mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-22 23:21:08 +02:00
Code Issues Projects Releases Wiki Activity
vault/website/content/docs/commands/secrets/tune.mdx
Scott Miller 415d260995
Support trimming trailing slashes via a mount tuneable to support CMPv2 (#28752) 
* Support trimming trailing slashes via a mount tuneable to support CMPv2

* changelog/

* Perform trimming in handleLoginRequest too

* Eagerly fetch the mount entry so we only test this once

* Add a mount match function that gets path and entry

* Update vault/request_handling.go

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

* more docs

* Some patches (from ENT) didnt apply

* patch fail

* Update vault/router.go

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

* PR feedback

* dupe

* another dupe

* Add support for enabling trim_request_trailing_slashes on mount creation

* Fix read mount api returning configuration for trim_request_trailing_slashes

* Fix test assertion

* Switch enable and tune arguments to BoolPtrVal to allow end-users to specify false flag

* Add trim-request-trailing-slashes to the auth enable API and CLI

---------

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2024-10-24 10:47:17 -05:00

107 lines
4.6 KiB
Plaintext
Raw Blame History

---
layout: docs
page_title: secrets tune - Command
description: |-
The "secrets tune" command tunes the configuration options for the secrets engine at the given PATH.
---
# secrets tune
The `secrets tune` command tunes the configuration options for the secrets
engine at the given PATH. The argument corresponds to the PATH where the secrets
engine is enabled, not the type.
## Examples
Before tuning the secret mount, view the current configuration of the
mount enabled at "pki/":
```shell-session
$ vault read sys/mounts/pki/tune
Key Value
--- -----
default_lease_ttl 12h
description Example PKI mount
force_no_cache false
max_lease_ttl 24h
```
Tune the default lease, exclude `common_name` and `serial_number` from being HMAC'd in the audit log for the PKI secrets engine:
```shell-session
$ vault secrets tune -default-lease-ttl=18h -audit-non-hmac-request-keys=common_name -audit-non-hmac-response-keys=serial_number pki/
Success! Tuned the secrets engine at: pki/
$ vault read sys/mounts/pki/tune
Key Value
--- -----
audit_non_hmac_request_keys [common_name]
audit_non_hmac_response_keys [serial_number]
default_lease_ttl 18h
description Example PKI mount
force_no_cache false
max_lease_ttl 24h
```
Specify multiple audit non-hmac request keys:
```shell-session
$ vault secrets tune -audit-non-hmac-request-keys=common_name -audit-non-hmac-request-keys=ttl pki/
```
## Usage
The following flags are available in addition to the [standard set of
flags](/vault/docs/commands) included on all commands.
- `-allowed-response-headers` `(string: "")` - response header values that the
secrets engine will be allowed to set. Note that multiple keys may be
specified by providing this option multiple times, each time with 1 key.
- `-audit-non-hmac-request-keys` `(string: "")` - Key that will not be HMAC'd
by audit devices in the request data object. Note that multiple keys may be
specified by providing this option multiple times, each time with 1 key.
- `-audit-non-hmac-response-keys` `(string: "")` - Key that will not be HMAC'd
by audit devices in the response data object. Note that multiple keys may be
specified by providing this option multiple times, each time with 1 key.
- `-default-lease-ttl` `(duration: "")` - The default lease TTL for this secrets
engine. If unspecified, this defaults to the Vault server's globally
configured default lease TTL, or a previously configured value for the secrets
engine. Uses [duration format strings](/vault/docs/concepts/duration-format).
- `-description` `(string: "")` - Specifies the description of the mount.
This overrides the current stored value, if any.
- `-listing-visibility` `(string: "")` - The flag to toggle whether to show the
mount in the UI-specific listing endpoint. Valid values are `"unauth"` or `"hidden"`.
Passing empty string leaves the current setting unchanged.
- `-max-lease-ttl` `(duration: "")` - The maximum lease TTL for this secrets
engine. If unspecified, this defaults to the Vault server's globally
configured [maximum lease TTL](/vault/docs/configuration#max_lease_ttl), or a
previously configured value for the secrets engine. This value is allowed to
override the server's global max TTL; it can be longer or shorter.
Uses [duration format strings](/vault/docs/concepts/duration-format).
- `-passthrough-request-headers` `(string: "")` - request header values that will
be sent to the secrets engine. Note that multiple keys may be
specified by providing this option multiple times, each time with 1 key.
- `-allowed-managed-keys` `(string: "")` - Managed key name(s) that the mount
in question is allowed to access. Note that multiple keys may be specified
by providing this option multiple times, each time with 1 key.
- `-delegated-auth-accessors` `(string: "")` - An authorized accessor the auth
backend can delegate authentication to. To allow multiple accessors, provide
the `delegated-auth-accessors` multiple times, each time with 1 accessor.
- `-trim-request-trailing-slashes` `(bool: false)` - If true, requests to
this mount with trailing slashes will have those slashes trimmed.
Necessary for some standards based APIs handled by Vault.
- `-plugin-version` `(string: "")` - Configures the semantic version of the plugin
to use. The new version will not start running until the mount is
[reloaded](/vault/docs/commands/plugin/reload).
Reference in New Issue View Git Blame Copy Permalink