[website] Link Cleaning (#8205)
* update dependencies * remove hard-coded vaultproject.io on local links * remove 'index.html' from internal links * remove '.html' at end of internal links * manual review cleanup Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>
This commit is contained in:
parent
a9aaba8adb
commit
4f87851926
File diff suppressed because it is too large
Load Diff
|
@ -9,7 +9,7 @@ description: This is the API documentation for the Vault AliCloud auth method.
|
|||
|
||||
This is the API documentation for the Vault AliCloud auth method. For
|
||||
general information about the usage and operation of the AliCloud method, please
|
||||
see the [Vault AliCloud auth method documentation](/docs/auth/alicloud.html).
|
||||
see the [Vault AliCloud auth method documentation](/docs/auth/alicloud).
|
||||
|
||||
This documentation assumes the AliCloud auth method is mounted at the `/auth/alicloud`
|
||||
path in Vault. Since it is possible to enable auth methods at any location,
|
||||
|
|
|
@ -12,7 +12,7 @@ Please use AppRole instead.
|
|||
|
||||
This is the API documentation for the Vault App ID auth method. For
|
||||
general information about the usage and operation of the App ID method, please
|
||||
see the [Vault App ID method documentation](/docs/auth/app-id.html).
|
||||
see the [Vault App ID method documentation](/docs/auth/app-id).
|
||||
|
||||
This documentation assumes the App ID method is mounted at the `/auth/app-id`
|
||||
path in Vault. Since it is possible to enable auth methods at any location,
|
||||
|
|
|
@ -9,7 +9,7 @@ description: This is the API documentation for the Vault AppRole auth method.
|
|||
|
||||
This is the API documentation for the Vault AppRole auth method. For
|
||||
general information about the usage and operation of the AppRole method, please
|
||||
see the [Vault AppRole method documentation](/docs/auth/approle.html).
|
||||
see the [Vault AppRole method documentation](/docs/auth/approle).
|
||||
|
||||
This documentation assumes the AppRole method is mounted at the `/auth/approle`
|
||||
path in Vault. Since it is possible to enable auth methods at any location,
|
||||
|
|
|
@ -9,7 +9,7 @@ description: This is the API documentation for the Vault AWS auth method.
|
|||
|
||||
This is the API documentation for the Vault AWS auth method. For
|
||||
general information about the usage and operation of the AWS method, please
|
||||
see the [Vault AWS method documentation](/docs/auth/aws.html).
|
||||
see the [Vault AWS method documentation](/docs/auth/aws).
|
||||
|
||||
This documentation assumes the AWS method is mounted at the `/auth/aws`
|
||||
path in Vault. Since it is possible to enable auth methods at any location,
|
||||
|
@ -137,7 +137,7 @@ $ curl \
|
|||
## Configure Identity Integration
|
||||
|
||||
This configures the way that Vault interacts with the
|
||||
[Identity](/docs/secrets/identity/index.html) store. The default (as of Vault
|
||||
[Identity](/docs/secrets/identity) store. The default (as of Vault
|
||||
1.0.3) is `role_id` for both values.
|
||||
|
||||
| Method | Path |
|
||||
|
@ -150,7 +150,7 @@ This configures the way that Vault interacts with the
|
|||
using the `iam` auth method. Valid choices are `role_id`, `unique_id`, and
|
||||
`full_arn` When `role_id` is selected, the randomly generated ID of the role
|
||||
is used. When `unique_id` is selected, the [IAM Unique
|
||||
ID](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids)
|
||||
ID](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers#identifiers-unique-ids)
|
||||
of the IAM principal (either the user or role) is used as the identity alias
|
||||
name. When `full_arn` is selected, the ARN returned by the
|
||||
`sts:GetCallerIdentity` call is used as the alias name. This is either
|
||||
|
@ -705,7 +705,7 @@ list in order to satisfy that constraint.
|
|||
role inferencing is activated. This only applies to the iam auth method.
|
||||
- `resolve_aws_unique_ids` `(bool: true)` - When set, resolves the
|
||||
`bound_iam_principal_arn` to the
|
||||
[AWS Unique ID](http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids)
|
||||
[AWS Unique ID](http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers#identifiers-unique-ids)
|
||||
for the bound principal ARN. This field is ignored when
|
||||
`bound_iam_principal_arn` ends with a wildcard character.
|
||||
This requires Vault to be able to call `iam:GetUser` or `iam:GetRole` on the
|
||||
|
|
|
@ -11,7 +11,7 @@ description: |-
|
|||
|
||||
This is the API documentation for the Vault Azure auth method
|
||||
plugin. To learn more about the usage and operation, see the
|
||||
[Vault Azure method documentation](/docs/auth/azure.html).
|
||||
[Vault Azure method documentation](/docs/auth/azure).
|
||||
|
||||
This documentation assumes the plugin method is mounted at the
|
||||
`/auth/azure` path in Vault. Since it is possible to enable auth methods
|
||||
|
|
|
@ -11,7 +11,7 @@ description: |-
|
|||
|
||||
This is the API documentation for the Vault TLS Certificate authentication
|
||||
method. For general information about the usage and operation of the TLS
|
||||
Certificate method, please see the [Vault TLS Certificate method documentation](/docs/auth/cert.html).
|
||||
Certificate method, please see the [Vault TLS Certificate method documentation](/docs/auth/cert).
|
||||
|
||||
This documentation assumes the TLS Certificate method is mounted at the
|
||||
`/auth/cert` path in Vault. Since it is possible to enable auth methods at any
|
||||
|
|
|
@ -9,7 +9,7 @@ description: This is the API documentation for the Vault Cloud Foundry auth meth
|
|||
|
||||
This is the API documentation for the Vault CF auth method. For
|
||||
general information about the usage and operation of the CF method, please
|
||||
see the [Vault CF method documentation](/docs/auth/cf.html).
|
||||
see the [Vault CF method documentation](/docs/auth/cf).
|
||||
|
||||
This documentation assumes the CF method is mounted at the `/auth/cf`
|
||||
path in Vault. Since it is possible to enable auth methods at any location,
|
||||
|
@ -20,7 +20,7 @@ please update your API calls accordingly.
|
|||
Configure the root CA certificate to be used for verifying instance identity
|
||||
certificates, and configure access to the CF API. For detailed instructions
|
||||
on how to obtain these values, please see the [Vault CF method
|
||||
documentation](/docs/auth/cf.html).
|
||||
documentation](/docs/auth/cf).
|
||||
|
||||
| Method | Path |
|
||||
| :----- | ----------------- |
|
||||
|
|
|
@ -11,7 +11,7 @@ description: |-
|
|||
|
||||
This is the API documentation for the Vault Google Cloud auth method. To learn
|
||||
more about the usage and operation, see the
|
||||
[Vault Google Cloud method documentation](/docs/auth/gcp.html).
|
||||
[Vault Google Cloud method documentation](/docs/auth/gcp).
|
||||
|
||||
This documentation assumes the plugin method is mounted at the
|
||||
`/auth/gcp` path in Vault. Since it is possible to enable auth methods
|
||||
|
|
|
@ -9,7 +9,7 @@ description: This is the API documentation for the Vault GitHub auth method.
|
|||
|
||||
This is the API documentation for the Vault GitHub auth method. For
|
||||
general information about the usage and operation of the GitHub method, please
|
||||
see the [Vault GitHub method documentation](/docs/auth/github.html).
|
||||
see the [Vault GitHub method documentation](/docs/auth/github).
|
||||
|
||||
This documentation assumes the GitHub method is enabled at the `/auth/github`
|
||||
path in Vault. Since it is possible to enable auth methods at any location,
|
||||
|
|
|
@ -11,7 +11,7 @@ description: |-
|
|||
|
||||
This is the API documentation for the Vault JWT/OIDC auth method
|
||||
plugin. To learn more about the usage and operation, see the
|
||||
[Vault JWT/OIDC method documentation](/docs/auth/jwt.html).
|
||||
[Vault JWT/OIDC method documentation](/docs/auth/jwt).
|
||||
|
||||
This documentation assumes the plugin method is mounted at the
|
||||
`/auth/jwt` path in Vault. Since it is possible to enable auth methods
|
||||
|
@ -281,7 +281,7 @@ Obtain an authorization URL from Vault to start an OIDC login flow.
|
|||
- `redirect_uri` `(string: <required>)` - Path to the callback to complete the login. This will be
|
||||
of the form, "https://.../oidc/callback" where the leading portion is dependent on your Vault
|
||||
server location, port, and the mount of the JWT plugin. This must be configured with Vault and the
|
||||
provider. See [Redirect URIs](/docs/auth/jwt.html#redirect-uris) for more information.
|
||||
provider. See [Redirect URIs](/docs/auth/jwt#redirect-uris) for more information.
|
||||
|
||||
### Sample Payload
|
||||
|
||||
|
|
|
@ -9,7 +9,7 @@ description: This is the API documentation for the Vault Kerberos auth method pl
|
|||
|
||||
This is the API documentation for the Vault Kerberos auth method plugin. To
|
||||
learn more about the usage and operation, see the
|
||||
[Vault Kerberos auth method](/docs/auth/kerberos.html).
|
||||
[Vault Kerberos auth method](/docs/auth/kerberos).
|
||||
|
||||
This documentation assumes the Kerberos auth method is mounted at the
|
||||
`auth/kerberos` path in Vault. Since it is possible to enable auth methods at
|
||||
|
|
|
@ -9,7 +9,7 @@ description: This is the API documentation for the Vault Kubernetes auth method
|
|||
|
||||
This is the API documentation for the Vault Kubernetes auth method plugin. To
|
||||
learn more about the usage and operation, see the
|
||||
[Vault Kubernetes auth method](/docs/auth/kubernetes.html).
|
||||
[Vault Kubernetes auth method](/docs/auth/kubernetes).
|
||||
|
||||
This documentation assumes the Kubernetes method is mounted at the
|
||||
`/auth/kubernetes` path in Vault. Since it is possible to enable auth methods at
|
||||
|
|
|
@ -9,7 +9,7 @@ description: This is the API documentation for the Vault LDAP auth method.
|
|||
|
||||
This is the API documentation for the Vault LDAP auth method. For
|
||||
general information about the usage and operation of the LDAP method, please
|
||||
see the [Vault LDAP method documentation](/docs/auth/ldap.html).
|
||||
see the [Vault LDAP method documentation](/docs/auth/ldap).
|
||||
|
||||
This documentation assumes the LDAP method is mounted at the `/auth/ldap`
|
||||
path in Vault. Since it is possible to enable auth methods at any location,
|
||||
|
|
|
@ -9,7 +9,7 @@ description: This is the API documentation for the Vault OCI auth method plugin.
|
|||
|
||||
This is the API documentation for the Vault OCI auth method plugin. To
|
||||
learn more about the usage and operation, see the
|
||||
[Vault OCI auth method](/docs/auth/oci.html).
|
||||
[Vault OCI auth method](/docs/auth/oci).
|
||||
|
||||
This documentation assumes the OCI method is mounted at the
|
||||
`/auth/oci` path in Vault. Since it is possible to enable auth methods at
|
||||
|
|
|
@ -9,7 +9,7 @@ description: This is the API documentation for the Vault Okta auth method.
|
|||
|
||||
This is the API documentation for the Vault Okta auth method. For
|
||||
general information about the usage and operation of the Okta method, please
|
||||
see the [Vault Okta method documentation](/docs/auth/okta.html).
|
||||
see the [Vault Okta method documentation](/docs/auth/okta).
