--- layout: docs page_title: secrets tune - Command description: |- The "secrets tune" command tunes the configuration options for the secrets engine at the given PATH. --- # secrets tune The `secrets tune` command tunes the configuration options for the secrets engine at the given PATH. The argument corresponds to the PATH where the secrets engine is enabled, not the type. ## Examples Before tuning the secret mount, view the current configuration of the mount enabled at "pki/": ```shell-session $ vault read sys/mounts/pki/tune Key Value --- ----- default_lease_ttl 12h description Example PKI mount force_no_cache false max_lease_ttl 24h ``` Tune the default lease, exclude `common_name` and `serial_number` from being HMAC'd in the audit log for the PKI secrets engine: ```shell-session $ vault secrets tune -default-lease-ttl=18h -audit-non-hmac-request-keys=common_name -audit-non-hmac-response-keys=serial_number pki/ Success! Tuned the secrets engine at: pki/ $ vault read sys/mounts/pki/tune Key Value --- ----- audit_non_hmac_request_keys [common_name] audit_non_hmac_response_keys [serial_number] default_lease_ttl 18h description Example PKI mount force_no_cache false max_lease_ttl 24h ``` Specify multiple audit non-hmac request keys: ```shell-session $ vault secrets tune -audit-non-hmac-request-keys=common_name -audit-non-hmac-request-keys=ttl pki/ ``` ## Usage The following flags are available in addition to the [standard set of flags](/docs/commands) included on all commands. - `-allowed-response-headers` `(string: "")` - response header values that the secrets engine will be allowed to set. Note that multiple keys may be specified by providing this option multiple times, each time with 1 key. - `-audit-non-hmac-request-keys` `(string: "")` - Key that will not be HMAC'd by audit devices in the request data object. Note that multiple keys may be specified by providing this option multiple times, each time with 1 key. - `-audit-non-hmac-response-keys` `(string: "")` - Key that will not be HMAC'd by audit devices in the response data object. Note that multiple keys may be specified by providing this option multiple times, each time with 1 key. - `-default-lease-ttl` `(duration: "")` - The default lease TTL for this secrets engine. If unspecified, this defaults to the Vault server's globally configured default lease TTL, or a previously configured value for the secrets engine. Uses [duration format strings](/docs/concepts/duration-format). - `-description` `(string: "")` - Specifies the description of the mount. This overrides the current stored value, if any. - `-listing-visibility` `(string: "")` - The flag to toggle whether to show the mount in the UI-specific listing endpoint. Valid values are `"unauth"` or `"hidden"`. Passing empty string leaves the current setting unchanged. - `-max-lease-ttl` `(duration: "")` - The maximum lease TTL for this secrets engine. If unspecified, this defaults to the Vault server's globally configured [maximum lease TTL](/docs/configuration#max_lease_ttl), or a previously configured value for the secrets engine. This value is allowed to override the server's global max TTL; it can be longer or shorter. Uses [duration format strings](/docs/concepts/duration-format). - `-passthrough-request-headers` `(string: "")` - request header values that will be sent to the secrets engine. Note that multiple keys may be specified by providing this option multiple times, each time with 1 key. - `-allowed-managed-keys` `(string: "")` - Managed key name(s) that the mount in question is allowed to access. Note that multiple keys may be specified either by providing the key names as a comma separated string or by providing this option multiple times, each time with 1 key.