open-vault/website/content/api-docs/system/leases.mdx
swayne275 9724f59180
Vault 1979: Query API for Irrevocable Leases (#11607)
* build out lease count (not fully working), start lease list

* build out irrevocable lease list

* bookkeeping

* test irrevocable lease counts for API/CLI

* fix listIrrevocableLeases, test listIrrevocableLeases, cleanup

* test expiration API limit

* namespace tweaks, test force flag on lease list

* integration test leases/count API, plenty of fixes and improvements

* test lease list API, fixes and improvements

* test force flag for irrevocable lease list API

* i guess this wasn't saved on the last refactor...

* fixes and improvements found during my review

* better test error msg

* Update vault/logical_system_paths.go

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update vault/logical_system_paths.go

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* return warning with data if more than default leases to list without force flag

* make api doc more generalized

* list leases in general, not by mount point

* change force flag to include_large_results

* sort leases by LeaseID for consistent API response

* switch from bool flag for API limit to string value

* sort first by leaseID, then stable sort by expiration

* move some utils to be in oss and ent

* improve sort efficiency for API response

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
2021-06-02 10:11:30 -06:00

311 lines
7.6 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
layout: api
page_title: /sys/leases - HTTP API
description: The `/sys/leases` endpoints are used to view and manage leases.
---
# `/sys/leases`
The `/sys/leases` endpoints are used to view and manage leases in Vault.
## Read Lease
This endpoint retrieve lease metadata.
| Method | Path |
| :----- | :------------------- |
| `PUT` | `/sys/leases/lookup` |
### Parameters
- `lease_id` `(string: <required>)`  Specifies the ID of the lease to lookup.
### Sample Payload
```json
{
"lease_id": "aws/creds/deploy/abcd-1234..."
}
```
### Sample Request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
--request PUT \
--data @payload.json \
http://127.0.0.1:8200/v1/sys/leases/lookup
```
### Sample Response
```json
{
"id": "auth/token/create/25c75065466dfc5f920525feafe47502c4c9915c",
"issue_time": "2017-04-30T10:18:11.228946471-04:00",
"expire_time": "2017-04-30T11:18:11.228946708-04:00",
"last_renewal_time": null,
"renewable": true,
"ttl": 3558
}
```
## List Leases
This endpoint returns a list of lease ids.
**This endpoint requires 'sudo' capability.**
| Method | Path |
| :----- | :--------------------------- |
| `LIST` | `/sys/leases/lookup/:prefix` |
### Sample Request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
--request LIST \
http://127.0.0.1:8200/v1/sys/leases/lookup/aws/creds/deploy/
```
### Sample Response
```json
{
"data": {
"keys": ["abcd-1234...", "efgh-1234...", "ijkl-1234..."]
}
}
```
## Renew Lease
This endpoint renews a lease, requesting to extend the lease. Token leases
cannot be renewed using this endpoint, use instead the auth/token/renew endpoint.
| Method | Path |
| :----- | :------------------ |
| `PUT` | `/sys/leases/renew` |
### Parameters
- `lease_id` `(string: <required>)`  Specifies the ID of the lease to extend.
This can be specified as part of the URL or as part of the request body.
- `increment` `(int: 0)`  Specifies the requested amount of time (in seconds)
to extend the lease.
### Sample Payload
```json
{
"lease_id": "aws/creds/deploy/abcd-1234...",
"increment": 1800
}
```
### Sample Request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
--request PUT \
--data @payload.json \
http://127.0.0.1:8200/v1/sys/leases/renew
```
### Sample Response
```json
{
"lease_id": "aws/creds/deploy/abcd-1234...",
"renewable": true,
"lease_duration": 2764790
}
```
## Revoke Lease
This endpoint revokes a lease immediately.
| Method | Path |
| :----- | :------------------- |
| `PUT` | `/sys/leases/revoke` |
### Parameters
- `lease_id` `(string: <required>)` Specifies the ID of the lease to revoke.
- `sync` `(bool: false)` - Instead of the default behaviour of queueing the lease
revocation, sync=true will revoke the lease immediately and only return once
complete.
### Sample Payload
```json
{
"lease_id": "postgresql/creds/readonly/abcd-1234..."
}
```
### Sample Request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
--request PUT \