|
||||
|
||||
This documentation assumes the Okta method is mounted at the `/auth/okta`
|
||||
path in Vault. Since it is possible to enable auth methods at any location,
|
||||
|
|
|
@ -9,7 +9,7 @@ description: This is the API documentation for the Vault RADIUS auth method.
|
|||
|
||||
This is the API documentation for the Vault RADIUS auth method. For
|
||||
general information about the usage and operation of the RADIUS method, please
|
||||
see the [Vault RADIUS method documentation](/docs/auth/radius.html).
|
||||
see the [Vault RADIUS method documentation](/docs/auth/radius).
|
||||
|
||||
This documentation assumes the RADIUS method is mounted at the `/auth/radius`
|
||||
path in Vault. Since it is possible to enable auth methods at any location,
|
||||
|
|
|
@ -9,7 +9,7 @@ description: This is the API documentation for the Vault token auth method.
|
|||
|
||||
This is the API documentation for the Vault token auth method. For
|
||||
general information about the usage and operation of the token method, please
|
||||
see the [Vault Token method documentation](/docs/auth/token.html).
|
||||
see the [Vault Token method documentation](/docs/auth/token).
|
||||
|
||||
## List Accessors
|
||||
|
||||
|
@ -84,7 +84,7 @@ during this call.
|
|||
- `lease` `(string: "")` - DEPRECATED; use `ttl` instead
|
||||
- `ttl` `(string: "")` - The TTL period of the token, provided as "1h", where
|
||||
hour is the largest suffix. If not provided, the token is valid for the
|
||||
[default lease TTL](/docs/configuration/index.html), or indefinitely if the
|
||||
[default lease TTL](/docs/configuration), or indefinitely if the
|
||||
root policy is used.
|
||||
- `type` `(string: "")` - The token type. Can be "batch" or "service". Defaults
|
||||
to the type specified by the role configuration named by `role_name`.
|
||||
|
|
|
@ -11,7 +11,7 @@ description: |-
|
|||
|
||||
This is the API documentation for the Vault Username & Password auth method. For
|
||||
general information about the usage and operation of the Username and Password method, please
|
||||
see the [Vault Userpass method documentation](/docs/auth/userpass.html).
|
||||
see the [Vault Userpass method documentation](/docs/auth/userpass).
|
||||
|
||||
This documentation assumes the Username & Password method is mounted at the `/auth/userpass`
|
||||
path in Vault. Since it is possible to enable auth methods at any location,
|
||||
|
|
|
@ -37,7 +37,7 @@ either the `X-Vault-Token` HTTP Header or as `Authorization` HTTP Header using
|
|||
the `Bearer <token>` scheme.
|
||||
|
||||
Otherwise, a client token can be retrieved via [authentication
|
||||
backends](/docs/auth/index.html).
|
||||
backends](/docs/auth).
|
||||
|
||||
Each auth method has one or more unauthenticated login endpoints. These
|
||||
endpoints can be reached without any authentication, and are used for
|
||||
|
@ -50,7 +50,7 @@ client or passed via the `X-Vault-Token` or `Authorization` header for future re
|
|||
|
||||
## Namespaces
|
||||
|
||||
If using the [Namespaces](/docs/enterprise/namespaces/index.html) feature, API
|
||||
If using the [Namespaces](/docs/enterprise/namespaces) feature, API
|
||||
operations are relative to the namespace value passed in via the
|
||||
`X-Vault-Namespace` header. For instance, if the request path is to
|
||||
`secret/foo`, and the header is set to `ns1/ns2/`, the final request path Vault
|
||||
|
@ -186,7 +186,7 @@ To retrieve the help for any API within Vault, including mounted backends, auth
|
|||
methods, etc. then append `?help=1` to any URL. If you have valid permission to
|
||||
access the path, then the help text will be return a markdown-formatted block in the `help` attribute of the response.
|
||||
|
||||
Additionally, with the [OpenAPI generation](/api/system/internal-specs-openapi.html) in Vault, you will get back a small
|
||||
Additionally, with the [OpenAPI generation](/api/system/internal-specs-openapi) in Vault, you will get back a small
|
||||
OpenAPI document in the `openapi` attribute. This document is relevant for the path you're looking up and any paths under it - also note paths in the OpenAPI document are relative to the initial path queried.
|
||||
|
||||
Example request:
|
||||
|
@ -289,4 +289,4 @@ A maximum request size of 32MB is imposed to prevent a denial of service attack
|
|||
with arbitrarily large requests; this can be tuned per `listener` block in
|
||||
Vault's server configuration file.
|
||||
|
||||
[agent]: /docs/agent/index.html#listener-stanza
|
||||
[agent]: /docs/agent#listener-stanza
|
||||
|
|
|
@ -34,4 +34,4 @@ The following list of tools is maintained by the community of Vault users; Hashi
|
|||
- [Vault-CRD](https://vault.koudingspawn.de/) - Synchronize secrets stored in HashiCorp Vault to Kubernetes Secrets for better GitOps without secrets stored in git manifest files.
|
||||
- [nc-vault-env](https://github.com/namecheap/nc-vault-env) - JS CLI tool that fetches secrets in parallel, puts them into the environment and then `exec`s the process that needs them. Supports auth token renewal, multiple auth backends, verbose logging and dummy mode.
|
||||
|
||||
Want to add your own project, or one that you use? Additions are welcome via [pull requests](https://github.com/hashicorp/vault/blob/master/website/source/api/relatedtools.html.md).
|
||||
Want to add your own project, or one that you use? Additions are welcome via [pull requests](https://github.com/hashicorp/vault/blob/master/website/pages/api-docs/relatedtools.mdx).
|
||||
|
|
|
@ -9,7 +9,7 @@ description: This is the API documentation for the Vault Active Directory secret
|
|||
|
||||
This is the API documentation for the Vault AD secrets engine. For general
|
||||
information about the usage and operation of the AD secrets engine, please see
|
||||
the [Vault Active Directory documentation](/docs/secrets/ad/index.html).
|
||||
the [Vault Active Directory documentation](/docs/secrets/ad).
|
||||
|
||||
This documentation assumes the AD secrets engine is enabled at the `/ad` path
|
||||
in Vault. Since it is possible to enable secrets engines at any location, please
|
||||
|
|
|
@ -9,7 +9,7 @@ description: This is the API documentation for the Vault AliCloud secrets engine
|
|||
|
||||
This is the API documentation for the Vault AliCloud secrets engine. For general
|
||||
information about the usage and operation of the AliCloud secrets engine, please see
|
||||
the [Vault AliCloud documentation](/docs/secrets/alicloud/index.html).
|
||||
the [Vault AliCloud documentation](/docs/secrets/alicloud).
|
||||
|
||||
This documentation assumes the AliCloud secrets engine is enabled at the `/alicloud` path
|
||||
in Vault. Since it is possible to enable secrets engines at any location, please
|
||||
|
@ -29,7 +29,7 @@ To use instance metadata, leave the static credential configuration unset.
|
|||
At present, this endpoint does not confirm that the provided AliCloud credentials are
|
||||
valid AliCloud credentials with proper permissions.
|
||||
|
||||
Please see the [Vault AliCloud documentation](/docs/secrets/alicloud/index.html) for
|
||||
Please see the [Vault AliCloud documentation](/docs/secrets/alicloud) for
|
||||
the policies that should be attached to the access key you provide.
|
||||
|
||||
| Method | Path |
|
||||
|
@ -78,7 +78,7 @@ The `role` endpoint configures how Vault will generate credentials for users of
|
|||
- `name` (string, required) – Specifies the name of the role to generate credentials against. This is part of the request URL.
|
||||
- `remote_policies` (string, optional) - The names and types of a pre-existing policies to be applied to the generate access token. Example: "name:AliyunOSSReadOnlyAccess,type:System".
|
||||
- `inline_policies` (string, optional) - The policy document JSON to be generated and attached to the access token.
|
||||
- `role_arn` (string, optional) - The ARN of a role that will be assumed to obtain STS credentials. See [Vault AliCloud documentation](/docs/secrets/alicloud/index.html) regarding trusted actors.
|
||||
- `role_arn` (string, optional) - The ARN of a role that will be assumed to obtain STS credentials. See [Vault AliCloud documentation](/docs/secrets/alicloud) regarding trusted actors.
|
||||
- `ttl` (int, optional) - The duration in seconds after which the issued token should expire. Defaults to 0, in which case the value will fallback to the system/mount defaults.
|
||||
- `max_ttl` (int, optional) - The maximum allowed lifetime of tokens issued using this role.
|
||||
|
||||
|
|
|
@ -9,7 +9,7 @@ description: This is the API documentation for the Vault AWS secrets engine.
|
|||
|
||||
This is the API documentation for the Vault AWS secrets engine. For general
|
||||
information about the usage and operation of the AWS secrets engine, please see
|
||||
the [Vault AWS documentation](/docs/secrets/aws/index.html).
|
||||
the [Vault AWS documentation](/docs/secrets/aws).
|
||||
|
||||
This documentation assumes the AWS secrets engine is enabled at the `/aws` path
|
||||
in Vault. Since it is possible to enable secrets engines at any location, please
|
||||
|
|
|
@ -223,8 +223,8 @@ $ curl \
|
|||
|
||||
## Revoking/Renewing Secrets
|
||||
|
||||
See docs on how to [renew](/api/system/leases.html#renew-lease) and [revoke](/api/system/leases.html#revoke-lease) leases.
|
||||
See docs on how to [renew](/api/system/leases#renew-lease) and [revoke](/api/system/leases#revoke-lease) leases.
|
||||
|
||||
[docs]: /docs/secrets/azure/index.html
|
||||
[roles]: /docs/secrets/azure/index.html#roles
|
||||
[groups]: /docs/secrets/azure/index.html#azure-groups
|
||||
[docs]: /docs/secrets/azure
|
||||
[roles]: /docs/secrets/azure#roles
|
||||
[groups]: /docs/secrets/azure#azure-groups
|
||||
|
|
|
@ -10,12 +10,12 @@ description: This is the API documentation for the Vault Cassandra secrets engin
|
|||
~> **Deprecation Note:** This backend is deprecated in favor of the
|
||||
combined databases backend added in v0.7.1. See the API documentation for
|
||||
the new implementation of this backend at
|
||||
[Cassandra database plugin HTTP API](/api/secret/databases/cassandra.html).
|
||||
[Cassandra database plugin HTTP API](/api/secret/databases/cassandra).
|
||||
|
||||
This is the API documentation for the Vault Cassandra secrets engine. For
|
||||
general information about the usage and operation of the Cassandra backend,
|
||||
please see the
|
||||
[Vault Cassandra backend documentation](/docs/secrets/cassandra/index.html).
|
||||
[Vault Cassandra backend documentation](/docs/secrets/cassandra).
|
||||
|
||||
This documentation assumes the Cassandra backend is mounted at the `/cassandra`
|
||||
path in Vault. Since it is possible to enable secrets engines at any location,
|
||||
|
@ -55,7 +55,7 @@ Cassandra.
|
|||
private key; a certificate, private key, and issuing CA certificate; or just a
|
||||
CA certificate. For convenience format is the same as the output of the
|
||||
`issue` command from the `pki` backend; see
|
||||
[the pki documentation](/docs/secrets/pki/index.html).
|
||||
[the pki documentation](/docs/secrets/pki).
|
||||
|
||||
- `protocol_version` `(int: 2)` – Specifies the CQL protocol version to use.
