From 22f2bcbb6d08d72628dc13d1b0df76a918db4cd7 Mon Sep 17 00:00:00 2001
From: Pierre Fenoll
Date: Mon, 10 Jun 2024 20:38:18 +0200
Subject: [PATCH 1/2] add

Signed-off-by: Pierre Fenoll
---
 .github/workflows/shellcheck.yml | 18 +
 examples/2600hz_kazoo/oas3.star | 10 +
 .../github.com/hashicorp/vault/.gitignore | 1 +
 .../github.com/hashicorp/vault/Dockerfile | 6 +
 .../hashicorp/vault/Dockerfile.dockerignore | 2 +
 examples/github.com/hashicorp/vault/_ | 4861 +++++++++++++++++
 examples/github.com/hashicorp/vault/clone.sh | 13 +
 .../hashicorp/vault/fuzzymonkey.star | 19 +
 8 files changed, 4930 insertions(+)
 create mode 100644 .github/workflows/shellcheck.yml
 create mode 100644 examples/2600hz_kazoo/oas3.star
 create mode 100644 examples/github.com/hashicorp/vault/.gitignore
 create mode 100644 examples/github.com/hashicorp/vault/Dockerfile
 create mode 100644 examples/github.com/hashicorp/vault/Dockerfile.dockerignore
 create mode 100644 examples/github.com/hashicorp/vault/_
 create mode 100644 examples/github.com/hashicorp/vault/clone.sh
 create mode 100644 examples/github.com/hashicorp/vault/fuzzymonkey.star

diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
new file mode 100644
index 0000000..e1f8d12
--- /dev/null
+++ b/.github/workflows/shellcheck.yml
@@ -0,0 +1,18 @@
+name: ShellCheck
+
+on:
+ push:
+ pull_request:
+
+jobs:
+ shellcheck:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Run shellcheck
+ uses: ludeeus/action-shellcheck@1.1.0
+ with:
+ check_together: 'yes'
+ severity: error
diff --git a/examples/2600hz_kazoo/oas3.star b/examples/2600hz_kazoo/oas3.star
new file mode 100644
index 0000000..00c7ca1
--- /dev/null
+++ b/examples/2600hz_kazoo/oas3.star
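Review bot: Both actions in the new workflow are pinned by mutable tag (`uses: actions/checkout@v2`, `uses: ludeeus/action-shellcheck@1.1.0`), so a moved tag or compromised upstream changes what runs on every push and pull request; pin each to a full commit SHA with the version kept as a trailing comment, e.g. `uses: actions/checkout@<commit-sha> # v4` (placeholder, look up the current SHA), and note that `checkout@v2` also targets a deprecated Node runtime. The job declares no `permissions:` block, so it inherits the repository's default GITHUB_TOKEN scopes although a lint job only needs `permissions: { contents: read }`. `severity: error` makes shellcheck ignore warnings and style findings; if that is deliberate, a one-line comment above it saying so would save the next reader from tightening it by accident.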
@@ -0,0 +1,10 @@
+monkey.openapi3(
+ name = "kazoo",
+ file = "https://raw.githubusercontent.com/2600hz/kazoo/24519b9af9792caa67f7c09bbb9d27e2418f7ad6/applications/crossbar/priv/oas3/openapi.yml",
+)
+
+monkey.shell(
+ name = "id",
+ provides = ["kazoo"],
+ reset = "true",
+)
diff --git a/examples/github.com/hashicorp/vault/.gitignore b/examples/github.com/hashicorp/vault/.gitignore
new file mode 100644
index 0000000..c0fab2a
--- /dev/null
+++ b/examples/github.com/hashicorp/vault/.gitignore
@@ -0,0 +1 @@
+/vault-*/
diff --git a/examples/github.com/hashicorp/vault/Dockerfile b/examples/github.com/hashicorp/vault/Dockerfile
new file mode 100644
index 0000000..00951c9
--- /dev/null
+++ b/examples/github.com/hashicorp/vault/Dockerfile
@@ -0,0 +1,6 @@
+FROM gcr.io/distroless/static:nonroot@sha256:80c956fb0836a17a565c43a4026c9c80b2013c83bea09f74fa4da195a59b7a99 AS distroless
+COPY /vault --chown=nonroot /vault
+RUN ls -lha . /vault /vault/vault wefwefw
+ARG HOST
+ARG TOKEN
+ENTRYPOINT ["./vault/bin/vault", "server", "-dev", "-dev-root-token-id=root", "-address=http://127.0.0.1:8200", "-exit-on-core-shutdown"]
diff --git a/examples/github.com/hashicorp/vault/Dockerfile.dockerignore b/examples/github.com/hashicorp/vault/Dockerfile.dockerignore
new file mode 100644
index 0000000..93e8c85
--- /dev/null
+++ b/examples/github.com/hashicorp/vault/Dockerfile.dockerignore
@@ -0,0 +1,2 @@
+*
+!/vault/
diff --git a/examples/github.com/hashicorp/vault/_ b/examples/github.com/hashicorp/vault/_
new file mode 100644
index 0000000..d755d20
--- /dev/null
+++ b/examples/github.com/hashicorp/vault/_
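Review bot: In the Dockerfile hunk, `RUN ls -lha . /vault /vault/vault wefwefw` cannot succeed on `gcr.io/distroless/static`, which ships neither a shell nor `ls`, and the trailing `wefwefw` argument reads as leftover debugging; the line should be dropped. The `ENTRYPOINT` uses the relative path `./vault/bin/vault` while no `WORKDIR` is set in this file and `COPY` places the tree at `/vault`, so unless the base image's working directory is `/` the binary will not be found; `ENTRYPOINT ["/vault/bin/vault", "server", "-dev", ...]` is the safe form. `ARG HOST` and `ARG TOKEN` are declared but never referenced, and the dev root token is hard-coded through `-dev-root-token-id=root`, so either remove the two ARGs or wire `TOKEN` into that flag so the example does not advertise a fixed credential. `-address` is presumably meant to control the listener; for `vault server -dev` that appears to be the `-dev-listen-address` flag, worth confirming against the Vault CLI docs.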
@@ -0,0 +1,4861 @@ +openapi: 3.0.2 +info: + title: HashiCorp Vault API + description: HTTP API that gives you full access to Vault. All API routes are prefixed with `/v1/`. + version: 1.10.0 + license: + name: Mozilla Public License 2.0 + url: https://www.mozilla.org/en-US/MPL/2.0 +paths: + /auth/token/accessors/: + description: List token accessors, which can then be be used to iterate and discover their properties or revoke them. Because this can be used to cause a denial of service, this endpoint requires 'sudo' capability in addition to 'list'. + x-vault-sudo: true + get: + summary: |- + List token accessors, which can then be + be used to iterate and discover their properties + or revoke them. Because this can be used to + cause a denial of service, this endpoint + requires 'sudo' capability in addition to + 'list'. + operationId: getAuthTokenAccessors + tags: + - auth + parameters: + - name: list + description: Return a list if `true` + in: query + schema: + type: string + responses: + '200': + description: OK + /auth/token/create: + description: The token create path is used to create new tokens. + post: + summary: The token create path is used to create new tokens. + operationId: postAuthTokenCreate + tags: + - auth + responses: + '200': + description: OK + /auth/token/create-orphan: + description: The token create path is used to create new orphan tokens. + post: + summary: The token create path is used to create new orphan tokens. + operationId: postAuthTokenCreateOrphan + tags: + - auth + responses: + '200': + description: OK + /auth/token/create/{role_name}: + description: This token create path is used to create new tokens adhering to the given role. + parameters: + - name: role_name + description: Name of the role + in: path + schema: + type: string + required: true + post: + summary: This token create path is used to create new tokens adhering to the given role. 
+ operationId: postAuthTokenCreateRole_name + tags: + - auth + responses: + '200': + description: OK + /auth/token/lookup: + description: This endpoint will lookup a token and its properties. + get: + summary: This endpoint will lookup a token and its properties. + operationId: getAuthTokenLookup + tags: + - auth + responses: + '200': + description: OK + post: + summary: This endpoint will lookup a token and its properties. + operationId: postAuthTokenLookup + tags: + - auth + requestBody: + content: + application/json: + schema: + type: object + properties: + token: + type: string + description: Token to lookup (POST request body) + responses: + '200': + description: OK + /auth/token/lookup-accessor: + description: This endpoint will lookup a token associated with the given accessor and its properties. Response will not contain the token ID. + post: + summary: This endpoint will lookup a token associated with the given accessor and its properties. Response will not contain the token ID. + operationId: postAuthTokenLookupAccessor + tags: + - auth + requestBody: + content: + application/json: + schema: + type: object + properties: + accessor: + type: string + description: Accessor of the token to look up (request body) + responses: + '200': + description: OK + /auth/token/lookup-self: + description: This endpoint will lookup a token and its properties. + get: + summary: This endpoint will lookup a token and its properties. + operationId: getAuthTokenLookupSelf + tags: + - auth + responses: + '200': + description: OK + post: + summary: This endpoint will lookup a token and its properties. + operationId: postAuthTokenLookupSelf + tags: + - auth + requestBody: + content: + application/json: + schema: + type: object + properties: + token: + type: string + description: Token to look up (unused, does not need to be set) + responses: + '200': + description: OK + /auth/token/renew: + description: This endpoint will renew the given token and prevent expiration. 
+ post: + summary: This endpoint will renew the given token and prevent expiration. + operationId: postAuthTokenRenew + tags: + - auth + requestBody: + content: + application/json: + schema: + type: object + properties: + increment: + type: integer + description: The desired increment in seconds to the token expiration + format: seconds + default: 0 + token: + type: string + description: Token to renew (request body) + responses: + '200': + description: OK + /auth/token/renew-accessor: + description: This endpoint will renew a token associated with the given accessor and its properties. Response will not contain the token ID. + post: + summary: This endpoint will renew a token associated with the given accessor and its properties. Response will not contain the token ID. + operationId: postAuthTokenRenewAccessor + tags: + - auth + requestBody: + content: + application/json: + schema: + type: object + properties: + accessor: + type: string + description: Accessor of the token to renew (request body) + increment: + type: integer + description: The desired increment in seconds to the token expiration + format: seconds + default: 0 + responses: + '200': + description: OK + /auth/token/renew-self: + description: This endpoint will renew the token used to call it and prevent expiration. + post: + summary: This endpoint will renew the token used to call it and prevent expiration. + operationId: postAuthTokenRenewSelf + tags: + - auth + requestBody: + content: + application/json: + schema: + type: object + properties: + increment: + type: integer + description: The desired increment in seconds to the token expiration + format: seconds + default: 0 + token: + type: string + description: Token to renew (unused, does not need to be set) + responses: + '200': + description: OK + /auth/token/revoke: + description: This endpoint will delete the given token and all of its child tokens. + post: + summary: This endpoint will delete the given token and all of its child tokens. 
+ operationId: postAuthTokenRevoke + tags: + - auth + requestBody: + content: + application/json: + schema: + type: object + properties: + token: + type: string + description: Token to revoke (request body) + responses: + '200': + description: OK + /auth/token/revoke-accessor: + description: This endpoint will delete the token associated with the accessor and all of its child tokens. + post: + summary: This endpoint will delete the token associated with the accessor and all of its child tokens. + operationId: postAuthTokenRevokeAccessor + tags: + - auth + requestBody: + content: + application/json: + schema: + type: object + properties: + accessor: + type: string + description: Accessor of the token (request body) + responses: + '200': + description: OK + /auth/token/revoke-orphan: + description: This endpoint will delete the token and orphan its child tokens. + post: + summary: This endpoint will delete the token and orphan its child tokens. + operationId: postAuthTokenRevokeOrphan + tags: + - auth + requestBody: + content: + application/json: + schema: + type: object + properties: + token: + type: string + description: Token to revoke (request body) + responses: + '200': + description: OK + /auth/token/revoke-self: + description: This endpoint will delete the token used to call it and all of its child tokens. + post: + summary: This endpoint will delete the token used to call it and all of its child tokens. + operationId: postAuthTokenRevokeSelf + tags: + - auth + responses: + '200': + description: OK + /auth/token/roles: + description: This endpoint lists configured roles. + get: + summary: This endpoint lists configured roles. 
+ operationId: getAuthTokenRoles + tags: + - auth + parameters: + - name: list + description: Return a list if `true` + in: query + schema: + type: string + responses: + '200': + description: OK + /auth/token/roles/{role_name}: + parameters: + - name: role_name + description: Name of the role + in: path + schema: + type: string + required: true + x-vault-createSupported: true + get: + operationId: getAuthTokenRolesRole_name + tags: + - auth + responses: + '200': + description: OK + post: + operationId: postAuthTokenRolesRole_name + tags: + - auth + requestBody: + content: + application/json: + schema: + type: object + properties: + allowed_entity_aliases: + type: array + description: String or JSON list of allowed entity aliases. If set, specifies the entity aliases which are allowed to be used during token generation. This field supports globbing. + items: + type: string + allowed_policies: + type: array + description: If set, tokens can be created with any subset of the policies in this list, rather than the normal semantics of tokens being a subset of the calling token's policies. The parameter is a comma-delimited string of policy names. + items: + type: string + allowed_policies_glob: + type: array + description: If set, tokens can be created with any subset of glob matched policies in this list, rather than the normal semantics of tokens being a subset of the calling token's policies. The parameter is a comma-delimited string of policy name globs. + items: + type: string + bound_cidrs: + type: array + description: Use 'token_bound_cidrs' instead. + items: + type: string + deprecated: true + disallowed_policies: + type: array + description: If set, successful token creation via this role will require that no policies in the given list are requested. The parameter is a comma-delimited string of policy names. 
+ items: + type: string + disallowed_policies_glob: + type: array + description: If set, successful token creation via this role will require that no requested policies glob match any of policies in this list. The parameter is a comma-delimited string of policy name globs. + items: + type: string + explicit_max_ttl: + type: integer + description: Use 'token_explicit_max_ttl' instead. + format: seconds + deprecated: true + orphan: + type: boolean + description: If true, tokens created via this role will be orphan tokens (have no parent) + path_suffix: + type: string + description: If set, tokens created via this role will contain the given suffix as a part of their path. This can be used to assist use of the 'revoke-prefix' endpoint later on. The given suffix must match the regular expression.\w[\w-.]+\w + period: + type: integer + description: Use 'token_period' instead. + format: seconds + deprecated: true + renewable: + type: boolean + description: Tokens created via this role will be renewable or not according to this value. Defaults to "true". + default: true + token_bound_cidrs: + type: array + description: Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token. + items: + type: string + x-vault-displayAttrs: + name: Generated Token's Bound CIDRs + group: Tokens + token_explicit_max_ttl: + type: integer + description: If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed. 
+ format: seconds + x-vault-displayAttrs: + name: Generated Token's Explicit Maximum TTL + group: Tokens + token_no_default_policy: + type: boolean + description: If true, the 'default' policy will not automatically be added to generated tokens + x-vault-displayAttrs: + name: Do Not Attach 'default' Policy To Generated Tokens + group: Tokens + token_num_uses: + type: integer + description: The maximum number of times a token may be used, a value of zero means unlimited + x-vault-displayAttrs: + name: Maximum Uses of Generated Tokens + group: Tokens + token_period: + type: integer + description: If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. "24h"). + format: seconds + x-vault-displayAttrs: + name: Generated Token's Period + group: Tokens + token_type: + type: string + description: The type of token to generate, service or batch + default: default-service + x-vault-displayAttrs: + name: Generated Token's Type + group: Tokens + responses: + '200': + description: OK + delete: + operationId: deleteAuthTokenRolesRole_name + tags: + - auth + responses: + '204': + description: empty body + /auth/token/tidy: + description: This endpoint performs cleanup tasks that can be run if certain error conditions have occurred. + post: + summary: |- + This endpoint performs cleanup tasks that can be run if certain error + conditions have occurred. + operationId: postAuthTokenTidy + tags: + - auth + responses: + '200': + description: OK + /cubbyhole/{path}: + description: Pass-through secret storage to a token-specific cubbyhole in the storage backend, allowing you to read/write arbitrary data into secret storage. + parameters: + - name: path + description: Specifies the path of the secret. + in: path + schema: + type: string + required: true + x-vault-createSupported: true + get: + summary: Retrieve the secret at the specified location. 
+ operationId: getCubbyholePath + tags: + - secrets + parameters: + - name: list + description: Return a list if `true` + in: query + schema: + type: string + responses: + '200': + description: OK + post: + summary: Store a secret at the specified location. + operationId: postCubbyholePath + tags: + - secrets + responses: + '200': + description: OK + delete: + summary: Deletes the secret at the specified location. + operationId: deleteCubbyholePath + tags: + - secrets + responses: + '204': + description: empty body + /identity/alias: + description: Create a new alias. + post: + summary: Create a new alias. + operationId: postIdentityAlias + tags: + - identity + requestBody: + content: + application/json: + schema: + type: object + properties: + canonical_id: + type: string + description: Entity ID to which this alias belongs to + entity_id: + type: string + description: Entity ID to which this alias belongs to. This field is deprecated in favor of 'canonical_id'. + id: + type: string + description: ID of the alias + mount_accessor: + type: string + description: Mount accessor to which this alias belongs to + name: + type: string + description: Name of the alias + responses: + '200': + description: OK + /identity/alias/id: + description: List all the alias IDs. + get: + summary: List all the alias IDs. + operationId: getIdentityAliasId + tags: + - identity + parameters: + - name: list + description: Return a list if `true` + in: query + schema: + type: string + responses: + '200': + description: OK + /identity/alias/id/{id}: + description: Update, read or delete an alias ID. + parameters: + - name: id + description: ID of the alias + in: path + schema: + type: string + required: true + get: + summary: Update, read or delete an alias ID. + operationId: getIdentityAliasIdId + tags: + - identity + responses: + '200': + description: OK + post: + summary: Update, read or delete an alias ID. 
+ operationId: postIdentityAliasIdId + tags: + - identity + requestBody: + content: + application/json: + schema: + type: object + properties: + canonical_id: + type: string + description: Entity ID to which this alias should be tied to + entity_id: + type: string + description: Entity ID to which this alias should be tied to. This field is deprecated in favor of 'canonical_id'. + mount_accessor: + type: string + description: Mount accessor to which this alias belongs to + name: + type: string + description: Name of the alias + responses: + '200': + description: OK + delete: + summary: Update, read or delete an alias ID. + operationId: deleteIdentityAliasIdId + tags: + - identity + responses: + '204': + description: empty body + /identity/entity: + description: Create a new entity + post: + summary: Create a new entity + operationId: postIdentityEntity + tags: + - identity + requestBody: + content: + application/json: + schema: + type: object + properties: + disabled: + type: boolean + description: If set true, tokens tied to this identity will not be able to be used (but will not be revoked). + id: + type: string + description: ID of the entity. If set, updates the corresponding existing entity. + metadata: + type: object + description: 'Metadata to be associated with the entity. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2' + format: kvpairs + name: + type: string + description: Name of the entity + policies: + type: array + description: Policies to be tied to the entity. + items: + type: string + responses: + '200': + description: OK + /identity/entity-alias: + description: Create a new alias. + post: + summary: Create a new alias. 
+ operationId: postIdentityEntityAlias + tags: + - identity + requestBody: + content: + application/json: + schema: + type: object + properties: + canonical_id: + type: string + description: Entity ID to which this alias belongs + custom_metadata: + type: object + description: User provided key-value pairs + format: kvpairs + entity_id: + type: string + description: Entity ID to which this alias belongs. This field is deprecated, use canonical_id. + id: + type: string + description: ID of the entity alias. If set, updates the corresponding entity alias. + mount_accessor: + type: string + description: Mount accessor to which this alias belongs to; unused for a modify + name: + type: string + description: Name of the alias; unused for a modify + responses: + '200': + description: OK + /identity/entity-alias/id: + description: List all the alias IDs. + get: + summary: List all the alias IDs. + operationId: getIdentityEntityAliasId + tags: + - identity + parameters: + - name: list + description: Return a list if `true` + in: query + schema: + type: string + responses: + '200': + description: OK + /identity/entity-alias/id/{id}: + description: Update, read or delete an alias ID. + parameters: + - name: id + description: ID of the alias + in: path + schema: + type: string + required: true + get: + summary: Update, read or delete an alias ID. + operationId: getIdentityEntityAliasIdId + tags: + - identity + responses: + '200': + description: OK + post: + summary: Update, read or delete an alias ID. + operationId: postIdentityEntityAliasIdId + tags: + - identity + requestBody: + content: + application/json: + schema: + type: object + properties: + canonical_id: + type: string + description: Entity ID to which this alias should be tied to + custom_metadata: + type: object + description: User provided key-value pairs + format: kvpairs + entity_id: + type: string + description: Entity ID to which this alias belongs to. This field is deprecated, use canonical_id. 
+ mount_accessor: + type: string + description: (Unused) + name: + type: string + description: (Unused) + responses: + '200': + description: OK + delete: + summary: Update, read or delete an alias ID. + operationId: deleteIdentityEntityAliasIdId + tags: + - identity + responses: + '204': + description: empty body + /identity/entity/batch-delete: + description: Delete all of the entities provided + post: + summary: Delete all of the entities provided + operationId: postIdentityEntityBatchDelete + tags: + - identity + requestBody: + content: + application/json: + schema: + type: object + properties: + entity_ids: + type: array + description: Entity IDs to delete + items: + type: string + responses: + '200': + description: OK + /identity/entity/id: + description: List all the entity IDs + get: + summary: List all the entity IDs + operationId: getIdentityEntityId + tags: + - identity + parameters: + - name: list + description: Return a list if `true` + in: query + schema: + type: string + responses: + '200': + description: OK + /identity/entity/id/{id}: + description: Update, read or delete an entity using entity ID + parameters: + - name: id + description: ID of the entity. If set, updates the corresponding existing entity. + in: path + schema: + type: string + required: true + get: + summary: Update, read or delete an entity using entity ID + operationId: getIdentityEntityIdId + tags: + - identity + responses: + '200': + description: OK + post: + summary: Update, read or delete an entity using entity ID + operationId: postIdentityEntityIdId + tags: + - identity + requestBody: + content: + application/json: + schema: + type: object + properties: + disabled: + type: boolean + description: If set true, tokens tied to this identity will not be able to be used (but will not be revoked). + metadata: + type: object + description: 'Metadata to be associated with the entity. In CLI, this parameter can be repeated multiple times, and it all gets merged together. 
For example: vault metadata=key1=value1 metadata=key2=value2' + format: kvpairs + name: + type: string + description: Name of the entity + policies: + type: array + description: Policies to be tied to the entity. + items: + type: string + responses: + '200': + description: OK + delete: + summary: Update, read or delete an entity using entity ID + operationId: deleteIdentityEntityIdId + tags: + - identity + responses: + '204': + description: empty body + /identity/entity/merge: + description: Merge two or more entities together + post: + summary: Merge two or more entities together + operationId: postIdentityEntityMerge + tags: + - identity + requestBody: + content: + application/json: + schema: + type: object + properties: + force: + type: boolean + description: Setting this will follow the 'mine' strategy for merging MFA secrets. If there are secrets of the same type both in entities that are merged from and in entity into which all others are getting merged, secrets in the destination will be unaltered. If not set, this API will throw an error containing all the conflicts. 
+ from_entity_ids: + type: array + description: Entity IDs which needs to get merged + items: + type: string + to_entity_id: + type: string + description: Entity ID into which all the other entities need to get merged + responses: + '200': + description: OK + /identity/entity/name: + description: List all the entity names + get: + summary: List all the entity names + operationId: getIdentityEntityName + tags: + - identity + parameters: + - name: list + description: Return a list if `true` + in: query + schema: + type: string + responses: + '200': + description: OK + /identity/entity/name/{name}: + description: Update, read or delete an entity using entity name + parameters: + - name: name + description: Name of the entity + in: path + schema: + type: string + required: true + get: + summary: Update, read or delete an entity using entity name + operationId: getIdentityEntityNameName + tags: + - identity + responses: + '200': + description: OK + post: + summary: Update, read or delete an entity using entity name + operationId: postIdentityEntityNameName + tags: + - identity + requestBody: + content: + application/json: + schema: + type: object + properties: + disabled: + type: boolean + description: If set true, tokens tied to this identity will not be able to be used (but will not be revoked). + id: + type: string + description: ID of the entity. If set, updates the corresponding existing entity. + metadata: + type: object + description: 'Metadata to be associated with the entity. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2' + format: kvpairs + policies: + type: array + description: Policies to be tied to the entity. 
+ items: + type: string + responses: + '200': + description: OK + delete: + summary: Update, read or delete an entity using entity name + operationId: deleteIdentityEntityNameName + tags: + - identity + responses: + '204': + description: empty body + /identity/group: + description: Create a new group. + post: + summary: Create a new group. + operationId: postIdentityGroup + tags: + - identity + requestBody: + content: + application/json: + schema: + type: object + properties: + id: + type: string + description: ID of the group. If set, updates the corresponding existing group. + member_entity_ids: + type: array + description: Entity IDs to be assigned as group members. + items: + type: string + member_group_ids: + type: array + description: Group IDs to be assigned as group members. + items: + type: string + metadata: + type: object + description: 'Metadata to be associated with the group. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2' + format: kvpairs + name: + type: string + description: Name of the group. + policies: + type: array + description: Policies to be tied to the group. + items: + type: string + type: + type: string + description: Type of the group, 'internal' or 'external'. Defaults to 'internal' + responses: + '200': + description: OK + /identity/group-alias: + description: Creates a new group alias, or updates an existing one. + post: + summary: Creates a new group alias, or updates an existing one. + operationId: postIdentityGroupAlias + tags: + - identity + requestBody: + content: + application/json: + schema: + type: object + properties: + canonical_id: + type: string + description: ID of the group to which this is an alias. + id: + type: string + description: ID of the group alias. + mount_accessor: + type: string + description: Mount accessor to which this alias belongs to. + name: + type: string + description: Alias of the group. 
+ responses: + '200': + description: OK + /identity/group-alias/id: + description: List all the group alias IDs. + get: + summary: List all the group alias IDs. + operationId: getIdentityGroupAliasId + tags: + - identity + parameters: + - name: list + description: Return a list if `true` + in: query + schema: + type: string + responses: + '200': + description: OK + /identity/group-alias/id/{id}: + parameters: + - name: id + description: ID of the group alias. + in: path + schema: + type: string + required: true + get: + operationId: getIdentityGroupAliasIdId + tags: + - identity + responses: + '200': + description: OK + post: + operationId: postIdentityGroupAliasIdId + tags: + - identity + requestBody: + content: + application/json: + schema: + type: object + properties: + canonical_id: + type: string + description: ID of the group to which this is an alias. + mount_accessor: + type: string + description: Mount accessor to which this alias belongs to. + name: + type: string + description: Alias of the group. + responses: + '200': + description: OK + delete: + operationId: deleteIdentityGroupAliasIdId + tags: + - identity + responses: + '204': + description: empty body + /identity/group/id: + description: List all the group IDs. + get: + summary: List all the group IDs. + operationId: getIdentityGroupId + tags: + - identity + parameters: + - name: list + description: Return a list if `true` + in: query + schema: + type: string + responses: + '200': + description: OK + /identity/group/id/{id}: + description: Update or delete an existing group using its ID. + parameters: + - name: id + description: ID of the group. If set, updates the corresponding existing group. + in: path + schema: + type: string + required: true + get: + summary: Update or delete an existing group using its ID. + operationId: getIdentityGroupIdId + tags: + - identity + responses: + '200': + description: OK + post: + summary: Update or delete an existing group using its ID. 
+ operationId: postIdentityGroupIdId + tags: + - identity + requestBody: + content: + application/json: + schema: + type: object + properties: + member_entity_ids: + type: array + description: Entity IDs to be assigned as group members. + items: + type: string + member_group_ids: + type: array + description: Group IDs to be assigned as group members. + items: + type: string + metadata: + type: object + description: 'Metadata to be associated with the group. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2' + format: kvpairs + name: + type: string + description: Name of the group. + policies: + type: array + description: Policies to be tied to the group. + items: + type: string + type: + type: string + description: Type of the group, 'internal' or 'external'. Defaults to 'internal' + responses: + '200': + description: OK + delete: + summary: Update or delete an existing group using its ID. + operationId: deleteIdentityGroupIdId + tags: + - identity + responses: + '204': + description: empty body + /identity/group/name: + get: + operationId: getIdentityGroupName + tags: + - identity + parameters: + - name: list + description: Return a list if `true` + in: query + schema: + type: string + responses: + '200': + description: OK + /identity/group/name/{name}: + parameters: + - name: name + description: Name of the group. + in: path + schema: + type: string + required: true + get: + operationId: getIdentityGroupNameName + tags: + - identity + responses: + '200': + description: OK + post: + operationId: postIdentityGroupNameName + tags: + - identity + requestBody: + content: + application/json: + schema: + type: object + properties: + id: + type: string + description: ID of the group. If set, updates the corresponding existing group. + member_entity_ids: + type: array + description: Entity IDs to be assigned as group members. 
+ items: + type: string + member_group_ids: + type: array + description: Group IDs to be assigned as group members. + items: + type: string + metadata: + type: object + description: 'Metadata to be associated with the group. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2' + format: kvpairs + policies: + type: array + description: Policies to be tied to the group. + items: + type: string + type: + type: string + description: Type of the group, 'internal' or 'external'. Defaults to 'internal' + responses: + '200': + description: OK + delete: + operationId: deleteIdentityGroupNameName + tags: + - identity + responses: + '204': + description: empty body + /identity/lookup/entity: + description: Query entities based on various properties. + post: + summary: Query entities based on various properties. + operationId: postIdentityLookupEntity + tags: + - identity + requestBody: + content: + application/json: + schema: + type: object + properties: + alias_id: + type: string + description: ID of the alias. + alias_mount_accessor: + type: string + description: Accessor of the mount to which the alias belongs to. This should be supplied in conjunction with 'alias_name'. + alias_name: + type: string + description: Name of the alias. This should be supplied in conjunction with 'alias_mount_accessor'. + id: + type: string + description: ID of the entity. + name: + type: string + description: Name of the entity. + responses: + '200': + description: OK + /identity/lookup/group: + description: Query groups based on various properties. + post: + summary: Query groups based on various properties. + operationId: postIdentityLookupGroup + tags: + - identity + requestBody: + content: + application/json: + schema: + type: object + properties: + alias_id: + type: string + description: ID of the alias. 
+ alias_mount_accessor: + type: string + description: Accessor of the mount to which the alias belongs to. This should be supplied in conjunction with 'alias_name'. + alias_name: + type: string + description: Name of the alias. This should be supplied in conjunction with 'alias_mount_accessor'. + id: + type: string + description: ID of the group. + name: + type: string + description: Name of the group. + responses: + '200': + description: OK + /identity/oidc/.well-known/keys: + description: Retrieve public keys + x-vault-unauthenticated: true + get: + summary: Retrieve public keys + operationId: getIdentityOidcWellKnownKeys + tags: + - identity + responses: + '200': + description: OK + /identity/oidc/.well-known/openid-configuration: + description: Query OIDC configurations + x-vault-unauthenticated: true + get: + summary: Query OIDC configurations + operationId: getIdentityOidcWellKnownOpenidConfiguration + tags: + - identity + responses: + '200': + description: OK + /identity/oidc/assignment: + description: List OIDC assignments + get: + operationId: getIdentityOidcAssignment + tags: + - identity + parameters: + - name: list + description: Return a list if `true` + in: query + schema: + type: string + responses: + '200': + description: OK + /identity/oidc/assignment/{name}: + description: CRUD operations for OIDC assignments. 
+ parameters: + - name: name + description: Name of the assignment + in: path + schema: + type: string + required: true + x-vault-createSupported: true + get: + operationId: getIdentityOidcAssignmentName + tags: + - identity + responses: + '200': + description: OK + post: + operationId: postIdentityOidcAssignmentName + tags: + - identity + requestBody: + content: + application/json: + schema: + type: object + properties: + entity_ids: + type: array + description: Comma separated string or array of identity entity IDs + items: + type: string + group_ids: + type: array + description: Comma separated string or array of identity group IDs + items: + type: string + responses: + '200': + description: OK + delete: + operationId: deleteIdentityOidcAssignmentName + tags: + - identity + responses: + '204': + description: empty body + /identity/oidc/client: + description: List OIDC clients + get: + operationId: getIdentityOidcClient + tags: + - identity + parameters: + - name: list + description: Return a list if `true` + in: query + schema: + type: string + responses: + '200': + description: OK + /identity/oidc/client/{name}: + description: CRUD operations for OIDC clients. + parameters: + - name: name + description: Name of the client. + in: path + schema: + type: string + required: true + x-vault-createSupported: true + get: + operationId: getIdentityOidcClientName + tags: + - identity + responses: + '200': + description: OK + post: + operationId: postIdentityOidcClientName + tags: + - identity + requestBody: + content: + application/json: + schema: + type: object + properties: + access_token_ttl: + type: integer + description: The time-to-live for access tokens obtained by the client. + format: seconds + default: 24h + assignments: + type: array + description: Comma separated string or array of assignment resources. + items: + type: string + id_token_ttl: + type: integer + description: The time-to-live for ID tokens obtained by the client. 
+ format: seconds + default: 24h + key: + type: string + description: A reference to a named key resource. Cannot be modified after creation. + redirect_uris: + type: array + description: Comma separated string or array of redirect URIs used by the client. One of these values must exactly match the redirect_uri parameter value used in each authentication request. + items: + type: string + required: + - key + responses: + '200': + description: OK + delete: + operationId: deleteIdentityOidcClientName + tags: + - identity + responses: + '204': + description: empty body + /identity/oidc/config: + description: OIDC configuration + get: + summary: OIDC configuration + operationId: getIdentityOidcConfig + tags: + - identity + responses: + '200': + description: OK + post: + summary: OIDC configuration + operationId: postIdentityOidcConfig + tags: + - identity + requestBody: + content: + application/json: + schema: + type: object + properties: + issuer: + type: string + description: Issuer URL to be used in the iss claim of the token. If not set, Vault's app_addr will be used. + responses: + '200': + description: OK + /identity/oidc/introspect: + description: Verify the authenticity of an OIDC token + post: + summary: Verify the authenticity of an OIDC token + operationId: postIdentityOidcIntrospect + tags: + - identity + requestBody: + content: + application/json: + schema: + type: object + properties: + client_id: + type: string + description: Optional client_id to verify + token: + type: string + description: Token to verify + responses: + '200': + description: OK + /identity/oidc/key: + description: List OIDC keys + get: + summary: List OIDC keys + operationId: getIdentityOidcKey + tags: + - identity + parameters: + - name: list + description: Return a list if `true` + in: query + schema: + type: string + responses: + '200': + description: OK + /identity/oidc/key/{name}: + description: CRUD operations for OIDC keys. 
+ parameters: + - name: name + description: Name of the key + in: path + schema: + type: string + required: true + x-vault-createSupported: true + get: + summary: CRUD operations for OIDC keys. + operationId: getIdentityOidcKeyName + tags: + - identity + responses: + '200': + description: OK + post: + summary: CRUD operations for OIDC keys. + operationId: postIdentityOidcKeyName + tags: + - identity + requestBody: + content: + application/json: + schema: + type: object + properties: + algorithm: + type: string + description: Signing algorithm to use. This will default to RS256. + default: RS256 + allowed_client_ids: + type: array + description: Comma separated string or array of role client ids allowed to use this key for signing. If empty no roles are allowed. If "*" all roles are allowed. + items: + type: string + rotation_period: + type: integer + description: How often to generate a new keypair. + format: seconds + default: 24h + verification_ttl: + type: integer + description: Controls how long the public portion of a key will be available for verification after being rotated. + format: seconds + default: 24h + responses: + '200': + description: OK + delete: + summary: CRUD operations for OIDC keys. + operationId: deleteIdentityOidcKeyName + tags: + - identity + responses: + '204': + description: empty body + /identity/oidc/key/{name}/rotate: + description: Rotate a named OIDC key. + parameters: + - name: name + description: Name of the key + in: path + schema: + type: string + required: true + post: + summary: Rotate a named OIDC key. + operationId: postIdentityOidcKeyNameRotate + tags: + - identity + requestBody: + content: + application/json: + schema: + type: object + properties: + verification_ttl: + type: integer + description: Controls how long the public portion of a key will be available for verification after being rotated. Setting verification_ttl here will override the verification_ttl set on the key. 
+ format: seconds + responses: + '200': + description: OK + /identity/oidc/provider: + description: List OIDC providers + get: + operationId: getIdentityOidcProvider + tags: + - identity + parameters: + - name: list + description: Return a list if `true` + in: query + schema: + type: string + responses: + '200': + description: OK + /identity/oidc/provider/{name}: + description: CRUD operations for OIDC providers. + parameters: + - name: name + description: Name of the provider + in: path + schema: + type: string + required: true + x-vault-createSupported: true + get: + operationId: getIdentityOidcProviderName + tags: + - identity + responses: + '200': + description: OK + post: + operationId: postIdentityOidcProviderName + tags: + - identity + requestBody: + content: + application/json: + schema: + type: object + properties: + allowed_client_ids: + type: array + description: The client IDs that are permitted to use the provider + items: + type: string + issuer: + type: string + description: Specifies what will be used for the iss claim of ID tokens. 
+ scopes_supported: + type: array + description: The scopes supported for requesting on the provider + items: + type: string + responses: + '200': + description: OK + delete: + operationId: deleteIdentityOidcProviderName + tags: + - identity + responses: + '204': + description: empty body + /identity/oidc/provider/{name}/.well-known/keys: + description: Retrieve public keys + parameters: + - name: name + description: Name of the provider + in: path + schema: + type: string + required: true + get: + operationId: getIdentityOidcProviderNameWellKnownKeys + tags: + - identity + responses: + '200': + description: OK + /identity/oidc/provider/{name}/.well-known/openid-configuration: + description: Query OIDC configurations + parameters: + - name: name + description: Name of the provider + in: path + schema: + type: string + required: true + get: + operationId: getIdentityOidcProviderNameWellKnownOpenidConfiguration + tags: + - identity + responses: + '200': + description: OK + /identity/oidc/provider/{name}/authorize: + description: Provides the OIDC Authorization Endpoint. + parameters: + - name: name + description: Name of the provider + in: path + schema: + type: string + required: true + get: + operationId: getIdentityOidcProviderNameAuthorize + tags: + - identity + responses: + '200': + description: OK + post: + operationId: postIdentityOidcProviderNameAuthorize + tags: + - identity + requestBody: + content: + application/json: + schema: + type: object + properties: + client_id: + type: string + description: The ID of the requesting client. + max_age: + type: integer + description: The allowable elapsed time in seconds since the last time the end-user was actively authenticated. + nonce: + type: string + description: The value that will be returned in the ID token nonce claim after a token exchange. + redirect_uri: + type: string + description: The redirection URI to which the response will be sent. 
+ response_type: + type: string + description: 'The OIDC authentication flow to be used. The following response types are supported: ''code''' + scope: + type: string + description: A space-delimited, case-sensitive list of scopes to be requested. The 'openid' scope is required. + state: + type: string + description: The value used to maintain state between the authentication request and client. + required: + - response_type + - state + - nonce + - client_id + - scope + - redirect_uri + responses: + '200': + description: OK + /identity/oidc/provider/{name}/token: + description: Provides the OIDC Token Endpoint. + parameters: + - name: name + description: Name of the provider + in: path + schema: + type: string + required: true + post: + operationId: postIdentityOidcProviderNameToken + tags: + - identity + requestBody: + content: + application/json: + schema: + type: object + properties: + code: + type: string + description: The authorization code received from the provider's authorization endpoint. + grant_type: + type: string + description: 'The authorization grant type. The following grant types are supported: ''authorization_code''.' + redirect_uri: + type: string + description: The callback location where the authentication response was sent. + required: + - code + - grant_type + - redirect_uri + responses: + '200': + description: OK + /identity/oidc/provider/{name}/userinfo: + description: Provides the OIDC UserInfo Endpoint. 
+ parameters: + - name: name + description: Name of the provider + in: path + schema: + type: string + required: true + get: + operationId: getIdentityOidcProviderNameUserinfo + tags: + - identity + responses: + '200': + description: OK + post: + operationId: postIdentityOidcProviderNameUserinfo + tags: + - identity + responses: + '200': + description: OK + /identity/oidc/role: + description: List configured OIDC roles + get: + summary: List configured OIDC roles + operationId: getIdentityOidcRole + tags: + - identity + parameters: + - name: list + description: Return a list if `true` + in: query + schema: + type: string + responses: + '200': + description: OK + /identity/oidc/role/{name}: + description: CRUD operations on OIDC Roles + parameters: + - name: name + description: Name of the role + in: path + schema: + type: string + required: true + x-vault-createSupported: true + get: + summary: CRUD operations on OIDC Roles + operationId: getIdentityOidcRoleName + tags: + - identity + responses: + '200': + description: OK + post: + summary: CRUD operations on OIDC Roles + operationId: postIdentityOidcRoleName + tags: + - identity + requestBody: + content: + application/json: + schema: + type: object + properties: + client_id: + type: string + description: Optional client_id + key: + type: string + description: The OIDC key to use for generating tokens. The specified key must already exist. + template: + type: string + description: The template string to use for generating tokens. This may be in string-ified JSON or base64 format. + ttl: + type: integer + description: TTL of the tokens generated against the role. 
+ format: seconds + default: 24h + required: + - key + responses: + '200': + description: OK + delete: + summary: CRUD operations on OIDC Roles + operationId: deleteIdentityOidcRoleName + tags: + - identity + responses: + '204': + description: empty body + /identity/oidc/scope: + description: List OIDC scopes + get: + operationId: getIdentityOidcScope + tags: + - identity + parameters: + - name: list + description: Return a list if `true` + in: query + schema: + type: string + responses: + '200': + description: OK + /identity/oidc/scope/{name}: + description: CRUD operations for OIDC scopes. + parameters: + - name: name + description: Name of the scope + in: path + schema: + type: string + required: true + x-vault-createSupported: true + get: + operationId: getIdentityOidcScopeName + tags: + - identity + responses: + '200': + description: OK + post: + operationId: postIdentityOidcScopeName + tags: + - identity + requestBody: + content: + application/json: + schema: + type: object + properties: + description: + type: string + description: The description of the scope + template: + type: string + description: The template string to use for the scope. This may be in string-ified JSON or base64 format. + responses: + '200': + description: OK + delete: + operationId: deleteIdentityOidcScopeName + tags: + - identity + responses: + '204': + description: empty body + /identity/oidc/token/{name}: + description: Generate an OIDC token + parameters: + - name: name + description: Name of the role + in: path + schema: + type: string + required: true + get: + summary: Generate an OIDC token + operationId: getIdentityOidcTokenName + tags: + - identity + responses: + '200': + description: OK + /identity/persona: + description: Create a new alias. + post: + summary: Create a new alias. 
+ operationId: postIdentityPersona + tags: + - identity + requestBody: + content: + application/json: + schema: + type: object + properties: + entity_id: + type: string + description: Entity ID to which this persona belongs to + id: + type: string + description: ID of the persona + metadata: + type: object + description: 'Metadata to be associated with the persona. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2' + format: kvpairs + mount_accessor: + type: string + description: Mount accessor to which this persona belongs to + name: + type: string + description: Name of the persona + responses: + '200': + description: OK + /identity/persona/id: + description: List all the alias IDs. + get: + summary: List all the alias IDs. + operationId: getIdentityPersonaId + tags: + - identity + parameters: + - name: list + description: Return a list if `true` + in: query + schema: + type: string + responses: + '200': + description: OK + /identity/persona/id/{id}: + description: Update, read or delete an alias ID. + parameters: + - name: id + description: ID of the persona + in: path + schema: + type: string + required: true + get: + summary: Update, read or delete an alias ID. + operationId: getIdentityPersonaIdId + tags: + - identity + responses: + '200': + description: OK + post: + summary: Update, read or delete an alias ID. + operationId: postIdentityPersonaIdId + tags: + - identity + requestBody: + content: + application/json: + schema: + type: object + properties: + entity_id: + type: string + description: Entity ID to which this persona should be tied to + metadata: + type: object + description: 'Metadata to be associated with the persona. In CLI, this parameter can be repeated multiple times, and it all gets merged together. 
For example: vault metadata=key1=value1 metadata=key2=value2' + format: kvpairs + mount_accessor: + type: string + description: Mount accessor to which this persona belongs to + name: + type: string + description: Name of the persona + responses: + '200': + description: OK + delete: + summary: Update, read or delete an alias ID. + operationId: deleteIdentityPersonaIdId + tags: + - identity + responses: + '204': + description: empty body + /secret/.*: {} + /secret/config: + description: Configures settings for the KV store + x-vault-createSupported: true + get: + summary: Read the backend level settings. + operationId: getSecretConfig + tags: + - secrets + responses: + '200': + description: OK + post: + summary: Configure backend level settings that are applied to every key in the key-value store. + operationId: postSecretConfig + tags: + - secrets + requestBody: + content: + application/json: + schema: + type: object + properties: + cas_required: + type: boolean + description: If true, the backend will require the cas parameter to be set for each write + delete_version_after: + type: integer + description: If set, the length of time before a version is deleted. A negative duration disables the use of delete_version_after on all keys. A zero duration clears the current setting. Accepts a Go duration format string. + format: seconds + max_versions: + type: integer + description: The number of versions to keep for each key. Defaults to 10 + responses: + '200': + description: OK + /secret/data/{path}: + description: Write, Patch, Read, and Delete data in the Key-Value Store. + parameters: + - name: path + description: Location of the secret. + in: path + schema: + type: string + required: true + x-vault-createSupported: true + get: + summary: Write, Patch, Read, and Delete data in the Key-Value Store. 
+ operationId: getSecretDataPath + tags: + - secrets + responses: + '200': + description: OK + post: + summary: Write, Patch, Read, and Delete data in the Key-Value Store. + operationId: postSecretDataPath + tags: + - secrets + requestBody: + content: + application/json: + schema: + type: object + properties: + data: + type: object + description: The contents of the data map will be stored and returned on read. + format: map + options: + type: object + description: Options for writing a KV entry. Set the "cas" value to use a Check-And-Set operation. If not set the write will be allowed. If set to 0 a write will only be allowed if the key doesn’t exist. If the index is non-zero the write will only be allowed if the key’s current version matches the version specified in the cas parameter. + format: map + version: + type: integer + description: If provided during a read, the value at the version number will be returned + responses: + '200': + description: OK + delete: + summary: Write, Patch, Read, and Delete data in the Key-Value Store. + operationId: deleteSecretDataPath + tags: + - secrets + responses: + '204': + description: empty body + /secret/delete/{path}: + description: Marks one or more versions as deleted in the KV store. + parameters: + - name: path + description: Location of the secret. + in: path + schema: + type: string + required: true + x-vault-createSupported: true + post: + summary: Marks one or more versions as deleted in the KV store. + operationId: postSecretDeletePath + tags: + - secrets + requestBody: + content: + application/json: + schema: + type: object + properties: + versions: + type: array + description: The versions to be archived. The versioned data will not be deleted, but it will no longer be returned in normal get requests. 
+ items: + type: integer + responses: + '200': + description: OK + /secret/destroy/{path}: + description: Permanently removes one or more versions in the KV store + parameters: + - name: path + description: Location of the secret. + in: path + schema: + type: string + required: true + x-vault-createSupported: true + post: + summary: Permanently removes one or more versions in the KV store + operationId: postSecretDestroyPath + tags: + - secrets + requestBody: + content: + application/json: + schema: + type: object + properties: + versions: + type: array + description: The versions to destroy. Their data will be permanently deleted. + items: + type: integer + responses: + '200': + description: OK + /secret/metadata/{path}: + description: Configures settings for the KV store + parameters: + - name: path + description: Location of the secret. + in: path + schema: + type: string + required: true + x-vault-createSupported: true + get: + summary: Configures settings for the KV store + operationId: getSecretMetadataPath + tags: + - secrets + parameters: + - name: list + description: Return a list if `true` + in: query + schema: + type: string + responses: + '200': + description: OK + post: + summary: Configures settings for the KV store + operationId: postSecretMetadataPath + tags: + - secrets + requestBody: + content: + application/json: + schema: + type: object + properties: + cas_required: + type: boolean + description: If true the key will require the cas parameter to be set on all write requests. If false, the backend’s configuration will be used. + custom_metadata: + type: object + description: User-provided key-value pairs that are used to describe arbitrary and version-agnostic information about a secret. + format: kvpairs + delete_version_after: + type: integer + description: The length of time before a version is deleted. If not set, the backend's configured delete_version_after is used. Cannot be greater than the backend's delete_version_after. 
A zero duration clears the current setting. A negative duration will cause an error. + format: seconds + max_versions: + type: integer + description: The number of versions to keep. If not set, the backend’s configured max version is used. + responses: + '200': + description: OK + delete: + summary: Configures settings for the KV store + operationId: deleteSecretMetadataPath + tags: + - secrets + responses: + '204': + description: empty body + /secret/undelete/{path}: + description: Undeletes one or more versions from the KV store. + parameters: + - name: path + description: Location of the secret. + in: path + schema: + type: string + required: true + x-vault-createSupported: true + post: + summary: Undeletes one or more versions from the KV store. + operationId: postSecretUndeletePath + tags: + - secrets + requestBody: + content: + application/json: + schema: + type: object + properties: + versions: + type: array + description: The versions to unarchive. The versions will be restored and their data will be returned on normal get requests. + items: + type: integer + responses: + '200': + description: OK + /sys/audit: + description: List the currently enabled audit backends. + x-vault-sudo: true + get: + summary: List the enabled audit devices. + operationId: getSysAudit + tags: + - system + responses: + '200': + description: OK + /sys/audit-hash/{path}: + description: The hash of the given string via the given audit backend + parameters: + - name: path + description: 'The name of the backend. Cannot be delimited. Example: "mysql"' + in: path + schema: + type: string + required: true + post: + summary: The hash of the given string via the given audit backend + operationId: postSysAuditHashPath + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + input: + type: string + responses: + '200': + description: OK + /sys/audit/{path}: + description: Enable or disable audit backends. 
+ parameters: + - name: path + description: 'The name of the backend. Cannot be delimited. Example: "mysql"' + in: path + schema: + type: string + required: true + x-vault-sudo: true + post: + summary: Enable a new audit device at the supplied path. + operationId: postSysAuditPath + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + description: + type: string + description: User-friendly description for this audit backend. + local: + type: boolean + description: Mark the mount as a local mount, which is not replicated and is unaffected by replication. + default: false + options: + type: object + description: Configuration options for the audit backend. + format: kvpairs + type: + type: string + description: 'The type of the backend. Example: "mysql"' + responses: + '200': + description: OK + delete: + summary: Disable the audit device at the given path. + operationId: deleteSysAuditPath + tags: + - system + responses: + '204': + description: empty body + /sys/auth: + description: List the currently enabled credential backends. + get: + summary: List the currently enabled credential backends. + operationId: getSysAuth + tags: + - system + responses: + '200': + description: OK + /sys/auth/{path}: + description: Enable a new credential backend with a name. + parameters: + - name: path + description: 'The path to mount to. Cannot be delimited. Example: "user"' + in: path + schema: + type: string + required: true + x-vault-sudo: true + post: + summary: Enables a new auth method. + description: |- + After enabling, the auth method can be accessed and configured via the auth path specified as part of the URL. This auth path will be nested under the auth prefix. + + For example, enable the "foo" auth method will make it accessible at /auth/foo. 
+ operationId: postSysAuthPath + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + config: + type: object + description: Configuration for this mount, such as plugin_name. + format: map + description: + type: string + description: User-friendly description for this credential backend. + external_entropy_access: + type: boolean + description: Whether to give the mount access to Vault's external entropy. + default: false + local: + type: boolean + description: Mark the mount as a local mount, which is not replicated and is unaffected by replication. + default: false + options: + type: object + description: The options to pass into the backend. Should be a json object with string keys and values. + format: kvpairs + plugin_name: + type: string + description: Name of the auth plugin to use based from the name in the plugin catalog. + seal_wrap: + type: boolean + description: Whether to turn on seal wrapping for the mount. + default: false + type: + type: string + description: 'The type of the backend. Example: "userpass"' + responses: + '200': + description: OK + delete: + summary: Disable the auth method at the given auth path + operationId: deleteSysAuthPath + tags: + - system + responses: + '204': + description: empty body + /sys/auth/{path}/tune: + description: Tune the configuration parameters for an auth path. + parameters: + - name: path + description: Tune the configuration parameters for an auth path. + in: path + schema: + type: string + required: true + x-vault-sudo: true + get: + summary: Reads the given auth path's configuration. + description: This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via `sys/mounts/auth/[auth-path]/tune`. + operationId: getSysAuthPathTune + tags: + - system + responses: + '200': + description: OK + post: + summary: Tune configuration parameters for a given auth path. 
+ description: This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via `sys/mounts/auth/[auth-path]/tune`. + operationId: postSysAuthPathTune + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + allowed_response_headers: + type: array + description: A list of headers to whitelist and allow a plugin to set on responses. + items: + type: string + audit_non_hmac_request_keys: + type: array + description: The list of keys in the request data object that will not be HMAC'ed by audit devices. + items: + type: string + audit_non_hmac_response_keys: + type: array + description: The list of keys in the response data object that will not be HMAC'ed by audit devices. + items: + type: string + default_lease_ttl: + type: string + description: The default lease TTL for this mount. + description: + type: string + description: User-friendly description for this credential backend. + listing_visibility: + type: string + description: Determines the visibility of the mount in the UI-specific listing endpoint. Accepted value are 'unauth' and ''. + max_lease_ttl: + type: string + description: The max lease TTL for this mount. + options: + type: object + description: The options to pass into the backend. Should be a json object with string keys and values. + format: kvpairs + passthrough_request_headers: + type: array + description: A list of headers to whitelist and pass from the request to the plugin. + items: + type: string + token_type: + type: string + description: The type of token to issue (service or batch). + responses: + '200': + description: OK + /sys/capabilities: + description: Fetches the capabilities of the given token on the given path. + post: + summary: Fetches the capabilities of the given token on the given path. 
+ operationId: postSysCapabilities + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + path: + type: array + description: Use 'paths' instead. + items: + type: string + deprecated: true + paths: + type: array + description: Paths on which capabilities are being queried. + items: + type: string + token: + type: string + description: Token for which capabilities are being queried. + responses: + '200': + description: OK + /sys/capabilities-accessor: + description: Fetches the capabilities of the token associated with the given token, on the given path. + post: + summary: Fetches the capabilities of the token associated with the given token, on the given path. + operationId: postSysCapabilitiesAccessor + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + accessor: + type: string + description: Accessor of the token for which capabilities are being queried. + path: + type: array + description: Use 'paths' instead. + items: + type: string + deprecated: true + paths: + type: array + description: Paths on which capabilities are being queried. + items: + type: string + responses: + '200': + description: OK + /sys/capabilities-self: + description: Fetches the capabilities of the given token on the given path. + post: + summary: Fetches the capabilities of the given token on the given path. + operationId: postSysCapabilitiesSelf + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + path: + type: array + description: Use 'paths' instead. + items: + type: string + deprecated: true + paths: + type: array + description: Paths on which capabilities are being queried. + items: + type: string + token: + type: string + description: Token for which capabilities are being queried. + responses: + '200': + description: OK + /sys/config/auditing/request-headers: + description: Lists the headers configured to be audited. 
+ x-vault-sudo: true + get: + summary: List the request headers that are configured to be audited. + operationId: getSysConfigAuditingRequestHeaders + tags: + - system + responses: + '200': + description: OK + /sys/config/auditing/request-headers/{header}: + description: Configures the headers sent to the audit logs. + parameters: + - name: header + in: path + schema: + type: string + required: true + x-vault-sudo: true + get: + summary: List the information for the given request header. + operationId: getSysConfigAuditingRequestHeadersHeader + tags: + - system + responses: + '200': + description: OK + post: + summary: Enable auditing of a header. + operationId: postSysConfigAuditingRequestHeadersHeader + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + hmac: + type: boolean + responses: + '200': + description: OK + delete: + summary: Disable auditing of the given request header. + operationId: deleteSysConfigAuditingRequestHeadersHeader + tags: + - system + responses: + '204': + description: empty body + /sys/config/cors: + description: This path responds to the following HTTP methods. GET / Returns the configuration of the CORS setting. POST / Sets the comma-separated list of origins that can make cross-origin requests. DELETE / Clears the CORS configuration and disables acceptance of CORS requests. + x-vault-sudo: true + get: + summary: Return the current CORS settings. + operationId: getSysConfigCors + tags: + - system + responses: + '200': + description: OK + post: + summary: Configure the CORS settings. + operationId: postSysConfigCors + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + allowed_headers: + type: array + description: A comma-separated string or array of strings indicating headers that are allowed on cross-origin requests. 
+ items: + type: string + allowed_origins: + type: array + description: A comma-separated string or array of strings indicating origins that may make cross-origin requests. + items: + type: string + enable: + type: boolean + description: Enables or disables CORS headers on requests. + responses: + '200': + description: OK + delete: + summary: Remove any CORS settings. + operationId: deleteSysConfigCors + tags: + - system + responses: + '204': + description: empty body + /sys/config/reload/{subsystem}: + parameters: + - name: subsystem + in: path + schema: + type: string + required: true + post: + summary: Reload the given subsystem + operationId: postSysConfigReloadSubsystem + tags: + - system + responses: + '200': + description: OK + /sys/config/state/sanitized: + get: + summary: Return a sanitized version of the Vault server configuration. + description: The sanitized output strips configuration values in the storage, HA storage, and seals stanzas, which may contain sensitive values such as API tokens. It also removes any token or secret fields in other stanzas, such as the circonus_api_token from telemetry. + operationId: getSysConfigStateSanitized + tags: + - system + responses: + '200': + description: OK + /sys/config/ui/headers/: + description: This path responds to the following HTTP methods. GET /
Returns the header value. POST /
Sets the header value for the UI. DELETE /
Clears the header value for UI. LIST / List the headers configured for the UI. + x-vault-sudo: true + get: + summary: Return a list of configured UI headers. + operationId: getSysConfigUiHeaders + tags: + - system + parameters: + - name: list + description: Return a list if `true` + in: query + schema: + type: string + responses: + '200': + description: OK + /sys/config/ui/headers/{header}: + description: This path responds to the following HTTP methods. GET /
Returns the header value. POST /
Sets the header value for the UI. DELETE /
Clears the header value for UI. LIST / List the headers configured for the UI. + parameters: + - name: header + description: The name of the header. + in: path + schema: + type: string + required: true + x-vault-sudo: true + get: + summary: Return the given UI header's configuration + operationId: getSysConfigUiHeadersHeader + tags: + - system + responses: + '200': + description: OK + post: + summary: Configure the values to be returned for the UI header. + operationId: postSysConfigUiHeadersHeader + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + multivalue: + type: boolean + description: Returns multiple values if true + values: + type: array + description: The values to set the header. + items: + type: string + responses: + '200': + description: OK + delete: + summary: Remove a UI header. + operationId: deleteSysConfigUiHeadersHeader + tags: + - system + responses: + '204': + description: empty body + /sys/generate-root: + description: Reads, generates, or deletes a root token regeneration process. + get: + summary: Read the configuration and progress of the current root generation attempt. + operationId: getSysGenerateRoot + tags: + - system + responses: + '200': + description: OK + post: + summary: Initializes a new root generation attempt. + description: Only a single root generation attempt can take place at a time. One (and only one) of otp or pgp_key are required. + operationId: postSysGenerateRoot + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + pgp_key: + type: string + description: Specifies a base64-encoded PGP public key. + responses: + '200': + description: OK + delete: + summary: Cancels any in-progress root generation attempt. + operationId: deleteSysGenerateRoot + tags: + - system + responses: + '204': + description: empty body + /sys/generate-root/attempt: + description: Reads, generates, or deletes a root token regeneration process. 
+ x-vault-unauthenticated: true + get: + summary: Read the configuration and progress of the current root generation attempt. + operationId: getSysGenerateRootAttempt + tags: + - system + responses: + '200': + description: OK + post: + summary: Initializes a new root generation attempt. + description: Only a single root generation attempt can take place at a time. One (and only one) of otp or pgp_key are required. + operationId: postSysGenerateRootAttempt + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + pgp_key: + type: string + description: Specifies a base64-encoded PGP public key. + responses: + '200': + description: OK + delete: + summary: Cancels any in-progress root generation attempt. + operationId: deleteSysGenerateRootAttempt + tags: + - system + responses: + '204': + description: empty body + /sys/generate-root/update: + description: Reads, generates, or deletes a root token regeneration process. + x-vault-unauthenticated: true + post: + summary: Enter a single master key share to progress the root generation attempt. + description: If the threshold number of master key shares is reached, Vault will complete the root generation and issue the new token. Otherwise, this API must be called multiple times until that threshold is met. The attempt nonce must be provided with each call. + operationId: postSysGenerateRootUpdate + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + key: + type: string + description: Specifies a single master key share. + nonce: + type: string + description: Specifies the nonce of the attempt. + responses: + '200': + description: OK + /sys/health: + description: Checks the health status of the Vault. + x-vault-unauthenticated: true + get: + summary: Returns the health status of Vault. 
+ operationId: getSysHealth + tags: + - system + responses: + '200': + description: initialized, unsealed, and active + '429': + description: unsealed and standby + '472': + description: data recovery mode replication secondary and active + '501': + description: not initialized + '503': + description: sealed + /sys/host-info: + description: Information about the host instance that this Vault server is running on. + get: + summary: Information about the host instance that this Vault server is running on. + description: "Information about the host instance that this Vault server is running on.\n\t\tThe information that gets collected includes host hardware information, and CPU,\n\t\tdisk, and memory utilization" + operationId: getSysHostInfo + tags: + - system + responses: + '200': + description: OK + /sys/init: + description: Initializes or returns the initialization status of the Vault. + x-vault-unauthenticated: true + get: + summary: Returns the initialization status of Vault. + operationId: getSysInit + tags: + - system + responses: + '200': + description: OK + post: + summary: Initialize a new Vault. + description: The Vault must not have been previously initialized. The recovery options, as well as the stored shares option, are only available when using Vault HSM. + operationId: postSysInit + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + pgp_keys: + type: array + description: Specifies an array of PGP public keys used to encrypt the output unseal keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as `secret_shares`. + items: + type: string + recovery_pgp_keys: + type: array + description: Specifies an array of PGP public keys used to encrypt the output recovery keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. 
The size of this array must be the same as `recovery_shares`. + items: + type: string + recovery_shares: + type: integer + description: Specifies the number of shares to split the recovery key into. + recovery_threshold: + type: integer + description: Specifies the number of shares required to reconstruct the recovery key. This must be less than or equal to `recovery_shares`. + root_token_pgp_key: + type: string + description: Specifies a PGP public key used to encrypt the initial root token. The key must be base64-encoded from its original binary representation. + secret_shares: + type: integer + description: Specifies the number of shares to split the master key into. + secret_threshold: + type: integer + description: Specifies the number of shares required to reconstruct the master key. This must be less than or equal secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as `secret_shares`. + stored_shares: + type: integer + description: Specifies the number of shares that should be encrypted by the HSM and stored for auto-unsealing. Currently must be the same as `secret_shares`. + responses: + '200': + description: OK + /sys/internal/counters/activity: + description: Query the historical count of clients. + get: + summary: Report the client count metrics, for this namespace and all child namespaces. + operationId: getSysInternalCountersActivity + tags: + - system + responses: + '200': + description: OK + /sys/internal/counters/activity/monthly: + description: Count of active clients so far this month. + get: + summary: Report the number of clients for this month, for this namespace and all child namespaces. + operationId: getSysInternalCountersActivityMonthly + tags: + - system + responses: + '200': + description: OK + /sys/internal/counters/config: + description: Control the collection and reporting of client counts. + get: + summary: Read the client count tracking configuration. 
+ operationId: getSysInternalCountersConfig + tags: + - system + responses: + '200': + description: OK + post: + summary: Enable or disable collection of client count, set retention period, or set default reporting period. + operationId: postSysInternalCountersConfig + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + default_report_months: + type: integer + description: Number of months to report if no start date specified. + default: 12 + enabled: + type: string + description: 'Enable or disable collection of client count: enable, disable, or default.' + default: default + retention_months: + type: integer + description: Number of months of client data to retain. Setting to 0 will clear all existing data. + default: 24 + responses: + '200': + description: OK + /sys/internal/counters/entities: + description: Count of active entities in this Vault cluster. + get: + summary: Backwards compatibility is not guaranteed for this API + operationId: getSysInternalCountersEntities + tags: + - system + responses: + '200': + description: OK + /sys/internal/counters/requests: + description: Currently unsupported. Previously, count of requests seen by this Vault cluster over time. + get: + summary: Backwards compatibility is not guaranteed for this API + operationId: getSysInternalCountersRequests + tags: + - system + responses: + '200': + description: OK + /sys/internal/counters/tokens: + description: Count of active tokens in this Vault cluster. + get: + summary: Backwards compatibility is not guaranteed for this API + operationId: getSysInternalCountersTokens + tags: + - system + responses: + '200': + description: OK + /sys/internal/specs/openapi: + x-vault-unauthenticated: true + get: + summary: Generate an OpenAPI 3 document of all mounted paths. + operationId: getSysInternalSpecsOpenapi + tags: + - system + responses: + '200': + description: OK + /sys/internal/ui/feature-flags: + description: Enabled feature flags. 
Internal API; its location, inputs, and outputs may change. + get: + summary: Lists enabled feature flags. + operationId: getSysInternalUiFeatureFlags + tags: + - system + responses: + '200': + description: OK + /sys/internal/ui/mounts: + description: Information about mounts returned according to their tuned visibility. Internal API; its location, inputs, and outputs may change. + x-vault-unauthenticated: true + get: + summary: Lists all enabled and visible auth and secrets mounts. + operationId: getSysInternalUiMounts + tags: + - system + responses: + '200': + description: OK + /sys/internal/ui/mounts/{path}: + description: Information about mounts returned according to their tuned visibility. Internal API; its location, inputs, and outputs may change. + parameters: + - name: path + description: The path of the mount. + in: path + schema: + type: string + required: true + x-vault-unauthenticated: true + get: + summary: Return information about the given mount. + operationId: getSysInternalUiMountsPath + tags: + - system + responses: + '200': + description: OK + /sys/internal/ui/namespaces: + description: Information about visible child namespaces. Internal API; its location, inputs, and outputs may change. + x-vault-unauthenticated: true + get: + summary: Backwards compatibility is not guaranteed for this API + operationId: getSysInternalUiNamespaces + tags: + - system + responses: + '200': + description: OK + /sys/internal/ui/resultant-acl: + description: Information about a token's resultant ACL. Internal API; its location, inputs, and outputs may change. + get: + summary: Backwards compatibility is not guaranteed for this API + operationId: getSysInternalUiResultantAcl + tags: + - system + responses: + '200': + description: OK + /sys/key-status: + description: Provides information about the backend encryption key. + get: + summary: Provides information about the backend encryption key. 
+ operationId: getSysKeyStatus + tags: + - system + responses: + '200': + description: OK + /sys/leader: + description: Check the high availability status and current leader of Vault + x-vault-unauthenticated: true + get: + summary: Returns the high availability status and current leader instance of Vault. + operationId: getSysLeader + tags: + - system + responses: + '200': + description: OK + /sys/leases: + description: List leases associated with this Vault cluster + x-vault-sudo: true + get: + summary: List leases associated with this Vault cluster + operationId: getSysLeases + tags: + - system + responses: + '200': + description: OK + /sys/leases/count: + description: Count of leases associated with this Vault cluster + get: + summary: Count of leases associated with this Vault cluster + operationId: getSysLeasesCount + tags: + - system + responses: + '200': + description: OK + /sys/leases/lookup: + description: View or list lease metadata. + post: + summary: Retrieve lease metadata. + operationId: postSysLeasesLookup + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + lease_id: + type: string + description: The lease identifier to renew. This is included with a lease. + responses: + '200': + description: OK + /sys/leases/lookup/: + description: View or list lease metadata. + x-vault-sudo: true + get: + summary: Returns a list of lease ids. + operationId: getSysLeasesLookup + tags: + - system + parameters: + - name: list + description: Return a list if `true` + in: query + schema: + type: string + responses: + '200': + description: OK + /sys/leases/lookup/{prefix}: + description: View or list lease metadata. + parameters: + - name: prefix + description: 'The path to list leases under. Example: "aws/creds/deploy"' + in: path + schema: + type: string + required: true + x-vault-sudo: true + get: + summary: Returns a list of lease ids. 
+ operationId: getSysLeasesLookupPrefix + tags: + - system + parameters: + - name: list + description: Return a list if `true` + in: query + schema: + type: string + responses: + '200': + description: OK + /sys/leases/renew: + description: Renew a lease on a secret + post: + summary: Renews a lease, requesting to extend the lease. + operationId: postSysLeasesRenew + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + increment: + type: integer + description: The desired increment in seconds to the lease + format: seconds + lease_id: + type: string + description: The lease identifier to renew. This is included with a lease. + url_lease_id: + type: string + description: The lease identifier to renew. This is included with a lease. + responses: + '200': + description: OK + /sys/leases/renew/{url_lease_id}: + description: Renew a lease on a secret + parameters: + - name: url_lease_id + description: The lease identifier to renew. This is included with a lease. + in: path + schema: + type: string + required: true + post: + summary: Renews a lease, requesting to extend the lease. + operationId: postSysLeasesRenewUrl_lease_id + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + increment: + type: integer + description: The desired increment in seconds to the lease + format: seconds + lease_id: + type: string + description: The lease identifier to renew. This is included with a lease. + responses: + '200': + description: OK + /sys/leases/revoke: + description: Revoke a leased secret immediately + post: + summary: Revokes a lease immediately. + operationId: postSysLeasesRevoke + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + lease_id: + type: string + description: The lease identifier to renew. This is included with a lease. 
+ sync: + type: boolean + description: Whether or not to perform the revocation synchronously + default: true + url_lease_id: + type: string + description: The lease identifier to renew. This is included with a lease. + responses: + '200': + description: OK + /sys/leases/revoke-force/{prefix}: + description: Revoke all secrets generated in a given prefix, ignoring errors. + parameters: + - name: prefix + description: 'The path to revoke keys under. Example: "prod/aws/ops"' + in: path + schema: + type: string + required: true + x-vault-sudo: true + post: + summary: Revokes all secrets or tokens generated under a given prefix immediately + description: |- + Unlike `/sys/leases/revoke-prefix`, this path ignores backend errors encountered during revocation. This is potentially very dangerous and should only be used in specific emergency situations where errors in the backend or the connected backend service prevent normal revocation. + + By ignoring these errors, Vault abdicates responsibility for ensuring that the issued credentials or secrets are properly revoked and/or cleaned up. Access to this endpoint should be tightly controlled. + operationId: postSysLeasesRevokeForcePrefix + tags: + - system + responses: + '200': + description: OK + /sys/leases/revoke-prefix/{prefix}: + description: Revoke all secrets generated in a given prefix + parameters: + - name: prefix + description: 'The path to revoke keys under. Example: "prod/aws/ops"' + in: path + schema: + type: string + required: true + x-vault-sudo: true + post: + summary: Revokes all secrets (via a lease ID prefix) or tokens (via the tokens' path property) generated under a given prefix immediately. 
+ operationId: postSysLeasesRevokePrefixPrefix + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + sync: + type: boolean + description: Whether or not to perform the revocation synchronously + default: true + responses: + '200': + description: OK + /sys/leases/revoke/{url_lease_id}: + description: Revoke a leased secret immediately + parameters: + - name: url_lease_id + description: The lease identifier to renew. This is included with a lease. + in: path + schema: + type: string + required: true + post: + summary: Revokes a lease immediately. + operationId: postSysLeasesRevokeUrl_lease_id + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + lease_id: + type: string + description: The lease identifier to renew. This is included with a lease. + sync: + type: boolean + description: Whether or not to perform the revocation synchronously + default: true + responses: + '200': + description: OK + /sys/leases/tidy: + description: This endpoint performs cleanup tasks that can be run if certain error conditions have occurred. + post: + summary: |- + This endpoint performs cleanup tasks that can be run if certain error + conditions have occurred. + operationId: postSysLeasesTidy + tags: + - system + responses: + '200': + description: OK + /sys/metrics: + description: Export the metrics aggregated for telemetry purpose. + parameters: + - name: format + description: Format to export metrics into. Currently accepts only "prometheus". + in: query + schema: + type: string + get: + summary: Export the metrics aggregated for telemetry purpose. + operationId: getSysMetrics + tags: + - system + responses: + '200': + description: OK + /sys/monitor: + parameters: + - name: log_level + description: Log level to view system logs at. Currently supported values are "trace", "debug", "info", "warn", "error". 
+ in: query + schema: + type: string + get: + operationId: getSysMonitor + tags: + - system + responses: + '200': + description: OK + /sys/mounts: + description: List the currently mounted backends. + get: + summary: List the currently mounted backends. + operationId: getSysMounts + tags: + - system + responses: + '200': + description: OK + /sys/mounts/{path}: + description: Mount a new backend at a new path. + parameters: + - name: path + description: 'The path to mount to. Example: "aws/east"' + in: path + schema: + type: string + required: true + get: + summary: Read the configuration of the secret engine at the given path. + operationId: getSysMountsPath + tags: + - system + responses: + '200': + description: OK + post: + summary: Enable a new secrets engine at the given path. + operationId: postSysMountsPath + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + config: + type: object + description: Configuration for this mount, such as default_lease_ttl and max_lease_ttl. + format: map + description: + type: string + description: User-friendly description for this mount. + external_entropy_access: + type: boolean + description: Whether to give the mount access to Vault's external entropy. + default: false + local: + type: boolean + description: Mark the mount as a local mount, which is not replicated and is unaffected by replication. + default: false + options: + type: object + description: The options to pass into the backend. Should be a json object with string keys and values. + format: kvpairs + plugin_name: + type: string + description: Name of the plugin to mount based from the name registered in the plugin catalog. + seal_wrap: + type: boolean + description: Whether to turn on seal wrapping for the mount. + default: false + type: + type: string + description: 'The type of the backend. 
Example: "passthrough"' + responses: + '200': + description: OK + delete: + summary: Disable the mount point specified at the given path. + operationId: deleteSysMountsPath + tags: + - system + responses: + '204': + description: empty body + /sys/mounts/{path}/tune: + description: Tune backend configuration parameters for this mount. + parameters: + - name: path + description: 'The path to mount to. Example: "aws/east"' + in: path + schema: + type: string + required: true + get: + summary: Tune backend configuration parameters for this mount. + operationId: getSysMountsPathTune + tags: + - system + responses: + '200': + description: OK + post: + summary: Tune backend configuration parameters for this mount. + operationId: postSysMountsPathTune + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + allowed_response_headers: + type: array + description: A list of headers to whitelist and allow a plugin to set on responses. + items: + type: string + audit_non_hmac_request_keys: + type: array + description: The list of keys in the request data object that will not be HMAC'ed by audit devices. + items: + type: string + audit_non_hmac_response_keys: + type: array + description: The list of keys in the response data object that will not be HMAC'ed by audit devices. + items: + type: string + default_lease_ttl: + type: string + description: The default lease TTL for this mount. + description: + type: string + description: User-friendly description for this credential backend. + listing_visibility: + type: string + description: Determines the visibility of the mount in the UI-specific listing endpoint. Accepted value are 'unauth' and ''. + max_lease_ttl: + type: string + description: The max lease TTL for this mount. + options: + type: object + description: The options to pass into the backend. Should be a json object with string keys and values. 
+ format: kvpairs + passthrough_request_headers: + type: array + description: A list of headers to whitelist and pass from the request to the plugin. + items: + type: string + token_type: + type: string + description: The type of token to issue (service or batch). + responses: + '200': + description: OK + /sys/plugins/catalog: + description: Lists all the plugins known to Vault + get: + summary: Lists all the plugins known to Vault + operationId: getSysPluginsCatalog + tags: + - system + responses: + '200': + description: OK + /sys/plugins/catalog/{name}: + description: Configures the plugins known to Vault + parameters: + - name: name + description: The name of the plugin + in: path + schema: + type: string + required: true + x-vault-sudo: true + get: + summary: Return the configuration data for the plugin with the given name. + operationId: getSysPluginsCatalogName + tags: + - system + responses: + '200': + description: OK + post: + summary: Register a new plugin, or updates an existing one with the supplied name. + operationId: postSysPluginsCatalogName + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + args: + type: array + description: The args passed to plugin command. + items: + type: string + command: + type: string + description: The command used to start the plugin. The executable defined in this command must exist in vault's plugin directory. + env: + type: array + description: The environment variables passed to plugin command. Each entry is of the form "key=value". + items: + type: string + sha256: + type: string + description: The SHA256 sum of the executable used in the command field. This should be HEX encoded. + sha_256: + type: string + description: The SHA256 sum of the executable used in the command field. This should be HEX encoded. 
+ type: + type: string + description: The type of the plugin, may be auth, secret, or database + responses: + '200': + description: OK + delete: + summary: Remove the plugin with the given name. + operationId: deleteSysPluginsCatalogName + tags: + - system + responses: + '204': + description: empty body + /sys/plugins/catalog/{type}: + description: Configures the plugins known to Vault + parameters: + - name: type + description: The type of the plugin, may be auth, secret, or database + in: path + schema: + type: string + required: true + x-vault-sudo: true + get: + summary: List the plugins in the catalog. + operationId: getSysPluginsCatalogType + tags: + - system + parameters: + - name: list + description: Return a list if `true` + in: query + schema: + type: string + responses: + '200': + description: OK + /sys/plugins/catalog/{type}/{name}: + description: Configures the plugins known to Vault + parameters: + - name: name + description: The name of the plugin + in: path + schema: + type: string + required: true + - name: type + description: The type of the plugin, may be auth, secret, or database + in: path + schema: + type: string + required: true + x-vault-sudo: true + get: + summary: Return the configuration data for the plugin with the given name. + operationId: getSysPluginsCatalogTypeName + tags: + - system + responses: + '200': + description: OK + post: + summary: Register a new plugin, or updates an existing one with the supplied name. + operationId: postSysPluginsCatalogTypeName + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + args: + type: array + description: The args passed to plugin command. + items: + type: string + command: + type: string + description: The command used to start the plugin. The executable defined in this command must exist in vault's plugin directory. + env: + type: array + description: The environment variables passed to plugin command. 
Each entry is of the form "key=value". + items: + type: string + sha256: + type: string + description: The SHA256 sum of the executable used in the command field. This should be HEX encoded. + sha_256: + type: string + description: The SHA256 sum of the executable used in the command field. This should be HEX encoded. + responses: + '200': + description: OK + delete: + summary: Remove the plugin with the given name. + operationId: deleteSysPluginsCatalogTypeName + tags: + - system + responses: + '204': + description: empty body + /sys/plugins/reload/backend: + description: Reload mounts that use a particular backend plugin. + post: + summary: Reload mounted plugin backends. + description: Either the plugin name (`plugin`) or the desired plugin backend mounts (`mounts`) must be provided, but not both. In the case that the plugin name is provided, all mounted paths that use that plugin backend will be reloaded. If (`scope`) is provided and is (`global`), the plugin(s) are reloaded globally. + operationId: postSysPluginsReloadBackend + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + mounts: + type: array + description: The mount paths of the plugin backends to reload. + items: + type: string + plugin: + type: string + description: The name of the plugin to reload, as registered in the plugin catalog. + scope: + type: string + responses: + '200': + description: OK + /sys/policies/acl: + description: List the configured access control policies. + get: + summary: List the configured access control policies. + operationId: getSysPoliciesAcl + tags: + - system + parameters: + - name: list + description: Return a list if `true` + in: query + schema: + type: string + responses: + '200': + description: OK + /sys/policies/acl/{name}: + description: Read, Modify, or Delete an access control policy. + parameters: + - name: name + description: 'The name of the policy. 
Example: "ops"' + in: path + schema: + type: string + required: true + get: + summary: Retrieve information about the named ACL policy. + operationId: getSysPoliciesAclName + tags: + - system + responses: + '200': + description: OK + post: + summary: Add a new or update an existing ACL policy. + operationId: postSysPoliciesAclName + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + policy: + type: string + description: The rules of the policy. + responses: + '200': + description: OK + delete: + summary: Delete the ACL policy with the given name. + operationId: deleteSysPoliciesAclName + tags: + - system + responses: + '204': + description: empty body + /sys/policies/password/{name}: + description: Read, Modify, or Delete a password policy. + parameters: + - name: name + description: The name of the password policy. + in: path + schema: + type: string + required: true + get: + summary: Retrieve an existing password policy. + operationId: getSysPoliciesPasswordName + tags: + - system + responses: + '200': + description: OK + post: + summary: Add a new or update an existing password policy. + operationId: postSysPoliciesPasswordName + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + policy: + type: string + description: The password policy + responses: + '200': + description: OK + delete: + summary: Delete a password policy. + operationId: deleteSysPoliciesPasswordName + tags: + - system + responses: + '204': + description: empty body + /sys/policies/password/{name}/generate: + description: Generate a password from an existing password policy. + parameters: + - name: name + description: The name of the password policy. + in: path + schema: + type: string + required: true + get: + summary: Generate a password from an existing password policy. 
+ operationId: getSysPoliciesPasswordNameGenerate + tags: + - system + responses: + '200': + description: OK + /sys/policy: + description: List the configured access control policies. + get: + summary: List the configured access control policies. + operationId: getSysPolicy + tags: + - system + parameters: + - name: list + description: Return a list if `true` + in: query + schema: + type: string + responses: + '200': + description: OK + /sys/policy/{name}: + description: Read, Modify, or Delete an access control policy. + parameters: + - name: name + description: 'The name of the policy. Example: "ops"' + in: path + schema: + type: string + required: true + get: + summary: Retrieve the policy body for the named policy. + operationId: getSysPolicyName + tags: + - system + responses: + '200': + description: OK + post: + summary: Add a new or update an existing policy. + operationId: postSysPolicyName + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + policy: + type: string + description: The rules of the policy. + rules: + type: string + description: The rules of the policy. + deprecated: true + responses: + '200': + description: OK + delete: + summary: Delete the policy with the given name. + operationId: deleteSysPolicyName + tags: + - system + responses: + '204': + description: empty body + /sys/pprof/: + get: + summary: Returns an HTML page listing the available profiles. + description: |- + Returns an HTML page listing the available + profiles. This should be mainly accessed via browsers or applications that can + render pages. + operationId: getSysPprof + tags: + - system + responses: + '200': + description: OK + /sys/pprof/allocs: + get: + summary: Returns a sampling of all past memory allocations. + description: Returns a sampling of all past memory allocations. 
+ operationId: getSysPprofAllocs + tags: + - system + responses: + '200': + description: OK + /sys/pprof/block: + get: + summary: Returns stack traces that led to blocking on synchronization primitives + description: Returns stack traces that led to blocking on synchronization primitives + operationId: getSysPprofBlock + tags: + - system + responses: + '200': + description: OK + /sys/pprof/cmdline: + get: + summary: Returns the running program's command line. + description: Returns the running program's command line, with arguments separated by NUL bytes. + operationId: getSysPprofCmdline + tags: + - system + responses: + '200': + description: OK + /sys/pprof/goroutine: + get: + summary: Returns stack traces of all current goroutines. + description: Returns stack traces of all current goroutines. + operationId: getSysPprofGoroutine + tags: + - system + responses: + '200': + description: OK + /sys/pprof/heap: + get: + summary: Returns a sampling of memory allocations of live object. + description: Returns a sampling of memory allocations of live object. + operationId: getSysPprofHeap + tags: + - system + responses: + '200': + description: OK + /sys/pprof/mutex: + get: + summary: Returns stack traces of holders of contended mutexes + description: Returns stack traces of holders of contended mutexes + operationId: getSysPprofMutex + tags: + - system + responses: + '200': + description: OK + /sys/pprof/profile: + get: + summary: Returns a pprof-formatted cpu profile payload. + description: Returns a pprof-formatted cpu profile payload. Profiling lasts for duration specified in seconds GET parameter, or for 30 seconds if not specified. + operationId: getSysPprofProfile + tags: + - system + responses: + '200': + description: OK + /sys/pprof/symbol: + get: + summary: Returns the program counters listed in the request. + description: Returns the program counters listed in the request. 
+ operationId: getSysPprofSymbol + tags: + - system + responses: + '200': + description: OK + /sys/pprof/threadcreate: + get: + summary: Returns stack traces that led to the creation of new OS threads + description: Returns stack traces that led to the creation of new OS threads + operationId: getSysPprofThreadcreate + tags: + - system + responses: + '200': + description: OK + /sys/pprof/trace: + get: + summary: Returns the execution trace in binary form. + description: Returns the execution trace in binary form. Tracing lasts for duration specified in seconds GET parameter, or for 1 second if not specified. + operationId: getSysPprofTrace + tags: + - system + responses: + '200': + description: OK + /sys/quotas/config: + description: Create, update and read the quota configuration. + get: + operationId: getSysQuotasConfig + tags: + - system + responses: + '200': + description: OK + post: + operationId: postSysQuotasConfig + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + enable_rate_limit_audit_logging: + type: boolean + description: If set, starts audit logging of requests that get rejected due to rate limit quota rule violations. + enable_rate_limit_response_headers: + type: boolean + description: If set, additional rate limit quota HTTP headers will be added to responses. + rate_limit_exempt_paths: + type: array + description: Specifies the list of exempt paths from all rate limit quotas. If empty no paths will be exempt. + items: + type: string + responses: + '200': + description: OK + /sys/quotas/rate-limit: + description: Lists the names of all the rate limit quotas. + get: + operationId: getSysQuotasRateLimit + tags: + - system + parameters: + - name: list + description: Return a list if `true` + in: query + schema: + type: string + responses: + '200': + description: OK + /sys/quotas/rate-limit/{name}: + description: Get, create or update rate limit resource quota for an optional namespace or mount. 
+ parameters: + - name: name + description: Name of the quota rule. + in: path + schema: + type: string + required: true + get: + operationId: getSysQuotasRateLimitName + tags: + - system + responses: + '200': + description: OK + post: + operationId: postSysQuotasRateLimitName + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + block_interval: + type: integer + description: If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 'block_interval' has elapsed. + format: seconds + interval: + type: integer + description: The duration to enforce rate limiting for (default '1s'). + format: seconds + path: + type: string + description: Path of the mount or namespace to apply the quota. A blank path configures a global quota. For example namespace1/ adds a quota to a full namespace, namespace1/auth/userpass adds a quota to userpass in namespace1. + rate: + type: number + description: The maximum number of requests in a given interval to be allowed by the quota rule. The 'rate' must be positive. + format: float + type: + type: string + description: Type of the quota rule. + responses: + '200': + description: OK + delete: + operationId: deleteSysQuotasRateLimitName + tags: + - system + responses: + '204': + description: empty body + /sys/raw: + description: Write, Read, and Delete data directly in the Storage backend. + x-vault-sudo: true + get: + summary: Read the value of the key at the given path. + operationId: getSysRaw + tags: + - system + parameters: + - name: list + description: Return a list if `true` + in: query + schema: + type: string + responses: + '200': + description: OK + post: + summary: Update the value of the key at the given path. 
+ operationId: postSysRaw + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + path: + type: string + value: + type: string + responses: + '200': + description: OK + delete: + summary: Delete the key with given path. + operationId: deleteSysRaw + tags: + - system + responses: + '204': + description: empty body + /sys/raw/{path}: + description: Write, Read, and Delete data directly in the Storage backend. + parameters: + - name: path + in: path + schema: + type: string + required: true + x-vault-sudo: true + get: + summary: Read the value of the key at the given path. + operationId: getSysRawPath + tags: + - system + parameters: + - name: list + description: Return a list if `true` + in: query + schema: + type: string + responses: + '200': + description: OK + post: + summary: Update the value of the key at the given path. + operationId: postSysRawPath + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + value: + type: string + responses: + '200': + description: OK + delete: + summary: Delete the key with given path. + operationId: deleteSysRawPath + tags: + - system + responses: + '204': + description: empty body + /sys/rekey/backup: + description: Allows fetching or deleting the backup of the rotated unseal keys. + get: + summary: Return the backup copy of PGP-encrypted unseal keys. + operationId: getSysRekeyBackup + tags: + - system + responses: + '200': + description: OK + delete: + summary: Delete the backup copy of PGP-encrypted unseal keys. + operationId: deleteSysRekeyBackup + tags: + - system + responses: + '204': + description: empty body + /sys/rekey/init: + x-vault-unauthenticated: true + get: + summary: Reads the configuration and progress of the current rekey attempt. + operationId: getSysRekeyInit + tags: + - system + responses: + '200': + description: OK + post: + summary: Initializes a new rekey attempt. 
+ description: Only a single rekey attempt can take place at a time, and changing the parameters of a rekey requires canceling and starting a new rekey, which will also provide a new nonce. + operationId: postSysRekeyInit + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + backup: + type: boolean + description: Specifies if using PGP-encrypted keys, whether Vault should also store a plaintext backup of the PGP-encrypted keys. + pgp_keys: + type: array + description: Specifies an array of PGP public keys used to encrypt the output unseal keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as secret_shares. + items: + type: string + require_verification: + type: boolean + description: Turns on verification functionality + secret_shares: + type: integer + description: Specifies the number of shares to split the master key into. + secret_threshold: + type: integer + description: Specifies the number of shares required to reconstruct the master key. This must be less than or equal secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as secret_shares. + responses: + '200': + description: OK + delete: + summary: Cancels any in-progress rekey. + description: 'This clears the rekey settings as well as any progress made. This must be called to change the parameters of the rekey. Note: verification is still a part of a rekey. If rekeying is canceled during the verification flow, the current unseal keys remain valid.' + operationId: deleteSysRekeyInit + tags: + - system + responses: + '204': + description: empty body + /sys/rekey/recovery-key-backup: + description: Allows fetching or deleting the backup of the rotated unseal keys. + get: + summary: Allows fetching or deleting the backup of the rotated unseal keys. 
+ operationId: getSysRekeyRecoveryKeyBackup + tags: + - system + responses: + '200': + description: OK + delete: + summary: Allows fetching or deleting the backup of the rotated unseal keys. + operationId: deleteSysRekeyRecoveryKeyBackup + tags: + - system + responses: + '204': + description: empty body + /sys/rekey/update: + x-vault-unauthenticated: true + post: + summary: Enter a single master key share to progress the rekey of the Vault. + operationId: postSysRekeyUpdate + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + key: + type: string + description: Specifies a single master key share. + nonce: + type: string + description: Specifies the nonce of the rekey attempt. + responses: + '200': + description: OK + /sys/rekey/verify: + x-vault-unauthenticated: true + get: + summary: Read the configuration and progress of the current rekey verification attempt. + operationId: getSysRekeyVerify + tags: + - system + responses: + '200': + description: OK + post: + summary: Enter a single new key share to progress the rekey verification operation. + operationId: postSysRekeyVerify + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + key: + type: string + description: Specifies a single master share key from the new set of shares. + nonce: + type: string + description: Specifies the nonce of the rekey verification operation. + responses: + '200': + description: OK + delete: + summary: Cancel any in-progress rekey verification operation. + description: This clears any progress made and resets the nonce. Unlike a `DELETE` against `sys/rekey/init`, this only resets the current verification operation, not the entire rekey atttempt. + operationId: deleteSysRekeyVerify + tags: + - system + responses: + '204': + description: empty body + /sys/remount: + description: Move the mount point of an already-mounted backend. 
+ x-vault-sudo: true + post: + summary: Move the mount point of an already-mounted backend. + operationId: postSysRemount + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + from: + type: string + description: The previous mount point. + to: + type: string + description: The new mount point. + responses: + '200': + description: OK + /sys/renew: + description: Renew a lease on a secret + post: + summary: Renews a lease, requesting to extend the lease. + operationId: postSysRenew + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + increment: + type: integer + description: The desired increment in seconds to the lease + format: seconds + lease_id: + type: string + description: The lease identifier to renew. This is included with a lease. + url_lease_id: + type: string + description: The lease identifier to renew. This is included with a lease. + responses: + '200': + description: OK + /sys/renew/{url_lease_id}: + description: Renew a lease on a secret + parameters: + - name: url_lease_id + description: The lease identifier to renew. This is included with a lease. + in: path + schema: + type: string + required: true + post: + summary: Renews a lease, requesting to extend the lease. + operationId: postSysRenewUrl_lease_id + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + increment: + type: integer + description: The desired increment in seconds to the lease + format: seconds + lease_id: + type: string + description: The lease identifier to renew. This is included with a lease. + responses: + '200': + description: OK + /sys/replication/status: + x-vault-unauthenticated: true + get: + operationId: getSysReplicationStatus + tags: + - system + responses: + '200': + description: OK + /sys/revoke: + description: Revoke a leased secret immediately + post: + summary: Revokes a lease immediately. 
+ operationId: postSysRevoke + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + lease_id: + type: string + description: The lease identifier to renew. This is included with a lease. + sync: + type: boolean + description: Whether or not to perform the revocation synchronously + default: true + url_lease_id: + type: string + description: The lease identifier to renew. This is included with a lease. + responses: + '200': + description: OK + /sys/revoke-force/{prefix}: + description: Revoke all secrets generated in a given prefix, ignoring errors. + parameters: + - name: prefix + description: 'The path to revoke keys under. Example: "prod/aws/ops"' + in: path + schema: + type: string + required: true + x-vault-sudo: true + post: + summary: Revokes all secrets or tokens generated under a given prefix immediately + description: |- + Unlike `/sys/leases/revoke-prefix`, this path ignores backend errors encountered during revocation. This is potentially very dangerous and should only be used in specific emergency situations where errors in the backend or the connected backend service prevent normal revocation. + + By ignoring these errors, Vault abdicates responsibility for ensuring that the issued credentials or secrets are properly revoked and/or cleaned up. Access to this endpoint should be tightly controlled. + operationId: postSysRevokeForcePrefix + tags: + - system + responses: + '200': + description: OK + /sys/revoke-prefix/{prefix}: + description: Revoke all secrets generated in a given prefix + parameters: + - name: prefix + description: 'The path to revoke keys under. Example: "prod/aws/ops"' + in: path + schema: + type: string + required: true + x-vault-sudo: true + post: + summary: Revokes all secrets (via a lease ID prefix) or tokens (via the tokens' path property) generated under a given prefix immediately. 
+ operationId: postSysRevokePrefixPrefix + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + sync: + type: boolean + description: Whether or not to perform the revocation synchronously + default: true + responses: + '200': + description: OK + /sys/revoke/{url_lease_id}: + description: Revoke a leased secret immediately + parameters: + - name: url_lease_id + description: The lease identifier to renew. This is included with a lease. + in: path + schema: + type: string + required: true + post: + summary: Revokes a lease immediately. + operationId: postSysRevokeUrl_lease_id + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + lease_id: + type: string + description: The lease identifier to renew. This is included with a lease. + sync: + type: boolean + description: Whether or not to perform the revocation synchronously + default: true + responses: + '200': + description: OK + /sys/rotate: + description: Rotates the backend encryption key used to persist data. + x-vault-sudo: true + post: + summary: Rotates the backend encryption key used to persist data. + operationId: postSysRotate + tags: + - system + responses: + '200': + description: OK + /sys/rotate/config: + description: Configures settings related to the backend encryption key management. + get: + operationId: getSysRotateConfig + tags: + - system + responses: + '200': + description: OK + post: + operationId: postSysRotateConfig + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + enabled: + type: boolean + description: Whether automatic rotation is enabled. + interval: + type: integer + description: How long after installation of an active key term that the key will be automatically rotated. + format: seconds + max_operations: + description: The number of encryption operations performed before the barrier key is automatically rotated. 
+ format: unknown + responses: + '200': + description: OK + /sys/seal: + description: Seals the Vault. + post: + summary: Seal the Vault. + operationId: postSysSeal + tags: + - system + responses: + '200': + description: OK + /sys/seal-status: + description: Returns the seal status of the Vault. + x-vault-unauthenticated: true + get: + summary: Check the seal status of a Vault. + operationId: getSysSealStatus + tags: + - system + responses: + '200': + description: OK + /sys/step-down: + post: + summary: Cause the node to give up active status. + description: This endpoint forces the node to give up active status. If the node does not have active status, this endpoint does nothing. Note that the node will sleep for ten seconds before attempting to grab the active lock again, but if no standby nodes grab the active lock in the interim, the same node may become the active node again. + operationId: postSysStepDown + tags: + - system + responses: + '204': + description: empty body + /sys/tools/hash: + description: Generate a hash sum for input data + post: + summary: Generate a hash sum for input data + operationId: postSysToolsHash + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + algorithm: + type: string + description: 'Algorithm to use (POST body parameter). Valid values are: * sha2-224 * sha2-256 * sha2-384 * sha2-512 Defaults to "sha2-256".' + default: sha2-256 + format: + type: string + description: Encoding format to use. Can be "hex" or "base64". Defaults to "hex". 
+ default: hex + input: + type: string + description: The base64-encoded input data + urlalgorithm: + type: string + description: Algorithm to use (POST URL parameter) + responses: + '200': + description: OK + /sys/tools/hash/{urlalgorithm}: + description: Generate a hash sum for input data + parameters: + - name: urlalgorithm + description: Algorithm to use (POST URL parameter) + in: path + schema: + type: string + required: true + post: + summary: Generate a hash sum for input data + operationId: postSysToolsHashUrlalgorithm + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + algorithm: + type: string + description: 'Algorithm to use (POST body parameter). Valid values are: * sha2-224 * sha2-256 * sha2-384 * sha2-512 Defaults to "sha2-256".' + default: sha2-256 + format: + type: string + description: Encoding format to use. Can be "hex" or "base64". Defaults to "hex". + default: hex + input: + type: string + description: The base64-encoded input data + responses: + '200': + description: OK + /sys/tools/random: + description: Generate random bytes + post: + summary: Generate random bytes + operationId: postSysToolsRandom + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + bytes: + type: integer + description: The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits). + default: 32 + format: + type: string + description: Encoding format to use. Can be "hex" or "base64". Defaults to "base64". 
+ default: base64 + urlbytes: + type: string + description: The number of bytes to generate (POST URL parameter) + responses: + '200': + description: OK + /sys/tools/random/{urlbytes}: + description: Generate random bytes + parameters: + - name: urlbytes + description: The number of bytes to generate (POST URL parameter) + in: path + schema: + type: string + required: true + post: + summary: Generate random bytes + operationId: postSysToolsRandomUrlbytes + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + bytes: + type: integer + description: The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits). + default: 32 + format: + type: string + description: Encoding format to use. Can be "hex" or "base64". Defaults to "base64". + default: base64 + responses: + '200': + description: OK + /sys/unseal: + description: Unseals the Vault. + x-vault-unauthenticated: true + post: + summary: Unseal the Vault. + operationId: postSysUnseal + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + key: + type: string + description: Specifies a single master key share. This is required unless reset is true. + reset: + type: boolean + description: Specifies if previously-provided unseal keys are discarded and the unseal process is reset. + responses: + '200': + description: OK + /sys/wrapping/lookup: + description: Looks up the properties of a response-wrapped token. + x-vault-unauthenticated: true + get: + summary: Look up wrapping properties for the requester's token. + operationId: getSysWrappingLookup + tags: + - system + responses: + '200': + description: OK + post: + summary: Look up wrapping properties for the given token. 
+ operationId: postSysWrappingLookup + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + token: + type: string + responses: + '200': + description: OK + /sys/wrapping/rewrap: + description: Rotates a response-wrapped token. + post: + summary: Rotates a response-wrapped token. + operationId: postSysWrappingRewrap + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + token: + type: string + responses: + '200': + description: OK + /sys/wrapping/unwrap: + description: Unwraps a response-wrapped token. + post: + summary: Unwraps a response-wrapped token. + operationId: postSysWrappingUnwrap + tags: + - system + requestBody: + content: + application/json: + schema: + type: object + properties: + token: + type: string + responses: + '200': + description: OK + /sys/wrapping/wrap: + description: Response-wraps an arbitrary JSON object. + post: + summary: Response-wraps an arbitrary JSON object. + operationId: postSysWrappingWrap + tags: + - system + responses: + '200': + description: OK diff --git a/examples/github.com/hashicorp/vault/clone.sh b/examples/github.com/hashicorp/vault/clone.sh new file mode 100644 index 0000000..0aefd14 --- /dev/null +++ b/examples/github.com/hashicorp/vault/clone.sh @@ -0,0 +1,13 @@ +#!/bin/bash -eu + +# HEAD on 2021-11-19T12:53:24Z +# 56db32d7cbfd6858002b64a03af74ea8863537b9 +# git@github.com:hashicorp/vault.git +curl -#fSLo code.zip https://github.com/hashicorp/vault/archive/56db32d7cbfd6858002b64a03af74ea8863537b9.zip +unzip code.zip +rm code.zip +ls -lha . +make dev + +# From https://www.vaultproject.io/api/system/internal-specs-openapi +curl -#fSLo vault.json http://127.0.0.1:8200/v1/sys/internal/specs/openapi diff --git a/examples/github.com/hashicorp/vault/fuzzymonkey.star b/examples/github.com/hashicorp/vault/fuzzymonkey.star new file mode 100644 index 0000000..b45b2bd --- /dev/null 
+++ b/examples/github.com/hashicorp/vault/fuzzymonkey.star @@ -0,0 +1,19 @@ +monkey.openapi3( + name = "hashicorp_vault", + file = "openapi.json", +) + +HOST = "http://127.0.0.1:8200" +TOKEN = "root" + +monkey.shell( + name = "vault_dev", + provides = ["hashicorp_vault"], + start = """ + ./vault/bin/vault server -dev -dev-root-token-id='{TOKEN}' -address='{HOST}' -exit-on-core-shutdown #& + """, + + stop = """ + kill $(ps aux | grep vault |head -n1 |awk '{print $2}') + """, +) From 02ffeafc84d2740bf91ebe2a25f4c3041abbd4da Mon Sep 17 00:00:00 2001 From: Pierre Fenoll Date: Mon, 10 Jun 2024 20:38:21 +0200 Subject: [PATCH 2/2] wip Signed-off-by: Pierre Fenoll --- .../bug1_modified/check.sh | 2 +- .../bug2_invalid/check.sh | 2 +- .../bug3_crashes/check.sh | 2 +- .../bugfree/check.sh | 2 +- .../github.com/hashicorp/vault/.gitignore | 3 +- .../github.com/hashicorp/vault/Dockerfile | 22 ++++++--- examples/github.com/hashicorp/vault/clone.sh | 46 ++++++++++++++----- .../hashicorp/vault/fuzzymonkey.star | 41 +++++++++++++++-- 8 files changed, 93 insertions(+), 27 deletions(-) mode change 100644 => 100755 examples/github.com/hashicorp/vault/clone.sh diff --git a/examples/demo_erlang_cowboy_simpleREST/bug1_modified/check.sh b/examples/demo_erlang_cowboy_simpleREST/bug1_modified/check.sh index bcc4d7b..a9f74b9 100755 --- a/examples/demo_erlang_cowboy_simpleREST/bug1_modified/check.sh +++ b/examples/demo_erlang_cowboy_simpleREST/bug1_modified/check.sh @@ -66,7 +66,7 @@ error() { info "$MONKEY" --version $MONKEY --version -rebar3 clean --all +# rebar3 clean --all rebar3 as prod release check() { diff --git a/examples/demo_erlang_cowboy_simpleREST/bug2_invalid/check.sh b/examples/demo_erlang_cowboy_simpleREST/bug2_invalid/check.sh index bcc4d7b..a9f74b9 100755 --- a/examples/demo_erlang_cowboy_simpleREST/bug2_invalid/check.sh +++ b/examples/demo_erlang_cowboy_simpleREST/bug2_invalid/check.sh 
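Review bot: The `stop` command kills whatever `ps aux | grep vault | head -n1` lists first, which can be the `grep` itself or any unrelated process whose command line happens to contain "vault", and it never targets the pid that `start` actually launched; anchor it to the binary, `pkill -f './vault/bin/vault server'`, or have `start` write `$!` to a pid file that `stop` reads. Separately, `{TOKEN}` and `{HOST}` inside the `start` string are never substituted, since Starlark does not interpolate braces without `.format()`, so unless monkey.shell does its own templating the server comes up with the literal root token `{TOKEN}` and `-address={HOST}`, and requests authenticated with `root` will be rejected; `start = """...""".format(TOKEN = TOKEN, HOST = HOST)` fixes that. The second patch on this page rewrites this file, but its hunk is outside my view, so this may already be addressed there.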
@@ -66,7 +66,7 @@ error() { info "$MONKEY" --version $MONKEY --version -rebar3 clean --all +# rebar3 clean --all rebar3 as prod release check() { diff --git a/examples/demo_erlang_cowboy_simpleREST/bug3_crashes/check.sh b/examples/demo_erlang_cowboy_simpleREST/bug3_crashes/check.sh index 67e6ffb..2d8b988 100755 --- a/examples/demo_erlang_cowboy_simpleREST/bug3_crashes/check.sh +++ b/examples/demo_erlang_cowboy_simpleREST/bug3_crashes/check.sh @@ -66,7 +66,7 @@ error() { info "$MONKEY" --version $MONKEY --version -rebar3 clean --all +# rebar3 clean --all rebar3 as prod release check() { diff --git a/examples/demo_erlang_cowboy_simpleREST/bugfree/check.sh b/examples/demo_erlang_cowboy_simpleREST/bugfree/check.sh index 61f7059..72d8d6b 100755 --- a/examples/demo_erlang_cowboy_simpleREST/bugfree/check.sh +++ b/examples/demo_erlang_cowboy_simpleREST/bugfree/check.sh @@ -66,7 +66,7 @@ error() { info "$MONKEY" --version $MONKEY --version -rebar3 clean --all +# rebar3 clean --all rebar3 as prod release check() { diff --git a/examples/github.com/hashicorp/vault/.gitignore b/examples/github.com/hashicorp/vault/.gitignore index c0fab2a..6f773b2 100644 --- a/examples/github.com/hashicorp/vault/.gitignore +++ b/examples/github.com/hashicorp/vault/.gitignore @@ -1 +1,2 @@ -/vault-*/ +/vault/ +/openapi.json diff --git a/examples/github.com/hashicorp/vault/Dockerfile b/examples/github.com/hashicorp/vault/Dockerfile index 00951c9..6d9122b 100644 --- a/examples/github.com/hashicorp/vault/Dockerfile +++ b/examples/github.com/hashicorp/vault/Dockerfile 
@@ -1,6 +1,16 @@
-FROM gcr.io/distroless/static:nonroot@sha256:80c956fb0836a17a565c43a4026c9c80b2013c83bea09f74fa4da195a59b7a99 AS distroless
-COPY /vault --chown=nonroot /vault
-RUN ls -lha . /vault /vault/vault wefwefw
-ARG HOST
-ARG TOKEN
-ENTRYPOINT ["./vault/bin/vault", "server", "-dev", "-dev-root-token-id=root", "-address=http://127.0.0.1:8200", "-exit-on-core-shutdown"]
+# FROM gcr.io/distroless/static:nonroot@sha256:80c956fb0836a17a565c43a4026c9c80b2013c83bea09f74fa4da195a59b7a99 AS distroless
+# FROM gcr.io/distroless/base:nonroot@sha256:02f667185ccf78dbaaf79376b6904aea6d832638e1314387c2c2932f217ac5cb AS distroless
+FROM docker.io/library/alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300 AS alpine
+
+COPY --chown=nonroot /vault /vault
+# RUN ls -lha . /vault /vault/vault wefwefw
+# ARG HOST
+# ARG TOKEN
+EXPOSE 8200/tcp
+# ENTRYPOINT ["/vault/bin/vault", "server", "-dev", "-dev-root-token-id=root", "-address=http://127.0.0.1:8200", "-exit-on-core-shutdown"]
+# ENTRYPOINT ["/vault/bin/vault", "server", "-dev", "-dev-root-token-id=root", "-address=http://0.0.0.0:8200", "-exit-on-core-shutdown"]
+RUN echo '{ "listener": { "tcp":{ "address": "0.0.0.0:8200", "tls_disable": 1 } } }' >/vault_config.json
+ENV VAULT_API_ADDR=http://0.0.0.0:8200,
+
+# ENTRYPOINT ["/vault/bin/vault", "server", "-dev", "-dev-root-token-id=root", "-config=/vault_config.json", "-exit-on-core-shutdown"]
+ENTRYPOINT ["/vault/bin/vault", "server", "-dev", "-dev-root-token-id=root","-config=/vault_config.json", "-address=http://127.0.0.1:8200", "-exit-on-core-shutdown"]
diff --git a/examples/github.com/hashicorp/vault/clone.sh b/examples/github.com/hashicorp/vault/clone.sh
old mode 100644
new mode 100755
index 0aefd14..7ce8ebe
--- a/examples/github.com/hashicorp/vault/clone.sh
+++ b/examples/github.com/hashicorp/vault/clone.sh
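Review bot: `ENV VAULT_API_ADDR=http://0.0.0.0:8200,` carries a trailing comma, so the advertised API address becomes `http://0.0.0.0:8200,`, which is not a usable URL; it looks like a typo and should read `ENV VAULT_API_ADDR=http://0.0.0.0:8200`. `COPY --chown=nonroot /vault /vault` was written for the distroless base that this hunk comments out; the alpine base does not ship a `nonroot` user by default, so the build will presumably fail at that step unless the user is created first (`RUN adduser -D nonroot`). Note also that the generated listener config binds `0.0.0.0:8200` with `tls_disable` and a fixed root token `root`, while the ENTRYPOINT still passes `-address=http://127.0.0.1:8200`; a comment such as `# dev-only fuzz target: plaintext listener, fixed root token — only ever publish 8200 on 127.0.0.1` would make the intended exposure explicit.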
@@ -1,13 +1,37 @@
 #!/bin/bash -eu
-# HEAD on 2021-11-19T12:53:24Z
-# 56db32d7cbfd6858002b64a03af74ea8863537b9
-# git@github.com:hashicorp/vault.git
-curl -#fSLo code.zip https://github.com/hashicorp/vault/archive/56db32d7cbfd6858002b64a03af74ea8863537b9.zip
-unzip code.zip
-rm code.zip
-ls -lha .
-make dev
-
-# From https://www.vaultproject.io/api/system/internal-specs-openapi
-curl -#fSLo vault.json http://127.0.0.1:8200/v1/sys/internal/specs/openapi
+commit=56db32d7cbfd6858002b64a03af74ea8863537b9 # HEAD on 2021-11-19T12:53:24Z
+
+if ! [[ -d vault ]]; then
+ curl -#fSLo code.zip https://github.com/hashicorp/vault/archive/"$commit".zip
+ unzip code.zip
+ rm code.zip
+ mv vault-"$commit"/ vault
+
+ make -C vault dev
+fi
+
+if ! [[ -f openapi.json ]]; then
+ host=http://127.0.0.1:8200
+ token=root
+ ./vault/bin/vault server -dev -dev-root-token-id="$token" -address="$host" -exit-on-core-shutdown &
+ pid=$!
+
+ sleep 1
+
+ # From https://www.vaultproject.io/api/system/internal-specs-openapi
+ curl -#fSLo openapi.json -H "X-Vault-Token: $token" "$host"/v1/sys/internal/specs/openapi
+
+ kill "$pid"
+fi
+
+# # ./vault/bin/vault server -address=http://127.0.0.1:8200 -tls-skip-verify -exit-on-core-shutdown
+# # ./vault/bin/vault server -dev -dev-root-token-id="root" -address=http://127.0.0.1:8200 -tls-skip-verify -exit-on-core-shutdown
+# # -dev-listen-address=127.0.0.1:8200
+# # ./vault/bin/vault server -dev -dev-root-token-id="root" -address=http://127.0.0.1:8200 -exit-on-core-shutdown
+
+# # # From https://www.vaultproject.io/api/system/internal-specs-openapi
+# # curl -#fSLo openapi.json http://127.0.0.1:8200/v1/sys/internal/specs/openapi
+# curl -#fSLo openapi.json -H 'X-Vault-Token: root' http://127.0.0.1:8200/v1/sys/internal/specs/openapi
+
+# 0 1s vault main ❯ kill $(ps aux | \grep vault |head -n1 |awk '{print $2}')
diff --git a/examples/github.com/hashicorp/vault/fuzzymonkey.star b/examples/github.com/hashicorp/vault/fuzzymonkey.star
index b45b2bd..2fc7ded 100644
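Review bot: The readiness wait in the `openapi.json` branch is a fixed `sleep 1`, so on a slow host the `curl` can run before the dev server is listening, and because the script runs under `bash -eu` a failed curl aborts it before `kill "$pid"` is reached, leaving a background Vault dev server (root token `root`, no TLS) running on 127.0.0.1:8200. Register the cleanup immediately after `pid=$!` with `trap 'kill "$pid"' EXIT`, and replace the sleep with a bounded poll on the endpoint being fetched, e.g. `for _ in $(seq 50); do curl -sfo /dev/null -H "X-Vault-Token: $token" "$host"/v1/sys/internal/specs/openapi && break; sleep .1; done`. The `host=` and `token=root` values duplicate HOST/TOKEN in fuzzymonkey.star; a comment `# must match TOKEN/HOST in fuzzymonkey.star` would keep them from drifting.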
--- a/examples/github.com/hashicorp/vault/fuzzymonkey.star
+++ b/examples/github.com/hashicorp/vault/fuzzymonkey.star
@@ -3,17 +3,48 @@ monkey.openapi3(
 file = "openapi.json",
 )
-HOST = "http://127.0.0.1:8200"
-TOKEN = "root"
+TOKEN, HOST = "root", "http://127.0.0.1:8200"
+
+# https://github.com/hashicorp/vault/issues/13225
+# https://www.vaultproject.io/docs/concepts/dev-server
+# https://www.vaultproject.io/api-docs
 monkey.shell(
 name = "vault_dev",
 provides = ["hashicorp_vault"],
 start = """
- ./vault/bin/vault server -dev -dev-root-token-id='{TOKEN}' -address='{HOST}' -exit-on-core-shutdown #&
- """,
+ ./vault/bin/vault server -dev -dev-root-token-id='{token}' -address='{host}' -exit-on-core-shutdown &
+ # export vault_pid=$!
+ vault_pid=$!
+ # Wait until server is up
+ until curl --output /dev/null --silent --fail -H 'X-Vault-Token: root' {host}/v1/sys/internal/specs/openapi; do
+ sleep .1
+ done
+ """.format(token = TOKEN, host = HOST),
 stop = """
- kill $(ps aux | grep vault |head -n1 |awk '{print $2}')
+ # kill $(ps aux | grep vault |head -n1 |awk '{print $2}')
+ kill $vault_pid
 """,
 )
+
+# shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
+# fixes https://github.com/FuzzyMonkeyCo/monkey/issues/60
+
+# # │ $ export VAULT_ADDR='http://127.0.0.1:8200' │
+
+# monkey.shell(
+# name = "vault_dev",
+# provides = ["hashicorp_vault"],
+# start = """
+# docker build --tag vault-image .
+# # docker run --rm --detach --publish {PORT}:{PORT} --name vault-container vault-image
+# docker run --rm --publish {PORT}:{PORT} --name vault-container vault-image
+# # until curl --output /dev/null --silent --fail --head -H 'X-Vault-Token: root' http://vault-container:{PORT}/v1/sys/internal/specs/openapi; do
+# # sleep .1
+# # done
+# """.format(PORT = PORT),
+# stop = """
+# docker stop --time 1 vault-container
+# """,
+# )
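Review bot: The readiness probe in `start` hard-codes `-H 'X-Vault-Token: root'` while the server line beside it takes `{token}` from `.format(token = TOKEN, host = HOST)`, so changing TOKEN silently breaks the probe; use `-H 'X-Vault-Token: {token}'` there. The `until` loop is unbounded, so if the dev server fails to start the start step spins forever instead of failing; a bounded form such as `for _ in $(seq 100); do curl ... && break; sleep .1; done` followed by `kill -0 $vault_pid` would surface the failure. Whether `$vault_pid` assigned in `start` is still visible in `stop` depends on monkey running both snippets in one shell, which the left-over `# export vault_pid=$!` suggests is unconfirmed; if it is not, write `echo $! >vault.pid` in start and `kill "$(cat vault.pid)"` in stop.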