mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-25 00:21:07 +02:00
Code Issues Projects Releases Wiki Activity
vault/website/content/api-docs/auth/scep.mdx
Erica Thompson 0660ea6fac
Update README (#31244) 
* Update README

Let contributors know that docs will now be located in UDR

* Add comments to each mdx doc

Comment has been added to all mdx docs that are not partials

* chore: added changelog

changelog check failure

* wip: removed changelog

* Fix content errors

* Doc spacing

* Update website/content/docs/deploy/kubernetes/vso/helm.mdx

Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>

---------

Co-authored-by: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com>
Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
2025-07-22 08:12:22 -07:00

210 lines
4.9 KiB
Plaintext
Raw Permalink Blame History

---
layout: api
page_title: SCEP - Auth Methods - HTTP API
description: |-
This is the API documentation for the Vault SCEP authentication
method.
---
> [!IMPORTANT]
> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
# SCEP auth method (API)
Use the SCEP authentication plugin API to interact with a mounted plugin
instance. For general information about the usage and operation of the
SCEP method, refer to the [Vault SCEP method documentation](/vault/docs/auth/scep).
## Create SCEP role
Creates or updates a named SCEP role.
| Method | Path |
|:-------|:------------------------|
| `POST` | `/auth/{mount_path}/role/:name` |
### Parameters
- `name` `(string: <required>)` - The name of the SCEP role.
- `display_name` `(string: "<name>")` - The `display_name` value for tokens
issued when authenticating against the role. Defaults to `name`.
- `auth_type` `(enum: <required>)` - Required authentication type for the SCEP
role. Must be one of: `static-challenge`, `intune`.
- `challenge` `(string: "")` - The authentication challenge to use when
`auth_type` is `static-challenge`.
@include 'tokenfields.mdx'
### Sample payload
```json
{
"auth_type": "static-challenge",
"challenge": "super-secret-challenge",
"display_name": "test",
"token_policies": ["access-scep"],
"token_type": "batch"
}
```
### Sample request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json
http://127.0.0.1:8200/v1/auth/scep/role/static-challenge-1
```
### Sample response
```json
{
"request_id": "c22d68ec-ac3d-ea24-d5d0-efe07dcc0ef6",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"auth_type": "static-challenge",
"display_name": "test",
"name": "static-challenge-1",
"token_bound_cidrs": [],
"token_explicit_max_ttl": 0,
"token_max_ttl": 0,
"token_no_default_policy": false,
"token_num_uses": 0,
"token_period": 0,
"token_policies": [
"access-scep"
],
"token_ttl": 0,
"token_type": "batch"
},
"wrap_info": null,
"warnings": null,
"auth": null,
"mount_type": "scep"
}
```
## Read SCEP role
Get information associated with the named role.
| Method | Path |
|:-------|:------------------------|
| `GET` | `/auth/{mount_path}/role/:name` |
### Parameters
- `name` `(string: <required>)` - The name of the SCEP role.
### Sample request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/auth/scep/role/static-challenge-1
```
### Sample response
```json
{
"request_id": "07c9bfcc-ee30-6ba9-fce8-07bae5033989",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"auth_type": "static-challenge",
"display_name": "static-challenge-1",
"name": "static-challenge-1",
"token_bound_cidrs": [],
"token_explicit_max_ttl": 0,
"token_max_ttl": 0,
"token_no_default_policy": false,
"token_num_uses": 0,
"token_period": 0,
"token_policies": [
"access-scep"
],
"token_ttl": 0,
"token_type": "batch"
},
"wrap_info": null,
"warnings": null,
"auth": null,
"mount_type": "scep"
}
```
## List SCEP roles
List all currently configured SCEP role names.
| Method | Path |
| :----- | :----------------- |
| `LIST` | `/auth/{mount_path}/role` |
### Sample request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
--request LIST \
http://127.0.0.1:8200/v1/auth/scep/role
```
### Sample response
```json
{
"auth": null,
"warnings": null,
"wrap_info": null,
"data": {
"keys": ["static-challenge-1", "intune-1"]
},
"lease_duration": 0,
"renewable": false,
"lease_id": ""
}
```
## Delete SCEP role
Delete the named role.
| Method | Path |
|:---------|:------------------------|
| `DELETE` | `/auth/{mount_path}/role/:name` |
### Parameters
- `name` `(string: <required>)` - The name of the SCEP role.
### Sample request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
http://127.0.0.1:8200/v1/auth/scep/role/static-challenge-1
```
## Login
SCEP authentication endpoint for delegated authentication from a PKI mount.
| Method | Path |
|:-------|:-------------------|
| `POST` | `/auth/{mount_path}/login` |
### Parameters
- `name` `(string: "")` - The SCEP role associated with the PKI mount. Leaving
`name` unset tells Vault to try all SCEP roles and return the first one that
matches.
Reference in New Issue View Git Blame Copy Permalink