mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-13 01:57:03 +02:00
---
layout: docs
page_title: Create a lease count quota
description: >-
  Step-by-step instructions for creating lease count quotas for an
  authentication plugin
---

# Create a lease count quota

Use lease count quotas to limit the number of leases generated on a per-mount
basis and control resource consumption for your Vault instance where hard
limits make sense.

## Before you start

- **Confirm you have access to the root or administration namespace for your
  Vault instance**. Modifying lease count quotas is a restricted activity.

## Step 1: Determine the appropriate granularity

The granularity of your lease limits can affect the performance of your Vault
cluster. In particular, if your lease limits cause the number of rejected
requests to increase dramatically, the increased audit logging may impact Vault
performance.

Review past system behavior to identify whether the quota limits should be
inheritable or limited to a specific role.

## Step 2: Apply the count quota

<Tabs>

<Tab heading="CLI" group="cli">

Use `vault write` and the `sys/quotas/lease-count/{quota-name}` path to
create a new lease count quota:

```shell-session
$ vault write \
    sys/quotas/lease-count/<QUOTA_NAME> \
    name="<QUOTA_NAME>" \
    path="<PLUGIN_MOUNT_PATH>" \
    role="<OPTIONAL_AUTHN_ROLE>" \
    max_leases=<LEASE_LIMIT>
```

For example, to create a targeted quota limit called **webapp-tokens** on the
`webapp` role for the `approle` plugin at the default mount path:

```shell-session
$ vault write \
    sys/quotas/lease-count/webapp-tokens \
    name="webapp-tokens" \
    path="auth/approle" \
    role="webapp" \
    max_leases=100

Success! Data written to: sys/quotas/lease-count/webapp-tokens
```

</Tab>

<Tab heading="API" group="api">

1. Create a payload file with your quota settings.

   ```json
   {
     "name": "<QUOTA_NAME>",
     "path": "<PLUGIN_MOUNT_PATH>",
     "role": "<OPTIONAL_AUTHN_ROLE>",
     "max_leases": <LEASE_LIMIT>
   }
   ```

   For example, to create a targeted quota limit called **webapp-tokens** on the
   `webapp` role for the `approle` plugin at the default mount path:

   ```json
   {
     "name": "webapp-tokens",
     "path": "auth/approle",
     "role": "webapp",
     "max_leases": 100
   }
   ```

1. Call the `/sys/quotas/lease-count/{quota-name}` endpoint to apply the lease
   count quota. For example, to apply the `webapp-tokens` quota:

   ```shell-session
   $ curl \
       --request POST \
       --header "X-Vault-Token: ${VAULT_TOKEN}" \
       --data @payload.json \
       ${VAULT_ADDR}/v1/sys/quotas/lease-count/webapp-tokens
   ```

   <Note title="Silent endpoint">

   The `/sys/quotas/lease-count/{quota-name}` endpoint succeeds silently.

   </Note>

</Tab>

</Tabs>

## Step 3: Confirm the quota settings

<Tabs>

<Tab heading="CLI" group="cli">

Use `vault read` and the `sys/quotas/lease-count/{quota-name}` path to
display the lease count quota details:

```shell-session
$ vault read sys/quotas/lease-count/<QUOTA_NAME>
```

For example, to read the **webapp-tokens** quota details:

```shell-session
$ vault read sys/quotas/lease-count/webapp-tokens

Key            Value
---            -----
counter        0
inheritable    true
max_leases     100
name           webapp-tokens
path           auth/approle/
role           webapp
type           lease-count
```

</Tab>

<Tab heading="API" group="api">

Call the `sys/quotas/lease-count/{quota-name}` endpoint to display the lease
count quota details. For example, to read the **webapp-tokens** quota details:

```shell-session
$ curl \
    --header "X-Vault-Token: ${VAULT_TOKEN}" \
    --request GET \
    --silent \
    ${VAULT_ADDR}/v1/sys/quotas/lease-count/webapp-tokens | jq

{
  "request_id": "188e22f1-dc1a-251a-a0a1-005e256fe70f",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "counter": 0,
    "inheritable": false,
    "max_leases": 100,
    "name": "webapp-tokens",
    "path": "auth/approle/",
    "role": "webapp",
    "type": "lease-count"
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}
```

</Tab>

</Tabs>
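The payload written in step 2 and the quota details read back in step 3 can be handled in code as well, which is useful when quotas are managed from a script and their usage is polled as part of the monitoring suggested below. The following is an added example and is not part of the Vault documentation or of Vault's own code base; it uses only the payload and response fields shown on this page, the `warn_at` threshold and the "positive integer" check on `max_leases` are assumptions of the example rather than documented Vault rules, and the sample response is constructed.

```python
import json


def build_quota_payload(name, path, max_leases, role=None):
    """Return the JSON body for POST /v1/sys/quotas/lease-count/{name}.

    Only the fields shown on this page are used. The mount path is stored
    with a trailing slash (as the read output shows), so it is normalised
    here; the role key is emitted only when a role is given.
    """
    if not name or "/" in name:
        raise ValueError("quota name must be non-empty and contain no '/'")
    if not path.strip("/"):
        raise ValueError("this example only builds mount-scoped quotas")
    if not isinstance(max_leases, int) or max_leases < 1:
        raise ValueError("max_leases must be a positive integer (assumption)")
    payload = {"name": name, "path": path.strip("/") + "/",
               "max_leases": max_leases}
    if role:
        payload["role"] = role
    return payload


def lease_utilization(read_response, warn_at=0.8):
    """Report how close a quota is to its cap from a quota read response.

    Accepts the full API envelope (with a "data" key) or the bare data map
    that `vault read` prints. Returns (name, used fraction, warning flag).
    The warn_at threshold is an assumption of this example, not a Vault
    setting.
    """
    data = read_response.get("data", read_response)
    counter, max_leases = int(data["counter"]), int(data["max_leases"])
    used = counter / max_leases
    return data["name"], used, used >= warn_at


# Constructed sample: the webapp-tokens quota from this page with 85 leases
# in use (the request_id is a placeholder, not a real value).
SAMPLE_READ = {
    "request_id": "00000000-0000-0000-0000-000000000000",
    "data": {"counter": 85, "inheritable": False, "max_leases": 100,
             "name": "webapp-tokens", "path": "auth/approle/",
             "role": "webapp", "type": "lease-count"},
}

if __name__ == "__main__":
    # Emit payload.json content for the curl call in step 2, then check usage.
    print(json.dumps(build_quota_payload("webapp-tokens", "auth/approle", 100,
                                         role="webapp"), indent=2))
    print(lease_utilization(SAMPLE_READ))
```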

## Next steps

Proactive monitoring and periodic usage analysis can help you identify potential
problems before they escalate.

- Brush up on [Vault resource quotas](/vault/docs/concepts/resource-quotas) in general.
- Learn about [lease count quotas for Vault Enterprise](/vault/docs/enterprise/lease-count-quotas).
- Learn how to [query audit device logs](/vault/tutorials/monitoring/query-audit-device-logs).
- Review [key Vault metrics for common health checks](/well-architected-framework/reliability/reliability-vault-monitoring-key-metrics).