Add token helper partial and pull into auth docs (#7220)

Jeff Mitchell 2019-07-30 15:58:32 -04:00 committed by GitHub
parent e118b41d09
commit fc79848856
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
17 changed files with 64 additions and 157 deletions

View File

@ -30,18 +30,8 @@ will be able to perform the login operation.
- `role` `(string: <required>)` - Name of the role. Must correspond with the name of the role reflected in the arn.
- `arn` `(string: <required>)` - The role's arn.
- `policies` `(array: [])` - Policies to be set on tokens issued using this
role.
- `ttl` `(string: "")` - The TTL period of tokens issued using this role,
provided as "1h", where hour is the largest suffix.
- `max_ttl` `(string: "")` - The maximum allowed lifetime of tokens issued using
this role.
- `period` `(string: "")` - If set, indicates that the token generated using
this role should never expire. The token should be renewed within the duration
specified by this value. At each renewal, the token's TTL will be set to the
value of this parameter.
- `bound_cidrs` `(string: "", or list: [])` If set, restricts usage of the
roles to client IPs falling within the range of the specified CIDR(s).
<%=partial("partials/tokenfields")%>
### Sample Payload
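Review bot: the include on the `<%=partial("partials/tokenfields")%>` line uses a different ERB form from the `<%= partial "partials/tokenfields" %>` form used in the other files touched by this commit; pick one so the include behaves identically everywhere. The hunk also drops `ttl`, `max_ttl`, `period`, `policies` and `bound_cidrs` without saying whether those names are still accepted; a one-line deprecation note pointing readers to the `token_`-prefixed names in the partial would avoid breaking existing callers who rely on this page.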
@ -224,4 +214,4 @@ $ curl \
"client_token": "c9368254-3f21-aded-8a6f-7c818e81b17a"
}
}
```
```

View File

@ -73,37 +73,17 @@ enabled while creating or updating a role.
- `secret_id_bound_cidrs` `(array: [])` - Comma-separated string or list of CIDR
blocks; if set, specifies blocks of IP addresses which can perform the login
operation.
- `token_bound_cidrs` `(array: [])` - Comma-separated string or list of CIDR
blocks; if set, specifies blocks of IP addresses which can use the auth tokens
generated by this role.
- `policies` `(array: [])` - Comma-separated list of policies set on tokens
issued via this AppRole.
- `secret_id_num_uses` `(integer: 0)` - Number of times any particular SecretID
can be used to fetch a token from this AppRole, after which the SecretID will
expire. A value of zero will allow unlimited uses.
- `secret_id_ttl` `(string: "")` - Duration in either an integer number of
seconds (`3600`) or an integer time unit (`60m`) after which any SecretID
expires.
- `token_num_uses` `(integer: 0)` - Number of times issued tokens can be used.
A value of 0 means unlimited uses.
- `token_ttl` `(string: "")` - Duration in either an integer number of seconds
(`3600`) or an integer time unit (`60m`) to set as the TTL for issued tokens
and at renewal time.
- `token_max_ttl` `(string: "")` - Duration in either an integer number of
seconds (`3600`) or an integer time unit (`60m`) after which the issued token
can no longer be renewed.
- `period` `(string: "")` - Duration in either an integer number of seconds
(`3600`) or an integer time unit (`60m`). If set, the token generated using
this AppRole is a _periodic_ token; so long as it is renewed it never expires,
but the TTL set on the token at each renewal is fixed to the value specified
here. If this value is modified, the token will pick up the new value at its
next renewal.
- `enable_local_secret_ids` `(bool: false)` - If set, the secret IDs generated
using this role will be cluster local. This can only be set during role
creation and once set, it can't be reset later.
- `token_type` `(string: "")` - The type of token that should be generated via
this role. Can be `service`, `batch`, or `default` to use the mount's default
(which unless changed will be `service` tokens).
<%=partial("partials/tokenfields")%>
### Sample Payload
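Review bot: the removed `token_bound_cidrs` text limited the CIDRs to use of the issued tokens, whereas the partial's `token_bound_cidrs` also gates the login itself ("can authenticate successfully"); since AppRole keeps a separate `secret_id_bound_cidrs` for login, the partial's wording overstates this field for AppRole and deserves a qualifying sentence here. The removed `period` text also stated that a modified value is picked up at the next renewal; that detail is absent from the partial's `token_period`.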

View File

@ -737,16 +737,6 @@ list in order to satisfy that constraint.
`resolve_aws_unique_ids` is `false`, you **must** specify a
`bound_iam_principal_arn` of `arn:aws:iam::123456789012:role/MyRoleName` for
authentication to work.
- `ttl` `(string: "")` - The TTL period of tokens issued using this role,
provided as "1h", where hour is the largest suffix.
- `max_ttl` `(string: "")` - The maximum allowed lifetime of tokens issued using
this role.
- `period` `(string: "")` - If set, indicates that the token generated using
this role should never expire. The token should be renewed within the duration
specified by this value. At each renewal, the token's TTL will be set to the
value of this parameter.
- `policies` `(array: [])` - Policies to be set on tokens issued using this
role.
- `allow_instance_migration` `(bool: false)` - If set, allows migration of the
underlying instance where the client resides. This keys off of pendingTime in
the metadata document, so essentially, this disables the client nonce check
@ -761,6 +751,8 @@ list in order to satisfy that constraint.
This only applies to authentications via the ec2 auth method. This is mutually
exclusive with `allow_instance_migration`.
<%=partial("partials/tokenfields")%>
### Sample Payload
```json

View File

@ -118,16 +118,6 @@ entities attempting to login.
### Parameters
- `name` `(string: <required>)` - Name of the role.
- `policies` `(array: [])` - Policies to be set on tokens issued using this
role.
- `ttl` `(string: "")` - The TTL period of tokens issued using this role in
seconds.
- `max_ttl` `(string: "")` - The maximum allowed lifetime of tokens
issued in seconds using this role.
- `period` `(string: "")` - If set, indicates that the token generated using
this role should never expire. The token should be renewed within the duration
specified by this value. At each renewal, the token's TTL will be set to the
value of this parameter.
- `bound_service_principal_ids` `(array: [])` - The list of Service Principal IDs
that login is restricted to.
- `bound_group_ids` `(array: [])` - The list of group ids that login is restricted
@ -140,6 +130,8 @@ entities attempting to login.
- `bound_scale_sets` `(array: [])` - The list of scale set names that the
login is restricted to.
<%= partial "partials/tokenfields" %>
### Sample Payload
```json

View File

@ -67,24 +67,11 @@ Sets a CA cert and associated parameters in a role name.
string or array of `oid:value`. Expects the extension value to be some type
of ASN1 encoded string. All conditions _must_ be met. Supports globbing on
`value`.
- `policies` `(string: "")` - A comma-separated list of policies to set on
tokens issued when authenticating against this CA certificate.
- `display_name` `(string: "")` - The `display_name` to set on tokens issued
when authenticating against this CA certificate. If not set, defaults to the
name of the role.
- `ttl` `(string: "")` - The TTL of the token, provided in either number of
seconds (`3600`) or a time duration (`1h`). If not provided, the token is
valid for the the mount or system default TTL time, in that order.
- `max_ttl` `(string: "")` - Duration in either number of seconds (`3600`) or a
time duration (`1h`) after which the issued token can no longer be renewed.
- `period` `(string: "")` - Duration in either number of seconds (`3600`) or a
time duration (`1h`). If set, the generated token is a periodic token; so long
as it is renewed it never expires unless `max_ttl` is also set, but the TTL
set on the token at each renewal is fixed to the value specified here. If this
value is modified, the token will pick up the new value at its next renewal.
- `bound_cidrs` `(string: "", or list: [])` If set, restricts usage of the
certificates to client IPs falling within the range of the specified
CIDR(s).
<%= partial "partials/tokenfields" %>
### Sample Payload
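Review bot: `display_name` is deleted here but neither new partial documents it, so if the cert role still accepts `display_name` it is now undocumented; restore it as a standalone bullet before the partial. The removed `period` description also noted that `max_ttl` still caps a periodic token; the partial expresses a hard cap only through `token_explicit_max_ttl`, so consider keeping that sentence on this page.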

View File

@ -111,23 +111,6 @@ entities attempting to login.
correspond to specific roles and will be rejected otherwise. Please see below
for more information.
- `ttl` `(string: "")` - The TTL period of tokens issued using this role. This
can be specified as an integer number of seconds or as a duration value like
"5m".
- `max_ttl` `(string: "")` - The maximum allowed lifetime of tokens issued in
seconds using this role. This can be specified as an integer number of seconds
or as a duration value like "5m".
- `period` `(string: "")` - If set, indicates that the token generated using
this role should never expire. The token should be renewed within the duration
specified by this value. At each renewal, the token's TTL will be set to the
value of this parameter. This can be specified as an integer number of seconds
or as a duration value like "5m".
- `policies` `(array: [default])` - The list of policies to be set on tokens
issued using this role.
- `bound_service_accounts` `(array: <required for iam>)` - An array of
service account emails or IDs that login is restricted to,
either directly or through an associated instance. If set to
@ -142,6 +125,8 @@ entities attempting to login.
`project-$PROJECT_ID`, `folder-$PROJECT_ID`, and `organization-$ORG_ID`
for the entities project and all its folder or organization ancestors. This
requires Vault to have IAM permission `resourcemanager.projects.get`.
<%= partial "partials/tokenfields" %>
#### `iam`-only Parameters

View File

@ -32,9 +32,8 @@ distinction between the `create` and `update` capabilities inside ACL policies.
of.
- `base_url` `(string: "")` - The API endpoint to use. Useful if you are running
GitHub Enterprise or an API-compatible authentication server.
- `ttl` `(string: "")` - Duration after which authentication will be expired.
- `max_ttl` `(string: "")` - Maximum duration after which authentication will
be expired.
<%= partial "partials/tokenfields" %>
### Sample Payload
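Review bot: before this change the GitHub config endpoint documented only `ttl` and `max_ttl`; the partial now lists `token_policies`, `token_bound_cidrs`, `token_num_uses`, `token_period`, `token_type` and the rest for it as well. Confirm the config endpoint actually accepts every field in both partials; documenting a field that a config path silently ignores would mislead operators who rely on, say, `token_bound_cidrs` as an access control.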

View File

@ -109,15 +109,6 @@ entities attempting to login. At least one of the bound values must be set.
- `user_claim` `(string: <required>)` - The claim to use to uniquely identify
the user; this will be used as the name for the Identity entity alias created
due to a successful login. The claim value must be a string.
- `policies` `(array: <optional>)` - Policies to be set on tokens issued using
this role.
- `ttl` `(int: <optional>)` - The initial/renewal TTL of tokens issued using
this role, in seconds.
- `max_ttl` `(int: <optional>)` - The maximum allowed lifetime of tokens issued
using this role, in seconds.
- `period` `(int: <optional>)` - If set, indicates that the token generated
using this role should never expire, but instead always use the value set
here as the TTL for every renewal.
- `clock_skew_leeway` `(int: <optional>)` - The amount of leeway to add to all claims to
account for clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled
if set to `-1`. Only applicable with "jwt" roles.
@ -127,13 +118,8 @@ entities attempting to login. At least one of the bound values must be set.
- `not_before_leeway` `(int: <optional>)` - The amount of leeway to add to not before (`nbf`) claims to
account for clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled
if set to `-1`. Only applicable with "jwt" roles.
- `num_uses` `(int: <optional>)` - If set, puts a use-count limitation on the
issued token.
- `bound_subject` `(string: <optional>)` - If set, requires that the `sub`
claim matches this value.
- `bound_cidrs` `(array: <optional>)` - If set, a list of CIDRs valid as the
source address for login requests. This value is also encoded into any
resulting token.
- `bound_claims` `(map: <optional>)` - If set, a map of claims/values to match against.
The expected value may be a single string or a list of strings.
- `groups_claim` `(string: <optional>)` - The claim to use to uniquely identify
@ -147,6 +133,8 @@ entities attempting to login. At least one of the bound values must be set.
- `allowed_redirect_uris` `(list: <required>)` - The list of allowed values for redirect_uri
during OIDC logins.
<%= partial "partials/tokenfields" %>
### Sample Payload
```json

View File

@ -107,16 +107,8 @@ entities attempting to login.
- `bound_service_account_namespaces` `(array: <required>)` - List of namespaces
allowed to access this role. If set to "\*" all namespaces are allowed, both
this and bound_service_account_names can not be set to "\*".
- `ttl` `(string: "")` - The TTL period of tokens issued using this role in
seconds.
- `max_ttl` `(string: "")` - The maximum allowed lifetime of tokens
issued in seconds using this role.
- `period` `(string: "")` - If set, indicates that the token generated using
this role should never expire. The token should be renewed within the duration
specified by this value. At each renewal, the token's TTL will be set to the
value of this parameter.
- `policies` `(array: [])` - Policies to be set on tokens issued using this
role.
<%= partial "partials/tokenfields" %>
### Sample Payload

View File

@ -77,6 +77,8 @@ This endpoint configures the LDAP auth method.
groupfilter queries returning _group_ objects, use: `cn`. For queries
returning _user_ objects, use: `memberOf`. The default is `cn`.
<%= partial "partials/tokenfields" %>
### Sample Request
```

View File

@ -35,13 +35,12 @@ distinction between the `create` and `update` capabilities inside ACL policies.
groups will be enabled.
- `base_url` `(string: "")` - If set, will be used as the base domain
for API requests. Examples are okta.com, oktapreview.com, and okta-emea.com.
- `ttl` `(string: "")` - Duration after which authentication will be expired.
- `max_ttl` `(string: "")` - Maximum duration after which authentication will
be expired.
- `bypass_okta_mfa` `(bool: false)` - Whether to bypass an Okta MFA request.
Useful if using one of Vault's built-in MFA mechanisms, but this will also
cause certain other statuses to be ignored, such as `PASSWORD_EXPIRED`.
<%= partial "partials/tokenfields" %>
### Sample Payload
```json

View File

@ -146,21 +146,12 @@ an instance must be a member of to qualify as a member of this role. Please note
every time you use `cf push` on an app, its instance ID changes. Also, instance IDs
are not verifiable as being presently alive using the PCF API. Thus, we recommend against
using this setting for most use cases.
- `bound_cidrs` `(array: [])` - Comma separated string or list of CIDR blocks.
If set, specifies the blocks of IP addresses which can perform the login operation.
- `policies` `(array: [])` - Policies to be set on tokens issued using this role.
- `disable_ip_matching` `(bool: false)` - If set to true, disables the default behavior
that logging in must be performed from an acceptable IP address described by the
certificate presented. Should only be set to true if required, generally when a proxy
is used to perform logins.
- `ttl` `(string: "")` - The TTL period of tokens issued using this role,
provided as "1h", where hour is the largest suffix.
- `max_ttl` `(string: "")` - The maximum allowed lifetime of tokens issued using
this role.
- `period` `(string: "")` - If set, indicates that the token generated using
this role should never expire. The token should be renewed within the duration
specified by this value. At each renewal, the token's TTL will be set to the
value of this parameter.
<%= partial "partials/tokenfields" %>
### Sample Payload

View File

@ -40,6 +40,8 @@ RADIUS.
- `nas_port` `(integer: 10)` - The NAS-Port attribute of the RADIUS request.
Defaults is 10.
<%= partial "partials/tokenfields" %>
### Sample Payload
```json
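Review bot: minor, but the context line `Defaults is 10.` directly above the inserted partial should read `Default is 10.`; worth fixing while this file is being touched.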

View File

@ -678,19 +678,9 @@ tokens created against a role to be revoked using the
- `orphan` `(bool: false)` - If `true`, tokens created against this policy will
be orphan tokens (they will have no parent). As such, they will not be
automatically revoked by the revocation of any other token.
- `period` `(string: "")` - If specified, the token will be periodic; it will have
no maximum TTL (unless an "explicit-max-ttl" is also set) but every renewal
will use the given period. Requires a root/sudo token to use.
- `renewable` `(bool: true)` - Set to `false` to disable the ability of the token
to be renewed past its initial TTL. Setting the value to `true` will allow
the token to be renewable up to the system/mount maximum TTL.
- `explicit_max_ttl` `(int: 0)` - Provides a maximum lifetime for any
tokens issued against this role, including periodic tokens. Unlike direct
token creation, where the value for an explicit max TTL is stored in the
token, for roles this check will always use the current value set in the
role. The main use of this is to provide a hard upper bound on periodic
tokens, which otherwise can live forever as long as they are renewed. This is
an integer number of seconds.
- `path_suffix` `(string: "")` - If set, tokens created against this role will
have the given suffix as part of their path in addition to the role name. This
can be useful in certain scenarios, such as keeping the same role name in the
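Review bot: `renewable` `(bool: true)` is removed but neither `partials/tokenfields` nor `partials/tokenstorefields` documents a `renewable` field, so the token role's renewability setting disappears from the docs; keep it as a standalone bullet. The removed `period` text also carried "Requires a root/sudo token to use"; that privilege requirement is gone from the partial's `token_period`, and readers of this page should still be told that creating a periodic token role needs sudo.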
@ -698,22 +688,12 @@ tokens created against a role to be revoked using the
The suffix can be changed, allowing new callers to have the new suffix as part
of their path, and then tokens with the old suffix can be revoked via
`/sys/leases/revoke-prefix`.
- `bound_cidrs` `(string: "", or list: [])` If set, restricts usage of the
generated token to client IPs falling within the range of the specified
CIDR(s). Unlike most other role parameters, this is not reevaluated from the
current role value at each usage; it is set on the token itself. Root tokens
with no TTL will not be bound by these CIDRs; root tokens with TTLs will be
bound by these CIDRs.
- `token_type` `(string: "")` Specifies the type of tokens that should be
returned by the role. If either `service` or `batch` is specified, that kind
of token will always be returned. If `default-service`, `service` tokens will
be returned unless the client requests a `batch` type token at token creation
time. If `default-batch`, `batch` tokens will be returned unless the client
requests a `service` type token at token creation time.
- `allowed_entity_aliases` `(string: "", or list: [])` - String or JSON list
of allowed entity aliases. If set, specifies the entity aliases which are
allowed to be used during token generation. This field supports globbing.
<%= partial "partial/tokenstorefields" %>
### Sample Payload
```json
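Review bot: the include path `partial/tokenstorefields` is missing the `s`; the new file is referenced as `partials/tokenstorefields` from `partials/tokenfields`, so this page will fail to render the shared fields. Separately, the removed `bound_cidrs` text stated that root tokens without a TTL are not bound by the CIDRs while root tokens with TTLs are; that caveat is not in the partial's `token_bound_cidrs` and is worth keeping here because it changes what the restriction actually protects.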

View File

@ -31,13 +31,8 @@ Create a new user or update an existing user. This path honors the distinction b
- `username` `(string: <required>)` The username for the user.
- `password` `(string: <required>)` - The password for the user. Only required
when creating the user.
- `policies` `(string: "")` Comma-separated list of policies. If set to empty
string, only the `default` policy will be applicable to the user.
- `ttl` `(string: "")` - The lease duration which decides login expiration.
- `max_ttl` `(string: "")` - Maximum duration after which login should expire.
- `bound_cidrs` `(string: "", or list: [])` If set, restricts usage of the
login and token to client IPs falling within the range of the specified
CIDR(s).
<%= partial "partials/tokenfields" %>
### Sample Payload

View File

@ -0,0 +1,11 @@
- `token_ttl` `(integer: 0 or string: "")` - The incremental lifetime for
generated tokens. This current value of this will be referenced at renewal
time.
- `token_max_ttl` `(integer: 0 or string: "")` - The maximum lifetime for
generated tokens. This current value of this will be referenced at renewal
time.
- `token_policies` `(array: [] or comma-delimited string: "")` - List of
policies to encode onto generated tokens. Depending on the auth method, this
list may be supplemented by user/group/other values.
<%= partial "partials/tokenstorefields" %>
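Review bot: "This current value of this will be referenced at renewal time." (under both `token_ttl` and `token_max_ttl`) has a doubled "this"; suggest "The current value of this field is referenced at renewal time." Also consider stating that both fields accept an integer number of seconds (`3600`) or a duration string (`60m`), as the removed per-method text did, since the type column alone does not say what the string format is.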

View File

@ -0,0 +1,22 @@
- `token_bound_cidrs` `(array: [] or comma-delimited string: "")` - List of
CIDR blocks; if set, specifies blocks of IP addresses which can authenticate
successfully, and ties the resulting token to these blocks as well.
- `token_explicit_max_ttl` `(integer: 0 or string: "")` - If set, will encode
an [explicit max
TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
onto the token. This is a hard cap even if `token_ttl` and `token_max_ttl`
would otherwise allow a renewal.
- `token_no_default_policy` `(bool: false)` - If set, the `default` policy will
not be set on generated tokens; otherwise it will be added to the policies set
in `token_policies`.
- `token_num_uses` `(integer: 0)` - The maximum number of times a generated
token may be used (within its lifetime); 0 means unlimited.
- `token_period` `(integer: 0 or string: "")` - The
[period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls),
if any, to set on the token.
- `token_type` `(string: "")` - The type of token that should be generated. Can
be `service`, `batch`, or `default` to use the mount's tuned default (which
unless changed will be `service` tokens). For token store roles, there are two
additional possibilities: `default-service` and `default-batch` which specify
the type to return unless the client requests a different type at generation
time.
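Review bot: `token_explicit_max_ttl` says the value "will encode an explicit max TTL onto the token", but the token-role text removed earlier in this commit says that for roles the check always uses the current value set in the role rather than a value stored on the token. One of the two is wrong for the token store; align the partial with the actual behaviour or add a role-specific qualifier on the token role page. Likewise, `token_bound_cidrs` here loses the removed note that the CIDRs are set on the token itself and not reevaluated from the role at each use.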