|
||||
|
||||
|
|
|
@ -9,7 +9,7 @@ description: This is the API documentation for the Vault Consul secrets engine.
|
|||
|
||||
This is the API documentation for the Vault Consul secrets engine. For general
|
||||
information about the usage and operation of the Consul secrets engine, please
|
||||
see the [Vault Consul documentation](/docs/secrets/consul/index.html).
|
||||
see the [Vault Consul documentation](/docs/secrets/consul).
|
||||
|
||||
This documentation assumes the Consul secrets engine is enabled at the `/consul`
|
||||
path in Vault. Since it is possible to enable secrets engines at any location,
|
||||
|
@ -75,7 +75,7 @@ updated attributes.
|
|||
|
||||
- `policy` `(string: <policy or policies>)` – Specifies the base64 encoded ACL policy. The
|
||||
ACL format can be found in the [Consul ACL
|
||||
documentation](https://www.consul.io/docs/internals/acl.html). This is
|
||||
documentation](https://www.consul.io/docs/internals/acl). This is
|
||||
required unless the `token_type` is `management`.
|
||||
|
||||
- `policies` `(list: <policy or policies>)` – The list of policies to assign to the generated
|
||||
|
|
|
@ -10,7 +10,7 @@ description: This is the API documentation for the Vault Cubbyhole secrets engin
|
|||
This is the API documentation for the Vault Cubbyhole secrets engine. For
|
||||
general information about the usage and operation of the Cubbyhole secrets
|
||||
engine, please see the
|
||||
[Vault Cubbyhole documentation](/docs/secrets/cubbyhole/index.html).
|
||||
[Vault Cubbyhole documentation](/docs/secrets/cubbyhole).
|
||||
|
||||
This documentation assumes the Cubbyhole secrets engine is enabled at the
|
||||
`/cubbyhole` path in Vault. Since it is possible to enable secrets engines at
|
||||
|
|
|
@ -16,7 +16,7 @@ configured roles for the Cassandra database.
|
|||
## Configure Connection
|
||||
|
||||
In addition to the parameters defined by the [Database
|
||||
Secrets Engine](/api/secret/databases/index.html#configure-connection), this plugin
|
||||
Secrets Engine](/api/secret/databases#configure-connection), this plugin
|
||||
has a number of parameters to further configure a connection.
|
||||
|
||||
| Method | Path |
|
||||
|
@ -51,7 +51,7 @@ has a number of parameters to further configure a connection.
|
|||
private key; a certificate, private key, and issuing CA certificate; or just a
|
||||
CA certificate. For convenience format is the same as the output of the
|
||||
`issue` command from the `pki` secrets engine; see
|
||||
[the pki documentation](/docs/secrets/pki/index.html).
|
||||
[the pki documentation](/docs/secrets/pki).
|
||||
|
||||
- `skip_verification` `(bool: false)` - Skip permissions checks when a connection to Cassandra
|
||||
is first created. These checks ensure that Vault is able to create roles, but can be resource
|
||||
|
@ -121,7 +121,7 @@ $ curl \
|
|||
Statements are configured during role creation and are used by the plugin to
|
||||
determine what is sent to the database on user creation, renewing, and
|
||||
revocation. For more information on configuring roles see the [Role
|
||||
API](/api/secret/databases/index.html#create-role) in the database secrets engine docs.
|
||||
API](/api/secret/databases#create-role) in the database secrets engine docs.
|
||||
|
||||
### Parameters
|
||||
|
||||
|
|
|
@ -16,7 +16,7 @@ configured roles for Elasticsearch.
|
|||
## Configure Connection
|
||||
|
||||
In addition to the parameters defined by the [Database
|
||||
Backend](/api/secret/databases/index.html#configure-connection), this plugin
|
||||
Backend](/api/secret/databases#configure-connection), this plugin
|
||||
has a number of parameters to further configure a connection.
|
||||
|
||||
| Method | Path |
|
||||
|
@ -65,7 +65,7 @@ $ curl \
|
|||
Statements are configured during role creation and are used by the plugin to
|
||||
determine what is sent to the database on user creation, renewing, and
|
||||
revocation. For more information on configuring roles see the [Role
|
||||
API](/api/secret/databases/index.html#create-role) in the database secrets engine docs.
|
||||
API](/api/secret/databases#create-role) in the database secrets engine docs.
|
||||
|
||||
### Parameters
|
||||
|
||||
|
|
|
@ -16,7 +16,7 @@ configured roles for the HANA database.
|
|||
## Configure Connection
|
||||
|
||||
In addition to the parameters defined by the [database
|
||||
secrets engine](/api/secret/databases/index.html#configure-connection), this plugin
|
||||
secrets engine](/api/secret/databases#configure-connection), this plugin
|
||||
has a number of parameters to further configure a connection.
|
||||
|
||||
| Method | Path | Produces |
|
||||
|
@ -74,7 +74,7 @@ $ curl \
|
|||
Statements are configured during role creation and are used by the plugin to
|
||||
determine what is sent to the database on user creation, renewing, and
|
||||
revocation. For more information on configuring roles see the [Role
|
||||
API](/api/secret/databases/index.html#create-role) in the database secrets engine docs.
|
||||
API](/api/secret/databases#create-role) in the database secrets engine docs.
|
||||
|
||||
### Parameters
|
||||
|
||||
|
|
|
@ -10,7 +10,7 @@ description: Top page for database secrets engine information
|
|||
This is the API documentation for the Vault Database secrets engine. For
|
||||
general information about the usage and operation of the database secrets engine,
|
||||
please see the
|
||||
[Vault database secrets engine documentation](/docs/secrets/databases/index.html).
|
||||
[Vault database secrets engine documentation](/docs/secrets/databases).
|
||||
|
||||
This documentation assumes the database secrets engine is enabled at the
|
||||
`/database` path in Vault. Since it is possible to enable secrets engines at any
|
||||
|
@ -228,7 +228,7 @@ This endpoint creates or updates a role definition.
|
|||
|
||||
- `max_ttl` `(string/int: 0)` - Specifies the maximum TTL for the leases
|
||||
associated with this role. Accepts time suffixed strings ("1h") or an integer
|
||||
number of seconds. Defaults to system/mount default TTL time; this value is allowed to be less than the mount max TTL (or, if not set, the system max TTL), but it is not allowed to be longer. See also [The TTL General Case](https://www.vaultproject.io/docs/concepts/tokens.html#the-general-case).
|
||||
number of seconds. Defaults to system/mount default TTL time; this value is allowed to be less than the mount max TTL (or, if not set, the system max TTL), but it is not allowed to be longer. See also [The TTL General Case](/docs/concepts/tokens#the-general-case).
|
||||
|
||||
- `creation_statements` `(list: <required>)` – Specifies the database
|
||||
statements executed to create and configure a user. See the plugin's API page
|
||||
|
|
|
@ -16,7 +16,7 @@ configured roles for the Influxdb database.
|
|||
## Configure Connection
|
||||
|
||||
In addition to the parameters defined by the [Database
|
||||
Secrets Engine](/api/secret/databases/index.html#configure-connection), this plugin
|
||||
Secrets Engine](/api/secret/databases#configure-connection), this plugin
|
||||
has a number of parameters to further configure a connection.
|
||||
|
||||
| Method | Path |
|
||||
|
@ -51,7 +51,7 @@ has a number of parameters to further configure a connection.
|
|||
private key; a certificate, private key, and issuing CA certificate; or just a
|
||||
CA certificate. For convenience format is the same as the output of the
|
||||
`issue` command from the `pki` secrets engine; see
|
||||
[the pki documentation](/docs/secrets/pki/index.html).
|
||||
[the pki documentation](/docs/secrets/pki).
|
||||
|
||||
- `connect_timeout` `(string: "5s")` – Specifies the connection timeout to use.
|
||||
|
||||
|
@ -103,7 +103,7 @@ $ curl \
|
|||
Statements are configured during role creation and are used by the plugin to
|
||||
determine what is sent to the database on user creation, renewing, and
|
||||
revocation. For more information on configuring roles see the [Role
|
||||
API](/api/secret/databases/index.html#create-role) in the database secrets engine docs.
|
||||
API](/api/secret/databases#create-role) in the database secrets engine docs.
|
||||
|
||||
### Parameters
|
||||
|
||||
|
|
|
@ -16,7 +16,7 @@ configured roles for the MongoDB database.
|
|||
## Configure Connection
|
||||
|
||||
In addition to the parameters defined by the [Database
|
||||
Backend](/api/secret/databases/index.html#configure-connection), this plugin
|
||||
Backend](/api/secret/databases#configure-connection), this plugin
|
||||
has a number of parameters to further configure a connection.
|
||||
|
||||
| Method | Path |
|
||||
|
@ -65,7 +65,7 @@ $ curl \
|
|||
Statements are configured during role creation and are used by the plugin to
|
||||
determine what is sent to the database on user creation, renewing, and
|
||||
revocation. For more information on configuring roles see the [Role
|
||||
API](/api/secret/databases/index.html#create-role) in the database secrets engine docs.
|
||||
API](/api/secret/databases#create-role) in the database secrets engine docs.
|
||||
|
||||
### Parameters
|
||||
|
||||
|
|
|
@ -16,7 +16,7 @@ configured roles for the MSSQL database.
|
|||
## Configure Connection
|
||||
|
||||
In addition to the parameters defined by the [Database
|
||||
Backend](/api/secret/databases/index.html#configure-connection), this plugin
|
||||
Backend](/api/secret/databases#configure-connection), this plugin
|
||||
has a number of parameters to further configure a connection.
|
||||
|
||||
| Method | Path |
|
||||
|
@ -74,7 +74,7 @@ $ curl \
|
|||
Statements are configured during role creation and are used by the plugin to
|
||||
determine what is sent to the database on user creation, renewing, and
|
||||
revocation. For more information on configuring roles see the [Role
|
||||
API](/api/secret/databases/index.html#create-role) in the database secrets engine docs.
|
||||
API](/api/secret/databases#create-role) in the database secrets engine docs.
|
||||
|
||||
### Parameters
|
||||
|
||||
|
|
|
@ -16,7 +16,7 @@ configured roles for the MySQL database.
|
|||
## Configure Connection
|
||||
|
||||
In addition to the parameters defined by the [Database
|
||||
Backend](/api/secret/databases/index.html#configure-connection), this plugin
|
||||
Backend](/api/secret/databases#configure-connection), this plugin
|
||||
has a number of parameters to further configure a connection.
|
||||
|
||||
| Method | Path |
|
||||
|
@ -74,7 +74,7 @@ $ curl \
|
|||
Statements are configured during role creation and are used by the plugin to
|
||||
determine what is sent to the database on user creation, renewing, and
|
||||
revocation. For more information on configuring roles see the [Role
|
||||
API](/api/secret/databases/index.html#create-role) in the database secrets engine docs.
|
||||
API](/api/secret/databases#create-role) in the database secrets engine docs.
|
||||
|
||||
### Parameters
|
||||
|
||||
|
|
|
@ -16,7 +16,7 @@ configured roles for the Oracle database.
|
|||
## Configure Connection
|
||||
|
||||
In addition to the parameters defined by the [Database
|
||||
Backend](/api/secret/databases/index.html#configure-connection), this plugin
|
||||
Backend](/api/secret/databases#configure-connection), this plugin
|
||||
has a number of parameters to further configure a connection.
|
||||
|
||||
| Method | Path |
|
||||
|
@ -71,7 +71,7 @@ $ curl \
|
|||
Statements are configured during role creation and are used by the plugin to
|
||||
determine what is sent to the database on user creation, renewing, and
|
||||
revocation. For more information on configuring roles see the [Role
|
||||
API](/api/secret/databases/index.html#create-role) in the database secrets engine docs.
