ec4d013047
* add tip for how to force a secrets engine disable * add warning to force disable secrets instructions * clean up wording * add force secrets engine disable info to api doc * Update website/content/api-docs/system/mounts.mdx Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com> * Update website/content/api-docs/system/mounts.mdx Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com> * Update website/content/api-docs/system/mounts.mdx Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com> * Update website/content/api-docs/system/mounts.mdx Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com> * Update website/content/api-docs/system/mounts.mdx Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com> * Update website/content/docs/commands/secrets/disable.mdx Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com> * Update website/content/docs/commands/secrets/disable.mdx Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com> * feedback updates * impl taoism feedback Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
50 lines
1.8 KiB
Plaintext
50 lines
1.8 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: secrets disable - Command
|
|
description: |-
|
|
The "secrets disable" command disables an secrets engine at a given PATH. The
|
|
argument corresponds to the enabled PATH of the engine, not the TYPE! All
|
|
secrets created by this engine are revoked and its Vault data is removed.
|
|
---
|
|
|
|
# secrets disable
|
|
|
|
The `secrets disable` command disables an secrets engine at a given PATH. The
|
|
argument corresponds to the enabled PATH of the engine, not the TYPE! All
|
|
secrets created by this engine are revoked and its Vault data is removed.
|
|
|
|
When a secrets engine is disabled, **all secrets generated via the secrets
|
|
engine are immediately revoked.** Care should be taken when disabling a
|
|
secret mount with a large number of secrets, as it can cause a high load on
|
|
the system during revocation time.
|
|
|
|
## Examples
|
|
|
|
Disable the secrets engine enabled at aws/:
|
|
|
|
```shell-session
|
|
$ vault secrets disable aws/
|
|
```
|
|
|
|
## Usage
|
|
|
|
There are no flags beyond the [standard set of flags](/docs/commands)
|
|
included on all commands.
|
|
|
|
## Force Disable
|
|
|
|
Because `secrets disable` revokes secrets associated with this mount, possible
|
|
errors can prevent the secrets engine from being disabled if the revocation
|
|
fails.
|
|
|
|
The best way to resolve this is to figure out the underlying issue and then
|
|
disable the secrets engine once the underlying issue is resolved. Often, this
|
|
can be as simple as increasing the timeout (in the event of timeout errors).
|
|
|
|
For recovery situations where the secret was manually removed from the
|
|
secrets backing service, one can force a secrets engine disable in Vault by
|
|
performing a [prefix force revoke](/docs/commands/lease/revoke) on the mount
|
|
prefix, followed by a `secrets disable` when that completes.
|
|
If the underlying secrets were not manually cleaned up, this method might result
|
|
in dangling credentials. This is meant for extreme circumstances.
|