docs: Migrate link formats (#18696)

* Adding check-legacy-links-format workflow

* Adding test-link-rewrites workflow

* Updating docs-content-check-legacy-links-format hash

* Migrating links to new format

Co-authored-by: Kendall Strautman <kendallstrautman@gmail.com>
Ashlee M Boyer 2023-01-25 18:12:15 -06:00 committed by GitHub
parent dde8d19014
commit f3df55ad58
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
437 changed files with 1896 additions and 1863 deletions

View File

@ -0,0 +1,17 @@
name: Legacy Link Format Checker
on:
push:
paths:
- "website/content/**/*.mdx"
- "website/data/*-nav-data.json"
jobs:
check-links:
uses: hashicorp/dev-portal/.github/workflows/docs-content-check-legacy-links-format.yml@475289345d312552b745224b46895f51cc5fc490
with:
repo-owner: "hashicorp"
repo-name: "vault"
commit-sha: ${{ github.sha }}
mdx-directory: "website/content"
nav-data-directory: "website/data"
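
Review bot: the `check-links` job has no `permissions:` key, so the reusable workflow it calls runs with the repository's default `GITHUB_TOKEN` scope. A link checker only needs to read the checkout; add `permissions:` with `contents: read` on the job so the grant is explicit and does not widen if the repository default changes. Separately, `on: push` by itself does not run in this repository for pull requests opened from forks, so add a `pull_request` trigger with the same `paths` filter if those contributions should be checked before merge.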

View File

@ -0,0 +1,16 @@
name: Test Link Rewrites
on: [deployment_status]
jobs:
test-link-rewrites:
if: github.event.deployment_status.state == 'success'
uses: hashicorp/dev-portal/.github/workflows/docs-content-link-rewrites-e2e.yml@2aceb60125f6c15f4c8dbe2e4d79148047bfa437
with:
repo-owner: "hashicorp"
repo-name: "vault"
commit-sha: ${{ github.sha }}
main-branch-preview-url: "https://vault-git-main-hashicorp.vercel.app/"
# Workflow is only intended to run for one single migration PR
# This variable does not need to be updated
pr-branch-preview-url: "https://vault-git-docs-ambmigrate-link-formats-hashicorp.vercel.app/"
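
Review bot: the `if:` condition only tests `github.event.deployment_status.state == 'success'`, so this job runs after every successful deployment in the repository, while the comment above `pr-branch-preview-url` says the workflow is meant for one migration PR. Either narrow the condition so it matches only deployments of the migration branch, or track removal of this file once the PR merges; otherwise the hardcoded preview URL keeps being tested against unrelated deployments. The job would also benefit from an explicit read-only `permissions:` key, since it calls an external reusable workflow.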

View File

@ -8,7 +8,7 @@ description: This is the API documentation for the Vault AliCloud auth method.
This is the API documentation for the Vault AliCloud auth method. For
general information about the usage and operation of the AliCloud method, please
see the [Vault AliCloud auth method documentation](/docs/auth/alicloud).
see the [Vault AliCloud auth method documentation](/vault/docs/auth/alicloud).
This documentation assumes the AliCloud auth method is mounted at the `/auth/alicloud`
path in Vault. Since it is possible to enable auth methods at any location,

View File

@ -11,7 +11,7 @@ Please use AppRole instead.
This is the API documentation for the Vault App ID auth method. For
general information about the usage and operation of the App ID method, please
see the [Vault App ID method documentation](/docs/auth/app-id).
see the [Vault App ID method documentation](/vault/docs/auth/app-id).
This documentation assumes the App ID method is mounted at the `/auth/app-id`
path in Vault. Since it is possible to enable auth methods at any location,

View File

@ -8,7 +8,7 @@ description: This is the API documentation for the Vault AppRole auth method.
This is the API documentation for the Vault AppRole auth method. For
general information about the usage and operation of the AppRole method, please
see the [Vault AppRole method documentation](/docs/auth/approle).
see the [Vault AppRole method documentation](/vault/docs/auth/approle).
This documentation assumes the AppRole method is mounted at the `/auth/approle`
path in Vault. Since it is possible to enable auth methods at any location,

View File

@ -12,7 +12,7 @@ description: This is the API documentation for the Vault AWS auth method.
This is the API documentation for the Vault AWS auth method. For
general information about the usage and operation of the AWS method, please
see the [Vault AWS method documentation](/docs/auth/aws).
see the [Vault AWS method documentation](/vault/docs/auth/aws).
This documentation assumes the AWS method is mounted at the `/auth/aws`
path in Vault. Since it is possible to enable auth methods at any location,
@ -188,7 +188,7 @@ The new access key Vault uses is returned by this operation.
## Configure Identity Integration
This configures the way that Vault interacts with the
[Identity](/docs/secrets/identity) store. The default (as of Vault
[Identity](/vault/docs/secrets/identity) store. The default (as of Vault
1.0.3) is `role_id` for both values.
| Method | Path |

View File

@ -10,7 +10,7 @@ description: |-
This is the API documentation for the Vault Azure auth method
plugin. To learn more about the usage and operation, see the
[Vault Azure method documentation](/docs/auth/azure).
[Vault Azure method documentation](/vault/docs/auth/azure).
This documentation assumes the plugin method is mounted at the
`/auth/azure` path in Vault. Since it is possible to enable auth methods
@ -31,7 +31,7 @@ virtual machine.
- `tenant_id` `(string: <required>)` - The tenant id for the Azure Active Directory organization.
This value can also be provided with the `AZURE_TENANT_ID` environment variable.
- `resource` `(string: <required>)` - The resource URL for the application registered in Azure Active Directory.
The value is expected to match the audience (`aud` claim) of the [JWT](/api-docs/auth/azure#jwt)
The value is expected to match the audience (`aud` claim) of the [JWT](/vault/api-docs/auth/azure#jwt)
provided to the login API. See the [resource](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http)
parameter for how the audience is set when requesting a JWT access token from the Azure Instance Metadata Service (IMDS) endpoint.
This value can also be provided with the `AZURE_AD_RESOURCE` environment variable.

View File

@ -12,7 +12,7 @@ description: |-
This is the API documentation for the Vault TLS Certificate authentication
method. For general information about the usage and operation of the TLS
Certificate method, please see the [Vault TLS Certificate method documentation](/docs/auth/cert).
Certificate method, please see the [Vault TLS Certificate method documentation](/vault/docs/auth/cert).
This documentation assumes the TLS Certificate method is mounted at the
`/auth/cert` path in Vault. Since it is possible to enable auth methods at any

View File

@ -10,7 +10,7 @@ description: This is the API documentation for the Vault Cloud Foundry auth meth
This is the API documentation for the Vault CF auth method. For
general information about the usage and operation of the CF method, please
see the [Vault CF method documentation](/docs/auth/cf).
see the [Vault CF method documentation](/vault/docs/auth/cf).
This documentation assumes the CF method is mounted at the `/auth/cf`
path in Vault. Since it is possible to enable auth methods at any location,
@ -21,7 +21,7 @@ please update your API calls accordingly.
Configure the root CA certificate to be used for verifying instance identity
certificates, and configure access to the CF API. For detailed instructions
on how to obtain these values, please see the [Vault CF method
documentation](/docs/auth/cf).
documentation](/vault/docs/auth/cf).
| Method | Path |
| :----- | ----------------- |

View File

@ -10,7 +10,7 @@ description: |-
This is the API documentation for the Vault Google Cloud auth method. To learn
more about the usage and operation, see the
[Vault Google Cloud method documentation](/docs/auth/gcp).
[Vault Google Cloud method documentation](/vault/docs/auth/gcp).
This documentation assumes the plugin method is mounted at the
`/auth/gcp` path in Vault. Since it is possible to enable auth methods
@ -31,7 +31,7 @@ to confirm signed JWTs passed in during login.
- `credentials` `(string: "")` - A JSON string containing the contents of a GCP
service account credentials file. The service account associated with the credentials
file must have the following [permissions](/docs/auth/gcp#required-gcp-permissions).
file must have the following [permissions](/vault/docs/auth/gcp#required-gcp-permissions).
If this value is empty, Vault will try to use [Application Default Credentials][gcp-adc]
from the machine on which the Vault server is running.

View File

@ -8,7 +8,7 @@ description: This is the API documentation for the Vault GitHub auth method.
This is the API documentation for the Vault GitHub auth method. For
general information about the usage and operation of the GitHub method, please
see the [Vault GitHub method documentation](/docs/auth/github).
see the [Vault GitHub method documentation](/vault/docs/auth/github).
This documentation assumes the GitHub method is enabled at the `/auth/github`
path in Vault. Since it is possible to enable auth methods at any location,

View File

@ -12,7 +12,7 @@ description: |-
This is the API documentation for the Vault JWT/OIDC auth method
plugin. To learn more about the usage and operation, see the
[Vault JWT/OIDC method documentation](/docs/auth/jwt).
[Vault JWT/OIDC method documentation](/vault/docs/auth/jwt).
This documentation assumes the plugin method is mounted at the
`/auth/jwt` path in Vault. Since it is possible to enable auth methods
@ -43,7 +43,7 @@ set.
- `bound_issuer` `(string: <optional>)` - The value against which to match the `iss` claim in a JWT.
- `jwt_supported_algs` `(comma-separated string, or array of strings: <optional>)` - A list of supported signing algorithms. Defaults to [RS256] for OIDC roles. Defaults to all [available algorithms](https://github.com/hashicorp/cap/blob/main/jwt/algs.go) for JWT roles.
- `default_role` `(string: <optional>)` - The default role to use if none is provided during login.
- `provider_config` `(map: <optional>)` - Configuration options for provider-specific handling. Providers with specific handling include: Azure, Google, SecureAuth. The options are described in each provider's section in [OIDC Provider Setup](/docs/auth/jwt/oidc-providers).
- `provider_config` `(map: <optional>)` - Configuration options for provider-specific handling. Providers with specific handling include: Azure, Google, SecureAuth. The options are described in each provider's section in [OIDC Provider Setup](/vault/docs/auth/jwt/oidc-providers).
- `namespace_in_state` `(bool: true)` - Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs.
### Sample Payload
@ -117,7 +117,7 @@ entities attempting to login. At least one of the bound values must be set.
the user; this will be used as the name for the Identity entity alias created
due to a successful login. The claim value must be a string.
- `user_claim_json_pointer` `(bool: false)` - Specifies if the `user_claim` value uses
[JSON pointer](/docs/auth/jwt#claim-specifications-and-json-pointer) syntax for
[JSON pointer](/vault/docs/auth/jwt#claim-specifications-and-json-pointer) syntax for
referencing claims. By default, the `user_claim` value will not use JSON pointer.
- `clock_skew_leeway` `(int or string: <optional>)` - The amount of leeway to add to all claims to
account for clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled
@ -135,7 +135,7 @@ entities attempting to login. At least one of the bound values must be set.
claim matches this value.
- `bound_claims` `(map: <optional>)` - If set, a map of claims (keys) to match against respective claim values (values).
The expected value may be a single string or a list of strings. The interpretation of the bound
claim values is configured with `bound_claims_type`. Keys support [JSON pointer](/docs/auth/jwt#claim-specifications-and-json-pointer)
claim values is configured with `bound_claims_type`. Keys support [JSON pointer](/vault/docs/auth/jwt#claim-specifications-and-json-pointer)
syntax for referencing claims.
- `bound_claims_type` `(string: "string")` - Configures the interpretation of the bound_claims values.
If `"string"` (the default), the values will treated as string literals and must match exactly.
@ -144,10 +144,10 @@ entities attempting to login. At least one of the bound values must be set.
- `groups_claim` `(string: <optional>)` - The claim to use to uniquely identify
the set of groups to which the user belongs; this will be used as the names
for the Identity group aliases created due to a successful login. The claim
value must be a list of strings. Supports [JSON pointer](/docs/auth/jwt#claim-specifications-and-json-pointer)
value must be a list of strings. Supports [JSON pointer](/vault/docs/auth/jwt#claim-specifications-and-json-pointer)
syntax for referencing claims.
- `claim_mappings` `(map: <optional>)` - If set, a map of claims (keys) to be copied to
specified metadata fields (values). Keys support [JSON pointer](/docs/auth/jwt#claim-specifications-and-json-pointer)
specified metadata fields (values). Keys support [JSON pointer](/vault/docs/auth/jwt#claim-specifications-and-json-pointer)
syntax for referencing claims.
- `oidc_scopes` `(list: <optional>)` - If set, a list of OIDC scopes to be used with an OIDC role.
The standard scope "openid" is automatically included and need not be specified.
@ -306,10 +306,10 @@ Obtain an authorization URL from Vault to start an OIDC login flow.
- `redirect_uri` `(string: <required>)` - Path to the callback to complete the login. This will be
of the form, "https&#x3A;//.../oidc/callback" where the leading portion is dependent on your Vault
server location, port, and the mount of the JWT plugin. This must be configured with Vault and the
provider. See [Redirect URIs](/docs/auth/jwt#redirect-uris) for more information.
provider. See [Redirect URIs](/vault/docs/auth/jwt#redirect-uris) for more information.
- `client_nonce` `(string: <optional>)` - Optional client-provided nonce that
must match the `client_nonce` value provided during a subsequent request to the
[callback](/api-docs/auth/jwt#oidc-callback) API.
[callback](/vault/api-docs/auth/jwt#oidc-callback) API.
### Sample Payload
@ -360,7 +360,7 @@ against any bound claims, and if valid a Vault token will be returned.
an ID token.
- `client_nonce` `(string: <optional>)` - Optional client-provided nonce that must
match the `client_nonce` value provided during the prior request to the
[auth_url](/api-docs/auth/jwt#oidc-authorization-url-request) API.
[auth_url](/vault/api-docs/auth/jwt#oidc-authorization-url-request) API.
### Sample Request

View File

@ -10,7 +10,7 @@ description: This is the API documentation for the Vault Kerberos auth method pl
This is the API documentation for the Vault Kerberos auth method plugin. To
learn more about the usage and operation, see the
[Vault Kerberos auth method](/docs/auth/kerberos).
[Vault Kerberos auth method](/vault/docs/auth/kerberos).
This documentation assumes the Kerberos auth method is mounted at the
`auth/kerberos` path in Vault. Since it is possible to enable auth methods at

View File

@ -10,7 +10,7 @@ description: This is the API documentation for the Vault Kubernetes auth method
This is the API documentation for the Vault Kubernetes auth method plugin. To
learn more about the usage and operation, see the
[Vault Kubernetes auth method](/docs/auth/kubernetes).
[Vault Kubernetes auth method](/vault/docs/auth/kubernetes).
This documentation assumes the Kubernetes method is mounted at the
`/auth/kubernetes` path in Vault. Since it is possible to enable auth methods at
@ -50,7 +50,7 @@ access the Kubernetes API.
- `disable_iss_validation` `(bool: true)` **Deprecated** Disable JWT issuer validation. Allows to skip ISS validation.
- `issuer` `(string: "")` **Deprecated** Optional JWT issuer. If no issuer is specified, then this plugin will use `kubernetes/serviceaccount` as the default issuer.
See [these instructions](/docs/auth/kubernetes#discovering-the-service-account-issuer) for looking up the issuer for a given Kubernetes cluster.
See [these instructions](/vault/docs/auth/kubernetes#discovering-the-service-account-issuer) for looking up the issuer for a given Kubernetes cluster.
### Caveats
@ -138,7 +138,7 @@ entities attempting to login.
While it is strongly advised that you use `serviceaccount_uid`, you may also use `serviceaccount_name` in cases where
you want to set the alias ahead of time, and the risks are mitigated or otherwise acceptable given your use case.
It is very important to limit who is able to delete/create service accounts within a given cluster.
See the [Create an Entity Alias](/api-docs/secret/identity/entity-alias#create-an-entity-alias) document
See the [Create an Entity Alias](/vault/api-docs/secret/identity/entity-alias#create-an-entity-alias) document
which further expands on the potential security implications mentioned above.
@include 'tokenfields.mdx'

View File

@ -10,7 +10,7 @@ description: This is the API documentation for the Vault LDAP auth method.
This is the API documentation for the Vault LDAP auth method. For
general information about the usage and operation of the LDAP method, please
see the [Vault LDAP method documentation](/docs/auth/ldap).
see the [Vault LDAP method documentation](/vault/docs/auth/ldap).
This documentation assumes the LDAP method is mounted at the `/auth/ldap`
path in Vault. Since it is possible to enable auth methods at any location,

View File

@ -8,7 +8,7 @@ description: This is the API documentation for the Vault OCI auth method plugin.
This is the API documentation for the Vault OCI auth method plugin. To
learn more about the usage and operation, see the
[Vault OCI auth method](/docs/auth/oci).
[Vault OCI auth method](/vault/docs/auth/oci).
This documentation assumes the OCI method is mounted at the
`/auth/oci` path in Vault. Since it is possible to enable auth methods at

View File

@ -8,7 +8,7 @@ description: This is the API documentation for the Vault Okta auth method.
This is the API documentation for the Vault Okta auth method. For
general information about the usage and operation of the Okta method, please
see the [Vault Okta method documentation](/docs/auth/okta).
see the [Vault Okta method documentation](/vault/docs/auth/okta).
This documentation assumes the Okta method is mounted at the `/auth/okta`
path in Vault. Since it is possible to enable auth methods at any location,

View File

@ -8,7 +8,7 @@ description: This is the API documentation for the Vault RADIUS auth method.
This is the API documentation for the Vault RADIUS auth method. For
general information about the usage and operation of the RADIUS method, please
see the [Vault RADIUS method documentation](/docs/auth/radius).
see the [Vault RADIUS method documentation](/vault/docs/auth/radius).
This documentation assumes the RADIUS method is mounted at the `/auth/radius`
path in Vault. Since it is possible to enable auth methods at any location,

View File

@ -8,7 +8,7 @@ description: This is the API documentation for the Vault token auth method.
This is the API documentation for the Vault token auth method. For
general information about the usage and operation of the token method, please
see the [Vault Token method documentation](/docs/auth/token).
see the [Vault Token method documentation](/vault/docs/auth/token).
## List Accessors
@ -88,7 +88,7 @@ during this call.
- `lease` `(string: "")` - DEPRECATED; use `ttl` instead
- `ttl` `(string: "")` - The TTL period of the token, provided as "1h", where
hour is the largest suffix. If not provided, the token is valid for the
[default lease TTL](/docs/configuration), or indefinitely if the
[default lease TTL](/vault/docs/configuration), or indefinitely if the
root policy is used.
- `type` `(string: "")` - The token type. Can be "batch" or "service". Defaults
to the type specified by the role configuration named by `role_name`.
@ -800,7 +800,7 @@ be cached. Listing the `/auth/token/accessors` endpoint is a good way to get
some sense of the potential impact: tidy does this and more, so if this call creates problems
for your cluster, it would be wise to give Vault more resources before attempting
tidy. Note that the request may time out depending on
[max duration](https://www.vaultproject.io/docs/configuration#default_max_request_duration)
[max duration](/vault/docs/configuration#default_max_request_duration)
and your client's timeout configuration, make sure to allow it run to completion
to properly judge the impact.
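
Review bot: on the `[max duration]` line the old target was an absolute `https://www.vaultproject.io/docs/...` URL rather than a legacy relative path, so confirm that the Legacy Link Format Checker added in this commit also flags absolute `vaultproject.io` docs URLs. If it only matches relative `/docs/` and `/api-docs/` paths, links of this form can be reintroduced without failing the check.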

View File

@ -10,7 +10,7 @@ description: |-
This is the API documentation for the Vault Username & Password auth method. For
general information about the usage and operation of the Username and Password method, please
see the [Vault Userpass method documentation](/docs/auth/userpass).
see the [Vault Userpass method documentation](/vault/docs/auth/userpass).
This documentation assumes the Username & Password method is mounted at the `/auth/userpass`
path in Vault. Since it is possible to enable auth methods at any location,

View File

@ -36,7 +36,7 @@ either the `X-Vault-Token` HTTP Header or as `Authorization` HTTP Header using
the `Bearer <token>` scheme.
Otherwise, a client token can be retrieved using an [authentication
engine](/docs/auth).
engine](/vault/docs/auth).
Each auth method has one or more unauthenticated login endpoints. These
endpoints can be reached without any authentication, and are used for
@ -54,7 +54,7 @@ in periods. Otherwise, Vault will return a 404 unsupported path error.
## Namespaces
When using [Namespaces](/docs/enterprise/namespaces) the final path of the API
When using [Namespaces](/vault/docs/enterprise/namespaces) the final path of the API
request is relative to the `X-Vault-Namespace` header. For instance, if a
request URI is `secret/foo` with the `X-Vault-Namespace` header set as `ns1/ns2/`,
then the resulting request path to Vault will be `ns1/ns2/secret/foo`.
@ -89,8 +89,8 @@ Typically the request data, body and response data to and from Vault is in JSON.
Vault sets the `Content-Type` header appropriately with its response and does
not require it from the clients request.
The demonstration below uses the [`KVv1` secrets engine](/api/secret/kv/kv-v1), which is a
simple Key/Value store. Please read [the API documentation of KV secret engines](/api/secret/kv)
The demonstration below uses the [`KVv1` secrets engine](/vault/api-docs/secret/kv/kv-v1), which is a
simple Key/Value store. Please read [the API documentation of KV secret engines](/vault/api-docs/secret/kv)
for details of `KVv1` compared to `KVv2` and how they differ in their URI paths
as well as the features available in version 2 of the KV secrets engine.
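
Review bot: the two replaced KV links started with `/api/`, not `/api-docs/` like the other API links in this patch, so these lines rename the section in addition to adding the `/vault` prefix. Confirm on the preview build that `/vault/api-docs/secret/kv/kv-v1` and `/vault/api-docs/secret/kv` both resolve, because the old `/api/` paths give no evidence that the pages exist under the new name. The same applies to the `/api/system/internal-specs-openapi` link rewritten further down in this file.
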
@ -163,7 +163,7 @@ discover whether an operation is actually a create or update operation based on
the data already stored within Vault. This makes permission management via ACLs
more flexible.
A [KVv2 example](api/secret/kv/kv-v2#sample-request-3) for the engine path of `secret` requires that URI is
A [KVv2 example](/vault/api-docs/secret/kv/kv-v2#sample-request-3) for the engine path of `secret` requires that URI is
appended with ***`data/`*** prior to the secret name (`baz`) such as:
```shell-session
@ -204,7 +204,7 @@ methods, etc. then append `?help=1` to any URL. If you have valid permission to
access the path, then the help text will be returned as a markdown-formatted block
in the `help` attribute of the response.
Additionally, with the [OpenAPI generation](/api/system/internal-specs-openapi) in Vault, you will get back a small
Additionally, with the [OpenAPI generation](/vault/api-docs/system/internal-specs-openapi) in Vault, you will get back a small
OpenAPI document in the `openapi` attribute. This document is relevant for the
path you're looking up and any paths under it - also note paths in the OpenAPI
document are relative to the initial path queried.
@ -297,7 +297,7 @@ warnings are generated during the operation.
- `412` - Precondition failed. Returned on Enterprise when a request can't be
processed yet due to some missing eventually consistent data. Should be retried,
perhaps with a little backoff.
See [Vault Eventual Consistency](/docs/enterprise/consistency).
See [Vault Eventual Consistency](/vault/docs/enterprise/consistency).
- `429` - Default return code for health status of standby nodes. This will
likely change in the future.
- `473` - Default return code for health status of performance standby nodes.
@ -314,4 +314,4 @@ A maximum request size of 32MB is imposed to prevent a denial of service attack
with arbitrarily large requests; this can be tuned per `listener` block in
Vault's server configuration file.
[agent]: /docs/agent#listener-stanza
[agent]: /vault/docs/agent#listener-stanza

View File

@ -11,7 +11,7 @@ description: >-
The programming libraries listed on this page can be used to consume the API more conveniently.
Some are officially maintained while others are provided by the community.
For a step-by-step walkthrough on using these client libraries, see the [developer quickstart](https://www.vaultproject.io/docs/get-started/developer-qs).
For a step-by-step walkthrough on using these client libraries, see the [developer quickstart](/vault/docs/get-started/developer-qs).
For copy-pastable code examples, see the [vault-examples](https://github.com/hashicorp/vault-examples) repo.
## Official

View File

@ -10,7 +10,7 @@ description: This is the API documentation for the Vault Active Directory secret
This is the API documentation for the Vault AD secrets engine. For general
information about the usage and operation of the AD secrets engine, please see
the [Vault Active Directory documentation](/docs/secrets/ad).
the [Vault Active Directory documentation](/vault/docs/secrets/ad).
This documentation assumes the AD secrets engine is enabled at the `/ad` path
in Vault. Since it is possible to enable secrets engines at any location, please
@ -26,7 +26,7 @@ The `config` endpoint configures the LDAP connection and binding parameters, as
be rotated the next time it's requested.
- `max_ttl` `(int: "")` - The maximum password time-to-live in seconds. No role will be allowed to set a
custom ttl greater than the `max_ttl`.
- `password_policy` `(string: "")` - Name of the [password policy](/docs/concepts/password-policies) to use to
- `password_policy` `(string: "")` - Name of the [password policy](/vault/docs/concepts/password-policies) to use to
generate passwords from. Mutually exclusive with `length` and `formatter`.
**Deprecated parameters**:
@ -257,10 +257,10 @@ The `library` endpoint configures the sets of service accounts that Vault will o
service accounts must already exist in Active Directory.
- `ttl` (duration: "24h", optional): The maximum amount of time a single check-out lasts before Vault
automatically checks it back in. Defaults to 24 hours. Setting it to zero reflects an unlimited lending period.
Uses [duration format strings](/docs/concepts/duration-format).
Uses [duration format strings](/vault/docs/concepts/duration-format).
- `max_ttl` (duration: "24h", optional): The maximum amount of time a check-out last with renewal before Vault
automatically checks it back in. Defaults to 24 hours. Setting it to zero reflects an unlimited lending period.
Uses [duration format strings](/docs/concepts/duration-format).
Uses [duration format strings](/vault/docs/concepts/duration-format).
- `disable_check_in_enforcement` (bool: false, optional): Disable enforcing that service accounts must be
checked in by the entity or client token that checked them out. Defaults to false.
@ -325,7 +325,7 @@ Returns a `200` if a credential is available, and a `400` if no credential is av
- `ttl` (duration: "", optional): The maximum amount of time a check-out lasts before Vault
automatically checks it back in. Setting it to zero reflects an unlimited lending period.
Defaults to the set's `ttl`. If the requested `ttl` is higher than the set's, the set's will be used.
Uses [duration format strings](/docs/concepts/duration-format).
Uses [duration format strings](/vault/docs/concepts/duration-format).
| Method | Path |
| :----- | :-------------------------------- |

View File

@ -8,7 +8,7 @@ description: This is the API documentation for the Vault AliCloud secrets engine
This is the API documentation for the Vault AliCloud secrets engine. For general
information about the usage and operation of the AliCloud secrets engine, please see
the [Vault AliCloud documentation](/docs/secrets/alicloud).
the [Vault AliCloud documentation](/vault/docs/secrets/alicloud).
This documentation assumes the AliCloud secrets engine is enabled at the `/alicloud` path
in Vault. Since it is possible to enable secrets engines at any location, please
@ -28,7 +28,7 @@ To use instance metadata, leave the static credential configuration unset.
At present, this endpoint does not confirm that the provided AliCloud credentials are
valid AliCloud credentials with proper permissions.
Please see the [Vault AliCloud documentation](/docs/secrets/alicloud) for
Please see the [Vault AliCloud documentation](/vault/docs/secrets/alicloud) for
the policies that should be attached to the access key you provide.
| Method | Path |
@ -77,7 +77,7 @@ The `role` endpoint configures how Vault will generate credentials for users of
- `name` (string, required) Specifies the name of the role to generate credentials against. This is part of the request URL.
- `remote_policies` (string, optional) - The names and types of a pre-existing policies to be applied to the generate access token. Example: "name:AliyunOSSReadOnlyAccess,type:System".
- `inline_policies` (string, optional) - The policy document JSON to be generated and attached to the access token.
- `role_arn` (string, optional) - The ARN of a role that will be assumed to obtain STS credentials. See [Vault AliCloud documentation](/docs/secrets/alicloud) regarding trusted actors.
- `role_arn` (string, optional) - The ARN of a role that will be assumed to obtain STS credentials. See [Vault AliCloud documentation](/vault/docs/secrets/alicloud) regarding trusted actors.
- `ttl` (int, optional) - The duration in seconds after which the issued token should expire. Defaults to 0, in which case the value will fallback to the system/mount defaults.
- `max_ttl` (int, optional) - The maximum allowed lifetime of tokens issued using this role.

View File

@ -8,7 +8,7 @@ description: This is the API documentation for the Vault AWS secrets engine.
This is the API documentation for the Vault AWS secrets engine. For general
information about the usage and operation of the AWS secrets engine, please see
the [Vault AWS documentation](/docs/secrets/aws).
the [Vault AWS documentation](/vault/docs/secrets/aws).
This documentation assumes the AWS secrets engine is enabled at the `/aws` path
in Vault. Since it is possible to enable secrets engines at any location, please
@ -58,7 +58,7 @@ valid AWS credentials with proper permissions.
- `sts_endpoint` `(string: <optional>)`  Specifies a custom HTTP STS endpoint to use.
- `username_template` `(string: <optional>)` - [Template](/docs/concepts/username-templating) describing how
- `username_template` `(string: <optional>)` - [Template](/vault/docs/concepts/username-templating) describing how
dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters)
and STS usernames (capped at 32 characters). Longer usernames result in a 500 error.

View File

@ -29,12 +29,12 @@ service principals. Environment variables will override any parameters set in th
- `tenant_id` (`string: <required>`) - The tenant id for the Azure Active Directory.
This value can also be provided with the AZURE_TENANT_ID environment variable.
- `client_id` (`string:""`) - The OAuth2 client id to connect to Azure. This value can also be provided
with the AZURE_CLIENT_ID environment variable. See [authentication](/docs/secrets/azure#authentication) for more details.
with the AZURE_CLIENT_ID environment variable. See [authentication](/vault/docs/secrets/azure#authentication) for more details.
- `client_secret` (`string:""`) - The OAuth2 client secret to connect to Azure. This value can also be
provided with the AZURE_CLIENT_SECRET environment variable. See [authentication](/docs/secrets/azure#authentication) for more details.
provided with the AZURE_CLIENT_SECRET environment variable. See [authentication](/vault/docs/secrets/azure#authentication) for more details.
- `environment` (`string:""`) - The Azure environment. This value can also be provided with the AZURE_ENVIRONMENT
environment variable. If not specified, Vault will use Azure Public Cloud.
- `password_policy` `(string: "")` - Specifies a [password policy](/docs/concepts/password-policies) to
- `password_policy` `(string: "")` - Specifies a [password policy](/vault/docs/concepts/password-policies) to
use when creating dynamic credentials. Defaults to generating an alphanumeric password if not set.
- `use_microsoft_graph_api` `(bool: true)` - Indicates whether the secrets engine should use the
[Microsoft Graph API](https://docs.microsoft.com/en-us/graph/use-the-api).
@ -69,7 +69,7 @@ service principals. Environment variables will override any parameters set in th
Aside from the permissions listed above, setting this to true should be transparent to users.
- `root_password_ttl` `(string: 182d)` - Specifies how long the root password is valid for in Azure when
rotate-root generates a new client secret. Uses [duration format strings](/docs/concepts/duration-format).
rotate-root generates a new client secret. Uses [duration format strings](/vault/docs/concepts/duration-format).
### Sample Payload
@ -360,8 +360,8 @@ $ vault read azure/creds/my-role
## Revoking/Renewing Secrets
See docs on how to [renew](/api-docs/system/leases#renew-lease) and [revoke](/api-docs/system/leases#revoke-lease) leases.
See docs on how to [renew](/vault/api-docs/system/leases#renew-lease) and [revoke](/vault/api-docs/system/leases#revoke-lease) leases.
[docs]: /docs/secrets/azure
[roles]: /docs/secrets/azure#roles
[groups]: /docs/secrets/azure#azure-groups
[docs]: /vault/docs/secrets/azure
[roles]: /vault/docs/secrets/azure#roles
[groups]: /vault/docs/secrets/azure#azure-groups

View File

@ -11,12 +11,12 @@ description: This is the API documentation for the Vault Cassandra secrets engin
~> **Deprecation Note:** This backend is deprecated in favor of the
combined databases backend added in v0.7.1. See the API documentation for
the new implementation of this backend at
[Cassandra database plugin HTTP API](/api-docs/secret/databases/cassandra).
[Cassandra database plugin HTTP API](/vault/api-docs/secret/databases/cassandra).
This is the API documentation for the Vault Cassandra secrets engine. For
general information about the usage and operation of the Cassandra backend,
please see the
[Vault Cassandra backend documentation](/docs/secrets/databases/cassandra).
[Vault Cassandra backend documentation](/vault/docs/secrets/databases/cassandra).
This documentation assumes the Cassandra backend is mounted at the `/cassandra`
path in Vault. Since it is possible to enable secrets engines at any location,
@ -56,7 +56,7 @@ Cassandra.
private key; a certificate, private key, and issuing CA certificate; or just a
CA certificate. For convenience format is the same as the output of the
`issue` command from the `pki` backend; see
[the pki documentation](/docs/secrets/pki).
[the pki documentation](/vault/docs/secrets/pki).
- `protocol_version` `(int: 2)`  Specifies the CQL protocol version to use.

View File

@ -12,7 +12,7 @@ description: This is the API documentation for the Vault Consul secrets engine.
This is the API documentation for the Vault Consul secrets engine. For general
information about the usage and operation of the Consul secrets engine, please
see the [Vault Consul documentation](/docs/secrets/consul).
see the [Vault Consul documentation](/vault/docs/secrets/consul).
This documentation assumes the Consul secrets engine is enabled at the `/consul`
path in Vault. Since it is possible to enable secrets engines at any location,
@ -162,11 +162,11 @@ To create a client token with service identities attached:
- `token_type` <sup>DEPRECATED (1.11)</sup> `(string: "client")` - Specifies the type of token to create
when using this role. Valid values are `"client"` or `"management"`. If a `"management"`
token, the `policy` parameter is not required. Defaults to `"client`". [Deprecated from Consul as of 1.4 and
removed as of Consul 1.11.](https://developer.hashicorp.com/consul/api-docs/acl/legacy)
removed as of Consul 1.11.](/consul/api-docs/acl/legacy)
- `policy` <sup>DEPRECATED (1.11)</sup> `(string: "")` Specifies the base64-encoded ACL policy.
This is required unless the `token_type` is `"management"`. [Deprecated from Consul as of 1.4 and
removed as of Consul 1.11.](https://developer.hashicorp.com/consul/api-docs/acl/legacy)
removed as of Consul 1.11.](/consul/api-docs/acl/legacy)
- `policies` <sup>DEPRECATED (1.11)</sup> `(list: <policy or policies>)` - Same as `consul_policies`.
Deprecated in favor of using `consul_policies`.
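Review bot: In the `token_type` and `policy` entries, the deprecation links go from the absolute `https://developer.hashicorp.com/consul/api-docs/acl/legacy` to the root-relative `/consul/api-docs/acl/legacy`, which resolves against whatever origin serves the Vault docs. That works only where the Consul docs share that origin; on a standalone preview or mirror of this repository the link will not resolve, so confirm the link check covers cross-product paths. While this entry is being touched, the unchanged `token_type` text writes its default with the closing backtick before the closing quote; it should read `"client"`.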
@ -179,10 +179,10 @@ To create a client token with service identities attached:
1.4 and greater.
- `ttl` `(duration: "")`  Specifies the TTL for this role. If not
provided, the default Vault TTL is used. Uses [duration format strings](/docs/concepts/duration-format).
provided, the default Vault TTL is used. Uses [duration format strings](/vault/docs/concepts/duration-format).
- `max_ttl` `(duration: "")`  Specifies the max TTL for this role. If not
provided, the default Vault Max TTL is used. Uses [duration format strings](/docs/concepts/duration-format).
provided, the default Vault Max TTL is used. Uses [duration format strings](/vault/docs/concepts/duration-format).
### Sample Payload
@ -197,12 +197,12 @@ To create a client token with policies defined in Consul:
### Parameters for Consul version below 1.4
- `lease` <sup>DEPRECATED (1.11)</sup> `(string: "")`  Specifies the lease for this role.
Uses [duration format strings](/docs/concepts/duration-format). If not
Uses [duration format strings](/vault/docs/concepts/duration-format). If not
provided, the default Vault lease is used.
- `policy` <sup>DEPRECATED (1.11)</sup> `(string: <policy>)` Specifies the base64-encoded ACL policy. The
ACL format can be found in the [Consul ACL
documentation](https://developer.hashicorp.com/consul/docs/security/acl/acl-legacy). This is
documentation](/consul/docs/security/acl/acl-legacy). This is
required unless the `token_type` is `"management"`.
### Sample Payload

View File

@ -9,7 +9,7 @@ description: This is the API documentation for the Vault Cubbyhole secrets engin
This is the API documentation for the Vault Cubbyhole secrets engine. For
general information about the usage and operation of the Cubbyhole secrets
engine, please see the
[Vault Cubbyhole documentation](/docs/secrets/cubbyhole).
[Vault Cubbyhole documentation](/vault/docs/secrets/cubbyhole).
This documentation assumes the Cubbyhole secrets engine is enabled at the
`/cubbyhole` path in Vault. Since it is possible to enable secrets engines at

View File

@ -17,7 +17,7 @@ configured roles for the Cassandra database.
## Configure Connection
In addition to the parameters defined by the [Database
Secrets Engine](/api-docs/secret/databases#configure-connection), this plugin
Secrets Engine](/vault/api-docs/secret/databases#configure-connection), this plugin
has a number of parameters to further configure a connection.
| Method | Path |
@ -55,7 +55,7 @@ has a number of parameters to further configure a connection.
private key; a certificate, private key, and issuing CA certificate; or just a
CA certificate. The value in this field must be an encoded JSON object. For convenience format is the
same as the output of the `issue` command from the `pki` secrets engine; see
[the pki documentation](/docs/secrets/pki). Only one of `pem_bundle` or `pem_json` can be specified.
[the pki documentation](/vault/docs/secrets/pki). Only one of `pem_bundle` or `pem_json` can be specified.
<details>
<summary><b><tt>pem_json</tt> example</b></summary>
@ -97,7 +97,7 @@ vault write database/config/cassandra-example <...other fields> pem_json=@/path/
definition](https://github.com/gocql/gocql/blob/master/frame.go#L188) for
valid options.
- `username_template` `(string)` - [Template](/docs/concepts/username-templating) describing how
- `username_template` `(string)` - [Template](/vault/docs/concepts/username-templating) describing how
dynamic usernames are generated.
<details>
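Review bot: The unchanged context at the top of this hunk links to `https://github.com/gocql/gocql/blob/master/frame.go#L188`, a line anchor on a moving branch, so it will point at different code as `frame.go` changes. Since this pass is already about link hygiene, consider pinning that link to a commit permalink.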
@ -173,7 +173,7 @@ $ curl \
Statements are configured during role creation and are used by the plugin to
determine what is sent to the database on user creation, renewing, and
revocation. For more information on configuring roles see the [Role
API](/api-docs/secret/databases#create-role) in the database secrets engine docs.
API](/vault/api-docs/secret/databases#create-role) in the database secrets engine docs.
### Parameters

View File

@ -17,7 +17,7 @@ configured roles for the Couchbase database.
## Configure Connection
In addition to the parameters defined by the [Database
Secrets Engine](/api-docs/secret/databases#configure-connection), this plugin
Secrets Engine](/vault/api-docs/secret/databases#configure-connection), this plugin
has a number of parameters to further configure a connection.
| Method | Path |
@ -47,7 +47,7 @@ has a number of parameters to further configure a connection.
- `bucket_name` `(string: "")` - Required for Couchbase versions prior to 6.5.0. This
is only used to verify vault's connection to the server.
- `username_template` `(string)` - [Template](/docs/concepts/username-templating) describing how
- `username_template` `(string)` - [Template](/vault/docs/concepts/username-templating) describing how
dynamic usernames are generated.
<details>
@ -102,7 +102,7 @@ $ curl \
Statements are configured during role creation and are used by the plugin to
determine what is sent to the database on user creation, renewing, and
revocation. For more information on configuring roles see the [Role
API](/api-docs/secret/databases#create-role) in the database secrets engine docs.
API](/vault/api-docs/secret/databases#create-role) in the database secrets engine docs.
### Parameters

View File

@ -17,7 +17,7 @@ configured roles for Elasticsearch.
## Configure Connection
In addition to the parameters defined by the [Database
Backend](/api-docs/secret/databases#configure-connection), this plugin
Backend](/vault/api-docs/secret/databases#configure-connection), this plugin
has a number of parameters to further configure a connection.
| Method | Path |
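Review bot: The link text on the changed line is `Database Backend`, while the Cassandra, Couchbase and Influxdb pages in this patch use `Database Secrets Engine` for the same target, `/vault/api-docs/secret/databases#configure-connection`. The line is already being rewritten, so it would be cheap to settle on one name for the link text here and in the other plugin pages that still say `Backend`.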
@ -35,7 +35,7 @@ has a number of parameters to further configure a connection.
- `client_key` `(string: "")` - The path to the key for the Elasticsearch client to use for communication.
- `tls_server_name` `(string: "")` - This, if set, is used to set the SNI host when connecting via TLS.
- `insecure` `(bool: false)` - Not recommended. Default to `false`. Can be set to `true` to disable certificate verification.
- `username_template` `(string)` - [Template](/docs/concepts/username-templating) describing how dynamic usernames are generated.
- `username_template` `(string)` - [Template](/vault/docs/concepts/username-templating) describing how dynamic usernames are generated.
- `use_old_xpack` `(bool: false)` - Can be set to `true` to use the `/_xpack/security` base API path when managing Elasticsearch. May be required for Elasticsearch server versions prior to 6.
### Sample Payload
@ -68,7 +68,7 @@ $ curl \
Statements are configured during role creation and are used by the plugin to
determine what is sent to the database on user creation, renewing, and
revocation. For more information on configuring roles see the [Role
API](/api-docs/secret/databases#create-role) in the database secrets engine docs.
API](/vault/api-docs/secret/databases#create-role) in the database secrets engine docs.
### Parameters

View File

@ -15,7 +15,7 @@ configured roles for the HANA database.
## Configure Connection
In addition to the parameters defined by the [database
secrets engine](/api-docs/secret/databases#configure-connection), this plugin
secrets engine](/vault/api-docs/secret/databases#configure-connection), this plugin
has a number of parameters to further configure a connection.
| Method | Path | Produces |
@ -44,10 +44,10 @@ has a number of parameters to further configure a connection.
- `password` `(string: "")` - The root credential password used in the connection URL.
- `username_template` `(string)` - [Template](/docs/concepts/username-templating) describing how dynamic usernames are generated.
- `username_template` `(string)` - [Template](/vault/docs/concepts/username-templating) describing how dynamic usernames are generated.
- `disable_escaping` `(boolean: false)` - Turns off the escaping of special characters inside of the username
and password fields. See the [databases secrets engine docs](/docs/secrets/databases#disable-character-escaping)
and password fields. See the [databases secrets engine docs](/vault/docs/secrets/databases#disable-character-escaping)
for more information. Defaults to `false`.
### Sample Payload
@ -79,7 +79,7 @@ $ curl \
Statements are configured during role creation and are used by the plugin to
determine what is sent to the database on user creation, renewing, and
revocation. For more information on configuring roles see the [Role
API](/api-docs/secret/databases#create-role) in the database secrets engine docs.
API](/vault/api-docs/secret/databases#create-role) in the database secrets engine docs.
### Parameters

View File

@ -9,7 +9,7 @@ description: Top page for database secrets engine information
This is the API documentation for the Vault Database secrets engine. For
general information about the usage and operation of the database secrets engine,
please see the
[Vault database secrets engine documentation](/docs/secrets/databases).
[Vault database secrets engine documentation](/vault/docs/secrets/databases).
This documentation assumes the database secrets engine is enabled at the
`/database` path in Vault. Since it is possible to enable secrets engines at any
@ -51,7 +51,7 @@ list of additional parameters.
information on support and formatting for this parameter.
- `password_policy` `(string: "")` - The name of the
[password policy](/docs/concepts/password-policies) to use when generating passwords
[password policy](/vault/docs/concepts/password-policies) to use when generating passwords
for this database. If not specified, this will use a default policy defined as:
20 characters with at least 1 uppercase, 1 lowercase, 1 number, and 1 dash character.
@ -90,7 +90,7 @@ are supported and any additional details about them.
- `disable_escaping` `(boolean: false)` - Determines whether special characters in the
username and password fields will be escaped. Useful for alternate connection string
formats like ADO. More information regarding this parameter can be found on the
[databases secrets engine docs.](/docs/secrets/databases#disable-character-escaping)
[databases secrets engine docs.](/vault/docs/secrets/databases#disable-character-escaping)
Defaults to `false`.
### Sample Payload
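Review bot: The migrated `disable_escaping` link keeps the sentence's full stop inside the link text, `[databases secrets engine docs.](/vault/docs/secrets/databases#disable-character-escaping)`, whereas the plugin pages in this patch write `[databases secrets engine docs](...)` with the punctuation outside. Move the period after the closing parenthesis so the rendered link text is consistent across pages.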
@ -301,7 +301,7 @@ This endpoint creates or updates a role definition.
- `max_ttl` `(string/int: 0)` - Specifies the maximum TTL for the leases
associated with this role. Accepts time suffixed strings (`1h`) or an integer
number of seconds. Defaults to `sys/mounts`'s default TTL time; this value is allowed to be less than the mount max TTL (or, if not set, the system max TTL), but it is not allowed to be longer. See also [The TTL General Case](/docs/concepts/tokens#the-general-case).
number of seconds. Defaults to `sys/mounts`'s default TTL time; this value is allowed to be less than the mount max TTL (or, if not set, the system max TTL), but it is not allowed to be longer. See also [The TTL General Case](/vault/docs/concepts/tokens#the-general-case).
- `creation_statements` `(list: <required>)` Specifies the database
statements executed to create and configure a user. See the plugin's API page

View File

@ -17,7 +17,7 @@ configured roles for the Influxdb database.
## Configure Connection
In addition to the parameters defined by the [Database
Secrets Engine](/api-docs/secret/databases#configure-connection), this plugin
Secrets Engine](/vault/api-docs/secret/databases#configure-connection), this plugin
has a number of parameters to further configure a connection.
| Method | Path |
@ -52,11 +52,11 @@ has a number of parameters to further configure a connection.
private key; a certificate, private key, and issuing CA certificate; or just a
CA certificate. For convenience format is the same as the output of the
`issue` command from the `pki` secrets engine; see
[the pki documentation](/docs/secrets/pki).
[the pki documentation](/vault/docs/secrets/pki).
- `connect_timeout` `(string: "5s")` Specifies the connection timeout to use.
- `username_template` `(string)` - [Template](/docs/concepts/username-templating) describing how
- `username_template` `(string)` - [Template](/vault/docs/concepts/username-templating) describing how
dynamic usernames are generated.
TLS works as follows:
@ -107,7 +107,7 @@ $ curl \
Statements are configured during role creation and are used by the plugin to
determine what is sent to the database on user creation, renewing, and
revocation. For more information on configuring roles see the [Role
API](/api-docs/secret/databases#create-role) in the database secrets engine docs.
API](/vault/api-docs/secret/databases#create-role) in the database secrets engine docs.
### Parameters

View File

@ -17,7 +17,7 @@ configured roles for the MongoDB database.
## Configure Connection
In addition to the parameters defined by the [Database
Backend](/api-docs/secret/databases#configure-connection), this plugin
Backend](/vault/api-docs/secret/databases#configure-connection), this plugin
has a number of parameters to further configure a connection.
| Method | Path |
@ -47,7 +47,7 @@ has a number of parameters to further configure a connection.
- `tls_ca` `(string: "")` - x509 CA file for validating the certificate presented by the
MongoDB server. Must be PEM encoded.
- `username_template` `(string)` - [Template](/docs/concepts/username-templating) describing how
- `username_template` `(string)` - [Template](/vault/docs/concepts/username-templating) describing how
dynamic usernames are generated.
<details>
@ -103,7 +103,7 @@ $ curl \
Statements are configured during role creation and are used by the plugin to
determine what is sent to the database on user creation, renewing, and
revocation. For more information on configuring roles see the [Role
API](/api-docs/secret/databases#create-role) in the database secrets engine docs.
API](/vault/api-docs/secret/databases#create-role) in the database secrets engine docs.
### Parameters

View File

@ -14,7 +14,7 @@ configured roles.
## Configure Connection
In addition to the parameters defined by the [Database
Backend](/api-docs/secret/databases#configure-connection), this plugin
Backend](/vault/api-docs/secret/databases#configure-connection), this plugin
has a number of parameters to further configure a connection.
| Method | Path |
@ -26,7 +26,7 @@ has a number of parameters to further configure a connection.
- `public_key` `(string: <required>)` The Public Programmatic API Key used to authenticate with the MongoDB Atlas API.
- `private_key` `(string: <required>)` - The Private Programmatic API Key used to connect with MongoDB Atlas API.
- `project_id` `(string: <required>)` - The [Project ID](https://docs.atlas.mongodb.com/api/#project-id) the Database User should be created within.
- `username_template` `(string)` - [Template](/docs/concepts/username-templating) describing how
- `username_template` `(string)` - [Template](/vault/docs/concepts/username-templating) describing how
dynamic usernames are generated.
@ -56,7 +56,7 @@ $ curl \
Statements are configured during Vault role creation and are used by the plugin to
determine what is sent to MongoDB Atlas upon user creation, renewal, and
revocation. For more information on configuring roles see the [Role API](/api-docs/secret/databases#create-role)
revocation. For more information on configuring roles see the [Role API](/vault/api-docs/secret/databases#create-role)
in the Database Secrets Engine docs.
### Parameters
@ -82,7 +82,7 @@ list the plugin does not support that statement type.
- `max_ttl` `(string/int): 0` - Specifies the maximum TTL for the leases associated with this role. Accepts time
suffixed strings (`1h`) or an integer number of seconds. Defaults to `sys/mounts` default TTL time; this value
is allowed to be less than the mount max TTL (or, if not set, the system max TTL),
but it is not allowed to be longer. See also [The TTL General Case](/docs/concepts/tokens#the-general-case).
but it is not allowed to be longer. See also [The TTL General Case](/vault/docs/concepts/tokens#the-general-case).
### Sample Creation Statement

View File

@ -15,7 +15,7 @@ configured roles for the MSSQL database.
## Configure Connection
In addition to the parameters defined by the [Database
Backend](/api-docs/secret/databases#configure-connection), this plugin
Backend](/vault/api-docs/secret/databases#configure-connection), this plugin
has a number of parameters to further configure a connection.
| Method | Path |
@ -44,7 +44,7 @@ has a number of parameters to further configure a connection.
- `password` `(string: "")` - The root credential password used in the connection URL.
- `username_template` `(string)` - [Template](/docs/concepts/username-templating) describing how
- `username_template` `(string)` - [Template](/vault/docs/concepts/username-templating) describing how
dynamic usernames are generated.
- `contained_db` `(bool: false)` - If set, specifies that the connection being configured is to a
@ -52,7 +52,7 @@ has a number of parameters to further configure a connection.
like AzureSQL.
- `disable_escaping` `(boolean: false)` - Turns off the escaping of special characters inside of the username
and password fields. See the [databases secrets engine docs](/docs/secrets/databases#disable-character-escaping)
and password fields. See the [databases secrets engine docs](/vault/docs/secrets/databases#disable-character-escaping)
for more information. Defaults to `false`.
<details>
@ -109,7 +109,7 @@ $ curl \
Statements are configured during role creation and are used by the plugin to
determine what is sent to the database on user creation, renewing, and
revocation. For more information on configuring roles see the [Role
API](/api-docs/secret/databases#create-role) in the database secrets engine docs.
API](/vault/api-docs/secret/databases#create-role) in the database secrets engine docs.
### Parameters

View File

@ -17,7 +17,7 @@ configured roles for the MySQL database.
## Configure Connection
In addition to the parameters defined by the [Database
Backend](/api-docs/secret/databases#configure-connection), this plugin
Backend](/vault/api-docs/secret/databases#configure-connection), this plugin
has a number of parameters to further configure a connection.
| Method | Path |
@ -58,11 +58,11 @@ has a number of parameters to further configure a connection.
- `tls_skip_verify` `(boolean: false)` - When set to true, disables the server certificate verification.
Setting this to true is not recommended for production.
- `username_template` `(string)` - [Template](/docs/concepts/username-templating) describing how
- `username_template` `(string)` - [Template](/vault/docs/concepts/username-templating) describing how
dynamic usernames are generated.
- `disable_escaping` `(boolean: false)` - Turns off the escaping of special characters inside of the username
and password fields. See the [databases secrets engine docs](/docs/secrets/databases#disable-character-escaping)
and password fields. See the [databases secrets engine docs](/vault/docs/secrets/databases#disable-character-escaping)
for more information. Defaults to `false`.
**Default Username Templates:**
@ -150,7 +150,7 @@ $ curl \
Statements are configured during role creation and are used by the plugin to
determine what is sent to the database on user creation, renewing, and
revocation. For more information on configuring roles see the [Role
API](/api-docs/secret/databases#create-role) in the database secrets engine docs.
API](/vault/api-docs/secret/databases#create-role) in the database secrets engine docs.
### Parameters

View File

@ -15,7 +15,7 @@ configured roles for the Oracle database.
## Configure Connection
In addition to the parameters defined by the [Database
Backend](/api-docs/secret/databases#configure-connection), this plugin
Backend](/vault/api-docs/secret/databases#configure-connection), this plugin
has a number of parameters to further configure a connection.
| Method | Path |
@ -41,11 +41,11 @@ has a number of parameters to further configure a connection.
- `password` `(string: "")` - The root credential password used in the connection URL.
- `username_template` `(string)` - [Template](/docs/concepts/username-templating) describing how
- `username_template` `(string)` - [Template](/vault/docs/concepts/username-templating) describing how
dynamic usernames are generated.
- `disable_escaping` `(boolean: false)` - Turns off the escaping of special characters inside of the username
and password fields. See the [databases secrets engine docs](/docs/secrets/databases#disable-character-escaping)
and password fields. See the [databases secrets engine docs](/vault/docs/secrets/databases#disable-character-escaping)
for more information. Defaults to `false`.
<details>
@ -102,7 +102,7 @@ $ curl \
Statements are configured during role creation and are used by the plugin to
determine what is sent to the database on user creation, renewing, and
revocation. For more information on configuring roles see the [Role
API](/api-docs/secret/databases#create-role) in the database secrets engine docs.
API](/vault/api-docs/secret/databases#create-role) in the database secrets engine docs.
### Parameters

View File

@ -15,7 +15,7 @@ configured roles for the PostgreSQL database.
## Configure Connection
In addition to the parameters defined by the [Database
Backend](/api-docs/secret/databases#configure-connection), this plugin
Backend](/vault/api-docs/secret/databases#configure-connection), this plugin
has a number of parameters to further configure a connection.
| Method | Path |
@ -48,11 +48,11 @@ has a number of parameters to further configure a connection.
- `password` `(string: "")` - The root credential password used in the connection URL.
- `username_template` `(string)` - [Template](/docs/concepts/username-templating) describing how
- `username_template` `(string)` - [Template](/vault/docs/concepts/username-templating) describing how
dynamic usernames are generated.
- `disable_escaping` `(boolean: false)` - Turns off the escaping of special characters inside of the username
and password fields. See the [databases secrets engine docs](/docs/secrets/databases#disable-character-escaping)
and password fields. See the [databases secrets engine docs](/vault/docs/secrets/databases#disable-character-escaping)
for more information. Defaults to `false`.
<details>
@ -147,7 +147,7 @@ for more information. Below are two small examples.
Statements are configured during role creation and are used by the plugin to
determine what is sent to the database on user creation, renewing, and
revocation. For more information on configuring roles see the [Role
API](/api-docs/secret/databases#create-role) in the database secrets engine docs.
API](/vault/api-docs/secret/databases#create-role) in the database secrets engine docs.
### Parameters

View File

@ -15,7 +15,7 @@ configured roles for the Redis database.
## Configure Connection
In addition to the parameters defined by the [Database
Secrets Engine](/api-docs/secret/databases#configure-connection), this plugin
Secrets Engine](/vault/api-docs/secret/databases#configure-connection), this plugin
has a number of parameters to further configure a connection.
| Method | Path |
@ -64,7 +64,7 @@ $ curl \
Statements are configured during role creation and are used by the plugin to
determine what is sent to the database on user creation, renewing, and
revocation. For more information on configuring roles see the [Role
API](/api-docs/secret/databases#create-role) in the database secrets engine docs.
API](/vault/api-docs/secret/databases#create-role) in the database secrets engine docs.
### Parameters

View File

@ -14,7 +14,7 @@ configured roles for the Redis ElastiCache database.
## Configure Connection
In addition to the parameters defined by the [Database
Secrets Engine](/api-docs/secret/databases#configure-connection), this plugin
Secrets Engine](/vault/api-docs/secret/databases#configure-connection), this plugin
has a number of parameters to further configure a connection.
| Method | Path |

View File

@ -15,7 +15,7 @@ configured roles for the Redshift database.
## Configure Connection
In addition to the parameters defined by the [Database
Backend](/api-docs/secret/databases#configure-connection), this plugin
Backend](/vault/api-docs/secret/databases#configure-connection), this plugin
has a number of parameters to further configure a connection.
| Method | Path |
@ -44,10 +44,10 @@ has a number of parameters to further configure a connection.
- `password` `(string: "")` - The root credential password used in the connection URL.
- `username_template` `(string)` - [Template](/docs/concepts/username-templating) describing how dynamic usernames are generated.
- `username_template` `(string)` - [Template](/vault/docs/concepts/username-templating) describing how dynamic usernames are generated.
- `disable_escaping` `(boolean: false)` - Turns off the escaping of special characters inside of the username
and password fields. See the [databases secrets engine docs](/docs/secrets/databases#disable-character-escaping)
and password fields. See the [databases secrets engine docs](/vault/docs/secrets/databases#disable-character-escaping)
for more information. Defaults to `false`.
### Sample Payload
@ -79,7 +79,7 @@ $ curl \
Statements are configured during role creation and are used by the plugin to
determine what is sent to the database on user creation, renewing, and
revocation. For more information on configuring roles see the [Role
API](/api-docs/secret/databases#create-role) in the database secrets engine docs.
API](/vault/api-docs/secret/databases#create-role) in the database secrets engine docs.
### Parameters

View File

@ -15,7 +15,7 @@ configured roles for the Snowflake database.
## Configure Connection
In addition to the parameters defined by the [Database
Backend](/api-docs/secret/databases#configure-connection), this plugin
Backend](/vault/api-docs/secret/databases#configure-connection), this plugin
has a number of parameters to further configure a connection.
| Method | Path |
@ -44,10 +44,10 @@ has a number of parameters to further configure a connection.
- `password` `(string: "")` - The root credential password used in the connection URL.
- `username_template` `(string)` - [Template](/docs/concepts/username-templating) describing how dynamic usernames are generated.
- `username_template` `(string)` - [Template](/vault/docs/concepts/username-templating) describing how dynamic usernames are generated.
- `disable_escaping` `(boolean: false)` - Turns off the escaping of special characters inside of the username
and password fields. See the [databases secrets engine docs](/docs/secrets/databases#disable-character-escaping)
and password fields. See the [databases secrets engine docs](/vault/docs/secrets/databases#disable-character-escaping)
for more information. Defaults to `false`.
### Sample Payload
@ -79,7 +79,7 @@ $ curl \
Statements are configured during role creation and are used by the plugin to
determine what is sent to the database on user creation, renewing, and
revocation. For more information on configuring roles see the [Role
API](/api-docs/secret/databases#create-role) in the database secrets engine docs.
API](/vault/api-docs/secret/databases#create-role) in the database secrets engine docs.
### Parameters
@ -93,7 +93,7 @@ list the plugin does not support that statement type.
array. The `{{name}}` and `{{expiration}}` values will be substituted.
The following values will be substituted depending on the
[credential_type](/api-docs/secret/databases#credential_type) of the role:
[credential_type](/vault/api-docs/secret/databases#credential_type) of the role:
- `{{password}}` is substituted for the `password` credential type
- `{{public_key}}` is substituted for the `rsa_private_key` credential type
@ -125,7 +125,7 @@ list the plugin does not support that statement type.
array. The `{{name}}` value will be substituted.
The following values will be substituted depending on the
[credential_type](/api-docs/secret/databases#credential_type) of the role:
[credential_type](/vault/api-docs/secret/databases#credential_type) of the role:
- `{{password}}` is substituted for the `password` credential type
- `{{public_key}}` is substituted for the `rsa_private_key` credential type

View File

@ -8,7 +8,7 @@ description: This is the API documentation for the Vault Google Cloud secrets en
This is the API documentation for the Vault Google Cloud Platform (GCP)
secrets engine. For general information about the usage and operation of
the GCP secrets engine, please see [these docs](/docs/secrets/gcp).
the GCP secrets engine, please see [these docs](/vault/docs/secrets/gcp).
This documentation assumes the GCP secrets engine is enabled at the `/gcp` path
in Vault. Since it is possible to mount secrets engines at any path, please
@ -25,15 +25,15 @@ This endpoint configures shared information for the secrets engine.
### Parameters
- `credentials` (`string:""`) - JSON credentials (either file contents or '@path/to/file')
See docs for [alternative ways](/docs/secrets/gcp#setup)
See docs for [alternative ways](/vault/docs/secrets/gcp#setup)
to pass in to this parameter, as well as the
[required permissions](/docs/secrets/gcp#required-permissions).
[required permissions](/vault/docs/secrets/gcp#required-permissions).
- `ttl` (`int: 0 || string:"0s"`) Specifies default config TTL for long-lived credentials
(i.e. service account keys). Uses [duration format strings](/docs/concepts/duration-format).
(i.e. service account keys). Uses [duration format strings](/vault/docs/concepts/duration-format).
- `max_ttl` (`int: 0 || string:"0s"`) Specifies the maximum config TTL for long-lived credentials
(i.e. service account keys). Uses [duration format strings](/docs/concepts/duration-format).\*\*
(i.e. service account keys). Uses [duration format strings](/vault/docs/concepts/duration-format).\*\*
### Sample Payload
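Review bot: The rewritten `max_ttl` line still ends with a stray `\*\*` after the duration-format link, `(/vault/docs/concepts/duration-format).\*\*`, which renders as two literal asterisks with nothing to close. Since this line is already being touched, drop the trailing `\*\*` so it matches the `ttl` entry directly above it. Both `ttl` and `max_ttl` are also missing the `-` separator between the type and the description that the `credentials` entry uses.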
@ -115,7 +115,7 @@ $ curl \
| :----- | :------------------- |
| `POST` | `/gcp/roleset/:name` |
This method allows you to create a roleset or update an existing roleset. See [docs](/docs/secrets/gcp#bindings) for the GCP secrets backend
This method allows you to create a roleset or update an existing roleset. See [docs](/vault/docs/secrets/gcp#bindings) for the GCP secrets backend
to learn more about what happens when you create or update a roleset.
**If you update a roleset's bindings, this will effectively revoke any secrets
@ -145,7 +145,7 @@ generated under this roleset.**
#### Sample Bindings:
See [bindings format docs](/docs/secrets/gcp#bindings) for more information.
See [bindings format docs](/vault/docs/secrets/gcp#bindings) for more information.
```hcl
resource "//cloudresourcemanager.googleapis.com/projects/mygcpproject" {
@ -307,7 +307,7 @@ $ curl \
| :----- | :-------------------------- |
| `POST` | `/gcp/static-account/:name` |
This method allows you to create a static account or update an existing static account. See [docs](/docs/secrets/gcp#bindings) for the GCP secrets backend
This method allows you to create a static account or update an existing static account. See [docs](/vault/docs/secrets/gcp#bindings) for the GCP secrets backend
to learn more about what happens when you create or update a static account.
**If you update a static account's bindings, this will effectively revoke any secrets
@ -337,7 +337,7 @@ generated under this static account.**
#### Sample Bindings:
See [bindings format docs](/docs/secrets/gcp#bindings) for more information.
See [bindings format docs](/vault/docs/secrets/gcp#bindings) for more information.
```hcl
resource "//cloudresourcemanager.googleapis.com/projects/mygcpproject" {
@ -493,7 +493,7 @@ impersonated account.
- `token_scopes` (`array: []`): List of OAuth scopes to assign to access tokens
generated under this impersonation account.
- `ttl` (`duration: ""`): Lifetime of the token generated. Defaults to 1 hour and
is limited to a maximum of 12 hours. Uses [duration format strings](/docs/concepts/duration-format).
is limited to a maximum of 12 hours. Uses [duration format strings](/vault/docs/concepts/duration-format).
### Sample Payload
@ -693,7 +693,7 @@ or the system default if config was not defined.
`enum(`[`ServiceAccountKeyAlgorithm`](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys#ServiceAccountKeyAlgorithm)`)`
- `key_type` (`string:"TYPE_GOOGLE_CREDENTIALS_FILE`): Private key type to generate. Defaults to JSON credentials file.
Accepted values are `enum(`[`ServiceAccountPrivateKeyType`](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys#ServiceAccountPrivateKeyType)`)`
- `ttl` (`string: ""`): Specifies the Time To Live value provided using a [duration format string](/docs/concepts/duration-format). If not set, uses the system default value.
- `ttl` (`string: ""`): Specifies the Time To Live value provided using a [duration format string](/vault/docs/concepts/duration-format). If not set, uses the system default value.
### Sample Payload
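Review bot: The `key_type` context line in this hunk has an unbalanced quote in its default, `string:"TYPE_GOOGLE_CREDENTIALS_FILE`, with no closing `"` before the closing backtick. It is outside the link migration itself, but it sits two lines above the edited `ttl` entry and is worth fixing in the same pass so the default reads `"TYPE_GOOGLE_CREDENTIALS_FILE"`.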
@ -742,5 +742,5 @@ $ curl \
## Revoking/Renewing Secrets
See docs on how to [renew](/api-docs/system/leases#renew-lease) and [revoke](/api-docs/system/leases#revoke-lease) leases.
See docs on how to [renew](/vault/api-docs/system/leases#renew-lease) and [revoke](/vault/api-docs/system/leases#revoke-lease) leases.
Note this only applies to service account keys.

View File

@ -9,7 +9,7 @@ description: This is the API documentation for the Vault Google Cloud KMS secret
This is the API documentation for the Vault Google Cloud KMS secrets engine. For
general information about the usage and operation of the Google Cloud KMS
secrets engine, please see the
[Google Cloud KMS documentation](/docs/secrets/gcpkms).
[Google Cloud KMS documentation](/vault/docs/secrets/gcpkms).
This documentation assumes the Google Cloud KMS secrets engine is enabled at the
`/gcpkms` path in Vault. Since it is possible to enable secrets engines at any

View File

@ -398,7 +398,7 @@ $ curl \
This endpoint merges many entities into one entity. Additionally, all groups associated with `from_entity_ids` are merged with those of `to_entity_id`.
Note that if these entities contain aliases sharing the same mount accessor, the merge will fail unless `conflicting_alias_ids_to_keep` is present, and
entities must be merged one at a time. This is because each entity can only have one alias with each mount accessor - for more
information, see the [identity concepts page](/docs/concepts/identity).
information, see the [identity concepts page](/vault/docs/concepts/identity).
| Method | Path |
| :----- | :----------------------- |

View File

@ -8,15 +8,15 @@ description: This is the API documentation for the Vault Identity secrets engine
This is the API documentation for the Vault Identity secrets engine. For general
information about the usage and operation of the Identity secrets engine, please
see the [Vault Identity documentation](/docs/secrets/identity).
see the [Vault Identity documentation](/vault/docs/secrets/identity).
## API Sections
- [Entity](/api-docs/secret/identity/entity)
- [Entity Alias](/api-docs/secret/identity/entity-alias)
- [Group](/api-docs/secret/identity/group)
- [Group Alias](/api-docs/secret/identity/group-alias)
- [Identity Tokens](/api-docs/secret/identity/tokens)
- [Lookup](/api-docs/secret/identity/lookup)
- [OIDC Provider](/api-docs/secret/identity/oidc-provider)
- [MFA](/api-docs/secret/identity/mfa)
- [Entity](/vault/api-docs/secret/identity/entity)
- [Entity Alias](/vault/api-docs/secret/identity/entity-alias)
- [Group](/vault/api-docs/secret/identity/group)
- [Group Alias](/vault/api-docs/secret/identity/group-alias)
- [Identity Tokens](/vault/api-docs/secret/identity/tokens)
- [Lookup](/vault/api-docs/secret/identity/lookup)
- [OIDC Provider](/vault/api-docs/secret/identity/oidc-provider)
- [MFA](/vault/api-docs/secret/identity/mfa)

View File

@ -103,7 +103,7 @@ $ curl \
## Delete Duo MFA Method
This endpoint deletes a Duo MFA method. MFA methods can only be deleted if they're not currently in use
by a [login enforcement](/api-docs/secret/identity/mfa/login-enforcement).
by a [login enforcement](/vault/api-docs/secret/identity/mfa/login-enforcement).
| Method | Path |
| :------- | :----------------------------- |

View File

@ -9,18 +9,18 @@ description: >-
## Supported MFA types.
- [TOTP](/api-docs/secret/identity/mfa/totp)
- [TOTP](/vault/api-docs/secret/identity/mfa/totp)
- [Okta](/api-docs/secret/identity/mfa/okta)
- [Okta](/vault/api-docs/secret/identity/mfa/okta)
- [Duo](/api-docs/secret/identity/mfa/duo)
- [Duo](/vault/api-docs/secret/identity/mfa/duo)
- [PingID](/api-docs/secret/identity/mfa/pingid)
- [PingID](/vault/api-docs/secret/identity/mfa/pingid)
## Other
- [Login Enforcement](/api-docs/secret/identity/mfa/login-enforcement)
- [MFA Validate](/api-docs/system/mfa/validate)
- [Login Enforcement](/vault/api-docs/secret/identity/mfa/login-enforcement)
- [MFA Validate](/vault/api-docs/system/mfa/validate)
While the above endpoints are available in both the open source and Enterprise versions of Vault,
they are namespace aware. MFA methods and login enforcements created in one namespace are separate from other

View File

@ -96,7 +96,7 @@ $ curl \
## Delete Okta MFA Method
This endpoint deletes a Okta MFA method. The MFA methods can only be deleted if they're not currently in use
by a [login enforcement](/api-docs/secret/identity/mfa/login-enforcement).
by a [login enforcement](/vault/api-docs/secret/identity/mfa/login-enforcement).
| Method | Path |
| :------- | :------------------------------ |
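Review bot: The sentence carrying the rewritten link reads "deletes a Okta MFA method. The MFA methods can only be deleted", which should be "an Okta MFA method". The Duo, PingID and TOTP pages in this same commit say "MFA methods can only be deleted" without the leading "The", so aligning the Okta wording with them while the line is open would keep the four pages consistent.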

View File

@ -90,7 +90,7 @@ $ curl \
## Delete PingID MFA Method
This endpoint deletes a PingID MFA method. MFA methods can only be deleted if they're not currently in use
by a [login enforcement](/api-docs/secret/identity/mfa/login-enforcement).
by a [login enforcement](/vault/api-docs/secret/identity/mfa/login-enforcement).
| Method | Path |
| :------- | :-------------------------------- |

View File

@ -104,7 +104,7 @@ $ curl \
## Delete TOTP MFA Method
This endpoint deletes a TOTP MFA method. MFA methods can only be deleted if they're not currently in use
by a [login enforcement](/api-docs/secret/identity/mfa/login-enforcement).
by a [login enforcement](/vault/api-docs/secret/identity/mfa/login-enforcement).
| Method | Path |
| :------- | :------------------------------ |

View File

@ -87,7 +87,7 @@ This endpoint returns a list of all OIDC providers.
### Query Parameters
- `allowed_client_id` `(string: <optional>)` Filters the list of OIDC providers to those
that allow the given client ID in their set of [allowed_client_ids](/api-docs/secret/identity/oidc-provider#allowed_client_ids).
that allow the given client ID in their set of [allowed_client_ids](/vault/api-docs/secret/identity/oidc-provider#allowed_client_ids).
### Sample Request
@ -152,7 +152,7 @@ This endpoint creates or updates a scope.
- `name` `(string: <required>)` The name of the scope. This parameter is specified as part of the URL. The `openid` scope name is reserved.
- `template` `(string: <optional>)` - The [JSON template](/docs/concepts/oidc-provider#scopes)
- `template` `(string: <optional>)` - The [JSON template](/vault/docs/concepts/oidc-provider#scopes)
string for the scope. This may be provided as escaped JSON or base64 encoded JSON.
- `description` `(string: <optional>)` A description of the scope.
@ -269,9 +269,9 @@ This endpoint creates or updates a client.
- `name` `(string: <required>)` The name of the client. This parameter is specified as part of the URL.
- `key` `(string: "default")` A reference to a [named key](/api-docs/secret/identity/tokens#create-a-named-key)
- `key` `(string: "default")` A reference to a [named key](/vault/api-docs/secret/identity/tokens#create-a-named-key)
resource. This key will be used to sign ID tokens for the client. This cannot be modified
after creation. If not supplied, defaults to the built-in [default key](/docs/concepts/oidc-provider#keys).
after creation. If not supplied, defaults to the built-in [default key](/vault/docs/concepts/oidc-provider#keys).
- `redirect_uris` `([]string: <optional>)` - Redirection URI values used by the client. One of these values
must exactly match the `redirect_uri` parameter value used in each [authentication request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
@ -280,7 +280,7 @@ This endpoint creates or updates a client.
the client. Client assignments limit the Vault entities and groups that are allowed to
authenticate through the client. By default, no Vault entities are allowed. To allow all
Vault entities to authenticate through the client, supply the built-in
[allow_all](/docs/concepts/oidc-provider#assignments) assignment.
[allow_all](/vault/docs/concepts/oidc-provider#assignments) assignment.
- `client_type` `(string: "confidential")` The [client type](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1)
based on its ability to maintain confidentiality of credentials. This cannot be modified
@ -300,11 +300,11 @@ This endpoint creates or updates a client.
for the authorization code flow
- `id_token_ttl` `(int or duration: "24h")` The time-to-live for ID tokens obtained by the client.
Accepts [duration format strings](/docs/concepts/duration-format). The value should be less than the `verification_ttl`
Accepts [duration format strings](/vault/docs/concepts/duration-format). The value should be less than the `verification_ttl`
on the key.
- `access_token_ttl` `(int or duration: "24h")` The time-to-live for access tokens obtained by the client.
Accepts [duration format strings](/docs/concepts/duration-format).
Accepts [duration format strings](/vault/docs/concepts/duration-format).
### Sample Payload
@ -440,9 +440,9 @@ This endpoint creates or updates an assignment.
- `name` `(string: <required>)` The name of the assignment. This parameter is specified as part of the URL.
- `entity_ids` `([]string: <optional>)` - A list of Vault [entity](https://www.vaultproject.io/docs/secrets/identity#entities-and-aliases) IDs.
- `entity_ids` `([]string: <optional>)` - A list of Vault [entity](/vault/docs/secrets/identity#entities-and-aliases) IDs.
- `group_ids` `([]string: <optional>)` A list of Vault [group](https://www.vaultproject.io/docs/secrets/identity#identity-groups) IDs.
- `group_ids` `([]string: <optional>)` A list of Vault [group](/vault/docs/secrets/identity#identity-groups) IDs.
### Sample Payload

View File

@ -86,9 +86,9 @@ This endpoint creates or updates a named key which is used by a role to sign tok
- `name` `(string)` Name of the named key.
- `rotation_period` `(int or time string: "24h")` - How often to generate a new signing key. Uses [duration format strings](/docs/concepts/duration-format).
- `rotation_period` `(int or time string: "24h")` - How often to generate a new signing key. Uses [duration format strings](/vault/docs/concepts/duration-format).
- `verification_ttl` `(int or time string: "24h")` - Controls how long the public portion of a signing key will be available for verification after being rotated. Uses [duration format strings](/docs/concepts/duration-format).
- `verification_ttl` `(int or time string: "24h")` - Controls how long the public portion of a signing key will be available for verification after being rotated. Uses [duration format strings](/vault/docs/concepts/duration-format).
- `allowed_client_ids` `(list: [])` - Array of role client ids allowed to use this key for signing. If empty, no roles are allowed. If "\*", all roles are allowed.
@ -244,7 +244,7 @@ Create or update a role. ID tokens are generated against a role and signed again
- `client_id` `(string: <optional>)` - Optional client ID. A random ID will be generated if left unset.
- `ttl` `(int or time string: "24h")` - TTL of the tokens generated against the role. Uses [duration format strings](/docs/concepts/duration-format).
- `ttl` `(int or time string: "24h")` - TTL of the tokens generated against the role. Uses [duration format strings](/vault/docs/concepts/duration-format).
### Sample Payload

View File

@ -38,7 +38,7 @@ the given parameter values.
- `credentials` `(map<string|string>: nil)` The credentials to use for authentication with GCP
Cloud KMS. Supplying values for this parameter is optional, as credentials may also be specified
as environment variables. See the [authentication](/docs/secrets/key-management/gcpkms#authentication)
as environment variables. See the [authentication](/vault/docs/secrets/key-management/gcpkms#authentication)
section for details on precedence.
- `service_account_file` `(string: <required>)` - The path to a Google service account key file. The

View File

@ -8,7 +8,7 @@ description: The API documentation for the Key Management secrets engine.
This is the API documentation for the Key Management secrets engine. For general
information about the usage and operation of the secrets engine, please see the
[Key Management secrets engine documentation](/docs/secrets/key-management).
[Key Management secrets engine documentation](/vault/docs/secrets/key-management).
This documentation assumes the Key Management secrets engine is enabled at the
`/keymgmt` path in Vault. Since it is possible to enable secrets engines at any
@ -265,7 +265,7 @@ the given parameter values.
- `provider` `(string: <required>)` Specifies the name of a KMS provider that's external to
Vault. Cannot be changed after creation. For more information about each provider, refer to
the [KMS Providers](/docs/secrets/key-management#kms-providers) section. The following values
the [KMS Providers](/vault/docs/secrets/key-management#kms-providers) section. The following values
are supported:
- `azurekeyvault`

View File

@ -10,7 +10,7 @@ description: This is the API documentation for the Vault KMIP secrets engine.
This is the API documentation for the Vault KMIP secrets engine. For general
information about the usage and operation of
the KMIP secrets engine, please see [these docs](/docs/secrets/kmip).
the KMIP secrets engine, please see [these docs](/vault/docs/secrets/kmip).
This documentation assumes the KMIP secrets engine is enabled at the `/kmip` path
in Vault. Since it is possible to mount secrets engines at any path, please

View File

@ -10,7 +10,7 @@ description: This is the API documentation for the Vault Kubernetes secrets engi
This is the API documentation for the Vault Kubernetes secrets engine. To
learn more about the usage and operation, see the
[Kubernetes secrets engine documentation](/docs/secrets/kubernetes).
[Kubernetes secrets engine documentation](/vault/docs/secrets/kubernetes).
This documentation assumes the Kubernetes secrets engine is mounted at the
`/kubernetes` path in Vault. Since it is possible to enable secrets engines at
@ -136,15 +136,15 @@ Only one of `service_account_name`, `kubernetes_role_name` or
namespaces in which credentials can be generated. Accepts either a JSON or YAML object. The value
should be of type
[LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta)
as illustrated in [Sample Payload 4](/api-docs/secret/kubernetes#sample-payload-4) and
[Sample Payload 5](/api-docs/secret/kubernetes#sample-payload-5) below.
as illustrated in [Sample Payload 4](/vault/api-docs/secret/kubernetes#sample-payload-4) and
[Sample Payload 5](/vault/api-docs/secret/kubernetes#sample-payload-5) below.
If set with `allowed_kubernetes_namespaces`, the conditions are `OR`ed.
- `token_max_ttl` `(string: "")` - The maximum TTL for generated Kubernetes
tokens, specified in seconds or as a Go duration format string, e.g. `"1h"`.
If not set or set to 0, the [system default](/docs/configuration#max_lease_ttl) will be used.
If not set or set to 0, the [system default](/vault/docs/configuration#max_lease_ttl) will be used.
- `token_default_ttl` `(string: "")` - The default TTL for generated Kubernetes
tokens, specified in seconds or as a Go duration format string, e.g. `"1h"`.
If not set or set to 0, the [system default](/docs/configuration#default_lease_ttl) will be used.
If not set or set to 0, the [system default](/vault/docs/configuration#default_lease_ttl) will be used.
- `service_account_name` `(string: "")` - The pre-existing service account to
generate tokens for. Mutually exclusive with all role parameters. If set, only
a Kubernetes token will be created when credentials are requested. See the
@ -164,10 +164,10 @@ Only one of `service_account_name`, `kubernetes_role_name` or
[PolicyRule](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#policyrule-v1-rbac-authorization-k8s-io)
objects, as illustrated in the
[Kubernetes RBAC documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
and [Sample Payload 3](/api-docs/secret/kubernetes#sample-payload-3) below.
and [Sample Payload 3](/vault/api-docs/secret/kubernetes#sample-payload-3) below.
- `name_template` `(string: "")` - The name template to use when generating
service accounts, roles and role bindings. If unset, a default template is
used. See [username templating](https://www.vaultproject.io/docs/concepts/username-templating)
used. See [username templating](/vault/docs/concepts/username-templating)
for details on how to write a custom template.
- `extra_annotations` `(map<string|string>: nil)` - Additional annotations to
apply to all generated Kubernetes objects. See the
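Review bot: The PolicyRule reference in this hunk points at the Kubernetes API docs for `v1.23`, while the LabelSelector reference in the previous hunk of the same file points at `v1.24`. These external links are not part of the internal link rewrite, but since the adjacent `name_template` link is being changed from an absolute `https://www.vaultproject.io/docs/...` URL to `/vault/docs/...`, this is a good moment to pin both Kubernetes references to the same API version.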

View File

@ -8,8 +8,8 @@ description: This is the API documentation for the Vault KV secrets engine.
This backend can be run in one of two versions. Each of which have a distinct API.
Choose the version below you are running. For more information on the KV secrets
engine see the [Vault kv documentation](/docs/secrets/kv).
engine see the [Vault kv documentation](/vault/docs/secrets/kv).
- [KV Version 1 API](/api-docs/secret/kv/kv-v1)
- [KV Version 1 API](/vault/api-docs/secret/kv/kv-v1)
- [KV Version 2 API](/api-docs/secret/kv/kv-v2)
- [KV Version 2 API](/vault/api-docs/secret/kv/kv-v2)

View File

@ -8,7 +8,7 @@ description: This is the API documentation for the Vault KV secrets engine.
This is the API documentation for the Vault KV secrets engine. For general
information about the usage and operation of the kv secrets engine, please
see the [Vault kv documentation](/docs/secrets/kv).
see the [Vault kv documentation](/vault/docs/secrets/kv).
~> Note: This documentation assumes the kv secrets engine is enabled at the
`/secret` path in Vault. Since it is possible to enable secrets engines at any
@ -53,7 +53,7 @@ $ curl \
_Note_: the `lease_duration` field, which will be populated if a "ttl" field
was included in the data, is advisory. No lease is created. This is a way for
writers to indicate how often a given value should be re-read by the client.
See the [Vault KV secrets engine documentation](/docs/secrets/kv)
See the [Vault KV secrets engine documentation](/vault/docs/secrets/kv)
for more details.
## List Secrets
@ -120,7 +120,7 @@ policy granting the `update` capability.
be held at the given location. Multiple key/value pairs can be specified, and
all will be returned on a read operation. A key called `ttl` will trigger
some special behavior. See the [Vault KV secrets engine
documentation](/docs/secrets/kv) for details.
documentation](/vault/docs/secrets/kv) for details.
### Sample Payload

View File

@ -9,7 +9,7 @@ description: This is the API documentation for the Vault KV secrets engine.
This is the API documentation for the Vault KV secrets engine while running in
versioned mode. For general information about the usage and operation of the kv
secrets engine, please see the [Vault kv
documentation](/docs/secrets/kv).
documentation](/vault/docs/secrets/kv).
~> Note: This documentation assumes the kv secrets engine is enabled at the
`/secret` path in Vault and that versioning has been enabled. Since it is
@ -38,7 +38,7 @@ key-value store.
- `delete_version_after` `(string:"0s")` If set, specifies the length
of time before a version is deleted.
Accepts [duration format strings](/docs/concepts/duration-format).
Accepts [duration format strings](/vault/docs/concepts/duration-format).
### Sample Payload
@ -95,7 +95,7 @@ This endpoint retrieves the secret at the specified location. The metadata
fields `created_time`, `deletion_time`, `destroyed`, and `version` are version
specific. The `custom_metadata` field is part of the secret's key metadata and
is included in the response whether or not the calling token has `read` access to
the associated [metadata endpoint](/api-docs/secret/kv/kv-v2#read-secret-metadata).
the associated [metadata endpoint](/vault/api-docs/secret/kv/kv-v2#read-secret-metadata).
| Method | Path |
| :----- | :------------------------------------------- |
@ -654,7 +654,7 @@ not create a new version.
written to this key. If not set, the backend's `delete_version_after` will be
used. If the value is greater than the backend's `delete_version_after`, the
backend's `delete_version_after` will be used. Accepts [duration format
strings](/docs/concepts/duration-format).
strings](/vault/docs/concepts/duration-format).
- `custom_metadata` `(map<string|string>: nil)` - A map of arbitrary string to string valued user-provided metadata meant
to describe the secret.

View File

@ -10,7 +10,7 @@ description: This is the API documentation for the Vault LDAP secrets engine.
This is the API documentation for the Vault LDAP secrets engine. For general
information about the usage and operation of the LDAP secrets engine,
please see the [LDAP secrets engine docs](/docs/secrets/ldap).
please see the [LDAP secrets engine docs](/vault/docs/secrets/ldap).
This documentation assumes the LDAP secrets engine is enabled at the `/ldap` path
in Vault. Since it is possible to mount secrets engines at any path, please
@ -38,15 +38,15 @@ to search and change entry passwords in LDAP.
`ldaps://ldap.myorg.com:636`. This can also be a comma-delineated list of URLs, e.g.
`ldaps://ldap.myorg.com, ldaps://ldap.myorg.com:636`, in which case the servers will be tried in-order if
there are errors during the connection process.`.
- `password_policy` `(string: <optional>)` - The name of the [password policy](/docs/concepts/password-policies)
- `password_policy` `(string: <optional>)` - The name of the [password policy](/vault/docs/concepts/password-policies)
to use to generate passwords. Note that this accepts the name of the policy, not the policy itself.
- `schema` `(string: "openldap")` - The LDAP schema to use when storing entry passwords.
Valid schemas include `openldap`, `ad`, and `racf`.
- `userdn` `(string: <optional>)` - The base DN under which to perform user search in
[library management](/api-docs/secret/ldap#library-management) and [static roles](/api-docs/secret/ldap#static-roles).
[library management](/vault/api-docs/secret/ldap#library-management) and [static roles](/vault/api-docs/secret/ldap#static-roles).
For example, `ou=Users,dc=hashicorp,dc=com`.
- `userattr` `(string: <optional>)` The attribute field name used to perform user search
in [library management](/api-docs/secret/ldap#library-management) and [static roles](/api-docs/secret/ldap#static-roles).
in [library management](/vault/api-docs/secret/ldap#library-management) and [static roles](/vault/api-docs/secret/ldap#static-roles).
Defaults to `cn` for the `openldap` schema, `userPrincipalName` for the `ad` schema, and
`racfid` for the `racf` schema.
- `upndomain` (string: `optional`) - The domain (userPrincipalDomain) used to construct a UPN
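Review bot: The context line just above the rewritten `password_policy` entry ends with a stray backtick and a doubled period, "there are errors during the connection process.`.", which opens an unclosed code span in the rendered page. Remove the trailing "`." there. The `upndomain` entry at the end of the hunk is also typed as (string: `optional`) rather than `(string: <optional>)` like the `userdn` and `userattr` entries that this hunk edits.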
@ -78,11 +78,11 @@ configuration if both are specified.
prior to the introduction of password policies).
- If `length` is set, the same algorithm is used, but with the length specified instead of the default length.
- If `password_policy` is set, the password will be generated from the associated
[password policy](/docs/concepts/password-policies). The policy is not exercised prior to saving the configuration.
[password policy](/vault/docs/concepts/password-policies). The policy is not exercised prior to saving the configuration.
The policy will need to exist prior to passwords needing to be generated by this engine, but does not need to exist
prior to saving the configuration.
See [LDAP secrets engine docs](/docs/secrets/ldap) for additional information.
See [LDAP secrets engine docs](/vault/docs/secrets/ldap) for additional information.
### Sample Payload
@ -164,9 +164,9 @@ The `static-role` endpoint configures Vault to manage the passwords of existing
### Parameters
- `username` `(string: <required>)` - The username of the existing LDAP entry to manage
password rotation for. LDAP search for the username will be rooted at the [userdn](/api-docs/secret/ldap#userdn)
password rotation for. LDAP search for the username will be rooted at the [userdn](/vault/api-docs/secret/ldap#userdn)
configuration value. The attribute to use when searching for the user can be configured
with the [userattr](/api-docs/secret/ldap#userattr) configuration value. This is useful
with the [userattr](/vault/api-docs/secret/ldap#userattr) configuration value. This is useful
when `dn` isn't used for login purposes (such as SSH). Cannot be modified after creation.<br />
**Example:** `"bob"`
- `dn` `(string: <optional>)` - Distinguished name (DN) of the existing LDAP entry to manage
@ -174,7 +174,7 @@ The `static-role` endpoint configures Vault to manage the passwords of existing
search performed during password rotation. Cannot be modified after creation.<br />
**Example:** `cn=bob,ou=Users,dc=hashicorp,dc=com`
- `rotation_period` `(string: <required>)` - How often Vault should rotate the password of the user entry. Accepts
[duration format strings](/docs/concepts/duration-format). The minimum rotation period is 5 seconds.<br />
[duration format strings](/vault/docs/concepts/duration-format). The minimum rotation period is 5 seconds.<br />
**Example:** `"3600", "5s", "1h"`
### Sample Payload
@ -338,14 +338,14 @@ v_{{.DisplayName}}_{{.RoleName}}_{{random 10}}_{{unix_time}}
</details>
- `default_ttl` `(string/int)` - Specifies the TTL for the leases associated with this role. Accepts
[duration format strings](/docs/concepts/duration-format). Defaults to system/engine default TTL time.
[duration format strings](/vault/docs/concepts/duration-format). Defaults to system/engine default TTL time.
- `max_ttl` `(string/int)` - Specifies the maximum TTL for the leases associated with this role. Accepts
[duration format strings](/docs/concepts/duration-format). Defaults to system/mount default TTL time;
[duration format strings](/vault/docs/concepts/duration-format). Defaults to system/mount default TTL time;
this value is allowed to be less than the mount max TTL (or, if not set, the system max TTL),
but it is not allowed to be longer.
The `creation_ldif`, `deletion_ldif`, `rollback_ldif`, and `username_template` fields are all templated fields. See
[Username Templating](/docs/concepts/username-templating) for details on how to use templating. Also see
[Username Templating](/vault/docs/concepts/username-templating) for details on how to use templating. Also see
[Templates](#templates) for specifics on what data is available for each template.
#### Sample Payload
@ -443,7 +443,7 @@ The following parameters are available within the LDIF templates:
**Default pattern:** `v_<display name>_<role name>_<10 random chars>_<unix timestamp>`
`.Password` - The generated password (optionally from
[password policies](https://www.vaultproject.io/docs/concepts/password-policies))
[password policies](/vault/docs/concepts/password-policies))
`.RoleName` - The name of the role that credentials are being generated for.
@ -568,10 +568,10 @@ When adding a service account to the library, Vault verifies it already exists i
service accounts must already exist in the LDAP directory.
- `ttl` `(duration: "24h", optional)` - The maximum amount of time a single check-out lasts before Vault
automatically checks it back in. Defaults to 24 hours. Setting it to zero reflects an unlimited lending period.
Uses [duration format strings](/docs/concepts/duration-format).
Uses [duration format strings](/vault/docs/concepts/duration-format).
- `max_ttl` `(duration: "24h", optional)` - The maximum amount of time a check-out last with renewal before Vault
automatically checks it back in. Defaults to 24 hours. Setting it to zero reflects an unlimited lending period.
Uses [duration format strings](/docs/concepts/duration-format).
Uses [duration format strings](/vault/docs/concepts/duration-format).
- `disable_check_in_enforcement` `(bool: false, optional)` - Disable enforcing that service accounts must be
checked in by the entity or client token that checked them out. Defaults to false.
@ -672,7 +672,7 @@ Returns a `200` if a credential is available, and a `400` if no credential is av
- `ttl` `(duration: "", optional)` - The maximum amount of time a check-out lasts before Vault
automatically checks it back in. Setting it to zero reflects an unlimited lending period.
Defaults to the set's `ttl`. If the requested `ttl` is higher than the set's, the set's will be used.
Uses [duration format strings](/docs/concepts/duration-format).
Uses [duration format strings](/vault/docs/concepts/duration-format).
### Sample POST Request

View File

@ -10,7 +10,7 @@ description: This is the API documentation for the Vault Nomad secrets engine.
This is the API documentation for the Vault Nomad secrets engine. For general
information about the usage and operation of the Nomad secrets engine, please see the
[Vault Nomad secrets engine documentation](/docs/secrets/nomad).
[Vault Nomad secrets engine documentation](/vault/docs/secrets/nomad).
This documentation assumes the Nomad secrets engine is mounted at the `/nomad` path
in Vault. Since it is possible to mount secrets engines at any location, please
@ -107,9 +107,9 @@ This endpoint configures the lease settings for generated tokens.
### Parameters
- `ttl` `(string: "")` Specifies the ttl for the lease. Uses [duration format strings](/docs/concepts/duration-format).
- `ttl` `(string: "")` Specifies the ttl for the lease. Uses [duration format strings](/vault/docs/concepts/duration-format).
- `max_ttl` `(string: "")` Specifies the max ttl for the lease. Uses [duration format strings](/docs/concepts/duration-format).
- `max_ttl` `(string: "")` Specifies the max ttl for the lease. Uses [duration format strings](/vault/docs/concepts/duration-format).
### Sample Payload
@ -188,7 +188,7 @@ updated attributes.
- `policies` `(string: "")` Comma separated list of Nomad policies the token is going to be created against. These need to be created beforehand in Nomad.
- `global` `(bool: "false")` Specifies if the token should be global, as defined in the [Nomad Documentation](https://learn.hashicorp.com/collections/nomad/access-control#acl-tokens).
- `global` `(bool: "false")` Specifies if the token should be global, as defined in the [Nomad Documentation](/nomad/tutorials/access-control#acl-tokens).
- `type` `(string: "client")` - Specifies the type of token to create when
using this role. Valid values are `"client"` or `"management"`.
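Review bot: the rewritten `global` link keeps the `#acl-tokens` fragment but now targets `/nomad/tutorials/access-control`, a different kind of page from the old learn.hashicorp.com collection URL, so the fragment may no longer resolve to a heading. Please confirm in the preview that the anchor lands on the ACL token material, or link to the specific page that defines global tokens. Since the line is being changed anyway, the default is written `(bool: "false")` as a quoted string, while other bool parameters in this change set use `(bool: false)`.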

View File

@ -10,7 +10,7 @@ description: This is the API documentation for the Vault PKI secrets engine.
This is the API documentation for the Vault PKI secrets engine. For general
information about the usage and operation of the PKI secrets engine, please see
the [PKI documentation](/docs/secrets/pki).
the [PKI documentation](/vault/docs/secrets/pki).
This documentation assumes the PKI secrets engine is enabled at the `/pki` path
in Vault. Since it is possible to enable secrets engines at any location, please
@ -583,7 +583,7 @@ when signing an externally-owned intermediate.
- `not_before_duration` `(duration: "30s")` - Specifies the duration by which to
backdate the NotBefore property. This value has no impact in the validity period
of the requested certificate, specified in the `ttl` field.
Uses [duration format strings](/docs/concepts/duration-format).
Uses [duration format strings](/vault/docs/concepts/duration-format).
- `not_after` `(string)` - Set the Not After field of the certificate with
specified date value. The value format should be given in UTC format
@ -1662,7 +1662,7 @@ use the values set via `config/urls`.
- `not_before_duration` `(duration: "30s")` - Specifies the duration by which to
backdate the NotBefore property. This value has no impact in the validity period
of the requested certificate, specified in the `ttl` field.
Uses [duration format strings](/docs/concepts/duration-format).
Uses [duration format strings](/vault/docs/concepts/duration-format).
- `not_after` `(string)` - Set the Not After field of the certificate with
specified date value. The value format should be given in UTC format
@ -1728,7 +1728,7 @@ key. If using Vault as a root (and, like many other CAs), the various parameters
on the final signed certificate are set at signing time and _may or may not honor
the parameters set here_ (and transmitted in the returned CSR).
Note that this API supports [Managed Keys](/docs/enterprise/managed-keys);
Note that this API supports [Managed Keys](/vault/docs/enterprise/managed-keys);
additional details are available [below in a dedicated section](#managed-keys).
The parameters below are mostly meant as a helper function; not all possible
@ -1952,7 +1952,7 @@ imported entries present in the same bundle).
issues; this may impact long-term use of these issuers, but some issuers or
keys may still be imported as a result of this process.
~> Warning: See the [note](/docs/secrets/pki/considerations#issuer-subjects-and-crls)
~> Warning: See the [note](/vault/docs/secrets/pki/considerations#issuer-subjects-and-crls)
regarding Subject naming on externally created CA certificates and
shortcomings with CRL building.
@ -2594,7 +2594,7 @@ request is denied.
`foo.*.example.com` and `bar` is a subdomain of that.
- `allowed_domains_template` `(bool: false)` - When set, `allowed_domains`
may contain templates, as with [ACL Path Templating](/docs/concepts/policies).
may contain templates, as with [ACL Path Templating](/vault/docs/concepts/policies).
Non-templated domains are also still permitted.
- `allow_bare_domains` `(bool: false)` - Specifies if clients can request
@ -2662,7 +2662,7 @@ request is denied.
`spiffe://hostname/*`).
- `allowed_uri_sans_template` `(bool: false)` - When set, `allowed_uri_sans`
may contain templates, as with [ACL Path Templating](/docs/concepts/policies).
may contain templates, as with [ACL Path Templating](/vault/docs/concepts/policies).
Non-templated domains are also still permitted.
- `allowed_other_sans` `(string: "")` - Defines allowed custom OID/UTF8-string
@ -3059,7 +3059,7 @@ This endpoint allows setting the value of the default issuer.
generation) will become the default and it will look (to anyone strictly
using old APIs) that it is the only issuer in the mount. However, it is
encouraged for applications to update to the newer, safer semantics
associated with [multi-issuer rotation](/docs/secrets/pki/rotation-primitives).
associated with [multi-issuer rotation](/vault/docs/secrets/pki/rotation-primitives).
~> Note: When an import creates more than one new issuer with key material
known to this mount, no default update will occur.
@ -3641,7 +3641,7 @@ expiration time.
if present). Migration will only occur after `issuer_safety_buffer` has
passed since the last successful migration.
- `safety_buffer` `(string: "")` - Specifies a duration using [duration format strings](/docs/concepts/duration-format)
- `safety_buffer` `(string: "")` - Specifies a duration using [duration format strings](/vault/docs/concepts/duration-format)
used as a safety buffer to ensure certificates are not expunged prematurely; as an example, this can keep
certificates from being removed from the CRL that, due to clock skew, might
still be considered valid on other hosts. For a certificate to be expunged,
@ -3733,7 +3733,7 @@ status endpoint described below.
if present). Migration will only occur after `issuer_safety_buffer` has
passed since the last successful migration.
- `safety_buffer` `(string: "")` - Specifies a duration using [duration format strings](/docs/concepts/duration-format)
- `safety_buffer` `(string: "")` - Specifies a duration using [duration format strings](/vault/docs/concepts/duration-format)
used as a safety buffer to ensure certificates are not expunged prematurely; as an example, this can keep
certificates from being removed from the CRL that, due to clock skew, might
still be considered valid on other hosts. For a certificate to be expunged,
@ -3872,7 +3872,7 @@ $ curl \
## Cluster Scalability
See [PKI Cluster Scalability](/docs/secrets/pki/considerations#cluster-scalability) in the considerations page.
See [PKI Cluster Scalability](/vault/docs/secrets/pki/considerations#cluster-scalability) in the considerations page.
## Managed Keys

View File

@ -8,7 +8,7 @@ description: This is the API documentation for the Vault RabbitMQ secrets engine
This is the API documentation for the Vault RabbitMQ secrets engine. For general
information about the usage and operation of the RabbitMQ secrets engine, please
see the [RabbitMQ documentation](/docs/secrets/rabbitmq).
see the [RabbitMQ documentation](/vault/docs/secrets/rabbitmq).
This documentation assumes the RabbitMQ secrets engine is enabled at the
`/rabbitmq` path in Vault. Since it is possible to enable secrets engines at any
@ -33,10 +33,10 @@ RabbitMQ.
- `verify_connection` `(bool: true)`  Specifies whether to verify connection URI, username, and password.
- `password_policy` `(string: "")` - Specifies a [password policy](/docs/concepts/password-policies) to
- `password_policy` `(string: "")` - Specifies a [password policy](/vault/docs/concepts/password-policies) to
use when creating dynamic credentials. Defaults to generating an alphanumeric password if not set.
- `username_template` `(string)` - [Template](/docs/concepts/username-templating) describing how
- `username_template` `(string)` - [Template](/vault/docs/concepts/username-templating) describing how
dynamic usernames are generated.
### Sample Payload

View File

@ -8,7 +8,7 @@ description: This is the API documentation for the Vault SSH secrets engine.
This is the API documentation for the Vault SSH secrets engine. For general
information about the usage and operation of the SSH secrets engine, please see
the [SSH documentation](/docs/secrets/ssh).
the [SSH documentation](/vault/docs/secrets/ssh).
This documentation assumes the SSH secrets engine is enabled at the `/ssh` path
in Vault. Since it is possible to enable secrets engines at any location, please
@ -261,7 +261,7 @@ This endpoint creates or updates a named role.
explicit `algorithm_signer=rsa-sha` parameter or has been migrated to such.
- `not_before_duration` `(duration: "30s")`  Specifies the duration by which to
backdate the `ValidAfter` property. Uses [duration format strings](/docs/concepts/duration-format).
backdate the `ValidAfter` property. Uses [duration format strings](/vault/docs/concepts/duration-format).
### Sample Payload

View File

@ -8,7 +8,7 @@ description: This is the API documentation for the Vault Terraform Cloud secret
This is the API documentation for the Vault Terraform Cloud secret backend. For general
information about the usage and operation of the Terraform Cloud backend, please see the
[Vault Terraform Cloud backend documentation](/docs/secrets/terraform).
[Vault Terraform Cloud backend documentation](/vault/docs/secrets/terraform).
This documentation assumes the Terraform Cloud backend is mounted at the `/terraform` path
in Vault. Since it is possible to mount secret backends at any location, please
@ -102,7 +102,7 @@ with the `/rotate-role` endpoint.
Please see the [Terraform Cloud API
Token documentation for more
information](https://www.terraform.io/cloud-docs/users-teams-organizations/api-tokens).
information](/terraform/cloud-docs/users-teams-organizations/api-tokens).
| Method | Path |
| :----- | :---------------------- |
@ -126,11 +126,11 @@ information](https://www.terraform.io/cloud-docs/users-teams-organizations/api-t
- `ttl` `(duration: "")`  Specifies the TTL for this role. If not
provided, the default Vault TTL is used. Only applies to User API tokens.
Uses [duration format strings](/docs/concepts/duration-format).
Uses [duration format strings](/vault/docs/concepts/duration-format).
- `max_ttl` `(duration: "")`  Specifies the max TTL for this role. If not
provided, the default Vault Max TTL is used. Only applies to User API tokens.
Uses [duration format strings](/docs/concepts/duration-format).
Uses [duration format strings](/vault/docs/concepts/duration-format).
### Sample Payload

View File

@ -8,7 +8,7 @@ description: This is the API documentation for the Vault TOTP secrets engine.
This is the API documentation for the Vault TOTP secrets engine. For general
information about the usage and operation of the TOTP secrets engine, please see
the [TOTP documentation](/docs/secrets/totp).
the [TOTP documentation](/vault/docs/secrets/totp).
This documentation assumes the TOTP secrets engine is enabled at the `/totp`
path in Vault. Since it is possible to enable secrets engines at any location,

View File

@ -8,7 +8,7 @@ description: This is the API documentation for the Transform secrets engine.
This is the API documentation for the Transform secrets engine. For general
information about the usage and operation of the secrets engine, please see the
[Transform secrets engine documentation](/docs/secrets/transform).
[Transform secrets engine documentation](/vault/docs/secrets/transform).
This documentation assumes the transform secrets engine is enabled at the
`/transform` path in Vault. Since it is possible to enable secrets engines at any
@ -974,7 +974,7 @@ The database user configured here should only have permission to `SELECT`,
- `max_connection_lifetime` `(duration: 0)` -
The maximum amount of time a connection can be open before closing it.
0 means no limit. Uses [duration format strings](/docs/concepts/duration-format).
0 means no limit. Uses [duration format strings](/vault/docs/concepts/duration-format).
### Sample Payloads
@ -1890,7 +1890,7 @@ This endpoint starts or continues retrieving an export of tokenization
state, including the tokens and their decoded values. This call is only
supported on tokenization stores configured with the `exportable` mapping
mode. Refer to the Tokenization
[documentation](../../docs/secrets/transform/tokenization#security-considerations)
[documentation](/vault/docs/secrets/transform/tokenization#security-considerations)
for when to use the `exportable` mapping mode.
Decoded values are in Base64 representation.
@ -2011,7 +2011,7 @@ Only valid for tokenization transformations.
- `auto_rotate_period` `(duration: "0", optional)` - The period at which this key
should be rotated automatically. Setting this to "0" will disable automatic key
rotation. This value cannot be shorter than one hour. Uses
[duration format strings](/docs/concepts/duration-format).
[duration format strings](/vault/docs/concepts/duration-format).
### Sample Payload

View File

@ -8,7 +8,7 @@ description: This is the API documentation for the Vault Transit secrets engine.
This is the API documentation for the Vault Transit secrets engine. For general
information about the usage and operation of the Transit secrets engine, please
see the [transit documentation](/docs/secrets/transit).
see the [transit documentation](/vault/docs/secrets/transit).
This documentation assumes the transit secrets engine is enabled at the
`/transit` path in Vault. Since it is possible to enable secrets engines at any
@ -79,7 +79,7 @@ values set here cannot be changed after key creation.
- `auto_rotate_period` `(duration: "0", optional)` The period at which
this key should be rotated automatically. Setting this to "0" (the default)
will disable automatic key rotation. This value cannot be shorter than one
hour. Uses [duration format strings](/docs/concepts/duration-format).
hour. Uses [duration format strings](/vault/docs/concepts/duration-format).
### Sample Payload
@ -119,7 +119,7 @@ two values: an ephemeral 256-bit AES key wrapped using the wrapping key
returned by Vault and the encryption of the import key material under the
provided AES key. The wrapped AES key should be the first 512 bytes of the
ciphertext, and the encrypted key material should be the remaining bytes.
See the BYOK section of the [Transit secrets engine documentation](/docs/secrets/transit#bring-your-own-key-byok)
See the BYOK section of the [Transit secrets engine documentation](/vault/docs/secrets/transit#bring-your-own-key-byok)
for more information on constructing the ciphertext.
- `hash_function` `(string: "SHA256")` - The hash function used for the
@ -212,7 +212,7 @@ two values: an ephemeral 256-bit AES key wrapped using the wrapping key
returned by Vault and the encryption of the import key material under the
provided AES key. The wrapped AES key should be the first 512 bytes of the
ciphertext, and the encrypted key material should be the remaining bytes.
See the BYOK section of the [Transit secrets engine documentation](/docs/secrets/transit#bring-your-own-key-byok)
See the BYOK section of the [Transit secrets engine documentation](/vault/docs/secrets/transit#bring-your-own-key-byok)
for more information on constructing the ciphertext.
- `hash_function` `(string: "SHA256")` - The hash function used for the
@ -414,7 +414,7 @@ are returned during a read operation on the named key.)
- `auto_rotate_period` `(duration: "", optional)` The period at which this
key should be rotated automatically. Setting this to "0" will disable automatic
key rotation. This value cannot be shorter than one hour. When no value is
provided, the period remains unchanged. Uses [duration format strings](/docs/concepts/duration-format).
provided, the period remains unchanged. Uses [duration format strings](/vault/docs/concepts/duration-format).
### Sample Payload
@ -697,7 +697,7 @@ Use the base64-encoded plaintext in the payload:
}
```
!> Vault HTTP API imposes a maximum request size of 32MB to prevent a denial of service attack. This can be tuned per [`listener` block](/docs/configuration/listener/tcp) in the Vault server configuration.
!> Vault HTTP API imposes a maximum request size of 32MB to prevent a denial of service attack. This can be tuned per [`listener` block](/vault/docs/configuration/listener/tcp) in the Vault server configuration.
### Sample Request
@ -1750,4 +1750,4 @@ $ curl \
},
```
[sys-plugin-reload-backend]: /api-docs/system/plugins-reload-backend#reload-plugins
[sys-plugin-reload-backend]: /vault/api-docs/system/plugins-reload-backend#reload-plugins

View File

@ -12,8 +12,8 @@ The `/sys/experiments` endpoint returns information about experiments on the Vau
This endpoint returns the experiments available and enabled on the Vault node.
Experiments are per-node and cannot be changed while the node is running. See
the [`-experiment`](/docs/commands/server#experiment) flag and the
[`experiments`](/docs/configuration#experiments) config key documentation for
the [`-experiment`](/vault/docs/commands/server#experiment) flag and the
[`experiments`](/vault/docs/configuration#experiments) config key documentation for
details on enabling experiments.
| Method | Path |

View File

@ -35,7 +35,7 @@ $ curl \
This endpoint initializes a new Vault. The Vault must not have been previously
initialized. The recovery options, as well as the stored shares option, are only
available when using [Auto Unseal](/docs/concepts/seal#auto-unseal).
available when using [Auto Unseal](/vault/docs/concepts/seal#auto-unseal).
| Method | Path |
| :----- | :---------- |

View File

@ -10,7 +10,7 @@ description: >-
The `/sys/internal/inspect` family of endpoints is intended to inspect a specific internal subsystem for debugging purposes.
This endpoint is off by default. See the
[Vault configuration documentation](/docs/configuration) to
[Vault configuration documentation](/vault/docs/configuration) to
enable. Once the endpoint is turned on, it can be accessed with a root token or sudo privileges.
~> **NOTE**: These endpoints are only available in Vault version 1.13+. Backwards compatibility is not guaranteed. These endpoints are subject to change or may disappear without notice.
@ -18,5 +18,5 @@ enable. Once the endpoint is turned on, it can be accessed with a root token or
## Supported Inspection Paths
- [Router](/api-docs/system/inspect/router)
- [Router](/vault/api-docs/system/inspect/router)

View File

@ -318,7 +318,7 @@ That is to say, the response will appear as follows.
```
Please visit the [client count](/docs/concepts/client-count) concepts page for
Please visit the [client count](/vault/docs/concepts/client-count) concepts page for
more information on how clients map to these client IDs and how they are
counted, or for more information about how the new clients for the current month
are estimated in a billing period.

View File

@ -15,7 +15,7 @@ The set of included paths is based on the permissions of the request token.
The response may include Vault-specific [extensions](https://github.com/oai/openapi-specification/blob/master/versions/3.0.2.md#specification-extensions). Three are currently defined:
- `x-vault-sudo` - Endpoint requires [sudo](/docs/concepts/policies#sudo) privileges.
- `x-vault-sudo` - Endpoint requires [sudo](/vault/docs/concepts/policies#sudo) privileges.
- `x-vault-unauthenticated` - Endpoint is unauthenticated.
- `x-vault-create-supported` - Endpoint allows creation of new items, in addition to updating existing items.

View File

@ -15,7 +15,7 @@ Vault.
## License Status
This endpoint returns information about licensing. See [license autoloading](/docs/enterprise/license/autoloading) for additional background.
This endpoint returns information about licensing. See [license autoloading](/vault/docs/enterprise/license/autoloading) for additional background.
In the response:

View File

@ -7,7 +7,7 @@ description: The `/sys/managed-keys` endpoint is used to manage the managed keys
# `/sys/managed-keys`
The `/sys/managed-keys` endpoint is used to manage the Managed Key configuration within Vault.
See the [Managed Keys](/docs/enterprise/managed-keys) section for further details on the Managed Keys system.
See the [Managed Keys](/vault/docs/enterprise/managed-keys) section for further details on the Managed Keys system.
## List managed keys.
@ -101,7 +101,7 @@ $ curl \
- `type` `(string: "pkcs11")` - To select a PKCS#11 backend, the type parameter must be set to `pkcs11`.
- `library` `(string: <required>)` - The name of the `kms_library` stanza to use from Vault's config to
lookup the local library path. See [kms_library stanza](/docs/configuration/kms-library) for further details.
lookup the local library path. See [kms_library stanza](/vault/docs/configuration/kms-library) for further details.
- `key_label` `(string: <required>)` - The label of the key to use. If the key does not exist
and generation is enabled, this is the label that will be given to the generated key. This

View File

@ -13,17 +13,17 @@ behaviors in Vault Enterprise MFA.
## Supported MFA types
- [TOTP](/api-docs/system/mfa/totp)
- [TOTP](/vault/api-docs/system/mfa/totp)
- [Okta](/api-docs/system/mfa/okta)
- [Okta](/vault/api-docs/system/mfa/okta)
- [Duo](/api-docs/system/mfa/duo)
- [Duo](/vault/api-docs/system/mfa/duo)
- [PingID](/api-docs/system/mfa/pingid)
- [PingID](/vault/api-docs/system/mfa/pingid)
## Step-up Enterprise MFA
[Vault Enterprise](/docs/enterprise/mfa) allows MFA for login and access to
[Vault Enterprise](/vault/docs/enterprise/mfa) allows MFA for login and access to
sensitive resources in Vault. The Step-up Enterprise MFA expects the method
creator to specify a name for the method; Login MFA does not, and instead
returns an ID when a method is created. Although MFA methods supported with Step-up Enterprise MFA are supported with the Login MFA, they use different API endpoints.
@ -34,5 +34,5 @@ returns an ID when a method is created. Although MFA methods supported with Step
~> **Note:** While the `sys/mfa` endpoint is supported for both OSS and Vault Enterprise, `sys/mfa/method/:type/:/name` is only supported for Vault Enterprise.
Refer to the [Login MFA
FAQ](/docs/auth/login-mfa/faq#q-are-there-new-mfa-api-endpoints-introduced-as-part-of-the-new-vault-version-1-10-mfa-for-login-functionality) document
FAQ](/vault/docs/auth/login-mfa/faq#q-are-there-new-mfa-api-endpoints-introduced-as-part-of-the-new-vault-version-1-10-mfa-for-login-functionality) document
for more details.
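Review bot: the Login MFA FAQ link depends on a fragment generated from the full question text (`#q-are-there-new-mfa-api-endpoints-introduced-as-part-of-...`), which breaks silently if the question is ever reworded. Consider linking to `/vault/docs/auth/login-mfa/faq` without the fragment, or to a shorter stable anchor if one exists. The note just above the changed lines also gives the path as `sys/mfa/method/:type/:/name`, where `:/name` looks like a typo for `/:name` and could be fixed in the same pass.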

View File

@ -242,7 +242,7 @@ simple as increasing the timeout (in the event of timeout errors).
For recovery situations where the secret was manually removed from the
secrets backing service, one can force a secrets engine disable in Vault by
performing a [force revoke](/api-docs/system/leases)
performing a [force revoke](/vault/api-docs/system/leases)
on the mount prefix, followed by a secrets disable when that completes.
If the underlying secrets were not manually cleaned up, this method might result
in dangling credentials. This is meant for extreme circumstances.
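Review bot: the "force revoke" link points at the top of `/vault/api-docs/system/leases` with no fragment, so a reader following a recovery procedure that can leave dangling credentials has to find the right endpoint on that page themselves. If the leases page has a heading for the force-revoke endpoint, link straight to it so the operator lands on the exact call and its warnings.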

View File

@ -172,7 +172,7 @@ $ curl \
This endpoint locks the API for the current namespace path or optional subpath.
The behavior when interacting with Vault from a locked namespace is described in
[API Locked Response](/docs/concepts/namespace-api-lock#api-locked-response).
[API Locked Response](/vault/docs/concepts/namespace-api-lock#api-locked-response).
| Method | Path |
| :----- | :---------------------- |

View File

@ -13,7 +13,7 @@ are using for compatibility.
~> Password policies are only available in Vault version 1.5+.
See [Password Policies](/docs/concepts/password-policies) for details of how password policies work
See [Password Policies](/vault/docs/concepts/password-policies) for details of how password policies work
as well as the syntax of the policies themselves.
## Create/Update Password Policy
@ -37,7 +37,7 @@ generation times.
This is specified as part of the request URL.
- `policy` `(string: <required>)` - Specifies the password policy document. This can be
base64-encoded to avoid string escaping. See [Password Policy Syntax](/docs/concepts/password-policies#password-policy-syntax)
base64-encoded to avoid string escaping. See [Password Policy Syntax](/vault/docs/concepts/password-policies#password-policy-syntax)
for details on password policy definitions.
### Sample Payload

View File

@ -9,7 +9,7 @@ description: The `/sys/raw` endpoint is used to access the raw underlying store
The `/sys/raw` endpoint is used to access the raw underlying store in Vault.
This endpoint is off by default. See the
[Vault configuration documentation](/docs/configuration) to
[Vault configuration documentation](/vault/docs/configuration) to
enable.
## Read Raw

View File

@ -17,7 +17,7 @@ engines and auth methods.
The remount operation returns a migration ID to the user. The user may utilize the migration ID to look up
the status of the mount migration. More details about the remount operation are described in
[Mount Migration](/docs/concepts/mount-migration).
[Mount Migration](/vault/docs/concepts/mount-migration).
~> Note: This endpoint requires a policy with both `sudo` and `update` capabilities to `sys/remount`

View File

@ -343,7 +343,7 @@ result in data loss!
~> It is not safe to replicate from a newer version of Vault to an older version.
When upgrading replicated clusters, ensure that upstream clusters are always
on older versions of Vault than downstream clusters. See
[Upgrading Vault](/docs/upgrading#replication-installations) for an example.
[Upgrading Vault](/vault/docs/upgrading#replication-installations) for an example.
| Method | Path |

View File

@ -6,6 +6,6 @@ description: |-
The '/sys/storage' endpoints are used to manage Vault's storage backends.
---
This API sub-section is currently only used to manage [Raft](/api-docs/system/storage/raft) storage backend.
This API sub-section is currently only used to manage [Raft](/vault/api-docs/system/storage/raft) storage backend.
On Enterprise there are additional endpoints for working with [Raft Automated Snapshots](/api-docs/system/storage/raftautosnapshots).
On Enterprise there are additional endpoints for working with [Raft Automated Snapshots](/vault/api-docs/system/storage/raftautosnapshots).

View File

@ -10,12 +10,12 @@ description: |-
# `/sys/storage/raft/autopilot`
The `/sys/storage/raft/autopilot` endpoints are used to manage raft clusters using autopilot
with Vault's [Integrated Storage backend](/docs/internals/integrated-storage).
Refer to the [Integrated Storage Autopilot](https://learn.hashicorp.com/tutorials/vault/raft-autopilot?in=vault/raft) tutorial to learn how to manage raft clusters using autopilot.
with Vault's [Integrated Storage backend](/vault/docs/internals/integrated-storage).
Refer to the [Integrated Storage Autopilot](/vault/tutorials/raft/raft-autopilot) tutorial to learn how to manage raft clusters using autopilot.
## Get Cluster State
This endpoint is used to retrieve the raft cluster state. See the [docs page](/docs/commands/operator/raft#autopilot-state) for a description of the output.
This endpoint is used to retrieve the raft cluster state. See the [docs page](/vault/docs/commands/operator/raft#autopilot-state) for a description of the output.
| Method | Path |
| :----- | :---------------------------------- |

View File

@ -8,7 +8,7 @@ description: The `/sys/locked-users` endpoint is used to manage locked users in
The `/sys/locked-users` endpoint is used to list and unlock locked users in Vault.
Please visit [user lockout](/docs/concepts/user-lockout) concepts page for more details about the feature.
Please visit [user lockout](/vault/docs/concepts/user-lockout) concepts page for more details about the feature.
## List Locked Users

View File

@ -13,20 +13,20 @@ for Vault's API.
## Functionality
The [`listener` stanza](/docs/agent#listener-stanza) for Vault Agent configures a listener for Vault Agent. If
The [`listener` stanza](/vault/docs/agent#listener-stanza) for Vault Agent configures a listener for Vault Agent. If
its `role` is not set to `metrics_only`, it will act as a proxy for the Vault server that
has been configured in the [`vault` stanza](/docs/agent#vault-stanza) stanza of Vault Agent. This enables access to the Vault
has been configured in the [`vault` stanza](/vault/docs/agent#vault-stanza) stanza of Vault Agent. This enables access to the Vault
API from the Agent API, and can be configured to optionally allow or force the automatic use of
the Auto-Auth token for these requests, as described below.
If a `listener` has been configured alongside a `cache` stanza, the API Proxy will
first attempt to utilize the cache subsystem for qualifying requests, before forwarding the
request to Vault. See the [caching docs](/docs/agent/caching) for more information on caching.
request to Vault. See the [caching docs](/vault/docs/agent/caching) for more information on caching.
## Using Auto-Auth Token
Vault Agent allows for easy authentication to Vault in a wide variety of
environments using [Auto-Auth](/docs/agent/autoauth). By setting the
environments using [Auto-Auth](/vault/docs/agent/autoauth). By setting the
`use_auto_auth_token` (see below) configuration, clients will not be required
to provide a Vault token to the requests made to the Agent. When this
configuration is set, if the request doesn't already bear a token, then the
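Review bot: The rewritten `vault` stanza link line still reads "[`vault` stanza](/vault/docs/agent#vault-stanza) stanza of Vault Agent", so "stanza" appears twice in a row. The line is being touched anyway, so drop the trailing "stanza" after the link.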
@ -40,7 +40,7 @@ request to the Vault server.
Vault Agent can be configured to force the use of the auto-auth token by using
the value `force` for the `use_auto_auth_token` option. This configuration
overrides the default behavior described above in [Using Auto-Auth
Token](/docs/agent/apiproxy#using-auto-auth-token), and instead ignores any
Token](/vault/docs/agent/apiproxy#using-auto-auth-token), and instead ignores any
existing Vault token in the request and instead uses the auto-auth token.
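Review bot: The new target `/vault/docs/agent/apiproxy#using-auto-auth-token` is introduced with "described above", so it points back into the page it sits on. A bare `#using-auto-auth-token` fragment would resolve the same way and would not need another rewrite the next time the path prefix changes. The same sentence also uses "instead" twice ("and instead ignores ... and instead uses"); one of them can go.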
@ -57,7 +57,7 @@ auto-auth token, overwriting the attached Vault token if set.
The following two `api_proxy` options are only useful when making requests to a Vault
Enterprise cluster, and are documented as part of its
[Eventual Consistency](/docs/enterprise/consistency#vault-agent-and-consistency-headers)
[Eventual Consistency](/vault/docs/enterprise/consistency#vault-agent-and-consistency-headers)
page.
- `enforce_consistency` `(string: "never")` - Set to one of `"always"`

View File

@ -31,7 +31,7 @@ configured Sinks, subject to their configuration.
Sinks support some advanced features, including the ability for the written
values to be encrypted or
[response-wrapped](/docs/concepts/response-wrapping).
[response-wrapped](/vault/docs/concepts/response-wrapping).
Both mechanisms can be used concurrently; in this case, the value will be
response-wrapped, then encrypted.
@ -110,7 +110,7 @@ The top level `auto_auth` block has two configuration entries:
Agent does not track the number of uses remaining, and may allow the token to
expire before attempting to renew it. For example, if using AppRole auto-auth,
you must use 0 (meaning unlimited) as the value for
[`token_num_uses`](https://www.vaultproject.io/api-docs/auth/approle#token_num_uses).
[`token_num_uses`](/vault/api-docs/auth/approle#token_num_uses).
These are common configuration values that live within the `method` block:
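Review bot: The `token_num_uses` link is the one place in this file where the old target was an absolute `https://www.vaultproject.io/api-docs/...` URL rather than a legacy relative path. Please confirm that the Legacy Link Format Checker added in this commit also flags absolute vaultproject.io links, because a check that only matches `/docs/` and `/api-docs/` prefixes would let new ones through.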
@ -135,14 +135,14 @@ These are common configuration values that live within the `method` block:
automatically reauthenticate when it expires. Rather than a simple string,
the written value will be a JSON-encoded
[SecretWrapInfo](https://godoc.org/github.com/hashicorp/vault/api#SecretWrapInfo)
structure. Uses [duration format strings](/docs/concepts/duration-format).
structure. Uses [duration format strings](/vault/docs/concepts/duration-format).
- `min_backoff` `(string or integer: "1s")` - The minimum backoff time Agent
will delay before retrying after a failed auth attempt. The backoff will start
at the configured value and double (with some randomness) after successive
failures, capped by `max_backoff.` If Agent templating is being used, this
value is also used as the min backoff time for the templating server.
Uses [duration format strings](/docs/concepts/duration-format).
Uses [duration format strings](/vault/docs/concepts/duration-format).
- `max_backoff` `(string or integer: "5m")` - The maximum time Agent will delay
before retrying after a failed auth attempt. The backoff will start at
@ -150,7 +150,7 @@ These are common configuration values that live within the `method` block:
capped by `max_backoff.` If Agent templating is being used, this value is also
used as the max backoff time for the templating server. `max_backoff` is the
duration between retries, and **not** the duration that retries will be
performed before giving up. Uses [duration format strings](/docs/concepts/duration-format).
performed before giving up. Uses [duration format strings](/vault/docs/concepts/duration-format).
- `exit_on_err` `(bool: false)` - When set to true, Vault Agent will exit if any
errors occur during authentication. This configurable only affects login attempts
@ -173,7 +173,7 @@ These configuration values are common to all Sinks:
reauthenticate when it expires. Rather than a simple string, the written
value will be a JSON-encoded
[SecretWrapInfo](https://godoc.org/github.com/hashicorp/vault/api#SecretWrapInfo)
structure. Uses [duration format strings](/docs/concepts/duration-format).
structure. Uses [duration format strings](/vault/docs/concepts/duration-format).
- `dh_type` `(string: optional)` - If specified, the type of Diffie-Hellman exchange to
perform, meaning, which ciphers and/or curves. Currently only `curve25519` is
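Review bot: The `SecretWrapInfo` link on the line above the rewritten duration-format link still points at `https://godoc.org/github.com/hashicorp/vault/api#SecretWrapInfo`. godoc.org now redirects to pkg.go.dev, so consider updating it to the pkg.go.dev URL in this pass or a follow-up. The same link appears under the `method` block's `wrap_ttl` description earlier in this file.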

View File

@ -7,7 +7,7 @@ description: AliCloud Method for Vault Agent Auto-Auth
# Vault Agent Auto-Auth AliCloud Method
The `alicloud` method performs authentication against the [AliCloud Auth
method](/docs/auth/alicloud).
method](/vault/docs/auth/alicloud).
## Credentials

View File

@ -8,7 +8,7 @@ description: AppRole Method for Vault Agent Auto-Auth
The `approle` method reads in a role ID and a secret ID from files and sends
the values to the [AppRole Auth
method](/docs/auth/approle).
method](/vault/docs/auth/approle).
The method caches values and it is safe to delete the role ID/secret ID files
after they have been read. In fact, by default, after reading the secret ID,
@ -32,15 +32,15 @@ cached.
- `secret_id_response_wrapping_path` `(string: optional)` - If set, the value
at `secret_id_file_path` will be expected to be a [Response-Wrapping
Token](/docs/concepts/response-wrapping)
Token](/vault/docs/concepts/response-wrapping)
containing the output of the secret ID retrieval endpoint for the role (e.g.
`auth/approle/role/webservers/secret-id`) and the creation path for the
response-wrapping token must match the value set here.
## Example Configuration
An example configuration, using approle to enable [auto-auth](/docs/agent/autoauth)
and creating both a plaintext token sink and a [response-wrapped token sink file](/docs/agent/autoauth#wrap_ttl), follows:
An example configuration, using approle to enable [auto-auth](/vault/docs/agent/autoauth)
and creating both a plaintext token sink and a [response-wrapped token sink file](/vault/docs/agent/autoauth#wrap_ttl), follows:
```hcl
pid_file = "./pidfile"

View File

@ -7,7 +7,7 @@ description: AWS Method for Vault Agent Auto-Auth
# Vault Agent Auto-Auth AWS Method
The `aws` method performs authentication against the [AWS Auth
method](/docs/auth/aws). Both `ec2` and `iam`
method](/vault/docs/auth/aws). Both `ec2` and `iam`
authentication types are supported. If `ec2` is used, the agent will store the
reauthentication value in memory and use it for reauthenticating, but will not
persist it to disk.
@ -48,17 +48,17 @@ parameters unset in your configuration.
- `region` `(string: "us-east-1")` - The region to use for signing the authentication request. The
region Agent uses should match that corresponding to
[`sts_endpoint`](/api-docs/auth/aws#sts_endpoint),
[`sts_endpoint`](/vault/api-docs/auth/aws#sts_endpoint),
if a custom endpoint has been configured on the Vault server.
- `session_token` `(string: optional)` - The session token to use for authentication, if needed.
- `header_value` `(string: optional)` - If configured in Vault, the value to use for
[`iam_server_id_header_value`](/api-docs/auth/aws#iam_server_id_header_value).
[`iam_server_id_header_value`](/vault/api-docs/auth/aws#iam_server_id_header_value).
- `nonce` `(string: optional)` - If not provided, Vault will generate a new UUID every time `vault agent` runs.
If set, make sure you understand the importance of generating a good, unique `nonce` and protecting it.
See [Client Nonce](/docs/auth/aws#client-nonce) for more information.
See [Client Nonce](/vault/docs/auth/aws#client-nonce) for more information.
## Tutorial
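Review bot: All three rewritten links in this hunk (`#sts_endpoint`, `#iam_server_id_header_value`, `#client-nonce`) depend on a fragment, and changing the path prefix says nothing about whether those anchors exist on the new pages. Please confirm the Test Link Rewrites run checks fragments as well as paths. The `nonce` entry in particular relies on the Client Nonce link for its guidance on protecting the value.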

View File

@ -8,7 +8,7 @@ description: Azure Method for Vault Agent Auto-Auth
The `azure` method reads in Azure instance credentials and uses them to
authenticate with the [Azure Auth
method](/docs/auth/azure). It reads most
method](/vault/docs/auth/azure). It reads most
parameters needed for authentication directly from instance information based
on the value of the `resource` parameter.

View File

@ -14,13 +14,13 @@ It is strongly advised to provide TLS settings in the configuration stanza
within the auth method to avoid agent cache, if also enabled, from using the
same TLS settings when proxying requests. If TLS settings are not present in the
config stanza, Agent will fall back to using TLS settings from the [`vault`
Stanza](/docs/agent#vault-stanza).
Stanza](/vault/docs/agent#vault-stanza).
## Configuration
- `name` `(string: optional)` - The trusted certificate role which should be used
when authenticating with TLS. If a `name` is not specified, the auth method will
try to authenticate against [all trusted certificates](/docs/auth/cert#authentication).
try to authenticate against [all trusted certificates](/vault/docs/auth/cert#authentication).
- `ca_cert` `(string: optional)` - Path on the local disk to a single
PEM-encoded CA certificate to verify the Vault server's SSL certificate.

View File

@ -7,7 +7,7 @@ description: CF Method for Vault Agent Auto-Auth
# Vault Agent Auto-Auth CF Method
The `cf` method performs authentication against the [CF Auth
method](/docs/auth/cf).
method](/vault/docs/auth/cf).
## Credentials

View File

@ -7,7 +7,7 @@ description: GCP Method for Vault Agent Auto-Auth
# Vault Agent Auto-Auth GCP Method
The `gcp` method performs authentication against the [GCP Auth
method](/docs/auth/gcp). Both `gce` and `iam`
method](/vault/docs/auth/gcp). Both `gce` and `iam`
authentication types are supported.
## Credentials

View File

@ -7,7 +7,7 @@ description: JWT Method for Vault Agent Auto-Auth
# Vault Agent Auto-Auth JWT Method
The `jwt` method reads in a JWT from a file and sends it to the [JWT Auth
method](/docs/auth/jwt).
method](/vault/docs/auth/jwt).
## Configuration

View File

@ -13,7 +13,7 @@ a Vault token for Kerberos entities. It reads in configuration and
identification information from the surrounding environment, and uses
it to authenticate to Vault.
For more on this auth method, see the [Kerberos auth method](/docs/auth/kerberos).
For more on this auth method, see the [Kerberos auth method](/vault/docs/auth/kerberos).
## Configuration

Some files were not shown because too many files have changed in this diff