|
||||
API](/api/secret/databases#create-role) in the database secrets engine docs.
|
||||
|
||||
### Parameters
|
||||
|
||||
|
|
|
@ -16,7 +16,7 @@ configured roles for the PostgreSQL database.
|
|||
## Configure Connection
|
||||
|
||||
In addition to the parameters defined by the [Database
|
||||
Backend](/api/secret/databases/index.html#configure-connection), this plugin
|
||||
Backend](/api/secret/databases#configure-connection), this plugin
|
||||
has a number of parameters to further configure a connection.
|
||||
|
||||
| Method | Path |
|
||||
|
@ -74,7 +74,7 @@ $ curl \
|
|||
Statements are configured during role creation and are used by the plugin to
|
||||
determine what is sent to the database on user creation, renewing, and
|
||||
revocation. For more information on configuring roles see the [Role
|
||||
API](/api/secret/databases/index.html#create-role) in the database secrets engine docs.
|
||||
API](/api/secret/databases#create-role) in the database secrets engine docs.
|
||||
|
||||
### Parameters
|
||||
|
||||
|
|
|
@ -9,7 +9,7 @@ description: This is the API documentation for the Vault Google Cloud secrets en
|
|||
|
||||
This is the API documentation for the Vault Google Cloud Platform (GCP)
|
||||
secrets engine. For general information about the usage and operation of
|
||||
the GCP secrets engine, please see [these docs](/docs/secrets/gcp/index.html).
|
||||
the GCP secrets engine, please see [these docs](/docs/secrets/gcp).
|
||||
|
||||
This documentation assumes the GCP secrets engine is enabled at the `/gcp` path
|
||||
in Vault. Since it is possible to mount secrets engines at any path, please
|
||||
|
@ -26,9 +26,9 @@ This endpoint configures shared information for the secrets engine.
|
|||
### Parameters
|
||||
|
||||
- `credentials` (`string:""`) - JSON credentials (either file contents or '@path/to/file')
|
||||
See docs for [alternative ways](/docs/secrets/gcp/index.html#passing-credentials-to-vault)
|
||||
See docs for [alternative ways](/docs/secrets/gcp#passing-credentials-to-vault)
|
||||
to pass in to this parameter, as well as the
|
||||
[required permissions](/docs/secrets/gcp/index.html#required-permissions).
|
||||
[required permissions](/docs/secrets/gcp#required-permissions).
|
||||
|
||||
- `ttl` (`int: 0 || string:"0s"`) – Specifies default config TTL for long-lived credentials
|
||||
(i.e. service account keys). Accepts integer number of seconds or Go duration format string.
|
||||
|
@ -90,7 +90,7 @@ $ curl \
|
|||
| :----- | :------------------- |
|
||||
| `POST` | `/gcp/roleset/:name` |
|
||||
|
||||
This method allows you to create a roleset or update an existing roleset. See [roleset docs](/docs/secrets/gcp/index.html#rolesets) for the GCP secrets backend
|
||||
This method allows you to create a roleset or update an existing roleset. See [roleset docs](/docs/secrets/gcp#rolesets) for the GCP secrets backend
|
||||
to learn more about what happens when you create or update a roleset.
|
||||
|
||||
**If you update a roleset's bindings, this will effectively revoke any secrets
|
||||
|
@ -120,7 +120,7 @@ generated under this roleset.**
|
|||
|
||||
#### Sample Bindings:
|
||||
|
||||
See [bindings format docs](/docs/secrets/gcp/index.html#roleset-bindings) for more information.
|
||||
See [bindings format docs](/docs/secrets/gcp#roleset-bindings) for more information.
|
||||
|
||||
```hcl
|
||||
resource "//cloudresourcemanager.googleapis.com/projects/mygcpproject" {
|
||||
|
@ -380,5 +380,5 @@ $ curl \
|
|||
|
||||
## Revoking/Renewing Secrets
|
||||
|
||||
See docs on how to [renew](/api/system/leases.html#renew-lease) and [revoke](/api/system/leases.html#revoke-lease) leases.
|
||||
See docs on how to [renew](/api/system/leases#renew-lease) and [revoke](/api/system/leases#revoke-lease) leases.
|
||||
Note this only applies to service account keys.
|
||||
|
|
|
@ -10,7 +10,7 @@ description: This is the API documentation for the Vault Google Cloud KMS secret
|
|||
This is the API documentation for the Vault Google Cloud KMS secrets engine. For
|
||||
general information about the usage and operation of the Google Cloud KMS
|
||||
secrets engine, please see the
|
||||
[Google Cloud KMS documentation](/docs/secrets/gcpkms/index.html).
|
||||
[Google Cloud KMS documentation](/docs/secrets/gcpkms).
|
||||
|
||||
This documentation assumes the Google Cloud KMS secrets engine is enabled at the
|
||||
`/gcpkms` path in Vault. Since it is possible to enable secrets engines at any
|
||||
|
|
|
@ -9,13 +9,13 @@ description: This is the API documentation for the Vault Identity secrets engine
|
|||
|
||||
This is the API documentation for the Vault Identity secrets engine. For general
|
||||
information about the usage and operation of the Identity secrets engine, please
|
||||
see the [Vault Identity documentation](/docs/secrets/identity/index.html).
|
||||
see the [Vault Identity documentation](/docs/secrets/identity).
|
||||
|
||||
## API Sections
|
||||
|
||||
- [Entity](entity.html)
|
||||
- [Entity Alias](entity-alias.html)
|
||||
- [Group](group.html)
|
||||
- [Group Alias](group-alias.html)
|
||||
- [Identity Tokens](tokens.html)
|
||||
- [Lookup](lookup.html)
|
||||
- [Entity](entity)
|
||||
- [Entity Alias](entity-alias)
|
||||
- [Group](group)
|
||||
- [Group Alias](group-alias)
|
||||
- [Identity Tokens](tokens)
|
||||
- [Lookup](lookup)
|
||||
|
|
|
@ -9,7 +9,7 @@ description: This is the API documentation for the Vault KMIP secrets engine.
|
|||
|
||||
This is the API documentation for the Vault KMIP secrets engine. For general
|
||||
information about the usage and operation of
|
||||
the KMIP secrets engine, please see [these docs](/docs/secrets/kmip/index.html).
|
||||
the KMIP secrets engine, please see [these docs](/docs/secrets/kmip).
|
||||
|
||||
This documentation assumes the KMIP secrets engine is enabled at the `/kmip` path
|
||||
in Vault. Since it is possible to mount secrets engines at any path, please
|
||||
|
|
|
@ -9,8 +9,8 @@ description: This is the API documentation for the Vault KV secrets engine.
|
|||
|
||||
This backend can be run in one of two versions. Each of which have a distinct API.
|
||||
Choose the version below you are running. For more information on the KV secrets
|
||||
engine see the [Vault kv documentation](/docs/secrets/kv/index.html).
|
||||
engine see the [Vault kv documentation](/docs/secrets/kv).
|
||||
|
||||
- [KV Version 1 API](/api/secret/kv/kv-v1.html)
|
||||
- [KV Version 1 API](/api/secret/kv/kv-v1)
|
||||
|
||||
- [KV Version 2 API](/api/secret/kv/kv-v2.html)
|
||||
- [KV Version 2 API](/api/secret/kv/kv-v2)
|
||||
|
|
|
@ -9,7 +9,7 @@ description: This is the API documentation for the Vault KV secrets engine.
|
|||
|
||||
This is the API documentation for the Vault KV secrets engine. For general
|
||||
information about the usage and operation of the kv secrets engine, please
|
||||
see the [Vault kv documentation](/docs/secrets/kv/index.html).
|
||||
see the [Vault kv documentation](/docs/secrets/kv).
|
||||
|
||||
This documentation assumes the kv secrets engine is enabled at the
|
||||
`/secret` path in Vault. Since it is possible to enable secrets engines at any
|
||||
|
@ -54,7 +54,7 @@ $ curl \
|
|||
_Note_: the `lease_duration` field, which will be populated if a "ttl" field
|
||||
was included in the data, is advisory. No lease is created. This is a way for
|
||||
writers to indicate how often a given value should be re-read by the client.
|
||||
See the [Vault KV secrets engine documentation](/docs/secrets/kv/index.html)
|
||||
See the [Vault KV secrets engine documentation](/docs/secrets/kv)
|
||||
for more details.
|
||||
|
||||
## List Secrets
|
||||
|
@ -122,7 +122,7 @@ policy granting the `update` capability.
|
|||
be held at the given location. Multiple key/value pairs can be specified, and
|
||||
all will be returned on a read operation. A key called `ttl` will trigger
|
||||
some special behavior. See the [Vault KV secrets engine
|
||||
documentation](/docs/secrets/kv/index.html) for details.
|
||||
documentation](/docs/secrets/kv) for details.
|
||||
|
||||
### Sample Payload
|
||||
|
||||
|
|
|
@ -10,7 +10,7 @@ description: This is the API documentation for the Vault KV secrets engine.
|
|||
This is the API documentation for the Vault KV secrets engine while running in
|
||||
versioned mode. For general information about the usage and operation of the kv
|
||||
secrets engine, please see the [Vault kv
|
||||
documentation](/docs/secrets/kv/index.html).
|
||||
documentation](/docs/secrets/kv).
|
||||
|
||||
This documentation assumes the kv secrets engine is enabled at the
|
||||
`/secret` path in Vault and that versioning has been enabled. Since it is
|
||||
|
|
|
@ -10,12 +10,12 @@ description: This is the API documentation for the Vault MongoDB secrets engine.
|
|||
~> **Deprecation Note:** This secrets engine is deprecated in favor of the
|
||||
combined databases secrets engine added in v0.7.1. See the API documentation for
|
||||
the new implementation of this secrets engine at
|
||||
[MongoDB database plugin HTTP API](/api/secret/databases/mongodb.html).
|
||||
[MongoDB database plugin HTTP API](/api/secret/databases/mongodb).
|
||||
|
||||
This is the API documentation for the Vault MongoDB secrets engine. For general
|
||||
information about the usage and operation of the MongoDB secrets engine, please
|
||||
see the
|
||||
[Vault MongoDB secrets engine documentation](/docs/secrets/mongodb/index.html).
|
||||
[Vault MongoDB secrets engine documentation](/docs/secrets/mongodb).
|
||||
|
||||
This documentation assumes the MongoDB secrets engine is enabled at the
|
||||
`/mongodb` path in Vault. Since it is possible to enable secrets engines at any
|
||||
|
|
|
@ -10,11 +10,11 @@ description: This is the API documentation for the Vault MSSQL secrets engine.
|
|||
~> **Deprecation Note:** This secrets engine is deprecated in favor of the
|
||||
combined databases secrets engine added in v0.7.1. See the API documentation for
|
||||
the new implementation of this secrets engine at
|
||||
[MSSQL database plugin HTTP API](/api/secret/databases/mssql.html).
|
||||
[MSSQL database plugin HTTP API](/api/secret/databases/mssql).
|
||||
|
||||
This is the API documentation for the Vault MSSQL secrets engine. For general
|
||||
information about the usage and operation of the MSSQL secrets engine, please
|
||||
see the [Vault MSSQL documentation](/docs/secrets/mssql/index.html).
|
||||
see the [Vault MSSQL documentation](/docs/secrets/mssql).
