/:path` | `204 (empty body) ` |
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/sys/mounts/my-mount
```
## Read Mount Configuration
This endpoint reads the given mount's configuration. Unlike the `mounts`
endpoint, this will return the current time in seconds for each TTL, which may
be the system default or a mount-specific value.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `GET` | `/sys/mounts/:path/tune` | `200 application/json` |
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/sys/mounts/my-mount/tune
```
### Sample Response
```json
{
"default_lease_ttl": 3600,
"max_lease_ttl": 7200,
"force_no_cache": false
}
```
## Tune Mount Configuration
This endpoint tunes configuration parameters for a given mount point.
| Method | Path | Produces |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/sys/mounts/:path/tune` | `204 (empty body)` |
### Parameters
- `default_lease_ttl` `(int: 0)`  Specifies the default time-to-live. This
overrides the global default. A value of `0` is equivalent to the system
default TTL.
- `max_lease_ttl` `(int: 0)` Specifies the maximum time-to-live. This
overrides the global default. A value of `0` are equivalent and set to the
system max TTL.
- `description` `(string: "")` Specifies the description of the mount. This
overrides the current stored value, if any.
- `audit_non_hmac_request_keys` `(array: [])` - Specifies the comma-separated
list of keys that will not be HMAC'd by audit devices in the request data
object.
- `audit_non_hmac_response_keys` `(array: [])` - Specifies the comma-separated
list of keys that will not be HMAC'd by audit devices in the response data
object.
- `listing_visibility` `(string: "")` - Speficies whether to show this mount in
the UI-specific listing endpoint. Valid values are `"unauth"` or `"hidden"`.
If not set, behaves like `"hidden"`.
- `passthrough_request_headers` `(array: [])` - Comma-separated list of headers
to whitelist and pass from the request to the backend.
### Sample Payload
```json
{
"default_lease_ttl": 1800,
"max_lease_ttl": 3600
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/sys/mounts/my-mount/tune
```