add tip for how to force a secrets engine disable (#14363)
* add tip for how to force a secrets engine disable
* add warning to force disable secrets instructions
* clean up wording
* add force secrets engine disable info to api doc
* Update website/content/api-docs/system/mounts.mdx
  Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update website/content/api-docs/system/mounts.mdx
  Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update website/content/api-docs/system/mounts.mdx
  Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update website/content/api-docs/system/mounts.mdx
  Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update website/content/api-docs/system/mounts.mdx
  Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update website/content/docs/commands/secrets/disable.mdx
  Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update website/content/docs/commands/secrets/disable.mdx
  Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* feedback updates
* impl taoism feedback

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
This commit is contained in:
parent
c3dea33e92
commit
ec4d013047
@ -212,6 +212,23 @@ $ curl \
http://127.0.0.1:8200/v1/sys/mounts/my-mount
```
### Force Disable
Because disabling a secrets engine revokes secrets associated with this mount,
possible errors can prevent the secrets engine from being disabled if the
revocation fails.
The best way to resolve this is to figure out the underlying issue and then
disable the secrets engine once the underlying issue is resolved. Often, this can be as
simple as increasing the timeout (in the event of timeout errors).
For recovery situations where the secret was manually removed from the
secrets backing service, one can force a secrets engine disable in Vault by
performing a [force revoke](https://www.vaultproject.io/api/system/leases#revoke-force)
on the mount prefix, followed by a secrets disable when that completes.
If the underlying secrets were not manually cleaned up, this method might result
in dangling credentials. This is meant for extreme circumstances.
## Get the configuration of a Secret Engine
This endpoint returns the configuration of a specific secret engine.
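Review bot: the paragraph beginning "For recovery situations where the secret was manually removed" tells the reader to run a force revoke on the mount prefix "followed by a secrets disable when that completes", but unlike the rest of this API page it shows no request. The section above it shows the curl call against `http://127.0.0.1:8200/v1/sys/mounts/my-mount`; show the two requests in that same form (the force-revoke request for the mount's prefix, then the disable request on the mount shown above) so readers do not have to assemble them from the linked leases page, and say how the reader knows the revocation "completes" before issuing the disable. Two smaller points: the link is a hard-coded `https://www.vaultproject.io/...` URL while the CLI doc in this same change uses a site-relative path, so use a relative link here for consistency; and the closing sentence "This is meant for extreme circumstances." carries the warning the commit message promises, so it belongs as a distinct warning ahead of the instructions, stating plainly that credentials left behind in the backing service are no longer tracked by Vault after the force revoke and must be cleaned up by hand. Wording: "possible errors can prevent the secrets engine from being disabled if the revocation fails" says the same thing as "a failed revocation prevents the secrets engine from being disabled"; "underlying issue" appears twice in one sentence; and "increasing the timeout" should name which timeout is meant.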
@ -30,3 +30,20 @@ $ vault secrets disable aws/
There are no flags beyond the [standard set of flags](/docs/commands)
included on all commands.
## Force Disable
Because `secrets disable` revokes secrets associated with this mount, possible
errors can prevent the secrets engine from being disabled if the revocation
fails.
The best way to resolve this is to figure out the underlying issue and then
disable the secrets engine once the underlying issue is resolved. Often, this
can be as simple as increasing the timeout (in the event of timeout errors).
For recovery situations where the secret was manually removed from the
secrets backing service, one can force a secrets engine disable in Vault by
performing a [prefix force revoke](/docs/commands/lease/revoke) on the mount
prefix, followed by a `secrets disable` when that completes.
If the underlying secrets were not manually cleaned up, this method might result
in dangling credentials. This is meant for extreme circumstances.
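Review bot: a "## Force Disable" section placed directly after "There are no flags beyond the standard set of flags included on all commands" invites readers to look for a force flag on `secrets disable`; the first sentence of the section should say that this is a two-step procedure using a different command, not an option of `secrets disable`. The command page already shows `$ vault secrets disable aws/`, so show the procedure in the same form: the `vault lease revoke` invocation with the prefix and force options that the linked page describes, run against the mount prefix, then `$ vault secrets disable aws/` once it has completed. As in the API-doc hunk, "This is meant for extreme circumstances." and "might result in dangling credentials" are the warning the commit message promises; move them ahead of the instructions as an explicit warning and state that such credentials are no longer tracked by Vault and must be removed from the backing service manually. "possible errors can prevent the secrets engine from being disabled if the revocation fails" can be shortened to "a failed revocation prevents the secrets engine from being disabled", and "increasing the timeout" should say which timeout.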