|
||||
|
||||
This documentation assumes the MSSQL secrets engine is enabled at the `/mssql`
|
||||
path in Vault. Since it is possible to enable secrets engines at any location,
|
||||
|
|
|
@ -10,11 +10,11 @@ description: This is the API documentation for the Vault MySQL secrets engine.
|
|||
~> **Deprecation Note:** This secrets engine is deprecated in favor of the
|
||||
combined databases secrets engine added in v0.7.1. See the API documentation for
|
||||
the new implementation of this secrets engine at
|
||||
[MySQL/MariaDB database plugin HTTP API](/api/secret/databases/mysql-maria.html).
|
||||
[MySQL/MariaDB database plugin HTTP API](/api/secret/databases/mysql-maria).
|
||||
|
||||
This is the API documentation for the Vault MySQL secrets engine. For general
|
||||
information about the usage and operation of the MySQL secrets engine, please
|
||||
see the [Vault MySQL documentation](/docs/secrets/mysql/index.html).
|
||||
see the [Vault MySQL documentation](/docs/secrets/mysql).
|
||||
|
||||
This documentation assumes the MySQL secrets engine is enabled at the `/mysql`
|
||||
path in Vault. Since it is possible to enable secrets engines at any location,
|
||||
|
|
|
@ -9,7 +9,7 @@ description: This is the API documentation for the Vault Nomad secret backend.
|
|||
|
||||
This is the API documentation for the Vault Nomad secret backend. For general
|
||||
information about the usage and operation of the Nomad backend, please see the
|
||||
[Vault Nomad backend documentation](/docs/secrets/nomad/index.html).
|
||||
[Vault Nomad backend documentation](/docs/secrets/nomad).
|
||||
|
||||
This documentation assumes the Nomad backend is mounted at the `/nomad` path
|
||||
in Vault. Since it is possible to mount secret backends at any location, please
|
||||
|
@ -182,7 +182,7 @@ updated attributes.
|
|||
|
||||
- `policies` `(string: "")` – Comma separated list of Nomad policies the token is going to be created against. These need to be created beforehand in Nomad.
|
||||
|
||||
- `global` `(bool: "false")` – Specifies if the token should be global, as defined in the [Nomad Documentation](https://www.nomadproject.io/guides/acl.html#acl-tokens).
|
||||
- `global` `(bool: "false")` – Specifies if the token should be global, as defined in the [Nomad Documentation](https://www.nomadproject.io/guides/acl#acl-tokens).
|
||||
|
||||
- `type` `(string: "client")` - Specifies the type of token to create when
|
||||
using this role. Valid values are `"client"` or `"management"`.
|
||||
|
|
|
@ -9,7 +9,7 @@ description: This is the API documentation for the Vault PKI secrets engine.
|
|||
|
||||
This is the API documentation for the Vault PKI secrets engine. For general
|
||||
information about the usage and operation of the PKI secrets engine, please see
|
||||
the [PKI documentation](/docs/secrets/pki/index.html).
|
||||
the [PKI documentation](/docs/secrets/pki).
|
||||
|
||||
This documentation assumes the PKI secrets engine is enabled at the `/pki` path
|
||||
in Vault. Since it is possible to enable secrets engines at any location, please
|
||||
|
@ -545,7 +545,7 @@ $ curl \
|
|||
This endpoint allows submitting the signed CA certificate corresponding to a
|
||||
private key generated via `/pki/intermediate/generate`. The certificate should
|
||||
be submitted in PEM format; see the documentation for
|
||||
[/pki/config/ca](/api/secret/pki/index.html#submit-ca-information) for some
|
||||
[/pki/config/ca](/api/secret/pki#submit-ca-information) for some
|
||||
hints on submitting.
|
||||
|
||||
| Method | Path |
|
||||
|
|
|
@ -10,12 +10,12 @@ description: This is the API documentation for the Vault PostgreSQL secrets engi
|
|||
~> **Deprecation Note:** This secrets engine is deprecated in favor of the
|
||||
combined databases secrets engine added in v0.7.1. See the API documentation for
|
||||
the new implementation of this secrets engine at
|
||||
[PostgreSQL database plugin HTTP API](/api/secret/databases/postgresql.html).
|
||||
[PostgreSQL database plugin HTTP API](/api/secret/databases/postgresql).
|
||||
|
||||
This is the API documentation for the Vault PostgreSQL secrets engine. For
|
||||
general information about the usage and operation of the PostgreSQL secrets
|
||||
engine, please see the [PostgreSQL
|
||||
documentation](/docs/secrets/postgresql/index.html).
|
||||
documentation](/docs/secrets/postgresql).
|
||||
|
||||
This documentation assumes the PostgreSQL secrets engine is enabled at the
|
||||
`/postgresql` path in Vault. Since it is possible to enable secrets engines at
|
||||
|
|
|
@ -9,7 +9,7 @@ description: This is the API documentation for the Vault RabbitMQ secrets engine
|
|||
|
||||
This is the API documentation for the Vault RabbitMQ secrets engine. For general
|
||||
information about the usage and operation of the RabbitMQ secrets engine, please
|
||||
see the [RabbitMQ documentation](/docs/secrets/rabbitmq/index.html).
|
||||
see the [RabbitMQ documentation](/docs/secrets/rabbitmq).
|
||||
|
||||
This documentation assumes the RabbitMQ secrets engine is enabled at the
|
||||
`/rabbitmq` path in Vault. Since it is possible to enable secrets engines at any
|
||||
|
|
|
@ -9,7 +9,7 @@ description: This is the API documentation for the Vault SSH secrets engine.
|
|||
|
||||
This is the API documentation for the Vault SSH secrets engine. For general
|
||||
information about the usage and operation of the SSH secrets engine, please see
|
||||
the [SSH documentation](/docs/secrets/ssh/index.html).
|
||||
the [SSH documentation](/docs/secrets/ssh).
|
||||
|
||||
This documentation assumes the SSH secrets engine is enabled at the `/ssh` path
|
||||
in Vault. Since it is possible to enable secrets engines at any location, please
|
||||
|
|
|
@ -9,7 +9,7 @@ description: This is the API documentation for the Vault TOTP secrets engine.
|
|||
|
||||
This is the API documentation for the Vault TOTP secrets engine. For general
|
||||
information about the usage and operation of the TOTP secrets engine, please see
|
||||
the [TOTP documentation](/docs/secrets/totp/index.html).
|
||||
the [TOTP documentation](/docs/secrets/totp).
|
||||
|
||||
This documentation assumes the TOTP secrets engine is enabled at the `/totp`
|
||||
path in Vault. Since it is possible to enable secrets engines at any location,
|
||||
|
|
|
@ -9,7 +9,7 @@ description: This is the API documentation for the Vault Transit secrets engine.
|
|||
|
||||
This is the API documentation for the Vault Transit secrets engine. For general
|
||||
information about the usage and operation of the Transit secrets engine, please
|
||||
see the [transit documentation](/docs/secrets/transit/index.html).
|
||||
see the [transit documentation](/docs/secrets/transit).
|
||||
|
||||
This documentation assumes the transit secrets engine is enabled at the
|
||||
`/transit` path in Vault. Since it is possible to enable secrets engines at any
|
||||
|
@ -401,10 +401,7 @@ Use the base64-encoded plaintext in the payload:
|
|||
}
|
||||
```
|
||||
|
||||
!> Vault HTTP API imposes a maximum request size of 32MB to prevent a denial
|
||||
of service attack. This can be tuned per [`listener`
|
||||
block](/docs/configuration/listener/tcp.html) in the Vault server
|
||||
configuration.
|
||||
!> Vault HTTP API imposes a maximum request size of 32MB to prevent a denial of service attack. This can be tuned per [`listener` block](/docs/configuration/listener/tcp) in the Vault server configuration.
|
||||
|
||||
### Sample Request
|
||||
|
||||
|
@ -1328,4 +1325,4 @@ $ curl \
|
|||
},
|
||||
```
|
||||
|
||||
[sys-plugin-reload-backend]: /api/system/plugins-reload-backend.html#reload-plugins
|
||||
[sys-plugin-reload-backend]: /api/system/plugins-reload-backend#reload-plugins
|
||||
|
|
|
@ -16,7 +16,7 @@ The set of included paths is based on the permissions of the request token.
|
|||
|
||||
The response may include Vault-specific [extensions](https://github.com/oai/openapi-specification/blob/master/versions/3.0.2.md#specification-extensions). Three are currently defined:
|
||||
|
||||
- `x-vault-sudo` - Endpoint requires [sudo](https://www.vaultproject.io/docs/concepts/policies.html#sudo) privileges.
|
||||
- `x-vault-sudo` - Endpoint requires [sudo](/docs/concepts/policies#sudo) privileges.
|
||||
- `x-vault-unauthenticated` - Endpoint is unauthenticated.
|
||||
- `x-vault-create-supported` - Endpoint allows creation of new items, in addition to updating existing items.
|
||||
|
||||
|
|
|
@ -13,10 +13,10 @@ description: >-
|
|||
|
||||
## Supported MFA types.
|
||||
|
||||
- [TOTP](/api/system/mfa/totp.html)
|
||||
- [TOTP](/api/system/mfa/totp)
|
||||
|
||||
- [Okta](/api/system/mfa/okta.html)
|
||||
- [Okta](/api/system/mfa/okta)
|
||||
|
||||
- [Duo](/api/system/mfa/duo.html)
|
||||
- [Duo](/api/system/mfa/duo)
|
||||
|
||||
- [PingID](/api/system/mfa/pingid.html)
|
||||
- [PingID](/api/system/mfa/pingid)
|
||||
|
|
|
@ -10,7 +10,7 @@ description: The `/sys/raw` endpoint is used to access the raw underlying store
|
|||
The `/sys/raw` endpoint is used to access the raw underlying store in Vault.
|
||||
|
||||
This endpoint is off by default. See the
|
||||
[Vault configuration documentation](/docs/configuration/index.html) to
|
||||
[Vault configuration documentation](/docs/configuration) to
|
||||
enable.
|
||||
|
||||
## Read Raw
|
||||
|
|
|
@ -7,4 +7,4 @@ description: |-
|
|||
The '/sys/storage' endpoints are used to manage Vault's storage backends.
|
||||
---
|
||||
|
||||
This API sub-section is currently only used to manage [Raft](raft.html) storage backend.
|
||||
This API sub-section is currently only used to manage [Raft](raft) storage backend.
|
||||
|
|
|
@ -33,7 +33,7 @@ configured Sinks, subject to their configuration.
|
|||
|
||||
Sinks support some advanced features, including the ability for the written
|
||||
values to be encrypted or
|
||||
[response-wrapped](/docs/concepts/response-wrapping.html).
|
||||
[response-wrapped](/docs/concepts/response-wrapping).
|
||||
|
||||
Both mechanisms can be used concurrently; in this case, the value will be
|
||||
response-wrapped, then encrypted.
|
||||
|
|
|
@ -8,7 +8,7 @@ description: AliCloud Method for Vault Agent Auto-Auth
|
|||
# Vault Agent Auto-Auth AliCloud Method
|
||||
|
||||
The `alicloud` method performs authentication against the [AliCloud Auth
|
||||
method](https://www.vaultproject.io/docs/auth/alicloud.html).
|
||||
method](/docs/auth/alicloud).
|
||||
|
||||
## Credentials
|
||||
|
||||
|
|
|
@ -9,7 +9,7 @@ description: AppRole Method for Vault Agent Auto-Auth
|
|||
|
||||
The `approle` method reads in a role ID and a secret ID from files and sends
|
||||
the values to the [AppRole Auth
|
||||
method](https://www.vaultproject.io/docs/auth/approle.html).
