Commit graph

2321 commits

Author SHA1 Message Date
Saurabh Pal 77e635f7e1 Enable TLS based communication with Zookeeper Backend (#4856)
* The added method customTLSDial() creates a tls connection to the zookeeper backend when 'tls_enabled' is set to true in config

* Update to the document for TLS configuration that is  required to enable TLS connection to Zookeeper backend

* Minor formatting update

* Minor update to the description for example config

* As per review comments from @kenbreeman, additional property description indicating support for multiple Root CAs in a single file has been added

* minor formatting
2018-10-01 14:12:08 -07:00
Brian Kassouf 5f34bbbe6d
Update replication-performance.html.md 2018-10-01 13:59:50 -07:00
Brian Kassouf 45c8894c0d
Update replication-dr.html.md 2018-10-01 13:59:17 -07:00
Brian Kassouf 03cf7958ad
Update replication-dr.html.md 2018-10-01 12:53:20 -07:00
Brian Kassouf e6b337b06f
Update replication-performance.html.md 2018-10-01 12:52:44 -07:00
Becca Petrin d1904e972f Discuss ambient credentials in namespaces (#5431)
* discuss ambient credentials in namespaces

* update aws cred chain description
2018-10-01 15:23:54 -04:00
Chris Pick 36c20e8e2d Note that GCP auth method needs iam API enabled (#5339)
In addition to the specific permissions that are already mentioned, the project also needs the `iam.googleapis.com` API enabled, otherwise authenticating will fail with an error similar to:

```
Error authenticating: Error making API request.

URL: PUT https://localhost:8200/v1/auth/gcp/login
Code: 400. Errors:

* could not find service account key or Google Oauth cert with given 'kid' id
```
2018-10-01 10:09:32 -07:00
Brian Shumate d62d482033 Guide/Identity: use consistent id/accessor example to fix #5340 (#5432) 2018-09-28 17:43:15 -04:00
Mike Christof f7bf4a4384 fixed read-entity-by-name code (#5422) 2018-09-28 07:23:46 -07:00
Calvin Leung Huang 253d999c55 docs: Update CLI page to include namespace and flags info (#5363) 2018-09-27 17:08:14 -07:00
joe miller d39ffc9e25 add allowed_organiztaional_units parameter to cert credential backend (#5252)
Specifying the `allowed_organiztaional_units` parameter to a cert auth
backend role will require client certificates to contain at least one of
a list of one or more "organizational units" (OU).

Example use cases:

Certificates are issued to entities in an organization arrangement by
organizational unit (OU). The OU may be a department, team, or any other logical
grouping of resources with similar roles. The entities within the OU
should be granted the same policies.

```
$ vault write auth/cert/certs/ou-engineering \
    certificate=@ca.pem \
    policies=engineering \
    allowed_organiztaional_units=engineering

$ vault write auth/cert/certs/ou-engineering \
    certificate=@ca.pem \
    policies=engineering \
    allowed_organiztaional_units=engineering,support
```
2018-09-27 19:04:55 -05:00
Andy Manoske 32feda57fb
Broken link fix
Fix broken links
2018-09-26 19:48:07 -07:00
Andy Manoske d42a78a2b1
partnerships-format
Some small formatting fixes
2018-09-26 19:41:27 -07:00
Andy Manoske 05f51a4332
Fix header issues
Fix partnerships docs formatting issues
2018-09-26 19:30:28 -07:00
Andy Manoske ab1494389c
Merge branch 'master' into partnerships-add-docs 2018-09-26 19:17:26 -07:00
Andy Manoske 860a655814
Update community.html.erb 2018-09-26 19:16:56 -07:00
Andy Manoske 8b9160035c
Delete partnerships.html.erb 2018-09-26 19:14:06 -07:00
Andy Manoske ece77e4789
Update guides.erb 2018-09-26 19:12:03 -07:00
Andy Manoske 367d75c089
Create index.html.md 2018-09-26 19:06:22 -07:00
Andy Manoske d63e66a902
Update partnerships.html.erb 2018-09-26 18:56:48 -07:00
Jim Kalafut 462dc06a88 operator migrate docs (#5400)
* operator migrate docs

* Address feedback

* Fix title
2018-09-26 10:55:04 -07:00
Joel Thompson 2dc468f4d1 auth/aws: Make identity alias configurable (#5247)
* auth/aws: Make identity alias configurable

This is inspired by #4178, though not quite exactly what is requested
there. Rather than just use RoleSessionName as the Identity alias, the
full ARN is uses as the Alias. This mitigates against concerns that an
AWS role with an insufficiently secured trust policy could allow an
attacker to generate arbitrary RoleSessionNames in AssumeRole calls to
impersonate anybody in the Identity store that had an alias set up.
By using the full ARN, the owner of the identity store has to explicitly
trust specific AWS roles in specific AWS accounts to generate an
appropriate RoleSessionName to map back to an identity.

Fixes #4178

* Respond to PR feedback

* Remove CreateOperation

Response to PR feedback
2018-09-26 08:27:12 -07:00
Joel Thompson 5e6f8904d8 Add AWS Secret Engine Root Credential Rotation (#5140)
* Add AWS Secret Engine Root Credential Rotation

This allows the AWS Secret Engine to rotate its credentials used to
access AWS. This will only work when the AWS Secret Engine has been
provided explicit IAM credentials via the config/root endpoint, and
further, when the IAM credentials provided are the only access key on
the IAM user associated wtih the access key (because AWS allows a
maximum of 2 access keys per user).