--data @payload.json \
http://127.0.0.1:8200/v1/sys/leases/revoke
```
## Revoke Force
This endpoint revokes all secrets or tokens generated under a given prefix
immediately. Unlike `/sys/leases/revoke-prefix`, this path ignores backend errors
encountered during revocation. This is _potentially very dangerous_ and should
only be used in specific emergency situations where errors in the backend or the
connected backend service prevent normal revocation.
By ignoring these errors, Vault abdicates responsibility for ensuring that the
issued credentials or secrets are properly revoked and/or cleaned up. Access to
this endpoint should be tightly controlled.
**This endpoint requires 'sudo' capability.**
| Method | Path |
| :----- | :--------------------------------- |
| `PUT` | `/sys/leases/revoke-force/:prefix` |
### Parameters
- `prefix` `(string: <required>)`  Specifies the prefix to revoke. This is
specified as part of the URL.
### Sample Request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
--request PUT \
http://127.0.0.1:8200/v1/sys/leases/revoke-force/aws/creds
```
## Revoke Prefix
This endpoint revokes all secrets (via a lease ID prefix) or tokens (via the
tokens' path property) generated under a given prefix immediately. This requires
`sudo` capability and access to it should be tightly controlled as it can be
used to revoke very large numbers of secrets/tokens at once.
**This endpoint requires 'sudo' capability.**
| Method | Path |
| :----- | :---------------------------------- |
| `PUT` | `/sys/leases/revoke-prefix/:prefix` |
### Parameters
- `prefix` `(string: <required>)`  Specifies the prefix to revoke. This is
specified as part of the URL.
- `sync` `(bool: false)` - Instead of the default behaviour of queueing the lease
revocations, sync=true will revoke ths leases immediately and only return once
complete.
### Sample Request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
--request PUT \
http://127.0.0.1:8200/v1/sys/leases/revoke-prefix/aws/creds
```
## Tidy Leases
This endpoint cleans up the dangling storage entries for leases: for each lease
entry in storage, Vault will verify that it has an associated valid non-expired
token in storage, and if not, the lease will be revoked.
Generally, running this is not needed unless upgrade notes or support personnel
suggest it. This may perform a lot of I/O to the storage method so should be
used sparingly.
| Method | Path |
| :----- | :----------------- |
| `POST` | `/sys/leases/tidy` |
### Sample Request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
http://127.0.0.1:8200/v1/sys/leases/tidy
```
## Lease Counts
This endpoint returns the total count of a `type` of lease, as well as a count
per mount point. Note that it currently only supports type "irrevocable".
This can help determine if particular endpoints are disproportionately
resulting in irrevocable leases.
This endpoint was added in Vault 1.8.
### Parameters
- `type` (string: <required>) - Specifies the type of lease.
- `include_child_namespaces` (bool: false) - Specifies if leases in child
namespaces should be included in the result.
| Method | Path |
| :----- | :----------------- |
| `GET` | `/sys/leases/count`|
### Sample Request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
--request GET \
http://127.0.0.1:8200/v1/sys/leases/count \
-d type=irrevocable
```
## Leases List
This endpoint returns the total count of a `type` of lease, as well as a list
of leases per mount point. Note that it currently only supports type
"irrevocable".
This can help determine if particular endpoints or causes are disproportionately
resulting in irrevocable leases.
This endpoint was added in Vault 1.8.
### Parameters
- `type` (string: <required>) - Specifies the type of lease.
- `include_child_namespaces` (bool: false) - Specifies if leases in child
namespaces should be included in the result
- `limit` (string: "") - Specifies the maximum number of leases to return in a
request. To return all results, set to `none`. If not set, this API will
return a maximum of 10,000 leases. If not set to `none` and there exist more
leases than `limit`, the response will include a warning.
| Method | Path |
| :----- | :------------ |
| `GET` | `/sys/leases` |
### Sample Request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
--request GET \
http://127.0.0.1:8200/v1/sys/leases \
-d type=irrevocable
```