|
||||
method](/docs/auth/approle).
|
||||
|
||||
The method caches values and it is safe to delete the role ID/secret ID files
|
||||
after they have been read. In fact, by default, after reading the secret ID,
|
||||
|
@ -32,7 +32,7 @@ cached.
|
|||
|
||||
- `secret_id_response_wrapping_path` `(string: optional)` - If set, the value
|
||||
at `secret_id_file_path` will be expected to be a [Response-Wrapping
|
||||
Token](https://www.vaultproject.io/docs/concepts/response-wrapping.html)
|
||||
Token](/docs/concepts/response-wrapping)
|
||||
containing the output of the secret ID retrieval endpoint for the role (e.g.
|
||||
`auth/approle/role/webservers/secret-id`) and the creation path for the
|
||||
response-wrapping token must match the value set here.
|
||||
|
|
|
@ -8,7 +8,7 @@ description: AWS Method for Vault Agent Auto-Auth
|
|||
# Vault Agent Auto-Auth AWS Method
|
||||
|
||||
The `aws` method performs authentication against the [AWS Auth
|
||||
method](https://www.vaultproject.io/docs/auth/aws.html). Both `ec2` and `iam`
|
||||
method](/docs/auth/aws). Both `ec2` and `iam`
|
||||
authentication types are supported. If `ec2` is used, the agent will store the
|
||||
reauthentication value in memory and use it for reauthenticating, but will not
|
||||
persist it to disk.
|
||||
|
@ -49,13 +49,13 @@ parameters unset in your configuration.
|
|||
|
||||
- `region` `(string: "us-east-1")` - The region to use for signing the authentication request. The
|
||||
region Agent uses should match that corresponding to
|
||||
[`sts_endpoint`](https://www.vaultproject.io/api/auth/aws/index.html#sts_endpoint),
|
||||
[`sts_endpoint`](/api/auth/aws#sts_endpoint),
|
||||
if a custom endpoint has been configured on the Vault server.
|
||||
|
||||
- `session_token` `(string: optional)` - The session token to use for authentication, if needed.
|
||||
|
||||
- `header_value` `(string: optional)` - If configured in Vault, the value to use for
|
||||
[`iam_server_id_header_value`](https://www.vaultproject.io/api/auth/aws/index.html#iam_server_id_header_value).
|
||||
[`iam_server_id_header_value`](/api/auth/aws#iam_server_id_header_value).
|
||||
|
||||
## Learn
|
||||
|
||||
|
|
|
@ -9,7 +9,7 @@ description: Azure Method for Vault Agent Auto-Auth
|
|||
|
||||
The `azure` method reads in Azure instance credentials and uses them to
|
||||
authenticate with the [Azure Auth
|
||||
method](https://www.vaultproject.io/docs/auth/azure.html). It reads most
|
||||
method](/docs/auth/azure). It reads most
|
||||
parameters needed for authentication directly from instance information based
|
||||
on the value of the `resource` parameter.
|
||||
|
||||
|
|
|
@ -11,10 +11,10 @@ The `cert` method uses the configured TLS certificates from the `vault` stanza o
|
|||
the agent configuration and takes an optional `name` parameter. There is no option
|
||||
to use certificates which differ from those used in the `vault` stanza.
|
||||
|
||||
See TLS settings in the [`vault` Stanza](https://vaultproject.io/docs/agent/index.html#vault-stanza)
|
||||
See TLS settings in the [`vault` Stanza](/docs/agent#vault-stanza)
|
||||
|
||||
## Configuration
|
||||
|
||||
- `name` `(string: optional)` - The trusted certificate role which should be used
|
||||
when authenticating with TLS. If a `name` is not specified, the auth method will
|
||||
try to authenticate against [all trusted certificates](https://www.vaultproject.io/docs/auth/cert.html#authentication).
|
||||
try to authenticate against [all trusted certificates](/docs/auth/cert#authentication).
|
||||
|
|
|
@ -8,7 +8,7 @@ description: CF Method for Vault Agent Auto-Auth
|
|||
# Vault Agent Auto-Auth CF Method
|
||||
|
||||
The `cf` method performs authentication against the [CF Auth
|
||||
method](https://www.vaultproject.io/docs/auth/cf.html).
|
||||
method](/docs/auth/cf).
|
||||
|
||||
## Credentials
|
||||
|
||||
|
|
|
@ -8,7 +8,7 @@ description: GCP Method for Vault Agent Auto-Auth
|
|||
# Vault Agent Auto-Auth GCP Method
|
||||
|
||||
The `gcp` method performs authentication against the [GCP Auth
|
||||
method](https://www.vaultproject.io/docs/auth/gcp.html). Both `gce` and `iam`
|
||||
method](/docs/auth/gcp). Both `gce` and `iam`
|
||||
authentication types are supported.
|
||||
|
||||
## Credentials
|
||||
|
|
|
@ -8,7 +8,7 @@ description: JWT Method for Vault Agent Auto-Auth
|
|||
# Vault Agent Auto-Auth JWT Method
|
||||
|
||||
The `jwt` method reads in a JWT from a file and sends it to the [JWT Auth
|
||||
method](https://www.vaultproject.io/docs/auth/jwt.html). Since JWTs often have
|
||||
method](/docs/auth/jwt). Since JWTs often have
|
||||
limited lifetime, it constantly watches for a new JWT to be written, and when
|
||||
found it will immediately ingress this value, delete the file, and use the new
|
||||
JWT to perform a reauthentication.
|
||||
|
|
|
@ -10,7 +10,7 @@ description: Kubernetes Method for Vault Agent Auto-Auth
|
|||
The `kubernetes` method reads in a Kubernetes service account token from the
|
||||
running pod (via `/var/run/secrets/kubernetes.io/serviceaccount/token`) and
|
||||
sends it to the [Kubernetes Auth
|
||||
method](https://www.vaultproject.io/docs/auth/kubernetes.html).
|
||||
method](/docs/auth/kubernetes).
|
||||
|
||||
## Configuration
|
||||
|
||||
|
|
|
@ -40,7 +40,7 @@ specific scenarios.
|
|||
## Using Auto-Auth Token
|
||||
|
||||
Vault Agent allows for easy authentication to Vault in a wide variety of
|
||||
environments using [Auto-Auth](/docs/agent/autoauth/index.html). By setting the
|
||||
environments using [Auto-Auth](/docs/agent/autoauth). By setting the
|
||||
`use_auto_auth_token` (see below) configuration, clients will not be required
|
||||
to provide a Vault token to the requests made to the agent. When this
|
||||
configuration is set, if the request doesn't already bear a token, then the
|
||||
|
|
|
@ -172,9 +172,9 @@ template {
|
|||
}
|
||||
```
|
||||
|
||||
[vault]: /docs/agent/index.html#vault-stanza
|
||||
[autoauth]: /docs/agent/autoauth/index.html
|
||||
[caching]: /docs/agent/caching/index.html
|
||||
[template]: /docs/agent/template/index.html
|
||||
[listener]: /docs/agent/index.html#listener-stanza
|
||||
[listener_main]: /docs/configuration/listener/tcp.html
|
||||
[vault]: /docs/agent#vault-stanza
|
||||
[autoauth]: /docs/agent/autoauth
|
||||
[caching]: /docs/agent/caching
|
||||
[template]: /docs/agent/template
|
||||
[listener]: /docs/agent#listener-stanza
|
||||
[listener_main]: /docs/configuration/listener/tcp
|
||||
|
|
|
@ -80,4 +80,4 @@ block.
|
|||
## API
|
||||
|
||||
Audit devices also have a full HTTP API. Please see the [Audit device API
|
||||
docs](/api/system/audit.html) for more details.
|
||||
docs](/api/system/audit) for more details.
|
||||
|
|
|
@ -109,5 +109,5 @@ can be found found in the
|
|||
## API
|
||||
|
||||
The AliCloud auth method has a full HTTP API. Please see the
|
||||
[AliCloud Auth API](/api/auth/alicloud/index.html) for more
|
||||
[AliCloud Auth API](/api/auth/alicloud) for more
|
||||
details.
|
||||
|
|
|
@ -8,7 +8,7 @@ description: The AppID auth method is a mechanism for machines to authenticate w
|
|||
# AppID Auth Method
|
||||
|
||||
~> **DEPRECATED!** As of Vault 0.6.1, AppID is deprecated in favor of
|
||||
[AppRole](/docs/auth/approle.html). AppRole can accommodate the same workflow as
|
||||
[AppRole](/docs/auth/approle). AppRole can accommodate the same workflow as
|
||||
AppID while enabling much more secure and flexible management and other types
|
||||
of authentication workflows. No new features or enhancements are planned for App
|
||||
ID, and new users should use AppRole instead of AppID.
|
||||
|
@ -121,5 +121,5 @@ management tool.
|
|||
## API
|
||||
|
||||
The AppID auth method has a full HTTP API. Please see the
|
||||
[AppID auth method API](/api/auth/app-id/index.html) for more
|
||||
[AppID auth method API](/api/auth/app-id) for more
|
||||
details.
|
||||
|
|
|
@ -207,8 +207,7 @@ full set of client credentials (RoleID and SecretID) in order to create the
|
|||
entry, even if these are then distributed via different paths. However, in Pull
|
||||
mode, even though the RoleID must be known in order to distribute it to the
|
||||
client, the SecretID can be kept confidential from all parties except for the
|
||||
final authenticating client by using [Response
|
||||
Wrapping](/docs/concepts/response-wrapping.html).
|
||||
final authenticating client by using [Response Wrapping](/docs/concepts/response-wrapping).
|
||||
|
||||
Push mode is available for App-ID workflow compatibility, which in some
|
||||
specific cases is preferable, but in most cases Pull mode is more secure and
|
||||
|
@ -234,5 +233,5 @@ guide for a step-by-step tutorial.
|
|||
## API
|
||||
|
||||
The AppRole auth method has a full HTTP API. Please see the
|
||||
[AppRole API](/api/auth/approle/index.html) for more
|
||||
[AppRole API](/api/auth/approle) for more
|
||||
details.
|
||||
|
|
|
@ -429,7 +429,7 @@ not specify the policy component, the client will inherit the allowed policies s
|
|||
on the role. If the role tag creation specifies the policy component but it contains
|
||||
no policies, the token will contain only the `default` policy; by default, this policy
|
||||
allows only manipulation (revocation, renewal, lookup) of the existing token, plus
|
||||
access to its [cubbyhole](/docs/secrets/cubbyhole/index.html).
|
||||
access to its [cubbyhole](/docs/secrets/cubbyhole).
|
||||
This can be useful to allow instances access to a secure "scratch space" for
|
||||
storing data (via the token's cubbyhole) but without granting any access to
|
||||
other resources provided by or resident in Vault.
|
||||
|
@ -728,5 +728,5 @@ The response will be in JSON. For example:
|
|||
## API
|
||||
|
||||
The AWS auth method has a full HTTP API. Please see the
|
||||
[AWS Auth API](/api/auth/aws/index.html) for more
|
||||
[AWS Auth API](/api/auth/aws) for more
|
||||
details.
|
||||
|
|
|
@ -21,7 +21,7 @@ Currently supports authentication for:
|
|||
## Prerequisites:
|
||||
|
||||
The following documentation assumes that the method has been
|
||||
[mounted](/docs/plugin/index.html) at `auth/azure`.
