open-vault/website/content/api-docs/system/policies-password.mdx
Jim Kalafut 75caf59093
Replace docs references to PUT with POST (#14270)
The operations are handled identically, but ~85% of the references were
POST, and having a mix of PUT and POST was a source of questions.

A subsequent commit will update the internal use of "PUT" such as by
the API client and -output-curl-string.
2022-02-25 06:52:24 -08:00


---
layout: api
page_title: /sys/policies/password - HTTP API
description: >-
  The `/sys/policies/password` endpoints are used to manage password generation policies in Vault.
---
# `/sys/policies/password/`
The `/sys/policies/password/` endpoints are used to manage password generation policies in Vault.
Not all secret engines utilize password policies, so check the documentation for the engine you
are using for compatibility.
~> Password policies are only available in Vault version 1.5+.
See [Password Policies](/docs/concepts/password-policies) for details of how password policies work
as well as the syntax of the policies themselves.
## Create/Update Password Policy
This endpoint adds a new password policy or updates an existing one. Once a policy is updated,
it takes effect immediately for all associated secret engines.
Before Vault saves the password policy, it attempts to generate a number of passwords
from it. This rejects policies that are impossible to satisfy, and also policies that are so
restrictive that they would both weaken the security posture of the generated passwords and
cause performance problems through slow generation times.
| Method | Path |
| :----- | :----------------------------- |
| `POST` | `/sys/policies/password/:name` |
### Parameters
- `name` `(string: <required>)` - Specifies the name of the password policy to create.
  This is specified as part of the request URL.
- `policy` `(string: <required>)` - Specifies the password policy document. This can be
  base64-encoded to avoid string escaping. See [Password Policy Syntax](/docs/concepts/password-policies#password-policy-syntax)
  for details on password policy definitions.
### Sample Payload
```json
{
  "policy": "length = 20\nrule \"charset\" { ..."
}
```
### Sample Request
**cURL:**
```shell
$ cat payload.json
{
  "policy": "length = 20\nrule \"charset\" {\n  charset = \"abcde\"\n}\n"
}

$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/policies/password/my-policy
```
**Vault CLI:**
```shell
$ cat my-policy.hcl
length = 20
rule "charset" {
  charset = "abcde"
}

$ vault write sys/policies/password/my-policy policy=@my-policy.hcl
```
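The pre-save check described above can be reproduced client-side so that a broken policy is caught before it is ever sent to `/sys/policies/password/:name`. The following is an added example, not code from the Vault project: it parses the `length` and `rule "charset"` blocks shown on this page (plus the `min-chars` attribute of a charset rule, which Vault supports but this page does not show), proves the policy is satisfiable, and generates a compliant password from the union of all charsets. The parser is a deliberately simplified regex model of HCL, and the fixed attempt count is an assumption standing in for Vault's own retry limit.

```python
import re
import secrets

# Constructed sample policy in the syntax used on this page; min-chars is a
# Vault charset-rule attribute that the page itself does not show.
SAMPLE_POLICY = '''
length = 20
rule "charset" {
  charset = "abcdefghijklmnopqrstuvwxyz"
  min-chars = 1
}
rule "charset" {
  charset = "0123456789"
  min-chars = 2
}
'''

_RULE_RE = re.compile(r'rule\s+"charset"\s*\{([^}]*)\}', re.S)


def parse_policy(text):
    """Return (length, [(charset, min_chars), ...]); simplified HCL parsing."""
    m = re.search(r'^\s*length\s*=\s*(\d+)', text, re.M)
    if not m:
        raise ValueError("policy has no length")
    rules = []
    for body in _RULE_RE.findall(text):
        cs = re.search(r'charset\s*=\s*"((?:[^"\\]|\\.)*)"', body)
        if not cs:
            raise ValueError("charset rule without a charset")
        charset = cs.group(1).replace('\\"', '"').replace('\\\\', '\\')
        mc = re.search(r'min-chars\s*=\s*(\d+)', body)
        rules.append((charset, int(mc.group(1)) if mc else 0))
    return int(m.group(1)), rules


def satisfies(password, rules):
    """True when every charset rule's min-chars requirement is met."""
    return all(sum(c in cs for c in password) >= n for cs, n in rules)


def check_policy(text, attempts=1000):
    """Mirror Vault's pre-save test: reject impossible or overly restrictive policies."""
    length, rules = parse_policy(text)
    if not rules:
        raise ValueError("policy has no charset rules")
    if sum(n for _, n in rules) > length:
        raise ValueError("min-chars total exceeds length; impossible to satisfy")
    alphabet = "".join(sorted(set("".join(cs for cs, _ in rules))))
    for _ in range(attempts):  # assumed retry limit, not Vault's actual value
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if satisfies(pw, rules):
            return pw
    raise ValueError("no compliant password in %d attempts; policy too restrictive" % attempts)
```

Run `check_policy` on the HCL you intend to upload; if it raises, Vault's own validation would reject the same document.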
## List Password Policies
This endpoint lists the password policies.
| Method | Path |
| :------ | :--------------------------------- |
| `LIST` | `/sys/policies/password` |
| `GET` | `/sys/policies/password?list=true` |
### Sample Request
```shell
$ curl \
    --header "X-Vault-Token: ..." \
    --request LIST \
    http://127.0.0.1:8200/v1/sys/policies/password
```
### Sample Response
```json
{
  "request_id": "58e2540f-8c51-6390-46de-38e279e75468",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "keys": [
      "my-policy"
    ]
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}
```
## Read Password Policy
This endpoint retrieves information about the named password policy.
| Method | Path |
| :----- | :----------------------------- |
| `GET` | `/sys/policies/password/:name` |
### Parameters
- `name` `(string: <required>)` - Specifies the name of the password policy to retrieve.
  This is specified as part of the request URL.
### Sample Request
```shell
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/sys/policies/password/my-policy
```
### Sample Response
```json
{
  "policy": "length = 20\nrule \"charset\" { ..."
}
```
## Delete Password Policy
This endpoint deletes the password policy with the given name. It does not check whether any
secret engines are using the policy before deleting it, so you should ensure that any engines
that use this password policy are switched to a different policy (or to that engine's
default behavior) first.
| Method | Path |
| :------- | :----------------------------- |
| `DELETE` | `/sys/policies/password/:name` |
### Parameters
- `name` `(string: <required>)` - Specifies the name of the password policy to delete.
  This is specified as part of the request URL.
### Sample Request
```shell
$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/sys/policies/password/my-policy
```
## Generate Password from Password Policy
This endpoint generates a password from the specified existing password policy.
| Method | Path |
| :----- | :-------------------------------------- |
| `GET` | `/sys/policies/password/:name/generate` |
### Parameters
- `name` `(string: <required>)` - Specifies the name of the password policy to generate
  a password from. This is specified as part of the request URL.
### Sample Request
```shell
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/sys/policies/password/my-policy/generate
```
### Sample Response
```json
{
  "password": "..."
}
```