f885d97774
* VAULT-2285 adding capability to accept comma-separated entries for auth enable/tune
* Adding changelog
* Adding logic to detect invalid input parameter for auth enable config
* Updating tune.mdx
* Updating secret enable/tune for comma-separated parameters
* Adding further parameter checks for auth/secret tests. Fixing changelog using builtin type for a switch statement. Fixing a possible panic scenario
* Changing a function name, using deep.Equal instead of what reflect package provides
* Fixing auth/secret enable/tune mdx files
* One more mdx file fix
* Only when users provide a single comma-separated string in a curl command, split the entries by commas
* Fixing API docs for auth/mount enable/tune for comma-separated entries
* Updating docs, removing an unnecessary switch case
101 lines
3.8 KiB
Plaintext
---
layout: docs
page_title: secrets enable - Command
description: |-
  The "secrets enable" command enables a secrets engine at a given path. If a
  secrets engine already exists at the given path, an error is returned. After
  the secrets engine is enabled, it usually needs configuration. The
  configuration varies by secrets engine.
---

# secrets enable

The `secrets enable` command enables a secrets engine at a given path. If a
secrets engine already exists at the given path, an error is returned. After the
secrets engine is enabled, it usually needs configuration. The configuration
varies by secrets engine.

By default, secrets engines are enabled at the path corresponding to their TYPE,
but users can customize the path using the `-path` option.

Some secrets engines persist data, some act as data pass-through, and some
generate dynamic credentials. The secrets engine will likely require
configuration after it is mounted. For details on the specific configuration
options, please see the [secrets engine
documentation](/docs/secrets).

## Examples

Enable the AWS secrets engine at "aws/":

```shell-session
$ vault secrets enable aws
Success! Enabled the aws secrets engine at: aws/
```

Enable the SSH secrets engine at "ssh-prod/":

```shell-session
$ vault secrets enable -path=ssh-prod ssh
```

Enable the database secrets engine with an explicit maximum TTL of 30m:

```shell-session
$ vault secrets enable -max-lease-ttl=30m database
```

Enable a custom plugin (after it is registered in the plugin registry):

```shell-session
$ vault secrets enable -path=my-secrets my-plugin
```

For more information on the specific configuration options and paths, please see
the [secrets engine](/docs/secrets) documentation.

## Usage

The following flags are available in addition to the [standard set of
flags](/docs/commands) included on all commands.

- `-audit-non-hmac-request-keys` `(string: "")` - Key that will not be HMAC'd
  by audit devices in the request data object. The value of such a key is
  written to the audit log unhashed, so only list fields that are safe to
  expose there. Note that multiple keys may be specified by providing this
  option multiple times, each time with 1 key. An example of this is provided
  in the [tune section](/docs/commands/secrets/tune).

- `-audit-non-hmac-response-keys` `(string: "")` - Key that will not be HMAC'd
  by audit devices in the response data object. As with request keys, the
  value is written to the audit log unhashed. Note that multiple keys may be
  specified by providing this option multiple times, each time with 1 key.

- `-default-lease-ttl` `(duration: "")` - The default lease TTL for this secrets
  engine. If unspecified, this defaults to the Vault server's globally
  configured default lease TTL.

- `-description` `(string: "")` - Human-friendly description for the purpose of
  this engine.

- `-force-no-cache` `(bool: false)` - Force the secrets engine to disable
  caching. If unspecified, this defaults to the Vault server's globally
  configured cache settings. This does not affect caching of the underlying
  encrypted data storage.

- `-local` `(bool: false)` - Mark the secrets engine as local-only. Local
  engines are not replicated or removed by replication.

- `-max-lease-ttl` `(duration: "")` - The maximum lease TTL for this secrets
  engine. If unspecified, this defaults to the Vault server's globally
  configured maximum lease TTL.

- `-path` `(string: "")` - Place where the secrets engine will be accessible. This
  must be unique across all secrets engines. This defaults to the "type" of the
  secrets engine.

- `-passthrough-request-headers` `(string: "")` - Request header values that will
  be sent to the secrets engine. Note that multiple headers may be
  specified by providing this option multiple times, each time with 1 header.

- `-allowed-response-headers` `(string: "")` - Response header values that the secrets
  engine will be allowed to set. Note that multiple headers may be
  specified by providing this option multiple times, each time with 1 header.
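
Several of the flags above take one value per occurrence, so a list that is
kept as a single comma-separated string (in a CI variable, for instance) has
to be expanded into repeated flags before it reaches `vault secrets enable`.
The following POSIX shell script is an added example and is not part of these
docs or of the Vault code base: it expands such a list into repeated
`-audit-non-hmac-request-keys` flags and prints the resulting command line so
it can be reviewed before anything is executed. The mount path `db/`, the
`database` engine type, the constructed key list, and the rule that rejects
empty or whitespace-containing entries are all assumptions made for the
example, not rules taken from Vault.

```shell
#!/bin/sh
# Added example; not part of the Vault docs or the Vault code base.
# `vault secrets enable` accepts one key per -audit-non-hmac-request-keys
# flag, so a comma-separated list has to become repeated flags. Rejecting
# empty or whitespace-containing entries is this script's own policy (an
# assumption), not a rule taken from the Vault docs.

# expand_non_hmac_keys LIST
# Prints one "-audit-non-hmac-request-keys=KEY" per comma-separated entry of
# LIST. Returns 1 if LIST is empty, has an empty entry (",,", leading or
# trailing comma), or has an entry containing whitespace.
expand_non_hmac_keys() {
    list="$1"
    [ -n "$list" ] || { echo "empty key list" >&2; return 1; }
    rest="$list,"                      # sentinel comma so the last entry is handled
    while [ -n "$rest" ]; do
        key="${rest%%,*}"              # text up to the first comma
        rest="${rest#*,}"              # everything after that comma
        case "$key" in
            ''|*[[:space:]]*)
                echo "invalid audit key entry: '$key'" >&2
                return 1 ;;
        esac
        printf '%s\n' "-audit-non-hmac-request-keys=$key"
    done
}

# build_secrets_enable PATH TYPE LIST
# Prints the complete `vault secrets enable` command on one line. Nothing is
# executed here; review the output (or compare it in a test) before running it.
build_secrets_enable() {
    mount_path="$1"
    engine_type="$2"
    flags=$(expand_non_hmac_keys "$3") || return 1
    cmd="vault secrets enable -path=$mount_path"
    for flag in $flags; do             # safe: validated keys contain no whitespace
        cmd="$cmd $flag"
    done
    printf '%s %s\n' "$cmd" "$engine_type"
}

# Usage: a constructed list of two request fields that are safe to log
# unhashed for a database engine mounted at db/ (assumed values).
build_secrets_enable db database "username,connection_url"
```

The same expansion applies to `-audit-non-hmac-response-keys`,
`-passthrough-request-headers` and `-allowed-response-headers`, which the
flag list above documents with the same one-value-per-occurrence form. Keep
the validation step: a key that is accidentally empty or contains a space
would otherwise be passed to Vault as a literal, and any key listed here is
written to the audit log unhashed, so the list deserves a review before the
mount is enabled.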