|
||||
[mounted](/docs/plugin) at `auth/azure`.
|
||||
|
||||
- A configured [Azure AD application](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications) which is used as the resource for generating MSI access tokens.
|
||||
- Client credentials (shared secret) for accessing the Azure Resource Manager with read access to compute endpoints. See [Azure AD Service to Service Client Credentials](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service)
|
||||
|
@ -37,7 +37,7 @@ The next sections review how the authN/Z workflows work. If you
|
|||
have already reviewed these sections, here are some quick links to:
|
||||
|
||||
- [Usage](#usage)
|
||||
- [API documentation](/api/auth/azure/index.html) docs.
|
||||
- [API documentation](/api/auth/azure) docs.
|
||||
|
||||
## Authentication
|
||||
|
||||
|
@ -134,7 +134,7 @@ tool.
|
|||
authentication type, as well as overall constraints and configuration for
|
||||
the generated auth tokens.
|
||||
|
||||
For the complete list of role options, please see the [API documentation](/api/auth/azure/index.html).
|
||||
For the complete list of role options, please see the [API documentation](/api/auth/azure).
|
||||
|
||||
### Via the API
|
||||
|
||||
|
@ -175,7 +175,7 @@ method as an external plugin. The azure plugin method is integrated into Vault a
|
|||
a builtin method by default.
|
||||
|
||||
Assuming you have saved the binary `vault-plugin-auth-azure` to some folder and
|
||||
configured the [plugin directory](/docs/internals/plugins.html#plugin-directory)
|
||||
configured the [plugin directory](/docs/internals/plugins#plugin-directory)
|
||||
for your server at `path/to/plugins`:
|
||||
|
||||
1. Enable the plugin in the catalog:
|
||||
|
@ -194,4 +194,4 @@ for your server at `path/to/plugins`:
|
|||
|
||||
## API
|
||||
|
||||
The Azure Auth Plugin has a full HTTP API. Please see the [API documentation](/api/auth/azure/index.html) for more details.
|
||||
The Azure Auth Plugin has a full HTTP API. Please see the [API documentation](/api/auth/azure) for more details.
|
||||
|
|
|
@ -127,4 +127,4 @@ management tool.
|
|||
## API
|
||||
|
||||
The TLS Certificate auth method has a full HTTP API. Please see the
|
||||
[TLS Certificate API](/api/auth/cert/index.html) for more details.
|
||||
[TLS Certificate API](/api/auth/cert) for more details.
|
||||
|
|
|
@ -296,5 +296,5 @@ match the certificates you're checking.
|
|||
|
||||
## API
|
||||
|
||||
The CF auth method has a full HTTP API. Please see the [CF Auth API](/api/auth/cf/index.html)
|
||||
The CF auth method has a full HTTP API. Please see the [CF Auth API](/api/auth/cf)
|
||||
for more details.
|
||||
|
|
|
@ -342,7 +342,7 @@ The GCP Auth Plugin has a full HTTP API. Please see the
|
|||
[signjwt-method]: https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts/signJwt
|
||||
[cloud-creds]: https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application
|
||||
[service-accounts]: https://cloud.google.com/compute/docs/access/service-accounts
|
||||
[api-docs]: /api/auth/gcp/index.html
|
||||
[identity-group-aliases]: /api/secret/identity/group-alias.html
|
||||
[api-docs]: /api/auth/gcp
|
||||
[identity-group-aliases]: /api/secret/identity/group-alias
|
||||
[instance-identity]: https://cloud.google.com/compute/docs/instances/verifying-instance-identity
|
||||
[repo]: https://github.com/hashicorp/vault-plugin-auth-gcp
|
||||
|
|
|
@ -109,5 +109,5 @@ management tool.
|
|||
## API
|
||||
|
||||
The GitHub auth method has a full HTTP API. Please see the
|
||||
[GitHub Auth API](/api/auth/github/index.html) for more
|
||||
[GitHub Auth API](/api/auth/github) for more
|
||||
details.
|
||||
|
|
|
@ -13,12 +13,12 @@ responsible for assigning identity and a set of policies to a user.
|
|||
Having multiple auth methods enables you to use an auth method that makes the
|
||||
most sense for your use case of Vault and your organization.
|
||||
|
||||
For example, on developer machines, the [GitHub auth method](/docs/auth/github.html)
|
||||
is easiest to use. But for servers the [AppRole](/docs/auth/approle.html)
|
||||
For example, on developer machines, the [GitHub auth method](/docs/auth/github)
|
||||
is easiest to use. But for servers the [AppRole](/docs/auth/approle)
|
||||
method is the recommended choice.
|
||||
|
||||
To learn more about authentication, see the
|
||||
[authentication concepts page](/docs/concepts/auth.html).
|
||||
[authentication concepts page](/docs/concepts/auth).
|
||||
|
||||
## Enabling/Disabling Auth Methods
|
||||
|
||||
|
@ -28,7 +28,7 @@ Auth methods can be enabled/disabled using the CLI or the API.
|
|||
$ vault auth enable userpass
|
||||
```
|
||||
|
||||
When enabled, auth methods are similar to [secrets engines](/docs/secrets/index.html):
|
||||
When enabled, auth methods are similar to [secrets engines](/docs/secrets):
|
||||
they are mounted within the Vault mount table and can be accessed
|
||||
and configured using the standard read/write API. All auth methods are mounted underneath the `auth/` prefix.
|
||||
|
||||
|
|
|
@ -114,7 +114,7 @@ JSON Pointer can be used as a selector. Refer to the
|
|||
## OIDC Authentication
|
||||
|
||||
This section covers the setup and use of OIDC roles. If a JWT is to be provided directly,
|
||||
refer to the [JWT Authentication](/docs/auth/jwt.html#jwt-authentication) section below. Basic
|
||||
refer to the [JWT Authentication](/docs/auth/jwt#jwt-authentication) section below. Basic
|
||||
familiarity with [OIDC concepts](https://developer.okta.com/blog/2017/07/25/oidc-primer-part-1)
|
||||
is assumed.
|
||||
|
||||
|
@ -143,7 +143,7 @@ Logging in via the Vault UI requires a redirect URI of the form:
|
|||
|
||||
The "host:port" must be correct for the Vault server, and "path" must match the path the JWT
|
||||
backend is mounted at (e.g. "oidc" or "jwt").
|
||||
If [namespaces](https://www.vaultproject.io/docs/enterprise/namespaces/index.html) are being used,
|
||||
If [namespaces](/docs/enterprise/namespaces) are being used,
|
||||
they must be added as query parameters, for example:
|
||||
|
||||
`https://vault.example.com:8200/ui/vault/auth/oidc/oidc/callback?namespace=my_ns`
|
||||
|
@ -180,7 +180,7 @@ The callback listener may be customized with the following optional parameters:
|
|||
The OIDC authentication flow has been successfully tested with a number of providers. A full
|
||||
guide to configuring OAuth/OIDC applications is beyond the scope of Vault documentation, but a
|
||||
collection of provider configuration steps has been collected to help get started:
|
||||
[OIDC Provider Setup](/docs/auth/jwt_oidc_providers.html)
|
||||
[OIDC Provider Setup](/docs/auth/jwt_oidc_providers)
|
||||
|
||||
### OIDC Configuration Troubleshooting
|
||||
|
||||
|
@ -204,7 +204,7 @@ why things aren't working. Some tips for setting up OIDC:
|
|||
|
||||
`cat jwt.json | jq -r .access_token | cut -d. -f2 | base64 -D`
|
||||
|
||||
- As of Vault 1.2, the [`verbose_oidc_logging`](/api/auth/jwt/index.html#verbose_oidc_logging) role
|
||||
- As of Vault 1.2, the [`verbose_oidc_logging`](/api/auth/jwt#verbose_oidc_logging) role
|
||||
option is available which will log the received OIDC token if debug-level logging is enabled. This can
|
||||
be helpful when debugging provider setup and verifying that the received claims are what you expect.
|
||||
Since claims data is logged verbatim and may contain sensitive information, this option should not be
|
||||
|
@ -270,7 +270,7 @@ management tool.
|
|||
|
||||
1. Use the `/config` endpoint to configure Vault. To support JWT roles, either local keys or an OIDC
|
||||
Discovery URL must be present. For OIDC roles, OIDC Discovery URL, OIDC Client ID and OIDC Client Secret are required. For the
|
||||
list of available configuration options, please see the [API documentation](/api/auth/jwt/index.html).
|
||||
list of available configuration options, please see the [API documentation](/api/auth/jwt).
|
||||
|
||||
```text
|
||||
$ vault write auth/jwt/config \
|
||||
|
@ -302,4 +302,4 @@ management tool.
|
|||
## API
|
||||
|
||||
The JWT Auth Plugin has a full HTTP API. Please see the
|
||||
[API docs](/api/auth/jwt/index.html) for more details.
|
||||
[API docs](/api/auth/jwt) for more details.
|
||||
|
|
|
@ -8,7 +8,7 @@ description: OIDC provider configuration quick starts
|
|||
|
||||
This page collects high-level setup steps on how to configure an OIDC
|
||||
application for various providers. For more general usage and operation
|
||||
information, see the [Vault JWT/OIDC method documentation](https://www.vaultproject.io/docs/auth/jwt.html).
|
||||
information, see the [Vault JWT/OIDC method documentation](/docs/auth/jwt).
|
||||
|
||||
OIDC providers are often highly configurable and you should become familiar with
|
||||
their recommended settings and best practices. The instructions below are
|
||||
|
@ -33,17 +33,17 @@ Reference: [Azure Active Directory v2.0 and the OpenID Connect protocol](https:/
|
|||
it will not be accessible after you leave the page.
|
||||
|
||||
Please note [Azure AD v2.0 endpoints](https://docs.microsoft.com/en-gb/azure/active-directory/develop/azure-ad-endpoint-comparison)
|
||||
are required for [external groups](https://www.vaultproject.io/docs/secrets/identity/index.html#external-vs-internal-groups) to work.
|
||||
are required for [external groups](/docs/secrets/identity#external-vs-internal-groups) to work.
|
||||
|
||||
- `groupMembershipClaims` should be changed from `none` in the
|
||||
[App registration manifest](https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest).
|
||||
Options are "All" or "Security"
|
||||
|
||||
- In the [OIDC Role config](https://www.vaultproject.io/api/auth/jwt/index.html#create-role)
|
||||
- In the [OIDC Role config](/api/auth/jwt#create-role)
|
||||
the scope `"https://graph.microsoft.com/.default"` should be added to add groups
|
||||
to the jwt token and `groups_claim` should be set to `groups`.
|
||||
|
||||
- Finally Azure AD group can be referenced by using the groups `objectId` as the [group alias name](https://www.vaultproject.io/api/secret/identity/group-alias.html) for the external group.
|
||||
- Finally Azure AD group can be referenced by using the groups `objectId` as the [group alias name](/api/secret/identity/group-alias) for the external group.
|
||||
|
||||
### CLI setup instructions:
|
||||
|
||||
|
|
|
@ -26,8 +26,8 @@ it into HashiCorp's maintenance.
|
|||
## Prerequisites
|
||||
|
||||
Kerberos is a very hands-on auth method. Other auth methods like
|
||||
[LDAP](https://www.vaultproject.io/docs/auth/ldap.html) and
|
||||
[Azure](https://www.vaultproject.io/docs/auth/azure.html) only require
|
||||
[LDAP](/docs/auth/ldap) and
|
||||
[Azure](/docs/auth/azure) only require
|
||||
a cursory amount of knowledge for configuration and use.
