mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-18 12:37:02 +02:00
259cfbf618
* Add missing delegated_auth_accessors config field to /sys/mounts/<path> response - The field hadn't been properly populated in the JSON struct being returned through the API response, but had been properly set in the stored structs in the backend. - Add missing update to the command tune docs for the -delegated-auth-accessors option that existed - Add -delegated-auth-accessors to the secret enable vault command along with a docs update * Add cl * Fix documentation, using a comma separated list does not work * Apply suggestions from code review Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> * Drop plural on doc update --------- Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
103 lines
4.4 KiB
Plaintext
103 lines
4.4 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: secrets tune - Command
|
|
description: |-
|
|
The "secrets tune" command tunes the configuration options for the secrets engine at the given PATH.
|
|
---
|
|
|
|
# secrets tune
|
|
|
|
The `secrets tune` command tunes the configuration options for the secrets
|
|
engine at the given PATH. The argument corresponds to the PATH where the secrets
|
|
engine is enabled, not the type.
|
|
|
|
## Examples
|
|
|
|
Before tuning the secret mount, view the current configuration of the
|
|
mount enabled at "pki/":
|
|
|
|
```shell-session
|
|
$ vault read sys/mounts/pki/tune
|
|
Key Value
|
|
--- -----
|
|
default_lease_ttl 12h
|
|
description Example PKI mount
|
|
force_no_cache false
|
|
max_lease_ttl 24h
|
|
```
|
|
|
|
Tune the default lease, exclude `common_name` and `serial_number` from being HMAC'd in the audit log for the PKI secrets engine:
|
|
|
|
```shell-session
|
|
$ vault secrets tune -default-lease-ttl=18h -audit-non-hmac-request-keys=common_name -audit-non-hmac-response-keys=serial_number pki/
|
|
Success! Tuned the secrets engine at: pki/
|
|
|
|
$ vault read sys/mounts/pki/tune
|
|
Key Value
|
|
--- -----
|
|
audit_non_hmac_request_keys [common_name]
|
|
audit_non_hmac_response_keys [serial_number]
|
|
default_lease_ttl 18h
|
|
description Example PKI mount
|
|
force_no_cache false
|
|
max_lease_ttl 24h
|
|
```
|
|
|
|
Specify multiple audit non-hmac request keys:
|
|
|
|
```shell-session
|
|
$ vault secrets tune -audit-non-hmac-request-keys=common_name -audit-non-hmac-request-keys=ttl pki/
|
|
```
|
|
|
|
## Usage
|
|
|
|
The following flags are available in addition to the [standard set of
|
|
flags](/vault/docs/commands) included on all commands.
|
|
|
|
- `-allowed-response-headers` `(string: "")` - response header values that the
|
|
secrets engine will be allowed to set. Note that multiple keys may be
|
|
specified by providing this option multiple times, each time with 1 key.
|
|
|
|
- `-audit-non-hmac-request-keys` `(string: "")` - Key that will not be HMAC'd
|
|
by audit devices in the request data object. Note that multiple keys may be
|
|
specified by providing this option multiple times, each time with 1 key.
|
|
|
|
- `-audit-non-hmac-response-keys` `(string: "")` - Key that will not be HMAC'd
|
|
by audit devices in the response data object. Note that multiple keys may be
|
|
specified by providing this option multiple times, each time with 1 key.
|
|
|
|
- `-default-lease-ttl` `(duration: "")` - The default lease TTL for this secrets
|
|
engine. If unspecified, this defaults to the Vault server's globally
|
|
configured default lease TTL, or a previously configured value for the secrets
|
|
engine. Uses [duration format strings](/vault/docs/concepts/duration-format).
|
|
|
|
- `-description` `(string: "")` - Specifies the description of the mount.
|
|
This overrides the current stored value, if any.
|
|
|
|
- `-listing-visibility` `(string: "")` - The flag to toggle whether to show the
|
|
mount in the UI-specific listing endpoint. Valid values are `"unauth"` or `"hidden"`.
|
|
Passing empty string leaves the current setting unchanged.
|
|
|
|
- `-max-lease-ttl` `(duration: "")` - The maximum lease TTL for this secrets
|
|
engine. If unspecified, this defaults to the Vault server's globally
|
|
configured [maximum lease TTL](/vault/docs/configuration#max_lease_ttl), or a
|
|
previously configured value for the secrets engine. This value is allowed to
|
|
override the server's global max TTL; it can be longer or shorter.
|
|
Uses [duration format strings](/vault/docs/concepts/duration-format).
|
|
|
|
- `-passthrough-request-headers` `(string: "")` - request header values that will
|
|
be sent to the secrets engine. Note that multiple keys may be
|
|
specified by providing this option multiple times, each time with 1 key.
|
|
|
|
- `-allowed-managed-keys` `(string: "")` - Managed key name(s) that the mount
|
|
in question is allowed to access. Note that multiple keys may be specified
|
|
by providing this option multiple times, each time with 1 key.
|
|
|
|
- `-delegated-auth-accessors` `(string: "")` - An authorized accessor the auth
|
|
backend can delegate authentication to. To allow multiple accessors, provide
|
|
the `delegated-auth-accessors` multiple times, each time with 1 accessor.
|
|
|
|
- `-plugin-version` `(string: "")` - Configures the semantic version of the plugin
|
|
to use. The new version will not start running until the mount is
|
|
[reloaded](/vault/docs/commands/plugin/reload).
|