Fixes #4385

* Add test for AWS root credential rotation

Also fix a typo in the root credential rotation code

* Add docs for AWS root rotation

* Add locks around reading and writing config/root

And wire the backend up in a bunch of places so the config can get the
lock

* Respond to PR feedback

* Fix casing in error messages

* Fix merge errors

* Fix locking bugs
2018-09-26 07:10:00 -07:00
Clint fec3b70374
Allow force restore for Transit Key Restores (#5382)
* Add test file for testing path_restore in Transit backend. Fails because 'force' is not implemented yet

* initial implementation of 'force', to force restore of existing transit key atomically
2018-09-25 15:20:59 -05:00
Vishal Nayak 68a496dde4
Support operating on entities and groups by their names (#5355)
* Support operating on entities and groups by their names

* address review feedback
2018-09-25 12:28:28 -07:00
Becca Petrin b427a23bbb
update ffi (#5395) 2018-09-25 11:26:58 -07:00
emily b37b8b7edf Docs PR for GCP secrets backend access token changes (#5366)
* initial docs pass

* fix docs
2018-09-21 10:31:49 -07:00
Brian Shumate b43c52d89b Add Enterprise Replication metrics (#3981) 2018-09-21 12:01:44 -04:00
Brian Shumate 25d6d03222 Docs: update policy read API output to address #5298 (#5299) 2018-09-21 10:52:46 -04:00
Brian Shumate 7d692ee614 Update screenshot (#5378)
- Use a Vault dashboard example (previous example was for Consul)
- Rename image file
2018-09-21 09:53:49 -04:00
Roman Iuvshyn 0832153f7d fixes file path option in samples (#5377)
fixes file path option in samples
2018-09-20 15:55:20 -07:00
Yoko 3600f3dfa5
[Guide] Tokens & Leases guide **Correction** (#5375)
* Added Azure Key Vault

* Corrected the info about orphan token creation
2018-09-20 13:58:29 -07:00
Calvin Leung Huang 189b893b35
Add ability to provide env vars to plugins (#5359)
* Add ability to provide env vars to plugins

* Update docs

* Update docs with examples

* Refactor TestAddTestPlugin, remove TestAddTestPluginTempDir
2018-09-20 10:50:29 -07:00
Brian Shumate 74ec835b3b Docs: update Tidy API (#5374)
- Add a sample response to /auth/token/tidy API docs
- Document /auth/approle/tidy/secret-id API docs
2018-09-20 13:25:33 -04:00
Laura Gjerman-Uva 6fcf6ea6fe Add -dr-token flag to commands to generate OTP and decode with OTP (required on DR secondary as of 0.11) (#5368) 2018-09-20 09:19:01 -07:00
Richard Lane 43837ecdf1 Documentation correction - update list identity whitelist sample request (#5369)
Path was incorrectly referencing the roletag-blacklist

Updated the sample to match the correct path
2018-09-19 21:21:57 -07:00
Becca Petrin d05484b586
AliCloud Secrets Docs (#5351) 2018-09-19 08:42:59 -07:00
Jeff Mitchell 43aebacfa8 Fix default_max_request_duration HCL name and update docs (#5321)
* Fix default_max_request_duration HCL name and update docs

* Update tcp.html.md
2018-09-18 14:30:21 -07:00
Yoko 512b64ad77
[Guide] Secure Introduction - Update (#5323)
* Adding Vault Agent to the Secure Intro guide

* Incorporated the feedback

* Deleted extra spaces

* methods -> approaches
2018-09-14 13:51:23 -07:00
Yoko 2cc8610abb
[Guide] Namespaces policy (#5296)
* Added policy info

* Fixed the API URL

* Added webinar recording as a reference material
2018-09-14 11:23:46 -07:00
Evan Grim 7f5c193ace Fix small grammatical error in plugin docs (#5334) 2018-09-13 14:23:24 -07:00
Yoko 04a0dd6d0e
ACL Policy Templating -> ACL Policy Path Templating (#5330) 2018-09-12 16:14:31 -07:00
Clint 5f5af90dfe
Update AWS auth backend iam_request_headers to be TypeHeader (#5320)
Update AWS Auth backend to use TypeHeader for iam request headers

- Remove parseIamRequestHeaders function and test, no longer needed with new TypeHeader
- Update AWS auth login docs
2018-09-12 16:16:16 -05:00
Becca Petrin b2ff87c9c2
Poll for new creds in the AWS auth agent (#5300) 2018-09-12 13:30:57 -07:00
Brian Shumate 168b956fbb Docs: clarify max_ttl in Database Secrets Create (#5311)
- Clarify max_ttl on Database Secrets Create API
- Crosslink to TTL general case docs
2018-09-11 19:55:15 -04:00
Jeremy Gerson 7c51265de9 Update pki-engine.html.md (#5322) 2018-09-11 19:49:31 -04:00
Yoko 7683aa3e57
[Guide] Performance Standby Nodes (#5272)
* Performance Standby Nodes guide

* Added a link in the Vault HA guide

* Added links

* Clarified the node selection info

* Incorporated feedback

* Added 'when the Enterprise license includes this feature'

* Fixed the label: server 8 -> VM8

* Incorporated the feedback
2018-09-11 15:22:36 -07:00
Jeff Mitchell d96d10957c Update some text around encrypting with agent 2018-09-11 15:05:44 -04:00
Becca Petrin 625592c5e6
update to match aws (#5315) 2018-09-11 11:10:50 -07:00
Brian Shumate 67bd5e460b Docs: namespaces edit lookup subcommand text (#5310)
* Docs: namespaces edit lookup subcommand text

* precise
2018-09-10 11:56:01 -04:00