|
||||
Kerberos, on the other hand, is best used by people already familiar
|
||||
with it. We recommend that you use simpler authentication methods if
|
||||
|
@ -113,14 +113,14 @@ $ vault write auth/kerberos/config/ldap \
|
|||
```
|
||||
|
||||
The LDAP above relies upon the same code as the LDAP auth method.
|
||||
See [its documentation](https://www.vaultproject.io/docs/auth/ldap.html)
|
||||
See [its documentation](/docs/auth/ldap)
|
||||
for further discussion of available parameters.
|
||||
|
||||
- Configure the Vault policies that should be granted to those
|
||||
who successfully authenticate based on their LDAP group membership.
|
||||
Since this is identical to the LDAP auth method, see
|
||||
[Group Membership Resolution](https://www.vaultproject.io/docs/auth/ldap.html#group-membership-resolution)
|
||||
and [LDAP Group -> Policy Mapping](https://www.vaultproject.io/docs/auth/ldap.html#ldap-group-gt-policy-mapping)
|
||||
[Group Membership Resolution](/docs/auth/ldap#group-membership-resolution)
|
||||
and [LDAP Group -> Policy Mapping](/docs/auth/ldap#ldap-group-gt-policy-mapping)
|
||||
for further discussion.
|
||||
|
||||
```text
|
||||
|
@ -194,7 +194,7 @@ in the `keytab` file.
|
|||
After you've stripped the issue down to its simplest form, if you still
|
||||
encounter difficulty resolving it, it will be much easier to gain assistance
|
||||
by posting your reproduction to the [Vault Forum](https://discuss.hashicorp.com/c/vault)
|
||||
or by providing it to [HashiCorp Support](https://www.hashicorp.com/support.html)
|
||||
or by providing it to [HashiCorp Support](https://www.hashicorp.com/support)
|
||||
(if applicable.)
|
||||
|
||||
### Additional Troubleshooting Resources
|
||||
|
@ -219,5 +219,5 @@ client.
|
|||
## API
|
||||
|
||||
The Kerberos auth method has a full HTTP API. Please see the
|
||||
[Kerberos auth method API](/api/auth/kerberos/index.html) for more
|
||||
[Kerberos auth method API](/api/auth/kerberos) for more
|
||||
details.
|
||||
|
|
|
@ -81,7 +81,7 @@ management tool.
|
|||
|
||||
!> **NOTE:** The pattern Vault uses to authenticate Pods depends on sharing
|
||||
the JWT token over the network. Given the [security model of
|
||||
Vault](/docs/internals/security.html), this is allowable because Vault is
|
||||
Vault](/docs/internals/security), this is allowable because Vault is
|
||||
part of the trusted compute base. In general, Kubernetes applications should
|
||||
**not** share this JWT with other applications, as it allows API calls to be
|
||||
made on behalf of the Pod and can result in unintended access being granted
|
||||
|
@ -136,6 +136,6 @@ subjects:
|
|||
## API
|
||||
|
||||
The Kubernetes Auth Plugin has a full HTTP API. Please see the
|
||||
[API docs](/api/auth/kubernetes/index.html) for more details.
|
||||
[API docs](/api/auth/kubernetes) for more details.
|
||||
|
||||
[k8s-tokenreview]: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#tokenreview-v1-authentication-k8s-io
|
||||
|
|
|
@ -254,5 +254,5 @@ It should be noted that user -> policy mapping happens at token creation time. A
|
|||
## API
|
||||
|
||||
The LDAP auth method has a full HTTP API. Please see the
|
||||
[LDAP auth method API](/api/auth/ldap/index.html) for more
|
||||
[LDAP auth method API](/api/auth/ldap) for more
|
||||
details.
|
||||
|
|
|
@ -13,7 +13,7 @@ description: |-
|
|||
edition of Vault. This system is not supported by HashiCorp. Vault Enterprise
|
||||
contains a fully-supported MFA system that is significantly more complete and
|
||||
flexible and which can be used throughout Vault's API. See the [Vault
|
||||
Enterprise MFA](/docs/enterprise/mfa/index.html) page for more information.
|
||||
Enterprise MFA](/docs/enterprise/mfa) page for more information.
|
||||
|
||||
Several auth methods support multi-factor authentication (MFA). Once
|
||||
enabled for a method, users are required to provide additional verification,
|
||||
|
|
|
@ -102,7 +102,7 @@ Create the Vault admin role:
|
|||
|
||||
You will see a response that includes a token with the previously added policy.
|
||||
|
||||
1. Use the received token to read secrets, writer secrets, and add roles per the instructions in [https://www.vaultproject.io/docs/secrets/kv/kv-v1.html](https://www.Vaultproject.io/docs/secrets/kv/kv-v1.html).
|
||||
1. Use the received token to read secrets, writer secrets, and add roles per the instructions in [/docs/secrets/kv/kv-v1](/docs/secrets/kv/kv-v1).
|
||||
1. Log into Vault using the user API key.
|
||||
|
||||
- [Add an API Key](https://docs.cloud.oracle.com/iaas/Content/API/Concepts/apisigningkey.htm) for a user in the console. This user should be part of a group that has previously been added to the Vault admin role.
|
||||
|
@ -112,7 +112,7 @@ You will see a response that includes a token with the previously added policy.
|
|||
|
||||
`vault login -method=oci auth_type=apikey role=vaultadminrole`
|
||||
|
||||
1. Stop Vault and re-start it in the production environment. See [https://www.vaultproject.io/docs/configuration](https://www.Vaultproject.io/docs/configuration/) for more information.
|
||||
1. Stop Vault and re-start it in the production environment. See [the configuration docs](/docs/configuration/) for more information.
|
||||
1. Repeat all steps in this [Configure the OCI Auth Method](#OnboardingtoOCIAuthMethod-ConfiguretheOCIAuthMethod) section while in the production environment.
|
||||
|
||||
### Manage Roles in the OCI Auth method
|
||||
|
@ -200,4 +200,4 @@ POST http://127.0.0.1/v1/auth/oci/login/devrole
|
|||
|
||||
## API
|
||||
|
||||
The OCI Auth method has a full HTTP API. Please see the [API docs](/api/auth/oci/index.html) for more details.
|
||||
The OCI Auth method has a full HTTP API. Please see the [API docs](/api/auth/oci) for more details.
|
||||
|
|
|
@ -113,4 +113,4 @@ management tool.
|
|||
## API
|
||||
|
||||
The Okta auth method has a full HTTP API. Please see the
|
||||
[Okta Auth API](/api/auth/okta/index.html) for more details.
|
||||
[Okta Auth API](/api/auth/okta) for more details.
|
||||
|
|
|
@ -79,5 +79,5 @@ The response will contain a token at `auth.client_token`:
|
|||
## API
|
||||
|
||||
The RADIUS auth method has a full HTTP API. Please see the
|
||||
[RADIUS Auth API](/api/auth/radius/index.html) for more
|
||||
[RADIUS Auth API](/api/auth/radius) for more
|
||||
details.
|
||||
|
|
|
@ -18,7 +18,7 @@ The token store can also be used to bypass any other auth method:
|
|||
you can create tokens directly, as well as perform a variety of other
|
||||
operations on tokens such as renewal and revocation.
|
||||
|
||||
Please see the [token concepts](/docs/concepts/tokens.html) page dedicated
|
||||
Please see the [token concepts](/docs/concepts/tokens) page dedicated
|
||||
to tokens.
|
||||
|
||||
## Authentication
|
||||
|
@ -37,5 +37,5 @@ either `X-Vault-Token: <token>` or `Authorization: Bearer <token>`.
|
|||
## API
|
||||
|
||||
The Token auth method has a full HTTP API. Please see the
|
||||
[Token auth method API](/api/auth/token/index.html) for more
|
||||
[Token auth method API](/api/auth/token) for more
|
||||
details.
|
||||
|
|
|
@ -85,4 +85,4 @@ management tool.
|
|||
## API
|
||||
|
||||
The Userpass auth method has a full HTTP API. Please see the [Userpass auth
|
||||
method API](/api/auth/userpass/index.html) for more details.
|
||||
method API](/api/auth/userpass) for more details.
|
||||
|
|
|
@ -7,4 +7,4 @@ description: The "agent" command is used to start Vault Agent
|
|||
|
||||
# agent
|
||||
|
||||
Please see the [Vault Agent documentation page](/docs/agent/index.html).
|
||||
Please see the [Vault Agent documentation page](/docs/agent).
|
||||
|
|
|
@ -30,5 +30,5 @@ Success! Disabled audit device (if it was enabled) at: file/
|
|||
|
||||
## Usage
|
||||
|
||||
There are no flags beyond the [standard set of flags](/docs/commands/index.html)
|
||||
There are no flags beyond the [standard set of flags](/docs/commands)
|
||||
included on all commands.
|
||||
|
|
|
@ -27,7 +27,7 @@ Success! Enabled the file audit device at: file/
|
|||
## Usage
|
||||
|
||||
The following flags are available in addition to the [standard set of
|
||||
flags](/docs/commands/index.html) included on all commands.
|
||||
flags](/docs/commands) included on all commands.
|
||||
|
||||
- `-description` `(string: "")` - Human-friendly description for the purpose of
|
||||
this audit device.
|
||||
|
|
|
@ -13,7 +13,7 @@ The `audit` command groups subcommands for interacting with Vault's audit
|
|||
devices. Users can list, enable, and disable audit devices.
|
||||
|
||||
For more information, please see the [audit device
|
||||
documentation](/docs/audit/index.html)
|
||||
documentation](/docs/audit)
|
||||
|
||||
## Examples
|
||||
|
||||
|
|
|
@ -35,7 +35,7 @@ file/ file n/a replicated file_path=/var/log/audit.log
|
|||
## Usage
|
||||
|
||||
The following flags are available in addition to the [standard set of
|
||||
flags](/docs/commands/index.html) included on all commands.
|
||||
flags](/docs/commands) included on all commands.
|
||||
|
||||
### Output Options
|
||||
|
||||
|
|
|
@ -29,5 +29,5 @@ Success! Disabled the auth method (if it existed) at: userpass/
|
|||
|
||||
## Usage
|
||||
|
||||
There are no flags beyond the [standard set of flags](/docs/commands/index.html)
|
||||
There are no flags beyond the [standard set of flags](/docs/commands)
|
||||
included on all commands.
|
||||
|
|
|
@ -18,7 +18,7 @@ auth method.
|
|||
An auth method is responsible for authenticating users or machines and assigning
|
||||
them policies and a token with which they can access Vault. Authentication is
|
||||
usually mapped to policy. Please see the [policies
|
||||
concepts](/docs/concepts/policies.html) page for more information.
|
||||
concepts](/docs/concepts/policies) page for more information.
|
||||
|
||||
## Examples
|
||||
|
||||
|
@ -37,12 +37,12 @@ Success! Data written to: auth/userpass/users/sethvargo
|
|||
```
|
||||
|
||||
For more information on the specific configuration options and paths, please see
|
||||
the [auth method](/docs/auth/index.html) documentation.
|
||||
the [auth method](/docs/auth) documentation.
|
||||
|
||||
## Usage
|
||||
|
||||
The following flags are available in addition to the [standard set of
|
||||
flags](/docs/commands/index.html) included on all commands.
|
||||
flags](/docs/commands) included on all commands.
|
||||
|
||||
- `-description` `(string: "")` - Human-friendly description for the purpose of
|
||||
this auth method.
|
||||
|
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue