--- layout: api page_title: /sys/mounts - HTTP API sidebar_title: /sys/mounts description: The `/sys/mounts` endpoint is used manage secrets engines in Vault. --- # `/sys/mounts` The `/sys/mounts` endpoint is used manage secrets engines in Vault. ## List Mounted Secrets Engines This endpoints lists all the mounted secrets engines. | Method | Path | | :----- | :------------ | | `GET` | `/sys/mounts` | ### Sample Request ``` $ curl \ --header "X-Vault-Token: ..." \ http://127.0.0.1:8200/v1/sys/mounts ``` ### Sample Response ```json { "request_id": "48d2c601-97a0-3904-f549-4fcbc740d718", "lease_id": "", "lease_duration": 0, "renewable": false, "data": { "cubbyhole/": { "accessor": "cubbyhole_eb4503de", "config": { "default_lease_ttl": 0, "force_no_cache": false, "max_lease_ttl": 0 }, "description": "per-token private secret storage", "external_entropy_access": false, "local": true, "options": null, "seal_wrap": false, "type": "cubbyhole", "uuid": "79ddaa52-fa07-6f19-653a-f0777f6439fd" }, "identity/": { "accessor": "identity_68a03448", "config": { "default_lease_ttl": 0, "force_no_cache": false, "max_lease_ttl": 0 }, "description": "identity store", "external_entropy_access": false, "local": false, "options": null, "seal_wrap": false, "type": "identity", "uuid": "45f79a67-58f7-3f87-892c-9032084e7801" }, "secret/": { "accessor": "kv_aedd93c1", "config": { "default_lease_ttl": 0, "force_no_cache": false, "max_lease_ttl": 0 }, "description": "key/value secret storage", "external_entropy_access": false, "local": false, "options": { "version": "2" }, "seal_wrap": false, "type": "kv", "uuid": "8074a73f-6921-c0cd-589a-016405dc46ec" }, "sys/": { "accessor": "system_f8df2902", "config": { "default_lease_ttl": 0, "force_no_cache": false, "max_lease_ttl": 0, "passthrough_request_headers": [ "Accept" ] }, "description": "system endpoints used for control, policy and debugging", "external_entropy_access": false, "local": false, "options": null, "seal_wrap": false, "type": "system", "uuid": "c79f4f66-4cfa-4521-9d31-b1238b0a6800" } }, "warnings": null } ``` `default_lease_ttl` or `max_lease_ttl` values of 0 mean that the system defaults are used by this backend. ## Enable Secrets Engine This endpoint enables a new secrets engine at the given path. | Method | Path | | :----- | :------------------ | | `POST` | `/sys/mounts/:path` | ### Parameters - `path` `(string: )` – Specifies the path where the secrets engine will be mounted. This is specified as part of the URL. !> **NOTE:** Use ASCII printable characters to specify the desired path. - `type` `(string: )` – Specifies the type of the backend, such as "aws". - `description` `(string: "")` – Specifies the human-friendly description of the mount. - `config` `(map: nil)` – Specifies configuration options for this mount; if set on a specific mount, values will override any global defaults (e.g. the system TTL/Max TTL) - `default_lease_ttl` `(string: "")` - The default lease duration, specified as a string duration like "5s" or "30m". - `max_lease_ttl` `(string: "")` - The maximum lease duration, specified as a string duration like "5s" or "30m". - `force_no_cache` `(bool: false)` - Disable caching. - `audit_non_hmac_request_keys` `(array: [])` - Comma-separated list of keys that will not be HMAC'd by audit devices in the request data object. - `audit_non_hmac_response_keys` `(array: [])` - Comma-separated list of keys that will not be HMAC'd by audit devices in the response data object. - `listing_visibility` `(string: "")` - Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are `"unauth"` or `"hidden"`. If not set, behaves like `"hidden"`. - `passthrough_request_headers` `(array: [])` - Comma-separated list of headers to whitelist and pass from the request to the plugin. - `allowed_response_headers` `(array: [])` - Comma-separated list of headers to whitelist, allowing a plugin to include them in the response. - `options` `(map: nil)` - Specifies mount type specific options that are passed to the backend. _Key/Value (KV)_ - `version` `(string: "1")` - The version of the KV to mount. Set to "2" for mount KV v2. Additionally, the following options are allowed in Vault open-source, but relevant functionality is only supported in Vault Enterprise: - `local` `(bool: false)` – Specifies if the secrets engine is a local mount only. Local mounts are not replicated nor (if a secondary) removed by replication. - `seal_wrap` `(bool: false)` - Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability. - `external_entropy_access` `(bool: false)` - Enable the secrets engine to access Vault's external entropy source. ### Sample Payload ```json { "type": "aws", "config": { "force_no_cache": true } } ``` ### Sample Request ``` $ curl \ --header "X-Vault-Token: ..." \ --request POST \ --data @payload.json \ http://127.0.0.1:8200/v1/sys/mounts/my-mount ``` ## Disable Secrets Engine This endpoint disables the mount point specified in the URL. | Method | Path | | :------- | :------------------ | | `DELETE` | `/sys/mounts/:path` | `204 (empty body)` | ### Sample Request ``` $ curl \ --header "X-Vault-Token: ..." \ --request DELETE \ http://127.0.0.1:8200/v1/sys/mounts/my-mount ``` ## Read Mount Configuration This endpoint reads the given mount's configuration. Unlike the `mounts` endpoint, this will return the current time in seconds for each TTL, which may be the system default or a mount-specific value. | Method | Path | | :----- | :----------------------- | | `GET` | `/sys/mounts/:path/tune` | ### Sample Request ``` $ curl \ --header "X-Vault-Token: ..." \ http://127.0.0.1:8200/v1/sys/mounts/my-mount/tune ``` ### Sample Response ```json { "default_lease_ttl": 3600, "max_lease_ttl": 7200, "force_no_cache": false } ``` ## Tune Mount Configuration This endpoint tunes configuration parameters for a given mount point. | Method | Path | | :----- | :----------------------- | | `POST` | `/sys/mounts/:path/tune` | ### Parameters - `default_lease_ttl` `(int: 0)` – Specifies the default time-to-live. This overrides the global default. A value of `0` is equivalent to the system default TTL. - `max_lease_ttl` `(int: 0)` – Specifies the maximum time-to-live. This overrides the global default. A value of `0` are equivalent and set to the system max TTL. - `description` `(string: "")` – Specifies the description of the mount. This overrides the current stored value, if any. - `audit_non_hmac_request_keys` `(array: [])` - Specifies the comma-separated list of keys that will not be HMAC'd by audit devices in the request data object. - `audit_non_hmac_response_keys` `(array: [])` - Specifies the comma-separated list of keys that will not be HMAC'd by audit devices in the response data object. - `listing_visibility` `(string: "")` - Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are `"unauth"` or `"hidden"`. If not set, behaves like `"hidden"`. - `passthrough_request_headers` `(array: [])` - Comma-separated list of headers to whitelist and pass from the request to the plugin. - `allowed_response_headers` `(array: [])` - Comma-separated list of headers to whitelist, allowing a plugin to include them in the response. ### Sample Payload ```json { "default_lease_ttl": 1800, "max_lease_ttl": 3600 } ``` ### Sample Request ``` $ curl \ --header "X-Vault-Token: ..." \ --request POST \ --data @payload.json \ http://127.0.0.1:8200/v1/sys/mounts/my-mount/tune ```