From 34365a93cdf322b36b78ee83227c95b99109b3d7 Mon Sep 17 00:00:00 2001
From: C0ffeeCode
Date: Wed, 10 Apr 2024 17:41:15 +0200
Subject: [PATCH] Update basic layout

---
 .gitignore | 2 +-
 Cargo.lock | 579 +-
 Cargo.toml | 9 +-
 crates/{rvault-api => auth-token}/Cargo.toml | 4 +-
 crates/auth-token/src/lib.rs | 14 +
 crates/backend-kv/Cargo.toml | 9 +
 crates/backend-kv/src/lib.rs | 14 +
 crates/base/Cargo.toml | 8 +
 crates/base/src/lib.rs | 14 +
 crates/rvault-api/src/main.rs | 3 -
 crates/server/Cargo.toml | 12 +
 crates/server/src/main.rs | 19 +
 crates/storage-sled/Cargo.toml | 11 +
 crates/storage-sled/src/lib.rs | 14 +
 openapi.json | 50539 +++++++++++++++++
 15 files changed, 51146 insertions(+), 105 deletions(-)
 rename crates/{rvault-api => auth-token}/Cargo.toml (75%)
 create mode 100644 crates/auth-token/src/lib.rs
 create mode 100644 crates/backend-kv/Cargo.toml
 create mode 100644 crates/backend-kv/src/lib.rs
 create mode 100644 crates/base/Cargo.toml
 create mode 100644 crates/base/src/lib.rs
 delete mode 100644 crates/rvault-api/src/main.rs
 create mode 100644 crates/server/Cargo.toml
 create mode 100644 crates/server/src/main.rs
 create mode 100644 crates/storage-sled/Cargo.toml
 create mode 100644 crates/storage-sled/src/lib.rs
 create mode 100644 openapi.json

diff --git a/.gitignore b/.gitignore
index 0a8a943..6d98420 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,4 +4,4 @@
 .idea/
 *.pdf
-.target/
+target/
diff --git a/Cargo.lock b/Cargo.lock
index a160e56..2aa06bc 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -18,27 +18,88 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe" [[package]] -name = "async-trait" -version = "0.1.78" +name = "aho-corasick" +version = "1.1.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "461abc97219de0eaaf81fe3ef974a540158f3d079c2ab200f891f1a2ef201e85" +checksum = "8e60d3430d3a69478ad0993f19238d2df97c507009a52b3c10addcd7f6bcb916" dependencies = [ - "proc-macro2", - "quote", - "syn", + "memchr", ] [[package]] -name = "autocfg" -version = "1.1.0" +name = "anstream" +version = "0.6.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa" +checksum = "d96bd03f33fe50a863e394ee9718a706f988b9079b20c3784fb726e7678b62fb" +dependencies = [ + "anstyle", + "anstyle-parse", + "anstyle-query", + "anstyle-wincon", + "colorchoice", + "utf8parse", +] + +[[package]] +name = "anstyle" +version = "1.0.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8901269c6307e8d93993578286ac0edf7f195079ffff5ebdeea6a59ffb7e36bc" + +[[package]] +name = "anstyle-parse" +version = "0.2.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c75ac65da39e5fe5ab759307499ddad880d724eed2f6ce5b5e8a26f4f387928c" +dependencies = [ + "utf8parse", +] + +[[package]] +name = "anstyle-query" +version = "1.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e28923312444cdd728e4738b3f9c9cac739500909bb3d3c94b43551b16517648" +dependencies = [ + "windows-sys 0.52.0", +] + +[[package]] +name = "anstyle-wincon" +version = "3.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1cd54b81ec8d6180e24654d0b371ad22fc3dd083b6ff8ba325b72e00c87660a7" +dependencies = [ + "anstyle", + "windows-sys 0.52.0", +] + +[[package]] +name = "async-trait" +version = "0.1.79" +source = 
"registry+https://github.com/rust-lang/crates.io-index" +checksum = "a507401cad91ec6a857ed5513a2073c82a9b9048762b885bb98655b306964681" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.58", +] + +[[package]] +name = "auth-token" +version = "0.1.0" + +[[package]] +name = "autocfg" +version = "1.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f1fdabc7756949593fe60f30ec81974b613357de856987752631dea1e3394c80" [[package]] name = "axum" -version = "0.7.4" +version = "0.7.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1236b4b292f6c4d6dc34604bb5120d85c3fe1d1aa596bd5cc52ca054d13e7b9e" +checksum = "3a6c9af12842a67734c9a2e355436e5d03b22383ed60cf13cd0c18fbfe3dcbcf" dependencies = [ "async-trait", "axum-core", @@ -60,7 +121,7 @@ dependencies = [ "serde_json", "serde_path_to_error", "serde_urlencoded", - "sync_wrapper", + "sync_wrapper 1.0.1", "tokio", "tower", "tower-layer", @@ -83,17 +144,24 @@ dependencies = [ "mime", "pin-project-lite", "rustversion", - "sync_wrapper", + "sync_wrapper 0.1.2", "tower-layer", "tower-service", "tracing", ] +[[package]] +name = "backend-kv" +version = "0.1.0" +dependencies = [ + "base", +] + [[package]] name = "backtrace" -version = "0.3.69" +version = "0.3.71" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2089b7e3f35b9dd2d0ed921ead4f6d318c27680d4a5bd167b3ee120edb105837" +checksum = "26b05800d2e817c8b3b4b54abd461726265fa9789ae34330622f2db9ee696f9d" dependencies = [ "addr2line", "cc", 
@@ -105,16 +173,32 @@ dependencies = [ ] [[package]] -name = "bytes" +name = "base" +version = "0.1.0" + +[[package]] +name = "bitflags" +version = "1.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" + +[[package]] +name = "byteorder" version = "1.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a2bd12c1caf447e69cd4528f47f94d203fd2582878ecb9e9465484c4148a8223" +checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b" + +[[package]] +name = "bytes" +version = "1.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "514de17de45fdb8dc022b1a7975556c53c86f9f0aa5f534b98977b171857c2c9" [[package]] name = "cc" -version = "1.0.90" +version = "1.0.92" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8cd6604a82acf3039f1144f54b8eb34e91ffba622051189e71b781822d5ee1f5" +checksum = "2678b2e3449475e95b0aa6f9b506a28e61b3dc8996592b983695e8ebb58a8b41" [[package]] name = "cfg-if" 
@@ -122,6 +206,59 @@ version = "1.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" +[[package]] +name = "colorchoice" +version = "1.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "acbf1af155f9b9ef647e42cdc158db4b64a1b61f743629225fde6f3e0be2a7c7" + +[[package]] +name = "crc32fast" +version = "1.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b3855a8a784b474f333699ef2bbca9db2c4a1f6d9088a90a2d25b1eb53111eaa" +dependencies = [ + "cfg-if", +] + +[[package]] +name = "crossbeam-epoch" +version = "0.9.18" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5b82ac4a3c2ca9c3460964f020e1402edd5753411d7737aa39c3714ad1b5420e" +dependencies = [ + "crossbeam-utils", +] + +[[package]] +name = "crossbeam-utils" +version = "0.8.19" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "248e3bacc7dc6baa3b21e405ee045c3047101a49145e7e9eca583ab4c2ca5345" + +[[package]] +name = "env_filter" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a009aa4810eb158359dda09d0c87378e4bbb89b5a801f016885a4707ba24f7ea" +dependencies = [ + "log", + "regex", +] + +[[package]] +name = "env_logger" +version = "0.11.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "38b35839ba51819680ba087cd351788c9a3c476841207e0b8cee0b04722343b9" +dependencies = [ + "anstream", + "anstyle", + "env_filter", + "humantime", + "log", +] + [[package]] name = "equivalent" version = "1.0.1" 
@@ -143,6 +280,16 @@ dependencies = [ "percent-encoding", ] +[[package]] +name = "fs2" +version = "0.4.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9564fc758e15025b46aa6643b1b77d047d1a56a1aea6e01002ac0c7026876213" +dependencies = [ + "libc", + "winapi", +] + [[package]] name = "futures-channel" version = "0.3.30" @@ -158,12 +305,6 @@ version = "0.3.30" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "dfc6580bb841c5a68e9ef15c77ccc837b40a7504914d52e47b8b0e9bbda25a1d" -[[package]] -name = "futures-sink" -version = "0.3.30" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9fb8e00e87438d937621c1c6269e53f536c14d3fbd6a042bb24879e57d474fb5" - [[package]] name = "futures-task" version = "0.3.30" 
@@ -182,37 +323,33 @@ dependencies = [ "pin-utils", ] +[[package]] +name = "fxhash" +version = "0.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c31b6d751ae2c7f11320402d34e41349dd1016f8d5d45e48c4312bc8625af50c" +dependencies = [ + "byteorder", +] + [[package]] name = "gimli" version = "0.28.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4271d37baee1b8c7e4b708028c57d816cf9d2434acb33a549475f78c181f6253" -[[package]] -name = "h2" -version = "0.4.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "51ee2dd2e4f378392eeff5d51618cd9a63166a2513846bbc55f21cfacd9199d4" -dependencies = [ - "bytes", - "fnv", - "futures-core", - "futures-sink", - "futures-util", - "http", - "indexmap", - "slab", - "tokio", - "tokio-util", - "tracing", -] - [[package]] name = "hashbrown" version = "0.14.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "290f1a1d9242c78d09ce40a5e87e7554ee637af1351968159f4952f028f75604" +[[package]] +name = "hermit-abi" +version = "0.3.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d231dfb89cfffdbc30e7fc41579ed6066ad03abda9e567ccafae602b97ec5024" + [[package]] name = "http" version = "1.1.0" @@ -259,6 +396,12 @@ version = "1.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "df3b46402a9d5adb4c86a0cf463f42e19994e3ee891101b1841f30a545cb49a9" +[[package]] +name = "humantime" +version = "2.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9a3a5bfb195931eeb336b2a7b4d761daec841b97f947d34394601737a7bba5e4" + [[package]] name = "hyper" version = "1.2.0" @@ -268,7 +411,6 @@ dependencies = [ "bytes", "futures-channel", "futures-util", - "h2", "http", "http-body", "httparse", 
@@ -297,19 +439,29 @@ dependencies = [ [[package]] name = "indexmap" -version = "2.2.5" +version = "2.2.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7b0b929d511467233429c45a44ac1dcaa21ba0f5ba11e4879e6ed28ddb4f9df4" +checksum = "168fb715dda47215e360912c096649d23d58bf392ac62f73919e831745e40f26" dependencies = [ "equivalent", "hashbrown", + "serde", +] + +[[package]] +name = "instant" +version = "0.1.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7a5bbe824c507c5da5956355e86a746d82e0e1464f65d862cc5e71da70e94b2c" +dependencies = [ + "cfg-if", ] [[package]] name = "itoa" -version = "1.0.10" +version = "1.0.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b1a46d1a171d865aa5f83f92695765caa047a9b4cbae2cbf37dbd613a793fd4c" +checksum = "49f1f14873335454500d59611f1cf4a4b0f786f9ac11f4312a78e4cf2566695b" [[package]] name = "libc" @@ -317,6 +469,16 @@ version = "0.2.153" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9c198f91728a82281a64e1f4f9eeb25d82cb32a5de251c6bd1b5154d63a8e7bd" +[[package]] +name = "lock_api" +version = "0.4.11" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3c168f8615b12bc01f9c17e2eb0cc07dcae1940121185446edc3744920e8ef45" +dependencies = [ + "autocfg", + "scopeguard", +] + [[package]] name = "log" version = "0.4.21" @@ -331,9 +493,9 @@ checksum = "0e7465ac9959cc2b1404e8e2367b43684a6d13790fe23056cc8c6c5a6b7bcb94" [[package]] name = "memchr" -version = "2.7.1" +version = "2.7.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "523dc4f511e55ab87b694dc30d0f820d60906ef06413f93d4d7a1385599cc149" +checksum = "6c8640c5d730cb13ebd907d8d04b52f55ac9a2eec55b440c8892f40d56c76c1d" [[package]] name = "mime" 
@@ -361,6 +523,16 @@ dependencies = [ "windows-sys 0.48.0", ] +[[package]] +name = "num_cpus" +version = "1.16.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4161fcb6d602d4d2081af7c3a45852d875a03dd337a6bfdd6e06407b61342a43" +dependencies = [ + "hermit-abi", + "libc", +] + [[package]] name = "object" version = "0.32.2" @@ -376,6 +548,54 @@ version = "1.19.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92" +[[package]] +name = "parking_lot" +version = "0.11.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7d17b78036a60663b797adeaee46f5c9dfebb86948d1255007a1d6be0271ff99" +dependencies = [ + "instant", + "lock_api", + "parking_lot_core 0.8.6", +] + +[[package]] +name = "parking_lot" +version = "0.12.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3742b2c103b9f06bc9fff0a37ff4912935851bee6d36f3c02bcc755bcfec228f" +dependencies = [ + "lock_api", + "parking_lot_core 0.9.9", +] + +[[package]] +name = "parking_lot_core" +version = "0.8.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "60a2cfe6f0ad2bfc16aefa463b497d5c7a5ecd44a23efa72aa342d90177356dc" +dependencies = [ + "cfg-if", + "instant", + "libc", + "redox_syscall 0.2.16", + "smallvec", + "winapi", +] + +[[package]] +name = "parking_lot_core" +version = "0.9.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4c42a9226546d68acdd9c0a280d17ce19bfe27a46bf68784e4066115788d008e" +dependencies = [ + "cfg-if", + "libc", + "redox_syscall 0.4.1", + "smallvec", + "windows-targets 0.48.5", +] + [[package]] name = "percent-encoding" version = "2.3.1" 
@@ -399,14 +619,14 @@ checksum = "2f38a4412a78282e09a2cf38d195ea5420d15ba0602cb375210efbc877243965" dependencies = [ "proc-macro2", "quote", - "syn", + "syn 2.0.58", ] [[package]] name = "pin-project-lite" -version = "0.2.13" +version = "0.2.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8afb450f006bf6385ca15ef45d71d2288452bc3683ce2e2cacc0d18e4be60b58" +checksum = "bda66fc9667c18cb2758a2ac84d1167245054bcf85d5d1aaa6923f45801bdd02" [[package]] name = "pin-utils" @@ -414,6 +634,30 @@ version = "0.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184" +[[package]] +name = "proc-macro-error" +version = "1.0.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "da25490ff9892aab3fcf7c36f08cfb902dd3e71ca0f9f9517bea02a73a5ce38c" +dependencies = [ + "proc-macro-error-attr", + "proc-macro2", + "quote", + "syn 1.0.109", + "version_check", +] + +[[package]] +name = "proc-macro-error-attr" +version = "1.0.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a1be40180e52ecc98ad80b184934baf3d0d29f979574e439af5a55274b35f869" +dependencies = [ + "proc-macro2", + "quote", + "version_check", +] + [[package]] name = "proc-macro2" version = "1.0.79" 
@@ -425,13 +669,60 @@ dependencies = [ [[package]] name = "quote" -version = "1.0.35" +version = "1.0.36" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "291ec9ab5efd934aaf503a6466c5d5251535d108ee747472c3977cc5acc868ef" +checksum = "0fa76aaf39101c457836aec0ce2316dbdc3ab723cdda1c6bd4e6ad4208acaca7" dependencies = [ "proc-macro2", ] +[[package]] +name = "redox_syscall" +version = "0.2.16" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fb5a58c1855b4b6819d59012155603f0b22ad30cad752600aadfcb695265519a" +dependencies = [ + "bitflags", +] + +[[package]] +name = "redox_syscall" +version = "0.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4722d768eff46b75989dd134e5c353f0d6296e5aaa3132e776cbdb56be7731aa" +dependencies = [ + "bitflags", +] + +[[package]] +name = "regex" +version = "1.10.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c117dbdfde9c8308975b6a18d71f3f385c89461f7b3fb054288ecf2a2058ba4c" +dependencies = [ + "aho-corasick", + "memchr", + "regex-automata", + "regex-syntax", +] + +[[package]] +name = "regex-automata" +version = "0.4.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "86b83b8b9847f9bf95ef68afb0b8e6cdb80f498442f5179a29fad448fcc1eaea" +dependencies = [ + "aho-corasick", + "memchr", + "regex-syntax", +] + +[[package]] +name = "regex-syntax" +version = "0.8.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "adad44e29e4c806119491a7f06f03de4d1af22c3a680dd47f1e6e179439d1f56" + [[package]] name = "rustc-demangle" version = "0.1.23" 
@@ -440,17 +731,9 @@ checksum = "d626bb9dae77e28219937af045c257c28bfd3f69333c512553507f5f9798cb76" [[package]] name = "rustversion" -version = "1.0.14" +version = "1.0.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7ffc183a10b4478d04cbbbfc96d0873219d962dd5accaff2ffbd4ceb7df837f4" - -[[package]] -name = "rvault-api" -version = "0.1.0" -dependencies = [ - "axum", - "tokio", -] +checksum = "80af6f9131f277a45a3fba6ce8e2258037bb0477a67e610d3c1fe046ab31de47" [[package]] name = "ryu" @@ -458,6 +741,12 @@ version = "1.0.17" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e86697c916019a8588c99b5fac3cead74ec0b4b819707a682fd4d23fa0ce1ba1" +[[package]] +name = "scopeguard" +version = "1.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49" + [[package]] name = "serde" version = "1.0.197" @@ -475,14 +764,14 @@ checksum = "7eb0b34b42edc17f6b7cac84a52a1c5f0e1bb2227e997ca9011ea3dd34e8610b" dependencies = [ "proc-macro2", "quote", - "syn", + "syn 2.0.58", ] [[package]] name = "serde_json" -version = "1.0.114" +version = "1.0.115" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c5f09b1bd632ef549eaa9f60a1f8de742bdbc698e6cee2095fc84dde5f549ae0" +checksum = "12dc5c46daa8e9fdf4f5e71b6cf9a53f2487da0e86e55808e2d35539666497dd" dependencies = [ "itoa", "ryu", 
@@ -512,19 +801,45 @@ dependencies = [ ] [[package]] -name = "slab" -version = "0.4.9" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8f92a496fb766b417c996b9c5e57daf2f7ad3b0bebe1ccfca4856390e3d3bb67" +name = "server" +version = "0.1.0" dependencies = [ - "autocfg", + "axum", + "env_logger", + "tokio", + "utoipa", +] + +[[package]] +name = "signal-hook-registry" +version = "1.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d8229b473baa5980ac72ef434c4415e70c4b5e71b423043adb4ba059f89c99a1" +dependencies = [ + "libc", +] + +[[package]] +name = "sled" +version = "0.34.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7f96b4737c2ce5987354855aed3797279def4ebf734436c6aa4552cf8e169935" +dependencies = [ + "crc32fast", + "crossbeam-epoch", + "crossbeam-utils", + "fs2", + "fxhash", + "libc", + "log", + "parking_lot 0.11.2", ] [[package]] name = "smallvec" -version = "1.13.1" +version = "1.13.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e6ecd384b10a64542d77071bd64bd7b231f4ed5940fba55e98c3de13824cf3d7" +checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" [[package]] name = "socket2" @@ -536,11 +851,29 @@ dependencies = [ "windows-sys 0.52.0", ] +[[package]] +name = "storage-sled" +version = "0.1.0" +dependencies = [ + "base", + "sled", +] + [[package]] name = "syn" -version = "2.0.53" +version = "1.0.109" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7383cd0e49fff4b6b90ca5670bfd3e9d6a733b3f90c686605aa7eec8c4996032" +checksum = "72b64191b275b66ffe2469e8af2c1cfe3bafa67b529ead792a6d0160888b4237" +dependencies = [ + "proc-macro2", + "unicode-ident", +] + +[[package]] +name = "syn" +version = "2.0.58" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "44cfb93f38070beee36b3fef7d4f5a16f27751d94b187b666a5cc5e9b0d30687" dependencies = [ "proc-macro2", "quote", 
@@ -554,16 +887,25 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2047c6ded9c721764247e62cd3b03c09ffc529b2ba5b10ec482ae507a4a70160" [[package]] -name = "tokio" -version = "1.36.0" +name = "sync_wrapper" +version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "61285f6515fa018fb2d1e46eb21223fff441ee8db5d0f1435e8ab4f5cdb80931" +checksum = "a7065abeca94b6a8a577f9bd45aa0867a2238b74e8eb67cf10d492bc39351394" + +[[package]] +name = "tokio" +version = "1.37.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1adbebffeca75fcfd058afa480fb6c0b81e165a0323f9c9d39c9697e37c46787" dependencies = [ "backtrace", "bytes", "libc", "mio", + "num_cpus", + "parking_lot 0.12.1", "pin-project-lite", + "signal-hook-registry", "socket2", "tokio-macros", "windows-sys 0.48.0", @@ -577,21 +919,7 @@ checksum = "5b8a1e28f2deaa14e508979454cb3a223b10b938b45af148bc0986de36f1923b" dependencies = [ "proc-macro2", "quote", - "syn", -] - -[[package]] -name = "tokio-util" -version = "0.7.10" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5419f34732d9eb6ee4c3578b7989078579b7f039cbbb9ca2c4da015749371e15" -dependencies = [ - "bytes", - "futures-core", - "futures-sink", - "pin-project-lite", - "tokio", - "tracing", + "syn 2.0.58", ] [[package]] 
@@ -648,12 +976,71 @@ version = "1.0.12" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3354b9ac3fae1ff6755cb6db53683adb661634f67557942dea4facebec0fee4b" +[[package]] +name = "utf8parse" +version = "0.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "711b9620af191e0cdc7468a8d14e709c3dcdb115b36f838e601583af800a370a" + +[[package]] +name = "utoipa" +version = "4.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "272ebdfbc99111033031d2f10e018836056e4d2c8e2acda76450ec7974269fa7" +dependencies = [ + "indexmap", + "serde", + "serde_json", + "utoipa-gen", +] + +[[package]] +name = "utoipa-gen" +version = "4.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d3c9f4d08338c1bfa70dde39412a040a884c6f318b3d09aaaf3437a1e52027fc" +dependencies = [ + "proc-macro-error", + "proc-macro2", + "quote", + "regex", + "syn 2.0.58", +] + +[[package]] +name = "version_check" +version = "0.9.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f" + [[package]] name = "wasi" version = "0.11.0+wasi-snapshot-preview1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423" +[[package]] +name = "winapi" +version = "0.3.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419" +dependencies = [ + "winapi-i686-pc-windows-gnu", + "winapi-x86_64-pc-windows-gnu", +] + +[[package]] +name = "winapi-i686-pc-windows-gnu" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6" + +[[package]] +name = "winapi-x86_64-pc-windows-gnu" +version = "0.4.0" +source = 
"registry+https://github.com/rust-lang/crates.io-index"
+checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
+
 [[package]]
 name = "windows-sys"
 version = "0.48.0"
diff --git a/Cargo.toml b/Cargo.toml
index 29cd6f8..db1aa65 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,5 +1,10 @@
 [workspace]
-
 members = ["crates/*"]
-default-members = ["crates/rvault-api"]
+default-members = ["crates/server"]
+
+[workspace.dependencies]
+log = "0.4.21"
+env_logger = "0.11.3"
+tokio = "1.37.0"
+axum = "0.7.5"
diff --git a/crates/rvault-api/Cargo.toml b/crates/auth-token/Cargo.toml
similarity index 75%
rename from crates/rvault-api/Cargo.toml
rename to crates/auth-token/Cargo.toml
index 21b67aa..425dcb1 100644
--- a/crates/rvault-api/Cargo.toml
+++ b/crates/auth-token/Cargo.toml
@@ -1,10 +1,8 @@
 [package]
-name = "rvault-api"
+name = "auth-token"
 version = "0.1.0"
 edition = "2021"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 [dependencies]
-axum = "0.7.4"
-tokio = "1.36.0"
diff --git a/crates/auth-token/src/lib.rs b/crates/auth-token/src/lib.rs
new file mode 100644
index 0000000..7d12d9a
--- /dev/null
+++ b/crates/auth-token/src/lib.rs
@@ -0,0 +1,14 @@
+pub fn add(left: usize, right: usize) -> usize {
+ left + right
+}
+
+#[cfg(test)]
+mod tests {
+ use super::*;
+
+ #[test]
+ fn it_works() {
+ let result = add(2, 2);
+ assert_eq!(result, 4);
+ }
+}
diff --git a/crates/backend-kv/Cargo.toml b/crates/backend-kv/Cargo.toml
new file mode 100644
index 0000000..28c0864
--- /dev/null
+++ b/crates/backend-kv/Cargo.toml
@@ -0,0 +1,9 @@
+[package]
+name = "backend-kv"
+version = "0.1.0"
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+base = { path = "../base" }
diff --git a/crates/backend-kv/src/lib.rs b/crates/backend-kv/src/lib.rs
new file mode 100644
index 0000000..7d12d9a
--- /dev/null
+++ b/crates/backend-kv/src/lib.rs
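Review bot: The new `[workspace.dependencies]` table only covers part of the workspace: `utoipa` in crates/server/Cargo.toml and `sled` in crates/storage-sled/Cargo.toml are still declared with per-crate versions, so those two can drift from the shared table the commit is introducing. Adding `utoipa = { version = "4.2.0", features = ["axum_extras"] }` and `sled = "0.34.7"` here (both values taken from the resolved Cargo.lock and the crate manifests in this patch) and referencing them with `{ workspace = true }` keeps every third-party version in one audited place. `log = "0.4.21"` is declared in the table but no crate in this patch depends on `log`; it should either be dropped or consumed by the server crate where logging is initialised.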
@@ -0,0 +1,14 @@
+pub fn add(left: usize, right: usize) -> usize {
+ left + right
+}
+
+#[cfg(test)]
+mod tests {
+ use super::*;
+
+ #[test]
+ fn it_works() {
+ let result = add(2, 2);
+ assert_eq!(result, 4);
+ }
+}
diff --git a/crates/base/Cargo.toml b/crates/base/Cargo.toml
new file mode 100644
index 0000000..6916ddc
--- /dev/null
+++ b/crates/base/Cargo.toml
@@ -0,0 +1,8 @@
+[package]
+name = "base"
+version = "0.1.0"
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
diff --git a/crates/base/src/lib.rs b/crates/base/src/lib.rs
new file mode 100644
index 0000000..7d12d9a
--- /dev/null
+++ b/crates/base/src/lib.rs
@@ -0,0 +1,14 @@
+pub fn add(left: usize, right: usize) -> usize {
+ left + right
+}
+
+#[cfg(test)]
+mod tests {
+ use super::*;
+
+ #[test]
+ fn it_works() {
+ let result = add(2, 2);
+ assert_eq!(result, 4);
+ }
+}
diff --git a/crates/rvault-api/src/main.rs b/crates/rvault-api/src/main.rs
deleted file mode 100644
index e7a11a9..0000000
--- a/crates/rvault-api/src/main.rs
+++ /dev/null
@@ -1,3 +0,0 @@
-fn main() {
- println!("Hello, world!");
-}
diff --git a/crates/server/Cargo.toml b/crates/server/Cargo.toml
new file mode 100644
index 0000000..c4f4be1
--- /dev/null
+++ b/crates/server/Cargo.toml
@@ -0,0 +1,12 @@
+[package]
+name = "server"
+version = "0.1.0"
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+env_logger = { workspace = true }
+tokio = { workspace = true, features=["full"] }
+axum = { workspace = true }
+utoipa = { version = "4", features = ["axum_extras"] }
diff --git a/crates/server/src/main.rs b/crates/server/src/main.rs
new file mode 100644
index 0000000..126575b
--- /dev/null
+++ b/crates/server/src/main.rs
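Review bot: `tokio = { workspace = true, features=["full"] }` in crates/server/Cargo.toml enables every tokio feature, while the accompanying main.rs only uses `#[tokio::main]` and `tokio::net::TcpListener`; `features = ["rt-multi-thread", "macros", "net"]` covers that and keeps the compiled and auditable surface to what the binary actually needs. `utoipa = { version = "4", ... }` is the one dependency here not routed through the workspace table and is looser than the exact versions pinned there; the lockfile in this patch resolves it to 4.2.0, so `"4.2.0"` would match the others. Style: `features=["full"]` omits the spaces around `=` that the `utoipa` line uses.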
@@ -0,0 +1,19 @@
+use axum::{routing::get, Router};
+
+#[tokio::main]
+async fn main() {
+ env_logger::init();
+
+ // build our application with a route
+ let app = Router::new()
+ .route("/", get(root));
+
+ // run our app with hyper, listening globally on port 3000
+ let listener = tokio::net::TcpListener::bind("[::1]:3000").await.unwrap();
+ axum::serve(listener, app).await.unwrap();
+}
+
+// basic handler that responds with a static string
+async fn root() -> &'static str {
+ "Hello, World!"
+}
diff --git a/crates/storage-sled/Cargo.toml b/crates/storage-sled/Cargo.toml
new file mode 100644
index 0000000..325169a
--- /dev/null
+++ b/crates/storage-sled/Cargo.toml
@@ -0,0 +1,11 @@
+[package]
+name = "storage-sled"
+version = "0.1.0"
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+base = { path = "../base" }
+
+sled = "0.34.7"
diff --git a/crates/storage-sled/src/lib.rs b/crates/storage-sled/src/lib.rs
new file mode 100644
index 0000000..7d12d9a
--- /dev/null
+++ b/crates/storage-sled/src/lib.rs
@@ -0,0 +1,14 @@
+pub fn add(left: usize, right: usize) -> usize {
+ left + right
+}
+
+#[cfg(test)]
+mod tests {
+ use super::*;
+
+ #[test]
+ fn it_works() {
+ let result = add(2, 2);
+ assert_eq!(result, 4);
+ }
+}
diff --git a/openapi.json b/openapi.json
new file mode 100644
index 0000000..accc85f
--- /dev/null
+++ b/openapi.json
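Review bot: The comment `// run our app with hyper, listening globally on port 3000` in crates/server/src/main.rs contradicts the line below it: `"[::1]:3000"` is the IPv6 loopback address, so the server is reachable only from the local host and not on IPv4 loopback at all. Loopback is the right default for a scaffold that has no authentication yet, so correct the comment rather than the address, e.g. `// run our app with hyper, listening on IPv6 loopback ([::1]) port 3000`, and make the bind address a configurable value before it is ever widened. The two `.unwrap()` calls on `bind` and `serve` abort with no context; `.expect("failed to bind [::1]:3000")` and `.expect("server error")` give an operator a usable message. `env_logger::init()` is set up but nothing logs the bound address, so the only way to learn where the process listens is to read the source; a `log::info!` after the bind would need `log` added to this crate's dependencies.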
@@ -0,0 +1,50539 @@ +{ + "openapi": "3.0.2", + "info": { + "title": "HashiCorp Vault API", + "description": "HTTP API that gives you full access to Vault. All API routes are prefixed with `/v1/`.", + "version": "1.15.0", + "license": { + "name": "Mozilla Public License 2.0", + "url": "https://www.mozilla.org/en-US/MPL/2.0" + } + }, + "paths": { + "/auth/token/accessors/": { + "description": "List token accessors, which can then be be used to iterate and discover their properties or revoke them. Because this can be used to cause a denial of service, this endpoint requires 'sudo' capability in addition to 'list'.", + "x-vault-sudo": true, + "get": { + "summary": "List token accessors, which can then be\nbe used to iterate and discover their properties\nor revoke them. Because this can be used to\ncause a denial of service, this endpoint\nrequires 'sudo' capability in addition to\n'list'.", + "operationId": "token-list-accessors", + "tags": [ + "auth" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/auth/token/create": { + "description": "The token create path is used to create new tokens.", + "post": { + "summary": "The token create path is used to create new tokens.", + "operationId": "token-create", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TokenCreateRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/token/create-orphan": { + "description": "The token create path is used to create new orphan tokens.", + "post": { + "summary": "The token create path is used to create new orphan 
tokens.", + "operationId": "token-create-orphan", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TokenCreateOrphanRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/token/create/{role_name}": { + "description": "This token create path is used to create new tokens adhering to the given role.", + "parameters": [ + { + "name": "role_name", + "description": "Name of the role", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "post": { + "summary": "This token create path is used to create new tokens adhering to the given role.", + "operationId": "token-create-against-role", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TokenCreateAgainstRoleRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/token/lookup": { + "description": "This endpoint will lookup a token and its properties.", + "get": { + "operationId": "token-look-up-2", + "tags": [ + "auth" + ], + "parameters": [ + { + "name": "token", + "description": "Token to lookup", + "in": "query", + "schema": { + "type": "string" + } + } + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "token-look-up", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TokenLookUpRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/token/lookup-accessor": { + "description": "This endpoint will lookup a token associated with the given accessor and its properties. 
Response will not contain the token ID.", + "post": { + "summary": "This endpoint will lookup a token associated with the given accessor and its properties. Response will not contain the token ID.", + "operationId": "token-look-up-accessor", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TokenLookUpAccessorRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/token/lookup-self": { + "description": "This endpoint will lookup a token and its properties.", + "get": { + "operationId": "token-look-up-self", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "token-look-up-self2", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TokenLookUpSelf2Request" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/token/renew": { + "description": "This endpoint will renew the given token and prevent expiration.", + "post": { + "summary": "This endpoint will renew the given token and prevent expiration.", + "operationId": "token-renew", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TokenRenewRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/token/renew-accessor": { + "description": "This endpoint will renew a token associated with the given accessor and its properties. Response will not contain the token ID.", + "post": { + "summary": "This endpoint will renew a token associated with the given accessor and its properties. 
Response will not contain the token ID.", + "operationId": "token-renew-accessor", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TokenRenewAccessorRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/token/renew-self": { + "description": "This endpoint will renew the token used to call it and prevent expiration.", + "post": { + "summary": "This endpoint will renew the token used to call it and prevent expiration.", + "operationId": "token-renew-self", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TokenRenewSelfRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/token/revoke": { + "description": "This endpoint will delete the given token and all of its child tokens.", + "post": { + "summary": "This endpoint will delete the given token and all of its child tokens.", + "operationId": "token-revoke", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TokenRevokeRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/token/revoke-accessor": { + "description": "This endpoint will delete the token associated with the accessor and all of its child tokens.", + "post": { + "summary": "This endpoint will delete the token associated with the accessor and all of its child tokens.", + "operationId": "token-revoke-accessor", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TokenRevokeAccessorRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/token/revoke-orphan": { + "description": "This 
endpoint will delete the token and orphan its child tokens.", + "x-vault-sudo": true, + "post": { + "summary": "This endpoint will delete the token and orphan its child tokens.", + "operationId": "token-revoke-orphan", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TokenRevokeOrphanRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/token/revoke-self": { + "description": "This endpoint will delete the token used to call it and all of its child tokens.", + "post": { + "summary": "This endpoint will delete the token used to call it and all of its child tokens.", + "operationId": "token-revoke-self", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/token/roles/": { + "description": "This endpoint lists configured roles.", + "get": { + "summary": "This endpoint lists configured roles.", + "operationId": "token-list-roles", + "tags": [ + "auth" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/auth/token/roles/{role_name}": { + "parameters": [ + { + "name": "role_name", + "description": "Name of the role", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "operationId": "token-read-role", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "token-write-role", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": 
"#/components/schemas/TokenWriteRoleRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "token-delete-role", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/auth/token/tidy": { + "description": "This endpoint performs cleanup tasks that can be run if certain error conditions have occurred.", + "post": { + "summary": "This endpoint performs cleanup tasks that can be run if certain error\nconditions have occurred.", + "operationId": "token-tidy", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{alicloud_mount_path}/login": { + "description": "Authenticates an RAM entity with Vault.", + "parameters": [ + { + "name": "alicloud_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "alicloud" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "summary": "Authenticates an RAM entity with Vault.", + "operationId": "ali-cloud-login", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AliCloudLoginRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{alicloud_mount_path}/role/": { + "description": "Lists all the roles that are registered with Vault.", + "parameters": [ + { + "name": "alicloud_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "alicloud" + }, + "required": true + } + ], + "get": { + "summary": "Lists all the roles that are registered with Vault.", + "operationId": "ali-cloud-list-auth-roles", + "tags": [ + "auth" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + 
"enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/auth/{alicloud_mount_path}/role/{role}": { + "description": "Create a role and associate policies to it.", + "parameters": [ + { + "name": "role", + "description": "The name of the role as it should appear in Vault.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "alicloud_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "alicloud" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "summary": "Create a role and associate policies to it.", + "operationId": "ali-cloud-read-auth-role", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "Create a role and associate policies to it.", + "operationId": "ali-cloud-write-auth-role", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AliCloudWriteAuthRoleRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Create a role and associate policies to it.", + "operationId": "ali-cloud-delete-auth-role", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/auth/{alicloud_mount_path}/roles/": { + "description": "Lists all the roles that are registered with Vault.", + "parameters": [ + { + "name": "alicloud_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "alicloud" + }, + "required": true + } + ], + "get": { + "summary": "Lists all the roles that are registered with Vault.", + 
"operationId": "ali-cloud-list-auth-roles2", + "tags": [ + "auth" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/auth/{approle_mount_path}/login": { + "description": "Issue a token based on the credentials supplied", + "parameters": [ + { + "name": "approle_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "approle" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "app-role-login", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleLoginRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{approle_mount_path}/role/": { + "description": "Lists all the roles registered with the backend.", + "parameters": [ + { + "name": "approle_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "approle" + }, + "required": true + } + ], + "get": { + "operationId": "app-role-list-roles", + "tags": [ + "auth" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/auth/{approle_mount_path}/role/{role_name}": { + "description": "Register an role with the backend.", + 
"parameters": [ + { + "name": "role_name", + "description": "Name of the role. Must be less than 4096 bytes.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "approle_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "approle" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "operationId": "app-role-read-role", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleReadRoleResponse" + } + } + } + } + } + }, + "post": { + "operationId": "app-role-write-role", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleWriteRoleRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "app-role-delete-role", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "No Content" + } + } + } + }, + "/auth/{approle_mount_path}/role/{role_name}/bind-secret-id": { + "description": "Impose secret_id to be presented during login using this role.", + "parameters": [ + { + "name": "role_name", + "description": "Name of the role. 
Must be less than 4096 bytes.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "approle_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "approle" + }, + "required": true + } + ], + "get": { + "operationId": "app-role-read-bind-secret-id", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleReadBindSecretIdResponse" + } + } + } + } + } + }, + "post": { + "operationId": "app-role-write-bind-secret-id", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleWriteBindSecretIdRequest" + } + } + } + }, + "responses": { + "204": { + "description": "No Content" + } + } + }, + "delete": { + "operationId": "app-role-delete-bind-secret-id", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "No Content" + } + } + } + }, + "/auth/{approle_mount_path}/role/{role_name}/bound-cidr-list": { + "description": "Deprecated: Comma separated list of CIDR blocks, if set, specifies blocks of IP addresses which can perform the login operation", + "parameters": [ + { + "name": "role_name", + "description": "Name of the role. 
Must be less than 4096 bytes.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "approle_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "approle" + }, + "required": true + } + ], + "get": { + "operationId": "app-role-read-bound-cidr-list", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleReadBoundCidrListResponse" + } + } + } + } + } + }, + "post": { + "operationId": "app-role-write-bound-cidr-list", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleWriteBoundCidrListRequest" + } + } + } + }, + "responses": { + "204": { + "description": "No Content" + } + } + }, + "delete": { + "operationId": "app-role-delete-bound-cidr-list", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "No Content" + } + } + } + }, + "/auth/{approle_mount_path}/role/{role_name}/custom-secret-id": { + "description": "Assign a SecretID of choice against the role.", + "parameters": [ + { + "name": "role_name", + "description": "Name of the role. 
Must be less than 4096 bytes.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "approle_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "approle" + }, + "required": true + } + ], + "post": { + "operationId": "app-role-write-custom-secret-id", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleWriteCustomSecretIdRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleWriteCustomSecretIdResponse" + } + } + } + } + } + } + }, + "/auth/{approle_mount_path}/role/{role_name}/local-secret-ids": { + "description": "Enables cluster local secret IDs", + "parameters": [ + { + "name": "role_name", + "description": "Name of the role. Must be less than 4096 bytes.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "approle_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "approle" + }, + "required": true + } + ], + "get": { + "operationId": "app-role-read-local-secret-ids", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleReadLocalSecretIdsResponse" + } + } + } + } + } + } + }, + "/auth/{approle_mount_path}/role/{role_name}/period": { + "description": "Updates the value of 'period' on the role", + "parameters": [ + { + "name": "role_name", + "description": "Name of the role. 
Must be less than 4096 bytes.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "approle_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "approle" + }, + "required": true + } + ], + "get": { + "operationId": "app-role-read-period", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleReadPeriodResponse" + } + } + } + } + } + }, + "post": { + "operationId": "app-role-write-period", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleWritePeriodRequest" + } + } + } + }, + "responses": { + "204": { + "description": "No Content" + } + } + }, + "delete": { + "operationId": "app-role-delete-period", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "No Content" + } + } + } + }, + "/auth/{approle_mount_path}/role/{role_name}/policies": { + "description": "Policies of the role.", + "parameters": [ + { + "name": "role_name", + "description": "Name of the role. 
Must be less than 4096 bytes.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "approle_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "approle" + }, + "required": true + } + ], + "get": { + "operationId": "app-role-read-policies", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleReadPoliciesResponse" + } + } + } + } + } + }, + "post": { + "operationId": "app-role-write-policies", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleWritePoliciesRequest" + } + } + } + }, + "responses": { + "204": { + "description": "No Content" + } + } + }, + "delete": { + "operationId": "app-role-delete-policies", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "No Content" + } + } + } + }, + "/auth/{approle_mount_path}/role/{role_name}/role-id": { + "description": "Returns the 'role_id' of the role.", + "parameters": [ + { + "name": "role_name", + "description": "Name of the role. 
Must be less than 4096 bytes.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "approle_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "approle" + }, + "required": true + } + ], + "get": { + "operationId": "app-role-read-role-id", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleReadRoleIdResponse" + } + } + } + } + } + }, + "post": { + "operationId": "app-role-write-role-id", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleWriteRoleIdRequest" + } + } + } + }, + "responses": { + "204": { + "description": "No Content" + } + } + } + }, + "/auth/{approle_mount_path}/role/{role_name}/secret-id": { + "description": "Generate a SecretID against this role.", + "parameters": [ + { + "name": "role_name", + "description": "Name of the role. 
Must be less than 4096 bytes.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "approle_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "approle" + }, + "required": true + } + ], + "post": { + "operationId": "app-role-write-secret-id", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleWriteSecretIdRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleWriteSecretIdResponse" + } + } + } + } + } + } + }, + "/auth/{approle_mount_path}/role/{role_name}/secret-id-accessor/destroy": { + "parameters": [ + { + "name": "role_name", + "description": "Name of the role. Must be less than 4096 bytes.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "approle_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "approle" + }, + "required": true + } + ], + "post": { + "operationId": "app-role-destroy-secret-id-by-accessor", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleDestroySecretIdByAccessorRequest" + } + } + } + }, + "responses": { + "204": { + "description": "No Content" + } + } + }, + "delete": { + "operationId": "app-role-destroy-secret-id-by-accessor2", + "tags": [ + "auth" + ], + "parameters": [ + { + "name": "secret_id_accessor", + "description": "Accessor of the SecretID", + "in": "query", + "schema": { + "type": "string" + } + } + ], + "responses": { + "204": { + "description": "No Content" + } + } + } + }, + "/auth/{approle_mount_path}/role/{role_name}/secret-id-accessor/lookup": { + 
"parameters": [ + { + "name": "role_name", + "description": "Name of the role. Must be less than 4096 bytes.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "approle_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "approle" + }, + "required": true + } + ], + "post": { + "operationId": "app-role-look-up-secret-id-by-accessor", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleLookUpSecretIdByAccessorRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleLookUpSecretIdByAccessorResponse" + } + } + } + } + } + } + }, + "/auth/{approle_mount_path}/role/{role_name}/secret-id-bound-cidrs": { + "description": "Comma separated list of CIDR blocks, if set, specifies blocks of IP addresses which can perform the login operation", + "parameters": [ + { + "name": "role_name", + "description": "Name of the role. 
Must be less than 4096 bytes.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "approle_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "approle" + }, + "required": true + } + ], + "get": { + "operationId": "app-role-read-secret-id-bound-cidrs", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleReadSecretIdBoundCidrsResponse" + } + } + } + } + } + }, + "post": { + "operationId": "app-role-write-secret-id-bound-cidrs", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleWriteSecretIdBoundCidrsRequest" + } + } + } + }, + "responses": { + "204": { + "description": "No Content" + } + } + }, + "delete": { + "operationId": "app-role-delete-secret-id-bound-cidrs", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "No Content" + } + } + } + }, + "/auth/{approle_mount_path}/role/{role_name}/secret-id-num-uses": { + "description": "Use limit of the SecretID generated against the role.", + "parameters": [ + { + "name": "role_name", + "description": "Name of the role. 
Must be less than 4096 bytes.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "approle_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "approle" + }, + "required": true + } + ], + "get": { + "operationId": "app-role-read-secret-id-num-uses", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleReadSecretIdNumUsesResponse" + } + } + } + } + } + }, + "post": { + "operationId": "app-role-write-secret-id-num-uses", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleWriteSecretIdNumUsesRequest" + } + } + } + }, + "responses": { + "204": { + "description": "No Content" + } + } + }, + "delete": { + "operationId": "app-role-delete-secret-id-num-uses", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "No Content" + } + } + } + }, + "/auth/{approle_mount_path}/role/{role_name}/secret-id-ttl": { + "description": "Duration in seconds of the SecretID generated against the role.", + "parameters": [ + { + "name": "role_name", + "description": "Name of the role. 
Must be less than 4096 bytes.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "approle_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "approle" + }, + "required": true + } + ], + "get": { + "operationId": "app-role-read-secret-id-ttl", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleReadSecretIdTtlResponse" + } + } + } + } + } + }, + "post": { + "operationId": "app-role-write-secret-id-ttl", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleWriteSecretIdTtlRequest" + } + } + } + }, + "responses": { + "204": { + "description": "No Content" + } + } + }, + "delete": { + "operationId": "app-role-delete-secret-id-ttl", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "No Content" + } + } + } + }, + "/auth/{approle_mount_path}/role/{role_name}/secret-id/": { + "description": "Generate a SecretID against this role.", + "parameters": [ + { + "name": "role_name", + "description": "Name of the role. 
Must be less than 4096 bytes.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "approle_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "approle" + }, + "required": true + } + ], + "get": { + "operationId": "app-role-list-secret-ids", + "tags": [ + "auth" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/auth/{approle_mount_path}/role/{role_name}/secret-id/destroy": { + "description": "Invalidate an issued secret_id", + "parameters": [ + { + "name": "role_name", + "description": "Name of the role. Must be less than 4096 bytes.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "approle_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "approle" + }, + "required": true + } + ], + "post": { + "operationId": "app-role-destroy-secret-id", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleDestroySecretIdRequest" + } + } + } + }, + "responses": { + "204": { + "description": "No Content" + } + } + }, + "delete": { + "operationId": "app-role-destroy-secret-id2", + "tags": [ + "auth" + ], + "parameters": [ + { + "name": "secret_id", + "description": "SecretID attached to the role.", + "in": "query", + "schema": { + "type": "string" + } + } + ], + "responses": { + "204": { + "description": "No Content" + } + } + } + }, + "/auth/{approle_mount_path}/role/{role_name}/secret-id/lookup": { + 
"description": "Read the properties of an issued secret_id", + "parameters": [ + { + "name": "role_name", + "description": "Name of the role. Must be less than 4096 bytes.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "approle_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "approle" + }, + "required": true + } + ], + "post": { + "operationId": "app-role-look-up-secret-id", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleLookUpSecretIdRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleLookUpSecretIdResponse" + } + } + } + } + } + } + }, + "/auth/{approle_mount_path}/role/{role_name}/token-bound-cidrs": { + "description": "Comma separated string or list of CIDR blocks. If set, specifies the blocks of IP addresses which can use the returned token.", + "parameters": [ + { + "name": "role_name", + "description": "Name of the role. 
Must be less than 4096 bytes.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "approle_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "approle" + }, + "required": true + } + ], + "get": { + "operationId": "app-role-read-token-bound-cidrs", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleReadTokenBoundCidrsResponse" + } + } + } + } + } + }, + "post": { + "operationId": "app-role-write-token-bound-cidrs", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleWriteTokenBoundCidrsRequest" + } + } + } + }, + "responses": { + "204": { + "description": "No Content" + } + } + }, + "delete": { + "operationId": "app-role-delete-token-bound-cidrs", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "No Content" + } + } + } + }, + "/auth/{approle_mount_path}/role/{role_name}/token-max-ttl": { + "description": "Duration in seconds, the maximum lifetime of the tokens issued by using the SecretIDs that were generated against this role, after which the tokens are not allowed to be renewed.", + "parameters": [ + { + "name": "role_name", + "description": "Name of the role. 
Must be less than 4096 bytes.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "approle_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "approle" + }, + "required": true + } + ], + "get": { + "operationId": "app-role-read-token-max-ttl", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleReadTokenMaxTtlResponse" + } + } + } + } + } + }, + "post": { + "operationId": "app-role-write-token-max-ttl", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleWriteTokenMaxTtlRequest" + } + } + } + }, + "responses": { + "204": { + "description": "No Content" + } + } + }, + "delete": { + "operationId": "app-role-delete-token-max-ttl", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "No Content" + } + } + } + }, + "/auth/{approle_mount_path}/role/{role_name}/token-num-uses": { + "description": "Number of times issued tokens can be used", + "parameters": [ + { + "name": "role_name", + "description": "Name of the role. 
Must be less than 4096 bytes.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "approle_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "approle" + }, + "required": true + } + ], + "get": { + "operationId": "app-role-read-token-num-uses", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleReadTokenNumUsesResponse" + } + } + } + } + } + }, + "post": { + "operationId": "app-role-write-token-num-uses", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleWriteTokenNumUsesRequest" + } + } + } + }, + "responses": { + "204": { + "description": "No Content" + } + } + }, + "delete": { + "operationId": "app-role-delete-token-num-uses", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "No Content" + } + } + } + }, + "/auth/{approle_mount_path}/role/{role_name}/token-ttl": { + "description": "Duration in seconds, the lifetime of the token issued by using the SecretID that is generated against this role, before which the token needs to be renewed.", + "parameters": [ + { + "name": "role_name", + "description": "Name of the role. 
Must be less than 4096 bytes.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "approle_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "approle" + }, + "required": true + } + ], + "get": { + "operationId": "app-role-read-token-ttl", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleReadTokenTtlResponse" + } + } + } + } + } + }, + "post": { + "operationId": "app-role-write-token-ttl", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AppRoleWriteTokenTtlRequest" + } + } + } + }, + "responses": { + "204": { + "description": "No Content" + } + } + }, + "delete": { + "operationId": "app-role-delete-token-ttl", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "No Content" + } + } + } + }, + "/auth/{approle_mount_path}/tidy/secret-id": { + "description": "Trigger the clean-up of expired SecretID entries.", + "parameters": [ + { + "name": "approle_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "approle" + }, + "required": true + } + ], + "post": { + "operationId": "app-role-tidy-secret-id", + "tags": [ + "auth" + ], + "responses": { + "202": { + "description": "Accepted" + } + } + } + }, + "/auth/{aws_mount_path}/config/certificate/{cert_name}": { + "description": "Adds the AWS Public Key that is used to verify the PKCS#7 signature of the identity document.", + "parameters": [ + { + "name": "cert_name", + "description": "Name of the certificate.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "aws_mount_path", + "description": "Path that the backend was mounted at", + "in": 
"path", + "schema": { + "type": "string", + "default": "aws" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "operationId": "aws-read-certificate-configuration", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "aws-configure-certificate", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AwsConfigureCertificateRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "aws-delete-certificate-configuration", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/auth/{aws_mount_path}/config/certificates/": { + "description": "Lists all the AWS public certificates that are registered with the backend.", + "parameters": [ + { + "name": "aws_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "aws" + }, + "required": true + } + ], + "get": { + "operationId": "aws-list-certificate-configurations", + "tags": [ + "auth" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/auth/{aws_mount_path}/config/client": { + "description": "Configure AWS IAM credentials that are used to query instance and role details from the AWS API.", + "parameters": [ + { + "name": "aws_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "aws" + }, + "required": true + } + ], + 
"x-vault-createSupported": true, + "get": { + "operationId": "aws-read-client-configuration", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "aws-configure-client", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AwsConfigureClientRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "aws-delete-client-configuration", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/auth/{aws_mount_path}/config/identity": { + "description": "Configure the way the AWS auth method interacts with the identity store", + "parameters": [ + { + "name": "aws_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "aws" + }, + "required": true + } + ], + "get": { + "operationId": "aws-read-identity-integration-configuration", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "aws-configure-identity-integration", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AwsConfigureIdentityIntegrationRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{aws_mount_path}/config/rotate-root": { + "description": "Request to rotate the AWS credentials used by Vault", + "parameters": [ + { + "name": "aws_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "aws" + }, + "required": true + } + ], + "post": { + "operationId": "aws-rotate-root-credentials", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + 
"/auth/{aws_mount_path}/config/sts/": { + "description": "List all the AWS account/STS role relationships registered with Vault.", + "parameters": [ + { + "name": "aws_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "aws" + }, + "required": true + } + ], + "get": { + "operationId": "aws-list-sts-role-relationships", + "tags": [ + "auth" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/auth/{aws_mount_path}/config/sts/{account_id}": { + "description": "Specify STS roles to be assumed for certain AWS accounts.", + "parameters": [ + { + "name": "account_id", + "description": "AWS account ID to be associated with STS role. 
If set, Vault will use assumed credentials to verify any login attempts from EC2 instances in this account.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "aws_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "aws" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "operationId": "aws-read-sts-role", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "aws-write-sts-role", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AwsWriteStsRoleRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "aws-delete-sts-role", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/auth/{aws_mount_path}/config/tidy/identity-accesslist": { + "description": "Configures the periodic tidying operation of the access list identity entries.", + "parameters": [ + { + "name": "aws_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "aws" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "operationId": "aws-read-identity-access-list-tidy-settings", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "aws-configure-identity-access-list-tidy-operation", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AwsConfigureIdentityAccessListTidyOperationRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": 
"aws-delete-identity-access-list-tidy-settings", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/auth/{aws_mount_path}/config/tidy/identity-whitelist": { + "description": "Configures the periodic tidying operation of the access list identity entries.", + "parameters": [ + { + "name": "aws_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "aws" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "operationId": "aws-read-identity-whitelist-tidy-settings", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "aws-configure-identity-whitelist-tidy-operation", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AwsConfigureIdentityWhitelistTidyOperationRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "aws-delete-identity-whitelist-tidy-settings", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/auth/{aws_mount_path}/config/tidy/roletag-blacklist": { + "description": "Configures the periodic tidying operation of the deny listed role tag entries.", + "parameters": [ + { + "name": "aws_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "aws" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "operationId": "aws-read-role-tag-blacklist-tidy-settings", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "aws-configure-role-tag-blacklist-tidy-operation", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + 
"application/json": { + "schema": { + "$ref": "#/components/schemas/AwsConfigureRoleTagBlacklistTidyOperationRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "aws-delete-role-tag-blacklist-tidy-settings", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/auth/{aws_mount_path}/config/tidy/roletag-denylist": { + "description": "Configures the periodic tidying operation of the deny listed role tag entries.", + "parameters": [ + { + "name": "aws_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "aws" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "operationId": "aws-read-role-tag-deny-list-tidy-settings", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "aws-configure-role-tag-deny-list-tidy-operation", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AwsConfigureRoleTagDenyListTidyOperationRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "aws-delete-role-tag-deny-list-tidy-settings", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/auth/{aws_mount_path}/identity-accesslist/": { + "description": "Lists the items present in the identity access list.", + "parameters": [ + { + "name": "aws_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "aws" + }, + "required": true + } + ], + "get": { + "operationId": "aws-list-identity-access-list", + "tags": [ + "auth" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + 
"schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/auth/{aws_mount_path}/identity-accesslist/{instance_id}": { + "description": "Read or delete entries in the identity access list.", + "parameters": [ + { + "name": "instance_id", + "description": "EC2 instance ID. A successful login operation from an EC2 instance gets cached in this accesslist, keyed off of instance ID.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "aws_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "aws" + }, + "required": true + } + ], + "get": { + "operationId": "aws-read-identity-access-list", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "aws-delete-identity-access-list", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/auth/{aws_mount_path}/identity-whitelist/": { + "description": "Lists the items present in the identity access list.", + "parameters": [ + { + "name": "aws_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "aws" + }, + "required": true + } + ], + "get": { + "operationId": "aws-list-identity-whitelist", + "tags": [ + "auth" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + 
"/auth/{aws_mount_path}/identity-whitelist/{instance_id}": { + "description": "Read or delete entries in the identity access list.", + "parameters": [ + { + "name": "instance_id", + "description": "EC2 instance ID. A successful login operation from an EC2 instance gets cached in this accesslist, keyed off of instance ID.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "aws_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "aws" + }, + "required": true + } + ], + "get": { + "operationId": "aws-read-identity-whitelist", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "aws-delete-identity-whitelist", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/auth/{aws_mount_path}/login": { + "description": "Authenticates an EC2 instance with Vault.", + "parameters": [ + { + "name": "aws_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "aws" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "aws-login", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AwsLoginRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{aws_mount_path}/role/": { + "description": "Lists all the roles that are registered with Vault.", + "parameters": [ + { + "name": "aws_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "aws" + }, + "required": true + } + ], + "get": { + "operationId": "aws-list-auth-roles", + "tags": [ + "auth" + ], + "parameters": [ + { + "name": "list", + "description": "Must 
be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/auth/{aws_mount_path}/role/{role}": { + "description": "Create a role and associate policies to it.", + "parameters": [ + { + "name": "role", + "description": "Name of the role.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "aws_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "aws" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "operationId": "aws-read-auth-role", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "aws-write-auth-role", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AwsWriteAuthRoleRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "aws-delete-auth-role", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/auth/{aws_mount_path}/role/{role}/tag": { + "description": "Create a tag on a role in order to be able to further restrict the capabilities of a role.", + "parameters": [ + { + "name": "role", + "description": "Name of the role.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "aws_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "aws" + }, + "required": true + } + ], + "post": { + "operationId": "aws-write-role-tag", + "tags": [ + "auth" + ], + 
"requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AwsWriteRoleTagRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{aws_mount_path}/roles/": { + "description": "Lists all the roles that are registered with Vault.", + "parameters": [ + { + "name": "aws_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "aws" + }, + "required": true + } + ], + "get": { + "operationId": "aws-list-auth-roles2", + "tags": [ + "auth" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/auth/{aws_mount_path}/roletag-blacklist/": { + "description": "Lists the deny list role tags.", + "parameters": [ + { + "name": "aws_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "aws" + }, + "required": true + } + ], + "get": { + "operationId": "aws-list-role-tag-blacklists", + "tags": [ + "auth" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/auth/{aws_mount_path}/roletag-blacklist/{role_tag}": { + "description": "Blacklist a previously created role tag.", + "parameters": [ + { + "name": "role_tag", + "description": "Role tag to be deny listed. 
The tag can be supplied as-is. In order to avoid any encoding problems, it can be base64 encoded.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "aws_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "aws" + }, + "required": true + } + ], + "get": { + "operationId": "aws-read-role-tag-blacklist", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "aws-write-role-tag-blacklist", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "aws-delete-role-tag-blacklist", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/auth/{aws_mount_path}/roletag-denylist/": { + "description": "Lists the deny list role tags.", + "parameters": [ + { + "name": "aws_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "aws" + }, + "required": true + } + ], + "get": { + "operationId": "aws-list-role-tag-deny-lists", + "tags": [ + "auth" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/auth/{aws_mount_path}/roletag-denylist/{role_tag}": { + "description": "Blacklist a previously created role tag.", + "parameters": [ + { + "name": "role_tag", + "description": "Role tag to be deny listed. The tag can be supplied as-is. 
In order to avoid any encoding problems, it can be base64 encoded.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "aws_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "aws" + }, + "required": true + } + ], + "get": { + "operationId": "aws-read-role-tag-deny-list", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "aws-write-role-tag-deny-list", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "aws-delete-role-tag-deny-list", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/auth/{aws_mount_path}/tidy/identity-accesslist": { + "description": "Clean-up the access list instance identity entries.", + "parameters": [ + { + "name": "aws_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "aws" + }, + "required": true + } + ], + "post": { + "operationId": "aws-tidy-identity-access-list", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AwsTidyIdentityAccessListRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{aws_mount_path}/tidy/identity-whitelist": { + "description": "Clean-up the access list instance identity entries.", + "parameters": [ + { + "name": "aws_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "aws" + }, + "required": true + } + ], + "post": { + "operationId": "aws-tidy-identity-whitelist", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": 
"#/components/schemas/AwsTidyIdentityWhitelistRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{aws_mount_path}/tidy/roletag-blacklist": { + "description": "Clean-up the deny list role tag entries.", + "parameters": [ + { + "name": "aws_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "aws" + }, + "required": true + } + ], + "post": { + "operationId": "aws-tidy-role-tag-blacklist", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AwsTidyRoleTagBlacklistRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{aws_mount_path}/tidy/roletag-denylist": { + "description": "Clean-up the deny list role tag entries.", + "parameters": [ + { + "name": "aws_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "aws" + }, + "required": true + } + ], + "post": { + "operationId": "aws-tidy-role-tag-deny-list", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AwsTidyRoleTagDenyListRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{azure_mount_path}/config": { + "description": "Configures the Azure authentication backend.", + "parameters": [ + { + "name": "azure_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "azure" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "operationId": "azure-read-auth-configuration", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "azure-configure-auth", + "tags": 
[ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AzureConfigureAuthRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "azure-delete-auth-configuration", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/auth/{azure_mount_path}/login": { + "description": "Authenticates Azure Managed Service Identities with Vault.", + "parameters": [ + { + "name": "azure_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "azure" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "azure-login", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AzureLoginRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{azure_mount_path}/role/": { + "description": "Lists all the roles registered with the backend.", + "parameters": [ + { + "name": "azure_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "azure" + }, + "required": true + } + ], + "get": { + "operationId": "azure-list-auth-roles", + "tags": [ + "auth" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/auth/{azure_mount_path}/role/{name}": { + "description": "Register an role with the backend.", + "parameters": [ + { + "name": "name", + 
"description": "Name of the role.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "azure_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "azure" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "operationId": "azure-read-auth-role", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "azure-write-auth-role", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AzureWriteAuthRoleRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "azure-delete-auth-role", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/auth/{azure_mount_path}/rotate-root": { + "description": "Attempt to rotate the root credentials used to communicate with Azure.", + "parameters": [ + { + "name": "azure_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "azure" + }, + "required": true + } + ], + "post": { + "operationId": "azure-rotate-root-credentials", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{centrify_mount_path}/config": { + "description": "This path allows you to configure the centrify auth provider to interact with the Centrify Identity Services Platform for authenticating users.", + "parameters": [ + { + "name": "centrify_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "centrify" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "operationId": "centrify-read-configuration", + "tags": [ + "auth" + 
], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "centrify-configure", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/CentrifyConfigureRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{centrify_mount_path}/login": { + "description": "Log in with a username and password.", + "parameters": [ + { + "name": "centrify_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "centrify" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "summary": "Log in with a username and password.", + "operationId": "centrify-login", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/CentrifyLoginRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{cert_mount_path}/certs/": { + "description": "Manage trusted certificates used for authentication.", + "parameters": [ + { + "name": "cert_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "cert" + }, + "required": true + } + ], + "x-vault-displayAttrs": { + "navigation": true, + "itemType": "Certificate" + }, + "get": { + "summary": "Manage trusted certificates used for authentication.", + "operationId": "cert-list-certificates", + "tags": [ + "auth" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } 
+ } + } + } + }, + "/auth/{cert_mount_path}/certs/{name}": { + "description": "Manage trusted certificates used for authentication.", + "parameters": [ + { + "name": "name", + "description": "The name of the certificate", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "cert_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "cert" + }, + "required": true + } + ], + "x-vault-displayAttrs": { + "itemType": "Certificate", + "action": "Create" + }, + "get": { + "summary": "Manage trusted certificates used for authentication.", + "operationId": "cert-read-certificate", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "Manage trusted certificates used for authentication.", + "operationId": "cert-write-certificate", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/CertWriteCertificateRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Manage trusted certificates used for authentication.", + "operationId": "cert-delete-certificate", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/auth/{cert_mount_path}/config": { + "parameters": [ + { + "name": "cert_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "cert" + }, + "required": true + } + ], + "get": { + "operationId": "cert-read-configuration", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "cert-configure", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": 
"#/components/schemas/CertConfigureRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{cert_mount_path}/crls/": { + "description": "Manage Certificate Revocation Lists checked during authentication.", + "parameters": [ + { + "name": "cert_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "cert" + }, + "required": true + } + ], + "get": { + "operationId": "cert-list-crls", + "tags": [ + "auth" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/auth/{cert_mount_path}/crls/{name}": { + "description": "Manage Certificate Revocation Lists checked during authentication.", + "parameters": [ + { + "name": "name", + "description": "The name of the certificate", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "cert_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "cert" + }, + "required": true + } + ], + "get": { + "summary": "Manage Certificate Revocation Lists checked during authentication.", + "operationId": "cert-read-crl", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "Manage Certificate Revocation Lists checked during authentication.", + "operationId": "cert-write-crl", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/CertWriteCrlRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, 
+ "delete": { + "summary": "Manage Certificate Revocation Lists checked during authentication.", + "operationId": "cert-delete-crl", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/auth/{cert_mount_path}/login": { + "parameters": [ + { + "name": "cert_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "cert" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "cert-login", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/CertLoginRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{cf_mount_path}/config": { + "description": "Provide Vault with the CA certificate used to issue all client certificates.", + "parameters": [ + { + "name": "cf_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "cf" + }, + "required": true + } + ], + "get": { + "operationId": "cloud-foundry-read-configuration", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "cloud-foundry-configure", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/CloudFoundryConfigureRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "cloud-foundry-delete-configuration", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/auth/{cf_mount_path}/login": { + "description": "Authenticates an entity with Vault.", + "parameters": [ + { + "name": "cf_mount_path", + "description": "Path that the backend was mounted at", + "in": 
"path", + "schema": { + "type": "string", + "default": "cf" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "cloud-foundry-login", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/CloudFoundryLoginRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{cf_mount_path}/roles/": { + "description": "List the existing roles in this backend.", + "parameters": [ + { + "name": "cf_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "cf" + }, + "required": true + } + ], + "get": { + "operationId": "cloud-foundry-list-roles", + "tags": [ + "auth" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/auth/{cf_mount_path}/roles/{role}": { + "description": "Read, write and reference policies and roles that tokens can be made for.", + "parameters": [ + { + "name": "role", + "description": "The name of the role.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "cf_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "cf" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "operationId": "cloud-foundry-read-role", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "cloud-foundry-write-role", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + 
"content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/CloudFoundryWriteRoleRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "cloud-foundry-delete-role", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/auth/{gcp_mount_path}/config": { + "description": "Configure credentials used to query the GCP IAM API to verify authenticating service accounts", + "parameters": [ + { + "name": "gcp_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcp" + }, + "required": true + } + ], + "get": { + "operationId": "google-cloud-read-auth-configuration", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "google-cloud-configure-auth", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GoogleCloudConfigureAuthRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{gcp_mount_path}/login": { + "description": "Authenticates Google Cloud Platform entities with Vault.", + "parameters": [ + { + "name": "gcp_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcp" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "google-cloud-login", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GoogleCloudLoginRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{gcp_mount_path}/role/": { + "description": "Lists all the roles that are registered with Vault.", + "parameters": [ + { + 
"name": "gcp_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcp" + }, + "required": true + } + ], + "get": { + "summary": "Lists all the roles that are registered with Vault.", + "operationId": "google-cloud-list-roles", + "tags": [ + "auth" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/auth/{gcp_mount_path}/role/{name}": { + "description": "Create a GCP role with associated policies and required attributes.", + "parameters": [ + { + "name": "name", + "description": "Name of the role.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "gcp_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcp" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "summary": "Create a GCP role with associated policies and required attributes.", + "operationId": "google-cloud-read-role", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "Create a GCP role with associated policies and required attributes.", + "operationId": "google-cloud-write-role", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GoogleCloudWriteRoleRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Create a GCP role with associated policies and required attributes.", + "operationId": "google-cloud-delete-role", + 
"tags": [ + "auth" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/auth/{gcp_mount_path}/role/{name}/labels": { + "description": "Add or remove labels for an existing 'gce' role", + "parameters": [ + { + "name": "name", + "description": "Name of the role.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "gcp_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcp" + }, + "required": true + } + ], + "post": { + "summary": "Add or remove labels for an existing 'gce' role", + "operationId": "google-cloud-edit-labels-for-role", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GoogleCloudEditLabelsForRoleRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{gcp_mount_path}/role/{name}/service-accounts": { + "description": "Add or remove service accounts for an existing `iam` role", + "parameters": [ + { + "name": "name", + "description": "Name of the role.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "gcp_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcp" + }, + "required": true + } + ], + "post": { + "summary": "Add or remove service accounts for an existing `iam` role", + "operationId": "google-cloud-edit-service-accounts-for-role", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GoogleCloudEditServiceAccountsForRoleRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{gcp_mount_path}/roles/": { + "description": "Lists all the roles that are registered with Vault.", + 
"parameters": [ + { + "name": "gcp_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcp" + }, + "required": true + } + ], + "get": { + "summary": "Lists all the roles that are registered with Vault.", + "operationId": "google-cloud-list-roles2", + "tags": [ + "auth" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/auth/{github_mount_path}/config": { + "parameters": [ + { + "name": "github_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "github" + }, + "required": true + } + ], + "get": { + "operationId": "github-read-configuration", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "github-configure", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GithubConfigureRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{github_mount_path}/login": { + "parameters": [ + { + "name": "github_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "github" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "github-login", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GithubLoginRequest" + } + } + } + }, + "responses": { + "200": { + 
"description": "OK" + } + } + } + }, + "/auth/{github_mount_path}/map/teams": { + "description": "Read mappings for teams", + "parameters": [ + { + "name": "github_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "github" + }, + "required": true + } + ], + "get": { + "summary": "Read mappings for teams", + "operationId": "github-list-teams2", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{github_mount_path}/map/teams/": { + "description": "Read mappings for teams", + "parameters": [ + { + "name": "github_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "github" + }, + "required": true + } + ], + "get": { + "summary": "Read mappings for teams", + "operationId": "github-list-teams", + "tags": [ + "auth" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/auth/{github_mount_path}/map/teams/{key}": { + "description": "Read/write/delete a single teams mapping", + "parameters": [ + { + "name": "key", + "description": "Key for the teams mapping", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "github_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "github" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "summary": "Read/write/delete a single teams mapping", + "operationId": "github-read-team-mapping", + "tags": [ + "auth" + ], + "responses": { + "200": { + 
"description": "OK" + } + } + }, + "post": { + "summary": "Read/write/delete a single teams mapping", + "operationId": "github-write-team-mapping", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GithubWriteTeamMappingRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Read/write/delete a single teams mapping", + "operationId": "github-delete-team-mapping", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/auth/{github_mount_path}/map/users": { + "description": "Read mappings for users", + "parameters": [ + { + "name": "github_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "github" + }, + "required": true + } + ], + "get": { + "summary": "Read mappings for users", + "operationId": "github-list-users2", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{github_mount_path}/map/users/": { + "description": "Read mappings for users", + "parameters": [ + { + "name": "github_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "github" + }, + "required": true + } + ], + "get": { + "summary": "Read mappings for users", + "operationId": "github-list-users", + "tags": [ + "auth" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/auth/{github_mount_path}/map/users/{key}": { + "description": "Read/write/delete a 
single users mapping", + "parameters": [ + { + "name": "key", + "description": "Key for the users mapping", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "github_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "github" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "summary": "Read/write/delete a single users mapping", + "operationId": "github-read-user-mapping", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "Read/write/delete a single users mapping", + "operationId": "github-write-user-mapping", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GithubWriteUserMappingRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Read/write/delete a single users mapping", + "operationId": "github-delete-user-mapping", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/auth/{jwt_mount_path}/config": { + "description": "Configures the JWT authentication backend.", + "parameters": [ + { + "name": "jwt_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "jwt" + }, + "required": true + } + ], + "get": { + "summary": "Read the current JWT authentication backend configuration.", + "operationId": "jwt-read-configuration", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "Configure the JWT authentication backend.", + "description": "The JWT authentication backend validates JWTs (or OIDC) using the configured\ncredentials. 
If using OIDC Discovery, the URL must be provided, along\nwith (optionally) the CA cert to use for the connection. If performing JWT\nvalidation locally, a set of public keys must be provided.", + "operationId": "jwt-configure", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/JwtConfigureRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{jwt_mount_path}/login": { + "description": "Authenticates to Vault using a JWT (or OIDC) token.", + "parameters": [ + { + "name": "jwt_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "jwt" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "summary": "Authenticates to Vault using a JWT (or OIDC) token.", + "operationId": "jwt-login", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/JwtLoginRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{jwt_mount_path}/oidc/auth_url": { + "parameters": [ + { + "name": "jwt_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "jwt" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "summary": "Request an authorization URL to start an OIDC login flow.", + "operationId": "jwt-oidc-request-authorization-url", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/JwtOidcRequestAuthorizationUrlRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{jwt_mount_path}/oidc/callback": { + "parameters": [ + { + "name": "jwt_mount_path", + 
"description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "jwt" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "summary": "Callback endpoint to complete an OIDC login.", + "operationId": "jwt-oidc-callback", + "tags": [ + "auth" + ], + "parameters": [ + { + "name": "client_nonce", + "in": "query", + "schema": { + "type": "string" + } + }, + { + "name": "code", + "in": "query", + "schema": { + "type": "string" + } + }, + { + "name": "state", + "in": "query", + "schema": { + "type": "string" + } + } + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "Callback endpoint to handle form_posts.", + "operationId": "jwt-oidc-callback-form-post", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/JwtOidcCallbackFormPostRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{jwt_mount_path}/role/": { + "description": "Lists all the roles registered with the backend.", + "parameters": [ + { + "name": "jwt_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "jwt" + }, + "required": true + } + ], + "get": { + "summary": "Lists all the roles registered with the backend.", + "description": "The list will contain the names of the roles.", + "operationId": "jwt-list-roles", + "tags": [ + "auth" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/auth/{jwt_mount_path}/role/{name}": { + 
"description": "Register an role with the backend.", + "parameters": [ + { + "name": "name", + "description": "Name of the role.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "jwt_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "jwt" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "summary": "Read an existing role.", + "operationId": "jwt-read-role", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "Register an role with the backend.", + "description": "A role is required to authenticate with this backend. The role binds\n\t\tJWT token information with token policies and settings.\n\t\tThe bindings, token polices and token settings can all be configured\n\t\tusing this endpoint", + "operationId": "jwt-write-role", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/JwtWriteRoleRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Delete an existing role.", + "operationId": "jwt-delete-role", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/auth/{kerberos_mount_path}/config": { + "description": "Configures the Kerberos keytab and service account.", + "parameters": [ + { + "name": "kerberos_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "kerberos" + }, + "required": true + } + ], + "get": { + "operationId": "kerberos-read-configuration", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "kerberos-configure", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + 
"content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/KerberosConfigureRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{kerberos_mount_path}/config/ldap": { + "description": "Configure the LDAP server to connect to, along with its options.", + "parameters": [ + { + "name": "kerberos_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "kerberos" + }, + "required": true + } + ], + "get": { + "operationId": "kerberos-read-ldap-configuration", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "kerberos-configure-ldap", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/KerberosConfigureLdapRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{kerberos_mount_path}/groups/": { + "description": "Manage users allowed to authenticate.", + "parameters": [ + { + "name": "kerberos_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "kerberos" + }, + "required": true + } + ], + "get": { + "operationId": "kerberos-list-groups", + "tags": [ + "auth" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/auth/{kerberos_mount_path}/groups/{name}": { + "description": "Manage users allowed to authenticate.", + "parameters": [ + { + "name": "name", + "description": "Name of the LDAP group.", + "in": "path", 
+ "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "kerberos_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "kerberos" + }, + "required": true + } + ], + "get": { + "operationId": "kerberos-read-group", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "kerberos-write-group", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/KerberosWriteGroupRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "kerberos-delete-group", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/auth/{kerberos_mount_path}/login": { + "parameters": [ + { + "name": "kerberos_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "kerberos" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "kerberos-login2", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "kerberos-login", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/KerberosLoginRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{kubernetes_mount_path}/config": { + "description": "Configures the JWT Public Key and Kubernetes API information.", + "parameters": [ + { + "name": "kubernetes_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "kubernetes" + }, + "required": true + } + ], + "get": { + "operationId": 
"kubernetes-read-auth-configuration", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "kubernetes-configure-auth", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/KubernetesConfigureAuthRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{kubernetes_mount_path}/login": { + "description": "Authenticates Kubernetes service accounts with Vault.", + "parameters": [ + { + "name": "kubernetes_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "kubernetes" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "summary": "Authenticates Kubernetes service accounts with Vault.", + "operationId": "kubernetes-login", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/KubernetesLoginRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{kubernetes_mount_path}/role/": { + "description": "Lists all the roles registered with the backend.", + "parameters": [ + { + "name": "kubernetes_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "kubernetes" + }, + "required": true + } + ], + "x-vault-displayAttrs": { + "navigation": true, + "itemType": "Role" + }, + "get": { + "summary": "Lists all the roles registered with the backend.", + "operationId": "kubernetes-list-auth-roles", + "tags": [ + "auth" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": 
"OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/auth/{kubernetes_mount_path}/role/{name}": { + "description": "Register an role with the backend.", + "parameters": [ + { + "name": "name", + "description": "Name of the role.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "kubernetes_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "kubernetes" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "x-vault-displayAttrs": { + "itemType": "Role", + "action": "Create" + }, + "get": { + "summary": "Register an role with the backend.", + "operationId": "kubernetes-read-auth-role", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "Register an role with the backend.", + "operationId": "kubernetes-write-auth-role", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/KubernetesWriteAuthRoleRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Register an role with the backend.", + "operationId": "kubernetes-delete-auth-role", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/auth/{ldap_mount_path}/config": { + "description": "Configure the LDAP server to connect to, along with its options.", + "parameters": [ + { + "name": "ldap_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "ldap" + }, + "required": true + } + ], + "x-vault-displayAttrs": { + "action": "Configure" + }, + "get": { + "operationId": "ldap-read-auth-configuration", + "tags": [ + "auth" + ], + "responses": { + 
"200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "ldap-configure-auth", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/LdapConfigureAuthRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{ldap_mount_path}/groups/": { + "description": "Manage additional groups for users allowed to authenticate.", + "parameters": [ + { + "name": "ldap_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "ldap" + }, + "required": true + } + ], + "x-vault-displayAttrs": { + "navigation": true, + "itemType": "Group" + }, + "get": { + "summary": "Manage additional groups for users allowed to authenticate.", + "operationId": "ldap-list-groups", + "tags": [ + "auth" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/auth/{ldap_mount_path}/groups/{name}": { + "description": "Manage additional groups for users allowed to authenticate.", + "parameters": [ + { + "name": "name", + "description": "Name of the LDAP group.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "ldap_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "ldap" + }, + "required": true + } + ], + "x-vault-displayAttrs": { + "itemType": "Group", + "action": "Create" + }, + "get": { + "summary": "Manage additional groups for users allowed to authenticate.", + "operationId": "ldap-read-group", + "tags": [ + "auth" + ], + 
"responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "Manage additional groups for users allowed to authenticate.", + "operationId": "ldap-write-group", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/LdapWriteGroupRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Manage additional groups for users allowed to authenticate.", + "operationId": "ldap-delete-group", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/auth/{ldap_mount_path}/login/{username}": { + "description": "Log in with a username and password.", + "parameters": [ + { + "name": "username", + "description": "DN (distinguished name) to be used for login.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "ldap_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "ldap" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "summary": "Log in with a username and password.", + "operationId": "ldap-login", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/LdapLoginRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{ldap_mount_path}/users/": { + "description": "Manage users allowed to authenticate.", + "parameters": [ + { + "name": "ldap_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "ldap" + }, + "required": true + } + ], + "x-vault-displayAttrs": { + "navigation": true, + "itemType": "User" + }, + "get": { + "summary": "Manage users allowed to authenticate.", + 
"operationId": "ldap-list-users", + "tags": [ + "auth" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/auth/{ldap_mount_path}/users/{name}": { + "description": "Manage users allowed to authenticate.", + "parameters": [ + { + "name": "name", + "description": "Name of the LDAP user.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "ldap_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "ldap" + }, + "required": true + } + ], + "x-vault-displayAttrs": { + "itemType": "User", + "action": "Create" + }, + "get": { + "summary": "Manage users allowed to authenticate.", + "operationId": "ldap-read-user", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "Manage users allowed to authenticate.", + "operationId": "ldap-write-user", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/LdapWriteUserRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Manage users allowed to authenticate.", + "operationId": "ldap-delete-user", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/auth/{oci_mount_path}/config": { + "description": "Manages the configuration for the Vault Auth Plugin.", + "parameters": [ + { + "name": "oci_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": 
"oci" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "operationId": "oci-read-configuration", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "oci-configure", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/OciConfigureRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "oci-delete-configuration", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/auth/{oci_mount_path}/login": { + "description": "Determines the role that would be used for login from a valid OCI login request", + "parameters": [ + { + "name": "oci_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "oci" + }, + "required": true + } + ] + }, + "/auth/{oci_mount_path}/login/{role}": { + "description": "Authenticates to Vault using OCI credentials", + "parameters": [ + { + "name": "role", + "description": "Name of the role.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "oci_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "oci" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "summary": "Authenticates to Vault using OCI credentials", + "operationId": "oci-login", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/OciLoginRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{oci_mount_path}/role/": { + "description": "Lists all the roles that are registered with Vault.", + "parameters": [ + { + 
"name": "oci_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "oci" + }, + "required": true + } + ], + "get": { + "summary": "Lists all the roles that are registered with Vault.", + "operationId": "oci-list-roles", + "tags": [ + "auth" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/auth/{oci_mount_path}/role/{role}": { + "description": "Create a role and associate policies to it.", + "parameters": [ + { + "name": "role", + "description": "Name of the role.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "oci_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "oci" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "summary": "Create a role and associate policies to it.", + "operationId": "oci-read-role", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "Create a role and associate policies to it.", + "operationId": "oci-write-role", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/OciWriteRoleRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Create a role and associate policies to it.", + "operationId": "oci-delete-role", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/auth/{okta_mount_path}/config": { + 
"description": "This endpoint allows you to configure the Okta and its configuration options. The Okta organization are the characters at the front of the URL for Okta. Example https://ORG.okta.com", + "parameters": [ + { + "name": "okta_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "okta" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "x-vault-displayAttrs": { + "action": "Configure" + }, + "get": { + "operationId": "okta-read-configuration", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "okta-configure", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/OktaConfigureRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{okta_mount_path}/groups/": { + "description": "Manage users allowed to authenticate.", + "parameters": [ + { + "name": "okta_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "okta" + }, + "required": true + } + ], + "x-vault-displayAttrs": { + "navigation": true, + "itemType": "Group" + }, + "get": { + "summary": "Manage users allowed to authenticate.", + "operationId": "okta-list-groups", + "tags": [ + "auth" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/auth/{okta_mount_path}/groups/{name}": { + "description": "Manage users allowed to authenticate.", + "parameters": [ + { + "name": "name", + 
"description": "Name of the Okta group.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "okta_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "okta" + }, + "required": true + } + ], + "x-vault-displayAttrs": { + "itemType": "Group", + "action": "Create" + }, + "get": { + "summary": "Manage users allowed to authenticate.", + "operationId": "okta-read-group", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "Manage users allowed to authenticate.", + "operationId": "okta-write-group", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/OktaWriteGroupRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Manage users allowed to authenticate.", + "operationId": "okta-delete-group", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/auth/{okta_mount_path}/login/{username}": { + "description": "Log in with a username and password.", + "parameters": [ + { + "name": "username", + "description": "Username to be used for login.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "okta_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "okta" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "summary": "Log in with a username and password.", + "operationId": "okta-login", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/OktaLoginRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + 
"/auth/{okta_mount_path}/users/": { + "description": "Manage additional groups for users allowed to authenticate.", + "parameters": [ + { + "name": "okta_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "okta" + }, + "required": true + } + ], + "x-vault-displayAttrs": { + "navigation": true, + "itemType": "User" + }, + "get": { + "summary": "Manage additional groups for users allowed to authenticate.", + "operationId": "okta-list-users", + "tags": [ + "auth" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/auth/{okta_mount_path}/users/{name}": { + "description": "Manage additional groups for users allowed to authenticate.", + "parameters": [ + { + "name": "name", + "description": "Name of the user.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "okta_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "okta" + }, + "required": true + } + ], + "x-vault-displayAttrs": { + "itemType": "User", + "action": "Create" + }, + "get": { + "summary": "Manage additional groups for users allowed to authenticate.", + "operationId": "okta-read-user", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "Manage additional groups for users allowed to authenticate.", + "operationId": "okta-write-user", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/OktaWriteUserRequest" + } + } + } + 
}, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Manage additional groups for users allowed to authenticate.", + "operationId": "okta-delete-user", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/auth/{okta_mount_path}/verify/{nonce}": { + "parameters": [ + { + "name": "nonce", + "description": "Nonce provided during a login request to retrieve the number verification challenge for the matching request.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "okta_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "okta" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "okta-verify", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{radius_mount_path}/config": { + "description": "Configure the RADIUS server to connect to, along with its options.", + "parameters": [ + { + "name": "radius_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "radius" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "x-vault-displayAttrs": { + "action": "Configure" + }, + "get": { + "operationId": "radius-read-configuration", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "radius-configure", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/RadiusConfigureRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{radius_mount_path}/login": { + "description": "Log in with a username and password.", + "parameters": [ + { + "name": "radius_mount_path", + 
"description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "radius" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "summary": "Log in with a username and password.", + "operationId": "radius-login", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/RadiusLoginRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{radius_mount_path}/login/{urlusername}": { + "description": "Log in with a username and password.", + "parameters": [ + { + "name": "urlusername", + "description": "Username to be used for login. (URL parameter)", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "radius_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "radius" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "summary": "Log in with a username and password.", + "operationId": "radius-login-with-username", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/RadiusLoginWithUsernameRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{radius_mount_path}/users/": { + "description": "Manage users allowed to authenticate.", + "parameters": [ + { + "name": "radius_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "radius" + }, + "required": true + } + ], + "x-vault-displayAttrs": { + "navigation": true, + "itemType": "User" + }, + "get": { + "summary": "Manage users allowed to authenticate.", + "operationId": "radius-list-users", + "tags": [ + "auth" + ], + "parameters": [ + { 
+ "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/auth/{radius_mount_path}/users/{name}": { + "description": "Manage users allowed to authenticate.", + "parameters": [ + { + "name": "name", + "description": "Name of the RADIUS user.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "radius_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "radius" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "x-vault-displayAttrs": { + "itemType": "User", + "action": "Create" + }, + "get": { + "summary": "Manage users allowed to authenticate.", + "operationId": "radius-read-user", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "Manage users allowed to authenticate.", + "operationId": "radius-write-user", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/RadiusWriteUserRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Manage users allowed to authenticate.", + "operationId": "radius-delete-user", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/auth/{userpass_mount_path}/login/{username}": { + "description": "Log in with a username and password.", + "parameters": [ + { + "name": "username", + "description": "Username of the user.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "userpass_mount_path", + 
"description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "userpass" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "summary": "Log in with a username and password.", + "operationId": "userpass-login", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/UserpassLoginRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{userpass_mount_path}/users/": { + "description": "Manage users allowed to authenticate.", + "parameters": [ + { + "name": "userpass_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "userpass" + }, + "required": true + } + ], + "x-vault-displayAttrs": { + "navigation": true, + "itemType": "User" + }, + "get": { + "summary": "Manage users allowed to authenticate.", + "operationId": "userpass-list-users", + "tags": [ + "auth" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/auth/{userpass_mount_path}/users/{username}": { + "description": "Manage users allowed to authenticate.", + "parameters": [ + { + "name": "username", + "description": "Username for this user.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "userpass_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "userpass" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "x-vault-displayAttrs": { + 
"itemType": "User", + "action": "Create" + }, + "get": { + "summary": "Manage users allowed to authenticate.", + "operationId": "userpass-read-user", + "tags": [ + "auth" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "Manage users allowed to authenticate.", + "operationId": "userpass-write-user", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/UserpassWriteUserRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Manage users allowed to authenticate.", + "operationId": "userpass-delete-user", + "tags": [ + "auth" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/auth/{userpass_mount_path}/users/{username}/password": { + "description": "Reset user's password.", + "parameters": [ + { + "name": "username", + "description": "Username for this user.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "userpass_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "userpass" + }, + "required": true + } + ], + "post": { + "summary": "Reset user's password.", + "operationId": "userpass-reset-password", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/UserpassResetPasswordRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/auth/{userpass_mount_path}/users/{username}/policies": { + "description": "Update the policies associated with the username.", + "parameters": [ + { + "name": "username", + "description": "Username for this user.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "userpass_mount_path", + "description": "Path 
that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "userpass" + }, + "required": true + } + ], + "post": { + "summary": "Update the policies associated with the username.", + "operationId": "userpass-update-policies", + "tags": [ + "auth" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/UserpassUpdatePoliciesRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/cubbyhole/{path}": { + "description": "Pass-through secret storage to a token-specific cubbyhole in the storage backend, allowing you to read/write arbitrary data into secret storage.", + "parameters": [ + { + "name": "path", + "description": "Specifies the path of the secret.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "summary": "Retrieve the secret at the specified location.", + "operationId": "cubbyhole-read", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "Store a secret at the specified location.", + "operationId": "cubbyhole-write", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "type": "object", + "additionalProperties": true + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Deletes the secret at the specified location.", + "operationId": "cubbyhole-delete", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/cubbyhole/{path}/": { + "description": "Pass-through secret storage to a token-specific cubbyhole in the storage backend, allowing you to read/write arbitrary data into secret storage.", + "parameters": [ + { + "name": "path", + "description": "Specifies the path of the secret.", + "in": 
"path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "summary": "List secret entries at the specified location.", + "description": "Folders are suffixed with /. The input must be a folder; list on a file will not return a value. The values themselves are not accessible via this command.", + "operationId": "cubbyhole-list", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/identity/alias": { + "description": "Create a new alias.", + "post": { + "summary": "Create a new alias.", + "operationId": "alias-create", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AliasCreateRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/identity/alias/id/": { + "description": "List all the alias IDs.", + "get": { + "summary": "List all the alias IDs.", + "operationId": "alias-list-by-id", + "tags": [ + "identity" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/identity/alias/id/{id}": { + "description": "Update, read or delete an alias ID.", + "parameters": [ + { + "name": "id", + "description": "ID of the alias", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + 
"operationId": "alias-read-by-id", + "tags": [ + "identity" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "alias-update-by-id", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AliasUpdateByIdRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "alias-delete-by-id", + "tags": [ + "identity" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/identity/entity": { + "description": "Create a new entity", + "post": { + "summary": "Create a new entity", + "operationId": "entity-create", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/EntityCreateRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/identity/entity-alias": { + "description": "Create a new alias.", + "post": { + "summary": "Create a new alias.", + "operationId": "entity-create-alias", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/EntityCreateAliasRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/identity/entity-alias/id/": { + "description": "List all the alias IDs.", + "get": { + "summary": "List all the alias IDs.", + "operationId": "entity-list-aliases-by-id", + "tags": [ + "identity" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } 
+ }, + "/identity/entity-alias/id/{id}": { + "description": "Update, read or delete an alias ID.", + "parameters": [ + { + "name": "id", + "description": "ID of the alias", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "operationId": "entity-read-alias-by-id", + "tags": [ + "identity" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "entity-update-alias-by-id", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/EntityUpdateAliasByIdRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "entity-delete-alias-by-id", + "tags": [ + "identity" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/identity/entity/batch-delete": { + "description": "Delete all of the entities provided", + "post": { + "summary": "Delete all of the entities provided", + "operationId": "entity-batch-delete", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/EntityBatchDeleteRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/identity/entity/id/": { + "description": "List all the entity IDs", + "get": { + "summary": "List all the entity IDs", + "operationId": "entity-list-by-id", + "tags": [ + "identity" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/identity/entity/id/{id}": { + "description": "Update, read or delete an 
entity using entity ID", + "parameters": [ + { + "name": "id", + "description": "ID of the entity. If set, updates the corresponding existing entity.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "operationId": "entity-read-by-id", + "tags": [ + "identity" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "entity-update-by-id", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/EntityUpdateByIdRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "entity-delete-by-id", + "tags": [ + "identity" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/identity/entity/merge": { + "description": "Merge two or more entities together", + "post": { + "summary": "Merge two or more entities together", + "operationId": "entity-merge", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/EntityMergeRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/identity/entity/name/": { + "description": "List all the entity names", + "get": { + "summary": "List all the entity names", + "operationId": "entity-list-by-name", + "tags": [ + "identity" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/identity/entity/name/{name}": { + "description": "Update, read or delete an entity using entity name", + "parameters": [ + { + 
"name": "name", + "description": "Name of the entity", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "operationId": "entity-read-by-name", + "tags": [ + "identity" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "entity-update-by-name", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/EntityUpdateByNameRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "entity-delete-by-name", + "tags": [ + "identity" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/identity/group": { + "description": "Create a new group.", + "post": { + "operationId": "group-create", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GroupCreateRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/identity/group-alias": { + "description": "Creates a new group alias, or updates an existing one.", + "post": { + "summary": "Creates a new group alias, or updates an existing one.", + "operationId": "group-create-alias", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GroupCreateAliasRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/identity/group-alias/id/": { + "description": "List all the group alias IDs.", + "get": { + "summary": "List all the group alias IDs.", + "operationId": "group-list-aliases-by-id", + "tags": [ + "identity" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + 
"required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/identity/group-alias/id/{id}": { + "parameters": [ + { + "name": "id", + "description": "ID of the group alias.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "operationId": "group-read-alias-by-id", + "tags": [ + "identity" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "group-update-alias-by-id", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GroupUpdateAliasByIdRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "group-delete-alias-by-id", + "tags": [ + "identity" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/identity/group/id/": { + "description": "List all the group IDs.", + "get": { + "summary": "List all the group IDs.", + "operationId": "group-list-by-id", + "tags": [ + "identity" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/identity/group/id/{id}": { + "description": "Update or delete an existing group using its ID.", + "parameters": [ + { + "name": "id", + "description": "ID of the group. 
If set, updates the corresponding existing group.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "operationId": "group-read-by-id", + "tags": [ + "identity" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "group-update-by-id", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GroupUpdateByIdRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "group-delete-by-id", + "tags": [ + "identity" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/identity/group/name/": { + "get": { + "operationId": "group-list-by-name", + "tags": [ + "identity" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/identity/group/name/{name}": { + "parameters": [ + { + "name": "name", + "description": "Name of the group.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "operationId": "group-read-by-name", + "tags": [ + "identity" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "group-update-by-name", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GroupUpdateByNameRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "group-delete-by-name", + "tags": [ + "identity" + ], + "responses": { + "204": { + 
"description": "empty body" + } + } + } + }, + "/identity/lookup/entity": { + "description": "Query entities based on various properties.", + "post": { + "summary": "Query entities based on various properties.", + "operationId": "entity-look-up", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/EntityLookUpRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/identity/lookup/group": { + "description": "Query groups based on various properties.", + "post": { + "summary": "Query groups based on various properties.", + "operationId": "group-look-up", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GroupLookUpRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/identity/mfa/login-enforcement/": { + "get": { + "summary": "List login enforcements", + "operationId": "mfa-list-login-enforcements", + "tags": [ + "identity" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/identity/mfa/login-enforcement/{name}": { + "parameters": [ + { + "name": "name", + "description": "Name for this login enforcement configuration", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "summary": "Read the current login enforcement", + "operationId": "mfa-read-login-enforcement", + "tags": [ + "identity" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "Create or update a login 
enforcement", + "operationId": "mfa-write-login-enforcement", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/MfaWriteLoginEnforcementRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Delete a login enforcement", + "operationId": "mfa-delete-login-enforcement", + "tags": [ + "identity" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/identity/mfa/method/": { + "get": { + "summary": "List MFA method configurations for all MFA methods", + "operationId": "mfa-list-methods", + "tags": [ + "identity" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/identity/mfa/method/duo": { + "post": { + "summary": "Create the given MFA method", + "operationId": "mfa-create-duo-method", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/MfaCreateDuoMethodRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/identity/mfa/method/duo/": { + "get": { + "summary": "List MFA method configurations for the given MFA method", + "operationId": "mfa-list-duo-methods", + "tags": [ + "identity" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": 
"#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/identity/mfa/method/duo/{method_id}": { + "parameters": [ + { + "name": "method_id", + "description": "The unique identifier for this MFA method.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "summary": "Read the current configuration for the given MFA method", + "operationId": "mfa-read-duo-method", + "tags": [ + "identity" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "Update the configuration for the given MFA method", + "operationId": "mfa-update-duo-method", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/MfaUpdateDuoMethodRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Delete the given MFA method", + "operationId": "mfa-delete-duo-method", + "tags": [ + "identity" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/identity/mfa/method/okta": { + "post": { + "summary": "Create the given MFA method", + "operationId": "mfa-create-okta-method", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/MfaCreateOktaMethodRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/identity/mfa/method/okta/": { + "get": { + "summary": "List MFA method configurations for the given MFA method", + "operationId": "mfa-list-okta-methods", + "tags": [ + "identity" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + 
"$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/identity/mfa/method/okta/{method_id}": { + "parameters": [ + { + "name": "method_id", + "description": "The unique identifier for this MFA method.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "summary": "Read the current configuration for the given MFA method", + "operationId": "mfa-read-okta-method", + "tags": [ + "identity" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "Update the configuration for the given MFA method", + "operationId": "mfa-update-okta-method", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/MfaUpdateOktaMethodRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Delete the given MFA method", + "operationId": "mfa-delete-okta-method", + "tags": [ + "identity" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/identity/mfa/method/pingid": { + "post": { + "summary": "Create the given MFA method", + "operationId": "mfa-create-ping-id-method", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/MfaCreatePingIdMethodRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/identity/mfa/method/pingid/": { + "get": { + "summary": "List MFA method configurations for the given MFA method", + "operationId": "mfa-list-ping-id-methods", + "tags": [ + "identity" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": 
{ + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/identity/mfa/method/pingid/{method_id}": { + "parameters": [ + { + "name": "method_id", + "description": "The unique identifier for this MFA method.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "summary": "Read the current configuration for the given MFA method", + "operationId": "mfa-read-ping-id-method", + "tags": [ + "identity" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "Update the configuration for the given MFA method", + "operationId": "mfa-update-ping-id-method", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/MfaUpdatePingIdMethodRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Delete the given MFA method", + "operationId": "mfa-delete-ping-id-method", + "tags": [ + "identity" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/identity/mfa/method/totp": { + "post": { + "summary": "Create the given MFA method", + "operationId": "mfa-create-totp-method", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/MfaCreateTotpMethodRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/identity/mfa/method/totp/": { + "get": { + "summary": "List MFA method configurations for the given MFA method", + "operationId": "mfa-list-totp-methods", + "tags": [ + "identity" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + 
"application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/identity/mfa/method/totp/admin-destroy": { + "post": { + "summary": "Destroys a TOTP secret for the given MFA method ID on the given entity", + "operationId": "mfa-admin-destroy-totp-secret", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/MfaAdminDestroyTotpSecretRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/identity/mfa/method/totp/admin-generate": { + "post": { + "summary": "Update or create TOTP secret for the given method ID on the given entity.", + "operationId": "mfa-admin-generate-totp-secret", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/MfaAdminGenerateTotpSecretRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/identity/mfa/method/totp/generate": { + "post": { + "summary": "Update or create TOTP secret for the given method ID on the given entity.", + "operationId": "mfa-generate-totp-secret", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/MfaGenerateTotpSecretRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/identity/mfa/method/totp/{method_id}": { + "parameters": [ + { + "name": "method_id", + "description": "The unique identifier for this MFA method.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "summary": "Read the current configuration for the given MFA method", + "operationId": "mfa-read-totp-method", + "tags": [ + "identity" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": 
"Update the configuration for the given MFA method", + "operationId": "mfa-update-totp-method", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/MfaUpdateTotpMethodRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Delete the given MFA method", + "operationId": "mfa-delete-totp-method", + "tags": [ + "identity" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/identity/mfa/method/{method_id}": { + "parameters": [ + { + "name": "method_id", + "description": "The unique identifier for this MFA method.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "summary": "Read the current configuration for the given ID regardless of the MFA method type", + "operationId": "mfa-read-method", + "tags": [ + "identity" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/identity/oidc/.well-known/keys": { + "description": "Retrieve public keys", + "x-vault-unauthenticated": true, + "get": { + "summary": "Retrieve public keys", + "operationId": "oidc-read-public-keys", + "tags": [ + "identity" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/identity/oidc/.well-known/openid-configuration": { + "description": "Query OIDC configurations", + "x-vault-unauthenticated": true, + "get": { + "summary": "Query OIDC configurations", + "operationId": "oidc-read-open-id-configuration", + "tags": [ + "identity" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/identity/oidc/assignment/": { + "description": "List OIDC assignments", + "get": { + "operationId": "oidc-list-assignments", + "tags": [ + "identity" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + 
"required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/identity/oidc/assignment/{name}": { + "description": "CRUD operations for OIDC assignments.", + "parameters": [ + { + "name": "name", + "description": "Name of the assignment", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "operationId": "oidc-read-assignment", + "tags": [ + "identity" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "oidc-write-assignment", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/OidcWriteAssignmentRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "oidc-delete-assignment", + "tags": [ + "identity" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/identity/oidc/client/": { + "description": "List OIDC clients", + "get": { + "operationId": "oidc-list-clients", + "tags": [ + "identity" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/identity/oidc/client/{name}": { + "description": "CRUD operations for OIDC clients.", + "parameters": [ + { + "name": "name", + "description": "Name of the client.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "operationId": "oidc-read-client", + 
"tags": [ + "identity" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "oidc-write-client", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/OidcWriteClientRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "oidc-delete-client", + "tags": [ + "identity" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/identity/oidc/config": { + "description": "OIDC configuration", + "get": { + "operationId": "oidc-read-configuration", + "tags": [ + "identity" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "oidc-configure", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/OidcConfigureRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/identity/oidc/introspect": { + "description": "Verify the authenticity of an OIDC token", + "post": { + "summary": "Verify the authenticity of an OIDC token", + "operationId": "oidc-introspect", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/OidcIntrospectRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/identity/oidc/key/": { + "description": "List OIDC keys", + "get": { + "summary": "List OIDC keys", + "operationId": "oidc-list-keys", + "tags": [ + "identity" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + 
"schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/identity/oidc/key/{name}": { + "description": "CRUD operations for OIDC keys.", + "parameters": [ + { + "name": "name", + "description": "Name of the key", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "summary": "CRUD operations for OIDC keys.", + "operationId": "oidc-read-key", + "tags": [ + "identity" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "CRUD operations for OIDC keys.", + "operationId": "oidc-write-key", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/OidcWriteKeyRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "summary": "CRUD operations for OIDC keys.", + "operationId": "oidc-delete-key", + "tags": [ + "identity" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/identity/oidc/key/{name}/rotate": { + "description": "Rotate a named OIDC key.", + "parameters": [ + { + "name": "name", + "description": "Name of the key", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "post": { + "summary": "Rotate a named OIDC key.", + "operationId": "oidc-rotate-key", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/OidcRotateKeyRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/identity/oidc/provider/": { + "description": "List OIDC providers", + "get": { + "operationId": "oidc-list-providers", + "tags": [ + "identity" + ], + "parameters": [ + { + "name": "allowed_client_id", + "description": "Filters the list of OIDC providers to those that allow the given client ID 
in their set of allowed_client_ids.", + "in": "query", + "schema": { + "type": "string", + "default": "" + } + }, + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/identity/oidc/provider/{name}": { + "description": "CRUD operations for OIDC providers.", + "parameters": [ + { + "name": "name", + "description": "Name of the provider", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "operationId": "oidc-read-provider", + "tags": [ + "identity" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "oidc-write-provider", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/OidcWriteProviderRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "oidc-delete-provider", + "tags": [ + "identity" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/identity/oidc/provider/{name}/.well-known/keys": { + "description": "Retrieve public keys", + "parameters": [ + { + "name": "name", + "description": "Name of the provider", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "oidc-read-provider-public-keys", + "tags": [ + "identity" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/identity/oidc/provider/{name}/.well-known/openid-configuration": { + "description": "Query OIDC configurations", + "parameters": [ + { + "name": "name", + 
"description": "Name of the provider", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "oidc-read-provider-open-id-configuration", + "tags": [ + "identity" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/identity/oidc/provider/{name}/authorize": { + "description": "Provides the OIDC Authorization Endpoint.", + "parameters": [ + { + "name": "name", + "description": "Name of the provider", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "operationId": "oidc-provider-authorize", + "tags": [ + "identity" + ], + "parameters": [ + { + "name": "client_id", + "description": "The ID of the requesting client.", + "in": "query", + "schema": { + "type": "string" + } + }, + { + "name": "code_challenge", + "description": "The code challenge derived from the code verifier.", + "in": "query", + "schema": { + "type": "string" + } + }, + { + "name": "code_challenge_method", + "description": "The method that was used to derive the code challenge. The following methods are supported: 'S256', 'plain'. Defaults to 'plain'.", + "in": "query", + "schema": { + "type": "string", + "default": "plain" + } + }, + { + "name": "max_age", + "description": "The allowable elapsed time in seconds since the last time the end-user was actively authenticated.", + "in": "query", + "schema": { + "type": "integer" + } + }, + { + "name": "nonce", + "description": "The value that will be returned in the ID token nonce claim after a token exchange.", + "in": "query", + "schema": { + "type": "string" + } + }, + { + "name": "redirect_uri", + "description": "The redirection URI to which the response will be sent.", + "in": "query", + "schema": { + "type": "string" + } + }, + { + "name": "response_type", + "description": "The OIDC authentication flow to be used. 
The following response types are supported: 'code'", + "in": "query", + "schema": { + "type": "string" + } + }, + { + "name": "scope", + "description": "A space-delimited, case-sensitive list of scopes to be requested. The 'openid' scope is required.", + "in": "query", + "schema": { + "type": "string" + } + }, + { + "name": "state", + "description": "The value used to maintain state between the authentication request and client.", + "in": "query", + "schema": { + "type": "string" + } + } + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "oidc-provider-authorize-with-parameters", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/OidcProviderAuthorizeWithParametersRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/identity/oidc/provider/{name}/token": { + "description": "Provides the OIDC Token Endpoint.", + "parameters": [ + { + "name": "name", + "description": "Name of the provider", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "oidc-provider-token", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/OidcProviderTokenRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/identity/oidc/provider/{name}/userinfo": { + "description": "Provides the OIDC UserInfo Endpoint.", + "parameters": [ + { + "name": "name", + "description": "Name of the provider", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "operationId": "oidc-provider-user-info", + "tags": [ + "identity" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "oidc-provider-user-info2", 
+ "tags": [ + "identity" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/identity/oidc/role/": { + "description": "List configured OIDC roles", + "get": { + "summary": "List configured OIDC roles", + "operationId": "oidc-list-roles", + "tags": [ + "identity" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/identity/oidc/role/{name}": { + "description": "CRUD operations on OIDC Roles", + "parameters": [ + { + "name": "name", + "description": "Name of the role", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "summary": "CRUD operations on OIDC Roles", + "operationId": "oidc-read-role", + "tags": [ + "identity" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "CRUD operations on OIDC Roles", + "operationId": "oidc-write-role", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/OidcWriteRoleRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "summary": "CRUD operations on OIDC Roles", + "operationId": "oidc-delete-role", + "tags": [ + "identity" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/identity/oidc/scope/": { + "description": "List OIDC scopes", + "get": { + "operationId": "oidc-list-scopes", + "tags": [ + "identity" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + 
"required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/identity/oidc/scope/{name}": { + "description": "CRUD operations for OIDC scopes.", + "parameters": [ + { + "name": "name", + "description": "Name of the scope", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "operationId": "oidc-read-scope", + "tags": [ + "identity" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "oidc-write-scope", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/OidcWriteScopeRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "oidc-delete-scope", + "tags": [ + "identity" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/identity/oidc/token/{name}": { + "description": "Generate an OIDC token", + "parameters": [ + { + "name": "name", + "description": "Name of the role", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "summary": "Generate an OIDC token", + "operationId": "oidc-generate-token", + "tags": [ + "identity" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/identity/persona": { + "description": "Create a new alias.", + "post": { + "summary": "Create a new alias.", + "operationId": "persona-create", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PersonaCreateRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/identity/persona/id/": { + "description": "List all the alias 
IDs.", + "get": { + "summary": "List all the alias IDs.", + "operationId": "persona-list-by-id", + "tags": [ + "identity" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/identity/persona/id/{id}": { + "description": "Update, read or delete an alias ID.", + "parameters": [ + { + "name": "id", + "description": "ID of the persona", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "operationId": "persona-read-by-id", + "tags": [ + "identity" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "persona-update-by-id", + "tags": [ + "identity" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PersonaUpdateByIdRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "persona-delete-by-id", + "tags": [ + "identity" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/sys/audit": { + "description": "List the currently enabled audit backends.", + "x-vault-sudo": true, + "get": { + "summary": "List the enabled audit devices.", + "operationId": "auditing-list-enabled-devices", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/audit-hash/{path}": { + "description": "The hash of the given string via the given audit backend", + "parameters": [ + { + "name": "path", + "description": "The name of the backend. Cannot be delimited. 
Example: \"mysql\"", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "post": { + "operationId": "auditing-calculate-hash", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AuditingCalculateHashRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AuditingCalculateHashResponse" + } + } + } + } + } + } + }, + "/sys/audit/{path}": { + "description": "Enable or disable audit backends.", + "parameters": [ + { + "name": "path", + "description": "The name of the backend. Cannot be delimited. Example: \"mysql\"", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "x-vault-sudo": true, + "post": { + "summary": "Enable a new audit device at the supplied path.", + "operationId": "auditing-enable-device", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AuditingEnableDeviceRequest" + } + } + } + }, + "responses": { + "204": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Disable the audit device at the given path.", + "operationId": "auditing-disable-device", + "tags": [ + "system" + ], + "responses": { + "204": { + "description": "OK" + } + } + } + }, + "/sys/auth": { + "description": "List the currently enabled credential backends.", + "get": { + "operationId": "auth-list-enabled-methods", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/auth/{path}": { + "description": "Enable a new credential backend with a name.", + "parameters": [ + { + "name": "path", + "description": "The path to mount to. Cannot be delimited. 
Example: \"user\"", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "x-vault-sudo": true, + "get": { + "summary": "Read the configuration of the auth engine at the given path.", + "operationId": "auth-read-configuration", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AuthReadConfigurationResponse" + } + } + } + } + } + }, + "post": { + "summary": "Enables a new auth method.", + "description": "After enabling, the auth method can be accessed and configured via the auth path specified as part of the URL. This auth path will be nested under the auth prefix.\n\nFor example, enable the \"foo\" auth method will make it accessible at /auth/foo.", + "operationId": "auth-enable-method", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AuthEnableMethodRequest" + } + } + } + }, + "responses": { + "204": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Disable the auth method at the given auth path", + "operationId": "auth-disable-method", + "tags": [ + "system" + ], + "responses": { + "204": { + "description": "OK" + } + } + } + }, + "/sys/auth/{path}/tune": { + "description": "Tune the configuration parameters for an auth path.", + "parameters": [ + { + "name": "path", + "description": "Tune the configuration parameters for an auth path.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "x-vault-sudo": true, + "get": { + "summary": "Reads the given auth path's configuration.", + "description": "This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via `sys/mounts/auth/[auth-path]/tune`.", + "operationId": "auth-read-tuning-information", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": 
"OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AuthReadTuningInformationResponse" + } + } + } + } + } + }, + "post": { + "summary": "Tune configuration parameters for a given auth path.", + "description": "This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via `sys/mounts/auth/[auth-path]/tune`.", + "operationId": "auth-tune-configuration-parameters", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AuthTuneConfigurationParametersRequest" + } + } + } + }, + "responses": { + "204": { + "description": "OK" + } + } + } + }, + "/sys/capabilities": { + "description": "Fetches the capabilities of the given token on the given path.", + "post": { + "operationId": "query-token-capabilities", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/QueryTokenCapabilitiesRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/capabilities-accessor": { + "description": "Fetches the capabilities of the token associated with the given token, on the given path.", + "post": { + "operationId": "query-token-accessor-capabilities", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/QueryTokenAccessorCapabilitiesRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/capabilities-self": { + "description": "Fetches the capabilities of the given token on the given path.", + "post": { + "operationId": "query-token-self-capabilities", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": 
"#/components/schemas/QueryTokenSelfCapabilitiesRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/config/auditing/request-headers": { + "description": "Lists the headers configured to be audited.", + "x-vault-sudo": true, + "get": { + "summary": "List the request headers that are configured to be audited.", + "operationId": "auditing-list-request-headers", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AuditingListRequestHeadersResponse" + } + } + } + } + } + } + }, + "/sys/config/auditing/request-headers/{header}": { + "description": "Configures the headers sent to the audit logs.", + "parameters": [ + { + "name": "header", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "x-vault-sudo": true, + "get": { + "summary": "List the information for the given request header.", + "operationId": "auditing-read-request-header-information", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "Enable auditing of a header.", + "operationId": "auditing-enable-request-header", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AuditingEnableRequestHeaderRequest" + } + } + } + }, + "responses": { + "204": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Disable auditing of the given request header.", + "operationId": "auditing-disable-request-header", + "tags": [ + "system" + ], + "responses": { + "204": { + "description": "OK" + } + } + } + }, + "/sys/config/control-group": { + "get": { + "operationId": "enterprise-stub-read-config-control-group", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": 
"enterprise-stub-write-config-control-group", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "enterprise-stub-delete-config-control-group", + "tags": [ + "system" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/sys/config/cors": { + "description": "This path responds to the following HTTP methods. GET / Returns the configuration of the CORS setting. POST / Sets the comma-separated list of origins that can make cross-origin requests. DELETE / Clears the CORS configuration and disables acceptance of CORS requests.", + "x-vault-sudo": true, + "get": { + "summary": "Return the current CORS settings.", + "operationId": "cors-read-configuration", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/CorsReadConfigurationResponse" + } + } + } + } + } + }, + "post": { + "summary": "Configure the CORS settings.", + "operationId": "cors-configure", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/CorsConfigureRequest" + } + } + } + }, + "responses": { + "204": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Remove any CORS settings.", + "operationId": "cors-delete-configuration", + "tags": [ + "system" + ], + "responses": { + "204": { + "description": "OK" + } + } + } + }, + "/sys/config/group-policy-application": { + "get": { + "operationId": "enterprise-stub-read-config-group-policy-application", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "enterprise-stub-write-config-group-policy-application", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/config/reload/{subsystem}": { + "parameters": [ + { + "name": 
"subsystem", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "post": { + "summary": "Reload the given subsystem", + "operationId": "reload-subsystem", + "tags": [ + "system" + ], + "responses": { + "204": { + "description": "OK" + } + } + } + }, + "/sys/config/state/sanitized": { + "get": { + "summary": "Return a sanitized version of the Vault server configuration.", + "description": "The sanitized output strips configuration values in the storage, HA storage, and seals stanzas, which may contain sensitive values such as API tokens. It also removes any token or secret fields in other stanzas, such as the circonus_api_token from telemetry.", + "operationId": "read-sanitized-configuration-state", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/config/ui/headers/": { + "description": "This path responds to the following HTTP methods. GET /
Returns the header value. POST /
Sets the header value for the UI. DELETE /
Clears the header value for UI. LIST / List the headers configured for the UI.", + "x-vault-sudo": true, + "get": { + "summary": "Return a list of configured UI headers.", + "operationId": "ui-headers-list", + "tags": [ + "system" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/UiHeadersListResponse" + } + } + } + } + } + } + }, + "/sys/config/ui/headers/{header}": { + "description": "This path responds to the following HTTP methods. GET /
Returns the header value. POST /
Sets the header value for the UI. DELETE /
Clears the header value for UI. LIST / List the headers configured for the UI.", + "parameters": [ + { + "name": "header", + "description": "The name of the header.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "x-vault-sudo": true, + "get": { + "summary": "Return the given UI header's configuration", + "operationId": "ui-headers-read-configuration", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/UiHeadersReadConfigurationResponse" + } + } + } + } + } + }, + "post": { + "summary": "Configure the values to be returned for the UI header.", + "operationId": "ui-headers-configure", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/UiHeadersConfigureRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Remove a UI header.", + "operationId": "ui-headers-delete-configuration", + "tags": [ + "system" + ], + "responses": { + "204": { + "description": "OK" + } + } + } + }, + "/sys/control-group/authorize": { + "post": { + "operationId": "enterprise-stub-write-control-group-authorize", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/control-group/request": { + "post": { + "operationId": "enterprise-stub-write-control-group-request", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/decode-token": { + "x-vault-unauthenticated": true, + "post": { + "summary": "Decodes the encoded token with the otp.", + "operationId": "decode", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/DecodeRequest" + } + } + } + }, + "responses": { + "200": { + "description": 
"OK" + } + } + } + }, + "/sys/experiments": { + "description": "Returns information about Vault's experimental features. Should NOT be used in production.", + "get": { + "summary": "Returns the available and enabled experiments", + "operationId": "list-experimental-features", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/generate-root": { + "description": "Reads, generates, or deletes a root token regeneration process.", + "get": { + "summary": "Read the configuration and progress of the current root generation attempt.", + "operationId": "root-token-generation-read-progress2", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/RootTokenGenerationReadProgress2Response" + } + } + } + } + } + }, + "post": { + "summary": "Initializes a new root generation attempt.", + "description": "Only a single root generation attempt can take place at a time. 
One (and only one) of otp or pgp_key are required.", + "operationId": "root-token-generation-initialize-2", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/RootTokenGenerationInitialize2Request" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/RootTokenGenerationInitialize2Response" + } + } + } + } + } + }, + "delete": { + "summary": "Cancels any in-progress root generation attempt.", + "operationId": "root-token-generation-cancel-2", + "tags": [ + "system" + ], + "responses": { + "204": { + "description": "OK" + } + } + } + }, + "/sys/generate-root/attempt": { + "description": "Reads, generates, or deletes a root token regeneration process.", + "x-vault-unauthenticated": true, + "get": { + "summary": "Read the configuration and progress of the current root generation attempt.", + "operationId": "root-token-generation-read-progress", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/RootTokenGenerationReadProgressResponse" + } + } + } + } + } + }, + "post": { + "summary": "Initializes a new root generation attempt.", + "description": "Only a single root generation attempt can take place at a time. 
One (and only one) of otp or pgp_key are required.", + "operationId": "root-token-generation-initialize", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/RootTokenGenerationInitializeRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/RootTokenGenerationInitializeResponse" + } + } + } + } + } + }, + "delete": { + "summary": "Cancels any in-progress root generation attempt.", + "operationId": "root-token-generation-cancel", + "tags": [ + "system" + ], + "responses": { + "204": { + "description": "OK" + } + } + } + }, + "/sys/generate-root/update": { + "description": "Reads, generates, or deletes a root token regeneration process.", + "x-vault-unauthenticated": true, + "post": { + "summary": "Enter a single unseal key share to progress the root generation attempt.", + "description": "If the threshold number of unseal key shares is reached, Vault will complete the root generation and issue the new token. Otherwise, this API must be called multiple times until that threshold is met. 
The attempt nonce must be provided with each call.", + "operationId": "root-token-generation-update", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/RootTokenGenerationUpdateRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/RootTokenGenerationUpdateResponse" + } + } + } + } + } + } + }, + "/sys/ha-status": { + "description": "Provides information about the nodes in an HA cluster.", + "get": { + "summary": "Check the HA status of a Vault cluster", + "operationId": "ha-status", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/HaStatusResponse" + } + } + } + } + } + } + }, + "/sys/health": { + "description": "Checks the health status of the Vault.", + "x-vault-unauthenticated": true, + "get": { + "summary": "Returns the health status of Vault.", + "operationId": "read-health-status", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "initialized, unsealed, and active" + }, + "429": { + "description": "unsealed and standby" + }, + "472": { + "description": "data recovery mode replication secondary and active" + }, + "501": { + "description": "not initialized" + }, + "503": { + "description": "sealed" + } + } + } + }, + "/sys/host-info": { + "description": "Information about the host instance that this Vault server is running on.", + "get": { + "summary": "Information about the host instance that this Vault server is running on.", + "description": "Information about the host instance that this Vault server is running on.\n\t\tThe information that gets collected includes host hardware information, and CPU,\n\t\tdisk, and memory utilization", + "operationId": "collect-host-information", + "tags": [ + "system" + ], + 
"responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/CollectHostInformationResponse" + } + } + } + } + } + } + }, + "/sys/in-flight-req": { + "get": { + "summary": "reports in-flight requests", + "description": "This path responds to the following HTTP methods.\n\t\tGET /\n\t\t\tReturns a map of in-flight requests.", + "operationId": "collect-in-flight-request-information", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/init": { + "description": "Initializes or returns the initialization status of the Vault.", + "x-vault-unauthenticated": true, + "get": { + "summary": "Returns the initialization status of Vault.", + "operationId": "read-initialization-status", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "Initialize a new Vault.", + "description": "The Vault must not have been previously initialized. 
The recovery options, as well as the stored shares option, are only available when using Vault HSM.", + "operationId": "initialize", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/InitializeRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/internal/counters/activity": { + "description": "Query the historical count of clients.", + "get": { + "summary": "Report the client count metrics, for this namespace and all child namespaces.", + "operationId": "internal-client-activity-report-counts", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/internal/counters/activity/export": { + "description": "Export the historical activity of clients.", + "get": { + "summary": "Report the client count metrics, for this namespace and all child namespaces.", + "operationId": "internal-client-activity-export", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/internal/counters/activity/monthly": { + "description": "Count of active clients so far this month.", + "get": { + "summary": "Report the number of clients for this month, for this namespace and all child namespaces.", + "operationId": "internal-client-activity-report-counts-this-month", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/internal/counters/config": { + "description": "Control the collection and reporting of client counts.", + "get": { + "summary": "Read the client count tracking configuration.", + "operationId": "internal-client-activity-read-configuration", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "Enable or disable collection of client count, set retention period, or set default reporting period.", + "operationId": 
"internal-client-activity-configure", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/InternalClientActivityConfigureRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/internal/counters/entities": { + "description": "Count of active entities in this Vault cluster.", + "get": { + "summary": "Backwards compatibility is not guaranteed for this API", + "operationId": "internal-count-entities", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/InternalCountEntitiesResponse" + } + } + } + } + } + } + }, + "/sys/internal/counters/requests": { + "description": "Currently unsupported. Previously, count of requests seen by this Vault cluster over time.", + "get": { + "summary": "Backwards compatibility is not guaranteed for this API", + "operationId": "internal-count-requests", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + }, + "deprecated": true + } + }, + "/sys/internal/counters/tokens": { + "description": "Count of active tokens in this Vault cluster.", + "get": { + "summary": "Backwards compatibility is not guaranteed for this API", + "operationId": "internal-count-tokens", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/InternalCountTokensResponse" + } + } + } + } + } + } + }, + "/sys/internal/inspect/router/{tag}": { + "description": "Information on the entries in each of the trees in the router. 
Inspectable trees are uuid, accessor, storage, and root.", + "parameters": [ + { + "name": "tag", + "description": "Name of subtree being observed", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "x-vault-sudo": true, + "get": { + "summary": "Expose the route entry and mount entry tables present in the router", + "operationId": "internal-inspect-router", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/internal/specs/openapi": { + "description": "Generate an OpenAPI 3 document of all mounted paths.", + "x-vault-unauthenticated": true, + "get": { + "operationId": "internal-generate-open-api-document", + "tags": [ + "system" + ], + "parameters": [ + { + "name": "context", + "description": "Context string appended to every operationId", + "in": "query", + "schema": { + "type": "string" + } + }, + { + "name": "generic_mount_paths", + "description": "Use generic mount paths", + "in": "query", + "schema": { + "type": "boolean", + "default": false + } + } + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "internal-generate-open-api-document-with-parameters", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/InternalGenerateOpenApiDocumentWithParametersRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/internal/ui/feature-flags": { + "description": "Enabled feature flags. 
Internal API; its location, inputs, and outputs may change.", + "get": { + "summary": "Lists enabled feature flags.", + "operationId": "internal-ui-list-enabled-feature-flags", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/InternalUiListEnabledFeatureFlagsResponse" + } + } + } + } + } + } + }, + "/sys/internal/ui/mounts": { + "description": "Information about mounts returned according to their tuned visibility. Internal API; its location, inputs, and outputs may change.", + "x-vault-unauthenticated": true, + "get": { + "summary": "Lists all enabled and visible auth and secrets mounts.", + "operationId": "internal-ui-list-enabled-visible-mounts", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/InternalUiListEnabledVisibleMountsResponse" + } + } + } + } + } + } + }, + "/sys/internal/ui/mounts/{path}": { + "description": "Information about mounts returned according to their tuned visibility. Internal API; its location, inputs, and outputs may change.", + "parameters": [ + { + "name": "path", + "description": "The path of the mount.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "summary": "Return information about the given mount.", + "operationId": "internal-ui-read-mount-information", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/InternalUiReadMountInformationResponse" + } + } + } + } + } + } + }, + "/sys/internal/ui/namespaces": { + "description": "Information about visible child namespaces. 
Internal API; its location, inputs, and outputs may change.", + "x-vault-unauthenticated": true, + "get": { + "summary": "Backwards compatibility is not guaranteed for this API", + "operationId": "internal-ui-list-namespaces", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/InternalUiListNamespacesResponse" + } + } + } + } + } + } + }, + "/sys/internal/ui/resultant-acl": { + "description": "Information about a token's resultant ACL. Internal API; its location, inputs, and outputs may change.", + "get": { + "summary": "Backwards compatibility is not guaranteed for this API", + "operationId": "internal-ui-read-resultant-acl", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/InternalUiReadResultantAclResponse" + } + } + } + }, + "204": { + "description": "empty response returned if no client token" + } + } + } + }, + "/sys/key-status": { + "description": "Provides information about the backend encryption key.", + "get": { + "summary": "Provides information about the backend encryption key.", + "operationId": "encryption-key-status", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/leader": { + "description": "Check the high availability status and current leader of Vault", + "x-vault-unauthenticated": true, + "get": { + "summary": "Returns the high availability status and current leader instance of Vault.", + "operationId": "leader-status", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/LeaderStatusResponse" + } + } + } + } + } + } + }, + "/sys/leases": { + "description": "List leases associated with this Vault cluster", + "x-vault-sudo": true, + "get": { + "operationId": 
"leases-list", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/LeasesListResponse" + } + } + } + } + } + } + }, + "/sys/leases/count": { + "description": "Count of leases associated with this Vault cluster", + "get": { + "operationId": "leases-count", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/LeasesCountResponse" + } + } + } + } + } + } + }, + "/sys/leases/lookup": { + "description": "View or list lease metadata.", + "post": { + "operationId": "leases-read-lease", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/LeasesReadLeaseRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/LeasesReadLeaseResponse" + } + } + } + } + } + } + }, + "/sys/leases/lookup/{prefix}/": { + "description": "View or list lease metadata.", + "parameters": [ + { + "name": "prefix", + "description": "The path to list leases under. 
Example: \"aws/creds/deploy\"", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "x-vault-sudo": true, + "get": { + "operationId": "leases-look-up", + "tags": [ + "system" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/LeasesLookUpResponse" + } + } + } + } + } + } + }, + "/sys/leases/renew": { + "description": "Renew a lease on a secret", + "post": { + "summary": "Renews a lease, requesting to extend the lease.", + "operationId": "leases-renew-lease", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/LeasesRenewLeaseRequest" + } + } + } + }, + "responses": { + "204": { + "description": "OK" + } + } + } + }, + "/sys/leases/renew/{url_lease_id}": { + "description": "Renew a lease on a secret", + "parameters": [ + { + "name": "url_lease_id", + "description": "The lease identifier to renew. 
This is included with a lease.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "post": { + "summary": "Renews a lease, requesting to extend the lease.", + "operationId": "leases-renew-lease-with-id", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/LeasesRenewLeaseWithIdRequest" + } + } + } + }, + "responses": { + "204": { + "description": "OK" + } + } + } + }, + "/sys/leases/revoke": { + "description": "Revoke a leased secret immediately", + "post": { + "summary": "Revokes a lease immediately.", + "operationId": "leases-revoke-lease", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/LeasesRevokeLeaseRequest" + } + } + } + }, + "responses": { + "204": { + "description": "OK" + } + } + } + }, + "/sys/leases/revoke-force/{prefix}": { + "description": "Revoke all secrets generated in a given prefix, ignoring errors.", + "parameters": [ + { + "name": "prefix", + "description": "The path to revoke keys under. Example: \"prod/aws/ops\"", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "x-vault-sudo": true, + "post": { + "summary": "Revokes all secrets or tokens generated under a given prefix immediately", + "description": "Unlike `/sys/leases/revoke-prefix`, this path ignores backend errors encountered during revocation. This is potentially very dangerous and should only be used in specific emergency situations where errors in the backend or the connected backend service prevent normal revocation.\n\nBy ignoring these errors, Vault abdicates responsibility for ensuring that the issued credentials or secrets are properly revoked and/or cleaned up. 
Access to this endpoint should be tightly controlled.", + "operationId": "leases-force-revoke-lease-with-prefix", + "tags": [ + "system" + ], + "responses": { + "204": { + "description": "OK" + } + } + } + }, + "/sys/leases/revoke-prefix/{prefix}": { + "description": "Revoke all secrets generated in a given prefix", + "parameters": [ + { + "name": "prefix", + "description": "The path to revoke keys under. Example: \"prod/aws/ops\"", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "x-vault-sudo": true, + "post": { + "summary": "Revokes all secrets (via a lease ID prefix) or tokens (via the tokens' path property) generated under a given prefix immediately.", + "operationId": "leases-revoke-lease-with-prefix", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/LeasesRevokeLeaseWithPrefixRequest" + } + } + } + }, + "responses": { + "204": { + "description": "OK" + } + } + } + }, + "/sys/leases/revoke/{url_lease_id}": { + "description": "Revoke a leased secret immediately", + "parameters": [ + { + "name": "url_lease_id", + "description": "The lease identifier to renew. 
This is included with a lease.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "post": { + "summary": "Revokes a lease immediately.", + "operationId": "leases-revoke-lease-with-id", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/LeasesRevokeLeaseWithIdRequest" + } + } + } + }, + "responses": { + "204": { + "description": "OK" + } + } + } + }, + "/sys/leases/tidy": { + "description": "This endpoint performs cleanup tasks that can be run if certain error conditions have occurred.", + "post": { + "operationId": "leases-tidy", + "tags": [ + "system" + ], + "responses": { + "204": { + "description": "OK" + } + } + } + }, + "/sys/license/status": { + "get": { + "operationId": "enterprise-stub-read-license-status", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/locked-users": { + "description": "Report the locked user count metrics", + "get": { + "summary": "Report the locked user count metrics, for this namespace and all child namespaces.", + "operationId": "locked-users-list", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/locked-users/{mount_accessor}/unlock/{alias_identifier}": { + "description": "Unlock the locked user with given mount_accessor and alias_identifier.", + "parameters": [ + { + "name": "alias_identifier", + "description": "It is the name of the alias (user). For example, if the alias belongs to userpass backend, the name should be a valid username within userpass auth method. 
If the alias belongs to an approle auth method, the name should be a valid RoleID", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "mount_accessor", + "description": "MountAccessor is the identifier of the mount entry to which the user belongs", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "post": { + "summary": "Unlocks the user with given mount_accessor and alias_identifier", + "operationId": "locked-users-unlock", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/loggers": { + "get": { + "summary": "Read the log level for all existing loggers.", + "operationId": "loggers-read-verbosity-level", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "Modify the log level for all existing loggers.", + "operationId": "loggers-update-verbosity-level", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/LoggersUpdateVerbosityLevelRequest" + } + } + } + }, + "responses": { + "204": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Revert the all loggers to use log level provided in config.", + "operationId": "loggers-revert-verbosity-level", + "tags": [ + "system" + ], + "responses": { + "204": { + "description": "OK" + } + } + } + }, + "/sys/loggers/{name}": { + "parameters": [ + { + "name": "name", + "description": "The name of the logger to be modified.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "summary": "Read the log level for a single logger.", + "operationId": "loggers-read-verbosity-level-for", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "Modify the log level of a single logger.", + "operationId": 
"loggers-update-verbosity-level-for", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/LoggersUpdateVerbosityLevelForRequest" + } + } + } + }, + "responses": { + "204": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Revert a single logger to use log level provided in config.", + "operationId": "loggers-revert-verbosity-level-for", + "tags": [ + "system" + ], + "responses": { + "204": { + "description": "OK" + } + } + } + }, + "/sys/managed-keys/{type}/": { + "parameters": [ + { + "name": "type", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "operationId": "enterprise-stub-list-managed-keys-type", + "tags": [ + "system" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/sys/managed-keys/{type}/{name}": { + "parameters": [ + { + "name": "name", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "type", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "operationId": "enterprise-stub-read-managed-keys-type-name", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "enterprise-stub-write-managed-keys-type-name", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "enterprise-stub-delete-managed-keys-type-name", + "tags": [ + "system" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + 
"/sys/managed-keys/{type}/{name}/test/sign": { + "parameters": [ + { + "name": "name", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "type", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "post": { + "operationId": "enterprise-stub-write-managed-keys-type-name-test-sign", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/metrics": { + "description": "Export the metrics aggregated for telemetry purpose.", + "get": { + "operationId": "metrics", + "tags": [ + "system" + ], + "parameters": [ + { + "name": "format", + "description": "Format to export metrics into. Currently accepts only \"prometheus\".", + "in": "query", + "schema": { + "type": "string" + } + } + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/mfa/method/": { + "get": { + "operationId": "enterprise-stub-list-mfa-method", + "tags": [ + "system" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/sys/mfa/method/duo/{name}": { + "parameters": [ + { + "name": "name", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "operationId": "enterprise-stub-read-mfa-method-duo-name", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "enterprise-stub-write-mfa-method-duo-name", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "enterprise-stub-delete-mfa-method-duo-name", + "tags": [ + "system" + ], + 
"responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/sys/mfa/method/okta/{name}": { + "parameters": [ + { + "name": "name", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "operationId": "enterprise-stub-read-mfa-method-okta-name", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "enterprise-stub-write-mfa-method-okta-name", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "enterprise-stub-delete-mfa-method-okta-name", + "tags": [ + "system" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/sys/mfa/method/pingid/{name}": { + "parameters": [ + { + "name": "name", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "operationId": "enterprise-stub-read-mfa-method-pingid-name", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "enterprise-stub-write-mfa-method-pingid-name", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "enterprise-stub-delete-mfa-method-pingid-name", + "tags": [ + "system" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/sys/mfa/method/totp/{name}": { + "parameters": [ + { + "name": "name", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "operationId": "enterprise-stub-read-mfa-method-totp-name", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "enterprise-stub-write-mfa-method-totp-name", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "enterprise-stub-delete-mfa-method-totp-name", + "tags": [ + 
"system" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/sys/mfa/method/totp/{name}/admin-destroy": { + "parameters": [ + { + "name": "name", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "post": { + "operationId": "enterprise-stub-write-mfa-method-totp-name-admin-destroy", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/mfa/method/totp/{name}/admin-generate": { + "parameters": [ + { + "name": "name", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "post": { + "operationId": "enterprise-stub-write-mfa-method-totp-name-admin-generate", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/mfa/method/totp/{name}/generate": { + "parameters": [ + { + "name": "name", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "operationId": "enterprise-stub-read-mfa-method-totp-name-generate", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/mfa/validate": { + "x-vault-unauthenticated": true, + "post": { + "summary": "Validates the login for the given MFA methods. Upon successful validation, it returns an auth response containing the client token", + "operationId": "mfa-validate", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/MfaValidateRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/monitor": { + "get": { + "operationId": "monitor", + "tags": [ + "system" + ], + "parameters": [ + { + "name": "log_format", + "description": "Output format of logs. Supported values are \"standard\" and \"json\". 
The default is \"standard\".", + "in": "query", + "schema": { + "type": "string", + "default": "standard" + } + }, + { + "name": "log_level", + "description": "Log level to view system logs at. Currently supported values are \"trace\", \"debug\", \"info\", \"warn\", \"error\".", + "in": "query", + "schema": { + "type": "string" + } + } + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/mounts": { + "description": "List the currently mounted backends.", + "get": { + "operationId": "mounts-list-secrets-engines", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/mounts/{path}": { + "description": "Mount a new backend at a new path.", + "parameters": [ + { + "name": "path", + "description": "The path to mount to. Example: \"aws/east\"", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "summary": "Read the configuration of the secret engine at the given path.", + "operationId": "mounts-read-configuration", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/MountsReadConfigurationResponse" + } + } + } + } + } + }, + "post": { + "summary": "Enable a new secrets engine at the given path.", + "operationId": "mounts-enable-secrets-engine", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/MountsEnableSecretsEngineRequest" + } + } + } + }, + "responses": { + "204": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Disable the mount point specified at the given path.", + "operationId": "mounts-disable-secrets-engine", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/mounts/{path}/tune": { + "description": "Tune backend configuration parameters for this mount.", + 
"parameters": [ + { + "name": "path", + "description": "The path to mount to. Example: \"aws/east\"", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "operationId": "mounts-read-tuning-information", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/MountsReadTuningInformationResponse" + } + } + } + } + } + }, + "post": { + "operationId": "mounts-tune-configuration-parameters", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/MountsTuneConfigurationParametersRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/namespaces/": { + "get": { + "operationId": "enterprise-stub-list-namespaces", + "tags": [ + "system" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/sys/namespaces/api-lock/lock": { + "post": { + "operationId": "enterprise-stub-write-namespaces-api-lock-lock", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/namespaces/api-lock/lock/{path}": { + "parameters": [ + { + "name": "path", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "post": { + "operationId": "enterprise-stub-write-namespaces-api-lock-lock-path", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/namespaces/api-lock/unlock": { + "post": { + "operationId": "enterprise-stub-write-namespaces-api-lock-unlock", + "tags": [ 
+ "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/namespaces/api-lock/unlock/{path}": { + "parameters": [ + { + "name": "path", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "post": { + "operationId": "enterprise-stub-write-namespaces-api-lock-unlock-path", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/namespaces/{path}": { + "parameters": [ + { + "name": "path", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "operationId": "enterprise-stub-read-namespaces-path", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "enterprise-stub-write-namespaces-path", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "enterprise-stub-delete-namespaces-path", + "tags": [ + "system" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/sys/plugins/catalog": { + "description": "Lists all the plugins known to Vault", + "get": { + "operationId": "plugins-catalog-list-plugins", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PluginsCatalogListPluginsResponse" + } + } + } + } + } + } + }, + "/sys/plugins/catalog/{name}": { + "description": "Configures the plugins known to Vault", + "parameters": [ + { + "name": "name", + "description": "The name of the plugin", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "x-vault-sudo": true, + "get": { + "summary": "Return the configuration data for the plugin with the given name.", + "operationId": "plugins-catalog-read-plugin-configuration", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK", + "content": { + 
"application/json": { + "schema": { + "$ref": "#/components/schemas/PluginsCatalogReadPluginConfigurationResponse" + } + } + } + } + } + }, + "post": { + "summary": "Register a new plugin, or updates an existing one with the supplied name.", + "operationId": "plugins-catalog-register-plugin", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PluginsCatalogRegisterPluginRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Remove the plugin with the given name.", + "operationId": "plugins-catalog-remove-plugin", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/plugins/catalog/{type}/": { + "description": "Configures the plugins known to Vault", + "parameters": [ + { + "name": "type", + "description": "The type of the plugin, may be auth, secret, or database", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "x-vault-sudo": true, + "get": { + "summary": "List the plugins in the catalog.", + "operationId": "plugins-catalog-list-plugins-with-type", + "tags": [ + "system" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PluginsCatalogListPluginsWithTypeResponse" + } + } + } + } + } + } + }, + "/sys/plugins/catalog/{type}/{name}": { + "description": "Configures the plugins known to Vault", + "parameters": [ + { + "name": "name", + "description": "The name of the plugin", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "type", + "description": "The type of the plugin, may be auth, secret, or database", 
+ "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "x-vault-sudo": true, + "get": { + "summary": "Return the configuration data for the plugin with the given name.", + "operationId": "plugins-catalog-read-plugin-configuration-with-type", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PluginsCatalogReadPluginConfigurationWithTypeResponse" + } + } + } + } + } + }, + "post": { + "summary": "Register a new plugin, or updates an existing one with the supplied name.", + "operationId": "plugins-catalog-register-plugin-with-type", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PluginsCatalogRegisterPluginWithTypeRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Remove the plugin with the given name.", + "operationId": "plugins-catalog-remove-plugin-with-type", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/plugins/reload/backend": { + "description": "Reload mounts that use a particular backend plugin.", + "post": { + "summary": "Reload mounted plugin backends.", + "description": "Either the plugin name (`plugin`) or the desired plugin backend mounts (`mounts`) must be provided, but not both. In the case that the plugin name is provided, all mounted paths that use that plugin backend will be reloaded. 
If (`scope`) is provided and is (`global`), the plugin(s) are reloaded globally.", + "operationId": "plugins-reload-backends", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PluginsReloadBackendsRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PluginsReloadBackendsResponse" + } + } + } + }, + "202": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PluginsReloadBackendsResponse" + } + } + } + } + } + } + }, + "/sys/plugins/reload/backend/status": { + "get": { + "operationId": "enterprise-stub-read-plugins-reload-backend-status", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/plugins/runtimes/catalog/": { + "description": "List all plugin runtimes in the catalog as a map of type to names.", + "x-vault-sudo": true, + "get": { + "operationId": "plugins-runtimes-catalog-list-plugins-runtimes", + "tags": [ + "system" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PluginsRuntimesCatalogListPluginsRuntimesResponse" + } + } + } + } + } + } + }, + "/sys/plugins/runtimes/catalog/{type}/{name}": { + "description": "Configures plugin runtimes", + "parameters": [ + { + "name": "name", + "description": "The name of the plugin runtime", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "type", + "description": "The type of the plugin runtime", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + 
"x-vault-sudo": true, + "get": { + "summary": "Return the configuration data for the plugin runtime with the given name.", + "operationId": "plugins-runtimes-catalog-read-plugin-runtime-configuration", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PluginsRuntimesCatalogReadPluginRuntimeConfigurationResponse" + } + } + } + } + } + }, + "post": { + "summary": "Register a new plugin runtime, or updates an existing one with the supplied name.", + "operationId": "plugins-runtimes-catalog-register-plugin-runtime", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PluginsRuntimesCatalogRegisterPluginRuntimeRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Remove the plugin runtime with the given name.", + "operationId": "plugins-runtimes-catalog-remove-plugin-runtime", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/policies/acl/": { + "description": "List the configured access control policies.", + "get": { + "operationId": "policies-list-acl-policies", + "tags": [ + "system" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PoliciesListAclPoliciesResponse" + } + } + } + } + } + } + }, + "/sys/policies/acl/{name}": { + "description": "Read, Modify, or Delete an access control policy.", + "parameters": [ + { + "name": "name", + "description": "The name of the policy. 
Example: \"ops\"", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "summary": "Retrieve information about the named ACL policy.", + "operationId": "policies-read-acl-policy", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PoliciesReadAclPolicyResponse" + } + } + } + } + } + }, + "post": { + "summary": "Add a new or update an existing ACL policy.", + "operationId": "policies-write-acl-policy", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PoliciesWriteAclPolicyRequest" + } + } + } + }, + "responses": { + "204": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Delete the ACL policy with the given name.", + "operationId": "policies-delete-acl-policy", + "tags": [ + "system" + ], + "responses": { + "204": { + "description": "OK" + } + } + } + }, + "/sys/policies/egp/": { + "get": { + "operationId": "enterprise-stub-list-policies-egp", + "tags": [ + "system" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/sys/policies/egp/{name}": { + "parameters": [ + { + "name": "name", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "operationId": "enterprise-stub-read-policies-egp-name", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "enterprise-stub-write-policies-egp-name", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" 
+ } + } + }, + "delete": { + "operationId": "enterprise-stub-delete-policies-egp-name", + "tags": [ + "system" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/sys/policies/password/": { + "get": { + "summary": "List the existing password policies.", + "operationId": "policies-list-password-policies", + "tags": [ + "system" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/sys/policies/password/{name}": { + "description": "Read, Modify, or Delete a password policy.", + "parameters": [ + { + "name": "name", + "description": "The name of the password policy.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "summary": "Retrieve an existing password policy.", + "operationId": "policies-read-password-policy", + "tags": [ + "system" + ], + "responses": { + "204": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PoliciesReadPasswordPolicyResponse" + } + } + } + } + } + }, + "post": { + "summary": "Add a new or update an existing password policy.", + "operationId": "policies-write-password-policy", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PoliciesWritePasswordPolicyRequest" + } + } + } + }, + "responses": { + "204": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Delete a password policy.", + "operationId": "policies-delete-password-policy", + "tags": [ + "system" + ], + "responses": { + "204": { + "description": "OK" + } + } + } + }, + 
"/sys/policies/password/{name}/generate": { + "description": "Generate a password from an existing password policy.", + "parameters": [ + { + "name": "name", + "description": "The name of the password policy.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "summary": "Generate a password from an existing password policy.", + "operationId": "policies-generate-password-from-password-policy", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PoliciesGeneratePasswordFromPasswordPolicyResponse" + } + } + } + } + } + } + }, + "/sys/policies/rgp/": { + "get": { + "operationId": "enterprise-stub-list-policies-rgp", + "tags": [ + "system" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/sys/policies/rgp/{name}": { + "parameters": [ + { + "name": "name", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "operationId": "enterprise-stub-read-policies-rgp-name", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "enterprise-stub-write-policies-rgp-name", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "enterprise-stub-delete-policies-rgp-name", + "tags": [ + "system" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/sys/policy": { + "description": "List the configured access control policies.", + "get": { + "operationId": "policies-list-acl-policies2", + "tags": [ + 
"system" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PoliciesListAclPolicies2Response" + } + } + } + } + } + } + }, + "/sys/policy/": { + "description": "List the configured access control policies.", + "get": { + "operationId": "policies-list-acl-policies3", + "tags": [ + "system" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PoliciesListAclPolicies3Response" + } + } + } + } + } + } + }, + "/sys/policy/{name}": { + "description": "Read, Modify, or Delete an access control policy.", + "parameters": [ + { + "name": "name", + "description": "The name of the policy. Example: \"ops\"", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "summary": "Retrieve the policy body for the named policy.", + "operationId": "policies-read-acl-policy2", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PoliciesReadAclPolicy2Response" + } + } + } + } + } + }, + "post": { + "summary": "Add a new or update an existing policy.", + "operationId": "policies-write-acl-policy2", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PoliciesWriteAclPolicy2Request" + } + } + } + }, + "responses": { + "204": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Delete the policy with the given name.", + "operationId": "policies-delete-acl-policy2", + "tags": [ + "system" + ], + "responses": { + "204": { + "description": "OK" + } + } + } + }, + 
"/sys/pprof": { + "get": { + "summary": "Returns an HTML page listing the available profiles.", + "description": "Returns an HTML page listing the available \nprofiles. This should be mainly accessed via browsers or applications that can \nrender pages.", + "operationId": "pprof-index", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/pprof/allocs": { + "get": { + "summary": "Returns a sampling of all past memory allocations.", + "description": "Returns a sampling of all past memory allocations.", + "operationId": "pprof-memory-allocations", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/pprof/block": { + "get": { + "summary": "Returns stack traces that led to blocking on synchronization primitives", + "description": "Returns stack traces that led to blocking on synchronization primitives", + "operationId": "pprof-blocking", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/pprof/cmdline": { + "get": { + "summary": "Returns the running program's command line.", + "description": "Returns the running program's command line, with arguments separated by NUL bytes.", + "operationId": "pprof-command-line", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/pprof/goroutine": { + "get": { + "summary": "Returns stack traces of all current goroutines.", + "description": "Returns stack traces of all current goroutines.", + "operationId": "pprof-goroutines", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/pprof/heap": { + "get": { + "summary": "Returns a sampling of memory allocations of live object.", + "description": "Returns a sampling of memory allocations of live object.", + "operationId": "pprof-memory-allocations-live", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } 
+ } + }, + "/sys/pprof/mutex": { + "get": { + "summary": "Returns stack traces of holders of contended mutexes", + "description": "Returns stack traces of holders of contended mutexes", + "operationId": "pprof-mutexes", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/pprof/profile": { + "get": { + "summary": "Returns a pprof-formatted cpu profile payload.", + "description": "Returns a pprof-formatted cpu profile payload. Profiling lasts for duration specified in seconds GET parameter, or for 30 seconds if not specified.", + "operationId": "pprof-cpu-profile", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/pprof/symbol": { + "get": { + "summary": "Returns the program counters listed in the request.", + "description": "Returns the program counters listed in the request.", + "operationId": "pprof-symbols", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/pprof/threadcreate": { + "get": { + "summary": "Returns stack traces that led to the creation of new OS threads", + "description": "Returns stack traces that led to the creation of new OS threads", + "operationId": "pprof-thread-creations", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/pprof/trace": { + "get": { + "summary": "Returns the execution trace in binary form.", + "description": "Returns the execution trace in binary form. 
Tracing lasts for duration specified in seconds GET parameter, or for 1 second if not specified.", + "operationId": "pprof-execution-trace", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/quotas/config": { + "description": "Create, update and read the quota configuration.", + "get": { + "operationId": "rate-limit-quotas-read-configuration", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/RateLimitQuotasReadConfigurationResponse" + } + } + } + } + } + }, + "post": { + "operationId": "rate-limit-quotas-configure", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/RateLimitQuotasConfigureRequest" + } + } + } + }, + "responses": { + "204": { + "description": "OK" + } + } + } + }, + "/sys/quotas/lease-count/": { + "get": { + "operationId": "enterprise-stub-list-quotas-lease-count", + "tags": [ + "system" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/sys/quotas/lease-count/{name}": { + "parameters": [ + { + "name": "name", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "operationId": "enterprise-stub-read-quotas-lease-count-name", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "enterprise-stub-write-quotas-lease-count-name", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": 
"enterprise-stub-delete-quotas-lease-count-name", + "tags": [ + "system" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/sys/quotas/rate-limit/": { + "description": "Lists the names of all the rate limit quotas.", + "get": { + "operationId": "rate-limit-quotas-list", + "tags": [ + "system" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/sys/quotas/rate-limit/{name}": { + "description": "Get, create or update rate limit resource quota for an optional namespace or mount.", + "parameters": [ + { + "name": "name", + "description": "Name of the quota rule.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "operationId": "rate-limit-quotas-read", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/RateLimitQuotasReadResponse" + } + } + } + } + } + }, + "post": { + "operationId": "rate-limit-quotas-write", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/RateLimitQuotasWriteRequest" + } + } + } + }, + "responses": { + "204": { + "description": "No Content" + } + } + }, + "delete": { + "operationId": "rate-limit-quotas-delete", + "tags": [ + "system" + ], + "responses": { + "204": { + "description": "OK" + } + } + } + }, + "/sys/raw/{path}": { + "description": "Write, Read, and Delete data directly in the Storage backend.", + "parameters": [ + { + "name": "path", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + 
"x-vault-sudo": true, + "x-vault-createSupported": true, + "get": { + "summary": "Read the value of the key at the given path.", + "operationId": "raw-read", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/RawReadResponse" + } + } + } + } + } + }, + "post": { + "summary": "Update the value of the key at the given path.", + "operationId": "raw-write", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/RawWriteRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Delete the key with given path.", + "operationId": "raw-delete", + "tags": [ + "system" + ], + "responses": { + "204": { + "description": "OK" + } + } + } + }, + "/sys/raw/{path}/": { + "description": "Write, Read, and Delete data directly in the Storage backend.", + "parameters": [ + { + "name": "path", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "x-vault-sudo": true, + "get": { + "summary": "Return a list keys for a given path prefix.", + "operationId": "raw-list", + "tags": [ + "system" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/sys/rekey/backup": { + "description": "Allows fetching or deleting the backup of the rotated unseal keys.", + "get": { + "summary": "Return the backup copy of PGP-encrypted unseal keys.", + "operationId": "rekey-read-backup-key", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK", + "content": { + 
"application/json": { + "schema": { + "$ref": "#/components/schemas/RekeyReadBackupKeyResponse" + } + } + } + } + } + }, + "delete": { + "summary": "Delete the backup copy of PGP-encrypted unseal keys.", + "operationId": "rekey-delete-backup-key", + "tags": [ + "system" + ], + "responses": { + "204": { + "description": "OK" + } + } + } + }, + "/sys/rekey/init": { + "x-vault-unauthenticated": true, + "get": { + "summary": "Reads the configuration and progress of the current rekey attempt.", + "operationId": "rekey-attempt-read-progress", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/RekeyAttemptReadProgressResponse" + } + } + } + } + } + }, + "post": { + "summary": "Initializes a new rekey attempt.", + "description": "Only a single rekey attempt can take place at a time, and changing the parameters of a rekey requires canceling and starting a new rekey, which will also provide a new nonce.", + "operationId": "rekey-attempt-initialize", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/RekeyAttemptInitializeRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/RekeyAttemptInitializeResponse" + } + } + } + } + } + }, + "delete": { + "summary": "Cancels any in-progress rekey.", + "description": "This clears the rekey settings as well as any progress made. This must be called to change the parameters of the rekey. Note: verification is still a part of a rekey. 
If rekeying is canceled during the verification flow, the current unseal keys remain valid.", + "operationId": "rekey-attempt-cancel", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/rekey/recovery-key-backup": { + "description": "Allows fetching or deleting the backup of the rotated unseal keys.", + "get": { + "operationId": "rekey-read-backup-recovery-key", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/RekeyReadBackupRecoveryKeyResponse" + } + } + } + } + } + }, + "delete": { + "operationId": "rekey-delete-backup-recovery-key", + "tags": [ + "system" + ], + "responses": { + "204": { + "description": "OK" + } + } + } + }, + "/sys/rekey/update": { + "x-vault-unauthenticated": true, + "post": { + "summary": "Enter a single unseal key share to progress the rekey of the Vault.", + "operationId": "rekey-attempt-update", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/RekeyAttemptUpdateRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/RekeyAttemptUpdateResponse" + } + } + } + } + } + } + }, + "/sys/rekey/verify": { + "x-vault-unauthenticated": true, + "get": { + "summary": "Read the configuration and progress of the current rekey verification attempt.", + "operationId": "rekey-verification-read-progress", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/RekeyVerificationReadProgressResponse" + } + } + } + } + } + }, + "post": { + "summary": "Enter a single new key share to progress the rekey verification operation.", + "operationId": "rekey-verification-update", + "tags": [ + 
"system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/RekeyVerificationUpdateRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/RekeyVerificationUpdateResponse" + } + } + } + } + } + }, + "delete": { + "summary": "Cancel any in-progress rekey verification operation.", + "description": "This clears any progress made and resets the nonce. Unlike a `DELETE` against `sys/rekey/init`, this only resets the current verification operation, not the entire rekey atttempt.", + "operationId": "rekey-verification-cancel", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/RekeyVerificationCancelResponse" + } + } + } + } + } + } + }, + "/sys/remount": { + "description": "Move the mount point of an already-mounted backend, within or across namespaces", + "x-vault-sudo": true, + "post": { + "summary": "Initiate a mount migration", + "operationId": "remount", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/RemountRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/RemountResponse" + } + } + } + } + } + } + }, + "/sys/remount/status/{migration_id}": { + "description": "Check the status of a mount move operation", + "parameters": [ + { + "name": "migration_id", + "description": "The ID of the migration operation", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "summary": "Check status of a mount migration", + "operationId": "remount-status", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK", + 
"content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/RemountStatusResponse" + } + } + } + } + } + } + }, + "/sys/renew": { + "description": "Renew a lease on a secret", + "post": { + "summary": "Renews a lease, requesting to extend the lease.", + "operationId": "leases-renew-lease2", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/LeasesRenewLease2Request" + } + } + } + }, + "responses": { + "204": { + "description": "OK" + } + } + } + }, + "/sys/renew/{url_lease_id}": { + "description": "Renew a lease on a secret", + "parameters": [ + { + "name": "url_lease_id", + "description": "The lease identifier to renew. This is included with a lease.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "post": { + "summary": "Renews a lease, requesting to extend the lease.", + "operationId": "leases-renew-lease-with-id2", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/LeasesRenewLeaseWithId2Request" + } + } + } + }, + "responses": { + "204": { + "description": "OK" + } + } + } + }, + "/sys/replication/dr/primary/demote": { + "post": { + "operationId": "enterprise-stub-write-replication-dr-primary-demote", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/dr/primary/disable": { + "post": { + "operationId": "enterprise-stub-write-replication-dr-primary-disable", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/dr/primary/enable": { + "post": { + "operationId": "enterprise-stub-write-replication-dr-primary-enable", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/dr/primary/revoke-secondary": { + "post": { + 
"operationId": "enterprise-stub-write-replication-dr-primary-revoke-secondary", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/dr/primary/secondary-token": { + "x-vault-sudo": true, + "post": { + "operationId": "enterprise-stub-write-replication-dr-primary-secondary-token", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/dr/secondary/config/reload/{subsystem}": { + "parameters": [ + { + "name": "subsystem", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "post": { + "operationId": "enterprise-stub-write-replication-dr-secondary-config-reload-subsystem", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/dr/secondary/disable": { + "x-vault-unauthenticated": true, + "post": { + "operationId": "enterprise-stub-write-replication-dr-secondary-disable", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/dr/secondary/enable": { + "post": { + "operationId": "enterprise-stub-write-replication-dr-secondary-enable", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/dr/secondary/generate-public-key": { + "post": { + "operationId": "enterprise-stub-write-replication-dr-secondary-generate-public-key", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/dr/secondary/license/status": { + "x-vault-unauthenticated": true, + "get": { + "operationId": "enterprise-stub-read-replication-dr-secondary-license-status", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/dr/secondary/operation-token/delete": { + "x-vault-unauthenticated": true, + "post": { + "operationId": 
"enterprise-stub-write-replication-dr-secondary-operation-token-delete", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/dr/secondary/promote": { + "x-vault-unauthenticated": true, + "post": { + "operationId": "enterprise-stub-write-replication-dr-secondary-promote", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/dr/secondary/recover": { + "x-vault-unauthenticated": true, + "post": { + "operationId": "enterprise-stub-write-replication-dr-secondary-recover", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/dr/secondary/reindex": { + "x-vault-unauthenticated": true, + "post": { + "operationId": "enterprise-stub-write-replication-dr-secondary-reindex", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/dr/secondary/update-primary": { + "x-vault-unauthenticated": true, + "post": { + "operationId": "enterprise-stub-write-replication-dr-secondary-update-primary", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/dr/status": { + "x-vault-unauthenticated": true, + "get": { + "operationId": "enterprise-stub-read-replication-dr-status", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/performance/primary/demote": { + "post": { + "operationId": "enterprise-stub-write-replication-performance-primary-demote", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/performance/primary/disable": { + "post": { + "operationId": "enterprise-stub-write-replication-performance-primary-disable", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + 
"/sys/replication/performance/primary/dynamic-filter/{id}": { + "parameters": [ + { + "name": "id", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "operationId": "enterprise-stub-read-replication-performance-primary-dynamic-filter-id", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/performance/primary/enable": { + "post": { + "operationId": "enterprise-stub-write-replication-performance-primary-enable", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/performance/primary/paths-filter/{id}": { + "parameters": [ + { + "name": "id", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "operationId": "enterprise-stub-read-replication-performance-primary-paths-filter-id", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "enterprise-stub-write-replication-performance-primary-paths-filter-id", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "enterprise-stub-delete-replication-performance-primary-paths-filter-id", + "tags": [ + "system" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/sys/replication/performance/primary/revoke-secondary": { + "post": { + "operationId": "enterprise-stub-write-replication-performance-primary-revoke-secondary", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/performance/primary/secondary-token": { + "x-vault-sudo": true, + "post": { + "operationId": "enterprise-stub-write-replication-performance-primary-secondary-token", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/performance/secondary/disable": { + "post": { + 
"operationId": "enterprise-stub-write-replication-performance-secondary-disable", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/performance/secondary/dynamic-filter/{id}": { + "parameters": [ + { + "name": "id", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "operationId": "enterprise-stub-read-replication-performance-secondary-dynamic-filter-id", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/performance/secondary/enable": { + "post": { + "operationId": "enterprise-stub-write-replication-performance-secondary-enable", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/performance/secondary/generate-public-key": { + "post": { + "operationId": "enterprise-stub-write-replication-performance-secondary-generate-public-key", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/performance/secondary/promote": { + "post": { + "operationId": "enterprise-stub-write-replication-performance-secondary-promote", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/performance/secondary/update-primary": { + "post": { + "operationId": "enterprise-stub-write-replication-performance-secondary-update-primary", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/performance/status": { + "x-vault-unauthenticated": true, + "get": { + "operationId": "enterprise-stub-read-replication-performance-status", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/primary/demote": { + "post": { + "operationId": "enterprise-stub-write-replication-primary-demote", + "tags": [ + "system" + ], + "responses": { 
+ "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/primary/disable": { + "post": { + "operationId": "enterprise-stub-write-replication-primary-disable", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/primary/enable": { + "post": { + "operationId": "enterprise-stub-write-replication-primary-enable", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/primary/revoke-secondary": { + "post": { + "operationId": "enterprise-stub-write-replication-primary-revoke-secondary", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/primary/secondary-token": { + "x-vault-sudo": true, + "post": { + "operationId": "enterprise-stub-write-replication-primary-secondary-token", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/recover": { + "post": { + "operationId": "enterprise-stub-write-replication-recover", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/reindex": { + "x-vault-sudo": true, + "post": { + "operationId": "enterprise-stub-write-replication-reindex", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/secondary/disable": { + "post": { + "operationId": "enterprise-stub-write-replication-secondary-disable", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/secondary/enable": { + "post": { + "operationId": "enterprise-stub-write-replication-secondary-enable", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/secondary/promote": { + "post": { + "operationId": "enterprise-stub-write-replication-secondary-promote", + "tags": [ + "system" + ], + 
"responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/secondary/update-primary": { + "post": { + "operationId": "enterprise-stub-write-replication-secondary-update-primary", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/replication/status": { + "x-vault-unauthenticated": true, + "get": { + "operationId": "read-replication-status", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/revoke": { + "description": "Revoke a leased secret immediately", + "post": { + "summary": "Revokes a lease immediately.", + "operationId": "leases-revoke-lease2", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/LeasesRevokeLease2Request" + } + } + } + }, + "responses": { + "204": { + "description": "OK" + } + } + } + }, + "/sys/revoke-force/{prefix}": { + "description": "Revoke all secrets generated in a given prefix, ignoring errors.", + "parameters": [ + { + "name": "prefix", + "description": "The path to revoke keys under. Example: \"prod/aws/ops\"", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "x-vault-sudo": true, + "post": { + "summary": "Revokes all secrets or tokens generated under a given prefix immediately", + "description": "Unlike `/sys/leases/revoke-prefix`, this path ignores backend errors encountered during revocation. This is potentially very dangerous and should only be used in specific emergency situations where errors in the backend or the connected backend service prevent normal revocation.\n\nBy ignoring these errors, Vault abdicates responsibility for ensuring that the issued credentials or secrets are properly revoked and/or cleaned up. 
Access to this endpoint should be tightly controlled.", + "operationId": "leases-force-revoke-lease-with-prefix2", + "tags": [ + "system" + ], + "responses": { + "204": { + "description": "OK" + } + } + } + }, + "/sys/revoke-prefix/{prefix}": { + "description": "Revoke all secrets generated in a given prefix", + "parameters": [ + { + "name": "prefix", + "description": "The path to revoke keys under. Example: \"prod/aws/ops\"", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "x-vault-sudo": true, + "post": { + "summary": "Revokes all secrets (via a lease ID prefix) or tokens (via the tokens' path property) generated under a given prefix immediately.", + "operationId": "leases-revoke-lease-with-prefix2", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/LeasesRevokeLeaseWithPrefix2Request" + } + } + } + }, + "responses": { + "204": { + "description": "OK" + } + } + } + }, + "/sys/revoke/{url_lease_id}": { + "description": "Revoke a leased secret immediately", + "parameters": [ + { + "name": "url_lease_id", + "description": "The lease identifier to renew. 
This is included with a lease.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "post": { + "summary": "Revokes a lease immediately.", + "operationId": "leases-revoke-lease-with-id2", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/LeasesRevokeLeaseWithId2Request" + } + } + } + }, + "responses": { + "204": { + "description": "OK" + } + } + } + }, + "/sys/rotate": { + "description": "Rotates the backend encryption key used to persist data.", + "x-vault-sudo": true, + "post": { + "operationId": "encryption-key-rotate", + "tags": [ + "system" + ], + "responses": { + "204": { + "description": "OK" + } + } + } + }, + "/sys/rotate/config": { + "description": "Configures settings related to the backend encryption key management.", + "get": { + "operationId": "encryption-key-read-rotation-configuration", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/EncryptionKeyReadRotationConfigurationResponse" + } + } + } + } + } + }, + "post": { + "operationId": "encryption-key-configure-rotation", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/EncryptionKeyConfigureRotationRequest" + } + } + } + }, + "responses": { + "204": { + "description": "OK" + } + } + } + }, + "/sys/seal": { + "description": "Seals the Vault.", + "x-vault-sudo": true, + "post": { + "summary": "Seal the Vault.", + "operationId": "seal", + "tags": [ + "system" + ], + "responses": { + "204": { + "description": "OK" + } + } + } + }, + "/sys/seal-status": { + "description": "Returns the seal status of the Vault.", + "x-vault-unauthenticated": true, + "get": { + "summary": "Check the seal status of a Vault.", + "operationId": "seal-status", + "tags": [ + 
"system" + ], + "responses": { + "200": { + "description": "", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/SealStatusResponse" + } + } + } + } + } + } + }, + "/sys/sealwrap/rewrap": { + "get": { + "operationId": "enterprise-stub-read-sealwrap-rewrap", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "enterprise-stub-write-sealwrap-rewrap", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/step-down": { + "x-vault-sudo": true, + "post": { + "summary": "Cause the node to give up active status.", + "description": "This endpoint forces the node to give up active status. If the node does not have active status, this endpoint does nothing. Note that the node will sleep for ten seconds before attempting to grab the active lock again, but if no standby nodes grab the active lock in the interim, the same node may become the active node again.", + "operationId": "step-down-leader", + "tags": [ + "system" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/sys/storage/raft/snapshot-auto/config/": { + "x-vault-sudo": true, + "get": { + "operationId": "enterprise-stub-list-storage-raft-snapshot-auto-config", + "tags": [ + "system" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/sys/storage/raft/snapshot-auto/config/{name}": { + "parameters": [ + { + "name": "name", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "x-vault-sudo": true, + "get": { + "operationId": 
"enterprise-stub-read-storage-raft-snapshot-auto-config-name", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "enterprise-stub-write-storage-raft-snapshot-auto-config-name", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "enterprise-stub-delete-storage-raft-snapshot-auto-config-name", + "tags": [ + "system" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/sys/storage/raft/snapshot-auto/status/{name}": { + "parameters": [ + { + "name": "name", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "get": { + "operationId": "enterprise-stub-read-storage-raft-snapshot-auto-status-name", + "tags": [ + "system" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/tools/hash": { + "description": "Generate a hash sum for input data", + "post": { + "operationId": "generate-hash", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GenerateHashRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GenerateHashResponse" + } + } + } + } + } + } + }, + "/sys/tools/hash/{urlalgorithm}": { + "description": "Generate a hash sum for input data", + "parameters": [ + { + "name": "urlalgorithm", + "description": "Algorithm to use (POST URL parameter)", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "post": { + "operationId": "generate-hash-with-algorithm", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GenerateHashWithAlgorithmRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + 
"content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GenerateHashWithAlgorithmResponse" + } + } + } + } + } + } + }, + "/sys/tools/random": { + "description": "Generate random bytes", + "post": { + "operationId": "generate-random", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GenerateRandomRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GenerateRandomResponse" + } + } + } + } + } + } + }, + "/sys/tools/random/{source}": { + "description": "Generate random bytes", + "parameters": [ + { + "name": "source", + "description": "Which system to source random data from, ether \"platform\", \"seal\", or \"all\".", + "in": "path", + "schema": { + "type": "string", + "default": "platform" + }, + "required": true + } + ], + "post": { + "operationId": "generate-random-with-source", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GenerateRandomWithSourceRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GenerateRandomWithSourceResponse" + } + } + } + } + } + } + }, + "/sys/tools/random/{source}/{urlbytes}": { + "description": "Generate random bytes", + "parameters": [ + { + "name": "source", + "description": "Which system to source random data from, ether \"platform\", \"seal\", or \"all\".", + "in": "path", + "schema": { + "type": "string", + "default": "platform" + }, + "required": true + }, + { + "name": "urlbytes", + "description": "The number of bytes to generate (POST URL parameter)", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "post": { + "operationId": 
"generate-random-with-source-and-bytes", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GenerateRandomWithSourceAndBytesRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GenerateRandomWithSourceAndBytesResponse" + } + } + } + } + } + } + }, + "/sys/tools/random/{urlbytes}": { + "description": "Generate random bytes", + "parameters": [ + { + "name": "urlbytes", + "description": "The number of bytes to generate (POST URL parameter)", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + } + ], + "post": { + "operationId": "generate-random-with-bytes", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GenerateRandomWithBytesRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GenerateRandomWithBytesResponse" + } + } + } + } + } + } + }, + "/sys/unseal": { + "description": "Unseals the Vault.", + "x-vault-unauthenticated": true, + "post": { + "summary": "Unseal the Vault.", + "operationId": "unseal", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/UnsealRequest" + } + } + } + }, + "responses": { + "200": { + "description": "", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/UnsealResponse" + } + } + } + } + } + } + }, + "/sys/version-history/": { + "description": "List historical version changes sorted by installation time in ascending order.", + "get": { + "summary": "Returns map of historical version change entries", + "operationId": "version-history", + "tags": [ + "system" + ], + 
"parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/VersionHistoryResponse" + } + } + } + } + } + } + }, + "/sys/wrapping/lookup": { + "description": "Looks up the properties of a response-wrapped token.", + "x-vault-unauthenticated": true, + "get": { + "summary": "Look up wrapping properties for the requester's token.", + "operationId": "read-wrapping-properties2", + "tags": [ + "system" + ], + "parameters": [ + { + "name": "token", + "in": "query", + "schema": { + "type": "string" + } + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/ReadWrappingProperties2Response" + } + } + } + } + } + }, + "post": { + "summary": "Look up wrapping properties for the given token.", + "operationId": "read-wrapping-properties", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/ReadWrappingPropertiesRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/ReadWrappingPropertiesResponse" + } + } + } + } + } + } + }, + "/sys/wrapping/rewrap": { + "description": "Rotates a response-wrapped token.", + "post": { + "operationId": "rewrap", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/RewrapRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/sys/wrapping/unwrap": { + "description": "Unwraps a response-wrapped token.", + "post": { + "operationId": "unwrap", + "tags": [ + 
"system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/UnwrapRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No content" + } + } + } + }, + "/sys/wrapping/wrap": { + "description": "Response-wraps an arbitrary JSON object.", + "post": { + "operationId": "wrap", + "tags": [ + "system" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "type": "object", + "additionalProperties": true + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{alicloud_mount_path}/config": { + "description": "Configure the access key and secret to use for RAM and STS calls.", + "parameters": [ + { + "name": "alicloud_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "alicloud" + }, + "required": true + } + ], + "get": { + "operationId": "ali-cloud-read-configuration", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "ali-cloud-configure", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AliCloudConfigureRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "ali-cloud-delete-configuration", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/{alicloud_mount_path}/creds/{name}": { + "description": "Generate an API key or STS credential using the given role's configuration.'", + "parameters": [ + { + "name": "name", + "description": "The name of the role.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "alicloud_mount_path", + "description": "Path 
that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "alicloud" + }, + "required": true + } + ], + "get": { + "summary": "Generate an API key or STS credential using the given role's configuration.'", + "operationId": "ali-cloud-generate-credentials", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{alicloud_mount_path}/role/": { + "description": "List the existing roles in this backend.", + "parameters": [ + { + "name": "alicloud_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "alicloud" + }, + "required": true + } + ], + "get": { + "summary": "List the existing roles in this backend.", + "operationId": "ali-cloud-list-roles", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/{alicloud_mount_path}/role/{name}": { + "description": "Read, write and reference policies and roles that API keys or STS credentials can be made for.", + "parameters": [ + { + "name": "name", + "description": "The name of the role.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "alicloud_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "alicloud" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "summary": "Read, write and reference policies and roles that API keys or STS credentials can be made for.", + "operationId": "ali-cloud-read-role", + "tags": [ + "secrets" + ], + "responses": { + "200": { + 
"description": "OK" + } + } + }, + "post": { + "summary": "Read, write and reference policies and roles that API keys or STS credentials can be made for.", + "operationId": "ali-cloud-write-role", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AliCloudWriteRoleRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Read, write and reference policies and roles that API keys or STS credentials can be made for.", + "operationId": "ali-cloud-delete-role", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/{aws_mount_path}/config/lease": { + "description": "Configure the default lease information for generated credentials.", + "parameters": [ + { + "name": "aws_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "aws" + }, + "required": true + } + ], + "get": { + "operationId": "aws-read-lease-configuration", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "aws-configure-lease", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AwsConfigureLeaseRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{aws_mount_path}/config/root": { + "description": "Configure the root credentials that are used to manage IAM.", + "parameters": [ + { + "name": "aws_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "aws" + }, + "required": true + } + ], + "get": { + "operationId": "aws-read-root-iam-credentials-configuration", + "tags": [ + "secrets" + ], + "responses": { + "200": { + 
"description": "OK" + } + } + }, + "post": { + "operationId": "aws-configure-root-iam-credentials", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AwsConfigureRootIamCredentialsRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{aws_mount_path}/config/rotate-root": { + "description": "Request to rotate the AWS credentials used by Vault", + "parameters": [ + { + "name": "aws_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "aws" + }, + "required": true + } + ], + "post": { + "operationId": "aws-rotate-root-iam-credentials", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{aws_mount_path}/creds/{name}": { + "description": "Generate AWS credentials from a specific Vault role.", + "parameters": [ + { + "name": "name", + "description": "Name of the role", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "aws_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "aws" + }, + "required": true + } + ], + "get": { + "operationId": "aws-generate-credentials", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "role_arn", + "description": "ARN of role to assume when credential_type is assumed_role", + "in": "query", + "schema": { + "type": "string" + } + }, + { + "name": "role_session_name", + "description": "Session name to use when assuming role. 
Max chars: 64", + "in": "query", + "schema": { + "type": "string" + } + }, + { + "name": "ttl", + "description": "Lifetime of the returned credentials in seconds", + "in": "query", + "schema": { + "type": "string", + "default": 3600 + } + } + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "aws-generate-credentials-with-parameters", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AwsGenerateCredentialsWithParametersRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{aws_mount_path}/roles/": { + "description": "List the existing roles in this backend", + "parameters": [ + { + "name": "aws_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "aws" + }, + "required": true + } + ], + "get": { + "summary": "List the existing roles in this backend", + "operationId": "aws-list-roles", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/{aws_mount_path}/roles/{name}": { + "description": "Read, write and reference IAM policies that access keys can be made for.", + "parameters": [ + { + "name": "name", + "description": "Name of the role", + "in": "path", + "schema": { + "type": "string", + "x-vault-displayAttrs": { + "name": "Role Name" + } + }, + "required": true + }, + { + "name": "aws_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "aws" + }, + "required": true + 
} + ], + "get": { + "summary": "Read, write and reference IAM policies that access keys can be made for.", + "operationId": "aws-read-role", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "Read, write and reference IAM policies that access keys can be made for.", + "operationId": "aws-write-role", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AwsWriteRoleRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Read, write and reference IAM policies that access keys can be made for.", + "operationId": "aws-delete-role", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/{aws_mount_path}/static-creds/{name}": { + "description": "Retrieve static credentials from the named role.", + "parameters": [ + { + "name": "name", + "description": "The name of this role.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "aws_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "aws" + }, + "required": true + } + ], + "get": { + "operationId": "aws-read-static-creds-name", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AwsReadStaticCredsNameResponse" + } + } + } + } + } + } + }, + "/{aws_mount_path}/static-roles/{name}": { + "description": "Manage static roles for AWS.", + "parameters": [ + { + "name": "name", + "description": "The name of this role.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "aws_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": 
"string", + "default": "aws" + }, + "required": true + } + ], + "get": { + "operationId": "aws-read-static-roles-name", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AwsReadStaticRolesNameResponse" + } + } + } + } + } + }, + "post": { + "operationId": "aws-write-static-roles-name", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AwsWriteStaticRolesNameRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AwsWriteStaticRolesNameResponse" + } + } + } + } + } + }, + "delete": { + "operationId": "aws-delete-static-roles-name", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "No Content" + } + } + } + }, + "/{aws_mount_path}/sts/{name}": { + "description": "Generate AWS credentials from a specific Vault role.", + "parameters": [ + { + "name": "name", + "description": "Name of the role", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "aws_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "aws" + }, + "required": true + } + ], + "get": { + "operationId": "aws-generate-sts-credentials", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "role_arn", + "description": "ARN of role to assume when credential_type is assumed_role", + "in": "query", + "schema": { + "type": "string" + } + }, + { + "name": "role_session_name", + "description": "Session name to use when assuming role. 
Max chars: 64", + "in": "query", + "schema": { + "type": "string" + } + }, + { + "name": "ttl", + "description": "Lifetime of the returned credentials in seconds", + "in": "query", + "schema": { + "type": "string", + "default": 3600 + } + } + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "aws-generate-sts-credentials-with-parameters", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AwsGenerateStsCredentialsWithParametersRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{azure_mount_path}/config": { + "description": "Configure the Azure Secret backend.", + "parameters": [ + { + "name": "azure_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "azure" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "operationId": "azure-read-configuration", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "azure-configure", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/AzureConfigureRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "azure-delete-configuration", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/{azure_mount_path}/creds/{role}": { + "description": "Request Service Principal credentials for a given Vault role.", + "parameters": [ + { + "name": "role", + "description": "Name of the Vault role", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "azure_mount_path", + "description": "Path that the backend was mounted at", 
+ "in": "path", + "schema": { + "type": "string", + "default": "azure" + }, + "required": true + } + ], + "get": { + "operationId": "azure-request-service-principal-credentials", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{azure_mount_path}/roles/": { + "description": "List existing roles.", + "parameters": [ + { + "name": "azure_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "azure" + }, + "required": true + } + ], + "get": { + "summary": "List existing roles.", + "operationId": "azure-list-roles", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/{azure_mount_path}/roles/{name}": { + "description": "Manage the Vault roles used to generate Azure credentials.", + "parameters": [ + { + "name": "name", + "description": "Name of the role.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "azure_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "azure" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "summary": "Manage the Vault roles used to generate Azure credentials.", + "operationId": "azure-read-role", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "Manage the Vault roles used to generate Azure credentials.", + "operationId": "azure-write-role", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + 
"application/json": { + "schema": { + "$ref": "#/components/schemas/AzureWriteRoleRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Manage the Vault roles used to generate Azure credentials.", + "operationId": "azure-delete-role", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/{azure_mount_path}/rotate-root": { + "description": "Attempt to rotate the root credentials used to communicate with Azure.", + "parameters": [ + { + "name": "azure_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "azure" + }, + "required": true + } + ], + "post": { + "operationId": "azure-rotate-root", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{consul_mount_path}/config/access": { + "parameters": [ + { + "name": "consul_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "consul" + }, + "required": true + } + ], + "get": { + "operationId": "consul-read-access-configuration", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "consul-configure-access", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/ConsulConfigureAccessRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{consul_mount_path}/creds/{role}": { + "parameters": [ + { + "name": "role", + "description": "Name of the role.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "consul_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "consul" + }, + 
"required": true + } + ], + "get": { + "operationId": "consul-generate-credentials", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{consul_mount_path}/roles/": { + "parameters": [ + { + "name": "consul_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "consul" + }, + "required": true + } + ], + "get": { + "operationId": "consul-list-roles", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/{consul_mount_path}/roles/{name}": { + "parameters": [ + { + "name": "name", + "description": "Name of the role.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "consul_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "consul" + }, + "required": true + } + ], + "get": { + "operationId": "consul-read-role", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "consul-write-role", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/ConsulWriteRoleRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "consul-delete-role", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/{database_mount_path}/config/": { + "description": "Configure connection details to a database plugin.", + 
"parameters": [ + { + "name": "database_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "database" + }, + "required": true + } + ], + "get": { + "summary": "Configure connection details to a database plugin.", + "operationId": "database-list-connections", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/{database_mount_path}/config/{name}": { + "description": "Configure connection details to a database plugin.", + "parameters": [ + { + "name": "name", + "description": "Name of this database connection", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "database_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "database" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "operationId": "database-read-connection-configuration", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "database-configure-connection", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/DatabaseConfigureConnectionRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "database-delete-connection-configuration", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/{database_mount_path}/creds/{name}": { + 
"description": "Request database credentials for a certain role.", + "parameters": [ + { + "name": "name", + "description": "Name of the role.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "database_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "database" + }, + "required": true + } + ], + "get": { + "summary": "Request database credentials for a certain role.", + "operationId": "database-generate-credentials", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{database_mount_path}/reset/{name}": { + "description": "Resets a database plugin.", + "parameters": [ + { + "name": "name", + "description": "Name of this database connection", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "database_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "database" + }, + "required": true + } + ], + "post": { + "summary": "Resets a database plugin.", + "operationId": "database-reset-connection", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{database_mount_path}/roles/": { + "description": "Manage the roles that can be created with this backend.", + "parameters": [ + { + "name": "database_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "database" + }, + "required": true + } + ], + "get": { + "summary": "Manage the roles that can be created with this backend.", + "operationId": "database-list-roles", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + 
"200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/{database_mount_path}/roles/{name}": { + "description": "Manage the roles that can be created with this backend.", + "parameters": [ + { + "name": "name", + "description": "Name of the role.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "database_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "database" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "summary": "Manage the roles that can be created with this backend.", + "operationId": "database-read-role", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "Manage the roles that can be created with this backend.", + "operationId": "database-write-role", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/DatabaseWriteRoleRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Manage the roles that can be created with this backend.", + "operationId": "database-delete-role", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/{database_mount_path}/rotate-role/{name}": { + "description": "Request to rotate the credentials for a static user account.", + "parameters": [ + { + "name": "name", + "description": "Name of the static role", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "database_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "database" + }, + "required": true + } + ], 
+ "post": { + "operationId": "database-rotate-static-role-credentials", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{database_mount_path}/rotate-root/{name}": { + "description": "Request to rotate the root credentials for a certain database connection.", + "parameters": [ + { + "name": "name", + "description": "Name of this database connection", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "database_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "database" + }, + "required": true + } + ], + "post": { + "operationId": "database-rotate-root-credentials", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{database_mount_path}/static-creds/{name}": { + "description": "Request database credentials for a certain static role. These credentials are rotated periodically.", + "parameters": [ + { + "name": "name", + "description": "Name of the static role.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "database_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "database" + }, + "required": true + } + ], + "get": { + "summary": "Request database credentials for a certain static role. 
These credentials are\nrotated periodically.", + "operationId": "database-read-static-role-credentials", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{database_mount_path}/static-roles/": { + "description": "Manage the static roles that can be created with this backend.", + "parameters": [ + { + "name": "database_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "database" + }, + "required": true + } + ], + "get": { + "summary": "Manage the static roles that can be created with this backend.", + "operationId": "database-list-static-roles", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/{database_mount_path}/static-roles/{name}": { + "description": "Manage the static roles that can be created with this backend.", + "parameters": [ + { + "name": "name", + "description": "Name of the role.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "database_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "database" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "summary": "Manage the static roles that can be created with this backend.", + "operationId": "database-read-static-role", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "Manage the static roles that can be created with this backend.", + "operationId": "database-write-static-role", + "tags": [ + 
"secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/DatabaseWriteStaticRoleRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Manage the static roles that can be created with this backend.", + "operationId": "database-delete-static-role", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/{gcp_mount_path}/config": { + "description": "Configure the GCP backend.", + "parameters": [ + { + "name": "gcp_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcp" + }, + "required": true + } + ], + "get": { + "operationId": "google-cloud-read-configuration", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "google-cloud-configure", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GoogleCloudConfigureRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{gcp_mount_path}/config/rotate-root": { + "description": "Request to rotate the GCP credentials used by Vault", + "parameters": [ + { + "name": "gcp_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcp" + }, + "required": true + } + ], + "post": { + "operationId": "google-cloud-rotate-root-credentials", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{gcp_mount_path}/impersonated-account/": { + "description": "List created impersonated accounts.", + "parameters": [ + { + "name": "gcp_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": 
"string", + "default": "gcp" + }, + "required": true + } + ], + "get": { + "operationId": "google-cloud-list-impersonated-accounts", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/{gcp_mount_path}/impersonated-account/{name}": { + "description": "Register and manage a GCP service account to generate credentials under", + "parameters": [ + { + "name": "name", + "description": "Required. Name to refer to this impersonated account in Vault. Cannot be updated.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "gcp_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcp" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "operationId": "google-cloud-read-impersonated-account", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "google-cloud-write-impersonated-account", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GoogleCloudWriteImpersonatedAccountRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "google-cloud-delete-impersonated-account", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/{gcp_mount_path}/impersonated-account/{name}/token": { + "description": "Generate an OAuth2 access token secret.", + "parameters": [ + { + "name": "name", + "description": 
"Required. Name of the impersonated account.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "gcp_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcp" + }, + "required": true + } + ], + "get": { + "operationId": "google-cloud-generate-impersonated-account-access-token", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "google-cloud-generate-impersonated-account-access-token2", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{gcp_mount_path}/impersonated-accounts/": { + "description": "List created impersonated accounts.", + "parameters": [ + { + "name": "gcp_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcp" + }, + "required": true + } + ], + "get": { + "operationId": "google-cloud-list-impersonated-accounts2", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/{gcp_mount_path}/key/{roleset}": { + "description": "Generate a service account private key secret.", + "parameters": [ + { + "name": "roleset", + "description": "Required. 
Name of the role set.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "gcp_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcp" + }, + "required": true + } + ], + "get": { + "operationId": "google-cloud-generate-roleset-key4", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "key_algorithm", + "description": "Private key algorithm for service account key - defaults to KEY_ALG_RSA_2048\"", + "in": "query", + "schema": { + "type": "string", + "default": "KEY_ALG_RSA_2048" + } + }, + { + "name": "key_type", + "description": "Private key type for service account key - defaults to TYPE_GOOGLE_CREDENTIALS_FILE\"", + "in": "query", + "schema": { + "type": "string", + "default": "TYPE_GOOGLE_CREDENTIALS_FILE" + } + }, + { + "name": "ttl", + "description": "Lifetime of the service account key", + "in": "query", + "schema": { + "type": "string" + } + } + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "google-cloud-generate-roleset-key3", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GoogleCloudGenerateRolesetKey3Request" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{gcp_mount_path}/roleset/": { + "description": "List existing rolesets.", + "parameters": [ + { + "name": "gcp_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcp" + }, + "required": true + } + ], + "get": { + "operationId": "google-cloud-list-rolesets", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + 
"200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/{gcp_mount_path}/roleset/{name}": { + "description": "Read/write sets of IAM roles to be given to generated credentials for specified GCP resources.", + "parameters": [ + { + "name": "name", + "description": "Required. Name of the role.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "gcp_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcp" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "operationId": "google-cloud-read-roleset", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "google-cloud-write-roleset", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GoogleCloudWriteRolesetRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "google-cloud-delete-roleset", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/{gcp_mount_path}/roleset/{name}/rotate": { + "description": "Rotates or recreates the service account bound to a roleset.", + "parameters": [ + { + "name": "name", + "description": "Name of the role.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "gcp_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcp" + }, + "required": true + } + ], + "post": { + "operationId": "google-cloud-rotate-roleset", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + 
"/{gcp_mount_path}/roleset/{name}/rotate-key": { + "description": "Rotate the service account key used to generate access tokens for a roleset.", + "parameters": [ + { + "name": "name", + "description": "Name of the role.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "gcp_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcp" + }, + "required": true + } + ], + "post": { + "operationId": "google-cloud-rotate-roleset-key", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{gcp_mount_path}/roleset/{roleset}/key": { + "description": "Generate a service account private key secret.", + "parameters": [ + { + "name": "roleset", + "description": "Required. Name of the role set.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "gcp_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcp" + }, + "required": true + } + ], + "get": { + "operationId": "google-cloud-generate-roleset-key2", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "key_algorithm", + "description": "Private key algorithm for service account key - defaults to KEY_ALG_RSA_2048\"", + "in": "query", + "schema": { + "type": "string", + "default": "KEY_ALG_RSA_2048" + } + }, + { + "name": "key_type", + "description": "Private key type for service account key - defaults to TYPE_GOOGLE_CREDENTIALS_FILE\"", + "in": "query", + "schema": { + "type": "string", + "default": "TYPE_GOOGLE_CREDENTIALS_FILE" + } + }, + { + "name": "ttl", + "description": "Lifetime of the service account key", + "in": "query", + "schema": { + "type": "string" + } + } + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "google-cloud-generate-roleset-key", + "tags": [ + "secrets" + ], 
+ "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GoogleCloudGenerateRolesetKeyRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{gcp_mount_path}/roleset/{roleset}/token": { + "description": "Generate an OAuth2 access token secret.", + "parameters": [ + { + "name": "roleset", + "description": "Required. Name of the role set.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "gcp_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcp" + }, + "required": true + } + ], + "get": { + "operationId": "google-cloud-generate-roleset-access-token2", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "google-cloud-generate-roleset-access-token", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{gcp_mount_path}/rolesets/": { + "description": "List existing rolesets.", + "parameters": [ + { + "name": "gcp_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcp" + }, + "required": true + } + ], + "get": { + "operationId": "google-cloud-list-rolesets2", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/{gcp_mount_path}/static-account/": { + "description": "List created static accounts.", + "parameters": [ + { + "name": "gcp_mount_path", + "description": "Path that the backend was 
mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcp" + }, + "required": true + } + ], + "get": { + "operationId": "google-cloud-list-static-accounts", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/{gcp_mount_path}/static-account/{name}": { + "description": "Register and manage a GCP service account to generate credentials under", + "parameters": [ + { + "name": "name", + "description": "Required. Name to refer to this static account in Vault. Cannot be updated.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "gcp_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcp" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "operationId": "google-cloud-read-static-account", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "google-cloud-write-static-account", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GoogleCloudWriteStaticAccountRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "google-cloud-delete-static-account", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/{gcp_mount_path}/static-account/{name}/key": { + "description": "Generate a service account private key secret.", + "parameters": [ + { + "name": "name", + 
"description": "Required. Name of the static account.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "gcp_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcp" + }, + "required": true + } + ], + "get": { + "operationId": "google-cloud-generate-static-account-key2", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "key_algorithm", + "description": "Private key algorithm for service account key. Defaults to KEY_ALG_RSA_2048.\"", + "in": "query", + "schema": { + "type": "string", + "default": "KEY_ALG_RSA_2048" + } + }, + { + "name": "key_type", + "description": "Private key type for service account key. Defaults to TYPE_GOOGLE_CREDENTIALS_FILE.\"", + "in": "query", + "schema": { + "type": "string", + "default": "TYPE_GOOGLE_CREDENTIALS_FILE" + } + }, + { + "name": "ttl", + "description": "Lifetime of the service account key", + "in": "query", + "schema": { + "type": "string" + } + } + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "google-cloud-generate-static-account-key", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GoogleCloudGenerateStaticAccountKeyRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{gcp_mount_path}/static-account/{name}/rotate-key": { + "description": "Rotate the key used to generate access tokens for a static account", + "parameters": [ + { + "name": "name", + "description": "Name of the account.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "gcp_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcp" + }, + "required": true + } + ], + "post": { + "operationId": 
"google-cloud-rotate-static-account-key", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{gcp_mount_path}/static-account/{name}/token": { + "description": "Generate an OAuth2 access token secret.", + "parameters": [ + { + "name": "name", + "description": "Required. Name of the static account.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "gcp_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcp" + }, + "required": true + } + ], + "get": { + "operationId": "google-cloud-generate-static-account-access-token2", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "google-cloud-generate-static-account-access-token", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{gcp_mount_path}/static-accounts/": { + "description": "List created static accounts.", + "parameters": [ + { + "name": "gcp_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcp" + }, + "required": true + } + ], + "get": { + "operationId": "google-cloud-list-static-accounts2", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/{gcp_mount_path}/token/{roleset}": { + "description": "Generate an OAuth2 access token secret.", + "parameters": [ + { + "name": "roleset", + "description": "Required. 
Name of the role set.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "gcp_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcp" + }, + "required": true + } + ], + "get": { + "operationId": "google-cloud-generate-roleset-access-token4", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "google-cloud-generate-roleset-access-token3", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{gcpkms_mount_path}/config": { + "description": "Configure the GCP KMS secrets engine", + "parameters": [ + { + "name": "gcpkms_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcpkms" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "operationId": "google-cloud-kms-read-configuration", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "google-cloud-kms-configure", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GoogleCloudKmsConfigureRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "google-cloud-kms-delete-configuration", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/{gcpkms_mount_path}/decrypt/{key}": { + "description": "Decrypt a ciphertext value using a named key", + "parameters": [ + { + "name": "key", + "description": "Name of the key in Vault to use for decryption. 
This key must already exist in Vault and must map back to a Google Cloud KMS key.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "gcpkms_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcpkms" + }, + "required": true + } + ], + "post": { + "summary": "Decrypt a ciphertext value using a named key", + "operationId": "google-cloud-kms-decrypt", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GoogleCloudKmsDecryptRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{gcpkms_mount_path}/encrypt/{key}": { + "description": "Encrypt a plaintext value using a named key", + "parameters": [ + { + "name": "key", + "description": "Name of the key in Vault to use for encryption. This key must already exist in Vault and must map back to a Google Cloud KMS key.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "gcpkms_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcpkms" + }, + "required": true + } + ], + "post": { + "summary": "Encrypt a plaintext value using a named key", + "operationId": "google-cloud-kms-encrypt", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GoogleCloudKmsEncryptRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{gcpkms_mount_path}/keys/": { + "description": "List named keys", + "parameters": [ + { + "name": "gcpkms_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcpkms" + }, + "required": true + } + ], + "get": { + 
"summary": "List named keys", + "operationId": "google-cloud-kms-list-keys", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/{gcpkms_mount_path}/keys/config/{key}": { + "description": "Configure the key in Vault", + "parameters": [ + { + "name": "key", + "description": "Name of the key in Vault.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "gcpkms_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcpkms" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "operationId": "google-cloud-kms-read-key-configuration", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "google-cloud-kms-configure-key", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GoogleCloudKmsConfigureKeyRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{gcpkms_mount_path}/keys/deregister/{key}": { + "description": "Deregister an existing key in Vault", + "parameters": [ + { + "name": "key", + "description": "Name of the key to deregister in Vault. 
If the key exists in Google Cloud KMS, it will be left untouched.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "gcpkms_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcpkms" + }, + "required": true + } + ], + "post": { + "operationId": "google-cloud-kms-deregister-key", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "google-cloud-kms-deregister-key2", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/{gcpkms_mount_path}/keys/register/{key}": { + "description": "Register an existing crypto key in Google Cloud KMS", + "parameters": [ + { + "name": "key", + "description": "Name of the key to register in Vault. This will be the named used to refer to the underlying crypto key when encrypting or decrypting data.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "gcpkms_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcpkms" + }, + "required": true + } + ], + "post": { + "summary": "Register an existing crypto key in Google Cloud KMS", + "operationId": "google-cloud-kms-register-key", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GoogleCloudKmsRegisterKeyRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{gcpkms_mount_path}/keys/rotate/{key}": { + "description": "Rotate a crypto key to a new primary version", + "parameters": [ + { + "name": "key", + "description": "Name of the key to rotate. 
This key must already be registered with Vault and point to a valid Google Cloud KMS crypto key.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "gcpkms_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcpkms" + }, + "required": true + } + ], + "post": { + "summary": "Rotate a crypto key to a new primary version", + "operationId": "google-cloud-kms-rotate-key", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{gcpkms_mount_path}/keys/trim/{key}": { + "description": "Delete old crypto key versions from Google Cloud KMS", + "parameters": [ + { + "name": "key", + "description": "Name of the key in Vault.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "gcpkms_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcpkms" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "post": { + "operationId": "google-cloud-kms-trim-key-versions", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "google-cloud-kms-trim-key-versions2", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/{gcpkms_mount_path}/keys/{key}": { + "description": "Interact with crypto keys in Vault and Google Cloud KMS", + "parameters": [ + { + "name": "key", + "description": "Name of the key in Vault.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "gcpkms_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcpkms" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "summary": "Interact with crypto keys in 
Vault and Google Cloud KMS", + "operationId": "google-cloud-kms-read-key", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "Interact with crypto keys in Vault and Google Cloud KMS", + "operationId": "google-cloud-kms-write-key", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GoogleCloudKmsWriteKeyRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Interact with crypto keys in Vault and Google Cloud KMS", + "operationId": "google-cloud-kms-delete-key", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/{gcpkms_mount_path}/pubkey/{key}": { + "description": "Retrieve the public key associated with the named key", + "parameters": [ + { + "name": "key", + "description": "Name of the key for which to get the public key. This key must already exist in Vault and Google Cloud KMS.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "gcpkms_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcpkms" + }, + "required": true + } + ], + "get": { + "summary": "Retrieve the public key associated with the named key", + "operationId": "google-cloud-kms-retrieve-public-key", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{gcpkms_mount_path}/reencrypt/{key}": { + "description": "Re-encrypt existing ciphertext data to a new version", + "parameters": [ + { + "name": "key", + "description": "Name of the key to use for encryption. 
This key must already exist in Vault and Google Cloud KMS.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "gcpkms_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcpkms" + }, + "required": true + } + ], + "post": { + "summary": "Re-encrypt existing ciphertext data to a new version", + "operationId": "google-cloud-kms-reencrypt", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GoogleCloudKmsReencryptRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{gcpkms_mount_path}/sign/{key}": { + "description": "Signs a message or digest using a named key", + "parameters": [ + { + "name": "key", + "description": "Name of the key in Vault to use for signing. This key must already exist in Vault and must map back to a Google Cloud KMS key.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "gcpkms_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcpkms" + }, + "required": true + } + ], + "post": { + "summary": "Signs a message or digest using a named key", + "operationId": "google-cloud-kms-sign", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GoogleCloudKmsSignRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{gcpkms_mount_path}/verify/{key}": { + "description": "Verify a signature using a named key", + "parameters": [ + { + "name": "key", + "description": "Name of the key in Vault to use for verification. 
This key must already exist in Vault and must map back to a Google Cloud KMS key.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "gcpkms_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "gcpkms" + }, + "required": true + } + ], + "post": { + "summary": "Verify a signature using a named key", + "operationId": "google-cloud-kms-verify", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GoogleCloudKmsVerifyRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{kubernetes_mount_path}/check": { + "description": "Checks the Kubernetes configuration is valid.", + "parameters": [ + { + "name": "kubernetes_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "kubernetes" + }, + "required": true + } + ], + "get": { + "operationId": "kubernetes-check-configuration", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{kubernetes_mount_path}/config": { + "description": "Configure the Kubernetes secret engine plugin.", + "parameters": [ + { + "name": "kubernetes_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "kubernetes" + }, + "required": true + } + ], + "get": { + "operationId": "kubernetes-read-configuration", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "kubernetes-configure", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/KubernetesConfigureRequest" + } + } + } + }, + "responses": { + "200": { + "description": 
"OK" + } + } + }, + "delete": { + "operationId": "kubernetes-delete-configuration", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/{kubernetes_mount_path}/creds/{name}": { + "description": "Request Kubernetes service account credentials for a given Vault role.", + "parameters": [ + { + "name": "name", + "description": "Name of the Vault role", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "kubernetes_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "kubernetes" + }, + "required": true + } + ], + "post": { + "operationId": "kubernetes-generate-credentials", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/KubernetesGenerateCredentialsRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{kubernetes_mount_path}/roles/": { + "description": "List the existing roles in this secrets engine.", + "parameters": [ + { + "name": "kubernetes_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "kubernetes" + }, + "required": true + } + ], + "get": { + "operationId": "kubernetes-list-roles", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/{kubernetes_mount_path}/roles/{name}": { + "description": "Manage the roles that can be created with this secrets engine.", + "parameters": [ + { + "name": "name", + 
"description": "Name of the role", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "kubernetes_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "kubernetes" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "operationId": "kubernetes-read-role", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "kubernetes-write-role", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/KubernetesWriteRoleRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "kubernetes-delete-role", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/{kv_v1_mount_path}/{path}": { + "description": "Pass-through secret storage to the storage backend, allowing you to read/write arbitrary data into secret storage.", + "parameters": [ + { + "name": "path", + "description": "Location of the secret.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "kv_v1_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "kv-v1" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "operationId": "kv-v1-read", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "kv-v1-write", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "type": "object", + "additionalProperties": true + } + } + } + }, + "responses": { + "204": { + "description": "No Content" + } + } + }, + "delete": { + 
"operationId": "kv-v1-delete", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "No Content" + } + } + } + }, + "/{kv_v1_mount_path}/{path}/": { + "description": "Pass-through secret storage to the storage backend, allowing you to read/write arbitrary data into secret storage.", + "parameters": [ + { + "name": "path", + "description": "Location of the secret.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "kv_v1_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "kv-v1" + }, + "required": true + } + ], + "get": { + "operationId": "kv-v1-list", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/{kv_v2_mount_path}/^.*$": { + "parameters": [ + { + "name": "kv_v2_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "kv-v2" + }, + "required": true + } + ] + }, + "/{kv_v2_mount_path}/config": { + "description": "Configures settings for the KV store", + "parameters": [ + { + "name": "kv_v2_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "kv-v2" + }, + "required": true + } + ], + "get": { + "summary": "Read the backend level settings.", + "operationId": "kv-v2-read-configuration", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/KvV2ReadConfigurationResponse" + } + } + } + } + } + }, + "post": 
{ + "summary": "Configure backend level settings that are applied to every key in the key-value store.", + "operationId": "kv-v2-configure", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/KvV2ConfigureRequest" + } + } + } + }, + "responses": { + "204": { + "description": "No Content" + } + } + } + }, + "/{kv_v2_mount_path}/data/{path}": { + "description": "Write, Patch, Read, and Delete data in the Key-Value Store.", + "parameters": [ + { + "name": "path", + "description": "Location of the secret.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "kv_v2_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "kv-v2" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "operationId": "kv-v2-read", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/KvV2ReadResponse" + } + } + } + } + } + }, + "post": { + "operationId": "kv-v2-write", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/KvV2WriteRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/KvV2WriteResponse" + } + } + } + } + } + }, + "delete": { + "operationId": "kv-v2-delete", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "No Content" + } + } + } + }, + "/{kv_v2_mount_path}/delete/{path}": { + "description": "Marks one or more versions as deleted in the KV store.", + "parameters": [ + { + "name": "path", + "description": "Location of the secret.", + "in": "path", + "schema": { + "type": "string" + }, + "required": 
true + }, + { + "name": "kv_v2_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "kv-v2" + }, + "required": true + } + ], + "post": { + "operationId": "kv-v2-delete-versions", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/KvV2DeleteVersionsRequest" + } + } + } + }, + "responses": { + "204": { + "description": "No Content" + } + } + } + }, + "/{kv_v2_mount_path}/destroy/{path}": { + "description": "Permanently removes one or more versions in the KV store", + "parameters": [ + { + "name": "path", + "description": "Location of the secret.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "kv_v2_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "kv-v2" + }, + "required": true + } + ], + "post": { + "operationId": "kv-v2-destroy-versions", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/KvV2DestroyVersionsRequest" + } + } + } + }, + "responses": { + "204": { + "description": "No Content" + } + } + } + }, + "/{kv_v2_mount_path}/metadata/{path}": { + "description": "Configures settings for the KV store", + "parameters": [ + { + "name": "path", + "description": "Location of the secret.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "kv_v2_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "kv-v2" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "operationId": "kv-v2-read-metadata", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + 
"schema": { + "$ref": "#/components/schemas/KvV2ReadMetadataResponse" + } + } + } + } + } + }, + "post": { + "operationId": "kv-v2-write-metadata", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/KvV2WriteMetadataRequest" + } + } + } + }, + "responses": { + "204": { + "description": "No Content" + } + } + }, + "delete": { + "operationId": "kv-v2-delete-metadata-and-all-versions", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "No Content" + } + } + } + }, + "/{kv_v2_mount_path}/metadata/{path}/": { + "description": "Configures settings for the KV store", + "parameters": [ + { + "name": "path", + "description": "Location of the secret.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "kv_v2_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "kv-v2" + }, + "required": true + } + ], + "get": { + "operationId": "kv-v2-list", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/{kv_v2_mount_path}/subkeys/{path}": { + "description": "Read the structure of a secret entry from the Key-Value store with the values removed.", + "parameters": [ + { + "name": "path", + "description": "Location of the secret.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "kv_v2_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "kv-v2" + }, + "required": true + } 
+ ], + "get": { + "operationId": "kv-v2-read-subkeys", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/KvV2ReadSubkeysResponse" + } + } + } + } + } + } + }, + "/{kv_v2_mount_path}/undelete/{path}": { + "description": "Undeletes one or more versions from the KV store.", + "parameters": [ + { + "name": "path", + "description": "Location of the secret.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "kv_v2_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "kv-v2" + }, + "required": true + } + ], + "post": { + "operationId": "kv-v2-undelete-versions", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/KvV2UndeleteVersionsRequest" + } + } + } + }, + "responses": { + "204": { + "description": "No Content" + } + } + } + }, + "/{ldap_mount_path}/config": { + "description": "Configure the LDAP secrets engine plugin.", + "parameters": [ + { + "name": "ldap_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "ldap" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "operationId": "ldap-read-configuration", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "ldap-configure", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/LdapConfigureRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "ldap-delete-configuration", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": 
"empty body" + } + } + } + }, + "/{ldap_mount_path}/creds/{name}": { + "description": "Request LDAP credentials for a dynamic role. These credentials are created within the LDAP system when querying this endpoint.", + "parameters": [ + { + "name": "name", + "description": "Name of the dynamic role.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "ldap_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "ldap" + }, + "required": true + } + ], + "get": { + "operationId": "ldap-request-dynamic-role-credentials", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{ldap_mount_path}/library/": { + "description": "List the name of each set of service accounts currently stored.", + "parameters": [ + { + "name": "ldap_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "ldap" + }, + "required": true + } + ], + "get": { + "operationId": "ldap-library-list", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/{ldap_mount_path}/library/manage/{name}/check-in": { + "description": "Force checking service accounts in to the library.", + "parameters": [ + { + "name": "name", + "description": "Name of the set.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "ldap_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "ldap" + }, + "required": true + } + ], 
+ "post": { + "summary": "Check service accounts in to the library.", + "operationId": "ldap-library-force-check-in", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/LdapLibraryForceCheckInRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{ldap_mount_path}/library/{name}": { + "description": "Build a library of service accounts that can be checked out.", + "parameters": [ + { + "name": "name", + "description": "Name of the set.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "ldap_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "ldap" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "summary": "Read a library set.", + "operationId": "ldap-library-read", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "Update a library set.", + "operationId": "ldap-library-configure", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/LdapLibraryConfigureRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Delete a library set.", + "operationId": "ldap-library-delete", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/{ldap_mount_path}/library/{name}/check-in": { + "description": "Check service accounts in to the library.", + "parameters": [ + { + "name": "name", + "description": "Name of the set.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "ldap_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + 
"schema": { + "type": "string", + "default": "ldap" + }, + "required": true + } + ], + "post": { + "summary": "Check service accounts in to the library.", + "operationId": "ldap-library-check-in", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/LdapLibraryCheckInRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{ldap_mount_path}/library/{name}/check-out": { + "description": "Check a service account out from the library.", + "parameters": [ + { + "name": "name", + "description": "Name of the set", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "ldap_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "ldap" + }, + "required": true + } + ], + "post": { + "summary": "Check a service account out from the library.", + "operationId": "ldap-library-check-out", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/LdapLibraryCheckOutRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{ldap_mount_path}/library/{name}/status": { + "description": "Check the status of the service accounts in a library.", + "parameters": [ + { + "name": "name", + "description": "Name of the set.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "ldap_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "ldap" + }, + "required": true + } + ], + "get": { + "summary": "Check the status of the service accounts in a library set.", + "operationId": "ldap-library-check-status", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + 
} + }, + "/{ldap_mount_path}/role/": { + "description": "List all the dynamic roles Vault is currently managing in LDAP.", + "parameters": [ + { + "name": "ldap_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "ldap" + }, + "required": true + } + ], + "get": { + "operationId": "ldap-list-dynamic-roles", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/{ldap_mount_path}/role/{name}": { + "description": "Manage the static roles that can be created with this backend.", + "parameters": [ + { + "name": "name", + "description": "Name of the role (lowercase)", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "ldap_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "ldap" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "operationId": "ldap-read-dynamic-role", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "ldap-write-dynamic-role", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/LdapWriteDynamicRoleRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "ldap-delete-dynamic-role", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/{ldap_mount_path}/rotate-role/{name}": { + 
"description": "Request to rotate the credentials for a static user account.", + "parameters": [ + { + "name": "name", + "description": "Name of the static role", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "ldap_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "ldap" + }, + "required": true + } + ], + "post": { + "operationId": "ldap-rotate-static-role", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{ldap_mount_path}/rotate-root": { + "description": "Request to rotate the root credentials Vault uses for the LDAP administrator account.", + "parameters": [ + { + "name": "ldap_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "ldap" + }, + "required": true + } + ], + "post": { + "operationId": "ldap-rotate-root-credentials", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{ldap_mount_path}/static-cred/{name}": { + "description": "Request LDAP credentials for a certain static role. 
These credentials are rotated periodically.", + "parameters": [ + { + "name": "name", + "description": "Name of the static role.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "ldap_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "ldap" + }, + "required": true + } + ], + "get": { + "operationId": "ldap-request-static-role-credentials", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{ldap_mount_path}/static-role/": { + "description": "This path lists all the static roles Vault is currently managing within the LDAP system.", + "parameters": [ + { + "name": "ldap_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "ldap" + }, + "required": true + } + ], + "get": { + "operationId": "ldap-list-static-roles", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/{ldap_mount_path}/static-role/{name}": { + "description": "Manage the static roles that can be created with this backend.", + "parameters": [ + { + "name": "name", + "description": "Name of the role", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "ldap_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "ldap" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "operationId": "ldap-read-static-role", + "tags": [ + "secrets" + ], + "responses": { + 
"200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "ldap-write-static-role", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/LdapWriteStaticRoleRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "ldap-delete-static-role", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/{mongodbatlas_mount_path}/config": { + "description": "Configure the credentials that are used to manage Database Users.", + "parameters": [ + { + "name": "mongodbatlas_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "mongodbatlas" + }, + "required": true + } + ], + "get": { + "operationId": "mongo-db-atlas-read-configuration", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "mongo-db-atlas-configure", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/MongoDbAtlasConfigureRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{mongodbatlas_mount_path}/creds/{name}": { + "description": "Generate MongoDB Atlas Programmatic API from a specific Vault role.", + "parameters": [ + { + "name": "name", + "description": "Name of the role", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "mongodbatlas_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "mongodbatlas" + }, + "required": true + } + ], + "get": { + "operationId": "mongo-db-atlas-generate-credentials", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": 
"OK" + } + } + }, + "post": { + "operationId": "mongo-db-atlas-generate-credentials2", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{mongodbatlas_mount_path}/roles/": { + "description": "List the existing roles in this backend", + "parameters": [ + { + "name": "mongodbatlas_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "mongodbatlas" + }, + "required": true + } + ], + "get": { + "summary": "List the existing roles in this backend", + "operationId": "mongo-db-atlas-list-roles", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/{mongodbatlas_mount_path}/roles/{name}": { + "description": "Manage the roles used to generate MongoDB Atlas Programmatic API Keys.", + "parameters": [ + { + "name": "name", + "description": "Name of the Roles", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "mongodbatlas_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "mongodbatlas" + }, + "required": true + } + ], + "get": { + "summary": "Manage the roles used to generate MongoDB Atlas Programmatic API Keys.", + "operationId": "mongo-db-atlas-read-role", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "Manage the roles used to generate MongoDB Atlas Programmatic API Keys.", + "operationId": "mongo-db-atlas-write-role", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + 
"application/json": { + "schema": { + "$ref": "#/components/schemas/MongoDbAtlasWriteRoleRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Manage the roles used to generate MongoDB Atlas Programmatic API Keys.", + "operationId": "mongo-db-atlas-delete-role", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/{nomad_mount_path}/config/access": { + "parameters": [ + { + "name": "nomad_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "nomad" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "operationId": "nomad-read-access-configuration", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "nomad-configure-access", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/NomadConfigureAccessRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "nomad-delete-access-configuration", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/{nomad_mount_path}/config/lease": { + "description": "Configure the lease parameters for generated tokens", + "parameters": [ + { + "name": "nomad_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "nomad" + }, + "required": true + } + ], + "get": { + "operationId": "nomad-read-lease-configuration", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "nomad-configure-lease", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + 
"application/json": { + "schema": { + "$ref": "#/components/schemas/NomadConfigureLeaseRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "nomad-delete-lease-configuration", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/{nomad_mount_path}/creds/{name}": { + "parameters": [ + { + "name": "name", + "description": "Name of the role", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "nomad_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "nomad" + }, + "required": true + } + ], + "get": { + "operationId": "nomad-generate-credentials", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{nomad_mount_path}/role/": { + "parameters": [ + { + "name": "nomad_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "nomad" + }, + "required": true + } + ], + "get": { + "operationId": "nomad-list-roles", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/{nomad_mount_path}/role/{name}": { + "parameters": [ + { + "name": "name", + "description": "Name of the role", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "nomad_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "nomad" + }, + "required": true + } + ], + 
"x-vault-createSupported": true, + "get": { + "operationId": "nomad-read-role", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "nomad-write-role", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/NomadWriteRoleRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "nomad-delete-role", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/{pki_mount_path}/acme/account/{kid}": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "kid", + "description": "The key identifier provided by the CA", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-acme-account-kid", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteAcmeAccountKidRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/acme/authorization/{auth_id}": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "auth_id", + "description": "ACME authorization identifier value", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": 
true, + "post": { + "operationId": "pki-write-acme-authorization-auth_id", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteAcmeAuthorizationAuth_idRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/acme/challenge/{auth_id}/{challenge_type}": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "auth_id", + "description": "ACME authorization identifier value", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "challenge_type", + "description": "ACME challenge type", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-acme-challenge-auth_id-challenge_type", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteAcmeChallengeAuth_idChallenge_typeRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/acme/directory": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-read-acme-directory", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/acme/new-account": { + "description": "An endpoint 
implementing the standard ACME protocol", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-acme-new-account", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteAcmeNewAccountRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/acme/new-eab": { + "description": "Generate external account bindings to be used for ACME", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "post": { + "operationId": "pki-generate-eab-key", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiGenerateEabKeyResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/acme/new-nonce": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-read-acme-new-nonce", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/acme/new-order": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": 
"pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-acme-new-order", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteAcmeNewOrderRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/acme/order/{order_id}": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "order_id", + "description": "The ACME order identifier to fetch", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-acme-order-order_id", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteAcmeOrderOrder_idRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/acme/order/{order_id}/cert": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "order_id", + "description": "The ACME order identifier to fetch", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-acme-order-order_id-cert", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": 
"#/components/schemas/PkiWriteAcmeOrderOrder_idCertRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/acme/order/{order_id}/finalize": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "order_id", + "description": "The ACME order identifier to fetch", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-acme-order-order_id-finalize", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteAcmeOrderOrder_idFinalizeRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/acme/orders": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-acme-orders", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteAcmeOrdersRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/acme/revoke-cert": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + 
"required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-acme-revoke-cert", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteAcmeRevokeCertRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/ca": { + "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-read-ca-der", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadCaDerResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/ca/pem": { + "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-read-ca-pem", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadCaPemResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/ca_chain": { + "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": 
"pki-read-ca-chain-pem", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadCaChainPemResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/cert/ca_chain": { + "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-read-cert-ca-chain", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadCertCaChainResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/cert/crl": { + "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-read-cert-crl", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadCertCrlResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/cert/delta-crl": { + "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-read-cert-delta-crl", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + 
"content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadCertDeltaCrlResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/cert/{serial}": { + "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", + "parameters": [ + { + "name": "serial", + "description": "Certificate serial number, in colon- or hyphen-separated octal", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-read-cert", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadCertResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/cert/{serial}/raw": { + "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", + "parameters": [ + { + "name": "serial", + "description": "Certificate serial number, in colon- or hyphen-separated octal", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-read-cert-raw-der", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadCertRawDerResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/cert/{serial}/raw/pem": { + "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", + "parameters": [ + { + "name": "serial", + "description": "Certificate serial number, in colon- or 
hyphen-separated octal", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-read-cert-raw-pem", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadCertRawPemResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/certs/": { + "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "get": { + "operationId": "pki-list-certs", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/certs/revoked/": { + "description": "List all revoked serial numbers within the local cluster", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "get": { + "operationId": "pki-list-revoked-certs", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { 
+ "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/config/acme": { + "description": "Configuration of ACME Endpoints", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "get": { + "operationId": "pki-read-acme-configuration", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "pki-configure-acme", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiConfigureAcmeRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/config/auto-tidy": { + "description": "Modifies the current configuration for automatic tidy execution.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "get": { + "operationId": "pki-read-auto-tidy-configuration", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadAutoTidyConfigurationResponse" + } + } + } + } + } + }, + "post": { + "operationId": "pki-configure-auto-tidy", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiConfigureAutoTidyRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiConfigureAutoTidyResponse" + } + } + } + } + } + } + }, 
+ "/{pki_mount_path}/config/ca": { + "description": "Set the CA certificate and private key used for generated credentials.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "post": { + "operationId": "pki-configure-ca", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiConfigureCaRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiConfigureCaResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/config/cluster": { + "description": "Set cluster-local configuration, including address to this PR cluster.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "get": { + "operationId": "pki-read-cluster-configuration", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadClusterConfigurationResponse" + } + } + } + } + } + }, + "post": { + "operationId": "pki-configure-cluster", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiConfigureClusterRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiConfigureClusterResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/config/crl": { + "description": "Configure the CRL expiration.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path 
that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "get": { + "operationId": "pki-read-crl-configuration", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadCrlConfigurationResponse" + } + } + } + } + } + }, + "post": { + "operationId": "pki-configure-crl", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiConfigureCrlRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiConfigureCrlResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/config/issuers": { + "description": "Read and set the default issuer certificate for signing.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "get": { + "operationId": "pki-read-issuers-configuration", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadIssuersConfigurationResponse" + } + } + } + } + } + }, + "post": { + "operationId": "pki-configure-issuers", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiConfigureIssuersRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiConfigureIssuersResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/config/keys": { + "description": "Read and set the default key 
used for signing", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "get": { + "operationId": "pki-read-keys-configuration", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadKeysConfigurationResponse" + } + } + } + } + } + }, + "post": { + "operationId": "pki-configure-keys", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiConfigureKeysRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiConfigureKeysResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/config/urls": { + "description": "Set the URLs for the issuing CA, CRL distribution points, and OCSP servers.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "get": { + "operationId": "pki-read-urls-configuration", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadUrlsConfigurationResponse" + } + } + } + } + } + }, + "post": { + "operationId": "pki-configure-urls", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiConfigureUrlsRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiConfigureUrlsResponse" + } + } + } + } + 
} + } + }, + "/{pki_mount_path}/crl": { + "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-read-crl-der", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadCrlDerResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/crl/delta": { + "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-read-crl-delta", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadCrlDeltaResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/crl/delta/pem": { + "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-read-crl-delta-pem", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadCrlDeltaPemResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/crl/pem": { + "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", + 
"parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-read-crl-pem", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadCrlPemResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/crl/rotate": { + "description": "Force a rebuild of the CRL.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "get": { + "operationId": "pki-rotate-crl", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiRotateCrlResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/crl/rotate-delta": { + "description": "Force a rebuild of the delta CRL.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "get": { + "operationId": "pki-rotate-delta-crl", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiRotateDeltaCrlResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/eab/": { + "description": "list external account bindings to be used for ACME", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "get": { + "operationId": "pki-list-eab-keys", 
+ "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiListEabKeysResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/eab/{key_id}": { + "description": "Delete an external account binding id prior to its use within an ACME account", + "parameters": [ + { + "name": "key_id", + "description": "EAB key identifier", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "delete": { + "operationId": "pki-delete-eab-key", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/{pki_mount_path}/intermediate/cross-sign": { + "description": "Generate a new CSR and private key used for signing.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "post": { + "operationId": "pki-cross-sign-intermediate", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiCrossSignIntermediateRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiCrossSignIntermediateResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/intermediate/generate/{exported}": { + "description": "Generate a new CSR and private key used for signing.", + "parameters": [ + { + 
"name": "exported", + "description": "Must be \"internal\", \"exported\" or \"kms\". If set to \"exported\", the generated private key will be returned. This is your *only* chance to retrieve the private key!", + "in": "path", + "schema": { + "type": "string", + "enum": [ + "internal", + "external", + "kms" + ] + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "post": { + "operationId": "pki-generate-intermediate", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiGenerateIntermediateRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiGenerateIntermediateResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/intermediate/set-signed": { + "description": "Provide the signed intermediate CA cert.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "post": { + "operationId": "pki-set-signed-intermediate", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiSetSignedIntermediateRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiSetSignedIntermediateResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/issue/{role}": { + "description": "Request a certificate using a certain role with the provided details.", + "parameters": [ + { + "name": "role", + "description": "The desired role with configuration for 
this request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "post": { + "operationId": "pki-issue-with-role", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssueWithRoleRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssueWithRoleResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}": { + "description": "Fetch a single issuer certificate.", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "in": "path", + "schema": { + "type": "string", + "default": "default" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "get": { + "operationId": "pki-read-issuer", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadIssuerResponse" + } + } + } + } + } + }, + "post": { + "operationId": "pki-write-issuer", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteIssuerRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteIssuerResponse" + } + } + } + } + } 
+ }, + "delete": { + "operationId": "pki-delete-issuer", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "No Content" + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/acme/account/{kid}": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to an existing issuer name or issuer id", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "kid", + "description": "The key identifier provided by the CA", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-issuer-issuer_ref-acme-account-kid", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refAcmeAccountKidRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/acme/authorization/{auth_id}": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "auth_id", + "description": "ACME authorization identifier value", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "issuer_ref", + "description": "Reference to an existing issuer name or issuer id", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": 
"pki-write-issuer-issuer_ref-acme-authorization-auth_id", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refAcmeAuthorizationAuth_idRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/acme/challenge/{auth_id}/{challenge_type}": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "auth_id", + "description": "ACME authorization identifier value", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "challenge_type", + "description": "ACME challenge type", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "issuer_ref", + "description": "Reference to an existing issuer name or issuer id", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-issuer-issuer_ref-acme-challenge-auth_id-challenge_type", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refAcmeChallengeAuth_idChallenge_typeRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/acme/directory": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to an existing issuer name or issuer id", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", 
+ "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-read-issuer-issuer_ref-acme-directory", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/acme/new-account": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to an existing issuer name or issuer id", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-issuer-issuer_ref-acme-new-account", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refAcmeNewAccountRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/acme/new-eab": { + "description": "Generate external account bindings to be used for ACME", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to an existing issuer name or issuer id", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "post": { + "operationId": "pki-generate-eab-key-for-issuer", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + 
"$ref": "#/components/schemas/PkiGenerateEabKeyForIssuerResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/acme/new-nonce": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to an existing issuer name or issuer id", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-read-issuer-issuer_ref-acme-new-nonce", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/acme/new-order": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to an existing issuer name or issuer id", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-issuer-issuer_ref-acme-new-order", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refAcmeNewOrderRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/acme/order/{order_id}": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to an existing issuer name or issuer id", + "in": "path", + 
"schema": { + "type": "string" + }, + "required": true + }, + { + "name": "order_id", + "description": "The ACME order identifier to fetch", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-issuer-issuer_ref-acme-order-order_id", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refAcmeOrderOrder_idRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/acme/order/{order_id}/cert": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to an existing issuer name or issuer id", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "order_id", + "description": "The ACME order identifier to fetch", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-issuer-issuer_ref-acme-order-order_id-cert", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refAcmeOrderOrder_idCertRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/acme/order/{order_id}/finalize": { + 
"description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to an existing issuer name or issuer id", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "order_id", + "description": "The ACME order identifier to fetch", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-issuer-issuer_ref-acme-order-order_id-finalize", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refAcmeOrderOrder_idFinalizeRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/acme/orders": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to an existing issuer name or issuer id", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-issuer-issuer_ref-acme-orders", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refAcmeOrdersRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/acme/revoke-cert": { + 
"description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to an existing issuer name or issuer id", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-issuer-issuer_ref-acme-revoke-cert", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refAcmeRevokeCertRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/crl": { + "description": "Fetch an issuer's Certificate Revocation Log (CRL).", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "in": "path", + "schema": { + "type": "string", + "default": "default" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-issuer-read-crl", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuerReadCrlResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/crl/delta": { + "description": "Fetch an issuer's Certificate Revocation Log (CRL).", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to a existing issuer; 
either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "in": "path", + "schema": { + "type": "string", + "default": "default" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-issuer-read-crl-delta", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuerReadCrlDeltaResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/crl/delta/der": { + "description": "Fetch an issuer's Certificate Revocation Log (CRL).", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "in": "path", + "schema": { + "type": "string", + "default": "default" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-issuer-read-crl-delta-der", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuerReadCrlDeltaDerResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/crl/delta/pem": { + "description": "Fetch an issuer's Certificate Revocation Log (CRL).", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", 
+ "in": "path", + "schema": { + "type": "string", + "default": "default" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-issuer-read-crl-delta-pem", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuerReadCrlDeltaPemResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/crl/der": { + "description": "Fetch an issuer's Certificate Revocation Log (CRL).", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "in": "path", + "schema": { + "type": "string", + "default": "default" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-issuer-read-crl-der", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuerReadCrlDerResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/crl/pem": { + "description": "Fetch an issuer's Certificate Revocation Log (CRL).", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "in": "path", + "schema": { + "type": "string", + "default": "default" + }, + "required": true + }, + { + "name": 
"pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-issuer-read-crl-pem", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuerReadCrlPemResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/der": { + "description": "Fetch a single issuer certificate.", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "in": "path", + "schema": { + "type": "string", + "default": "default" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-read-issuer-der", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadIssuerDerResponse" + } + } + } + }, + "304": { + "description": "Not Modified" + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/issue/{role}": { + "description": "Request a certificate using a certain role with the provided details.", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "in": "path", + "schema": { + "type": "string", + "default": "default" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role with configuration for this request", + "in": 
"path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "post": { + "operationId": "pki-issuer-issue-with-role", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuerIssueWithRoleRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuerIssueWithRoleResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/json": { + "description": "Fetch a single issuer certificate.", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "in": "path", + "schema": { + "type": "string", + "default": "default" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-read-issuer-json", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadIssuerJsonResponse" + } + } + } + }, + "304": { + "description": "Not Modified" + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/pem": { + "description": "Fetch a single issuer certificate.", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "in": "path", + 
"schema": { + "type": "string", + "default": "default" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-read-issuer-pem", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadIssuerPemResponse" + } + } + } + }, + "304": { + "description": "Not Modified" + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/resign-crls": { + "description": "Combine and sign with the provided issuer different CRLs", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "in": "path", + "schema": { + "type": "string", + "default": "default" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "post": { + "operationId": "pki-issuer-resign-crls", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuerResignCrlsRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuerResignCrlsResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/revoke": { + "description": "Revoke the specified issuer certificate.", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name 
assigned to the issuer.", + "in": "path", + "schema": { + "type": "string", + "default": "default" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "post": { + "operationId": "pki-revoke-issuer", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiRevokeIssuerResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/account/{kid}": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to an existing issuer name or issuer id", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "kid", + "description": "The key identifier provided by the CA", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-issuer-issuer_ref-roles-role-acme-account-kid", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refRolesRoleAcmeAccountKidRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/authorization/{auth_id}": { + "description": "An endpoint implementing the standard 
ACME protocol", + "parameters": [ + { + "name": "auth_id", + "description": "ACME authorization identifier value", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "issuer_ref", + "description": "Reference to an existing issuer name or issuer id", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-issuer-issuer_ref-roles-role-acme-authorization-auth_id", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refRolesRoleAcmeAuthorizationAuth_idRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/challenge/{auth_id}/{challenge_type}": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "auth_id", + "description": "ACME authorization identifier value", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "challenge_type", + "description": "ACME challenge type", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "issuer_ref", + "description": "Reference to an existing issuer name or issuer id", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + 
"name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-issuer-issuer_ref-roles-role-acme-challenge-auth_id-challenge_type", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refRolesRoleAcmeChallengeAuth_idChallenge_typeRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/directory": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to an existing issuer name or issuer id", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-read-issuer-issuer_ref-roles-role-acme-directory", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/new-account": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to an existing issuer name or issuer id", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + 
"type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-issuer-issuer_ref-roles-role-acme-new-account", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refRolesRoleAcmeNewAccountRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/new-eab": { + "description": "Generate external account bindings to be used for ACME", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to an existing issuer name or issuer id", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "post": { + "operationId": "pki-generate-eab-key-for-issuer-and-role", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiGenerateEabKeyForIssuerAndRoleResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/new-nonce": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to an existing issuer name or issuer id", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + 
"name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-read-issuer-issuer_ref-roles-role-acme-new-nonce", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/new-order": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to an existing issuer name or issuer id", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-issuer-issuer_ref-roles-role-acme-new-order", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refRolesRoleAcmeNewOrderRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/order/{order_id}": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to an existing issuer name or issuer id", + "in": "path", + "schema": { + "type": "string" + }, + "required": true 
+ }, + { + "name": "order_id", + "description": "The ACME order identifier to fetch", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-issuer-issuer_ref-roles-role-acme-order-order_id", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refRolesRoleAcmeOrderOrder_idRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/order/{order_id}/cert": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to an existing issuer name or issuer id", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "order_id", + "description": "The ACME order identifier to fetch", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-issuer-issuer_ref-roles-role-acme-order-order_id-cert", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + 
"content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refRolesRoleAcmeOrderOrder_idCertRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/order/{order_id}/finalize": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to an existing issuer name or issuer id", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "order_id", + "description": "The ACME order identifier to fetch", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-issuer-issuer_ref-roles-role-acme-order-order_id-finalize", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refRolesRoleAcmeOrderOrder_idFinalizeRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/orders": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to an existing issuer name or issuer id", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" + 
}, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-issuer-issuer_ref-roles-role-acme-orders", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refRolesRoleAcmeOrdersRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/revoke-cert": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to an existing issuer name or issuer id", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-issuer-issuer_ref-roles-role-acme-revoke-cert", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refRolesRoleAcmeRevokeCertRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/sign-intermediate": { + "description": "Issue an intermediate CA certificate based on the provided CSR.", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to a existing issuer; either \"default\" for 
the configured default issuer, an identifier or the name assigned to the issuer.", + "in": "path", + "schema": { + "type": "string", + "default": "default" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "post": { + "operationId": "pki-issuer-sign-intermediate", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuerSignIntermediateRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuerSignIntermediateResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/sign-revocation-list": { + "description": "Generate and sign a CRL based on the provided parameters.", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "in": "path", + "schema": { + "type": "string", + "default": "default" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "post": { + "operationId": "pki-issuer-sign-revocation-list", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuerSignRevocationListRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuerSignRevocationListResponse" + } + } + } + } + } + } + }, + 
"/{pki_mount_path}/issuer/{issuer_ref}/sign-self-issued": { + "description": "Re-issue a self-signed certificate based on the provided certificate.", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "in": "path", + "schema": { + "type": "string", + "default": "default" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "post": { + "operationId": "pki-issuer-sign-self-issued", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuerSignSelfIssuedRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuerSignSelfIssuedResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/sign-verbatim": { + "description": "Issue a certificate directly based on the provided CSR.", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "in": "path", + "schema": { + "type": "string", + "default": "default" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "post": { + "operationId": "pki-issuer-sign-verbatim", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuerSignVerbatimRequest" + } + } + } + }, + 
"responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuerSignVerbatimResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/sign-verbatim/{role}": { + "description": "Issue a certificate directly based on the provided CSR.", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "in": "path", + "schema": { + "type": "string", + "default": "default" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role with configuration for this request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "post": { + "operationId": "pki-issuer-sign-verbatim-with-role", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuerSignVerbatimWithRoleRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuerSignVerbatimWithRoleResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/sign/{role}": { + "description": "Request certificates using a certain role with the provided details.", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "in": "path", + "schema": { + "type": "string", + "default": "default" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role with 
configuration for this request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "post": { + "operationId": "pki-issuer-sign-with-role", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuerSignWithRoleRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuerSignWithRoleResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/issuers/": { + "description": "Fetch a list of CA certificates.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-list-issuers", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiListIssuersResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/issuers/generate/intermediate/{exported}": { + "description": "Generate a new CSR and private key used for signing.", + "parameters": [ + { + "name": "exported", + "description": "Must be \"internal\", \"exported\" or \"kms\". If set to \"exported\", the generated private key will be returned. 
This is your *only* chance to retrieve the private key!", + "in": "path", + "schema": { + "type": "string", + "enum": [ + "internal", + "external", + "kms" + ] + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "post": { + "operationId": "pki-issuers-generate-intermediate", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuersGenerateIntermediateRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuersGenerateIntermediateResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/issuers/generate/root/{exported}": { + "description": "Generate a new CA certificate and private key used for signing.", + "parameters": [ + { + "name": "exported", + "description": "Must be \"internal\", \"exported\" or \"kms\". If set to \"exported\", the generated private key will be returned. 
This is your *only* chance to retrieve the private key!", + "in": "path", + "schema": { + "type": "string", + "enum": [ + "internal", + "external", + "kms" + ] + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "post": { + "operationId": "pki-issuers-generate-root", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuersGenerateRootRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuersGenerateRootResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/issuers/import/bundle": { + "description": "Import the specified issuing certificates.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "post": { + "operationId": "pki-issuers-import-bundle", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuersImportBundleRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuersImportBundleResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/issuers/import/cert": { + "description": "Import the specified issuing certificates.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "post": { + "operationId": "pki-issuers-import-cert", + "tags": [ + 
"secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuersImportCertRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuersImportCertResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/key/{key_ref}": { + "description": "Fetch a single issuer key", + "parameters": [ + { + "name": "key_ref", + "description": "Reference to key; either \"default\" for the configured default key, an identifier of a key, or the name assigned to the key.", + "in": "path", + "schema": { + "type": "string", + "default": "default" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "get": { + "operationId": "pki-read-key", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadKeyResponse" + } + } + } + } + } + }, + "post": { + "operationId": "pki-write-key", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteKeyRequest" + } + } + } + }, + "responses": { + "204": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteKeyResponse" + } + } + } + } + } + }, + "delete": { + "operationId": "pki-delete-key", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "No Content" + } + } + } + }, + "/{pki_mount_path}/keys/": { + "description": "Fetch a list of all issuer keys", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + 
"type": "string", + "default": "pki" + }, + "required": true + } + ], + "get": { + "operationId": "pki-list-keys", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiListKeysResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/keys/generate/exported": { + "description": "Generate a new private key used for signing.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "post": { + "operationId": "pki-generate-exported-key", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiGenerateExportedKeyRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiGenerateExportedKeyResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/keys/generate/internal": { + "description": "Generate a new private key used for signing.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "post": { + "operationId": "pki-generate-internal-key", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiGenerateInternalKeyRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": 
"#/components/schemas/PkiGenerateInternalKeyResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/keys/generate/kms": { + "description": "Generate a new private key used for signing.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "post": { + "operationId": "pki-generate-kms-key", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiGenerateKmsKeyRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiGenerateKmsKeyResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/keys/import": { + "description": "Import the specified key.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "post": { + "operationId": "pki-import-key", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiImportKeyRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiImportKeyResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/ocsp": { + "description": "Query a certificate's revocation status through OCSP'", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-query-ocsp", + "tags": [ + "secrets" + ], + "responses": { 
+ "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/ocsp/{req}": { + "description": "Query a certificate's revocation status through OCSP'", + "parameters": [ + { + "name": "req", + "description": "base-64 encoded ocsp request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-query-ocsp-with-get-req", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/revoke": { + "description": "Revoke a certificate by serial number or with explicit certificate. When calling /revoke-with-key, the private key corresponding to the certificate must be provided to authenticate the request.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "post": { + "operationId": "pki-revoke", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiRevokeRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiRevokeResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/revoke-with-key": { + "description": "Revoke a certificate by serial number or with explicit certificate. 
When calling /revoke-with-key, the private key corresponding to the certificate must be provided to authenticate the request.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "post": { + "operationId": "pki-revoke-with-key", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiRevokeWithKeyRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiRevokeWithKeyResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/roles/": { + "description": "List the existing roles in this backend", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "get": { + "operationId": "pki-list-roles", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/roles/{name}": { + "description": "Manage the roles that can be created with this backend.", + "parameters": [ + { + "name": "name", + "description": "Name of the role", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "get": { 
+ "operationId": "pki-read-role", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadRoleResponse" + } + } + } + } + } + }, + "post": { + "operationId": "pki-write-role", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteRoleRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteRoleResponse" + } + } + } + } + } + }, + "delete": { + "operationId": "pki-delete-role", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "No Content" + } + } + } + }, + "/{pki_mount_path}/roles/{role}/acme/account/{kid}": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "kid", + "description": "The key identifier provided by the CA", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-roles-role-acme-account-kid", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteRolesRoleAcmeAccountKidRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/roles/{role}/acme/authorization/{auth_id}": { + "description": "An endpoint implementing the standard ACME protocol", + 
"parameters": [ + { + "name": "auth_id", + "description": "ACME authorization identifier value", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-roles-role-acme-authorization-auth_id", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteRolesRoleAcmeAuthorizationAuth_idRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/roles/{role}/acme/challenge/{auth_id}/{challenge_type}": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "auth_id", + "description": "ACME authorization identifier value", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "challenge_type", + "description": "ACME challenge type", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-roles-role-acme-challenge-auth_id-challenge_type", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": 
{ + "$ref": "#/components/schemas/PkiWriteRolesRoleAcmeChallengeAuth_idChallenge_typeRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/roles/{role}/acme/directory": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-read-roles-role-acme-directory", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/roles/{role}/acme/new-account": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-roles-role-acme-new-account", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteRolesRoleAcmeNewAccountRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/roles/{role}/acme/new-eab": { + "description": "Generate external account bindings to be used for ACME", + "parameters": [ + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + 
"type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "post": { + "operationId": "pki-generate-eab-key-for-role", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiGenerateEabKeyForRoleResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/roles/{role}/acme/new-nonce": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-read-roles-role-acme-new-nonce", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/roles/{role}/acme/new-order": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-roles-role-acme-new-order", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": 
"#/components/schemas/PkiWriteRolesRoleAcmeNewOrderRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/roles/{role}/acme/order/{order_id}": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "order_id", + "description": "The ACME order identifier to fetch", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-roles-role-acme-order-order_id", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteRolesRoleAcmeOrderOrder_idRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/roles/{role}/acme/order/{order_id}/cert": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "order_id", + "description": "The ACME order identifier to fetch", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-roles-role-acme-order-order_id-cert", + "tags": [ + "secrets" + ], + 
"requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteRolesRoleAcmeOrderOrder_idCertRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/roles/{role}/acme/order/{order_id}/finalize": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "order_id", + "description": "The ACME order identifier to fetch", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-roles-role-acme-order-order_id-finalize", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteRolesRoleAcmeOrderOrder_idFinalizeRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/roles/{role}/acme/orders": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-roles-role-acme-orders", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + 
"application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteRolesRoleAcmeOrdersRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/roles/{role}/acme/revoke-cert": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-roles-role-acme-revoke-cert", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteRolesRoleAcmeRevokeCertRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/root": { + "description": "Deletes the root CA key to allow a new one to be generated.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-sudo": true, + "delete": { + "operationId": "pki-delete-root", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/root/generate/{exported}": { + "description": "Generate a new CA certificate and private key used for signing.", + "parameters": [ + { + "name": "exported", + "description": "Must be \"internal\", \"exported\" or \"kms\". If set to \"exported\", the generated private key will be returned. 
This is your *only* chance to retrieve the private key!", + "in": "path", + "schema": { + "type": "string", + "enum": [ + "internal", + "external", + "kms" + ] + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "post": { + "operationId": "pki-generate-root", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiGenerateRootRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiGenerateRootResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/root/replace": { + "description": "Read and set the default issuer certificate for signing.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "post": { + "operationId": "pki-replace-root", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReplaceRootRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReplaceRootResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/root/rotate/{exported}": { + "description": "Generate a new CA certificate and private key used for signing.", + "parameters": [ + { + "name": "exported", + "description": "Must be \"internal\", \"exported\" or \"kms\". If set to \"exported\", the generated private key will be returned. 
This is your *only* chance to retrieve the private key!", + "in": "path", + "schema": { + "type": "string", + "enum": [ + "internal", + "external", + "kms" + ] + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "post": { + "operationId": "pki-rotate-root", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiRotateRootRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiRotateRootResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/root/sign-intermediate": { + "description": "Issue an intermediate CA certificate based on the provided CSR.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "post": { + "operationId": "pki-root-sign-intermediate", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiRootSignIntermediateRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiRootSignIntermediateResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/root/sign-self-issued": { + "description": "Re-issue a self-signed certificate based on the provided certificate.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-sudo": true, + "post": { + 
"operationId": "pki-root-sign-self-issued", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiRootSignSelfIssuedRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiRootSignSelfIssuedResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/sign-verbatim": { + "description": "Issue a certificate directly based on the provided CSR.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "post": { + "operationId": "pki-sign-verbatim", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiSignVerbatimRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiSignVerbatimResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/sign-verbatim/{role}": { + "description": "Issue a certificate directly based on the provided CSR.", + "parameters": [ + { + "name": "role", + "description": "The desired role with configuration for this request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "post": { + "operationId": "pki-sign-verbatim-with-role", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiSignVerbatimWithRoleRequest" + } + } + } + }, + "responses": { + "200": { + 
"description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiSignVerbatimWithRoleResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/sign/{role}": { + "description": "Request certificates using a certain role with the provided details.", + "parameters": [ + { + "name": "role", + "description": "The desired role with configuration for this request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "post": { + "operationId": "pki-sign-with-role", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiSignWithRoleRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiSignWithRoleResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/tidy": { + "description": "Tidy up the backend by removing expired certificates, revocation information, or both.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "post": { + "operationId": "pki-tidy", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiTidyRequest" + } + } + } + }, + "responses": { + "202": { + "description": "Accepted" + } + } + } + }, + "/{pki_mount_path}/tidy-cancel": { + "description": "Cancels a currently running tidy operation.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + 
"type": "string", + "default": "pki" + }, + "required": true + } + ], + "post": { + "operationId": "pki-tidy-cancel", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiTidyCancelResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/tidy-status": { + "description": "Returns the status of the tidy operation.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "get": { + "operationId": "pki-tidy-status", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiTidyStatusResponse" + } + } + } + } + } + } + }, + "/{rabbitmq_mount_path}/config/connection": { + "description": "Configure the connection URI, username, and password to talk to RabbitMQ management HTTP API.", + "parameters": [ + { + "name": "rabbitmq_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "rabbitmq" + }, + "required": true + } + ], + "post": { + "summary": "Configure the connection URI, username, and password to talk to RabbitMQ management HTTP API.", + "operationId": "rabbit-mq-configure-connection", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/RabbitMqConfigureConnectionRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{rabbitmq_mount_path}/config/lease": { + "description": "Configure the lease parameters for generated credentials", + "parameters": [ + { + "name": "rabbitmq_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + 
"type": "string", + "default": "rabbitmq" + }, + "required": true + } + ], + "get": { + "operationId": "rabbit-mq-read-lease-configuration", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "rabbit-mq-configure-lease", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/RabbitMqConfigureLeaseRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{rabbitmq_mount_path}/creds/{name}": { + "description": "Request RabbitMQ credentials for a certain role.", + "parameters": [ + { + "name": "name", + "description": "Name of the role.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "rabbitmq_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "rabbitmq" + }, + "required": true + } + ], + "get": { + "summary": "Request RabbitMQ credentials for a certain role.", + "operationId": "rabbit-mq-request-credentials", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{rabbitmq_mount_path}/roles/": { + "description": "Manage the roles that can be created with this backend.", + "parameters": [ + { + "name": "rabbitmq_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "rabbitmq" + }, + "required": true + } + ], + "get": { + "summary": "Manage the roles that can be created with this backend.", + "operationId": "rabbit-mq-list-roles", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + 
"application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/{rabbitmq_mount_path}/roles/{name}": { + "description": "Manage the roles that can be created with this backend.", + "parameters": [ + { + "name": "name", + "description": "Name of the role.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "rabbitmq_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "rabbitmq" + }, + "required": true + } + ], + "get": { + "summary": "Manage the roles that can be created with this backend.", + "operationId": "rabbit-mq-read-role", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "Manage the roles that can be created with this backend.", + "operationId": "rabbit-mq-write-role", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/RabbitMqWriteRoleRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Manage the roles that can be created with this backend.", + "operationId": "rabbit-mq-delete-role", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/{ssh_mount_path}/config/ca": { + "description": "Set the SSH private key used for signing certificates.", + "parameters": [ + { + "name": "ssh_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "ssh" + }, + "required": true + } + ], + "get": { + "operationId": "ssh-read-ca-configuration", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "ssh-configure-ca", + "tags": [ + "secrets" + ], + "requestBody": { + 
"required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/SshConfigureCaRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "ssh-delete-ca-configuration", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/{ssh_mount_path}/config/zeroaddress": { + "description": "Assign zero address as default CIDR block for select roles.", + "parameters": [ + { + "name": "ssh_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "ssh" + }, + "required": true + } + ], + "get": { + "operationId": "ssh-read-zero-address-configuration", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "ssh-configure-zero-address", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/SshConfigureZeroAddressRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "ssh-delete-zero-address-configuration", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/{ssh_mount_path}/creds/{role}": { + "description": "Creates a credential for establishing SSH connection with the remote host.", + "parameters": [ + { + "name": "role", + "description": "[Required] Name of the role", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "ssh_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "ssh" + }, + "required": true + } + ], + "post": { + "summary": "Creates a credential for establishing SSH connection with the remote host.", + "operationId": 
"ssh-generate-credentials", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/SshGenerateCredentialsRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{ssh_mount_path}/issue/{role}": { + "description": "Request a certificate using a certain role with the provided details.", + "parameters": [ + { + "name": "role", + "description": "The desired role with configuration for this request.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "ssh_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "ssh" + }, + "required": true + } + ], + "post": { + "operationId": "ssh-issue-certificate", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/SshIssueCertificateRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{ssh_mount_path}/lookup": { + "description": "List all the roles associated with the given IP address.", + "parameters": [ + { + "name": "ssh_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "ssh" + }, + "required": true + } + ], + "post": { + "summary": "List all the roles associated with the given IP address.", + "operationId": "ssh-list-roles-by-ip", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/SshListRolesByIpRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{ssh_mount_path}/public_key": { + "description": "Retrieve the public key.", + "parameters": [ + { + "name": "ssh_mount_path", + "description": "Path that the 
backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "ssh" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "summary": "Retrieve the public key.", + "operationId": "ssh-read-public-key", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{ssh_mount_path}/roles/": { + "description": "Manage the 'roles' that can be created with this backend.", + "parameters": [ + { + "name": "ssh_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "ssh" + }, + "required": true + } + ], + "get": { + "summary": "Manage the 'roles' that can be created with this backend.", + "operationId": "ssh-list-roles", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/{ssh_mount_path}/roles/{role}": { + "description": "Manage the 'roles' that can be created with this backend.", + "parameters": [ + { + "name": "role", + "description": "[Required for all types] Name of the role being created.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "ssh_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "ssh" + }, + "required": true + } + ], + "get": { + "summary": "Manage the 'roles' that can be created with this backend.", + "operationId": "ssh-read-role", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "Manage the 'roles' that can be created with this backend.", + 
"operationId": "ssh-write-role", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/SshWriteRoleRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "summary": "Manage the 'roles' that can be created with this backend.", + "operationId": "ssh-delete-role", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/{ssh_mount_path}/sign/{role}": { + "description": "Request signing an SSH key using a certain role with the provided details.", + "parameters": [ + { + "name": "role", + "description": "The desired role with configuration for this request.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "ssh_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "ssh" + }, + "required": true + } + ], + "post": { + "summary": "Request signing an SSH key using a certain role with the provided details.", + "operationId": "ssh-sign-certificate", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/SshSignCertificateRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{ssh_mount_path}/tidy/dynamic-keys": { + "description": "This endpoint removes the stored host keys used for the removed Dynamic Key feature, if present.", + "parameters": [ + { + "name": "ssh_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "ssh" + }, + "required": true + } + ], + "delete": { + "summary": "This endpoint removes the stored host keys used for the removed Dynamic Key feature, if present.", + "operationId": "ssh-tidy-dynamic-host-keys", + "tags": [ + 
"secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/{ssh_mount_path}/verify": { + "description": "Validate the OTP provided by Vault SSH Agent.", + "parameters": [ + { + "name": "ssh_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "ssh" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "summary": "Validate the OTP provided by Vault SSH Agent.", + "operationId": "ssh-verify-otp", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/SshVerifyOtpRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{terraform_mount_path}/config": { + "description": "Configure the Terraform Cloud / Enterprise backend.", + "parameters": [ + { + "name": "terraform_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "terraform" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "operationId": "terraform-cloud-read-configuration", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "terraform-cloud-configure", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TerraformCloudConfigureRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "terraform-cloud-delete-configuration", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/{terraform_mount_path}/creds/{name}": { + "description": "Generate a Terraform Cloud or Enterprise API token from a specific Vault role.", + "parameters": [ + { + "name": 
"name", + "description": "Name of the role", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "terraform_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "terraform" + }, + "required": true + } + ], + "get": { + "operationId": "terraform-cloud-generate-credentials", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "terraform-cloud-generate-credentials2", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{terraform_mount_path}/role/": { + "description": "List the existing roles in Terraform Cloud / Enterprise backend", + "parameters": [ + { + "name": "terraform_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "terraform" + }, + "required": true + } + ], + "get": { + "operationId": "terraform-cloud-list-roles", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/{terraform_mount_path}/role/{name}": { + "description": "Manages the Vault role for generating Terraform Cloud / Enterprise tokens.", + "parameters": [ + { + "name": "name", + "description": "Name of the role", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "terraform_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "terraform" + }, + "required": true + } + ], + "get": { + "operationId": 
"terraform-cloud-read-role", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "terraform-cloud-write-role", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TerraformCloudWriteRoleRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "terraform-cloud-delete-role", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/{terraform_mount_path}/rotate-role/{name}": { + "description": "Request to rotate the credentials for a team or organization.", + "parameters": [ + { + "name": "name", + "description": "Name of the team or organization role", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "terraform_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "terraform" + }, + "required": true + } + ], + "post": { + "operationId": "terraform-cloud-rotate-role", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{totp_mount_path}/code/{name}": { + "description": "Request time-based one-time use password or validate a password for a certain key .", + "parameters": [ + { + "name": "name", + "description": "Name of the key.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "totp_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "totp" + }, + "required": true + } + ], + "get": { + "operationId": "totp-generate-code", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "totp-validate-code", + "tags": [ + "secrets" + ], + 
"requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TotpValidateCodeRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{totp_mount_path}/keys/": { + "description": "Manage the keys that can be created with this backend.", + "parameters": [ + { + "name": "totp_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "totp" + }, + "required": true + } + ], + "get": { + "summary": "Manage the keys that can be created with this backend.", + "operationId": "totp-list-keys", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/{totp_mount_path}/keys/{name}": { + "description": "Manage the keys that can be created with this backend.", + "parameters": [ + { + "name": "name", + "description": "Name of the key.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "totp_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "totp" + }, + "required": true + } + ], + "get": { + "operationId": "totp-read-key", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "totp-create-key", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TotpCreateKeyRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + 
"operationId": "totp-delete-key", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/{transit_mount_path}/backup/{name}": { + "description": "Backup the named key", + "parameters": [ + { + "name": "name", + "description": "Name of the key", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "get": { + "summary": "Backup the named key", + "operationId": "transit-back-up-key", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/byok-export/{destination}/{source}": { + "description": "Securely export named encryption or signing key", + "parameters": [ + { + "name": "destination", + "description": "Destination key to export to; usually the public wrapping key of another Transit instance.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "source", + "description": "Source key to export; could be any present key within Transit.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "get": { + "summary": "Securely export named encryption or signing key", + "operationId": "transit-byok-key", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/byok-export/{destination}/{source}/{version}": { + "description": "Securely export named encryption or signing key", + "parameters": [ + { + "name": "destination", + "description": "Destination key to export to; usually the public wrapping key of another 
Transit instance.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "source", + "description": "Source key to export; could be any present key within Transit.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "version", + "description": "Optional version of the key to export, else all key versions are exported.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "get": { + "summary": "Securely export named encryption or signing key", + "operationId": "transit-byok-key-version", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/cache-config": { + "description": "Configure caching strategy", + "parameters": [ + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "get": { + "summary": "Returns the size of the active cache", + "operationId": "transit-read-cache-configuration", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "summary": "Configures a new cache of the specified size", + "operationId": "transit-configure-cache", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitConfigureCacheRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/config/keys": { + "description": "Configuration common across all keys", + "parameters": [ + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted 
at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "get": { + "operationId": "transit-read-keys-configuration", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "transit-configure-keys", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitConfigureKeysRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/datakey/{plaintext}/{name}": { + "description": "Generate a data key", + "parameters": [ + { + "name": "name", + "description": "The backend key used for encrypting the data key", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "plaintext", + "description": "\"plaintext\" will return the key in both plaintext and ciphertext; \"wrapped\" will return the ciphertext only.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Generate a data key", + "operationId": "transit-generate-data-key", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitGenerateDataKeyRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/decrypt/{name}": { + "description": "Decrypt a ciphertext value using a named key", + "parameters": [ + { + "name": "name", + "description": "Name of the key", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the 
backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Decrypt a ciphertext value using a named key", + "operationId": "transit-decrypt", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitDecryptRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/encrypt/{name}": { + "description": "Encrypt a plaintext value or a batch of plaintext blocks using a named key", + "parameters": [ + { + "name": "name", + "description": "Name of the key", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "post": { + "summary": "Encrypt a plaintext value or a batch of plaintext\nblocks using a named key", + "operationId": "transit-encrypt", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitEncryptRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/export/{type}/{name}": { + "description": "Export named encryption or signing key", + "parameters": [ + { + "name": "name", + "description": "Name of the key", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "type", + "description": "Type of key to export (encryption-key, signing-key, hmac-key, public-key)", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + 
"schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "get": { + "summary": "Export named encryption or signing key", + "operationId": "transit-export-key", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/export/{type}/{name}/{version}": { + "description": "Export named encryption or signing key", + "parameters": [ + { + "name": "name", + "description": "Name of the key", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "type", + "description": "Type of key to export (encryption-key, signing-key, hmac-key, public-key)", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "version", + "description": "Version of the key", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "get": { + "summary": "Export named encryption or signing key", + "operationId": "transit-export-key-version", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/hash": { + "description": "Generate a hash sum for input data", + "parameters": [ + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Generate a hash sum for input data", + "operationId": "transit-hash", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitHashRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + 
"/{transit_mount_path}/hash/{urlalgorithm}": { + "description": "Generate a hash sum for input data", + "parameters": [ + { + "name": "urlalgorithm", + "description": "Algorithm to use (POST URL parameter)", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Generate a hash sum for input data", + "operationId": "transit-hash-with-algorithm", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitHashWithAlgorithmRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/hmac/{name}": { + "description": "Generate an HMAC for input data using the named key", + "parameters": [ + { + "name": "name", + "description": "The key to use for the HMAC function", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Generate an HMAC for input data using the named key", + "operationId": "transit-generate-hmac", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitGenerateHmacRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/hmac/{name}/{urlalgorithm}": { + "description": "Generate an HMAC for input data using the named key", + "parameters": [ + { + "name": "name", + "description": "The key to use for the HMAC function", + "in": "path", + "schema": { + 
"type": "string" + }, + "required": true + }, + { + "name": "urlalgorithm", + "description": "Algorithm to use (POST URL parameter)", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Generate an HMAC for input data using the named key", + "operationId": "transit-generate-hmac-with-algorithm", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitGenerateHmacWithAlgorithmRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/keys/": { + "description": "Managed named encryption keys", + "parameters": [ + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "get": { + "summary": "Managed named encryption keys", + "operationId": "transit-list-keys", + "tags": [ + "secrets" + ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/{transit_mount_path}/keys/{name}": { + "description": "Managed named encryption keys", + "parameters": [ + { + "name": "name", + "description": "Name of the key", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + 
"type": "string", + "default": "transit" + }, + "required": true + } + ], + "get": { + "operationId": "transit-read-key", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "transit-create-key", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitCreateKeyRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + }, + "delete": { + "operationId": "transit-delete-key", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/{transit_mount_path}/keys/{name}/config": { + "description": "Configure a named encryption key", + "parameters": [ + { + "name": "name", + "description": "Name of the key", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Configure a named encryption key", + "operationId": "transit-configure-key", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitConfigureKeyRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/keys/{name}/csr": { + "description": "Create a CSR from a key in transit", + "parameters": [ + { + "name": "name", + "description": "Name of the key", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "operationId": 
"transit-generate-csr-for-key", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitGenerateCsrForKeyRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/keys/{name}/import": { + "description": "Imports an externally-generated key into a new transit key", + "parameters": [ + { + "name": "name", + "description": "The name of the key", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Imports an externally-generated key into a new transit key", + "operationId": "transit-import-key", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitImportKeyRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/keys/{name}/import_version": { + "description": "Imports an externally-generated key into an existing imported key", + "parameters": [ + { + "name": "name", + "description": "The name of the key", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Imports an externally-generated key into an existing imported key", + "operationId": "transit-import-key-version", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitImportKeyVersionRequest" 
+ } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/keys/{name}/rotate": { + "description": "Rotate named encryption key", + "parameters": [ + { + "name": "name", + "description": "Name of the key", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Rotate named encryption key", + "operationId": "transit-rotate-key", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitRotateKeyRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/keys/{name}/set-certificate": { + "description": "Imports an externally-signed certificate chain into an existing key version", + "parameters": [ + { + "name": "name", + "description": "Name of the key", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "operationId": "transit-set-certificate-for-key", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitSetCertificateForKeyRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/keys/{name}/trim": { + "description": "Trim key versions of a named key", + "parameters": [ + { + "name": "name", + "description": "Name of the key", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": 
"transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Trim key versions of a named key", + "operationId": "transit-trim-key", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitTrimKeyRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/random": { + "description": "Generate random bytes", + "parameters": [ + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Generate random bytes", + "operationId": "transit-generate-random", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitGenerateRandomRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/random/{source}": { + "description": "Generate random bytes", + "parameters": [ + { + "name": "source", + "description": "Which system to source random data from, ether \"platform\", \"seal\", or \"all\".", + "in": "path", + "schema": { + "type": "string", + "default": "platform" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Generate random bytes", + "operationId": "transit-generate-random-with-source", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": 
"#/components/schemas/TransitGenerateRandomWithSourceRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/random/{source}/{urlbytes}": { + "description": "Generate random bytes", + "parameters": [ + { + "name": "source", + "description": "Which system to source random data from, ether \"platform\", \"seal\", or \"all\".", + "in": "path", + "schema": { + "type": "string", + "default": "platform" + }, + "required": true + }, + { + "name": "urlbytes", + "description": "The number of bytes to generate (POST URL parameter)", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Generate random bytes", + "operationId": "transit-generate-random-with-source-and-bytes", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitGenerateRandomWithSourceAndBytesRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/random/{urlbytes}": { + "description": "Generate random bytes", + "parameters": [ + { + "name": "urlbytes", + "description": "The number of bytes to generate (POST URL parameter)", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Generate random bytes", + "operationId": "transit-generate-random-with-bytes", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": 
"#/components/schemas/TransitGenerateRandomWithBytesRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/restore": { + "description": "Restore the named key", + "parameters": [ + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Restore the named key", + "operationId": "transit-restore-key", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitRestoreKeyRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/restore/{name}": { + "description": "Restore the named key", + "parameters": [ + { + "name": "name", + "description": "If set, this will be the name of the restored key.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Restore the named key", + "operationId": "transit-restore-and-rename-key", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitRestoreAndRenameKeyRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/rewrap/{name}": { + "description": "Rewrap ciphertext", + "parameters": [ + { + "name": "name", + "description": "Name of the key", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { 
+ "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Rewrap ciphertext", + "operationId": "transit-rewrap", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitRewrapRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/sign/{name}": { + "description": "Generate a signature for input data using the named key", + "parameters": [ + { + "name": "name", + "description": "The key to use", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Generate a signature for input data using the named key", + "operationId": "transit-sign", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitSignRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/sign/{name}/{urlalgorithm}": { + "description": "Generate a signature for input data using the named key", + "parameters": [ + { + "name": "name", + "description": "The key to use", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "urlalgorithm", + "description": "Hash algorithm to use (POST URL parameter)", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Generate a signature for input data using the named key", + 
"operationId": "transit-sign-with-algorithm", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitSignWithAlgorithmRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/verify/{name}": { + "description": "Verify a signature or HMAC for input data created using the named key", + "parameters": [ + { + "name": "name", + "description": "The key to use", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Verify a signature or HMAC for input data created using the named key", + "operationId": "transit-verify", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitVerifyRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/verify/{name}/{urlalgorithm}": { + "description": "Verify a signature or HMAC for input data created using the named key", + "parameters": [ + { + "name": "name", + "description": "The key to use", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "urlalgorithm", + "description": "Hash algorithm to use (POST URL parameter)", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Verify a signature or HMAC for input data created using the named key", + "operationId": 
"transit-verify-with-algorithm", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitVerifyWithAlgorithmRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/wrapping_key": { + "description": "Returns the public key to use for wrapping imported keys", + "parameters": [ + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "get": { + "summary": "Returns the public key to use for wrapping imported keys", + "operationId": "transit-read-wrapping-key", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + } + }, + "components": { + "schemas": { + "AliCloudConfigureRequest": { + "type": "object", + "properties": { + "access_key": { + "type": "string", + "description": "Access key with appropriate permissions." + }, + "secret_key": { + "type": "string", + "description": "Secret key with appropriate permissions." + } + } + }, + "AliCloudLoginRequest": { + "type": "object", + "properties": { + "identity_request_headers": { + "type": "string", + "description": "The request headers. This must include the headers over which AliCloud has included a signature." + }, + "identity_request_url": { + "type": "string", + "description": "Base64-encoded full URL against which to make the AliCloud request." + }, + "role": { + "type": "string", + "description": "Name of the role against which the login is being attempted. If 'role' is not specified, then the login endpoint looks for a role name in the ARN returned by the GetCallerIdentity request. If a matching role is not found, login fails." 
+ } + }, + "required": [ + "role" + ] + }, + "AliCloudWriteAuthRoleRequest": { + "type": "object", + "properties": { + "arn": { + "type": "string", + "description": "ARN of the RAM to bind to this role." + }, + "bound_cidrs": { + "type": "array", + "description": "Use \"token_bound_cidrs\" instead. If this and \"token_bound_cidrs\" are both specified, only \"token_bound_cidrs\" will be used.", + "items": { + "type": "string" + }, + "deprecated": true + }, + "max_ttl": { + "type": "string", + "description": "Use \"token_max_ttl\" instead. If this and \"token_max_ttl\" are both specified, only \"token_max_ttl\" will be used.", + "format": "duration", + "deprecated": true + }, + "period": { + "type": "string", + "description": "Use \"token_period\" instead. If this and \"token_period\" are both specified, only \"token_period\" will be used.", + "format": "duration", + "deprecated": true + }, + "policies": { + "type": "array", + "description": "Use \"token_policies\" instead. If this and \"token_policies\" are both specified, only \"token_policies\" will be used.", + "items": { + "type": "string" + }, + "deprecated": true + }, + "token_bound_cidrs": { + "type": "array", + "description": "Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Generated Token's Bound CIDRs", + "description": "A list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "group": "Tokens" + } + }, + "token_explicit_max_ttl": { + "type": "string", + "description": "If set, tokens created via this role carry an explicit maximum TTL. 
During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Explicit Maximum TTL", + "group": "Tokens" + } + }, + "token_max_ttl": { + "type": "string", + "description": "The maximum lifetime of the generated token", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Maximum TTL", + "group": "Tokens" + } + }, + "token_no_default_policy": { + "type": "boolean", + "description": "If true, the 'default' policy will not automatically be added to generated tokens", + "x-vault-displayAttrs": { + "name": "Do Not Attach 'default' Policy To Generated Tokens", + "group": "Tokens" + } + }, + "token_num_uses": { + "type": "integer", + "description": "The maximum number of times a token may be used, a value of zero means unlimited", + "x-vault-displayAttrs": { + "name": "Maximum Uses of Generated Tokens", + "group": "Tokens" + } + }, + "token_period": { + "type": "string", + "description": "If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. 
\"24h\").", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Period", + "group": "Tokens" + } + }, + "token_policies": { + "type": "array", + "description": "Comma-separated list of policies", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Generated Token's Policies", + "description": "A list of policies that will apply to the generated token for this user.", + "group": "Tokens" + } + }, + "token_ttl": { + "type": "string", + "description": "The initial ttl of the token to generate", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Initial TTL", + "group": "Tokens" + } + }, + "token_type": { + "type": "string", + "description": "The type of token to generate, service or batch", + "default": "default-service", + "x-vault-displayAttrs": { + "name": "Generated Token's Type", + "group": "Tokens" + } + }, + "ttl": { + "type": "string", + "description": "Use \"token_ttl\" instead. If this and \"token_ttl\" are both specified, only \"token_ttl\" will be used.", + "format": "duration", + "deprecated": true + } + } + }, + "AliCloudWriteRoleRequest": { + "type": "object", + "properties": { + "inline_policies": { + "type": "string", + "description": "JSON of policies to be dynamically applied to users of this role." + }, + "max_ttl": { + "type": "string", + "description": "The maximum allowed lifetime of tokens issued using this role.", + "format": "duration" + }, + "remote_policies": { + "type": "array", + "description": "The name and type of each remote policy to be applied. Example: \"name:AliyunRDSReadOnlyAccess,type:System\".", + "items": { + "type": "string" + } + }, + "role_arn": { + "type": "string", + "description": "ARN of the role to be assumed. If provided, inline_policies and remote_policies should be blank. 
At creation time, this role must have configured trusted actors, and the access key and secret that will be used to assume the role (in /config) must qualify as a trusted actor." + }, + "ttl": { + "type": "string", + "description": "Duration in seconds after which the issued token should expire. Defaults to 0, in which case the value will fallback to the system/mount defaults.", + "format": "duration" + } + } + }, + "AliasCreateRequest": { + "type": "object", + "properties": { + "canonical_id": { + "type": "string", + "description": "Entity ID to which this alias belongs to" + }, + "entity_id": { + "type": "string", + "description": "Entity ID to which this alias belongs to. This field is deprecated in favor of 'canonical_id'." + }, + "id": { + "type": "string", + "description": "ID of the alias" + }, + "mount_accessor": { + "type": "string", + "description": "Mount accessor to which this alias belongs to" + }, + "name": { + "type": "string", + "description": "Name of the alias" + } + } + }, + "AliasUpdateByIdRequest": { + "type": "object", + "properties": { + "canonical_id": { + "type": "string", + "description": "Entity ID to which this alias should be tied to" + }, + "entity_id": { + "type": "string", + "description": "Entity ID to which this alias should be tied to. This field is deprecated in favor of 'canonical_id'." + }, + "mount_accessor": { + "type": "string", + "description": "Mount accessor to which this alias belongs to" + }, + "name": { + "type": "string", + "description": "Name of the alias" + } + } + }, + "AppRoleDestroySecretIdByAccessorRequest": { + "type": "object", + "properties": { + "secret_id_accessor": { + "type": "string", + "description": "Accessor of the SecretID" + } + } + }, + "AppRoleDestroySecretIdRequest": { + "type": "object", + "properties": { + "secret_id": { + "type": "string", + "description": "SecretID attached to the role." 
+ } + } + }, + "AppRoleLoginRequest": { + "type": "object", + "properties": { + "role_id": { + "type": "string", + "description": "Unique identifier of the Role. Required to be supplied when the 'bind_secret_id' constraint is set." + }, + "secret_id": { + "type": "string", + "description": "SecretID belong to the App role", + "default": "" + } + } + }, + "AppRoleLoginResponse": { + "type": "object", + "properties": { + "role": { + "type": "string" + } + } + }, + "AppRoleLookUpSecretIdByAccessorRequest": { + "type": "object", + "properties": { + "secret_id_accessor": { + "type": "string", + "description": "Accessor of the SecretID" + } + } + }, + "AppRoleLookUpSecretIdByAccessorResponse": { + "type": "object", + "properties": { + "cidr_list": { + "type": "array", + "description": "List of CIDR blocks enforcing secret IDs to be used from specific set of IP addresses. If 'bound_cidr_list' is set on the role, then the list of CIDR blocks listed here should be a subset of the CIDR blocks listed on the role.", + "items": { + "type": "string" + } + }, + "creation_time": { + "type": "string", + "format": "date-time" + }, + "expiration_time": { + "type": "string", + "format": "date-time" + }, + "last_updated_time": { + "type": "string", + "format": "date-time" + }, + "metadata": { + "type": "object", + "format": "kvpairs" + }, + "secret_id_accessor": { + "type": "string", + "description": "Accessor of the secret ID" + }, + "secret_id_num_uses": { + "type": "integer", + "description": "Number of times a secret ID can access the role, after which the secret ID will expire." + }, + "secret_id_ttl": { + "type": "string", + "description": "Duration in seconds after which the issued secret ID expires.", + "format": "duration" + }, + "token_bound_cidrs": { + "type": "array", + "description": "List of CIDR blocks. If set, specifies the blocks of IP addresses which can use the returned token. 
Should be a subset of the token CIDR blocks listed on the role, if any.", + "items": { + "type": "string" + } + } + } + }, + "AppRoleLookUpSecretIdRequest": { + "type": "object", + "properties": { + "secret_id": { + "type": "string", + "description": "SecretID attached to the role." + } + } + }, + "AppRoleLookUpSecretIdResponse": { + "type": "object", + "properties": { + "cidr_list": { + "type": "array", + "description": "List of CIDR blocks enforcing secret IDs to be used from specific set of IP addresses. If 'bound_cidr_list' is set on the role, then the list of CIDR blocks listed here should be a subset of the CIDR blocks listed on the role.", + "items": { + "type": "string" + } + }, + "creation_time": { + "type": "string", + "format": "date-time" + }, + "expiration_time": { + "type": "string", + "format": "date-time" + }, + "last_updated_time": { + "type": "string", + "format": "date-time" + }, + "metadata": { + "type": "object", + "format": "kvpairs" + }, + "secret_id_accessor": { + "type": "string", + "description": "Accessor of the secret ID" + }, + "secret_id_num_uses": { + "type": "integer", + "description": "Number of times a secret ID can access the role, after which the secret ID will expire." + }, + "secret_id_ttl": { + "type": "string", + "description": "Duration in seconds after which the issued secret ID expires.", + "format": "duration" + }, + "token_bound_cidrs": { + "type": "array", + "description": "List of CIDR blocks. If set, specifies the blocks of IP addresses which can use the returned token. Should be a subset of the token CIDR blocks listed on the role, if any.", + "items": { + "type": "string" + } + } + } + }, + "AppRoleReadBindSecretIdResponse": { + "type": "object", + "properties": { + "bind_secret_id": { + "type": "boolean", + "description": "Impose secret_id to be presented when logging in using this role. Defaults to 'true'." 
+ } + } + }, + "AppRoleReadBoundCidrListResponse": { + "type": "object", + "properties": { + "bound_cidr_list": { + "type": "array", + "description": "Deprecated: Please use \"secret_id_bound_cidrs\" instead. Comma separated string or list of CIDR blocks. If set, specifies the blocks of IP addresses which can perform the login operation.", + "items": { + "type": "string" + }, + "deprecated": true + } + } + }, + "AppRoleReadLocalSecretIdsResponse": { + "type": "object", + "properties": { + "local_secret_ids": { + "type": "boolean", + "description": "If true, the secret identifiers generated using this role will be cluster local. This can only be set during role creation and once set, it can't be reset later" + } + } + }, + "AppRoleReadPeriodResponse": { + "type": "object", + "properties": { + "period": { + "type": "string", + "description": "Use \"token_period\" instead. If this and \"token_period\" are both specified, only \"token_period\" will be used.", + "format": "duration", + "deprecated": true + }, + "token_period": { + "type": "string", + "description": "If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").", + "format": "duration" + } + } + }, + "AppRoleReadPoliciesResponse": { + "type": "object", + "properties": { + "policies": { + "type": "array", + "description": "Use \"token_policies\" instead. If this and \"token_policies\" are both specified, only \"token_policies\" will be used.", + "items": { + "type": "string" + }, + "deprecated": true + }, + "token_policies": { + "type": "array", + "description": "Comma-separated list of policies", + "items": { + "type": "string" + } + } + } + }, + "AppRoleReadRoleIdResponse": { + "type": "object", + "properties": { + "role_id": { + "type": "string", + "description": "Identifier of the role. Defaults to a UUID." 
+ } + } + }, + "AppRoleReadRoleResponse": { + "type": "object", + "properties": { + "bind_secret_id": { + "type": "boolean", + "description": "Impose secret ID to be presented when logging in using this role." + }, + "local_secret_ids": { + "type": "boolean", + "description": "If true, the secret identifiers generated using this role will be cluster local. This can only be set during role creation and once set, it can't be reset later" + }, + "period": { + "type": "string", + "description": "Use \"token_period\" instead. If this and \"token_period\" are both specified, only \"token_period\" will be used.", + "format": "duration", + "deprecated": true + }, + "policies": { + "type": "array", + "description": "Use \"token_policies\" instead. If this and \"token_policies\" are both specified, only \"token_policies\" will be used.", + "items": { + "type": "string" + }, + "deprecated": true + }, + "secret_id_bound_cidrs": { + "type": "array", + "description": "Comma separated string or list of CIDR blocks. If set, specifies the blocks of IP addresses which can perform the login operation.", + "items": { + "type": "string" + } + }, + "secret_id_num_uses": { + "type": "integer", + "description": "Number of times a secret ID can access the role, after which the secret ID will expire." + }, + "secret_id_ttl": { + "type": "string", + "description": "Duration in seconds after which the issued secret ID expires.", + "format": "duration" + }, + "token_bound_cidrs": { + "type": "array", + "description": "Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "items": { + "type": "string" + } + }, + "token_explicit_max_ttl": { + "type": "string", + "description": "If set, tokens created via this role carry an explicit maximum TTL. 
During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.", + "format": "duration" + }, + "token_max_ttl": { + "type": "string", + "description": "The maximum lifetime of the generated token", + "format": "duration" + }, + "token_no_default_policy": { + "type": "boolean", + "description": "If true, the 'default' policy will not automatically be added to generated tokens" + }, + "token_num_uses": { + "type": "integer", + "description": "The maximum number of times a token may be used, a value of zero means unlimited" + }, + "token_period": { + "type": "string", + "description": "If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value.", + "format": "duration" + }, + "token_policies": { + "type": "array", + "description": "Comma-separated list of policies", + "items": { + "type": "string" + } + }, + "token_ttl": { + "type": "string", + "description": "The initial ttl of the token to generate", + "format": "duration" + }, + "token_type": { + "type": "string", + "description": "The type of token to generate, service or batch", + "default": "default-service" + } + } + }, + "AppRoleReadSecretIdBoundCidrsResponse": { + "type": "object", + "properties": { + "secret_id_bound_cidrs": { + "type": "array", + "description": "Comma separated string or list of CIDR blocks. If set, specifies the blocks of IP addresses which can perform the login operation.", + "items": { + "type": "string" + } + } + } + }, + "AppRoleReadSecretIdNumUsesResponse": { + "type": "object", + "properties": { + "secret_id_num_uses": { + "type": "integer", + "description": "Number of times a secret ID can access the role, after which the SecretID will expire. Defaults to 0 meaning that the secret ID is of unlimited use." 
+ } + } + }, + "AppRoleReadSecretIdTtlResponse": { + "type": "object", + "properties": { + "secret_id_ttl": { + "type": "string", + "description": "Duration in seconds after which the issued secret ID should expire. Defaults to 0, meaning no expiration.", + "format": "duration" + } + } + }, + "AppRoleReadTokenBoundCidrsResponse": { + "type": "object", + "properties": { + "token_bound_cidrs": { + "type": "array", + "description": "Comma separated string or list of CIDR blocks. If set, specifies the blocks of IP addresses which can use the returned token. Should be a subset of the token CIDR blocks listed on the role, if any.", + "items": { + "type": "string" + } + } + } + }, + "AppRoleReadTokenMaxTtlResponse": { + "type": "object", + "properties": { + "token_max_ttl": { + "type": "string", + "description": "The maximum lifetime of the generated token", + "format": "duration" + } + } + }, + "AppRoleReadTokenNumUsesResponse": { + "type": "object", + "properties": { + "token_num_uses": { + "type": "integer", + "description": "The maximum number of times a token may be used, a value of zero means unlimited" + } + } + }, + "AppRoleReadTokenTtlResponse": { + "type": "object", + "properties": { + "token_ttl": { + "type": "string", + "description": "The initial ttl of the token to generate", + "format": "duration" + } + } + }, + "AppRoleWriteBindSecretIdRequest": { + "type": "object", + "properties": { + "bind_secret_id": { + "type": "boolean", + "description": "Impose secret_id to be presented when logging in using this role.", + "default": true + } + } + }, + "AppRoleWriteBoundCidrListRequest": { + "type": "object", + "properties": { + "bound_cidr_list": { + "type": "array", + "description": "Deprecated: Please use \"secret_id_bound_cidrs\" instead. Comma separated string or list of CIDR blocks. 
If set, specifies the blocks of IP addresses which can perform the login operation.", + "items": { + "type": "string" + } + } + } + }, + "AppRoleWriteCustomSecretIdRequest": { + "type": "object", + "properties": { + "cidr_list": { + "type": "array", + "description": "Comma separated string or list of CIDR blocks enforcing secret IDs to be used from specific set of IP addresses. If 'bound_cidr_list' is set on the role, then the list of CIDR blocks listed here should be a subset of the CIDR blocks listed on the role.", + "items": { + "type": "string" + } + }, + "metadata": { + "type": "string", + "description": "Metadata to be tied to the SecretID. This should be a JSON formatted string containing metadata in key value pairs." + }, + "num_uses": { + "type": "integer", + "description": "Number of times this SecretID can be used, after which the SecretID expires. Overrides secret_id_num_uses role option when supplied. May not be higher than role's secret_id_num_uses." + }, + "secret_id": { + "type": "string", + "description": "SecretID to be attached to the role." + }, + "token_bound_cidrs": { + "type": "array", + "description": "Comma separated string or list of CIDR blocks. If set, specifies the blocks of IP addresses which can use the returned token. Should be a subset of the token CIDR blocks listed on the role, if any.", + "items": { + "type": "string" + } + }, + "ttl": { + "type": "string", + "description": "Duration in seconds after which this SecretID expires. Overrides secret_id_ttl role option when supplied. May not be longer than role's secret_id_ttl.", + "format": "duration" + } + } + }, + "AppRoleWriteCustomSecretIdResponse": { + "type": "object", + "properties": { + "secret_id": { + "type": "string", + "description": "Secret ID attached to the role." 
+ }, + "secret_id_accessor": { + "type": "string", + "description": "Accessor of the secret ID" + }, + "secret_id_num_uses": { + "type": "integer", + "description": "Number of times a secret ID can access the role, after which the secret ID will expire." + }, + "secret_id_ttl": { + "type": "string", + "description": "Duration in seconds after which the issued secret ID expires.", + "format": "duration" + } + } + }, + "AppRoleWritePeriodRequest": { + "type": "object", + "properties": { + "period": { + "type": "string", + "description": "Use \"token_period\" instead. If this and \"token_period\" are both specified, only \"token_period\" will be used.", + "format": "duration", + "deprecated": true + }, + "token_period": { + "type": "string", + "description": "If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").", + "format": "duration" + } + } + }, + "AppRoleWritePoliciesRequest": { + "type": "object", + "properties": { + "policies": { + "type": "array", + "description": "Use \"token_policies\" instead. If this and \"token_policies\" are both specified, only \"token_policies\" will be used.", + "items": { + "type": "string" + }, + "deprecated": true + }, + "token_policies": { + "type": "array", + "description": "Comma-separated list of policies", + "items": { + "type": "string" + } + } + } + }, + "AppRoleWriteRoleIdRequest": { + "type": "object", + "properties": { + "role_id": { + "type": "string", + "description": "Identifier of the role. Defaults to a UUID." + } + } + }, + "AppRoleWriteRoleRequest": { + "type": "object", + "properties": { + "bind_secret_id": { + "type": "boolean", + "description": "Impose secret_id to be presented when logging in using this role. 
Defaults to 'true'.", + "default": true + }, + "bound_cidr_list": { + "type": "array", + "description": "Use \"secret_id_bound_cidrs\" instead.", + "items": { + "type": "string" + }, + "deprecated": true + }, + "local_secret_ids": { + "type": "boolean", + "description": "If set, the secret IDs generated using this role will be cluster local. This can only be set during role creation and once set, it can't be reset later." + }, + "period": { + "type": "string", + "description": "Use \"token_period\" instead. If this and \"token_period\" are both specified, only \"token_period\" will be used.", + "format": "duration", + "deprecated": true + }, + "policies": { + "type": "array", + "description": "Use \"token_policies\" instead. If this and \"token_policies\" are both specified, only \"token_policies\" will be used.", + "items": { + "type": "string" + }, + "deprecated": true + }, + "role_id": { + "type": "string", + "description": "Identifier of the role. Defaults to a UUID." + }, + "secret_id_bound_cidrs": { + "type": "array", + "description": "Comma separated string or list of CIDR blocks. If set, specifies the blocks of IP addresses which can perform the login operation.", + "items": { + "type": "string" + } + }, + "secret_id_num_uses": { + "type": "integer", + "description": "Number of times a SecretID can access the role, after which the SecretID will expire. Defaults to 0 meaning that the the secret_id is of unlimited use." + }, + "secret_id_ttl": { + "type": "string", + "description": "Duration in seconds after which the issued SecretID should expire. Defaults to 0, meaning no expiration.", + "format": "duration" + }, + "token_bound_cidrs": { + "type": "array", + "description": "Comma separated string or JSON list of CIDR blocks. 
If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Generated Token's Bound CIDRs", + "description": "A list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "group": "Tokens" + } + }, + "token_explicit_max_ttl": { + "type": "string", + "description": "If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Explicit Maximum TTL", + "group": "Tokens" + } + }, + "token_max_ttl": { + "type": "string", + "description": "The maximum lifetime of the generated token", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Maximum TTL", + "group": "Tokens" + } + }, + "token_no_default_policy": { + "type": "boolean", + "description": "If true, the 'default' policy will not automatically be added to generated tokens", + "x-vault-displayAttrs": { + "name": "Do Not Attach 'default' Policy To Generated Tokens", + "group": "Tokens" + } + }, + "token_num_uses": { + "type": "integer", + "description": "The maximum number of times a token may be used, a value of zero means unlimited", + "x-vault-displayAttrs": { + "name": "Maximum Uses of Generated Tokens", + "group": "Tokens" + } + }, + "token_period": { + "type": "string", + "description": "If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. 
\"24h\").", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Period", + "group": "Tokens" + } + }, + "token_policies": { + "type": "array", + "description": "Comma-separated list of policies", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Generated Token's Policies", + "description": "A list of policies that will apply to the generated token for this user.", + "group": "Tokens" + } + }, + "token_ttl": { + "type": "string", + "description": "The initial ttl of the token to generate", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Initial TTL", + "group": "Tokens" + } + }, + "token_type": { + "type": "string", + "description": "The type of token to generate, service or batch", + "default": "default-service", + "x-vault-displayAttrs": { + "name": "Generated Token's Type", + "group": "Tokens" + } + } + } + }, + "AppRoleWriteSecretIdBoundCidrsRequest": { + "type": "object", + "properties": { + "secret_id_bound_cidrs": { + "type": "array", + "description": "Comma separated string or list of CIDR blocks. If set, specifies the blocks of IP addresses which can perform the login operation.", + "items": { + "type": "string" + } + } + } + }, + "AppRoleWriteSecretIdNumUsesRequest": { + "type": "object", + "properties": { + "secret_id_num_uses": { + "type": "integer", + "description": "Number of times a SecretID can access the role, after which the SecretID will expire." + } + } + }, + "AppRoleWriteSecretIdRequest": { + "type": "object", + "properties": { + "cidr_list": { + "type": "array", + "description": "Comma separated string or list of CIDR blocks enforcing secret IDs to be used from specific set of IP addresses. 
If 'bound_cidr_list' is set on the role, then the list of CIDR blocks listed here should be a subset of the CIDR blocks listed on the role.", + "items": { + "type": "string" + } + }, + "metadata": { + "type": "string", + "description": "Metadata to be tied to the SecretID. This should be a JSON formatted string containing the metadata in key value pairs." + }, + "num_uses": { + "type": "integer", + "description": "Number of times this SecretID can be used, after which the SecretID expires. Overrides secret_id_num_uses role option when supplied. May not be higher than role's secret_id_num_uses." + }, + "token_bound_cidrs": { + "type": "array", + "description": "Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "items": { + "type": "string" + } + }, + "ttl": { + "type": "string", + "description": "Duration in seconds after which this SecretID expires. Overrides secret_id_ttl role option when supplied. May not be longer than role's secret_id_ttl.", + "format": "duration" + } + } + }, + "AppRoleWriteSecretIdResponse": { + "type": "object", + "properties": { + "secret_id": { + "type": "string", + "description": "Secret ID attached to the role." + }, + "secret_id_accessor": { + "type": "string", + "description": "Accessor of the secret ID" + }, + "secret_id_num_uses": { + "type": "integer", + "description": "Number of times a secret ID can access the role, after which the secret ID will expire." + }, + "secret_id_ttl": { + "type": "string", + "description": "Duration in seconds after which the issued secret ID expires.", + "format": "duration" + } + } + }, + "AppRoleWriteSecretIdTtlRequest": { + "type": "object", + "properties": { + "secret_id_ttl": { + "type": "string", + "description": "Duration in seconds after which the issued SecretID should expire. 
Defaults to 0, meaning no expiration.", + "format": "duration" + } + } + }, + "AppRoleWriteTokenBoundCidrsRequest": { + "type": "object", + "properties": { + "token_bound_cidrs": { + "type": "array", + "description": "Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "items": { + "type": "string" + } + } + } + }, + "AppRoleWriteTokenMaxTtlRequest": { + "type": "object", + "properties": { + "token_max_ttl": { + "type": "string", + "description": "The maximum lifetime of the generated token", + "format": "duration" + } + } + }, + "AppRoleWriteTokenNumUsesRequest": { + "type": "object", + "properties": { + "token_num_uses": { + "type": "integer", + "description": "The maximum number of times a token may be used, a value of zero means unlimited" + } + } + }, + "AppRoleWriteTokenTtlRequest": { + "type": "object", + "properties": { + "token_ttl": { + "type": "string", + "description": "The initial ttl of the token to generate", + "format": "duration" + } + } + }, + "AuditingCalculateHashRequest": { + "type": "object", + "properties": { + "input": { + "type": "string" + } + } + }, + "AuditingCalculateHashResponse": { + "type": "object", + "properties": { + "hash": { + "type": "string" + } + } + }, + "AuditingEnableDeviceRequest": { + "type": "object", + "properties": { + "description": { + "type": "string", + "description": "User-friendly description for this audit backend." + }, + "local": { + "type": "boolean", + "description": "Mark the mount as a local mount, which is not replicated and is unaffected by replication.", + "default": false + }, + "options": { + "type": "object", + "description": "Configuration options for the audit backend.", + "format": "kvpairs" + }, + "type": { + "type": "string", + "description": "The type of the backend. 
Example: \"mysql\"" + } + } + }, + "AuditingEnableRequestHeaderRequest": { + "type": "object", + "properties": { + "hmac": { + "type": "boolean" + } + } + }, + "AuditingListRequestHeadersResponse": { + "type": "object", + "properties": { + "headers": { + "type": "object", + "format": "map" + } + } + }, + "AuthEnableMethodRequest": { + "type": "object", + "properties": { + "config": { + "type": "object", + "description": "Configuration for this mount, such as plugin_name.", + "format": "map" + }, + "description": { + "type": "string", + "description": "User-friendly description for this credential backend." + }, + "external_entropy_access": { + "type": "boolean", + "description": "Whether to give the mount access to Vault's external entropy.", + "default": false + }, + "local": { + "type": "boolean", + "description": "Mark the mount as a local mount, which is not replicated and is unaffected by replication.", + "default": false + }, + "options": { + "type": "object", + "description": "The options to pass into the backend. Should be a json object with string keys and values.", + "format": "kvpairs" + }, + "plugin_name": { + "type": "string", + "description": "Name of the auth plugin to use based from the name in the plugin catalog." + }, + "plugin_version": { + "type": "string", + "description": "The semantic version of the plugin to use, or image tag if oci_image is provided." + }, + "seal_wrap": { + "type": "boolean", + "description": "Whether to turn on seal wrapping for the mount.", + "default": false + }, + "type": { + "type": "string", + "description": "The type of the backend. 
Example: \"userpass\"" + } + } + }, + "AuthReadConfigurationResponse": { + "type": "object", + "properties": { + "accessor": { + "type": "string" + }, + "config": { + "type": "object", + "format": "map" + }, + "deprecation_status": { + "type": "string" + }, + "description": { + "type": "string" + }, + "external_entropy_access": { + "type": "boolean" + }, + "local": { + "type": "boolean" + }, + "options": { + "type": "object", + "format": "map" + }, + "plugin_version": { + "type": "string" + }, + "running_plugin_version": { + "type": "string" + }, + "running_sha256": { + "type": "string" + }, + "seal_wrap": { + "type": "boolean" + }, + "type": { + "type": "string" + }, + "uuid": { + "type": "string" + } + } + }, + "AuthReadTuningInformationResponse": { + "type": "object", + "properties": { + "allowed_managed_keys": { + "type": "array", + "items": { + "type": "string" + } + }, + "allowed_response_headers": { + "type": "array", + "items": { + "type": "string" + } + }, + "audit_non_hmac_request_keys": { + "type": "array", + "items": { + "type": "string" + } + }, + "audit_non_hmac_response_keys": { + "type": "array", + "items": { + "type": "string" + } + }, + "default_lease_ttl": { + "type": "integer" + }, + "description": { + "type": "string" + }, + "external_entropy_access": { + "type": "boolean" + }, + "force_no_cache": { + "type": "boolean" + }, + "listing_visibility": { + "type": "string" + }, + "max_lease_ttl": { + "type": "integer" + }, + "options": { + "type": "object", + "format": "map" + }, + "passthrough_request_headers": { + "type": "array", + "items": { + "type": "string" + } + }, + "plugin_version": { + "type": "string" + }, + "token_type": { + "type": "string" + }, + "user_lockout_counter_reset_duration": { + "type": "integer", + "format": "int64" + }, + "user_lockout_disable": { + "type": "boolean" + }, + "user_lockout_duration": { + "type": "integer", + "format": "int64" + }, + "user_lockout_threshold": { + "type": "integer", + "format": "int64" + } + } 
+ }, + "AuthTuneConfigurationParametersRequest": { + "type": "object", + "properties": { + "allowed_response_headers": { + "type": "array", + "description": "A list of headers to whitelist and allow a plugin to set on responses.", + "items": { + "type": "string" + } + }, + "audit_non_hmac_request_keys": { + "type": "array", + "description": "The list of keys in the request data object that will not be HMAC'ed by audit devices.", + "items": { + "type": "string" + } + }, + "audit_non_hmac_response_keys": { + "type": "array", + "description": "The list of keys in the response data object that will not be HMAC'ed by audit devices.", + "items": { + "type": "string" + } + }, + "default_lease_ttl": { + "type": "string", + "description": "The default lease TTL for this mount." + }, + "description": { + "type": "string", + "description": "User-friendly description for this credential backend." + }, + "listing_visibility": { + "type": "string", + "description": "Determines the visibility of the mount in the UI-specific listing endpoint. Accepted value are 'unauth' and 'hidden', with the empty default ('') behaving like 'hidden'." + }, + "max_lease_ttl": { + "type": "string", + "description": "The max lease TTL for this mount." + }, + "options": { + "type": "object", + "description": "The options to pass into the backend. Should be a json object with string keys and values.", + "format": "kvpairs" + }, + "passthrough_request_headers": { + "type": "array", + "description": "A list of headers to whitelist and pass from the request to the plugin.", + "items": { + "type": "string" + } + }, + "plugin_version": { + "type": "string", + "description": "The semantic version of the plugin to use, or image tag if oci_image is provided." + }, + "token_type": { + "type": "string", + "description": "The type of token to issue (service or batch)." + }, + "user_lockout_config": { + "type": "object", + "description": "The user lockout configuration to pass into the backend. 
Should be a json object with string keys and values.", + "format": "map" + } + } + }, + "AwsConfigureCertificateRequest": { + "type": "object", + "properties": { + "aws_public_cert": { + "type": "string", + "description": "Base64 encoded AWS Public cert required to verify PKCS7 signature of the EC2 instance metadata." + }, + "type": { + "type": "string", + "description": "Takes the value of either \"pkcs7\" or \"identity\", indicating the type of document which can be verified using the given certificate. The reason is that the PKCS#7 document will have a DSA digest and the identity signature will have an RSA signature, and accordingly the public certificates to verify those also vary. Defaults to \"pkcs7\".", + "default": "pkcs7" + } + } + }, + "AwsConfigureClientRequest": { + "type": "object", + "properties": { + "access_key": { + "type": "string", + "description": "AWS Access Key ID for the account used to make AWS API requests.", + "default": "" + }, + "allowed_sts_header_values": { + "type": "array", + "description": "List of additional headers that are allowed to be in AWS STS request headers", + "items": { + "type": "string" + } + }, + "endpoint": { + "type": "string", + "description": "URL to override the default generated endpoint for making AWS EC2 API calls.", + "default": "" + }, + "iam_endpoint": { + "type": "string", + "description": "URL to override the default generated endpoint for making AWS IAM API calls.", + "default": "" + }, + "iam_server_id_header_value": { + "type": "string", + "description": "Value to require in the X-Vault-AWS-IAM-Server-ID request header", + "default": "" + }, + "max_retries": { + "type": "integer", + "description": "Maximum number of retries for recoverable exceptions of AWS APIs", + "default": -1 + }, + "secret_key": { + "type": "string", + "description": "AWS Secret Access Key for the account used to make AWS API requests.", + "default": "" + }, + "sts_endpoint": { + "type": "string", + "description": "URL to override 
the default generated endpoint for making AWS STS API calls.", + "default": "" + }, + "sts_region": { + "type": "string", + "description": "The region ID for the sts_endpoint, if set.", + "default": "" + }, + "use_sts_region_from_client": { + "type": "boolean", + "description": "Uses the STS region from client requests for making AWS STS API calls.", + "default": false + } + } + }, + "AwsConfigureIdentityAccessListTidyOperationRequest": { + "type": "object", + "properties": { + "disable_periodic_tidy": { + "type": "boolean", + "description": "If set to 'true', disables the periodic tidying of the 'identity-accesslist/' entries.", + "default": false + }, + "safety_buffer": { + "type": "string", + "description": "The amount of extra time that must have passed beyond the identity's expiration, before it is removed from the backend storage.", + "format": "duration", + "default": 259200 + } + } + }, + "AwsConfigureIdentityIntegrationRequest": { + "type": "object", + "properties": { + "ec2_alias": { + "type": "string", + "description": "Configure how the AWS auth method generates entity alias when using EC2 auth. Valid values are \"role_id\", \"instance_id\", and \"image_id\". Defaults to \"role_id\".", + "default": "instance_id" + }, + "ec2_metadata": { + "type": "array", + "description": "The metadata to include on the aliases and audit logs generated by this plugin. When set to 'default', includes: account_id, auth_type. These fields are available to add: ami_id, instance_id, region. Not editing this field means the 'default' fields are included. Explicitly setting this field to empty overrides the 'default' and means no metadata will be included. 
If not using 'default', explicit fields must be sent like: 'field1,field2'.", + "items": { + "type": "string" + }, + "default": [ + "default" + ], + "x-vault-displayAttrs": { + "name": "ec2_metadata", + "value": "field1,field2" + } + }, + "iam_alias": { + "type": "string", + "description": "Configure how the AWS auth method generates entity aliases when using IAM auth. Valid values are \"role_id\", \"unique_id\", and \"full_arn\". Defaults to \"role_id\".", + "default": "unique_id" + }, + "iam_metadata": { + "type": "array", + "description": "The metadata to include on the aliases and audit logs generated by this plugin. When set to 'default', includes: account_id, auth_type. These fields are available to add: canonical_arn, client_arn, client_user_id, inferred_aws_region, inferred_entity_id, inferred_entity_type. Not editing this field means the 'default' fields are included. Explicitly setting this field to empty overrides the 'default' and means no metadata will be included. If not using 'default', explicit fields must be sent like: 'field1,field2'.", + "items": { + "type": "string" + }, + "default": [ + "default" + ], + "x-vault-displayAttrs": { + "name": "iam_metadata", + "value": "field1,field2" + } + } + } + }, + "AwsConfigureIdentityWhitelistTidyOperationRequest": { + "type": "object", + "properties": { + "disable_periodic_tidy": { + "type": "boolean", + "description": "If set to 'true', disables the periodic tidying of the 'identity-accesslist/' entries.", + "default": false + }, + "safety_buffer": { + "type": "string", + "description": "The amount of extra time that must have passed beyond the identity's expiration, before it is removed from the backend storage.", + "format": "duration", + "default": 259200 + } + } + }, + "AwsConfigureLeaseRequest": { + "type": "object", + "properties": { + "lease": { + "type": "string", + "description": "Default lease for roles." 
+ }, + "lease_max": { + "type": "string", + "description": "Maximum time a credential is valid for." + } + } + }, + "AwsConfigureRoleTagBlacklistTidyOperationRequest": { + "type": "object", + "properties": { + "disable_periodic_tidy": { + "type": "boolean", + "description": "If set to 'true', disables the periodic tidying of deny listed entries.", + "default": false + }, + "safety_buffer": { + "type": "string", + "description": "The amount of extra time that must have passed beyond the roletag expiration, before it is removed from the backend storage. Defaults to 4320h (180 days).", + "format": "duration", + "default": 15552000 + } + } + }, + "AwsConfigureRoleTagDenyListTidyOperationRequest": { + "type": "object", + "properties": { + "disable_periodic_tidy": { + "type": "boolean", + "description": "If set to 'true', disables the periodic tidying of deny listed entries.", + "default": false + }, + "safety_buffer": { + "type": "string", + "description": "The amount of extra time that must have passed beyond the roletag expiration, before it is removed from the backend storage. Defaults to 4320h (180 days).", + "format": "duration", + "default": 15552000 + } + } + }, + "AwsConfigureRootIamCredentialsRequest": { + "type": "object", + "properties": { + "access_key": { + "type": "string", + "description": "Access key with permission to create new keys." + }, + "iam_endpoint": { + "type": "string", + "description": "Endpoint to custom IAM server URL" + }, + "max_retries": { + "type": "integer", + "description": "Maximum number of retries for recoverable exceptions of AWS APIs", + "default": -1 + }, + "region": { + "type": "string", + "description": "Region for API calls." + }, + "secret_key": { + "type": "string", + "description": "Secret key with permission to create new keys." 
+ }, + "sts_endpoint": { + "type": "string", + "description": "Endpoint to custom STS server URL" + }, + "username_template": { + "type": "string", + "description": "Template to generate custom IAM usernames" + } + } + }, + "AwsGenerateCredentialsWithParametersRequest": { + "type": "object", + "properties": { + "role_arn": { + "type": "string", + "description": "ARN of role to assume when credential_type is assumed_role" + }, + "role_session_name": { + "type": "string", + "description": "Session name to use when assuming role. Max chars: 64" + }, + "ttl": { + "type": "string", + "description": "Lifetime of the returned credentials in seconds", + "format": "duration", + "default": 3600 + } + } + }, + "AwsGenerateStsCredentialsWithParametersRequest": { + "type": "object", + "properties": { + "role_arn": { + "type": "string", + "description": "ARN of role to assume when credential_type is assumed_role" + }, + "role_session_name": { + "type": "string", + "description": "Session name to use when assuming role. Max chars: 64" + }, + "ttl": { + "type": "string", + "description": "Lifetime of the returned credentials in seconds", + "format": "duration", + "default": 3600 + } + } + }, + "AwsLoginRequest": { + "type": "object", + "properties": { + "iam_http_request_method": { + "type": "string", + "description": "HTTP method to use for the AWS request when auth_type is iam. This must match what has been signed in the presigned request." + }, + "iam_request_body": { + "type": "string", + "description": "Base64-encoded request body when auth_type is iam. This must match the request body included in the signature." + }, + "iam_request_headers": { + "type": "string", + "description": "Key/value pairs of headers for use in the sts:GetCallerIdentity HTTP requests headers when auth_type is iam. Can be either a Base64-encoded, JSON-serialized string, or a JSON object of key/value pairs. This must at a minimum include the headers over which AWS has included a signature." 
+ }, + "iam_request_url": { + "type": "string", + "description": "Base64-encoded full URL against which to make the AWS request when using iam auth_type." + }, + "identity": { + "type": "string", + "description": "Base64 encoded EC2 instance identity document. This needs to be supplied along with the 'signature' parameter. If using 'curl' for fetching the identity document, consider using the option '-w 0' while piping the output to 'base64' binary." + }, + "nonce": { + "type": "string", + "description": "The nonce to be used for subsequent login requests when auth_type is ec2. If this parameter is not specified at all and if reauthentication is allowed, then the backend will generate a random nonce, attaches it to the instance's identity access list entry and returns the nonce back as part of auth metadata. This value should be used with further login requests, to establish client authenticity. Clients can choose to set a custom nonce if preferred, in which case, it is recommended that clients provide a strong nonce. If a nonce is provided but with an empty value, it indicates intent to disable reauthentication. Note that, when 'disallow_reauthentication' option is enabled on either the role or the role tag, the 'nonce' holds no significance." + }, + "pkcs7": { + "type": "string", + "description": "PKCS7 signature of the identity document when using an auth_type of ec2." + }, + "role": { + "type": "string", + "description": "Name of the role against which the login is being attempted. If 'role' is not specified, then the login endpoint looks for a role bearing the name of the AMI ID of the EC2 instance that is trying to login. If a matching role is not found, login fails." + }, + "signature": { + "type": "string", + "description": "Base64 encoded SHA256 RSA signature of the instance identity document. This needs to be supplied along with 'identity' parameter." 
+ } + } + }, + "AwsReadStaticCredsNameResponse": { + "type": "object", + "properties": { + "access_key": { + "type": "string", + "description": "The access key of the AWS Credential" + }, + "secret_key": { + "type": "string", + "description": "The secret key of the AWS Credential" + } + } + }, + "AwsReadStaticRolesNameResponse": { + "type": "object", + "properties": { + "name": { + "type": "string", + "description": "The name of this role." + }, + "rotation_period": { + "type": "string", + "description": "Period by which to rotate the backing credential of the adopted user. This can be a Go duration (e.g, '1m', 24h'), or an integer number of seconds.", + "format": "duration" + }, + "username": { + "type": "string", + "description": "The IAM user to adopt as a static role." + } + } + }, + "AwsTidyIdentityAccessListRequest": { + "type": "object", + "properties": { + "safety_buffer": { + "type": "string", + "description": "The amount of extra time that must have passed beyond the identity's expiration, before it is removed from the backend storage.", + "format": "duration", + "default": 259200 + } + } + }, + "AwsTidyIdentityWhitelistRequest": { + "type": "object", + "properties": { + "safety_buffer": { + "type": "string", + "description": "The amount of extra time that must have passed beyond the identity's expiration, before it is removed from the backend storage.", + "format": "duration", + "default": 259200 + } + } + }, + "AwsTidyRoleTagBlacklistRequest": { + "type": "object", + "properties": { + "safety_buffer": { + "type": "string", + "description": "The amount of extra time that must have passed beyond the roletag expiration, before it is removed from the backend storage.", + "format": "duration", + "default": 259200 + } + } + }, + "AwsTidyRoleTagDenyListRequest": { + "type": "object", + "properties": { + "safety_buffer": { + "type": "string", + "description": "The amount of extra time that must have passed beyond the roletag expiration, before it is removed 
from the backend storage.", + "format": "duration", + "default": 259200 + } + } + }, + "AwsWriteAuthRoleRequest": { + "type": "object", + "properties": { + "allow_instance_migration": { + "type": "boolean", + "description": "If set, allows migration of the underlying instance where the client resides. This keys off of pendingTime in the metadata document, so essentially, this disables the client nonce check whenever the instance is migrated to a new host and pendingTime is newer than the previously-remembered time. Use with caution. This is only checked when auth_type is ec2.", + "default": false + }, + "auth_type": { + "type": "string", + "description": "The auth_type permitted to authenticate to this role. Must be one of iam or ec2 and cannot be changed after role creation." + }, + "bound_account_id": { + "type": "array", + "description": "If set, defines a constraint on the EC2 instances that the account ID in its identity document to match one of the IDs specified by this parameter. This is only applicable when auth_type is ec2 or inferred_entity_type is ec2_instance.", + "items": { + "type": "string" + } + }, + "bound_ami_id": { + "type": "array", + "description": "If set, defines a constraint on the EC2 instances that they should be using one of the AMI IDs specified by this parameter. This is only applicable when auth_type is ec2 or inferred_entity_type is ec2_instance.", + "items": { + "type": "string" + } + }, + "bound_ec2_instance_id": { + "type": "array", + "description": "If set, defines a constraint on the EC2 instances to have one of the given instance IDs. Can be a list or comma-separated string of EC2 instance IDs. This is only applicable when auth_type is ec2 or inferred_entity_type is ec2_instance.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "description": "If set, defines a constraint on the EC2 instances to have one of the given instance IDs. A list of EC2 instance IDs. 
This is only applicable when auth_type is ec2 or inferred_entity_type is ec2_instance." + } + }, + "bound_iam_instance_profile_arn": { + "type": "array", + "description": "If set, defines a constraint on the EC2 instances to be associated with an IAM instance profile ARN which has a prefix that matches one of the values specified by this parameter. The value is prefix-matched (as though it were a glob ending in '*'). This is only applicable when auth_type is ec2 or inferred_entity_type is ec2_instance.", + "items": { + "type": "string" + } + }, + "bound_iam_principal_arn": { + "type": "array", + "description": "ARN of the IAM principals to bind to this role. Only applicable when auth_type is iam.", + "items": { + "type": "string" + } + }, + "bound_iam_role_arn": { + "type": "array", + "description": "If set, defines a constraint on the authenticating EC2 instance that it must match one of the IAM role ARNs specified by this parameter. The value is prefix-matched (as though it were a glob ending in '*'). The configured IAM user or EC2 instance role must be allowed to execute the 'iam:GetInstanceProfile' action if this is specified. This is only applicable when auth_type is ec2 or inferred_entity_type is ec2_instance.", + "items": { + "type": "string" + } + }, + "bound_region": { + "type": "array", + "description": "If set, defines a constraint on the EC2 instances that the region in its identity document match one of the regions specified by this parameter. This is only applicable when auth_type is ec2.", + "items": { + "type": "string" + } + }, + "bound_subnet_id": { + "type": "array", + "description": "If set, defines a constraint on the EC2 instance to be associated with the subnet ID that matches one of the values specified by this parameter. 
This is only applicable when auth_type is ec2 or inferred_entity_type is ec2_instance.", + "items": { + "type": "string" + } + }, + "bound_vpc_id": { + "type": "array", + "description": "If set, defines a constraint on the EC2 instance to be associated with a VPC ID that matches one of the value specified by this parameter. This is only applicable when auth_type is ec2 or inferred_entity_type is ec2_instance.", + "items": { + "type": "string" + } + }, + "disallow_reauthentication": { + "type": "boolean", + "description": "If set, only allows a single token to be granted per instance ID. In order to perform a fresh login, the entry in the access list for the instance ID needs to be cleared using 'auth/aws-ec2/identity-accesslist/' endpoint. This is only applicable when auth_type is ec2.", + "default": false + }, + "inferred_aws_region": { + "type": "string", + "description": "When auth_type is iam and inferred_entity_type is set, the region to assume the inferred entity exists in." + }, + "inferred_entity_type": { + "type": "string", + "description": "When auth_type is iam, the AWS entity type to infer from the authenticated principal. The only supported value is ec2_instance, which will extract the EC2 instance ID from the authenticated role and apply the following restrictions specific to EC2 instances: bound_ami_id, bound_account_id, bound_iam_role_arn, bound_iam_instance_profile_arn, bound_vpc_id, bound_subnet_id. The configured EC2 client must be able to find the inferred instance ID in the results, and the instance must be running. If unable to determine the EC2 instance ID or unable to find the EC2 instance ID among running instances, then authentication will fail." + }, + "max_ttl": { + "type": "string", + "description": "Use \"token_max_ttl\" instead. 
If this and \"token_max_ttl\" are both specified, only \"token_max_ttl\" will be used.", + "format": "duration", + "deprecated": true + }, + "period": { + "type": "string", + "description": "Use \"token_period\" instead. If this and \"token_period\" are both specified, only \"token_period\" will be used.", + "format": "duration", + "deprecated": true + }, + "policies": { + "type": "array", + "description": "Use \"token_policies\" instead. If this and \"token_policies\" are both specified, only \"token_policies\" will be used.", + "items": { + "type": "string" + }, + "deprecated": true + }, + "resolve_aws_unique_ids": { + "type": "boolean", + "description": "If set, resolve all AWS IAM ARNs into AWS's internal unique IDs. When an IAM entity (e.g., user, role, or instance profile) is deleted, then all references to it within the role will be invalidated, which prevents a new IAM entity from being created with the same name and matching the role's IAM binds. Once set, this cannot be unset.", + "default": true + }, + "role_tag": { + "type": "string", + "description": "If set, enables the role tags for this role. The value set for this field should be the 'key' of the tag on the EC2 instance. The 'value' of the tag should be generated using 'role//tag' endpoint. Defaults to an empty string, meaning that role tags are disabled. This is only allowed if auth_type is ec2.", + "default": "" + }, + "token_bound_cidrs": { + "type": "array", + "description": "Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Generated Token's Bound CIDRs", + "description": "A list of CIDR blocks. 
If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "group": "Tokens" + } + }, + "token_explicit_max_ttl": { + "type": "string", + "description": "If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Explicit Maximum TTL", + "group": "Tokens" + } + }, + "token_max_ttl": { + "type": "string", + "description": "The maximum lifetime of the generated token", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Maximum TTL", + "group": "Tokens" + } + }, + "token_no_default_policy": { + "type": "boolean", + "description": "If true, the 'default' policy will not automatically be added to generated tokens", + "x-vault-displayAttrs": { + "name": "Do Not Attach 'default' Policy To Generated Tokens", + "group": "Tokens" + } + }, + "token_num_uses": { + "type": "integer", + "description": "The maximum number of times a token may be used, a value of zero means unlimited", + "x-vault-displayAttrs": { + "name": "Maximum Uses of Generated Tokens", + "group": "Tokens" + } + }, + "token_period": { + "type": "string", + "description": "If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. 
\"24h\").", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Period", + "group": "Tokens" + } + }, + "token_policies": { + "type": "array", + "description": "Comma-separated list of policies", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Generated Token's Policies", + "description": "A list of policies that will apply to the generated token for this user.", + "group": "Tokens" + } + }, + "token_ttl": { + "type": "string", + "description": "The initial ttl of the token to generate", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Initial TTL", + "group": "Tokens" + } + }, + "token_type": { + "type": "string", + "description": "The type of token to generate, service or batch", + "default": "default-service", + "x-vault-displayAttrs": { + "name": "Generated Token's Type", + "group": "Tokens" + } + }, + "ttl": { + "type": "string", + "description": "Use \"token_ttl\" instead. If this and \"token_ttl\" are both specified, only \"token_ttl\" will be used.", + "format": "duration", + "deprecated": true + } + } + }, + "AwsWriteRoleRequest": { + "type": "object", + "properties": { + "arn": { + "type": "string", + "description": "Use role_arns or policy_arns instead.", + "deprecated": true + }, + "credential_type": { + "type": "string", + "description": "Type of credential to retrieve. Must be one of assumed_role, iam_user, or federation_token" + }, + "default_sts_ttl": { + "type": "string", + "description": "Default TTL for assumed_role and federation_token credential types when no TTL is explicitly requested with the credentials", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Default STS TTL" + } + }, + "iam_groups": { + "type": "array", + "description": "Names of IAM groups that generated IAM users will be added to. 
For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "IAM Groups", + "value": "group1,group2" + } + }, + "iam_tags": { + "type": "object", + "description": "IAM tags to be set for any users created by this role. These must be presented as Key-Value pairs. This can be represented as a map or a list of equal sign delimited key pairs.", + "format": "kvpairs", + "x-vault-displayAttrs": { + "name": "IAM Tags", + "value": "[key1=value1, key2=value2]" + } + }, + "max_sts_ttl": { + "type": "string", + "description": "Max allowed TTL for assumed_role and federation_token credential types", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Max STS TTL" + } + }, + "permissions_boundary_arn": { + "type": "string", + "description": "ARN of an IAM policy to attach as a permissions boundary on IAM user credentials; only valid when credential_type isiam_user", + "x-vault-displayAttrs": { + "name": "Permissions Boundary ARN" + } + }, + "policy": { + "type": "string", + "description": "Use policy_document instead.", + "deprecated": true + }, + "policy_arns": { + "type": "array", + "description": "ARNs of AWS policies. Behavior varies by credential_type. When credential_type is iam_user, then it will attach the specified policies to the generated IAM user. When credential_type is assumed_role or federation_token, the policies will be passed as the PolicyArns parameter, acting as a filter on permissions available.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Policy ARNs" + } + }, + "policy_document": { + "type": "string", + "description": "JSON-encoded IAM policy document. Behavior varies by credential_type. 
When credential_type is iam_user, then it will attach the contents of the policy_document to the IAM user generated. When credential_type is assumed_role or federation_token, this will be passed in as the Policy parameter to the AssumeRole or GetFederationToken API call, acting as a filter on permissions available." + }, + "role_arns": { + "type": "array", + "description": "ARNs of AWS roles allowed to be assumed. Only valid when credential_type is assumed_role", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Role ARNs" + } + }, + "user_path": { + "type": "string", + "description": "Path for IAM User. Only valid when credential_type is iam_user", + "default": "/", + "x-vault-displayAttrs": { + "name": "User Path", + "value": "/" + } + } + } + }, + "AwsWriteRoleTagRequest": { + "type": "object", + "properties": { + "allow_instance_migration": { + "type": "boolean", + "description": "If set, allows migration of the underlying instance where the client resides. This keys off of pendingTime in the metadata document, so essentially, this disables the client nonce check whenever the instance is migrated to a new host and pendingTime is newer than the previously-remembered time. Use with caution.", + "default": false + }, + "disallow_reauthentication": { + "type": "boolean", + "description": "If set, only allows a single token to be granted per instance ID. In order to perform a fresh login, the entry in access list for the instance ID needs to be cleared using the 'auth/aws-ec2/identity-accesslist/' endpoint.", + "default": false + }, + "instance_id": { + "type": "string", + "description": "Instance ID for which this tag is intended for. If set, the created tag can only be used by the instance with the given ID." 
+ }, + "max_ttl": { + "type": "string", + "description": "If set, specifies the maximum allowed token lifetime.", + "format": "duration", + "default": 0 + }, + "policies": { + "type": "array", + "description": "Policies to be associated with the tag. If set, must be a subset of the role's policies. If set, but set to an empty value, only the 'default' policy will be given to issued tokens.", + "items": { + "type": "string" + } + } + } + }, + "AwsWriteStaticRolesNameRequest": { + "type": "object", + "properties": { + "rotation_period": { + "type": "string", + "description": "Period by which to rotate the backing credential of the adopted user. This can be a Go duration (e.g, '1m', 24h'), or an integer number of seconds.", + "format": "duration" + }, + "username": { + "type": "string", + "description": "The IAM user to adopt as a static role." + } + } + }, + "AwsWriteStaticRolesNameResponse": { + "type": "object", + "properties": { + "name": { + "type": "string", + "description": "The name of this role." + }, + "rotation_period": { + "type": "string", + "description": "Period by which to rotate the backing credential of the adopted user. This can be a Go duration (e.g, '1m', 24h'), or an integer number of seconds.", + "format": "duration" + }, + "username": { + "type": "string", + "description": "The IAM user to adopt as a static role." + } + } + }, + "AwsWriteStsRoleRequest": { + "type": "object", + "properties": { + "sts_role": { + "type": "string", + "description": "AWS ARN for STS role to be assumed when interacting with the account specified. The Vault server must have permissions to assume this role." + } + } + }, + "AzureConfigureAuthRequest": { + "type": "object", + "properties": { + "client_id": { + "type": "string", + "description": "The OAuth2 client id to connection to Azure. 
This value can also be provided with the AZURE_CLIENT_ID environment variable.", + "x-vault-displayAttrs": { + "name": "Client ID" + } + }, + "client_secret": { + "type": "string", + "description": "The OAuth2 client secret to connection to Azure. This value can also be provided with the AZURE_CLIENT_SECRET environment variable." + }, + "environment": { + "type": "string", + "description": "The Azure environment name. If not provided, AzurePublicCloud is used. This value can also be provided with the AZURE_ENVIRONMENT environment variable." + }, + "resource": { + "type": "string", + "description": "The resource URL for the vault application in Azure Active Directory. This value can also be provided with the AZURE_AD_RESOURCE environment variable." + }, + "root_password_ttl": { + "type": "string", + "description": "The TTL of the root password in Azure. This can be either a number of seconds or a time formatted duration (ex: 24h, 48ds)", + "format": "duration", + "default": 15768000000000000 + }, + "tenant_id": { + "type": "string", + "description": "The tenant id for the Azure Active Directory. This is sometimes referred to as Directory ID in AD. This value can also be provided with the AZURE_TENANT_ID environment variable.", + "x-vault-displayAttrs": { + "name": "Tenant ID" + } + } + } + }, + "AzureConfigureRequest": { + "type": "object", + "properties": { + "client_id": { + "type": "string", + "description": "The OAuth2 client id to connect to Azure. This value can also be provided with the AZURE_CLIENT_ID environment variable." + }, + "client_secret": { + "type": "string", + "description": "The OAuth2 client secret to connect to Azure. This value can also be provided with the AZURE_CLIENT_SECRET environment variable." + }, + "environment": { + "type": "string", + "description": "The Azure environment name. If not provided, AzurePublicCloud is used. This value can also be provided with the AZURE_ENVIRONMENT environment variable." 
+ }, + "password_policy": { + "type": "string", + "description": "Name of the password policy to use to generate passwords for dynamic credentials." + }, + "root_password_ttl": { + "type": "string", + "description": "The TTL of the root password in Azure. This can be either a number of seconds or a time formatted duration (ex: 24h, 48ds)", + "format": "duration", + "default": 15768000000000000 + }, + "subscription_id": { + "type": "string", + "description": "The subscription id for the Azure Active Directory. This value can also be provided with the AZURE_SUBSCRIPTION_ID environment variable." + }, + "tenant_id": { + "type": "string", + "description": "The tenant id for the Azure Active Directory. This value can also be provided with the AZURE_TENANT_ID environment variable." + } + } + }, + "AzureLoginRequest": { + "type": "object", + "properties": { + "jwt": { + "type": "string", + "description": "A signed JWT" + }, + "resource_group_name": { + "type": "string", + "description": "The resource group from the instance." + }, + "resource_id": { + "type": "string", + "description": "The fully qualified ID of the resource, includingthe resource name and resource type. Use the format, /subscriptions/{guid}/resourceGroups/{resource-group-name}/{resource-provider-namespace}/{resource-type}/{resource-name}. This value is ignored if vm_name or vmss_name is specified." + }, + "role": { + "type": "string", + "description": "The token role." + }, + "subscription_id": { + "type": "string", + "description": "The subscription id for the instance." + }, + "vm_name": { + "type": "string", + "description": "The name of the virtual machine. This value is ignored if vmss_name is specified." + }, + "vmss_name": { + "type": "string", + "description": "The name of the virtual machine scale set the instance is in." 
+ } + } + }, + "AzureWriteAuthRoleRequest": { + "type": "object", + "properties": { + "bound_group_ids": { + "type": "array", + "description": "Comma-separated list of group ids that login is restricted to.", + "items": { + "type": "string" + } + }, + "bound_locations": { + "type": "array", + "description": "Comma-separated list of locations that login is restricted to.", + "items": { + "type": "string" + } + }, + "bound_resource_groups": { + "type": "array", + "description": "Comma-separated list of resource groups that login is restricted to.", + "items": { + "type": "string" + } + }, + "bound_scale_sets": { + "type": "array", + "description": "Comma-separated list of scale sets that login is restricted to.", + "items": { + "type": "string" + } + }, + "bound_service_principal_ids": { + "type": "array", + "description": "Comma-separated list of service principal ids that login is restricted to.", + "items": { + "type": "string" + } + }, + "bound_subscription_ids": { + "type": "array", + "description": "Comma-separated list of subscription ids that login is restricted to.", + "items": { + "type": "string" + } + }, + "max_ttl": { + "type": "string", + "description": "Use \"token_max_ttl\" instead. If this and \"token_max_ttl\" are both specified, only \"token_max_ttl\" will be used.", + "format": "duration", + "deprecated": true + }, + "num_uses": { + "type": "integer", + "description": "Use \"token_num_uses\" instead. If this and \"token_num_uses\" are both specified, only \"token_num_uses\" will be used.", + "deprecated": true + }, + "period": { + "type": "string", + "description": "Use \"token_period\" instead. If this and \"token_period\" are both specified, only \"token_period\" will be used.", + "format": "duration", + "deprecated": true + }, + "policies": { + "type": "array", + "description": "Use \"token_policies\" instead. 
If this and \"token_policies\" are both specified, only \"token_policies\" will be used.", + "items": { + "type": "string" + }, + "deprecated": true + }, + "token_bound_cidrs": { + "type": "array", + "description": "Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Generated Token's Bound CIDRs", + "description": "A list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "group": "Tokens" + } + }, + "token_explicit_max_ttl": { + "type": "string", + "description": "If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Explicit Maximum TTL", + "group": "Tokens" + } + }, + "token_max_ttl": { + "type": "string", + "description": "The maximum lifetime of the generated token", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Maximum TTL", + "group": "Tokens" + } + }, + "token_no_default_policy": { + "type": "boolean", + "description": "If true, the 'default' policy will not automatically be added to generated tokens", + "x-vault-displayAttrs": { + "name": "Do Not Attach 'default' Policy To Generated Tokens", + "group": "Tokens" + } + }, + "token_num_uses": { + "type": "integer", + "description": "The maximum number of times a token may be used, a value of zero means unlimited", + "x-vault-displayAttrs": { + "name": "Maximum Uses of Generated Tokens", + "group": "Tokens" + } + }, + "token_period": { + "type": "string", + "description": "If set, tokens created via this role will have no max lifetime; instead, their renewal period will be 
fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Period", + "group": "Tokens" + } + }, + "token_policies": { + "type": "array", + "description": "Comma-separated list of policies", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Generated Token's Policies", + "description": "A list of policies that will apply to the generated token for this user.", + "group": "Tokens" + } + }, + "token_ttl": { + "type": "string", + "description": "The initial ttl of the token to generate", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Initial TTL", + "group": "Tokens" + } + }, + "token_type": { + "type": "string", + "description": "The type of token to generate, service or batch", + "default": "default-service", + "x-vault-displayAttrs": { + "name": "Generated Token's Type", + "group": "Tokens" + } + }, + "ttl": { + "type": "string", + "description": "Use \"token_ttl\" instead. If this and \"token_ttl\" are both specified, only \"token_ttl\" will be used.", + "format": "duration", + "deprecated": true + } + } + }, + "AzureWriteRoleRequest": { + "type": "object", + "properties": { + "application_object_id": { + "type": "string", + "description": "Application Object ID to use for static service principal credentials." + }, + "azure_groups": { + "type": "string", + "description": "JSON list of Azure groups to add the service principal to." + }, + "azure_roles": { + "type": "string", + "description": "JSON list of Azure roles to assign." + }, + "max_ttl": { + "type": "string", + "description": "Maximum time a service principal. If not set or set to 0, will use system default.", + "format": "duration" + }, + "permanently_delete": { + "type": "boolean", + "description": "Indicates whether new application objects should be permanently deleted. 
If not set, objects will not be permanently deleted.", + "default": false + }, + "persist_app": { + "type": "boolean", + "description": "Persist the app between generated credentials. Useful if the app needs to maintain owner ship of resources it creates", + "default": false + }, + "ttl": { + "type": "string", + "description": "Default lease for generated credentials. If not set or set to 0, will use system default.", + "format": "duration" + } + } + }, + "CentrifyConfigureRequest": { + "type": "object", + "properties": { + "app_id": { + "type": "string", + "description": "OAuth2 App ID", + "default": "vault_io_integration" + }, + "client_id": { + "type": "string", + "description": "OAuth2 Client ID" + }, + "client_secret": { + "type": "string", + "description": "OAuth2 Client Secret" + }, + "policies": { + "type": "array", + "description": "Use \"token_policies\" instead. If this and \"token_policies\" are both specified, only \"token_policies\" will be used.", + "items": { + "type": "string" + }, + "deprecated": true + }, + "scope": { + "type": "string", + "description": "OAuth2 App Scope", + "default": "vault_io_integration" + }, + "service_url": { + "type": "string", + "description": "Service URL (https://.my.centrify.com)" + }, + "token_bound_cidrs": { + "type": "array", + "description": "Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Generated Token's Bound CIDRs", + "description": "A list of CIDR blocks. 
If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "group": "Tokens" + } + }, + "token_no_default_policy": { + "type": "boolean", + "description": "If true, the 'default' policy will not automatically be added to generated tokens", + "x-vault-displayAttrs": { + "name": "Do Not Attach 'default' Policy To Generated Tokens", + "group": "Tokens" + } + }, + "token_num_uses": { + "type": "integer", + "description": "The maximum number of times a token may be used, a value of zero means unlimited", + "x-vault-displayAttrs": { + "name": "Maximum Uses of Generated Tokens", + "group": "Tokens" + } + }, + "token_policies": { + "type": "array", + "description": "Comma-separated list of policies", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Generated Token's Policies", + "description": "A list of policies that will apply to the generated token for this user.", + "group": "Tokens" + } + }, + "token_ttl": { + "type": "string", + "description": "The initial ttl of the token to generate", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Initial TTL", + "group": "Tokens" + } + }, + "token_type": { + "type": "string", + "description": "The type of token to generate, service or batch", + "default": "default-service", + "x-vault-displayAttrs": { + "name": "Generated Token's Type", + "group": "Tokens" + } + } + } + }, + "CentrifyLoginRequest": { + "type": "object", + "properties": { + "mode": { + "type": "string", + "description": "Auth mode ('ro' for resource owner, 'cc' for credential client).", + "default": "ro" + }, + "password": { + "type": "string", + "description": "Password for this user." + }, + "username": { + "type": "string", + "description": "Username of the user." 
+ } + } + }, + "CertConfigureRequest": { + "type": "object", + "properties": { + "disable_binding": { + "type": "boolean", + "description": "If set, during renewal, skips the matching of presented client identity with the client identity used during login. Defaults to false.", + "default": false + }, + "enable_identity_alias_metadata": { + "type": "boolean", + "description": "If set, metadata of the certificate including the metadata corresponding to allowed_metadata_extensions will be stored in the alias. Defaults to false.", + "default": false + }, + "ocsp_cache_size": { + "type": "integer", + "description": "The size of the in memory OCSP response cache, shared by all configured certs", + "default": 100 + } + } + }, + "CertLoginRequest": { + "type": "object", + "properties": { + "name": { + "type": "string", + "description": "The name of the certificate role to authenticate against." + } + } + }, + "CertWriteCertificateRequest": { + "type": "object", + "properties": { + "allowed_common_names": { + "type": "array", + "description": "A comma-separated list of names. At least one must exist in the Common Name. Supports globbing.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "description": "A list of names. At least one must exist in the Common Name. Supports globbing.", + "group": "Constraints" + } + }, + "allowed_dns_sans": { + "type": "array", + "description": "A comma-separated list of DNS names. At least one must exist in the SANs. Supports globbing.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Allowed DNS SANs", + "description": "A list of DNS names. At least one must exist in the SANs. Supports globbing.", + "group": "Constraints" + } + }, + "allowed_email_sans": { + "type": "array", + "description": "A comma-separated list of Email Addresses. At least one must exist in the SANs. 
Supports globbing.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Allowed Email SANs", + "description": "A list of Email Addresses. At least one must exist in the SANs. Supports globbing.", + "group": "Constraints" + } + }, + "allowed_metadata_extensions": { + "type": "array", + "description": "A comma-separated string or array of oid extensions. Upon successful authentication, these extensions will be added as metadata if they are present in the certificate. The metadata key will be the string consisting of the oid numbers separated by a dash (-) instead of a dot (.) to allow usage in ACL templates.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "description": "A list of OID extensions. Upon successful authentication, these extensions will be added as metadata if they are present in the certificate. The metadata key will be the string consisting of the OID numbers separated by a dash (-) instead of a dot (.) to allow usage in ACL templates." + } + }, + "allowed_names": { + "type": "array", + "description": "A comma-separated list of names. At least one must exist in either the Common Name or SANs. Supports globbing. This parameter is deprecated, please use allowed_common_names, allowed_dns_sans, allowed_email_sans, allowed_uri_sans.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "description": "A list of names. At least one must exist in either the Common Name or SANs. Supports globbing. This parameter is deprecated, please use allowed_common_names, allowed_dns_sans, allowed_email_sans, allowed_uri_sans.", + "group": "Constraints" + } + }, + "allowed_organizational_units": { + "type": "array", + "description": "A comma-separated list of Organizational Units names. At least one must exist in the OU field.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "description": "A list of Organizational Units names. 
At least one must exist in the OU field.", + "group": "Constraints" + } + }, + "allowed_uri_sans": { + "type": "array", + "description": "A comma-separated list of URIs. At least one must exist in the SANs. Supports globbing.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Allowed URI SANs", + "description": "A list of URIs. At least one must exist in the SANs. Supports globbing.", + "group": "Constraints" + } + }, + "bound_cidrs": { + "type": "array", + "description": "Use \"token_bound_cidrs\" instead. If this and \"token_bound_cidrs\" are both specified, only \"token_bound_cidrs\" will be used.", + "items": { + "type": "string" + }, + "deprecated": true + }, + "certificate": { + "type": "string", + "description": "The public certificate that should be trusted. Must be x509 PEM encoded.", + "x-vault-displayAttrs": { + "editType": "file" + } + }, + "display_name": { + "type": "string", + "description": "The display name to use for clients using this certificate." + }, + "lease": { + "type": "integer", + "description": "Use \"token_ttl\" instead. If this and \"token_ttl\" are both specified, only \"token_ttl\" will be used.", + "deprecated": true + }, + "max_ttl": { + "type": "string", + "description": "Use \"token_max_ttl\" instead. If this and \"token_max_ttl\" are both specified, only \"token_max_ttl\" will be used.", + "format": "duration", + "deprecated": true + }, + "ocsp_ca_certificates": { + "type": "string", + "description": "Any additional CA certificates needed to communicate with OCSP servers", + "x-vault-displayAttrs": { + "editType": "file" + } + }, + "ocsp_enabled": { + "type": "boolean", + "description": "Whether to attempt OCSP verification of certificates at login" + }, + "ocsp_fail_open": { + "type": "boolean", + "description": "If set to true, if an OCSP revocation cannot be made successfully, login will proceed rather than failing. 
If false, failing to get an OCSP status fails the request.", + "default": false + }, + "ocsp_query_all_servers": { + "type": "boolean", + "description": "If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree.", + "default": false + }, + "ocsp_servers_override": { + "type": "array", + "description": "A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "description": "A list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected." + } + }, + "period": { + "type": "string", + "description": "Use \"token_period\" instead. If this and \"token_period\" are both specified, only \"token_period\" will be used.", + "format": "duration", + "deprecated": true + }, + "policies": { + "type": "array", + "description": "Use \"token_policies\" instead. If this and \"token_policies\" are both specified, only \"token_policies\" will be used.", + "items": { + "type": "string" + }, + "deprecated": true + }, + "required_extensions": { + "type": "array", + "description": "A comma-separated string or array of extensions formatted as \"oid:value\". Expects the extension value to be some type of ASN1 encoded string. All values much match. Supports globbing on \"value\".", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "description": "A list of extensions formatted as 'oid:value'. Expects the extension value to be some type of ASN1 encoded string. All values much match. Supports globbing on 'value'." + } + }, + "token_bound_cidrs": { + "type": "array", + "description": "Comma separated string or JSON list of CIDR blocks. 
If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Generated Token's Bound CIDRs", + "description": "A list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "group": "Tokens" + } + }, + "token_explicit_max_ttl": { + "type": "string", + "description": "If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Explicit Maximum TTL", + "group": "Tokens" + } + }, + "token_max_ttl": { + "type": "string", + "description": "The maximum lifetime of the generated token", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Maximum TTL", + "group": "Tokens" + } + }, + "token_no_default_policy": { + "type": "boolean", + "description": "If true, the 'default' policy will not automatically be added to generated tokens", + "x-vault-displayAttrs": { + "name": "Do Not Attach 'default' Policy To Generated Tokens", + "group": "Tokens" + } + }, + "token_num_uses": { + "type": "integer", + "description": "The maximum number of times a token may be used, a value of zero means unlimited", + "x-vault-displayAttrs": { + "name": "Maximum Uses of Generated Tokens", + "group": "Tokens" + } + }, + "token_period": { + "type": "string", + "description": "If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. 
\"24h\").", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Period", + "group": "Tokens" + } + }, + "token_policies": { + "type": "array", + "description": "Comma-separated list of policies", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Generated Token's Policies", + "description": "A list of policies that will apply to the generated token for this user.", + "group": "Tokens" + } + }, + "token_ttl": { + "type": "string", + "description": "The initial ttl of the token to generate", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Initial TTL", + "group": "Tokens" + } + }, + "token_type": { + "type": "string", + "description": "The type of token to generate, service or batch", + "default": "default-service", + "x-vault-displayAttrs": { + "name": "Generated Token's Type", + "group": "Tokens" + } + }, + "ttl": { + "type": "string", + "description": "Use \"token_ttl\" instead. If this and \"token_ttl\" are both specified, only \"token_ttl\" will be used.", + "format": "duration", + "deprecated": true + } + } + }, + "CertWriteCrlRequest": { + "type": "object", + "properties": { + "crl": { + "type": "string", + "description": "The public CRL that should be trusted to attest to certificates' validity statuses. May be DER or PEM encoded. Note: the expiration time is ignored; if the CRL is no longer valid, delete it using the same name as specified here." + }, + "url": { + "type": "string", + "description": "The URL of a CRL distribution point. Only one of 'crl' or 'url' parameters should be specified." 
+ } + } + }, + "CloudFoundryConfigureRequest": { + "type": "object", + "properties": { + "cf_api_addr": { + "type": "string", + "description": "CF’s API address.", + "x-vault-displayAttrs": { + "name": "CF API Address", + "value": "https://api.10.244.0.34.xip.io" + } + }, + "cf_api_mutual_tls_certificate": { + "type": "string", + "description": "The PEM-format certificates that are presented for mutual TLS with the CloudFoundry API. If not set, mutual TLS is not used", + "x-vault-displayAttrs": { + "name": "CF API Mutual TLS Certificate", + "value": "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----" + } + }, + "cf_api_mutual_tls_key": { + "type": "string", + "description": "The PEM-format private key that are used for mutual TLS with the CloudFoundry API. If not set, mutual TLS is not used", + "x-vault-displayAttrs": { + "name": "CF API Mutual TLS Key", + "value": "-----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY-----" + } + }, + "cf_api_trusted_certificates": { + "type": "array", + "description": "The PEM-format CA certificates that are acceptable for the CF API to present.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "CF API Trusted IdentityCACertificates", + "value": "-----BEGIN CERTIFICATE----- ... 
-----END CERTIFICATE-----" + } + }, + "cf_client_id": { + "type": "string", + "description": "The client id for CF’s API.", + "x-vault-displayAttrs": { + "name": "CF API Client ID", + "value": "client" + } + }, + "cf_client_secret": { + "type": "string", + "description": "The client secret for CF’s API.", + "x-vault-displayAttrs": { + "name": "CF API Client Secret", + "sensitive": true + } + }, + "cf_password": { + "type": "string", + "description": "The password for CF’s API.", + "x-vault-displayAttrs": { + "name": "CF API Password", + "sensitive": true + } + }, + "cf_username": { + "type": "string", + "description": "The username for CF’s API.", + "x-vault-displayAttrs": { + "name": "CF API Username", + "value": "admin" + } + }, + "identity_ca_certificates": { + "type": "array", + "description": "The PEM-format CA certificates that are required to have issued the instance certificates presented for logging in.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Identity CA Certificates", + "value": "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----" + } + }, + "login_max_seconds_not_after": { + "type": "integer", + "description": "Duration in seconds for the maximum acceptable length in the future a \"signing_time\" can be. Useful for clock drift. Set low to reduce the opportunity for replay attacks.", + "default": 60, + "x-vault-displayAttrs": { + "name": "Login Max Seconds Ahead", + "value": "60" + } + }, + "login_max_seconds_not_before": { + "type": "string", + "description": "Duration in seconds for the maximum acceptable age of a \"signing_time\". Useful for clock drift. Set low to reduce the opportunity for replay attacks.", + "format": "duration", + "default": 300, + "x-vault-displayAttrs": { + "name": "Login Max Seconds Old", + "value": "300" + } + }, + "pcf_api_addr": { + "type": "string", + "description": "Deprecated. 
Please use \"cf_api_addr\".", + "deprecated": true, + "x-vault-displayAttrs": { + "name": "CF API Address", + "value": "https://api.10.244.0.34.xip.io" + } + }, + "pcf_api_trusted_certificates": { + "type": "array", + "description": "Deprecated. Please use \"cf_api_trusted_certificates\".", + "items": { + "type": "string" + }, + "deprecated": true, + "x-vault-displayAttrs": { + "name": "CF API Trusted IdentityCACertificates", + "value": "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----" + } + }, + "pcf_password": { + "type": "string", + "description": "Deprecated. Please use \"cf_password\".", + "deprecated": true, + "x-vault-displayAttrs": { + "name": "CF API Password", + "sensitive": true + } + }, + "pcf_username": { + "type": "string", + "description": "Deprecated. Please use \"cf_username\".", + "deprecated": true, + "x-vault-displayAttrs": { + "name": "CF API Username", + "value": "admin" + } + } + } + }, + "CloudFoundryLoginRequest": { + "type": "object", + "properties": { + "cf_instance_cert": { + "type": "string", + "description": "The full body of the file available at the CF_INSTANCE_CERT path on the CF instance.", + "x-vault-displayAttrs": { + "name": "CF_INSTANCE_CERT Contents" + } + }, + "role": { + "type": "string", + "description": "The name of the role to authenticate against.", + "x-vault-displayAttrs": { + "name": "Role Name", + "value": "internally-defined-role" + } + }, + "signature": { + "type": "string", + "description": "The signature generated by the client certificate's private key.", + "x-vault-displayAttrs": { + "name": "Signature" + } + }, + "signing_time": { + "type": "string", + "description": "The date and time used to construct the signature.", + "x-vault-displayAttrs": { + "name": "Signing Time", + "value": "2006-01-02T15:04:05Z" + } + } + }, + "required": [ + "cf_instance_cert", + "role", + "signature", + "signing_time" + ] + }, + "CloudFoundryWriteRoleRequest": { + "type": "object", + "properties": { + 
"bound_application_ids": { + "type": "array", + "description": "Require that the client certificate presented has at least one of these app IDs.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Bound Application IDs", + "value": "6b814521-5f08-4b1a-8c4e-fbe7c5f3a169" + } + }, + "bound_cidrs": { + "type": "array", + "description": "Use \"token_bound_cidrs\" instead. If this and \"token_bound_cidrs\" are both specified, only \"token_bound_cidrs\" will be used.", + "items": { + "type": "string" + }, + "deprecated": true + }, + "bound_instance_ids": { + "type": "array", + "description": "Require that the client certificate presented has at least one of these instance IDs.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Bound Instance IDs", + "value": "8a886b31-ccf7-480d-54d8-cc28" + } + }, + "bound_organization_ids": { + "type": "array", + "description": "Require that the client certificate presented has at least one of these org IDs.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Bound Organization IDs", + "value": "34a878d0-c2f9-4521-ba73-a9f664e82c7b" + } + }, + "bound_space_ids": { + "type": "array", + "description": "Require that the client certificate presented has at least one of these space IDs.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Bound Space IDs", + "value": "3d2eba6b-ef19-44d5-91dd-1975b0db5cc9" + } + }, + "disable_ip_matching": { + "type": "boolean", + "description": "If set to true, disables the default behavior that logging in must be performed from an acceptable IP address described by the certificate presented.", + "default": false, + "x-vault-displayAttrs": { + "name": "Disable IP Address Matching", + "value": "false" + } + }, + "max_ttl": { + "type": "string", + "description": "Use \"token_max_ttl\" instead. 
If this and \"token_max_ttl\" are both specified, only \"token_max_ttl\" will be used.", + "format": "duration", + "deprecated": true + }, + "period": { + "type": "string", + "description": "Use \"token_period\" instead. If this and \"token_period\" are both specified, only \"token_period\" will be used.", + "format": "duration", + "deprecated": true + }, + "policies": { + "type": "array", + "description": "Use \"token_policies\" instead. If this and \"token_policies\" are both specified, only \"token_policies\" will be used.", + "items": { + "type": "string" + }, + "deprecated": true + }, + "token_bound_cidrs": { + "type": "array", + "description": "Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Generated Token's Bound CIDRs", + "description": "A list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "group": "Tokens" + } + }, + "token_explicit_max_ttl": { + "type": "string", + "description": "If set, tokens created via this role carry an explicit maximum TTL. 
During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Explicit Maximum TTL", + "group": "Tokens" + } + }, + "token_max_ttl": { + "type": "string", + "description": "The maximum lifetime of the generated token", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Maximum TTL", + "group": "Tokens" + } + }, + "token_no_default_policy": { + "type": "boolean", + "description": "If true, the 'default' policy will not automatically be added to generated tokens", + "x-vault-displayAttrs": { + "name": "Do Not Attach 'default' Policy To Generated Tokens", + "group": "Tokens" + } + }, + "token_num_uses": { + "type": "integer", + "description": "The maximum number of times a token may be used, a value of zero means unlimited", + "x-vault-displayAttrs": { + "name": "Maximum Uses of Generated Tokens", + "group": "Tokens" + } + }, + "token_period": { + "type": "string", + "description": "If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. 
\"24h\").", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Period", + "group": "Tokens" + } + }, + "token_policies": { + "type": "array", + "description": "Comma-separated list of policies", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Generated Token's Policies", + "description": "A list of policies that will apply to the generated token for this user.", + "group": "Tokens" + } + }, + "token_ttl": { + "type": "string", + "description": "The initial ttl of the token to generate", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Initial TTL", + "group": "Tokens" + } + }, + "token_type": { + "type": "string", + "description": "The type of token to generate, service or batch", + "default": "default-service", + "x-vault-displayAttrs": { + "name": "Generated Token's Type", + "group": "Tokens" + } + }, + "ttl": { + "type": "string", + "description": "Use \"token_ttl\" instead. If this and \"token_ttl\" are both specified, only \"token_ttl\" will be used.", + "format": "duration", + "deprecated": true + } + } + }, + "CollectHostInformationResponse": { + "type": "object", + "properties": { + "cpu": { + "type": "array", + "items": { + "type": "object" + } + }, + "cpu_times": { + "type": "array", + "items": { + "type": "object" + } + }, + "disk": { + "type": "array", + "items": { + "type": "object" + } + }, + "host": { + "type": "object", + "format": "map" + }, + "memory": { + "type": "object", + "format": "map" + }, + "timestamp": { + "type": "string", + "format": "date-time" + } + } + }, + "ConsulConfigureAccessRequest": { + "type": "object", + "properties": { + "address": { + "type": "string", + "description": "Consul server address" + }, + "ca_cert": { + "type": "string", + "description": "CA certificate to use when verifying Consul server certificate, must be x509 PEM encoded." 
+ }, + "client_cert": { + "type": "string", + "description": "Client certificate used for Consul's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_key." + }, + "client_key": { + "type": "string", + "description": "Client key used for Consul's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert." + }, + "scheme": { + "type": "string", + "description": "URI scheme for the Consul address", + "default": "http" + }, + "token": { + "type": "string", + "description": "Token for API calls" + } + } + }, + "ConsulWriteRoleRequest": { + "type": "object", + "properties": { + "consul_namespace": { + "type": "string", + "description": "Indicates which namespace that the token will be created within. Defaults to 'default'. Available in Consul 1.7 and above." + }, + "consul_policies": { + "type": "array", + "description": "List of policies to attach to the token. Either \"consul_policies\" or \"consul_roles\" are required for Consul 1.5 and above, or just \"consul_policies\" if using Consul 1.4.", + "items": { + "type": "string" + } + }, + "consul_roles": { + "type": "array", + "description": "List of Consul roles to attach to the token. Either \"policies\" or \"consul_roles\" are required for Consul 1.5 and above.", + "items": { + "type": "string" + } + }, + "lease": { + "type": "string", + "description": "Use \"ttl\" instead.", + "format": "duration", + "deprecated": true + }, + "local": { + "type": "boolean", + "description": "Indicates that the token should not be replicated globally and instead be local to the current datacenter. Available in Consul 1.4 and above." + }, + "max_ttl": { + "type": "string", + "description": "Max TTL for the Consul token created from the role.", + "format": "duration" + }, + "node_identities": { + "type": "array", + "description": "List of Node Identities to attach to the token. 
Available in Consul 1.8.1 or above.", + "items": { + "type": "string" + } + }, + "partition": { + "type": "string", + "description": "Indicates which admin partition that the token will be created within. Defaults to 'default'. Available in Consul 1.11 and above." + }, + "policies": { + "type": "array", + "description": "Use \"consul_policies\" instead.", + "items": { + "type": "string" + }, + "deprecated": true + }, + "policy": { + "type": "string", + "description": "Policy document, base64 encoded. Required for 'client' tokens. Required for Consul pre-1.4.", + "deprecated": true + }, + "service_identities": { + "type": "array", + "description": "List of Service Identities to attach to the token, separated by semicolons. Available in Consul 1.5 or above.", + "items": { + "type": "string" + } + }, + "token_type": { + "type": "string", + "description": "Which type of token to create: 'client' or 'management'. If a 'management' token, the \"policy\", \"policies\", and \"consul_roles\" parameters are not required. Defaults to 'client'.", + "default": "client", + "deprecated": true + }, + "ttl": { + "type": "string", + "description": "TTL for the Consul token created from the role.", + "format": "duration" + } + } + }, + "CorsConfigureRequest": { + "type": "object", + "properties": { + "allowed_headers": { + "type": "array", + "description": "A comma-separated string or array of strings indicating headers that are allowed on cross-origin requests.", + "items": { + "type": "string" + } + }, + "allowed_origins": { + "type": "array", + "description": "A comma-separated string or array of strings indicating origins that may make cross-origin requests.", + "items": { + "type": "string" + } + }, + "enable": { + "type": "boolean", + "description": "Enables or disables CORS headers on requests." 
+ } + } + }, + "CorsReadConfigurationResponse": { + "type": "object", + "properties": { + "allowed_headers": { + "type": "array", + "items": { + "type": "string" + } + }, + "allowed_origins": { + "type": "array", + "items": { + "type": "string" + } + }, + "enabled": { + "type": "boolean" + } + } + }, + "DatabaseConfigureConnectionRequest": { + "type": "object", + "properties": { + "allowed_roles": { + "type": "array", + "description": "Comma separated string or array of the role names allowed to get creds from this database connection. If empty no roles are allowed. If \"*\" all roles are allowed.", + "items": { + "type": "string" + } + }, + "password_policy": { + "type": "string", + "description": "Password policy to use when generating passwords." + }, + "plugin_name": { + "type": "string", + "description": "The name of a builtin or previously registered plugin known to vault. This endpoint will create an instance of that plugin type." + }, + "plugin_version": { + "type": "string", + "description": "The version of the plugin to use." + }, + "root_rotation_statements": { + "type": "array", + "description": "Specifies the database statements to be executed to rotate the root user's credentials. See the plugin's API page for more information on support and formatting for this parameter.", + "items": { + "type": "string" + } + }, + "verify_connection": { + "type": "boolean", + "description": "If true, the connection details are verified by actually connecting to the database. Defaults to true.", + "default": true + } + } + }, + "DatabaseWriteRoleRequest": { + "type": "object", + "properties": { + "creation_statements": { + "type": "array", + "description": "Specifies the database statements executed to create and configure a user. 
See the plugin's API page for more information on support and formatting for this parameter.", + "items": { + "type": "string" + } + }, + "credential_config": { + "type": "object", + "description": "The configuration for the given credential_type.", + "format": "kvpairs" + }, + "credential_type": { + "type": "string", + "description": "The type of credential to manage. Options include: 'password', 'rsa_private_key'. Defaults to 'password'.", + "default": "password" + }, + "db_name": { + "type": "string", + "description": "Name of the database this role acts on." + }, + "default_ttl": { + "type": "string", + "description": "Default ttl for role.", + "format": "duration" + }, + "max_ttl": { + "type": "string", + "description": "Maximum time a credential is valid for", + "format": "duration" + }, + "renew_statements": { + "type": "array", + "description": "Specifies the database statements to be executed to renew a user. Not every plugin type will support this functionality. See the plugin's API page for more information on support and formatting for this parameter.", + "items": { + "type": "string" + } + }, + "revocation_statements": { + "type": "array", + "description": "Specifies the database statements to be executed to revoke a user. See the plugin's API page for more information on support and formatting for this parameter.", + "items": { + "type": "string" + } + }, + "rollback_statements": { + "type": "array", + "description": "Specifies the database statements to be executed rollback a create operation in the event of an error. Not every plugin type will support this functionality. 
See the plugin's API page for more information on support and formatting for this parameter.", + "items": { + "type": "string" + } + } + } + }, + "DatabaseWriteStaticRoleRequest": { + "type": "object", + "properties": { + "credential_config": { + "type": "object", + "description": "The configuration for the given credential_type.", + "format": "kvpairs" + }, + "credential_type": { + "type": "string", + "description": "The type of credential to manage. Options include: 'password', 'rsa_private_key'. Defaults to 'password'.", + "default": "password" + }, + "db_name": { + "type": "string", + "description": "Name of the database this role acts on." + }, + "rotation_period": { + "type": "string", + "description": "Period for automatic credential rotation of the given username. Not valid unless used with \"username\". Mutually exclusive with \"rotation_schedule.\"", + "format": "duration" + }, + "rotation_schedule": { + "type": "string", + "description": "Schedule for automatic credential rotation of the given username. Mutually exclusive with \"rotation_period.\"" + }, + "rotation_statements": { + "type": "array", + "description": "Specifies the database statements to be executed to rotate the accounts credentials. Not every plugin type will support this functionality. See the plugin's API page for more information on support and formatting for this parameter.", + "items": { + "type": "string" + } + }, + "rotation_window": { + "type": "string", + "description": "The window of time in which rotations are allowed to occur starting from a given \"rotation_schedule\". Requires \"rotation_schedule\" to be specified", + "format": "duration" + }, + "username": { + "type": "string", + "description": "Name of the static user account for Vault to manage. 
Requires \"rotation_period\" to be specified" + } + } + }, + "DecodeRequest": { + "type": "object", + "properties": { + "encoded_token": { + "type": "string", + "description": "Specifies the encoded token (result from generate-root)." + }, + "otp": { + "type": "string", + "description": "Specifies the otp code for decode." + } + } + }, + "EncryptionKeyConfigureRotationRequest": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Whether automatic rotation is enabled." + }, + "interval": { + "type": "string", + "description": "How long after installation of an active key term that the key will be automatically rotated.", + "format": "duration" + }, + "max_operations": { + "type": "integer", + "description": "The number of encryption operations performed before the barrier key is automatically rotated.", + "format": "int64" + } + } + }, + "EncryptionKeyReadRotationConfigurationResponse": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "interval": { + "type": "string", + "format": "duration" + }, + "max_operations": { + "type": "integer", + "format": "int64" + } + } + }, + "EntityBatchDeleteRequest": { + "type": "object", + "properties": { + "entity_ids": { + "type": "array", + "description": "Entity IDs to delete", + "items": { + "type": "string" + } + } + } + }, + "EntityCreateAliasRequest": { + "type": "object", + "properties": { + "canonical_id": { + "type": "string", + "description": "Entity ID to which this alias belongs" + }, + "custom_metadata": { + "type": "object", + "description": "User provided key-value pairs", + "format": "kvpairs" + }, + "entity_id": { + "type": "string", + "description": "Entity ID to which this alias belongs. This field is deprecated, use canonical_id." + }, + "id": { + "type": "string", + "description": "ID of the entity alias. If set, updates the corresponding entity alias." 
+ }, + "mount_accessor": { + "type": "string", + "description": "Mount accessor to which this alias belongs to; unused for a modify" + }, + "name": { + "type": "string", + "description": "Name of the alias; unused for a modify" + } + } + }, + "EntityCreateRequest": { + "type": "object", + "properties": { + "disabled": { + "type": "boolean", + "description": "If set true, tokens tied to this identity will not be able to be used (but will not be revoked)." + }, + "id": { + "type": "string", + "description": "ID of the entity. If set, updates the corresponding existing entity." + }, + "metadata": { + "type": "object", + "description": "Metadata to be associated with the entity. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2", + "format": "kvpairs" + }, + "name": { + "type": "string", + "description": "Name of the entity" + }, + "policies": { + "type": "array", + "description": "Policies to be tied to the entity.", + "items": { + "type": "string" + } + } + } + }, + "EntityLookUpRequest": { + "type": "object", + "properties": { + "alias_id": { + "type": "string", + "description": "ID of the alias." + }, + "alias_mount_accessor": { + "type": "string", + "description": "Accessor of the mount to which the alias belongs to. This should be supplied in conjunction with 'alias_name'." + }, + "alias_name": { + "type": "string", + "description": "Name of the alias. This should be supplied in conjunction with 'alias_mount_accessor'." + }, + "id": { + "type": "string", + "description": "ID of the entity." + }, + "name": { + "type": "string", + "description": "Name of the entity." + } + } + }, + "EntityMergeRequest": { + "type": "object", + "properties": { + "conflicting_alias_ids_to_keep": { + "type": "array", + "description": "Alias IDs to keep in case of conflicting aliases. 
Ignored if no conflicting aliases found", + "items": { + "type": "string" + } + }, + "force": { + "type": "boolean", + "description": "Setting this will follow the 'mine' strategy for merging MFA secrets. If there are secrets of the same type both in entities that are merged from and in entity into which all others are getting merged, secrets in the destination will be unaltered. If not set, this API will throw an error containing all the conflicts." + }, + "from_entity_ids": { + "type": "array", + "description": "Entity IDs which need to get merged", + "items": { + "type": "string" + } + }, + "to_entity_id": { + "type": "string", + "description": "Entity ID into which all the other entities need to get merged" + } + } + }, + "EntityUpdateAliasByIdRequest": { + "type": "object", + "properties": { + "canonical_id": { + "type": "string", + "description": "Entity ID to which this alias should be tied to" + }, + "custom_metadata": { + "type": "object", + "description": "User provided key-value pairs", + "format": "kvpairs" + }, + "entity_id": { + "type": "string", + "description": "Entity ID to which this alias belongs to. This field is deprecated, use canonical_id." + }, + "mount_accessor": { + "type": "string", + "description": "(Unused)" + }, + "name": { + "type": "string", + "description": "(Unused)" + } + } + }, + "EntityUpdateByIdRequest": { + "type": "object", + "properties": { + "disabled": { + "type": "boolean", + "description": "If set true, tokens tied to this identity will not be able to be used (but will not be revoked)." + }, + "metadata": { + "type": "object", + "description": "Metadata to be associated with the entity. In CLI, this parameter can be repeated multiple times, and it all gets merged together. 
For example: vault metadata=key1=value1 metadata=key2=value2", + "format": "kvpairs" + }, + "name": { + "type": "string", + "description": "Name of the entity" + }, + "policies": { + "type": "array", + "description": "Policies to be tied to the entity.", + "items": { + "type": "string" + } + } + } + }, + "EntityUpdateByNameRequest": { + "type": "object", + "properties": { + "disabled": { + "type": "boolean", + "description": "If set true, tokens tied to this identity will not be able to be used (but will not be revoked)." + }, + "id": { + "type": "string", + "description": "ID of the entity. If set, updates the corresponding existing entity." + }, + "metadata": { + "type": "object", + "description": "Metadata to be associated with the entity. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2", + "format": "kvpairs" + }, + "policies": { + "type": "array", + "description": "Policies to be tied to the entity.", + "items": { + "type": "string" + } + } + } + }, + "GenerateHashRequest": { + "type": "object", + "properties": { + "algorithm": { + "type": "string", + "description": "Algorithm to use (POST body parameter). Valid values are: * sha2-224 * sha2-256 * sha2-384 * sha2-512 Defaults to \"sha2-256\".", + "default": "sha2-256" + }, + "format": { + "type": "string", + "description": "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"hex\".", + "default": "hex" + }, + "input": { + "type": "string", + "description": "The base64-encoded input data" + } + } + }, + "GenerateHashResponse": { + "type": "object", + "properties": { + "sum": { + "type": "string" + } + } + }, + "GenerateHashWithAlgorithmRequest": { + "type": "object", + "properties": { + "algorithm": { + "type": "string", + "description": "Algorithm to use (POST body parameter). 
Valid values are: * sha2-224 * sha2-256 * sha2-384 * sha2-512 Defaults to \"sha2-256\".", + "default": "sha2-256" + }, + "format": { + "type": "string", + "description": "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"hex\".", + "default": "hex" + }, + "input": { + "type": "string", + "description": "The base64-encoded input data" + } + } + }, + "GenerateHashWithAlgorithmResponse": { + "type": "object", + "properties": { + "sum": { + "type": "string" + } + } + }, + "GenerateRandomRequest": { + "type": "object", + "properties": { + "bytes": { + "type": "integer", + "description": "The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).", + "default": 32 + }, + "format": { + "type": "string", + "description": "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"base64\".", + "default": "base64" + } + } + }, + "GenerateRandomResponse": { + "type": "object", + "properties": { + "random_bytes": { + "type": "string" + } + } + }, + "GenerateRandomWithBytesRequest": { + "type": "object", + "properties": { + "bytes": { + "type": "integer", + "description": "The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).", + "default": 32 + }, + "format": { + "type": "string", + "description": "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"base64\".", + "default": "base64" + } + } + }, + "GenerateRandomWithBytesResponse": { + "type": "object", + "properties": { + "random_bytes": { + "type": "string" + } + } + }, + "GenerateRandomWithSourceAndBytesRequest": { + "type": "object", + "properties": { + "bytes": { + "type": "integer", + "description": "The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).", + "default": 32 + }, + "format": { + "type": "string", + "description": "Encoding format to use. Can be \"hex\" or \"base64\". 
Defaults to \"base64\".", + "default": "base64" + } + } + }, + "GenerateRandomWithSourceAndBytesResponse": { + "type": "object", + "properties": { + "random_bytes": { + "type": "string" + } + } + }, + "GenerateRandomWithSourceRequest": { + "type": "object", + "properties": { + "bytes": { + "type": "integer", + "description": "The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).", + "default": 32 + }, + "format": { + "type": "string", + "description": "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"base64\".", + "default": "base64" + } + } + }, + "GenerateRandomWithSourceResponse": { + "type": "object", + "properties": { + "random_bytes": { + "type": "string" + } + } + }, + "GithubConfigureRequest": { + "type": "object", + "properties": { + "base_url": { + "type": "string", + "description": "The API endpoint to use. Useful if you are running GitHub Enterprise or an API-compatible authentication server.", + "x-vault-displayAttrs": { + "name": "Base URL", + "group": "GitHub Options" + } + }, + "max_ttl": { + "type": "string", + "description": "Use \"token_max_ttl\" instead. If this and \"token_max_ttl\" are both specified, only \"token_max_ttl\" will be used.", + "format": "duration", + "deprecated": true + }, + "organization": { + "type": "string", + "description": "The organization users must be part of" + }, + "organization_id": { + "type": "integer", + "description": "The ID of the organization users must be part of", + "format": "int64" + }, + "token_bound_cidrs": { + "type": "array", + "description": "Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Generated Token's Bound CIDRs", + "description": "A list of CIDR blocks. 
If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "group": "Tokens" + } + }, + "token_explicit_max_ttl": { + "type": "string", + "description": "If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Explicit Maximum TTL", + "group": "Tokens" + } + }, + "token_max_ttl": { + "type": "string", + "description": "The maximum lifetime of the generated token", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Maximum TTL", + "group": "Tokens" + } + }, + "token_no_default_policy": { + "type": "boolean", + "description": "If true, the 'default' policy will not automatically be added to generated tokens", + "x-vault-displayAttrs": { + "name": "Do Not Attach 'default' Policy To Generated Tokens", + "group": "Tokens" + } + }, + "token_num_uses": { + "type": "integer", + "description": "The maximum number of times a token may be used, a value of zero means unlimited", + "x-vault-displayAttrs": { + "name": "Maximum Uses of Generated Tokens", + "group": "Tokens" + } + }, + "token_period": { + "type": "string", + "description": "If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Period", + "group": "Tokens" + } + }, + "token_policies": { + "type": "array", + "description": "Comma-separated list of policies. 
This will apply to all tokens generated by this auth method, in addition to any policies configured for specific users/groups.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Generated Token's Policies", + "description": "A list of policies that will apply to the generated token for this user.", + "group": "Tokens" + } + }, + "token_ttl": { + "type": "string", + "description": "The initial ttl of the token to generate", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Initial TTL", + "group": "Tokens" + } + }, + "token_type": { + "type": "string", + "description": "The type of token to generate, service or batch", + "default": "default-service", + "x-vault-displayAttrs": { + "name": "Generated Token's Type", + "group": "Tokens" + } + }, + "ttl": { + "type": "string", + "description": "Use \"token_ttl\" instead. If this and \"token_ttl\" are both specified, only \"token_ttl\" will be used.", + "format": "duration", + "deprecated": true + } + }, + "required": [ + "organization" + ] + }, + "GithubLoginRequest": { + "type": "object", + "properties": { + "token": { + "type": "string", + "description": "GitHub personal API token" + } + } + }, + "GithubWriteTeamMappingRequest": { + "type": "object", + "properties": { + "value": { + "type": "string", + "description": "Value for teams mapping" + } + } + }, + "GithubWriteUserMappingRequest": { + "type": "object", + "properties": { + "value": { + "type": "string", + "description": "Value for users mapping" + } + } + }, + "GoogleCloudConfigureAuthRequest": { + "type": "object", + "properties": { + "credentials": { + "type": "string", + "description": "Google credentials JSON that Vault will use to verify users against GCP APIs. 
If not specified, will use application default credentials", + "x-vault-displayAttrs": { + "name": "Credentials" + } + }, + "custom_endpoint": { + "type": "object", + "description": "Specifies overrides for various Google API Service Endpoints used in requests.", + "format": "kvpairs" + }, + "gce_alias": { + "type": "string", + "description": "Indicates what value to use when generating an alias for GCE authentications.", + "default": "role_id" + }, + "gce_metadata": { + "type": "array", + "description": "The metadata to include on the aliases and audit logs generated by this plugin. When set to 'default', includes: instance_creation_timestamp, instance_id, instance_name, project_id, project_number, role, service_account_id, service_account_email, zone. Not editing this field means the 'default' fields are included. Explicitly setting this field to empty overrides the 'default' and means no metadata will be included. If not using 'default', explicit fields must be sent like: 'field1,field2'.", + "items": { + "type": "string" + }, + "default": [ + "default" + ], + "x-vault-displayAttrs": { + "name": "gce_metadata", + "value": "field1,field2" + } + }, + "google_certs_endpoint": { + "type": "string", + "description": "Deprecated. This field does nothing and be removed in a future release", + "deprecated": true + }, + "iam_alias": { + "type": "string", + "description": "Indicates what value to use when generating an alias for IAM authentications.", + "default": "role_id" + }, + "iam_metadata": { + "type": "array", + "description": "The metadata to include on the aliases and audit logs generated by this plugin. When set to 'default', includes: project_id, role, service_account_id, service_account_email. Not editing this field means the 'default' fields are included. Explicitly setting this field to empty overrides the 'default' and means no metadata will be included. 
If not using 'default', explicit fields must be sent like: 'field1,field2'.", + "items": { + "type": "string" + }, + "default": [ + "default" + ], + "x-vault-displayAttrs": { + "name": "iam_metadata", + "value": "field1,field2" + } + } + } + }, + "GoogleCloudConfigureRequest": { + "type": "object", + "properties": { + "credentials": { + "type": "string", + "description": "GCP IAM service account credentials JSON with permissions to create new service accounts and set IAM policies" + }, + "max_ttl": { + "type": "string", + "description": "Maximum time a service account key is valid for. If <= 0, will use system default.", + "format": "duration" + }, + "ttl": { + "type": "string", + "description": "Default lease for generated keys. If <= 0, will use system default.", + "format": "duration" + } + } + }, + "GoogleCloudEditLabelsForRoleRequest": { + "type": "object", + "properties": { + "add": { + "type": "array", + "description": "BoundLabels to add (in $key:$value)", + "items": { + "type": "string" + } + }, + "remove": { + "type": "array", + "description": "Label key values to remove", + "items": { + "type": "string" + } + } + } + }, + "GoogleCloudEditServiceAccountsForRoleRequest": { + "type": "object", + "properties": { + "add": { + "type": "array", + "description": "Service-account emails or IDs to add.", + "items": { + "type": "string" + } + }, + "remove": { + "type": "array", + "description": "Service-account emails or IDs to remove.", + "items": { + "type": "string" + } + } + } + }, + "GoogleCloudGenerateRolesetKey3Request": { + "type": "object", + "properties": { + "key_algorithm": { + "type": "string", + "description": "Private key algorithm for service account key - defaults to KEY_ALG_RSA_2048\"", + "default": "KEY_ALG_RSA_2048" + }, + "key_type": { + "type": "string", + "description": "Private key type for service account key - defaults to TYPE_GOOGLE_CREDENTIALS_FILE\"", + "default": "TYPE_GOOGLE_CREDENTIALS_FILE" + }, + "ttl": { + "type": "string", + 
"description": "Lifetime of the service account key", + "format": "duration" + } + } + }, + "GoogleCloudGenerateRolesetKeyRequest": { + "type": "object", + "properties": { + "key_algorithm": { + "type": "string", + "description": "Private key algorithm for service account key - defaults to KEY_ALG_RSA_2048\"", + "default": "KEY_ALG_RSA_2048" + }, + "key_type": { + "type": "string", + "description": "Private key type for service account key - defaults to TYPE_GOOGLE_CREDENTIALS_FILE\"", + "default": "TYPE_GOOGLE_CREDENTIALS_FILE" + }, + "ttl": { + "type": "string", + "description": "Lifetime of the service account key", + "format": "duration" + } + } + }, + "GoogleCloudGenerateStaticAccountKeyRequest": { + "type": "object", + "properties": { + "key_algorithm": { + "type": "string", + "description": "Private key algorithm for service account key. Defaults to KEY_ALG_RSA_2048.\"", + "default": "KEY_ALG_RSA_2048" + }, + "key_type": { + "type": "string", + "description": "Private key type for service account key. Defaults to TYPE_GOOGLE_CREDENTIALS_FILE.\"", + "default": "TYPE_GOOGLE_CREDENTIALS_FILE" + }, + "ttl": { + "type": "string", + "description": "Lifetime of the service account key", + "format": "duration" + } + } + }, + "GoogleCloudKmsConfigureKeyRequest": { + "type": "object", + "properties": { + "max_version": { + "type": "integer", + "description": "Maximum allowed crypto key version. If set to a positive value, key versions greater than the given value are not permitted to be used. If set to 0 or a negative value, there is no maximum key version." + }, + "min_version": { + "type": "integer", + "description": "Minimum allowed crypto key version. If set to a positive value, key versions less than the given value are not permitted to be used. If set to 0 or a negative value, there is no minimum key version. This value only affects encryption/re-encryption, not decryption. 
To restrict old values from being decrypted, increase this value and then perform a trim operation." + } + } + }, + "GoogleCloudKmsConfigureRequest": { + "type": "object", + "properties": { + "credentials": { + "type": "string", + "description": "The credentials to use for authenticating to Google Cloud. Leave this blank to use the Default Application Credentials or instance metadata authentication." + }, + "scopes": { + "type": "array", + "description": "The list of full-URL scopes to request when authenticating. By default, this requests https://www.googleapis.com/auth/cloudkms.", + "items": { + "type": "string" + } + } + } + }, + "GoogleCloudKmsDecryptRequest": { + "type": "object", + "properties": { + "additional_authenticated_data": { + "type": "string", + "description": "Optional data that was specified during encryption of this payload." + }, + "ciphertext": { + "type": "string", + "description": "Ciphertext to decrypt as previously returned from an encrypt operation. This must be base64-encoded ciphertext as previously returned from an encrypt operation." + }, + "key_version": { + "type": "integer", + "description": "Integer version of the crypto key version to use for decryption. This is required for asymmetric keys. For symmetric keys, Cloud KMS will choose the correct version automatically." + } + } + }, + "GoogleCloudKmsEncryptRequest": { + "type": "object", + "properties": { + "additional_authenticated_data": { + "type": "string", + "description": "Optional base64-encoded data that, if specified, must also be provided to decrypt this payload." + }, + "key_version": { + "type": "integer", + "description": "Integer version of the crypto key version to use for encryption. If unspecified, this defaults to the latest active crypto key version." + }, + "plaintext": { + "type": "string", + "description": "Plaintext value to be encrypted. This can be a string or binary, but the size is limited. 
See the Google Cloud KMS documentation for information on size limitations by key types." + } + } + }, + "GoogleCloudKmsReencryptRequest": { + "type": "object", + "properties": { + "additional_authenticated_data": { + "type": "string", + "description": "Optional data that, if specified, must also be provided during decryption." + }, + "ciphertext": { + "type": "string", + "description": "Ciphertext to be re-encrypted to the latest key version. This must be ciphertext that Vault previously generated for this named key." + }, + "key_version": { + "type": "integer", + "description": "Integer version of the crypto key version to use for the new encryption. If unspecified, this defaults to the latest active crypto key version." + } + } + }, + "GoogleCloudKmsRegisterKeyRequest": { + "type": "object", + "properties": { + "crypto_key": { + "type": "string", + "description": "Full resource ID of the crypto key including the project, location, key ring, and crypto key like \"projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\". This crypto key must already exist in Google Cloud KMS unless verify is set to \"false\"." + }, + "verify": { + "type": "boolean", + "description": "Verify that the given Google Cloud KMS crypto key exists and is accessible before creating the storage entry in Vault. Set this to \"false\" if the key will not exist at creation time.", + "default": true + } + } + }, + "GoogleCloudKmsSignRequest": { + "type": "object", + "properties": { + "digest": { + "type": "string", + "description": "Digest to sign. This digest must use the same SHA algorithm as the underlying Cloud KMS key. The digest must be the base64-encoded binary value. This field is required." + }, + "key_version": { + "type": "integer", + "description": "Integer version of the crypto key version to use for signing. This field is required." + } + } + }, + "GoogleCloudKmsVerifyRequest": { + "type": "object", + "properties": { + "digest": { + "type": "string", + "description": "Digest to verify. 
This digest must use the same SHA algorithm as the underlying Cloud KMS key. The digest must be the base64-encoded binary value. This field is required." + }, + "key_version": { + "type": "integer", + "description": "Integer version of the crypto key version to use for verification. This field is required." + }, + "signature": { + "type": "string", + "description": "Base64-encoded signature to use for verification. This field is required." + } + } + }, + "GoogleCloudKmsWriteKeyRequest": { + "type": "object", + "properties": { + "algorithm": { + "type": "string", + "description": "Algorithm to use for encryption, decryption, or signing. The value depends on the key purpose. The value cannot be changed after creation. For a key purpose of \"encrypt_decrypt\", the valid values are: - symmetric_encryption (default) For a key purpose of \"asymmetric_sign\", valid values are: - rsa_sign_pss_2048_sha256 - rsa_sign_pss_3072_sha256 - rsa_sign_pss_4096_sha256 - rsa_sign_pkcs1_2048_sha256 - rsa_sign_pkcs1_3072_sha256 - rsa_sign_pkcs1_4096_sha256 - ec_sign_p256_sha256 - ec_sign_p384_sha384 For a key purpose of \"asymmetric_decrypt\", valid values are: - rsa_decrypt_oaep_2048_sha256 - rsa_decrypt_oaep_3072_sha256 - rsa_decrypt_oaep_4096_sha256" + }, + "crypto_key": { + "type": "string", + "description": "Name of the crypto key to use. If the given crypto key does not exist, Vault will try to create it. This defaults to the name of the key given to Vault as the parameter if unspecified." + }, + "key_ring": { + "type": "string", + "description": "Full Google Cloud resource ID of the key ring with the project and location (e.g. projects/my-project/locations/global/keyRings/my-keyring). If the given key ring does not exist, Vault will try to create it during a create operation." + }, + "labels": { + "type": "object", + "description": "Arbitrary key=value label to apply to the crypto key. To specify multiple labels, specify this argument multiple times (e.g. 
labels=\"a=b\" labels=\"c=d\").", + "format": "kvpairs" + }, + "protection_level": { + "type": "string", + "description": "Level of protection to use for the key management. Valid values are \"software\" and \"hsm\". The default value is \"software\". The value cannot be changed after creation." + }, + "purpose": { + "type": "string", + "description": "Purpose of the key. Valid options are \"asymmetric_decrypt\", \"asymmetric_sign\", and \"encrypt_decrypt\". The default value is \"encrypt_decrypt\". The value cannot be changed after creation." + }, + "rotation_period": { + "type": "string", + "description": "Amount of time between crypto key version rotations. This is specified as a time duration value like 72h (72 hours). The smallest possible value is 24h. This value only applies to keys with a purpose of \"encrypt_decrypt\".", + "format": "duration" + } + } + }, + "GoogleCloudLoginRequest": { + "type": "object", + "properties": { + "jwt": { + "type": "string", + "description": "A signed JWT. This is either a self-signed service account JWT ('iam' roles only) or a GCE identity metadata token ('iam', 'gce' roles)." + }, + "role": { + "type": "string", + "description": "Name of the role against which the login is being attempted. Required." + } + } + }, + "GoogleCloudWriteImpersonatedAccountRequest": { + "type": "object", + "properties": { + "service_account_email": { + "type": "string", + "description": "Required. Email of the GCP service account to manage. Cannot be updated." 
+ }, + "token_scopes": { + "type": "array", + "description": "List of OAuth scopes to assign to access tokens generated under this account.", + "items": { + "type": "string" + } + }, + "ttl": { + "type": "string", + "description": "Lifetime of the token for the impersonated account.", + "format": "duration" + } + } + }, + "GoogleCloudWriteRoleRequest": { + "type": "object", + "properties": { + "add_group_aliases": { + "type": "boolean", + "description": "If true, will add group aliases to auth tokens generated under this role. This will add the full list of ancestors (projects, folders, organizations) for the given entity's project. Requires IAM permission `resourcemanager.projects.get` on this project.", + "default": false + }, + "allow_gce_inference": { + "type": "boolean", + "description": "'iam' roles only. If false, Vault will not not allow GCE instances to login in against this role", + "default": true + }, + "bound_instance_group": { + "type": "string", + "description": "Deprecated: use \"bound_instance_groups\" instead." + }, + "bound_instance_groups": { + "type": "array", + "description": "Comma-separated list of permitted instance groups to which the GCE instance must belong. This option only applies to \"gce\" roles.", + "items": { + "type": "string" + } + }, + "bound_labels": { + "type": "array", + "description": "Comma-separated list of GCP labels formatted as\"key:value\" strings that must be present on the GCE instance in order to authenticate. This option only applies to \"gce\" roles.", + "items": { + "type": "string" + } + }, + "bound_projects": { + "type": "array", + "description": "GCP Projects that authenticating entities must belong to.", + "items": { + "type": "string" + } + }, + "bound_region": { + "type": "string", + "description": "Deprecated: use \"bound_regions\" instead." + }, + "bound_regions": { + "type": "array", + "description": "Comma-separated list of permitted regions to which the GCE instance must belong. 
If a group is provided, it is assumed to be a regional group. If \"zone\" is provided, this option is ignored. This can be a self-link or region name. This option only applies to \"gce\" roles.", + "items": { + "type": "string" + } + }, + "bound_service_accounts": { + "type": "array", + "description": "Can be set for both 'iam' and 'gce' roles (required for 'iam'). A comma-seperated list of authorized service accounts. If the single value \"*\" is given, this is assumed to be all service accounts under the role's project. If this is set on a GCE role, the inferred service account from the instance metadata token will be used.", + "items": { + "type": "string" + } + }, + "bound_zone": { + "type": "string", + "description": "Deprecated: use \"bound_zones\" instead." + }, + "bound_zones": { + "type": "array", + "description": "Comma-separated list of permitted zones to which the GCE instance must belong. If a group is provided, it is assumed to be a zonal group. This can be a self-link or zone name. This option only applies to \"gce\" roles.", + "items": { + "type": "string" + } + }, + "max_jwt_exp": { + "type": "string", + "description": "Currently enabled for 'iam' only. Duration in seconds from time of validation that a JWT must expire within.", + "format": "duration", + "default": 900 + }, + "max_ttl": { + "type": "string", + "description": "Use \"token_max_ttl\" instead. If this and \"token_max_ttl\" are both specified, only \"token_max_ttl\" will be used.", + "format": "duration", + "deprecated": true + }, + "period": { + "type": "string", + "description": "Use \"token_period\" instead. If this and \"token_period\" are both specified, only \"token_period\" will be used.", + "format": "duration", + "deprecated": true + }, + "policies": { + "type": "array", + "description": "Use \"token_policies\" instead. 
If this and \"token_policies\" are both specified, only \"token_policies\" will be used.", + "items": { + "type": "string" + }, + "deprecated": true + }, + "project_id": { + "type": "string", + "description": "Deprecated: use \"bound_projects\" instead" + }, + "service_accounts": { + "type": "array", + "description": "Deprecated: use \"bound_service_accounts\" instead.", + "items": { + "type": "string" + } + }, + "token_bound_cidrs": { + "type": "array", + "description": "Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Generated Token's Bound CIDRs", + "description": "A list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "group": "Tokens" + } + }, + "token_explicit_max_ttl": { + "type": "string", + "description": "If set, tokens created via this role carry an explicit maximum TTL. 
During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Explicit Maximum TTL", + "group": "Tokens" + } + }, + "token_max_ttl": { + "type": "string", + "description": "The maximum lifetime of the generated token", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Maximum TTL", + "group": "Tokens" + } + }, + "token_no_default_policy": { + "type": "boolean", + "description": "If true, the 'default' policy will not automatically be added to generated tokens", + "x-vault-displayAttrs": { + "name": "Do Not Attach 'default' Policy To Generated Tokens", + "group": "Tokens" + } + }, + "token_num_uses": { + "type": "integer", + "description": "The maximum number of times a token may be used, a value of zero means unlimited", + "x-vault-displayAttrs": { + "name": "Maximum Uses of Generated Tokens", + "group": "Tokens" + } + }, + "token_period": { + "type": "string", + "description": "If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. 
\"24h\").", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Period", + "group": "Tokens" + } + }, + "token_policies": { + "type": "array", + "description": "Comma-separated list of policies", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Generated Token's Policies", + "description": "A list of policies that will apply to the generated token for this user.", + "group": "Tokens" + } + }, + "token_ttl": { + "type": "string", + "description": "The initial ttl of the token to generate", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Initial TTL", + "group": "Tokens" + } + }, + "token_type": { + "type": "string", + "description": "The type of token to generate, service or batch", + "default": "default-service", + "x-vault-displayAttrs": { + "name": "Generated Token's Type", + "group": "Tokens" + } + }, + "ttl": { + "type": "string", + "description": "Use \"token_ttl\" instead. If this and \"token_ttl\" are both specified, only \"token_ttl\" will be used.", + "format": "duration", + "deprecated": true + }, + "type": { + "type": "string", + "description": "Type of the role. Currently supported: iam, gce" + } + } + }, + "GoogleCloudWriteRolesetRequest": { + "type": "object", + "properties": { + "bindings": { + "type": "string", + "description": "Bindings configuration string." + }, + "project": { + "type": "string", + "description": "Name of the GCP project that this roleset's service account will belong to." + }, + "secret_type": { + "type": "string", + "description": "Type of secret generated for this role set. 
Defaults to 'access_token'", + "default": "access_token" + }, + "token_scopes": { + "type": "array", + "description": "List of OAuth scopes to assign to credentials generated under this role set", + "items": { + "type": "string" + } + } + } + }, + "GoogleCloudWriteStaticAccountRequest": { + "type": "object", + "properties": { + "bindings": { + "type": "string", + "description": "Bindings configuration string." + }, + "secret_type": { + "type": "string", + "description": "Type of secret generated for this account. Cannot be updated. Defaults to \"access_token\"", + "default": "access_token" + }, + "service_account_email": { + "type": "string", + "description": "Required. Email of the GCP service account to manage. Cannot be updated." + }, + "token_scopes": { + "type": "array", + "description": "List of OAuth scopes to assign to access tokens generated under this account. Ignored if \"secret_type\" is not \"\"access_token\"\"", + "items": { + "type": "string" + } + } + } + }, + "GroupCreateAliasRequest": { + "type": "object", + "properties": { + "canonical_id": { + "type": "string", + "description": "ID of the group to which this is an alias." + }, + "id": { + "type": "string", + "description": "ID of the group alias." + }, + "mount_accessor": { + "type": "string", + "description": "Mount accessor to which this alias belongs to." + }, + "name": { + "type": "string", + "description": "Alias of the group." + } + } + }, + "GroupCreateRequest": { + "type": "object", + "properties": { + "id": { + "type": "string", + "description": "ID of the group. If set, updates the corresponding existing group." 
+ }, + "member_entity_ids": { + "type": "array", + "description": "Entity IDs to be assigned as group members.", + "items": { + "type": "string" + } + }, + "member_group_ids": { + "type": "array", + "description": "Group IDs to be assigned as group members.", + "items": { + "type": "string" + } + }, + "metadata": { + "type": "object", + "description": "Metadata to be associated with the group. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2", + "format": "kvpairs" + }, + "name": { + "type": "string", + "description": "Name of the group." + }, + "policies": { + "type": "array", + "description": "Policies to be tied to the group.", + "items": { + "type": "string" + } + }, + "type": { + "type": "string", + "description": "Type of the group, 'internal' or 'external'. Defaults to 'internal'" + } + } + }, + "GroupLookUpRequest": { + "type": "object", + "properties": { + "alias_id": { + "type": "string", + "description": "ID of the alias." + }, + "alias_mount_accessor": { + "type": "string", + "description": "Accessor of the mount to which the alias belongs to. This should be supplied in conjunction with 'alias_name'." + }, + "alias_name": { + "type": "string", + "description": "Name of the alias. This should be supplied in conjunction with 'alias_mount_accessor'." + }, + "id": { + "type": "string", + "description": "ID of the group." + }, + "name": { + "type": "string", + "description": "Name of the group." + } + } + }, + "GroupUpdateAliasByIdRequest": { + "type": "object", + "properties": { + "canonical_id": { + "type": "string", + "description": "ID of the group to which this is an alias." + }, + "mount_accessor": { + "type": "string", + "description": "Mount accessor to which this alias belongs to." + }, + "name": { + "type": "string", + "description": "Alias of the group." 
+ } + } + }, + "GroupUpdateByIdRequest": { + "type": "object", + "properties": { + "member_entity_ids": { + "type": "array", + "description": "Entity IDs to be assigned as group members.", + "items": { + "type": "string" + } + }, + "member_group_ids": { + "type": "array", + "description": "Group IDs to be assigned as group members.", + "items": { + "type": "string" + } + }, + "metadata": { + "type": "object", + "description": "Metadata to be associated with the group. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2", + "format": "kvpairs" + }, + "name": { + "type": "string", + "description": "Name of the group." + }, + "policies": { + "type": "array", + "description": "Policies to be tied to the group.", + "items": { + "type": "string" + } + }, + "type": { + "type": "string", + "description": "Type of the group, 'internal' or 'external'. Defaults to 'internal'" + } + } + }, + "GroupUpdateByNameRequest": { + "type": "object", + "properties": { + "id": { + "type": "string", + "description": "ID of the group. If set, updates the corresponding existing group." + }, + "member_entity_ids": { + "type": "array", + "description": "Entity IDs to be assigned as group members.", + "items": { + "type": "string" + } + }, + "member_group_ids": { + "type": "array", + "description": "Group IDs to be assigned as group members.", + "items": { + "type": "string" + } + }, + "metadata": { + "type": "object", + "description": "Metadata to be associated with the group. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2", + "format": "kvpairs" + }, + "policies": { + "type": "array", + "description": "Policies to be tied to the group.", + "items": { + "type": "string" + } + }, + "type": { + "type": "string", + "description": "Type of the group, 'internal' or 'external'. 
Defaults to 'internal'" + } + } + }, + "HaStatusResponse": { + "type": "object", + "properties": { + "nodes": { + "type": "array", + "items": { + "type": "object" + } + } + } + }, + "InitializeRequest": { + "type": "object", + "properties": { + "pgp_keys": { + "type": "array", + "description": "Specifies an array of PGP public keys used to encrypt the output unseal keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as `secret_shares`.", + "items": { + "type": "string" + } + }, + "recovery_pgp_keys": { + "type": "array", + "description": "Specifies an array of PGP public keys used to encrypt the output recovery keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as `recovery_shares`.", + "items": { + "type": "string" + } + }, + "recovery_shares": { + "type": "integer", + "description": "Specifies the number of shares to split the recovery key into." + }, + "recovery_threshold": { + "type": "integer", + "description": "Specifies the number of shares required to reconstruct the recovery key. This must be less than or equal to `recovery_shares`." + }, + "root_token_pgp_key": { + "type": "string", + "description": "Specifies a PGP public key used to encrypt the initial root token. The key must be base64-encoded from its original binary representation." + }, + "secret_shares": { + "type": "integer", + "description": "Specifies the number of shares to split the unseal key into." + }, + "secret_threshold": { + "type": "integer", + "description": "Specifies the number of shares required to reconstruct the unseal key. This must be less than or equal secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as `secret_shares`." 
+ }, + "stored_shares": { + "type": "integer", + "description": "Specifies the number of shares that should be encrypted by the HSM and stored for auto-unsealing. Currently must be the same as `secret_shares`." + } + } + }, + "InternalClientActivityConfigureRequest": { + "type": "object", + "properties": { + "default_report_months": { + "type": "integer", + "description": "Number of months to report if no start date specified.", + "default": 12 + }, + "enabled": { + "type": "string", + "description": "Enable or disable collection of client count: enable, disable, or default.", + "default": "default" + }, + "retention_months": { + "type": "integer", + "description": "Number of months of client data to retain. Setting to 0 will clear all existing data.", + "default": 24 + } + } + }, + "InternalCountEntitiesResponse": { + "type": "object", + "properties": { + "counters": { + "type": "object", + "format": "map" + } + } + }, + "InternalCountTokensResponse": { + "type": "object", + "properties": { + "counters": { + "type": "object", + "format": "map" + } + } + }, + "InternalGenerateOpenApiDocumentWithParametersRequest": { + "type": "object", + "properties": { + "context": { + "type": "string", + "description": "Context string appended to every operationId" + }, + "generic_mount_paths": { + "type": "boolean", + "description": "Use generic mount paths", + "default": false + } + } + }, + "InternalUiListEnabledFeatureFlagsResponse": { + "type": "object", + "properties": { + "feature_flags": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "InternalUiListEnabledVisibleMountsResponse": { + "type": "object", + "properties": { + "auth": { + "type": "object", + "description": "auth mounts", + "format": "map" + }, + "secret": { + "type": "object", + "description": "secret mounts", + "format": "map" + } + } + }, + "InternalUiListNamespacesResponse": { + "type": "object", + "properties": { + "keys": { + "type": "array", + "description": "field is only returned 
if there are one or more namespaces", + "items": { + "type": "string" + } + } + } + }, + "InternalUiReadMountInformationResponse": { + "type": "object", + "properties": { + "accessor": { + "type": "string" + }, + "config": { + "type": "object", + "format": "map" + }, + "description": { + "type": "string" + }, + "external_entropy_access": { + "type": "boolean" + }, + "local": { + "type": "boolean" + }, + "options": { + "type": "object", + "format": "map" + }, + "path": { + "type": "string" + }, + "plugin_version": { + "type": "string" + }, + "running_plugin_version": { + "type": "string" + }, + "running_sha256": { + "type": "string" + }, + "seal_wrap": { + "type": "boolean" + }, + "type": { + "type": "string" + }, + "uuid": { + "type": "string" + } + } + }, + "InternalUiReadResultantAclResponse": { + "type": "object", + "properties": { + "exact_paths": { + "type": "object", + "format": "map" + }, + "glob_paths": { + "type": "object", + "format": "map" + }, + "root": { + "type": "boolean" + } + } + }, + "JwtConfigureRequest": { + "type": "object", + "properties": { + "bound_issuer": { + "type": "string", + "description": "The value against which to match the 'iss' claim in a JWT. Optional." + }, + "default_role": { + "type": "string", + "description": "The default role to use if none is provided during login. If not set, a role is required during login.", + "format": "lowercase" + }, + "jwks_ca_pem": { + "type": "string", + "description": "The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used." + }, + "jwks_url": { + "type": "string", + "description": "JWKS URL to use to authenticate signatures. Cannot be used with \"oidc_discovery_url\" or \"jwt_validation_pubkeys\"." + }, + "jwt_supported_algs": { + "type": "array", + "description": "A list of supported signing algorithms. 
Defaults to RS256.", + "items": { + "type": "string" + } + }, + "jwt_validation_pubkeys": { + "type": "array", + "description": "A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used with \"jwks_url\" or \"oidc_discovery_url\".", + "items": { + "type": "string" + } + }, + "namespace_in_state": { + "type": "boolean", + "description": "Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs.", + "x-vault-displayAttrs": { + "name": "Namespace in OIDC state", + "value": true + } + }, + "oidc_client_id": { + "type": "string", + "description": "The OAuth Client ID configured with your OIDC provider." + }, + "oidc_client_secret": { + "type": "string", + "description": "The OAuth Client Secret configured with your OIDC provider.", + "x-vault-displayAttrs": { + "sensitive": true + } + }, + "oidc_discovery_ca_pem": { + "type": "string", + "description": "The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used." + }, + "oidc_discovery_url": { + "type": "string", + "description": "OIDC Discovery URL, without any .well-known component (base path). Cannot be used with \"jwks_url\" or \"jwt_validation_pubkeys\"." + }, + "oidc_response_mode": { + "type": "string", + "description": "The response mode to be used in the OAuth2 request. Allowed values are 'query' and 'form_post'." + }, + "oidc_response_types": { + "type": "array", + "description": "The response types to request. Allowed values are 'code' and 'id_token'. 
Defaults to 'code'.", + "items": { + "type": "string" + } + }, + "provider_config": { + "type": "object", + "description": "Provider-specific configuration. Optional.", + "format": "map", + "x-vault-displayAttrs": { + "name": "Provider Config" + } + } + } + }, + "JwtLoginRequest": { + "type": "object", + "properties": { + "jwt": { + "type": "string", + "description": "The signed JWT to validate." + }, + "role": { + "type": "string", + "description": "The role to log in against.", + "format": "lowercase" + } + } + }, + "JwtOidcCallbackFormPostRequest": { + "type": "object", + "properties": { + "client_nonce": { + "type": "string" + }, + "code": { + "type": "string" + }, + "id_token": { + "type": "string" + }, + "state": { + "type": "string" + } + } + }, + "JwtOidcRequestAuthorizationUrlRequest": { + "type": "object", + "properties": { + "client_nonce": { + "type": "string", + "description": "Optional client-provided nonce that must match during callback, if present." + }, + "redirect_uri": { + "type": "string", + "description": "The OAuth redirect_uri to use in the authorization URL." + }, + "role": { + "type": "string", + "description": "The role to issue an OIDC authorization URL against.", + "format": "lowercase" + } + } + }, + "JwtWriteRoleRequest": { + "type": "object", + "properties": { + "allowed_redirect_uris": { + "type": "array", + "description": "Comma-separated list of allowed values for redirect_uri", + "items": { + "type": "string" + } + }, + "bound_audiences": { + "type": "array", + "description": "Comma-separated list of 'aud' claims that are valid for login; any match is sufficient", + "items": { + "type": "string" + } + }, + "bound_cidrs": { + "type": "array", + "description": "Use \"token_bound_cidrs\" instead. 
If this and \"token_bound_cidrs\" are both specified, only \"token_bound_cidrs\" will be used.", + "items": { + "type": "string" + }, + "deprecated": true + }, + "bound_claims": { + "type": "object", + "description": "Map of claims/values which must match for login", + "format": "map" + }, + "bound_claims_type": { + "type": "string", + "description": "How to interpret values in the map of claims/values (which must match for login): allowed values are 'string' or 'glob'", + "default": "string" + }, + "bound_subject": { + "type": "string", + "description": "The 'sub' claim that is valid for login. Optional." + }, + "claim_mappings": { + "type": "object", + "description": "Mappings of claims (key) that will be copied to a metadata field (value)", + "format": "kvpairs" + }, + "clock_skew_leeway": { + "type": "string", + "description": "Duration in seconds of leeway when validating all claims to account for clock skew. Defaults to 60 (1 minute) if set to 0 and can be disabled if set to -1.", + "format": "duration", + "default": 60000000000 + }, + "expiration_leeway": { + "type": "string", + "description": "Duration in seconds of leeway when validating expiration of a token to account for clock skew. Defaults to 150 (2.5 minutes) if set to 0 and can be disabled if set to -1.", + "format": "duration", + "default": 150 + }, + "groups_claim": { + "type": "string", + "description": "The claim to use for the Identity group alias names" + }, + "max_age": { + "type": "string", + "description": "Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated.", + "format": "duration" + }, + "max_ttl": { + "type": "string", + "description": "Use \"token_max_ttl\" instead. 
If this and \"token_max_ttl\" are both specified, only \"token_max_ttl\" will be used.", + "format": "duration", + "deprecated": true + }, + "not_before_leeway": { + "type": "string", + "description": "Duration in seconds of leeway when validating not before values of a token to account for clock skew. Defaults to 150 (2.5 minutes) if set to 0 and can be disabled if set to -1.", + "format": "duration", + "default": 150 + }, + "num_uses": { + "type": "integer", + "description": "Use \"token_num_uses\" instead. If this and \"token_num_uses\" are both specified, only \"token_num_uses\" will be used.", + "deprecated": true + }, + "oidc_scopes": { + "type": "array", + "description": "Comma-separated list of OIDC scopes", + "items": { + "type": "string" + } + }, + "period": { + "type": "string", + "description": "Use \"token_period\" instead. If this and \"token_period\" are both specified, only \"token_period\" will be used.", + "format": "duration", + "deprecated": true + }, + "policies": { + "type": "array", + "description": "Use \"token_policies\" instead. If this and \"token_policies\" are both specified, only \"token_policies\" will be used.", + "items": { + "type": "string" + }, + "deprecated": true + }, + "role_type": { + "type": "string", + "description": "Type of the role, either 'jwt' or 'oidc'." + }, + "token_bound_cidrs": { + "type": "array", + "description": "Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Generated Token's Bound CIDRs", + "description": "A list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "group": "Tokens" + } + }, + "token_explicit_max_ttl": { + "type": "string", + "description": "If set, tokens created via this role carry an explicit maximum TTL. 
During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Explicit Maximum TTL", + "group": "Tokens" + } + }, + "token_max_ttl": { + "type": "string", + "description": "The maximum lifetime of the generated token", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Maximum TTL", + "group": "Tokens" + } + }, + "token_no_default_policy": { + "type": "boolean", + "description": "If true, the 'default' policy will not automatically be added to generated tokens", + "x-vault-displayAttrs": { + "name": "Do Not Attach 'default' Policy To Generated Tokens", + "group": "Tokens" + } + }, + "token_num_uses": { + "type": "integer", + "description": "The maximum number of times a token may be used, a value of zero means unlimited", + "x-vault-displayAttrs": { + "name": "Maximum Uses of Generated Tokens", + "group": "Tokens" + } + }, + "token_period": { + "type": "string", + "description": "If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. 
\"24h\").", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Period", + "group": "Tokens" + } + }, + "token_policies": { + "type": "array", + "description": "Comma-separated list of policies", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Generated Token's Policies", + "description": "A list of policies that will apply to the generated token for this user.", + "group": "Tokens" + } + }, + "token_ttl": { + "type": "string", + "description": "The initial ttl of the token to generate", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Initial TTL", + "group": "Tokens" + } + }, + "token_type": { + "type": "string", + "description": "The type of token to generate, service or batch", + "default": "default-service", + "x-vault-displayAttrs": { + "name": "Generated Token's Type", + "group": "Tokens" + } + }, + "ttl": { + "type": "string", + "description": "Use \"token_ttl\" instead. If this and \"token_ttl\" are both specified, only \"token_ttl\" will be used.", + "format": "duration", + "deprecated": true + }, + "user_claim": { + "type": "string", + "description": "The claim to use for the Identity entity alias name" + }, + "user_claim_json_pointer": { + "type": "boolean", + "description": "If true, the user_claim value will use JSON pointer syntax for referencing claims." + }, + "verbose_oidc_logging": { + "type": "boolean", + "description": "Log received OIDC tokens and claims when debug-level logging is active. Not recommended in production since sensitive information may be present in OIDC responses." 
+ } + } + }, + "KerberosConfigureLdapRequest": { + "type": "object", + "properties": { + "anonymous_group_search": { + "type": "boolean", + "description": "Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).", + "default": false, + "x-vault-displayAttrs": { + "name": "Anonymous group search" + } + }, + "binddn": { + "type": "string", + "description": "LDAP DN for searching for the user DN (optional)", + "x-vault-displayAttrs": { + "name": "Name of Object to bind (binddn)" + } + }, + "bindpass": { + "type": "string", + "description": "LDAP password for searching for the user DN (optional)", + "x-vault-displayAttrs": { + "sensitive": true + } + }, + "case_sensitive_names": { + "type": "boolean", + "description": "If true, case sensitivity will be used when comparing usernames and groups for matching policies." + }, + "certificate": { + "type": "string", + "description": "CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded (optional)", + "x-vault-displayAttrs": { + "name": "CA certificate", + "editType": "file" + } + }, + "client_tls_cert": { + "type": "string", + "description": "Client certificate to provide to the LDAP server, must be x509 PEM encoded (optional)", + "x-vault-displayAttrs": { + "name": "Client certificate", + "editType": "file" + } + }, + "client_tls_key": { + "type": "string", + "description": "Client certificate key to provide to the LDAP server, must be x509 PEM encoded (optional)", + "x-vault-displayAttrs": { + "name": "Client key", + "editType": "file" + } + }, + "connection_timeout": { + "type": "string", + "description": "Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.", + "format": "duration", + "default": "30s" + }, + "deny_null_bind": { + "type": "boolean", + "description": "Denies an unauthenticated LDAP bind request if the user's password is empty; 
defaults to true", + "default": true + }, + "dereference_aliases": { + "type": "string", + "description": "When aliases should be dereferenced on search operations. Accepted values are 'never', 'finding', 'searching', 'always'. Defaults to 'never'.", + "enum": [ + "never", + "finding", + "searching", + "always" + ], + "default": "never" + }, + "discoverdn": { + "type": "boolean", + "description": "Use anonymous bind to discover the bind DN of a user (optional)", + "x-vault-displayAttrs": { + "name": "Discover DN" + } + }, + "groupattr": { + "type": "string", + "description": "LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: \"cn\" or \"memberOf\", etc. Default: cn", + "default": "cn", + "x-vault-displayAttrs": { + "name": "Group Attribute", + "value": "cn" + } + }, + "groupdn": { + "type": "string", + "description": "LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org)", + "x-vault-displayAttrs": { + "name": "Group DN" + } + }, + "groupfilter": { + "type": "string", + "description": "Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username Example: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))", + "default": "(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))", + "x-vault-displayAttrs": { + "name": "Group Filter" + } + }, + "insecure_tls": { + "type": "boolean", + "description": "Skip LDAP server SSL Certificate verification - VERY insecure (optional)", + "x-vault-displayAttrs": { + "name": "Insecure TLS" + } + }, + "max_page_size": { + "type": "integer", + "description": "If set to a value greater than 0, the LDAP backend will use the LDAP server's paged search control to request pages of up to the given size. 
This can be used to avoid hitting the LDAP server's maximum result size limit. Otherwise, the LDAP backend will not use the paged search control.", + "default": 0 + }, + "request_timeout": { + "type": "string", + "description": "Timeout, in seconds, for the connection when making requests against the server before returning back an error.", + "format": "duration", + "default": "90s" + }, + "starttls": { + "type": "boolean", + "description": "Issue a StartTLS command after establishing unencrypted connection (optional)", + "x-vault-displayAttrs": { + "name": "Issue StartTLS" + } + }, + "tls_max_version": { + "type": "string", + "description": "Maximum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12'", + "enum": [ + "tls10", + "tls11", + "tls12", + "tls13" + ], + "default": "tls12", + "x-vault-displayAttrs": { + "name": "Maximum TLS Version" + } + }, + "tls_min_version": { + "type": "string", + "description": "Minimum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12'", + "enum": [ + "tls10", + "tls11", + "tls12", + "tls13" + ], + "default": "tls12", + "x-vault-displayAttrs": { + "name": "Minimum TLS Version" + } + }, + "token_bound_cidrs": { + "type": "array", + "description": "Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Generated Token's Bound CIDRs", + "description": "A list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "group": "Tokens" + } + }, + "token_explicit_max_ttl": { + "type": "string", + "description": "If set, tokens created via this role carry an explicit maximum TTL. 
During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Explicit Maximum TTL", + "group": "Tokens" + } + }, + "token_max_ttl": { + "type": "string", + "description": "The maximum lifetime of the generated token", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Maximum TTL", + "group": "Tokens" + } + }, + "token_no_default_policy": { + "type": "boolean", + "description": "If true, the 'default' policy will not automatically be added to generated tokens", + "x-vault-displayAttrs": { + "name": "Do Not Attach 'default' Policy To Generated Tokens", + "group": "Tokens" + } + }, + "token_num_uses": { + "type": "integer", + "description": "The maximum number of times a token may be used, a value of zero means unlimited", + "x-vault-displayAttrs": { + "name": "Maximum Uses of Generated Tokens", + "group": "Tokens" + } + }, + "token_period": { + "type": "string", + "description": "If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Period", + "group": "Tokens" + } + }, + "token_policies": { + "type": "array", + "description": "Comma-separated list of policies. 
This will apply to all tokens generated by this auth method, in addition to any configured for specific users/groups.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Generated Token's Policies", + "description": "A list of policies that will apply to the generated token for this user.", + "group": "Tokens" + } + }, + "token_ttl": { + "type": "string", + "description": "The initial ttl of the token to generate", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Initial TTL", + "group": "Tokens" + } + }, + "token_type": { + "type": "string", + "description": "The type of token to generate, service or batch", + "default": "default-service", + "x-vault-displayAttrs": { + "name": "Generated Token's Type", + "group": "Tokens" + } + }, + "upndomain": { + "type": "string", + "description": "Enables userPrincipalDomain login with [username]@UPNDomain (optional)", + "x-vault-displayAttrs": { + "name": "User Principal (UPN) Domain" + } + }, + "url": { + "type": "string", + "description": "LDAP URL to connect to (default: ldap://127.0.0.1). Multiple URLs can be specified by concatenating them with commas; they will be tried in-order.", + "default": "ldap://127.0.0.1", + "x-vault-displayAttrs": { + "name": "URL" + } + }, + "use_pre111_group_cn_behavior": { + "type": "boolean", + "description": "In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations." + }, + "use_token_groups": { + "type": "boolean", + "description": "If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. 
This will find all security groups including nested ones.", + "default": false + }, + "userattr": { + "type": "string", + "description": "Attribute used for users (default: cn)", + "default": "cn", + "x-vault-displayAttrs": { + "name": "User Attribute", + "value": "cn" + } + }, + "userdn": { + "type": "string", + "description": "LDAP domain to use for users (eg: ou=People,dc=example,dc=org)", + "x-vault-displayAttrs": { + "name": "User DN" + } + }, + "userfilter": { + "type": "string", + "description": "Go template for LDAP user search filer (optional) The template can access the following context variables: UserAttr, Username Default: ({{.UserAttr}}={{.Username}})", + "default": "({{.UserAttr}}={{.Username}})", + "x-vault-displayAttrs": { + "name": "User Search Filter" + } + }, + "username_as_alias": { + "type": "boolean", + "description": "If true, sets the alias name to the username", + "default": false + } + } + }, + "KerberosConfigureRequest": { + "type": "object", + "properties": { + "add_group_aliases": { + "type": "boolean", + "description": "If set to true, returns any groups found in LDAP as a group alias." + }, + "keytab": { + "type": "string", + "description": "Base64 encoded keytab", + "x-vault-displayAttrs": { + "sensitive": true + } + }, + "remove_instance_name": { + "type": "boolean", + "description": "Remove instance/FQDN from keytab principal names." + }, + "service_account": { + "type": "string", + "description": "Service Account" + } + } + }, + "KerberosLoginRequest": { + "type": "object", + "properties": { + "authorization": { + "type": "string", + "description": "SPNEGO Authorization header. Required." 
+ } + } + }, + "KerberosWriteGroupRequest": { + "type": "object", + "properties": { + "policies": { + "type": "array", + "description": "Comma-separated list of policies associated to the group.", + "items": { + "type": "string" + } + } + } + }, + "KubernetesConfigureAuthRequest": { + "type": "object", + "properties": { + "disable_iss_validation": { + "type": "boolean", + "description": "Disable JWT issuer validation (Deprecated, will be removed in a future release)", + "default": true, + "deprecated": true, + "x-vault-displayAttrs": { + "name": "Disable JWT Issuer Validation" + } + }, + "disable_local_ca_jwt": { + "type": "boolean", + "description": "Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod", + "default": false, + "x-vault-displayAttrs": { + "name": "Disable use of local CA and service account JWT" + } + }, + "issuer": { + "type": "string", + "description": "Optional JWT issuer. If no issuer is specified, then this plugin will use kubernetes.io/serviceaccount as the default issuer. (Deprecated, will be removed in a future release)", + "deprecated": true, + "x-vault-displayAttrs": { + "name": "JWT Issuer" + } + }, + "kubernetes_ca_cert": { + "type": "string", + "description": "PEM encoded CA cert for use by the TLS client used to talk with the API.", + "x-vault-displayAttrs": { + "name": "Kubernetes CA Certificate" + } + }, + "kubernetes_host": { + "type": "string", + "description": "Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server." + }, + "pem_keys": { + "type": "array", + "description": "Optional list of PEM-formated public keys or certificates used to verify the signatures of kubernetes service account JWTs. If a certificate is given, its public key will be extracted. 
Not every installation of Kubernetes exposes these keys.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Service account verification keys" + } + }, + "token_reviewer_jwt": { + "type": "string", + "description": "A service account JWT used to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.", + "x-vault-displayAttrs": { + "name": "Token Reviewer JWT" + } + } + } + }, + "KubernetesConfigureRequest": { + "type": "object", + "properties": { + "disable_local_ca_jwt": { + "type": "boolean", + "description": "Disable defaulting to the local CA certificate and service account JWT when running in a Kubernetes pod.", + "default": false, + "x-vault-displayAttrs": { + "name": "Disable use of local CA and service account JWT" + } + }, + "kubernetes_ca_cert": { + "type": "string", + "description": "PEM encoded CA certificate to use to verify the Kubernetes API server certificate. Defaults to the local pod's CA if found.", + "x-vault-displayAttrs": { + "name": "Kubernetes CA Certificate" + } + }, + "kubernetes_host": { + "type": "string", + "description": "Kubernetes API URL to connect to. Defaults to https://$KUBERNETES_SERVICE_HOST:KUBERNETES_SERVICE_PORT if those environment variables are set.", + "x-vault-displayAttrs": { + "name": "Kubernetes API URL" + } + }, + "service_account_jwt": { + "type": "string", + "description": "The JSON web token of the service account used by the secret engine to manage Kubernetes credentials. 
Defaults to the local pod's JWT if found.", + "x-vault-displayAttrs": { + "name": "Kubernetes API JWT" + } + } + } + }, + "KubernetesGenerateCredentialsRequest": { + "type": "object", + "properties": { + "audiences": { + "type": "array", + "description": "The intended audiences of the generated credentials", + "items": { + "type": "string" + } + }, + "cluster_role_binding": { + "type": "boolean", + "description": "If true, generate a ClusterRoleBinding to grant permissions across the whole cluster instead of within a namespace. Requires the Vault role to have kubernetes_role_type set to ClusterRole." + }, + "kubernetes_namespace": { + "type": "string", + "description": "The name of the Kubernetes namespace in which to generate the credentials" + }, + "ttl": { + "type": "string", + "description": "The TTL of the generated credentials", + "format": "duration" + } + }, + "required": [ + "kubernetes_namespace" + ] + }, + "KubernetesLoginRequest": { + "type": "object", + "properties": { + "jwt": { + "type": "string", + "description": "A signed JWT for authenticating a service account. This field is required." + }, + "role": { + "type": "string", + "description": "Name of the role against which the login is being attempted. This field is required" + } + } + }, + "KubernetesWriteAuthRoleRequest": { + "type": "object", + "properties": { + "alias_name_source": { + "type": "string", + "description": "Source to use when deriving the Alias name. valid choices: \"serviceaccount_uid\" : e.g. 474b11b5-0f20-4f9d-8ca5-65715ab325e0 (most secure choice) \"serviceaccount_name\" : / e.g. vault/vault-agent default: \"serviceaccount_uid\"", + "default": "serviceaccount_uid" + }, + "audience": { + "type": "string", + "description": "Optional Audience claim to verify in the jwt." + }, + "bound_cidrs": { + "type": "array", + "description": "Use \"token_bound_cidrs\" instead. 
If this and \"token_bound_cidrs\" are both specified, only \"token_bound_cidrs\" will be used.", + "items": { + "type": "string" + }, + "deprecated": true + }, + "bound_service_account_names": { + "type": "array", + "description": "List of service account names able to access this role. If set to \"*\" all names are allowed.", + "items": { + "type": "string" + } + }, + "bound_service_account_namespaces": { + "type": "array", + "description": "List of namespaces allowed to access this role. If set to \"*\" all namespaces are allowed.", + "items": { + "type": "string" + } + }, + "max_ttl": { + "type": "string", + "description": "Use \"token_max_ttl\" instead. If this and \"token_max_ttl\" are both specified, only \"token_max_ttl\" will be used.", + "format": "duration", + "deprecated": true + }, + "num_uses": { + "type": "integer", + "description": "Use \"token_num_uses\" instead. If this and \"token_num_uses\" are both specified, only \"token_num_uses\" will be used.", + "deprecated": true + }, + "period": { + "type": "string", + "description": "Use \"token_period\" instead. If this and \"token_period\" are both specified, only \"token_period\" will be used.", + "format": "duration", + "deprecated": true + }, + "policies": { + "type": "array", + "description": "Use \"token_policies\" instead. If this and \"token_policies\" are both specified, only \"token_policies\" will be used.", + "items": { + "type": "string" + }, + "deprecated": true + }, + "token_bound_cidrs": { + "type": "array", + "description": "Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Generated Token's Bound CIDRs", + "description": "A list of CIDR blocks. 
If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "group": "Tokens" + } + }, + "token_explicit_max_ttl": { + "type": "string", + "description": "If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Explicit Maximum TTL", + "group": "Tokens" + } + }, + "token_max_ttl": { + "type": "string", + "description": "The maximum lifetime of the generated token", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Maximum TTL", + "group": "Tokens" + } + }, + "token_no_default_policy": { + "type": "boolean", + "description": "If true, the 'default' policy will not automatically be added to generated tokens", + "x-vault-displayAttrs": { + "name": "Do Not Attach 'default' Policy To Generated Tokens", + "group": "Tokens" + } + }, + "token_num_uses": { + "type": "integer", + "description": "The maximum number of times a token may be used, a value of zero means unlimited", + "x-vault-displayAttrs": { + "name": "Maximum Uses of Generated Tokens", + "group": "Tokens" + } + }, + "token_period": { + "type": "string", + "description": "If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. 
\"24h\").", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Period", + "group": "Tokens" + } + }, + "token_policies": { + "type": "array", + "description": "Comma-separated list of policies", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Generated Token's Policies", + "description": "A list of policies that will apply to the generated token for this user.", + "group": "Tokens" + } + }, + "token_ttl": { + "type": "string", + "description": "The initial ttl of the token to generate", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Initial TTL", + "group": "Tokens" + } + }, + "token_type": { + "type": "string", + "description": "The type of token to generate, service or batch", + "default": "default-service", + "x-vault-displayAttrs": { + "name": "Generated Token's Type", + "group": "Tokens" + } + }, + "ttl": { + "type": "string", + "description": "Use \"token_ttl\" instead. If this and \"token_ttl\" are both specified, only \"token_ttl\" will be used.", + "format": "duration", + "deprecated": true + } + } + }, + "KubernetesWriteRoleRequest": { + "type": "object", + "properties": { + "allowed_kubernetes_namespace_selector": { + "type": "string", + "description": "A label selector for Kubernetes namespaces in which credentials can be generated. Accepts either a JSON or YAML object. If set with allowed_kubernetes_namespaces, the conditions are conjuncted." + }, + "allowed_kubernetes_namespaces": { + "type": "array", + "description": "A list of the Kubernetes namespaces in which credentials can be generated. 
If set to \"*\" all namespaces are allowed.", + "items": { + "type": "string" + } + }, + "extra_annotations": { + "type": "object", + "description": "Additional annotations to apply to all generated Kubernetes objects.", + "format": "kvpairs" + }, + "extra_labels": { + "type": "object", + "description": "Additional labels to apply to all generated Kubernetes objects.", + "format": "kvpairs" + }, + "generated_role_rules": { + "type": "string", + "description": "The Role or ClusterRole rules to use when generating a role. Accepts either a JSON or YAML object. If set, the entire chain of Kubernetes objects will be generated." + }, + "kubernetes_role_name": { + "type": "string", + "description": "The pre-existing Role or ClusterRole to bind a generated service account to. If set, Kubernetes token, service account, and role binding objects will be created." + }, + "kubernetes_role_type": { + "type": "string", + "description": "Specifies whether the Kubernetes role is a Role or ClusterRole.", + "default": "Role" + }, + "name_template": { + "type": "string", + "description": "The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used." + }, + "service_account_name": { + "type": "string", + "description": "The pre-existing service account to generate tokens for. Mutually exclusive with all role parameters. If set, only a Kubernetes service account token will be created." + }, + "token_default_audiences": { + "type": "array", + "description": "The default audiences for generated Kubernetes service account tokens. If not set or set to \"\", will use k8s cluster default.", + "items": { + "type": "string" + } + }, + "token_default_ttl": { + "type": "string", + "description": "The default ttl for generated Kubernetes service account tokens. 
If not set or set to 0, will use system default.", + "format": "duration" + }, + "token_max_ttl": { + "type": "string", + "description": "The maximum ttl for generated Kubernetes service account tokens. If not set or set to 0, will use system default.", + "format": "duration" + } + } + }, + "KvV2ConfigureRequest": { + "type": "object", + "properties": { + "cas_required": { + "type": "boolean", + "description": "If true, the backend will require the cas parameter to be set for each write" + }, + "delete_version_after": { + "type": "string", + "description": "If set, the length of time before a version is deleted. A negative duration disables the use of delete_version_after on all keys. A zero duration clears the current setting. Accepts a Go duration format string.", + "format": "duration" + }, + "max_versions": { + "type": "integer", + "description": "The number of versions to keep for each key. Defaults to 10" + } + } + }, + "KvV2DeleteVersionsRequest": { + "type": "object", + "properties": { + "versions": { + "type": "array", + "description": "The versions to be archived. The versioned data will not be deleted, but it will no longer be returned in normal get requests.", + "items": { + "type": "integer" + } + } + } + }, + "KvV2DestroyVersionsRequest": { + "type": "object", + "properties": { + "versions": { + "type": "array", + "description": "The versions to destroy. 
Their data will be permanently deleted.", + "items": { + "type": "integer" + } + } + } + }, + "KvV2PatchResponse": { + "type": "object", + "properties": { + "created_time": { + "type": "string", + "format": "date-time" + }, + "custom_metadata": { + "type": "object", + "format": "map" + }, + "deletion_time": { + "type": "string" + }, + "destroyed": { + "type": "boolean" + }, + "version": { + "type": "integer", + "format": "int64" + } + } + }, + "KvV2ReadConfigurationResponse": { + "type": "object", + "properties": { + "cas_required": { + "type": "boolean", + "description": "If true, the backend will require the cas parameter to be set for each write" + }, + "delete_version_after": { + "type": "string", + "description": "The length of time before a version is deleted.", + "format": "duration" + }, + "max_versions": { + "type": "integer", + "description": "The number of versions to keep for each key." + } + } + }, + "KvV2ReadMetadataResponse": { + "type": "object", + "properties": { + "cas_required": { + "type": "boolean" + }, + "created_time": { + "type": "string", + "format": "date-time" + }, + "current_version": { + "type": "integer", + "format": "int64" + }, + "custom_metadata": { + "type": "object", + "description": "User-provided key-value pairs that are used to describe arbitrary and version-agnostic information about a secret.", + "format": "map" + }, + "delete_version_after": { + "type": "string", + "description": "The length of time before a version is deleted.", + "format": "duration" + }, + "max_versions": { + "type": "integer", + "description": "The number of versions to keep", + "format": "int64" + }, + "oldest_version": { + "type": "integer", + "format": "int64" + }, + "updated_time": { + "type": "string", + "format": "date-time" + }, + "versions": { + "type": "object", + "format": "map" + } + } + }, + "KvV2ReadResponse": { + "type": "object", + "properties": { + "data": { + "type": "object", + "format": "map" + }, + "metadata": { + "type": "object", + 
"format": "map" + } + } + }, + "KvV2ReadSubkeysResponse": { + "type": "object", + "properties": { + "metadata": { + "type": "object", + "format": "map" + }, + "subkeys": { + "type": "object", + "format": "map" + } + } + }, + "KvV2UndeleteVersionsRequest": { + "type": "object", + "properties": { + "versions": { + "type": "array", + "description": "The versions to unarchive. The versions will be restored and their data will be returned on normal get requests.", + "items": { + "type": "integer" + } + } + } + }, + "KvV2WriteMetadataRequest": { + "type": "object", + "properties": { + "cas_required": { + "type": "boolean", + "description": "If true the key will require the cas parameter to be set on all write requests. If false, the backend’s configuration will be used." + }, + "custom_metadata": { + "type": "object", + "description": "User-provided key-value pairs that are used to describe arbitrary and version-agnostic information about a secret.", + "format": "map" + }, + "delete_version_after": { + "type": "string", + "description": "The length of time before a version is deleted. If not set, the backend's configured delete_version_after is used. Cannot be greater than the backend's delete_version_after. A zero duration clears the current setting. A negative duration will cause an error.", + "format": "duration" + }, + "max_versions": { + "type": "integer", + "description": "The number of versions to keep. If not set, the backend’s configured max version is used." + } + } + }, + "KvV2WriteRequest": { + "type": "object", + "properties": { + "data": { + "type": "object", + "description": "The contents of the data map will be stored and returned on read.", + "format": "map" + }, + "options": { + "type": "object", + "description": "Options for writing a KV entry. Set the \"cas\" value to use a Check-And-Set operation. If not set the write will be allowed. If set to 0 a write will only be allowed if the key doesn’t exist. 
If the index is non-zero the write will only be allowed if the key’s current version matches the version specified in the cas parameter.", + "format": "map" + }, + "version": { + "type": "integer", + "description": "If provided during a read, the value at the version number will be returned" + } + } + }, + "KvV2WriteResponse": { + "type": "object", + "properties": { + "created_time": { + "type": "string", + "format": "date-time" + }, + "custom_metadata": { + "type": "object", + "format": "map" + }, + "deletion_time": { + "type": "string" + }, + "destroyed": { + "type": "boolean" + }, + "version": { + "type": "integer", + "format": "int64" + } + } + }, + "LdapConfigureAuthRequest": { + "type": "object", + "properties": { + "anonymous_group_search": { + "type": "boolean", + "description": "Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).", + "default": false, + "x-vault-displayAttrs": { + "name": "Anonymous group search" + } + }, + "binddn": { + "type": "string", + "description": "LDAP DN for searching for the user DN (optional)", + "x-vault-displayAttrs": { + "name": "Name of Object to bind (binddn)" + } + }, + "bindpass": { + "type": "string", + "description": "LDAP password for searching for the user DN (optional)", + "x-vault-displayAttrs": { + "sensitive": true + } + }, + "case_sensitive_names": { + "type": "boolean", + "description": "If true, case sensitivity will be used when comparing usernames and groups for matching policies." 
+ }, + "certificate": { + "type": "string", + "description": "CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded (optional)", + "x-vault-displayAttrs": { + "name": "CA certificate", + "editType": "file" + } + }, + "client_tls_cert": { + "type": "string", + "description": "Client certificate to provide to the LDAP server, must be x509 PEM encoded (optional)", + "x-vault-displayAttrs": { + "name": "Client certificate", + "editType": "file" + } + }, + "client_tls_key": { + "type": "string", + "description": "Client certificate key to provide to the LDAP server, must be x509 PEM encoded (optional)", + "x-vault-displayAttrs": { + "name": "Client key", + "editType": "file" + } + }, + "connection_timeout": { + "type": "string", + "description": "Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.", + "format": "duration", + "default": "30s" + }, + "deny_null_bind": { + "type": "boolean", + "description": "Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true", + "default": true + }, + "dereference_aliases": { + "type": "string", + "description": "When aliases should be dereferenced on search operations. Accepted values are 'never', 'finding', 'searching', 'always'. Defaults to 'never'.", + "enum": [ + "never", + "finding", + "searching", + "always" + ], + "default": "never" + }, + "discoverdn": { + "type": "boolean", + "description": "Use anonymous bind to discover the bind DN of a user (optional)", + "x-vault-displayAttrs": { + "name": "Discover DN" + } + }, + "groupattr": { + "type": "string", + "description": "LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: \"cn\" or \"memberOf\", etc. 
Default: cn", + "default": "cn", + "x-vault-displayAttrs": { + "name": "Group Attribute", + "value": "cn" + } + }, + "groupdn": { + "type": "string", + "description": "LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org)", + "x-vault-displayAttrs": { + "name": "Group DN" + } + }, + "groupfilter": { + "type": "string", + "description": "Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username Example: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))", + "default": "(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))", + "x-vault-displayAttrs": { + "name": "Group Filter" + } + }, + "insecure_tls": { + "type": "boolean", + "description": "Skip LDAP server SSL Certificate verification - VERY insecure (optional)", + "x-vault-displayAttrs": { + "name": "Insecure TLS" + } + }, + "max_page_size": { + "type": "integer", + "description": "If set to a value greater than 0, the LDAP backend will use the LDAP server's paged search control to request pages of up to the given size. This can be used to avoid hitting the LDAP server's maximum result size limit. Otherwise, the LDAP backend will not use the paged search control.", + "default": 0 + }, + "request_timeout": { + "type": "string", + "description": "Timeout, in seconds, for the connection when making requests against the server before returning back an error.", + "format": "duration", + "default": "90s" + }, + "starttls": { + "type": "boolean", + "description": "Issue a StartTLS command after establishing unencrypted connection (optional)", + "x-vault-displayAttrs": { + "name": "Issue StartTLS" + } + }, + "tls_max_version": { + "type": "string", + "description": "Maximum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. 
Defaults to 'tls12'", + "enum": [ + "tls10", + "tls11", + "tls12", + "tls13" + ], + "default": "tls12", + "x-vault-displayAttrs": { + "name": "Maximum TLS Version" + } + }, + "tls_min_version": { + "type": "string", + "description": "Minimum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12'", + "enum": [ + "tls10", + "tls11", + "tls12", + "tls13" + ], + "default": "tls12", + "x-vault-displayAttrs": { + "name": "Minimum TLS Version" + } + }, + "token_bound_cidrs": { + "type": "array", + "description": "Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Generated Token's Bound CIDRs", + "description": "A list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "group": "Tokens" + } + }, + "token_explicit_max_ttl": { + "type": "string", + "description": "If set, tokens created via this role carry an explicit maximum TTL. 
During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Explicit Maximum TTL", + "group": "Tokens" + } + }, + "token_max_ttl": { + "type": "string", + "description": "The maximum lifetime of the generated token", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Maximum TTL", + "group": "Tokens" + } + }, + "token_no_default_policy": { + "type": "boolean", + "description": "If true, the 'default' policy will not automatically be added to generated tokens", + "x-vault-displayAttrs": { + "name": "Do Not Attach 'default' Policy To Generated Tokens", + "group": "Tokens" + } + }, + "token_num_uses": { + "type": "integer", + "description": "The maximum number of times a token may be used, a value of zero means unlimited", + "x-vault-displayAttrs": { + "name": "Maximum Uses of Generated Tokens", + "group": "Tokens" + } + }, + "token_period": { + "type": "string", + "description": "If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Period", + "group": "Tokens" + } + }, + "token_policies": { + "type": "array", + "description": "Comma-separated list of policies. 
This will apply to all tokens generated by this auth method, in addition to any configured for specific users/groups.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Generated Token's Policies", + "description": "A list of policies that will apply to the generated token for this user.", + "group": "Tokens" + } + }, + "token_ttl": { + "type": "string", + "description": "The initial ttl of the token to generate", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Initial TTL", + "group": "Tokens" + } + }, + "token_type": { + "type": "string", + "description": "The type of token to generate, service or batch", + "default": "default-service", + "x-vault-displayAttrs": { + "name": "Generated Token's Type", + "group": "Tokens" + } + }, + "upndomain": { + "type": "string", + "description": "Enables userPrincipalDomain login with [username]@UPNDomain (optional)", + "x-vault-displayAttrs": { + "name": "User Principal (UPN) Domain" + } + }, + "url": { + "type": "string", + "description": "LDAP URL to connect to (default: ldap://127.0.0.1). Multiple URLs can be specified by concatenating them with commas; they will be tried in-order.", + "default": "ldap://127.0.0.1", + "x-vault-displayAttrs": { + "name": "URL" + } + }, + "use_pre111_group_cn_behavior": { + "type": "boolean", + "description": "In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations." + }, + "use_token_groups": { + "type": "boolean", + "description": "If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. 
This will find all security groups including nested ones.", + "default": false + }, + "userattr": { + "type": "string", + "description": "Attribute used for users (default: cn)", + "default": "cn", + "x-vault-displayAttrs": { + "name": "User Attribute", + "value": "cn" + } + }, + "userdn": { + "type": "string", + "description": "LDAP domain to use for users (eg: ou=People,dc=example,dc=org)", + "x-vault-displayAttrs": { + "name": "User DN" + } + }, + "userfilter": { + "type": "string", + "description": "Go template for LDAP user search filer (optional) The template can access the following context variables: UserAttr, Username Default: ({{.UserAttr}}={{.Username}})", + "default": "({{.UserAttr}}={{.Username}})", + "x-vault-displayAttrs": { + "name": "User Search Filter" + } + }, + "username_as_alias": { + "type": "boolean", + "description": "If true, sets the alias name to the username", + "default": false + } + } + }, + "LdapConfigureRequest": { + "type": "object", + "properties": { + "anonymous_group_search": { + "type": "boolean", + "description": "Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).", + "default": false, + "x-vault-displayAttrs": { + "name": "Anonymous group search" + } + }, + "binddn": { + "type": "string", + "description": "LDAP DN for searching for the user DN (optional)", + "x-vault-displayAttrs": { + "name": "Name of Object to bind (binddn)" + } + }, + "bindpass": { + "type": "string", + "description": "LDAP password for searching for the user DN (optional)", + "x-vault-displayAttrs": { + "sensitive": true + } + }, + "case_sensitive_names": { + "type": "boolean", + "description": "If true, case sensitivity will be used when comparing usernames and groups for matching policies." 
+ }, + "certificate": { + "type": "string", + "description": "CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded (optional)", + "x-vault-displayAttrs": { + "name": "CA certificate", + "editType": "file" + } + }, + "client_tls_cert": { + "type": "string", + "description": "Client certificate to provide to the LDAP server, must be x509 PEM encoded (optional)", + "x-vault-displayAttrs": { + "name": "Client certificate", + "editType": "file" + } + }, + "client_tls_key": { + "type": "string", + "description": "Client certificate key to provide to the LDAP server, must be x509 PEM encoded (optional)", + "x-vault-displayAttrs": { + "name": "Client key", + "editType": "file" + } + }, + "connection_timeout": { + "type": "string", + "description": "Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.", + "format": "duration", + "default": "30s" + }, + "deny_null_bind": { + "type": "boolean", + "description": "Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true", + "default": true + }, + "dereference_aliases": { + "type": "string", + "description": "When aliases should be dereferenced on search operations. Accepted values are 'never', 'finding', 'searching', 'always'. Defaults to 'never'.", + "enum": [ + "never", + "finding", + "searching", + "always" + ], + "default": "never" + }, + "discoverdn": { + "type": "boolean", + "description": "Use anonymous bind to discover the bind DN of a user (optional)", + "x-vault-displayAttrs": { + "name": "Discover DN" + } + }, + "groupattr": { + "type": "string", + "description": "LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: \"cn\" or \"memberOf\", etc. 
Default: cn", + "default": "cn", + "x-vault-displayAttrs": { + "name": "Group Attribute", + "value": "cn" + } + }, + "groupdn": { + "type": "string", + "description": "LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org)", + "x-vault-displayAttrs": { + "name": "Group DN" + } + }, + "groupfilter": { + "type": "string", + "description": "Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username Example: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))", + "default": "(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))", + "x-vault-displayAttrs": { + "name": "Group Filter" + } + }, + "insecure_tls": { + "type": "boolean", + "description": "Skip LDAP server SSL Certificate verification - VERY insecure (optional)", + "x-vault-displayAttrs": { + "name": "Insecure TLS" + } + }, + "length": { + "type": "integer", + "description": "The desired length of passwords that Vault generates.", + "deprecated": true + }, + "max_page_size": { + "type": "integer", + "description": "If set to a value greater than 0, the LDAP backend will use the LDAP server's paged search control to request pages of up to the given size. This can be used to avoid hitting the LDAP server's maximum result size limit. 
Otherwise, the LDAP backend will not use the paged search control.", + "default": 0 + }, + "max_ttl": { + "type": "string", + "description": "The maximum password time-to-live.", + "format": "duration" + }, + "password_policy": { + "type": "string", + "description": "Password policy to use to generate passwords" + }, + "request_timeout": { + "type": "string", + "description": "Timeout, in seconds, for the connection when making requests against the server before returning back an error.", + "format": "duration", + "default": "90s" + }, + "schema": { + "type": "string", + "description": "The desired LDAP schema used when modifying user account passwords.", + "default": "openldap" + }, + "starttls": { + "type": "boolean", + "description": "Issue a StartTLS command after establishing unencrypted connection (optional)", + "x-vault-displayAttrs": { + "name": "Issue StartTLS" + } + }, + "tls_max_version": { + "type": "string", + "description": "Maximum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12'", + "enum": [ + "tls10", + "tls11", + "tls12", + "tls13" + ], + "default": "tls12", + "x-vault-displayAttrs": { + "name": "Maximum TLS Version" + } + }, + "tls_min_version": { + "type": "string", + "description": "Minimum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12'", + "enum": [ + "tls10", + "tls11", + "tls12", + "tls13" + ], + "default": "tls12", + "x-vault-displayAttrs": { + "name": "Minimum TLS Version" + } + }, + "ttl": { + "type": "string", + "description": "The default password time-to-live.", + "format": "duration" + }, + "upndomain": { + "type": "string", + "description": "Enables userPrincipalDomain login with [username]@UPNDomain (optional)", + "x-vault-displayAttrs": { + "name": "User Principal (UPN) Domain" + } + }, + "url": { + "type": "string", + "description": "LDAP URL to connect to (default: ldap://127.0.0.1). 
Multiple URLs can be specified by concatenating them with commas; they will be tried in-order.", + "default": "ldap://127.0.0.1", + "x-vault-displayAttrs": { + "name": "URL" + } + }, + "use_pre111_group_cn_behavior": { + "type": "boolean", + "description": "In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations." + }, + "use_token_groups": { + "type": "boolean", + "description": "If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.", + "default": false + }, + "userattr": { + "type": "string", + "description": "Attribute used for users (default: cn)", + "default": "cn", + "x-vault-displayAttrs": { + "name": "User Attribute", + "value": "cn" + } + }, + "userdn": { + "type": "string", + "description": "LDAP domain to use for users (eg: ou=People,dc=example,dc=org)", + "x-vault-displayAttrs": { + "name": "User DN" + } + }, + "userfilter": { + "type": "string", + "description": "Go template for LDAP user search filer (optional) The template can access the following context variables: UserAttr, Username Default: ({{.UserAttr}}={{.Username}})", + "default": "({{.UserAttr}}={{.Username}})", + "x-vault-displayAttrs": { + "name": "User Search Filter" + } + }, + "username_as_alias": { + "type": "boolean", + "description": "If true, sets the alias name to the username", + "default": false + } + } + }, + "LdapLibraryCheckInRequest": { + "type": "object", + "properties": { + "service_account_names": { + "type": "array", + "description": "The username/logon name for the service 
accounts to check in.", + "items": { + "type": "string" + } + } + } + }, + "LdapLibraryCheckOutRequest": { + "type": "object", + "properties": { + "ttl": { + "type": "string", + "description": "The length of time before the check-out will expire, in seconds.", + "format": "duration" + } + } + }, + "LdapLibraryConfigureRequest": { + "type": "object", + "properties": { + "disable_check_in_enforcement": { + "type": "boolean", + "description": "Disable the default behavior of requiring that check-ins are performed by the entity that checked them out.", + "default": false + }, + "max_ttl": { + "type": "string", + "description": "In seconds, the max amount of time a check-out's renewals should last. Defaults to 24 hours.", + "format": "duration", + "default": 86400 + }, + "service_account_names": { + "type": "array", + "description": "The username/logon name for the service accounts with which this set will be associated.", + "items": { + "type": "string" + } + }, + "ttl": { + "type": "string", + "description": "In seconds, the amount of time a check-out should last. Defaults to 24 hours.", + "format": "duration", + "default": 86400 + } + } + }, + "LdapLibraryForceCheckInRequest": { + "type": "object", + "properties": { + "service_account_names": { + "type": "array", + "description": "The username/logon name for the service accounts to check in.", + "items": { + "type": "string" + } + } + } + }, + "LdapLoginRequest": { + "type": "object", + "properties": { + "password": { + "type": "string", + "description": "Password for this user." + } + } + }, + "LdapWriteDynamicRoleRequest": { + "type": "object", + "properties": { + "creation_ldif": { + "type": "string", + "description": "LDIF string used to create new entities within the LDAP system. This LDIF can be templated." 
+ }, + "default_ttl": { + "type": "string", + "description": "Default TTL for dynamic credentials", + "format": "duration" + }, + "deletion_ldif": { + "type": "string", + "description": "LDIF string used to delete entities created within the LDAP system. This LDIF can be templated." + }, + "max_ttl": { + "type": "string", + "description": "Max TTL a dynamic credential can be extended to", + "format": "duration" + }, + "rollback_ldif": { + "type": "string", + "description": "LDIF string used to rollback changes in the event of a failure to create credentials. This LDIF can be templated." + }, + "username_template": { + "type": "string", + "description": "The template used to create a username" + } + }, + "required": [ + "creation_ldif", + "deletion_ldif" + ] + }, + "LdapWriteGroupRequest": { + "type": "object", + "properties": { + "policies": { + "type": "array", + "description": "Comma-separated list of policies associated to the group.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "description": "A list of policies associated to the group." + } + } + } + }, + "LdapWriteStaticRoleRequest": { + "type": "object", + "properties": { + "dn": { + "type": "string", + "description": "The distinguished name of the entry to manage." + }, + "rotation_period": { + "type": "string", + "description": "Period for automatic credential rotation of the given entry.", + "format": "duration" + }, + "username": { + "type": "string", + "description": "The username/logon name for the entry with which this role will be associated." + } + } + }, + "LdapWriteUserRequest": { + "type": "object", + "properties": { + "groups": { + "type": "array", + "description": "Comma-separated list of additional groups associated with the user.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "description": "A list of additional groups associated with the user." 
+ } + }, + "policies": { + "type": "array", + "description": "Comma-separated list of policies associated with the user.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "description": "A list of policies associated with the user." + } + } + } + }, + "LeaderStatusResponse": { + "type": "object", + "properties": { + "active_time": { + "type": "string", + "format": "date-time" + }, + "ha_enabled": { + "type": "boolean" + }, + "is_self": { + "type": "boolean" + }, + "last_wal": { + "type": "integer", + "format": "int64" + }, + "leader_address": { + "type": "string" + }, + "leader_cluster_address": { + "type": "string" + }, + "performance_standby": { + "type": "boolean" + }, + "performance_standby_last_remote_wal": { + "type": "integer", + "format": "int64" + }, + "raft_applied_index": { + "type": "integer", + "format": "int64" + }, + "raft_committed_index": { + "type": "integer", + "format": "int64" + } + } + }, + "LeasesCountResponse": { + "type": "object", + "properties": { + "counts": { + "type": "integer", + "description": "Number of matching leases per mount" + }, + "lease_count": { + "type": "integer", + "description": "Number of matching leases" + } + } + }, + "LeasesListResponse": { + "type": "object", + "properties": { + "counts": { + "type": "integer", + "description": "Number of matching leases per mount" + }, + "lease_count": { + "type": "integer", + "description": "Number of matching leases" + } + } + }, + "LeasesLookUpResponse": { + "type": "object", + "properties": { + "keys": { + "type": "array", + "description": "A list of lease ids", + "items": { + "type": "string" + } + } + } + }, + "LeasesReadLeaseRequest": { + "type": "object", + "properties": { + "lease_id": { + "type": "string", + "description": "The lease identifier to renew. This is included with a lease." 
+ } + } + }, + "LeasesReadLeaseResponse": { + "type": "object", + "properties": { + "expire_time": { + "type": "string", + "description": "Optional lease expiry time", + "format": "date-time" + }, + "id": { + "type": "string", + "description": "Lease id" + }, + "issue_time": { + "type": "string", + "description": "Timestamp for the lease's issue time", + "format": "date-time" + }, + "last_renewal": { + "type": "string", + "description": "Optional Timestamp of the last time the lease was renewed", + "format": "date-time" + }, + "renewable": { + "type": "boolean", + "description": "True if the lease is able to be renewed" + }, + "ttl": { + "type": "integer", + "description": "Time to Live set for the lease, returns 0 if unset" + } + } + }, + "LeasesRenewLease2Request": { + "type": "object", + "properties": { + "increment": { + "type": "string", + "description": "The desired increment in seconds to the lease", + "format": "duration" + }, + "lease_id": { + "type": "string", + "description": "The lease identifier to renew. This is included with a lease." + } + } + }, + "LeasesRenewLeaseRequest": { + "type": "object", + "properties": { + "increment": { + "type": "string", + "description": "The desired increment in seconds to the lease", + "format": "duration" + }, + "lease_id": { + "type": "string", + "description": "The lease identifier to renew. This is included with a lease." + } + } + }, + "LeasesRenewLeaseWithId2Request": { + "type": "object", + "properties": { + "increment": { + "type": "string", + "description": "The desired increment in seconds to the lease", + "format": "duration" + }, + "lease_id": { + "type": "string", + "description": "The lease identifier to renew. This is included with a lease." 
+ } + } + }, + "LeasesRenewLeaseWithIdRequest": { + "type": "object", + "properties": { + "increment": { + "type": "string", + "description": "The desired increment in seconds to the lease", + "format": "duration" + }, + "lease_id": { + "type": "string", + "description": "The lease identifier to renew. This is included with a lease." + } + } + }, + "LeasesRevokeLease2Request": { + "type": "object", + "properties": { + "lease_id": { + "type": "string", + "description": "The lease identifier to renew. This is included with a lease." + }, + "sync": { + "type": "boolean", + "description": "Whether or not to perform the revocation synchronously", + "default": true + } + } + }, + "LeasesRevokeLeaseRequest": { + "type": "object", + "properties": { + "lease_id": { + "type": "string", + "description": "The lease identifier to renew. This is included with a lease." + }, + "sync": { + "type": "boolean", + "description": "Whether or not to perform the revocation synchronously", + "default": true + } + } + }, + "LeasesRevokeLeaseWithId2Request": { + "type": "object", + "properties": { + "lease_id": { + "type": "string", + "description": "The lease identifier to renew. This is included with a lease." + }, + "sync": { + "type": "boolean", + "description": "Whether or not to perform the revocation synchronously", + "default": true + } + } + }, + "LeasesRevokeLeaseWithIdRequest": { + "type": "object", + "properties": { + "lease_id": { + "type": "string", + "description": "The lease identifier to renew. This is included with a lease." 
+ }, + "sync": { + "type": "boolean", + "description": "Whether or not to perform the revocation synchronously", + "default": true + } + } + }, + "LeasesRevokeLeaseWithPrefix2Request": { + "type": "object", + "properties": { + "sync": { + "type": "boolean", + "description": "Whether or not to perform the revocation synchronously", + "default": true + } + } + }, + "LeasesRevokeLeaseWithPrefixRequest": { + "type": "object", + "properties": { + "sync": { + "type": "boolean", + "description": "Whether or not to perform the revocation synchronously", + "default": true + } + } + }, + "LoggersUpdateVerbosityLevelForRequest": { + "type": "object", + "properties": { + "level": { + "type": "string", + "description": "Log verbosity level. Supported values (in order of detail) are \"trace\", \"debug\", \"info\", \"warn\", and \"error\"." + } + } + }, + "LoggersUpdateVerbosityLevelRequest": { + "type": "object", + "properties": { + "level": { + "type": "string", + "description": "Log verbosity level. Supported values (in order of detail) are \"trace\", \"debug\", \"info\", \"warn\", and \"error\"." + } + } + }, + "MfaAdminDestroyTotpSecretRequest": { + "type": "object", + "properties": { + "entity_id": { + "type": "string", + "description": "Identifier of the entity from which the MFA method secret needs to be removed." + }, + "method_id": { + "type": "string", + "description": "The unique identifier for this MFA method." + } + }, + "required": [ + "entity_id", + "method_id" + ] + }, + "MfaAdminGenerateTotpSecretRequest": { + "type": "object", + "properties": { + "entity_id": { + "type": "string", + "description": "Entity ID on which the generated secret needs to get stored." + }, + "method_id": { + "type": "string", + "description": "The unique identifier for this MFA method." 
+ } + }, + "required": [ + "entity_id", + "method_id" + ] + }, + "MfaCreateDuoMethodRequest": { + "type": "object", + "properties": { + "api_hostname": { + "type": "string", + "description": "API host name for Duo." + }, + "integration_key": { + "type": "string", + "description": "Integration key for Duo." + }, + "method_name": { + "type": "string", + "description": "The unique name identifier for this MFA method." + }, + "push_info": { + "type": "string", + "description": "Push information for Duo." + }, + "secret_key": { + "type": "string", + "description": "Secret key for Duo." + }, + "use_passcode": { + "type": "boolean", + "description": "If true, the user is reminded to use the passcode upon MFA validation. This option does not enforce using the passcode. Defaults to false." + }, + "username_format": { + "type": "string", + "description": "A template string for mapping Identity names to MFA method names. Values to subtitute should be placed in {{}}. For example, \"{{alias.name}}@example.com\". Currently-supported mappings: alias.name: The name returned by the mount configured via the mount_accessor parameter If blank, the Alias's name field will be used as-is." + } + } + }, + "MfaCreateOktaMethodRequest": { + "type": "object", + "properties": { + "api_token": { + "type": "string", + "description": "Okta API key." + }, + "base_url": { + "type": "string", + "description": "The base domain to use for the Okta API. When not specified in the configuration, \"okta.com\" is used." + }, + "method_name": { + "type": "string", + "description": "The unique name identifier for this MFA method." + }, + "org_name": { + "type": "string", + "description": "Name of the organization to be used in the Okta API." + }, + "primary_email": { + "type": "boolean", + "description": "If true, the username will only match the primary email for the account. Defaults to false." + }, + "production": { + "type": "boolean", + "description": "(DEPRECATED) Use base_url instead." 
+ }, + "username_format": { + "type": "string", + "description": "A template string for mapping Identity names to MFA method names. Values to substitute should be placed in {{}}. For example, \"{{entity.name}}@example.com\". If blank, the Entity's name field will be used as-is." + } + } + }, + "MfaCreatePingIdMethodRequest": { + "type": "object", + "properties": { + "method_name": { + "type": "string", + "description": "The unique name identifier for this MFA method." + }, + "settings_file_base64": { + "type": "string", + "description": "The settings file provided by Ping, Base64-encoded. This must be a settings file suitable for third-party clients, not the PingID SDK or PingFederate." + }, + "username_format": { + "type": "string", + "description": "A template string for mapping Identity names to MFA method names. Values to subtitute should be placed in {{}}. For example, \"{{alias.name}}@example.com\". Currently-supported mappings: alias.name: The name returned by the mount configured via the mount_accessor parameter If blank, the Alias's name field will be used as-is." + } + } + }, + "MfaCreateTotpMethodRequest": { + "type": "object", + "properties": { + "algorithm": { + "type": "string", + "description": "The hashing algorithm used to generate the TOTP token. Options include SHA1, SHA256 and SHA512.", + "default": "SHA1" + }, + "digits": { + "type": "integer", + "description": "The number of digits in the generated TOTP token. This value can either be 6 or 8.", + "default": 6 + }, + "issuer": { + "type": "string", + "description": "The name of the key's issuing organization." + }, + "key_size": { + "type": "integer", + "description": "Determines the size in bytes of the generated key.", + "default": 20 + }, + "max_validation_attempts": { + "type": "integer", + "description": "Max number of allowed validation attempts." + }, + "method_name": { + "type": "string", + "description": "The unique name identifier for this MFA method." 
+ }, + "period": { + "type": "string", + "description": "The length of time used to generate a counter for the TOTP token calculation.", + "format": "duration", + "default": 30 + }, + "qr_size": { + "type": "integer", + "description": "The pixel size of the generated square QR code.", + "default": 200 + }, + "skew": { + "type": "integer", + "description": "The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1.", + "default": 1 + } + } + }, + "MfaGenerateTotpSecretRequest": { + "type": "object", + "properties": { + "method_id": { + "type": "string", + "description": "The unique identifier for this MFA method." + } + }, + "required": [ + "method_id" + ] + }, + "MfaUpdateDuoMethodRequest": { + "type": "object", + "properties": { + "api_hostname": { + "type": "string", + "description": "API host name for Duo." + }, + "integration_key": { + "type": "string", + "description": "Integration key for Duo." + }, + "method_name": { + "type": "string", + "description": "The unique name identifier for this MFA method." + }, + "push_info": { + "type": "string", + "description": "Push information for Duo." + }, + "secret_key": { + "type": "string", + "description": "Secret key for Duo." + }, + "use_passcode": { + "type": "boolean", + "description": "If true, the user is reminded to use the passcode upon MFA validation. This option does not enforce using the passcode. Defaults to false." + }, + "username_format": { + "type": "string", + "description": "A template string for mapping Identity names to MFA method names. Values to subtitute should be placed in {{}}. For example, \"{{alias.name}}@example.com\". Currently-supported mappings: alias.name: The name returned by the mount configured via the mount_accessor parameter If blank, the Alias's name field will be used as-is." + } + } + }, + "MfaUpdateOktaMethodRequest": { + "type": "object", + "properties": { + "api_token": { + "type": "string", + "description": "Okta API key." 
+ }, + "base_url": { + "type": "string", + "description": "The base domain to use for the Okta API. When not specified in the configuration, \"okta.com\" is used." + }, + "method_name": { + "type": "string", + "description": "The unique name identifier for this MFA method." + }, + "org_name": { + "type": "string", + "description": "Name of the organization to be used in the Okta API." + }, + "primary_email": { + "type": "boolean", + "description": "If true, the username will only match the primary email for the account. Defaults to false." + }, + "production": { + "type": "boolean", + "description": "(DEPRECATED) Use base_url instead." + }, + "username_format": { + "type": "string", + "description": "A template string for mapping Identity names to MFA method names. Values to substitute should be placed in {{}}. For example, \"{{entity.name}}@example.com\". If blank, the Entity's name field will be used as-is." + } + } + }, + "MfaUpdatePingIdMethodRequest": { + "type": "object", + "properties": { + "method_name": { + "type": "string", + "description": "The unique name identifier for this MFA method." + }, + "settings_file_base64": { + "type": "string", + "description": "The settings file provided by Ping, Base64-encoded. This must be a settings file suitable for third-party clients, not the PingID SDK or PingFederate." + }, + "username_format": { + "type": "string", + "description": "A template string for mapping Identity names to MFA method names. Values to subtitute should be placed in {{}}. For example, \"{{alias.name}}@example.com\". Currently-supported mappings: alias.name: The name returned by the mount configured via the mount_accessor parameter If blank, the Alias's name field will be used as-is." + } + } + }, + "MfaUpdateTotpMethodRequest": { + "type": "object", + "properties": { + "algorithm": { + "type": "string", + "description": "The hashing algorithm used to generate the TOTP token. 
Options include SHA1, SHA256 and SHA512.", + "default": "SHA1" + }, + "digits": { + "type": "integer", + "description": "The number of digits in the generated TOTP token. This value can either be 6 or 8.", + "default": 6 + }, + "issuer": { + "type": "string", + "description": "The name of the key's issuing organization." + }, + "key_size": { + "type": "integer", + "description": "Determines the size in bytes of the generated key.", + "default": 20 + }, + "max_validation_attempts": { + "type": "integer", + "description": "Max number of allowed validation attempts." + }, + "method_name": { + "type": "string", + "description": "The unique name identifier for this MFA method." + }, + "period": { + "type": "string", + "description": "The length of time used to generate a counter for the TOTP token calculation.", + "format": "duration", + "default": 30 + }, + "qr_size": { + "type": "integer", + "description": "The pixel size of the generated square QR code.", + "default": 200 + }, + "skew": { + "type": "integer", + "description": "The number of delay periods that are allowed when validating a TOTP token. 
This value can either be 0 or 1.", + "default": 1 + } + } + }, + "MfaValidateRequest": { + "type": "object", + "properties": { + "mfa_payload": { + "type": "object", + "description": "A map from MFA method ID to a slice of passcodes or an empty slice if the method does not use passcodes", + "format": "map" + }, + "mfa_request_id": { + "type": "string", + "description": "ID for this MFA request" + } + }, + "required": [ + "mfa_payload", + "mfa_request_id" + ] + }, + "MfaWriteLoginEnforcementRequest": { + "type": "object", + "properties": { + "auth_method_accessors": { + "type": "array", + "description": "Array of auth mount accessor IDs", + "items": { + "type": "string" + } + }, + "auth_method_types": { + "type": "array", + "description": "Array of auth mount types", + "items": { + "type": "string" + } + }, + "identity_entity_ids": { + "type": "array", + "description": "Array of identity entity IDs", + "items": { + "type": "string" + } + }, + "identity_group_ids": { + "type": "array", + "description": "Array of identity group IDs", + "items": { + "type": "string" + } + }, + "mfa_method_ids": { + "type": "array", + "description": "Array of Method IDs that determine what methods will be enforced", + "items": { + "type": "string" + } + } + }, + "required": [ + "mfa_method_ids" + ] + }, + "MongoDbAtlasConfigureRequest": { + "type": "object", + "properties": { + "private_key": { + "type": "string", + "description": "MongoDB Atlas Programmatic Private Key", + "x-vault-displayAttrs": { + "sensitive": true + } + }, + "public_key": { + "type": "string", + "description": "MongoDB Atlas Programmatic Public Key" + } + }, + "required": [ + "private_key", + "public_key" + ] + }, + "MongoDbAtlasWriteRoleRequest": { + "type": "object", + "properties": { + "cidr_blocks": { + "type": "array", + "description": "Access list entry in CIDR notation to be added for the API key. 
Optional for organization and project keys.", + "items": { + "type": "string" + } + }, + "ip_addresses": { + "type": "array", + "description": "IP address to be added to the access list for the API key. Optional for organization and project keys.", + "items": { + "type": "string" + } + }, + "max_ttl": { + "type": "string", + "description": "The maximum allowed lifetime of credentials issued using this role.", + "format": "duration" + }, + "organization_id": { + "type": "string", + "description": "Organization ID required for an organization API key" + }, + "project_id": { + "type": "string", + "description": "Project ID the project API key belongs to." + }, + "project_roles": { + "type": "array", + "description": "Roles assigned when an organization API Key is assigned to a project API key", + "items": { + "type": "string" + } + }, + "roles": { + "type": "array", + "description": "List of roles that the API Key should be granted. A minimum of one role must be provided. Any roles provided must be valid for the assigned Project, required for organization and project keys.", + "items": { + "type": "string" + } + }, + "ttl": { + "type": "string", + "description": "Duration in seconds after which the issued credential should expire. Defaults to 0, in which case the value will fallback to the system/mount defaults.", + "format": "duration" + } + }, + "required": [ + "roles" + ] + }, + "MountsEnableSecretsEngineRequest": { + "type": "object", + "properties": { + "config": { + "type": "object", + "description": "Configuration for this mount, such as default_lease_ttl and max_lease_ttl.", + "format": "map" + }, + "description": { + "type": "string", + "description": "User-friendly description for this mount." 
+ }, + "external_entropy_access": { + "type": "boolean", + "description": "Whether to give the mount access to Vault's external entropy.", + "default": false + }, + "local": { + "type": "boolean", + "description": "Mark the mount as a local mount, which is not replicated and is unaffected by replication.", + "default": false + }, + "options": { + "type": "object", + "description": "The options to pass into the backend. Should be a json object with string keys and values.", + "format": "kvpairs" + }, + "plugin_name": { + "type": "string", + "description": "Name of the plugin to mount based from the name registered in the plugin catalog." + }, + "plugin_version": { + "type": "string", + "description": "The semantic version of the plugin to use, or image tag if oci_image is provided." + }, + "seal_wrap": { + "type": "boolean", + "description": "Whether to turn on seal wrapping for the mount.", + "default": false + }, + "type": { + "type": "string", + "description": "The type of the backend. Example: \"passthrough\"" + } + } + }, + "MountsReadConfigurationResponse": { + "type": "object", + "properties": { + "accessor": { + "type": "string" + }, + "config": { + "type": "object", + "description": "Configuration for this mount, such as default_lease_ttl and max_lease_ttl.", + "format": "map" + }, + "deprecation_status": { + "type": "string" + }, + "description": { + "type": "string", + "description": "User-friendly description for this mount." + }, + "external_entropy_access": { + "type": "boolean" + }, + "local": { + "type": "boolean", + "description": "Mark the mount as a local mount, which is not replicated and is unaffected by replication.", + "default": false + }, + "options": { + "type": "object", + "description": "The options to pass into the backend. 
Should be a json object with string keys and values.", + "format": "kvpairs" + }, + "plugin_version": { + "type": "string", + "description": "The semantic version of the plugin to use, or image tag if oci_image is provided." + }, + "running_plugin_version": { + "type": "string" + }, + "running_sha256": { + "type": "string" + }, + "seal_wrap": { + "type": "boolean", + "description": "Whether to turn on seal wrapping for the mount.", + "default": false + }, + "type": { + "type": "string", + "description": "The type of the backend. Example: \"passthrough\"" + }, + "uuid": { + "type": "string" + } + } + }, + "MountsReadTuningInformationResponse": { + "type": "object", + "properties": { + "allowed_managed_keys": { + "type": "array", + "items": { + "type": "string" + } + }, + "allowed_response_headers": { + "type": "array", + "description": "A list of headers to whitelist and allow a plugin to set on responses.", + "items": { + "type": "string" + } + }, + "audit_non_hmac_request_keys": { + "type": "array", + "items": { + "type": "string" + } + }, + "audit_non_hmac_response_keys": { + "type": "array", + "items": { + "type": "string" + } + }, + "default_lease_ttl": { + "type": "integer", + "description": "The default lease TTL for this mount." + }, + "description": { + "type": "string", + "description": "User-friendly description for this credential backend." + }, + "external_entropy_access": { + "type": "boolean" + }, + "force_no_cache": { + "type": "boolean" + }, + "listing_visibility": { + "type": "string" + }, + "max_lease_ttl": { + "type": "integer", + "description": "The max lease TTL for this mount." + }, + "options": { + "type": "object", + "description": "The options to pass into the backend. 
Should be a json object with string keys and values.", + "format": "kvpairs" + }, + "passthrough_request_headers": { + "type": "array", + "items": { + "type": "string" + } + }, + "plugin_version": { + "type": "string", + "description": "The semantic version of the plugin to use, or image tag if oci_image is provided." + }, + "token_type": { + "type": "string", + "description": "The type of token to issue (service or batch)." + }, + "user_lockout_counter_reset_duration": { + "type": "integer", + "format": "int64" + }, + "user_lockout_disable": { + "type": "boolean" + }, + "user_lockout_duration": { + "type": "integer", + "format": "int64" + }, + "user_lockout_threshold": { + "type": "integer", + "format": "int64" + } + } + }, + "MountsTuneConfigurationParametersRequest": { + "type": "object", + "properties": { + "allowed_managed_keys": { + "type": "array", + "items": { + "type": "string" + } + }, + "allowed_response_headers": { + "type": "array", + "description": "A list of headers to whitelist and allow a plugin to set on responses.", + "items": { + "type": "string" + } + }, + "audit_non_hmac_request_keys": { + "type": "array", + "description": "The list of keys in the request data object that will not be HMAC'ed by audit devices.", + "items": { + "type": "string" + } + }, + "audit_non_hmac_response_keys": { + "type": "array", + "description": "The list of keys in the response data object that will not be HMAC'ed by audit devices.", + "items": { + "type": "string" + } + }, + "default_lease_ttl": { + "type": "string", + "description": "The default lease TTL for this mount." + }, + "description": { + "type": "string", + "description": "User-friendly description for this credential backend." + }, + "listing_visibility": { + "type": "string", + "description": "Determines the visibility of the mount in the UI-specific listing endpoint. Accepted value are 'unauth' and 'hidden', with the empty default ('') behaving like 'hidden'." 
+ }, + "max_lease_ttl": { + "type": "string", + "description": "The max lease TTL for this mount." + }, + "options": { + "type": "object", + "description": "The options to pass into the backend. Should be a json object with string keys and values.", + "format": "kvpairs" + }, + "passthrough_request_headers": { + "type": "array", + "description": "A list of headers to whitelist and pass from the request to the plugin.", + "items": { + "type": "string" + } + }, + "plugin_version": { + "type": "string", + "description": "The semantic version of the plugin to use, or image tag if oci_image is provided." + }, + "token_type": { + "type": "string", + "description": "The type of token to issue (service or batch)." + }, + "user_lockout_config": { + "type": "object", + "description": "The user lockout configuration to pass into the backend. Should be a json object with string keys and values.", + "format": "map" + } + } + }, + "NomadConfigureAccessRequest": { + "type": "object", + "properties": { + "address": { + "type": "string", + "description": "Nomad server address" + }, + "ca_cert": { + "type": "string", + "description": "CA certificate to use when verifying Nomad server certificate, must be x509 PEM encoded." + }, + "client_cert": { + "type": "string", + "description": "Client certificate used for Nomad's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_key." + }, + "client_key": { + "type": "string", + "description": "Client key used for Nomad's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert." 
+ }, + "max_token_name_length": { + "type": "integer", + "description": "Max length for name of generated Nomad tokens" + }, + "token": { + "type": "string", + "description": "Token for API calls" + } + } + }, + "NomadConfigureLeaseRequest": { + "type": "object", + "properties": { + "max_ttl": { + "type": "string", + "description": "Duration after which the issued token should not be allowed to be renewed", + "format": "duration" + }, + "ttl": { + "type": "string", + "description": "Duration before which the issued token needs renewal", + "format": "duration" + } + } + }, + "NomadWriteRoleRequest": { + "type": "object", + "properties": { + "global": { + "type": "boolean", + "description": "Boolean value describing if the token should be global or not. Defaults to false." + }, + "policies": { + "type": "array", + "description": "Comma-separated string or list of policies as previously created in Nomad. Required for 'client' token.", + "items": { + "type": "string" + } + }, + "type": { + "type": "string", + "description": "Which type of token to create: 'client' or 'management'. If a 'management' token, the \"policies\" parameter is not required. Defaults to 'client'.", + "default": "client" + } + } + }, + "OciConfigureRequest": { + "type": "object", + "properties": { + "home_tenancy_id": { + "type": "string", + "description": "The tenancy id of the account." + } + } + }, + "OciLoginRequest": { + "type": "object", + "properties": { + "request_headers": { + "type": "string", + "description": "The signed headers of the client" + } + } + }, + "OciWriteRoleRequest": { + "type": "object", + "properties": { + "ocid_list": { + "type": "array", + "description": "A comma separated list of Group or Dynamic Group OCIDs that are allowed to take this role.", + "items": { + "type": "string" + } + }, + "token_bound_cidrs": { + "type": "array", + "description": "Comma separated string or JSON list of CIDR blocks. 
If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Generated Token's Bound CIDRs", + "description": "A list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "group": "Tokens" + } + }, + "token_explicit_max_ttl": { + "type": "string", + "description": "If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Explicit Maximum TTL", + "group": "Tokens" + } + }, + "token_max_ttl": { + "type": "string", + "description": "The maximum lifetime of the generated token", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Maximum TTL", + "group": "Tokens" + } + }, + "token_no_default_policy": { + "type": "boolean", + "description": "If true, the 'default' policy will not automatically be added to generated tokens", + "x-vault-displayAttrs": { + "name": "Do Not Attach 'default' Policy To Generated Tokens", + "group": "Tokens" + } + }, + "token_num_uses": { + "type": "integer", + "description": "The maximum number of times a token may be used, a value of zero means unlimited", + "x-vault-displayAttrs": { + "name": "Maximum Uses of Generated Tokens", + "group": "Tokens" + } + }, + "token_period": { + "type": "string", + "description": "If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. 
\"24h\").", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Period", + "group": "Tokens" + } + }, + "token_policies": { + "type": "array", + "description": "Comma-separated list of policies", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Generated Token's Policies", + "description": "A list of policies that will apply to the generated token for this user.", + "group": "Tokens" + } + }, + "token_ttl": { + "type": "string", + "description": "The initial ttl of the token to generate", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Initial TTL", + "group": "Tokens" + } + }, + "token_type": { + "type": "string", + "description": "The type of token to generate, service or batch", + "default": "default-service", + "x-vault-displayAttrs": { + "name": "Generated Token's Type", + "group": "Tokens" + } + } + } + }, + "OidcConfigureRequest": { + "type": "object", + "properties": { + "issuer": { + "type": "string", + "description": "Issuer URL to be used in the iss claim of the token. If not set, Vault's app_addr will be used." + } + } + }, + "OidcIntrospectRequest": { + "type": "object", + "properties": { + "client_id": { + "type": "string", + "description": "Optional client_id to verify" + }, + "token": { + "type": "string", + "description": "Token to verify" + } + } + }, + "OidcProviderAuthorizeWithParametersRequest": { + "type": "object", + "properties": { + "client_id": { + "type": "string", + "description": "The ID of the requesting client." + }, + "code_challenge": { + "type": "string", + "description": "The code challenge derived from the code verifier." + }, + "code_challenge_method": { + "type": "string", + "description": "The method that was used to derive the code challenge. The following methods are supported: 'S256', 'plain'. 
Defaults to 'plain'.", + "default": "plain" + }, + "max_age": { + "type": "integer", + "description": "The allowable elapsed time in seconds since the last time the end-user was actively authenticated." + }, + "nonce": { + "type": "string", + "description": "The value that will be returned in the ID token nonce claim after a token exchange." + }, + "redirect_uri": { + "type": "string", + "description": "The redirection URI to which the response will be sent." + }, + "response_type": { + "type": "string", + "description": "The OIDC authentication flow to be used. The following response types are supported: 'code'" + }, + "scope": { + "type": "string", + "description": "A space-delimited, case-sensitive list of scopes to be requested. The 'openid' scope is required." + }, + "state": { + "type": "string", + "description": "The value used to maintain state between the authentication request and client." + } + }, + "required": [ + "client_id", + "redirect_uri", + "response_type", + "scope" + ] + }, + "OidcProviderTokenRequest": { + "type": "object", + "properties": { + "client_id": { + "type": "string", + "description": "The ID of the requesting client." + }, + "client_secret": { + "type": "string", + "description": "The secret of the requesting client." + }, + "code": { + "type": "string", + "description": "The authorization code received from the provider's authorization endpoint." + }, + "code_verifier": { + "type": "string", + "description": "The code verifier associated with the authorization code." + }, + "grant_type": { + "type": "string", + "description": "The authorization grant type. The following grant types are supported: 'authorization_code'." + }, + "redirect_uri": { + "type": "string", + "description": "The callback location where the authentication response was sent." 
+ } + }, + "required": [ + "code", + "grant_type", + "redirect_uri" + ] + }, + "OidcRotateKeyRequest": { + "type": "object", + "properties": { + "verification_ttl": { + "type": "string", + "description": "Controls how long the public portion of a key will be available for verification after being rotated. Setting verification_ttl here will override the verification_ttl set on the key.", + "format": "duration" + } + } + }, + "OidcWriteAssignmentRequest": { + "type": "object", + "properties": { + "entity_ids": { + "type": "array", + "description": "Comma separated string or array of identity entity IDs", + "items": { + "type": "string" + } + }, + "group_ids": { + "type": "array", + "description": "Comma separated string or array of identity group IDs", + "items": { + "type": "string" + } + } + } + }, + "OidcWriteClientRequest": { + "type": "object", + "properties": { + "access_token_ttl": { + "type": "string", + "description": "The time-to-live for access tokens obtained by the client.", + "format": "duration", + "default": "24h" + }, + "assignments": { + "type": "array", + "description": "Comma separated string or array of assignment resources.", + "items": { + "type": "string" + } + }, + "client_type": { + "type": "string", + "description": "The client type based on its ability to maintain confidentiality of credentials. The following client types are supported: 'confidential', 'public'. Defaults to 'confidential'.", + "default": "confidential" + }, + "id_token_ttl": { + "type": "string", + "description": "The time-to-live for ID tokens obtained by the client.", + "format": "duration", + "default": "24h" + }, + "key": { + "type": "string", + "description": "A reference to a named key resource. Cannot be modified after creation. Defaults to the 'default' key.", + "default": "default" + }, + "redirect_uris": { + "type": "array", + "description": "Comma separated string or array of redirect URIs used by the client. 
One of these values must exactly match the redirect_uri parameter value used in each authentication request.", + "items": { + "type": "string" + } + } + } + }, + "OidcWriteKeyRequest": { + "type": "object", + "properties": { + "algorithm": { + "type": "string", + "description": "Signing algorithm to use. This will default to RS256.", + "default": "RS256" + }, + "allowed_client_ids": { + "type": "array", + "description": "Comma separated string or array of role client ids allowed to use this key for signing. If empty no roles are allowed. If \"*\" all roles are allowed.", + "items": { + "type": "string" + } + }, + "rotation_period": { + "type": "string", + "description": "How often to generate a new keypair.", + "format": "duration", + "default": "24h" + }, + "verification_ttl": { + "type": "string", + "description": "Controls how long the public portion of a key will be available for verification after being rotated.", + "format": "duration", + "default": "24h" + } + } + }, + "OidcWriteProviderRequest": { + "type": "object", + "properties": { + "allowed_client_ids": { + "type": "array", + "description": "The client IDs that are permitted to use the provider", + "items": { + "type": "string" + } + }, + "issuer": { + "type": "string", + "description": "Specifies what will be used for the iss claim of ID tokens." + }, + "scopes_supported": { + "type": "array", + "description": "The scopes supported for requesting on the provider", + "items": { + "type": "string" + } + } + } + }, + "OidcWriteRoleRequest": { + "type": "object", + "properties": { + "client_id": { + "type": "string", + "description": "Optional client_id" + }, + "key": { + "type": "string", + "description": "The OIDC key to use for generating tokens. The specified key must already exist." + }, + "template": { + "type": "string", + "description": "The template string to use for generating tokens. This may be in string-ified JSON or base64 format." 
+ }, + "ttl": { + "type": "string", + "description": "TTL of the tokens generated against the role.", + "format": "duration", + "default": "24h" + } + }, + "required": [ + "key" + ] + }, + "OidcWriteScopeRequest": { + "type": "object", + "properties": { + "description": { + "type": "string", + "description": "The description of the scope" + }, + "template": { + "type": "string", + "description": "The template string to use for the scope. This may be in string-ified JSON or base64 format." + } + } + }, + "OktaConfigureRequest": { + "type": "object", + "properties": { + "api_token": { + "type": "string", + "description": "Okta API key.", + "x-vault-displayAttrs": { + "name": "API Token" + } + }, + "base_url": { + "type": "string", + "description": "The base domain to use for the Okta API. When not specified in the configuration, \"okta.com\" is used.", + "x-vault-displayAttrs": { + "name": "Base URL" + } + }, + "bypass_okta_mfa": { + "type": "boolean", + "description": "When set true, requests by Okta for a MFA check will be bypassed. This also disallows certain status checks on the account, such as whether the password is expired.", + "x-vault-displayAttrs": { + "name": "Bypass Okta MFA" + } + }, + "max_ttl": { + "type": "string", + "description": "Use \"token_max_ttl\" instead. 
If this and \"token_max_ttl\" are both specified, only \"token_max_ttl\" will be used.", + "format": "duration", + "deprecated": true + }, + "org_name": { + "type": "string", + "description": "Name of the organization to be used in the Okta API.", + "x-vault-displayAttrs": { + "name": "Organization Name" + } + }, + "organization": { + "type": "string", + "description": "Use org_name instead.", + "deprecated": true + }, + "production": { + "type": "boolean", + "description": "Use base_url instead.", + "deprecated": true + }, + "token": { + "type": "string", + "description": "Use api_token instead.", + "deprecated": true + }, + "token_bound_cidrs": { + "type": "array", + "description": "Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Generated Token's Bound CIDRs", + "description": "A list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "group": "Tokens" + } + }, + "token_explicit_max_ttl": { + "type": "string", + "description": "If set, tokens created via this role carry an explicit maximum TTL. 
During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Explicit Maximum TTL", + "group": "Tokens" + } + }, + "token_max_ttl": { + "type": "string", + "description": "The maximum lifetime of the generated token", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Maximum TTL", + "group": "Tokens" + } + }, + "token_no_default_policy": { + "type": "boolean", + "description": "If true, the 'default' policy will not automatically be added to generated tokens", + "x-vault-displayAttrs": { + "name": "Do Not Attach 'default' Policy To Generated Tokens", + "group": "Tokens" + } + }, + "token_num_uses": { + "type": "integer", + "description": "The maximum number of times a token may be used, a value of zero means unlimited", + "x-vault-displayAttrs": { + "name": "Maximum Uses of Generated Tokens", + "group": "Tokens" + } + }, + "token_period": { + "type": "string", + "description": "If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Period", + "group": "Tokens" + } + }, + "token_policies": { + "type": "array", + "description": "Comma-separated list of policies. 
This will apply to all tokens generated by this auth method, in addition to any configured for specific users/groups.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Generated Token's Policies", + "description": "A list of policies that will apply to the generated token for this user.", + "group": "Tokens" + } + }, + "token_ttl": { + "type": "string", + "description": "The initial ttl of the token to generate", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Initial TTL", + "group": "Tokens" + } + }, + "token_type": { + "type": "string", + "description": "The type of token to generate, service or batch", + "default": "default-service", + "x-vault-displayAttrs": { + "name": "Generated Token's Type", + "group": "Tokens" + } + }, + "ttl": { + "type": "string", + "description": "Use \"token_ttl\" instead. If this and \"token_ttl\" are both specified, only \"token_ttl\" will be used.", + "format": "duration", + "deprecated": true + } + } + }, + "OktaLoginRequest": { + "type": "object", + "properties": { + "nonce": { + "type": "string", + "description": "Nonce provided if performing login that requires number verification challenge. Logins through the vault login CLI command will automatically generate a nonce." + }, + "password": { + "type": "string", + "description": "Password for this user." + }, + "provider": { + "type": "string", + "description": "Preferred factor provider." + }, + "totp": { + "type": "string", + "description": "TOTP passcode." + } + } + }, + "OktaWriteGroupRequest": { + "type": "object", + "properties": { + "policies": { + "type": "array", + "description": "Comma-separated list of policies associated to the group.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "description": "A list of policies associated to the group." 
+ } + } + } + }, + "OktaWriteUserRequest": { + "type": "object", + "properties": { + "groups": { + "type": "array", + "description": "List of groups associated with the user.", + "items": { + "type": "string" + } + }, + "policies": { + "type": "array", + "description": "List of policies associated with the user.", + "items": { + "type": "string" + } + } + } + }, + "PersonaCreateRequest": { + "type": "object", + "properties": { + "entity_id": { + "type": "string", + "description": "Entity ID to which this persona belongs to" + }, + "id": { + "type": "string", + "description": "ID of the persona" + }, + "metadata": { + "type": "object", + "description": "Metadata to be associated with the persona. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2", + "format": "kvpairs" + }, + "mount_accessor": { + "type": "string", + "description": "Mount accessor to which this persona belongs to" + }, + "name": { + "type": "string", + "description": "Name of the persona" + } + } + }, + "PersonaUpdateByIdRequest": { + "type": "object", + "properties": { + "entity_id": { + "type": "string", + "description": "Entity ID to which this persona should be tied to" + }, + "metadata": { + "type": "object", + "description": "Metadata to be associated with the persona. In CLI, this parameter can be repeated multiple times, and it all gets merged together. 
For example: vault metadata=key1=value1 metadata=key2=value2", + "format": "kvpairs" + }, + "mount_accessor": { + "type": "string", + "description": "Mount accessor to which this persona belongs to" + }, + "name": { + "type": "string", + "description": "Name of the persona" + } + } + }, + "PkiConfigureAcmeRequest": { + "type": "object", + "properties": { + "allow_role_ext_key_usage": { + "type": "boolean", + "description": "whether the ExtKeyUsage field from a role is used, defaults to false meaning that certificate will be signed with ServerAuth.", + "default": false + }, + "allowed_issuers": { + "type": "array", + "description": "which issuers are allowed for use with ACME; by default, this will only be the primary (default) issuer", + "items": { + "type": "string" + }, + "default": [ + "*" + ] + }, + "allowed_roles": { + "type": "array", + "description": "which roles are allowed for use with ACME; by default via '*', these will be all roles including sign-verbatim; when concrete role names are specified, any default_directory_policy role must be included to allow usage of the default acme directories under /pki/acme/directory and /pki/issuer/:issuer_id/acme/directory.", + "items": { + "type": "string" + }, + "default": [ + "*" + ] + }, + "default_directory_policy": { + "type": "string", + "description": "the policy to be used for non-role-qualified ACME requests; by default ACME issuance will be otherwise unrestricted, equivalent to the sign-verbatim endpoint; one may also specify a role to use as this policy, as \"role:\", the specified role must be allowed by allowed_roles", + "default": "sign-verbatim" + }, + "dns_resolver": { + "type": "string", + "description": "DNS resolver to use for domain resolution on this mount. Defaults to using the default system resolver. 
Must be in the format :, with both parts mandatory.", + "default": "" + }, + "eab_policy": { + "type": "string", + "description": "Specify the policy to use for external account binding behaviour, 'not-required', 'new-account-required' or 'always-required'", + "default": "always-required" + }, + "enabled": { + "type": "boolean", + "description": "whether ACME is enabled, defaults to false meaning that clusters will by default not get ACME support", + "default": false + } + } + }, + "PkiConfigureAutoTidyRequest": { + "type": "object", + "properties": { + "acme_account_safety_buffer": { + "type": "string", + "description": "The amount of time that must pass after creation that an account with no orders is marked revoked, and the amount of time after being marked revoked or deactivated.", + "format": "duration", + "default": 2592000 + }, + "enabled": { + "type": "boolean", + "description": "Set to true to enable automatic tidy operations." + }, + "interval_duration": { + "type": "string", + "description": "Interval at which to run an auto-tidy operation. This is the time between tidy invocations (after one finishes to the start of the next). Running a manual tidy will reset this duration.", + "format": "duration", + "default": 43200 + }, + "issuer_safety_buffer": { + "type": "string", + "description": "The amount of extra time that must have passed beyond issuer's expiration before it is removed from the backend storage. Defaults to 8760 hours (1 year).", + "format": "duration", + "default": 31536000 + }, + "maintain_stored_certificate_counts": { + "type": "boolean", + "description": "This configures whether stored certificates are counted upon initialization of the backend, and whether during normal operation, a running count of certificates stored is maintained.", + "default": false + }, + "pause_duration": { + "type": "string", + "description": "The amount of time to wait between processing certificates. 
This allows operators to change the execution profile of tidy to take consume less resources by slowing down how long it takes to run. Note that the entire list of certificates will be stored in memory during the entire tidy operation, but resources to read/process/update existing entries will be spread out over a greater period of time. By default this is zero seconds.", + "default": "0s" + }, + "publish_stored_certificate_count_metrics": { + "type": "boolean", + "description": "This configures whether the stored certificate count is published to the metrics consumer. It does not affect if the stored certificate count is maintained, and if maintained, it will be available on the tidy-status endpoint.", + "default": false + }, + "revocation_queue_safety_buffer": { + "type": "string", + "description": "The amount of time that must pass from the cross-cluster revocation request being initiated to when it will be slated for removal. Setting this too low may remove valid revocation requests before the owning cluster has a chance to process them, especially if the cluster is offline.", + "format": "duration", + "default": 172800 + }, + "safety_buffer": { + "type": "string", + "description": "The amount of extra time that must have passed beyond certificate expiration before it is removed from the backend storage and/or revocation list. Defaults to 72 hours.", + "format": "duration", + "default": 259200 + }, + "tidy_acme": { + "type": "boolean", + "description": "Set to true to enable tidying ACME accounts, orders and authorizations. ACME orders are tidied (deleted) safety_buffer after the certificate associated with them expires, or after the order and relevant authorizations have expired if no certificate was produced. Authorizations are tidied with the corresponding order. When a valid ACME Account is at least acme_account_safety_buffer old, and has no remaining orders associated with it, the account is marked as revoked. 
After another acme_account_safety_buffer has passed from the revocation or deactivation date, a revoked or deactivated ACME account is deleted.", + "default": false + }, + "tidy_cert_store": { + "type": "boolean", + "description": "Set to true to enable tidying up the certificate store" + }, + "tidy_cross_cluster_revoked_certs": { + "type": "boolean", + "description": "Set to true to enable tidying up the cross-cluster revoked certificate store. Only runs on the active primary node." + }, + "tidy_expired_issuers": { + "type": "boolean", + "description": "Set to true to automatically remove expired issuers past the issuer_safety_buffer. No keys will be removed as part of this operation." + }, + "tidy_move_legacy_ca_bundle": { + "type": "boolean", + "description": "Set to true to move the legacy ca_bundle from /config/ca_bundle to /config/ca_bundle.bak. This prevents downgrades to pre-Vault 1.11 versions (as older PKI engines do not know about the new multi-issuer storage layout), but improves the performance on seal wrapped PKI mounts. This will only occur if at least issuer_safety_buffer time has occurred after the initial storage migration. This backup is saved in case of an issue in future migrations. Operators may consider removing it via sys/raw if they desire. The backup will be removed via a DELETE /root call, but note that this removes ALL issuers within the mount (and is thus not desirable in most operational scenarios)." + }, + "tidy_revocation_list": { + "type": "boolean", + "description": "Deprecated; synonym for 'tidy_revoked_certs" + }, + "tidy_revocation_queue": { + "type": "boolean", + "description": "Set to true to remove stale revocation queue entries that haven't been confirmed by any active cluster. Only runs on the active primary node", + "default": false + }, + "tidy_revoked_cert_issuer_associations": { + "type": "boolean", + "description": "Set to true to validate issuer associations on revocation entries. 
This helps increase the performance of CRL building and OCSP responses." + }, + "tidy_revoked_certs": { + "type": "boolean", + "description": "Set to true to expire all revoked and expired certificates, removing them both from the CRL and from storage. The CRL will be rotated if this causes any values to be removed." + } + } + }, + "PkiConfigureAutoTidyResponse": { + "type": "object", + "properties": { + "acme_account_safety_buffer": { + "type": "integer", + "description": "Safety buffer after creation after which accounts lacking orders are revoked" + }, + "enabled": { + "type": "boolean", + "description": "Specifies whether automatic tidy is enabled or not" + }, + "interval_duration": { + "type": "integer", + "description": "Specifies the duration between automatic tidy operation" + }, + "issuer_safety_buffer": { + "type": "integer", + "description": "Issuer safety buffer" + }, + "maintain_stored_certificate_counts": { + "type": "boolean" + }, + "pause_duration": { + "type": "string", + "description": "Duration to pause between tidying certificates" + }, + "publish_stored_certificate_count_metrics": { + "type": "boolean" + }, + "revocation_queue_safety_buffer": { + "type": "integer" + }, + "safety_buffer": { + "type": "integer", + "description": "Safety buffer time duration" + }, + "tidy_acme": { + "type": "boolean", + "description": "Tidy Unused Acme Accounts, and Orders" + }, + "tidy_cert_store": { + "type": "boolean", + "description": "Specifies whether to tidy up the certificate store" + }, + "tidy_cross_cluster_revoked_certs": { + "type": "boolean", + "description": "Tidy the cross-cluster revoked certificate store" + }, + "tidy_expired_issuers": { + "type": "boolean", + "description": "Specifies whether tidy expired issuers" + }, + "tidy_move_legacy_ca_bundle": { + "type": "boolean" + }, + "tidy_revocation_queue": { + "type": "boolean" + }, + "tidy_revoked_cert_issuer_associations": { + "type": "boolean", + "description": "Specifies whether to associate 
revoked certificates with their corresponding issuers" + }, + "tidy_revoked_certs": { + "type": "boolean", + "description": "Specifies whether to remove all invalid and expired certificates from storage" + } + } + }, + "PkiConfigureCaRequest": { + "type": "object", + "properties": { + "pem_bundle": { + "type": "string", + "description": "PEM-format, concatenated unencrypted secret key and certificate." + } + } + }, + "PkiConfigureCaResponse": { + "type": "object", + "properties": { + "existing_issuers": { + "type": "array", + "description": "Existing issuers specified as part of the import bundle of this request", + "items": { + "type": "string" + } + }, + "existing_keys": { + "type": "array", + "description": "Existing keys specified as part of the import bundle of this request", + "items": { + "type": "string" + } + }, + "imported_issuers": { + "type": "array", + "description": "Net-new issuers imported as a part of this request", + "items": { + "type": "string" + } + }, + "imported_keys": { + "type": "array", + "description": "Net-new keys imported as a part of this request", + "items": { + "type": "string" + } + }, + "mapping": { + "type": "object", + "description": "A mapping of issuer_id to key_id for all issuers included in this request", + "format": "map" + } + } + }, + "PkiConfigureClusterRequest": { + "type": "object", + "properties": { + "aia_path": { + "type": "string", + "description": "Optional URI to this mount's AIA distribution point; may refer to an external non-Vault responder. This is for resolving AIA URLs and providing the {{cluster_aia_path}} template parameter and will not be used for other purposes. As such, unlike path above, this could safely be an insecure transit mechanism (like HTTP without TLS). For example: http://cdn.example.com/pr1/pki" + }, + "path": { + "type": "string", + "description": "Canonical URI to this mount on this performance replication cluster's external address. 
This is for resolving AIA URLs and providing the {{cluster_path}} template parameter but might be used for other purposes in the future. This should only point back to this particular PR replica and should not ever point to another PR cluster. It may point to any node in the PR replica, including standby nodes, and need not always point to the active node. For example: https://pr1.vault.example.com:8200/v1/pki" + } + } + }, + "PkiConfigureClusterResponse": { + "type": "object", + "properties": { + "aia_path": { + "type": "string", + "description": "Optional URI to this mount's AIA distribution point; may refer to an external non-Vault responder. This is for resolving AIA URLs and providing the {{cluster_aia_path}} template parameter and will not be used for other purposes. As such, unlike path above, this could safely be an insecure transit mechanism (like HTTP without TLS). For example: http://cdn.example.com/pr1/pki" + }, + "path": { + "type": "string", + "description": "Canonical URI to this mount on this performance replication cluster's external address. This is for resolving AIA URLs and providing the {{cluster_path}} template parameter but might be used for other purposes in the future. This should only point back to this particular PR replica and should not ever point to another PR cluster. It may point to any node in the PR replica, including standby nodes, and need not always point to the active node. For example: https://pr1.vault.example.com:8200/v1/pki" + } + } + }, + "PkiConfigureCrlRequest": { + "type": "object", + "properties": { + "auto_rebuild": { + "type": "boolean", + "description": "If set to true, enables automatic rebuilding of the CRL" + }, + "auto_rebuild_grace_period": { + "type": "string", + "description": "The time before the CRL expires to automatically rebuild it, when enabled. Must be shorter than the CRL expiry. 
Defaults to 12h.", + "default": "12h" + }, + "cross_cluster_revocation": { + "type": "boolean", + "description": "Whether to enable a global, cross-cluster revocation queue. Must be used with auto_rebuild=true." + }, + "delta_rebuild_interval": { + "type": "string", + "description": "The time between delta CRL rebuilds if a new revocation has occurred. Must be shorter than the CRL expiry. Defaults to 15m.", + "default": "15m" + }, + "disable": { + "type": "boolean", + "description": "If set to true, disables generating the CRL entirely." + }, + "enable_delta": { + "type": "boolean", + "description": "Whether to enable delta CRLs between authoritative CRL rebuilds" + }, + "expiry": { + "type": "string", + "description": "The amount of time the generated CRL should be valid; defaults to 72 hours", + "default": "72h" + }, + "ocsp_disable": { + "type": "boolean", + "description": "If set to true, ocsp unauthorized responses will be returned." + }, + "ocsp_expiry": { + "type": "string", + "description": "The amount of time an OCSP response will be valid (controls the NextUpdate field); defaults to 12 hours", + "default": "1h" + }, + "unified_crl": { + "type": "boolean", + "description": "If set to true enables global replication of revocation entries, also enabling unified versions of OCSP and CRLs if their respective features are enabled. disable for CRLs and ocsp_disable for OCSP.", + "default": "false" + }, + "unified_crl_on_existing_paths": { + "type": "boolean", + "description": "If set to true, existing CRL and OCSP paths will return the unified CRL instead of a response based on cluster-local data", + "default": "false" + } + } + }, + "PkiConfigureCrlResponse": { + "type": "object", + "properties": { + "auto_rebuild": { + "type": "boolean", + "description": "If set to true, enables automatic rebuilding of the CRL" + }, + "auto_rebuild_grace_period": { + "type": "string", + "description": "The time before the CRL expires to automatically rebuild it, when enabled. 
Must be shorter than the CRL expiry. Defaults to 12h.", + "default": "12h" + }, + "cross_cluster_revocation": { + "type": "boolean", + "description": "Whether to enable a global, cross-cluster revocation queue. Must be used with auto_rebuild=true." + }, + "delta_rebuild_interval": { + "type": "string", + "description": "The time between delta CRL rebuilds if a new revocation has occurred. Must be shorter than the CRL expiry. Defaults to 15m.", + "default": "15m" + }, + "disable": { + "type": "boolean", + "description": "If set to true, disables generating the CRL entirely." + }, + "enable_delta": { + "type": "boolean", + "description": "Whether to enable delta CRLs between authoritative CRL rebuilds" + }, + "expiry": { + "type": "string", + "description": "The amount of time the generated CRL should be valid; defaults to 72 hours", + "default": "72h" + }, + "ocsp_disable": { + "type": "boolean", + "description": "If set to true, ocsp unauthorized responses will be returned." + }, + "ocsp_expiry": { + "type": "string", + "description": "The amount of time an OCSP response will be valid (controls the NextUpdate field); defaults to 12 hours", + "default": "1h" + }, + "unified_crl": { + "type": "boolean", + "description": "If set to true enables global replication of revocation entries, also enabling unified versions of OCSP and CRLs if their respective features are enabled. disable for CRLs and ocsp_disable for OCSP." + }, + "unified_crl_on_existing_paths": { + "type": "boolean", + "description": "If set to true, existing CRL and OCSP paths will return the unified CRL instead of a response based on cluster-local data" + } + } + }, + "PkiConfigureIssuersRequest": { + "type": "object", + "properties": { + "default": { + "type": "string", + "description": "Reference (name or identifier) to the default issuer." 
+ }, + "default_follows_latest_issuer": { + "type": "boolean", + "description": "Whether the default issuer should automatically follow the latest generated or imported issuer. Defaults to false.", + "default": false + } + } + }, + "PkiConfigureIssuersResponse": { + "type": "object", + "properties": { + "default": { + "type": "string", + "description": "Reference (name or identifier) to the default issuer." + }, + "default_follows_latest_issuer": { + "type": "boolean", + "description": "Whether the default issuer should automatically follow the latest generated or imported issuer. Defaults to false." + } + } + }, + "PkiConfigureKeysRequest": { + "type": "object", + "properties": { + "default": { + "type": "string", + "description": "Reference (name or identifier) of the default key." + } + } + }, + "PkiConfigureKeysResponse": { + "type": "object", + "properties": { + "default": { + "type": "string", + "description": "Reference (name or identifier) to the default issuer." + } + } + }, + "PkiConfigureUrlsRequest": { + "type": "object", + "properties": { + "crl_distribution_points": { + "type": "array", + "description": "Comma-separated list of URLs to be used for the CRL distribution points attribute. See also RFC 5280 Section 4.2.1.13.", + "items": { + "type": "string" + } + }, + "enable_templating": { + "type": "boolean", + "description": "Whether or not to enabling templating of the above AIA fields. When templating is enabled the special values '{{issuer_id}}', '{{cluster_path}}', and '{{cluster_aia_path}}' are available, but the addresses are not checked for URI validity until issuance time. 
Using '{{cluster_path}}' requires /config/cluster's 'path' member to be set on all PR Secondary clusters and using '{{cluster_aia_path}}' requires /config/cluster's 'aia_path' member to be set on all PR secondary clusters.", + "default": false + }, + "issuing_certificates": { + "type": "array", + "description": "Comma-separated list of URLs to be used for the issuing certificate attribute. See also RFC 5280 Section 4.2.2.1.", + "items": { + "type": "string" + } + }, + "ocsp_servers": { + "type": "array", + "description": "Comma-separated list of URLs to be used for the OCSP servers attribute. See also RFC 5280 Section 4.2.2.1.", + "items": { + "type": "string" + } + } + } + }, + "PkiConfigureUrlsResponse": { + "type": "object", + "properties": { + "crl_distribution_points": { + "type": "array", + "description": "Comma-separated list of URLs to be used for the CRL distribution points attribute. See also RFC 5280 Section 4.2.1.13.", + "items": { + "type": "string" + } + }, + "enable_templating": { + "type": "boolean", + "description": "Whether or not to enabling templating of the above AIA fields. When templating is enabled the special values '{{issuer_id}}' and '{{cluster_path}}' are available, but the addresses are not checked for URI validity until issuance time. This requires /config/cluster's path to be set on all PR Secondary clusters.", + "default": false + }, + "issuing_certificates": { + "type": "array", + "description": "Comma-separated list of URLs to be used for the issuing certificate attribute. See also RFC 5280 Section 4.2.2.1.", + "items": { + "type": "string" + } + }, + "ocsp_servers": { + "type": "array", + "description": "Comma-separated list of URLs to be used for the OCSP servers attribute. 
See also RFC 5280 Section 4.2.2.1.", + "items": { + "type": "string" + } + } + } + }, + "PkiCrossSignIntermediateRequest": { + "type": "object", + "properties": { + "add_basic_constraints": { + "type": "boolean", + "description": "Whether to add a Basic Constraints extension with CA: true. Only needed as a workaround in some compatibility scenarios with Active Directory Certificate Services." + }, + "alt_names": { + "type": "string", + "description": "The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses.", + "x-vault-displayAttrs": { + "name": "DNS/Email Subject Alternative Names (SANs)" + } + }, + "common_name": { + "type": "string", + "description": "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans." + }, + "country": { + "type": "array", + "description": "If set, Country will be set to this value.", + "items": { + "type": "string" + } + }, + "exclude_cn_from_sans": { + "type": "boolean", + "description": "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).", + "default": false, + "x-vault-displayAttrs": { + "name": "Exclude Common Name from Subject Alternative Names (SANs)" + } + }, + "exported": { + "type": "string", + "description": "Must be \"internal\", \"exported\" or \"kms\". If set to \"exported\", the generated private key will be returned. This is your *only* chance to retrieve the private key!", + "enum": [ + "internal", + "external", + "kms" + ] + }, + "format": { + "type": "string", + "description": "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\", any private key and issuing cert will be appended to the certificate pem. If \"der\", the value will be base64 encoded. 
Defaults to \"pem\".", + "enum": [ + "pem", + "der", + "pem_bundle" + ], + "default": "pem", + "x-vault-displayAttrs": { + "value": "pem" + } + }, + "ip_sans": { + "type": "array", + "description": "The requested IP SANs, if any, in a comma-delimited list", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "IP Subject Alternative Names (SANs)" + } + }, + "key_bits": { + "type": "integer", + "description": "The number of bits to use. Allowed values are 0 (universal default); with rsa key_type: 2048 (default), 3072, or 4096; with ec key_type: 224, 256 (default), 384, or 521; ignored with ed25519.", + "default": 0, + "x-vault-displayAttrs": { + "value": 0 + } + }, + "key_name": { + "type": "string", + "description": "Provide a name to the generated or existing key, the name must be unique across all keys and not be the reserved value 'default'" + }, + "key_ref": { + "type": "string", + "description": "Reference to a existing key; either \"default\" for the configured default key, an identifier or the name assigned to the key.", + "default": "default" + }, + "key_type": { + "type": "string", + "description": "The type of key to use; defaults to RSA. \"rsa\" \"ec\" and \"ed25519\" are the only valid values.", + "enum": [ + "rsa", + "ec", + "ed25519" + ], + "default": "rsa", + "x-vault-displayAttrs": { + "value": "rsa" + } + }, + "locality": { + "type": "array", + "description": "If set, Locality will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Locality/City" + } + }, + "managed_key_id": { + "type": "string", + "description": "The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_name is required. Ignored for other types." + }, + "managed_key_name": { + "type": "string", + "description": "The name of the managed key to use when the exported type is kms. 
When kms type is the key type, this field or managed_key_id is required. Ignored for other types." + }, + "not_after": { + "type": "string", + "description": "Set the not after field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ" + }, + "not_before_duration": { + "type": "string", + "description": "The duration before now which the certificate needs to be backdated by.", + "format": "duration", + "default": 30, + "x-vault-displayAttrs": { + "value": 30 + } + }, + "organization": { + "type": "array", + "description": "If set, O (Organization) will be set to this value.", + "items": { + "type": "string" + } + }, + "other_sans": { + "type": "array", + "description": "Requested other SANs, in an array with the format ;UTF8: for each entry.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Other SANs" + } + }, + "ou": { + "type": "array", + "description": "If set, OU (OrganizationalUnit) will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "OU (Organizational Unit)" + } + }, + "postal_code": { + "type": "array", + "description": "If set, Postal Code will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Postal Code" + } + }, + "private_key_format": { + "type": "string", + "description": "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. 
Defaults to \"der\".", + "enum": [ + "", + "der", + "pem", + "pkcs8" + ], + "default": "der", + "x-vault-displayAttrs": { + "value": "der" + } + }, + "province": { + "type": "array", + "description": "If set, Province will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Province/State" + } + }, + "serial_number": { + "type": "string", + "description": "The Subject's requested serial number, if any. See RFC 4519 Section 2.31 'serialNumber' for a description of this field. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. This has no impact on the final certificate's Serial Number field." + }, + "signature_bits": { + "type": "integer", + "description": "The number of bits to use in the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for SHA-2-512. Defaults to 0 to automatically detect based on key length (SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).", + "default": 0, + "x-vault-displayAttrs": { + "value": 0 + } + }, + "street_address": { + "type": "array", + "description": "If set, Street Address will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Street Address" + } + }, + "ttl": { + "type": "string", + "description": "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. 
Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "TTL" + } + }, + "uri_sans": { + "type": "array", + "description": "The requested URI SANs, if any, in a comma-delimited list.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "URI Subject Alternative Names (SANs)" + } + } + } + }, + "PkiCrossSignIntermediateResponse": { + "type": "object", + "properties": { + "csr": { + "type": "string", + "description": "Certificate signing request." + }, + "key_id": { + "type": "string", + "description": "Id of the key." + }, + "private_key": { + "type": "string", + "description": "Generated private key." + }, + "private_key_type": { + "type": "string", + "description": "Specifies the format used for marshaling the private key." + } + } + }, + "PkiGenerateEabKeyForIssuerAndRoleResponse": { + "type": "object", + "properties": { + "acme_directory": { + "type": "string", + "description": "The ACME directory to which the key belongs" + }, + "created_on": { + "type": "string", + "description": "An RFC3339 formatted date time when the EAB token was created", + "format": "date-time" + }, + "id": { + "type": "string", + "description": "The EAB key identifier" + }, + "key": { + "type": "string", + "description": "The EAB hmac key" + }, + "key_type": { + "type": "string", + "description": "The EAB key type" + } + } + }, + "PkiGenerateEabKeyForIssuerResponse": { + "type": "object", + "properties": { + "acme_directory": { + "type": "string", + "description": "The ACME directory to which the key belongs" + }, + "created_on": { + "type": "string", + "description": "An RFC3339 formatted date time when the EAB token was created", + "format": "date-time" + }, + "id": { + "type": "string", + "description": "The EAB key identifier" + }, + "key": { + "type": "string", + "description": "The EAB hmac key" + }, + "key_type": { + 
"type": "string", + "description": "The EAB key type" + } + } + }, + "PkiGenerateEabKeyForRoleResponse": { + "type": "object", + "properties": { + "acme_directory": { + "type": "string", + "description": "The ACME directory to which the key belongs" + }, + "created_on": { + "type": "string", + "description": "An RFC3339 formatted date time when the EAB token was created", + "format": "date-time" + }, + "id": { + "type": "string", + "description": "The EAB key identifier" + }, + "key": { + "type": "string", + "description": "The EAB hmac key" + }, + "key_type": { + "type": "string", + "description": "The EAB key type" + } + } + }, + "PkiGenerateEabKeyResponse": { + "type": "object", + "properties": { + "acme_directory": { + "type": "string", + "description": "The ACME directory to which the key belongs" + }, + "created_on": { + "type": "string", + "description": "An RFC3339 formatted date time when the EAB token was created", + "format": "date-time" + }, + "id": { + "type": "string", + "description": "The EAB key identifier" + }, + "key": { + "type": "string", + "description": "The EAB hmac key" + }, + "key_type": { + "type": "string", + "description": "The EAB key type" + } + } + }, + "PkiGenerateExportedKeyRequest": { + "type": "object", + "properties": { + "key_bits": { + "type": "integer", + "description": "The number of bits to use. Allowed values are 0 (universal default); with rsa key_type: 2048 (default), 3072, or 4096; with ec key_type: 224, 256 (default), 384, or 521; ignored with ed25519.", + "default": 0 + }, + "key_name": { + "type": "string", + "description": "Optional name to be used for this key" + }, + "key_type": { + "type": "string", + "description": "The type of key to use; defaults to RSA. 
\"rsa\" \"ec\" and \"ed25519\" are the only valid values.", + "enum": [ + "rsa", + "ec", + "ed25519" + ], + "default": "rsa", + "x-vault-displayAttrs": { + "value": "rsa" + } + }, + "managed_key_id": { + "type": "string", + "description": "The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_name is required. Ignored for other types." + }, + "managed_key_name": { + "type": "string", + "description": "The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_id is required. Ignored for other types." + } + } + }, + "PkiGenerateExportedKeyResponse": { + "type": "object", + "properties": { + "key_id": { + "type": "string", + "description": "ID assigned to this key." + }, + "key_name": { + "type": "string", + "description": "Name assigned to this key." + }, + "key_type": { + "type": "string", + "description": "The type of key to use; defaults to RSA. \"rsa\" \"ec\" and \"ed25519\" are the only valid values." + }, + "private_key": { + "type": "string", + "description": "The private key string" + } + } + }, + "PkiGenerateIntermediateRequest": { + "type": "object", + "properties": { + "add_basic_constraints": { + "type": "boolean", + "description": "Whether to add a Basic Constraints extension with CA: true. Only needed as a workaround in some compatibility scenarios with Active Directory Certificate Services." + }, + "alt_names": { + "type": "string", + "description": "The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses.", + "x-vault-displayAttrs": { + "name": "DNS/Email Subject Alternative Names (SANs)" + } + }, + "common_name": { + "type": "string", + "description": "The requested common name; if you want more than one, specify the alternative names in the alt_names map. 
If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans." + }, + "country": { + "type": "array", + "description": "If set, Country will be set to this value.", + "items": { + "type": "string" + } + }, + "exclude_cn_from_sans": { + "type": "boolean", + "description": "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).", + "default": false, + "x-vault-displayAttrs": { + "name": "Exclude Common Name from Subject Alternative Names (SANs)" + } + }, + "format": { + "type": "string", + "description": "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\", any private key and issuing cert will be appended to the certificate pem. If \"der\", the value will be base64 encoded. Defaults to \"pem\".", + "enum": [ + "pem", + "der", + "pem_bundle" + ], + "default": "pem", + "x-vault-displayAttrs": { + "value": "pem" + } + }, + "ip_sans": { + "type": "array", + "description": "The requested IP SANs, if any, in a comma-delimited list", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "IP Subject Alternative Names (SANs)" + } + }, + "key_bits": { + "type": "integer", + "description": "The number of bits to use. 
Allowed values are 0 (universal default); with rsa key_type: 2048 (default), 3072, or 4096; with ec key_type: 224, 256 (default), 384, or 521; ignored with ed25519.", + "default": 0, + "x-vault-displayAttrs": { + "value": 0 + } + }, + "key_name": { + "type": "string", + "description": "Provide a name to the generated or existing key, the name must be unique across all keys and not be the reserved value 'default'" + }, + "key_ref": { + "type": "string", + "description": "Reference to a existing key; either \"default\" for the configured default key, an identifier or the name assigned to the key.", + "default": "default" + }, + "key_type": { + "type": "string", + "description": "The type of key to use; defaults to RSA. \"rsa\" \"ec\" and \"ed25519\" are the only valid values.", + "enum": [ + "rsa", + "ec", + "ed25519" + ], + "default": "rsa", + "x-vault-displayAttrs": { + "value": "rsa" + } + }, + "locality": { + "type": "array", + "description": "If set, Locality will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Locality/City" + } + }, + "managed_key_id": { + "type": "string", + "description": "The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_name is required. Ignored for other types." + }, + "managed_key_name": { + "type": "string", + "description": "The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_id is required. Ignored for other types." + }, + "not_after": { + "type": "string", + "description": "Set the not after field of the certificate with specified date value. 
The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ" + }, + "not_before_duration": { + "type": "string", + "description": "The duration before now which the certificate needs to be backdated by.", + "format": "duration", + "default": 30, + "x-vault-displayAttrs": { + "value": 30 + } + }, + "organization": { + "type": "array", + "description": "If set, O (Organization) will be set to this value.", + "items": { + "type": "string" + } + }, + "other_sans": { + "type": "array", + "description": "Requested other SANs, in an array with the format ;UTF8: for each entry.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Other SANs" + } + }, + "ou": { + "type": "array", + "description": "If set, OU (OrganizationalUnit) will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "OU (Organizational Unit)" + } + }, + "postal_code": { + "type": "array", + "description": "If set, Postal Code will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Postal Code" + } + }, + "private_key_format": { + "type": "string", + "description": "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".", + "enum": [ + "", + "der", + "pem", + "pkcs8" + ], + "default": "der", + "x-vault-displayAttrs": { + "value": "der" + } + }, + "province": { + "type": "array", + "description": "If set, Province will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Province/State" + } + }, + "serial_number": { + "type": "string", + "description": "The Subject's requested serial number, if any. See RFC 4519 Section 2.31 'serialNumber' for a description of this field. 
If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. This has no impact on the final certificate's Serial Number field." + }, + "signature_bits": { + "type": "integer", + "description": "The number of bits to use in the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for SHA-2-512. Defaults to 0 to automatically detect based on key length (SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).", + "default": 0, + "x-vault-displayAttrs": { + "value": 0 + } + }, + "street_address": { + "type": "array", + "description": "If set, Street Address will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Street Address" + } + }, + "ttl": { + "type": "string", + "description": "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "TTL" + } + }, + "uri_sans": { + "type": "array", + "description": "The requested URI SANs, if any, in a comma-delimited list.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "URI Subject Alternative Names (SANs)" + } + } + } + }, + "PkiGenerateIntermediateResponse": { + "type": "object", + "properties": { + "csr": { + "type": "string", + "description": "Certificate signing request." + }, + "key_id": { + "type": "string", + "description": "Id of the key." + }, + "private_key": { + "type": "string", + "description": "Generated private key." + }, + "private_key_type": { + "type": "string", + "description": "Specifies the format used for marshaling the private key." 
+ } + } + }, + "PkiGenerateInternalKeyRequest": { + "type": "object", + "properties": { + "key_bits": { + "type": "integer", + "description": "The number of bits to use. Allowed values are 0 (universal default); with rsa key_type: 2048 (default), 3072, or 4096; with ec key_type: 224, 256 (default), 384, or 521; ignored with ed25519.", + "default": 0 + }, + "key_name": { + "type": "string", + "description": "Optional name to be used for this key" + }, + "key_type": { + "type": "string", + "description": "The type of key to use; defaults to RSA. \"rsa\" \"ec\" and \"ed25519\" are the only valid values.", + "enum": [ + "rsa", + "ec", + "ed25519" + ], + "default": "rsa", + "x-vault-displayAttrs": { + "value": "rsa" + } + }, + "managed_key_id": { + "type": "string", + "description": "The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_name is required. Ignored for other types." + }, + "managed_key_name": { + "type": "string", + "description": "The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_id is required. Ignored for other types." + } + } + }, + "PkiGenerateInternalKeyResponse": { + "type": "object", + "properties": { + "key_id": { + "type": "string", + "description": "ID assigned to this key." + }, + "key_name": { + "type": "string", + "description": "Name assigned to this key." + }, + "key_type": { + "type": "string", + "description": "The type of key to use; defaults to RSA. \"rsa\" \"ec\" and \"ed25519\" are the only valid values." + }, + "private_key": { + "type": "string", + "description": "The private key string" + } + } + }, + "PkiGenerateKmsKeyRequest": { + "type": "object", + "properties": { + "key_bits": { + "type": "integer", + "description": "The number of bits to use. 
Allowed values are 0 (universal default); with rsa key_type: 2048 (default), 3072, or 4096; with ec key_type: 224, 256 (default), 384, or 521; ignored with ed25519.", + "default": 0 + }, + "key_name": { + "type": "string", + "description": "Optional name to be used for this key" + }, + "key_type": { + "type": "string", + "description": "The type of key to use; defaults to RSA. \"rsa\" \"ec\" and \"ed25519\" are the only valid values.", + "enum": [ + "rsa", + "ec", + "ed25519" + ], + "default": "rsa", + "x-vault-displayAttrs": { + "value": "rsa" + } + }, + "managed_key_id": { + "type": "string", + "description": "The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_name is required. Ignored for other types." + }, + "managed_key_name": { + "type": "string", + "description": "The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_id is required. Ignored for other types." + } + } + }, + "PkiGenerateKmsKeyResponse": { + "type": "object", + "properties": { + "key_id": { + "type": "string", + "description": "ID assigned to this key." + }, + "key_name": { + "type": "string", + "description": "Name assigned to this key." + }, + "key_type": { + "type": "string", + "description": "The type of key to use; defaults to RSA. \"rsa\" \"ec\" and \"ed25519\" are the only valid values." + }, + "private_key": { + "type": "string", + "description": "The private key string" + } + } + }, + "PkiGenerateRootRequest": { + "type": "object", + "properties": { + "alt_names": { + "type": "string", + "description": "The requested Subject Alternative Names, if any, in a comma-delimited list. 
May contain both DNS names and email addresses.", + "x-vault-displayAttrs": { + "name": "DNS/Email Subject Alternative Names (SANs)" + } + }, + "common_name": { + "type": "string", + "description": "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans." + }, + "country": { + "type": "array", + "description": "If set, Country will be set to this value.", + "items": { + "type": "string" + } + }, + "exclude_cn_from_sans": { + "type": "boolean", + "description": "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).", + "default": false, + "x-vault-displayAttrs": { + "name": "Exclude Common Name from Subject Alternative Names (SANs)" + } + }, + "format": { + "type": "string", + "description": "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\", any private key and issuing cert will be appended to the certificate pem. If \"der\", the value will be base64 encoded. Defaults to \"pem\".", + "enum": [ + "pem", + "der", + "pem_bundle" + ], + "default": "pem", + "x-vault-displayAttrs": { + "value": "pem" + } + }, + "ip_sans": { + "type": "array", + "description": "The requested IP SANs, if any, in a comma-delimited list", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "IP Subject Alternative Names (SANs)" + } + }, + "issuer_name": { + "type": "string", + "description": "Provide a name to the generated or existing issuer, the name must be unique across all issuers and not be the reserved value 'default'" + }, + "key_bits": { + "type": "integer", + "description": "The number of bits to use. 
Allowed values are 0 (universal default); with rsa key_type: 2048 (default), 3072, or 4096; with ec key_type: 224, 256 (default), 384, or 521; ignored with ed25519.", + "default": 0, + "x-vault-displayAttrs": { + "value": 0 + } + }, + "key_name": { + "type": "string", + "description": "Provide a name to the generated or existing key, the name must be unique across all keys and not be the reserved value 'default'" + }, + "key_ref": { + "type": "string", + "description": "Reference to a existing key; either \"default\" for the configured default key, an identifier or the name assigned to the key.", + "default": "default" + }, + "key_type": { + "type": "string", + "description": "The type of key to use; defaults to RSA. \"rsa\" \"ec\" and \"ed25519\" are the only valid values.", + "enum": [ + "rsa", + "ec", + "ed25519" + ], + "default": "rsa", + "x-vault-displayAttrs": { + "value": "rsa" + } + }, + "locality": { + "type": "array", + "description": "If set, Locality will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Locality/City" + } + }, + "managed_key_id": { + "type": "string", + "description": "The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_name is required. Ignored for other types." + }, + "managed_key_name": { + "type": "string", + "description": "The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_id is required. Ignored for other types." + }, + "max_path_length": { + "type": "integer", + "description": "The maximum allowable path length", + "default": -1 + }, + "not_after": { + "type": "string", + "description": "Set the not after field of the certificate with specified date value. 
The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ" + }, + "not_before_duration": { + "type": "string", + "description": "The duration before now which the certificate needs to be backdated by.", + "format": "duration", + "default": 30, + "x-vault-displayAttrs": { + "value": 30 + } + }, + "organization": { + "type": "array", + "description": "If set, O (Organization) will be set to this value.", + "items": { + "type": "string" + } + }, + "other_sans": { + "type": "array", + "description": "Requested other SANs, in an array with the format ;UTF8: for each entry.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Other SANs" + } + }, + "ou": { + "type": "array", + "description": "If set, OU (OrganizationalUnit) will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "OU (Organizational Unit)" + } + }, + "permitted_dns_domains": { + "type": "array", + "description": "Domains for which this certificate is allowed to sign or issue child certificates. If set, all DNS names (subject and alt) on child certs must be exact matches or subsets of the given domains (see https://tools.ietf.org/html/rfc5280#section-4.2.1.10).", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Permitted DNS Domains" + } + }, + "postal_code": { + "type": "array", + "description": "If set, Postal Code will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Postal Code" + } + }, + "private_key_format": { + "type": "string", + "description": "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. 
Defaults to \"der\".", + "enum": [ + "", + "der", + "pem", + "pkcs8" + ], + "default": "der", + "x-vault-displayAttrs": { + "value": "der" + } + }, + "province": { + "type": "array", + "description": "If set, Province will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Province/State" + } + }, + "serial_number": { + "type": "string", + "description": "The Subject's requested serial number, if any. See RFC 4519 Section 2.31 'serialNumber' for a description of this field. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. This has no impact on the final certificate's Serial Number field." + }, + "signature_bits": { + "type": "integer", + "description": "The number of bits to use in the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for SHA-2-512. Defaults to 0 to automatically detect based on key length (SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).", + "default": 0, + "x-vault-displayAttrs": { + "value": 0 + } + }, + "street_address": { + "type": "array", + "description": "If set, Street Address will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Street Address" + } + }, + "ttl": { + "type": "string", + "description": "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. 
Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "TTL" + } + }, + "uri_sans": { + "type": "array", + "description": "The requested URI SANs, if any, in a comma-delimited list.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "URI Subject Alternative Names (SANs)" + } + }, + "use_pss": { + "type": "boolean", + "description": "Whether or not to use PSS signatures when using a RSA key-type issuer. Defaults to false.", + "default": false + } + } + }, + "PkiGenerateRootResponse": { + "type": "object", + "properties": { + "certificate": { + "type": "string", + "description": "The generated self-signed CA certificate." + }, + "expiration": { + "type": "integer", + "description": "The expiration of the given issuer.", + "format": "int64" + }, + "issuer_id": { + "type": "string", + "description": "The ID of the issuer" + }, + "issuer_name": { + "type": "string", + "description": "The name of the issuer." + }, + "issuing_ca": { + "type": "string", + "description": "The issuing certificate authority." + }, + "key_id": { + "type": "string", + "description": "The ID of the key." + }, + "key_name": { + "type": "string", + "description": "The key name if given." + }, + "private_key": { + "type": "string", + "description": "The private key if exported was specified." + }, + "serial_number": { + "type": "string", + "description": "The requested Subject's named serial number." + } + } + }, + "PkiImportKeyRequest": { + "type": "object", + "properties": { + "key_name": { + "type": "string", + "description": "Optional name to be used for this key" + }, + "pem_bundle": { + "type": "string", + "description": "PEM-format, unencrypted secret key" + } + } + }, + "PkiImportKeyResponse": { + "type": "object", + "properties": { + "key_id": { + "type": "string", + "description": "ID assigned to this key." 
+ }, + "key_name": { + "type": "string", + "description": "Name assigned to this key." + }, + "key_type": { + "type": "string", + "description": "The type of key to use; defaults to RSA. \"rsa\" \"ec\" and \"ed25519\" are the only valid values." + } + } + }, + "PkiIssueWithRoleRequest": { + "type": "object", + "properties": { + "alt_names": { + "type": "string", + "description": "The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.", + "x-vault-displayAttrs": { + "name": "DNS/Email Subject Alternative Names (SANs)" + } + }, + "common_name": { + "type": "string", + "description": "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address." + }, + "exclude_cn_from_sans": { + "type": "boolean", + "description": "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).", + "default": false, + "x-vault-displayAttrs": { + "name": "Exclude Common Name from Subject Alternative Names (SANs)" + } + }, + "format": { + "type": "string", + "description": "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\", any private key and issuing cert will be appended to the certificate pem. If \"der\", the value will be base64 encoded. 
Defaults to \"pem\".", + "enum": [ + "pem", + "der", + "pem_bundle" + ], + "default": "pem", + "x-vault-displayAttrs": { + "value": "pem" + } + }, + "ip_sans": { + "type": "array", + "description": "The requested IP SANs, if any, in a comma-delimited list", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "IP Subject Alternative Names (SANs)" + } + }, + "issuer_ref": { + "type": "string", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "default": "default" + }, + "not_after": { + "type": "string", + "description": "Set the not after field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ" + }, + "other_sans": { + "type": "array", + "description": "Requested other SANs, in an array with the format ;UTF8: for each entry.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Other SANs" + } + }, + "private_key_format": { + "type": "string", + "description": "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".", + "enum": [ + "", + "der", + "pem", + "pkcs8" + ], + "default": "der", + "x-vault-displayAttrs": { + "value": "der" + } + }, + "remove_roots_from_chain": { + "type": "boolean", + "description": "Whether or not to remove self-signed CA certificates in the output of the ca_chain field.", + "default": false + }, + "serial_number": { + "type": "string", + "description": "The Subject's requested serial number, if any. See RFC 4519 Section 2.31 'serialNumber' for a description of this field. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. 
This has no impact on the final certificate's Serial Number field." + }, + "ttl": { + "type": "string", + "description": "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "TTL" + } + }, + "uri_sans": { + "type": "array", + "description": "The requested URI SANs, if any, in a comma-delimited list.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "URI Subject Alternative Names (SANs)" + } + }, + "user_ids": { + "type": "array", + "description": "The requested user_ids value to place in the subject, if any, in a comma-delimited list. Restricted by allowed_user_ids. Any values are added with OID 0.9.2342.19200300.100.1.1.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "User ID(s)" + } + } + } + }, + "PkiIssueWithRoleResponse": { + "type": "object", + "properties": { + "ca_chain": { + "type": "array", + "description": "Certificate Chain", + "items": { + "type": "string" + } + }, + "certificate": { + "type": "string", + "description": "Certificate" + }, + "expiration": { + "type": "integer", + "description": "Time of expiration", + "format": "int64" + }, + "issuing_ca": { + "type": "string", + "description": "Issuing Certificate Authority" + }, + "private_key": { + "type": "string", + "description": "Private key" + }, + "private_key_type": { + "type": "string", + "description": "Private key type" + }, + "serial_number": { + "type": "string", + "description": "Serial Number" + } + } + }, + "PkiIssuerIssueWithRoleRequest": { + "type": "object", + "properties": { + "alt_names": { + "type": "string", + "description": "The requested Subject Alternative Names, if any, in a comma-delimited list. 
If email protection is enabled for the role, this may contain email addresses.", + "x-vault-displayAttrs": { + "name": "DNS/Email Subject Alternative Names (SANs)" + } + }, + "common_name": { + "type": "string", + "description": "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address." + }, + "exclude_cn_from_sans": { + "type": "boolean", + "description": "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).", + "default": false, + "x-vault-displayAttrs": { + "name": "Exclude Common Name from Subject Alternative Names (SANs)" + } + }, + "format": { + "type": "string", + "description": "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\", any private key and issuing cert will be appended to the certificate pem. If \"der\", the value will be base64 encoded. Defaults to \"pem\".", + "enum": [ + "pem", + "der", + "pem_bundle" + ], + "default": "pem", + "x-vault-displayAttrs": { + "value": "pem" + } + }, + "ip_sans": { + "type": "array", + "description": "The requested IP SANs, if any, in a comma-delimited list", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "IP Subject Alternative Names (SANs)" + } + }, + "not_after": { + "type": "string", + "description": "Set the not after field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ" + }, + "other_sans": { + "type": "array", + "description": "Requested other SANs, in an array with the format ;UTF8: for each entry.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Other SANs" + } + }, + "private_key_format": { + "type": "string", + "description": "Format for the returned private key. 
Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".", + "enum": [ + "", + "der", + "pem", + "pkcs8" + ], + "default": "der", + "x-vault-displayAttrs": { + "value": "der" + } + }, + "remove_roots_from_chain": { + "type": "boolean", + "description": "Whether or not to remove self-signed CA certificates in the output of the ca_chain field.", + "default": false + }, + "serial_number": { + "type": "string", + "description": "The Subject's requested serial number, if any. See RFC 4519 Section 2.31 'serialNumber' for a description of this field. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. This has no impact on the final certificate's Serial Number field." + }, + "ttl": { + "type": "string", + "description": "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "TTL" + } + }, + "uri_sans": { + "type": "array", + "description": "The requested URI SANs, if any, in a comma-delimited list.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "URI Subject Alternative Names (SANs)" + } + }, + "user_ids": { + "type": "array", + "description": "The requested user_ids value to place in the subject, if any, in a comma-delimited list. Restricted by allowed_user_ids. 
Any values are added with OID 0.9.2342.19200300.100.1.1.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "User ID(s)" + } + } + } + }, + "PkiIssuerIssueWithRoleResponse": { + "type": "object", + "properties": { + "ca_chain": { + "type": "array", + "description": "Certificate Chain", + "items": { + "type": "string" + } + }, + "certificate": { + "type": "string", + "description": "Certificate" + }, + "expiration": { + "type": "integer", + "description": "Time of expiration", + "format": "int64" + }, + "issuing_ca": { + "type": "string", + "description": "Issuing Certificate Authority" + }, + "private_key": { + "type": "string", + "description": "Private key" + }, + "private_key_type": { + "type": "string", + "description": "Private key type" + }, + "serial_number": { + "type": "string", + "description": "Serial Number" + } + } + }, + "PkiIssuerReadCrlDeltaDerResponse": { + "type": "object", + "properties": { + "crl": { + "type": "string" + } + } + }, + "PkiIssuerReadCrlDeltaPemResponse": { + "type": "object", + "properties": { + "crl": { + "type": "string" + } + } + }, + "PkiIssuerReadCrlDeltaResponse": { + "type": "object", + "properties": { + "crl": { + "type": "string" + } + } + }, + "PkiIssuerReadCrlDerResponse": { + "type": "object", + "properties": { + "crl": { + "type": "string" + } + } + }, + "PkiIssuerReadCrlPemResponse": { + "type": "object", + "properties": { + "crl": { + "type": "string" + } + } + }, + "PkiIssuerReadCrlResponse": { + "type": "object", + "properties": { + "crl": { + "type": "string" + } + } + }, + "PkiIssuerResignCrlsRequest": { + "type": "object", + "properties": { + "crl_number": { + "type": "integer", + "description": "The sequence number to be written within the CRL Number extension." 
+ }, + "crls": { + "type": "array", + "description": "A list of PEM encoded CRLs to combine, originally signed by the requested issuer.", + "items": { + "type": "string" + } + }, + "delta_crl_base_number": { + "type": "integer", + "description": "Using a zero or greater value specifies the base CRL revision number to encode within a Delta CRL indicator extension, otherwise the extension will not be added.", + "default": -1 + }, + "format": { + "type": "string", + "description": "The format of the combined CRL, can be \"pem\" or \"der\". If \"der\", the value will be base64 encoded. Defaults to \"pem\".", + "default": "pem" + }, + "next_update": { + "type": "string", + "description": "The amount of time the generated CRL should be valid; defaults to 72 hours.", + "default": "72h" + } + } + }, + "PkiIssuerResignCrlsResponse": { + "type": "object", + "properties": { + "crl": { + "type": "string", + "description": "CRL" + } + } + }, + "PkiIssuerSignIntermediateRequest": { + "type": "object", + "properties": { + "alt_names": { + "type": "string", + "description": "The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses.", + "x-vault-displayAttrs": { + "name": "DNS/Email Subject Alternative Names (SANs)" + } + }, + "common_name": { + "type": "string", + "description": "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans." + }, + "country": { + "type": "array", + "description": "If set, Country will be set to this value.", + "items": { + "type": "string" + } + }, + "csr": { + "type": "string", + "description": "PEM-format CSR to be signed.", + "default": "" + }, + "exclude_cn_from_sans": { + "type": "boolean", + "description": "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. 
Defaults to false (CN is included).", + "default": false, + "x-vault-displayAttrs": { + "name": "Exclude Common Name from Subject Alternative Names (SANs)" + } + }, + "format": { + "type": "string", + "description": "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\", any private key and issuing cert will be appended to the certificate pem. If \"der\", the value will be base64 encoded. Defaults to \"pem\".", + "enum": [ + "pem", + "der", + "pem_bundle" + ], + "default": "pem", + "x-vault-displayAttrs": { + "value": "pem" + } + }, + "ip_sans": { + "type": "array", + "description": "The requested IP SANs, if any, in a comma-delimited list", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "IP Subject Alternative Names (SANs)" + } + }, + "issuer_name": { + "type": "string", + "description": "Provide a name to the generated or existing issuer, the name must be unique across all issuers and not be the reserved value 'default'" + }, + "locality": { + "type": "array", + "description": "If set, Locality will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Locality/City" + } + }, + "max_path_length": { + "type": "integer", + "description": "The maximum allowable path length", + "default": -1 + }, + "not_after": { + "type": "string", + "description": "Set the not after field of the certificate with specified date value. 
The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ" + }, + "not_before_duration": { + "type": "string", + "description": "The duration before now which the certificate needs to be backdated by.", + "format": "duration", + "default": 30, + "x-vault-displayAttrs": { + "value": 30 + } + }, + "organization": { + "type": "array", + "description": "If set, O (Organization) will be set to this value.", + "items": { + "type": "string" + } + }, + "other_sans": { + "type": "array", + "description": "Requested other SANs, in an array with the format ;UTF8: for each entry.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Other SANs" + } + }, + "ou": { + "type": "array", + "description": "If set, OU (OrganizationalUnit) will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "OU (Organizational Unit)" + } + }, + "permitted_dns_domains": { + "type": "array", + "description": "Domains for which this certificate is allowed to sign or issue child certificates. If set, all DNS names (subject and alt) on child certs must be exact matches or subsets of the given domains (see https://tools.ietf.org/html/rfc5280#section-4.2.1.10).", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Permitted DNS Domains" + } + }, + "postal_code": { + "type": "array", + "description": "If set, Postal Code will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Postal Code" + } + }, + "private_key_format": { + "type": "string", + "description": "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. 
Defaults to \"der\".", + "enum": [ + "", + "der", + "pem", + "pkcs8" + ], + "default": "der", + "x-vault-displayAttrs": { + "value": "der" + } + }, + "province": { + "type": "array", + "description": "If set, Province will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Province/State" + } + }, + "serial_number": { + "type": "string", + "description": "The Subject's requested serial number, if any. See RFC 4519 Section 2.31 'serialNumber' for a description of this field. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. This has no impact on the final certificate's Serial Number field." + }, + "signature_bits": { + "type": "integer", + "description": "The number of bits to use in the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for SHA-2-512. Defaults to 0 to automatically detect based on key length (SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).", + "default": 0, + "x-vault-displayAttrs": { + "value": 0 + } + }, + "skid": { + "type": "string", + "description": "Value for the Subject Key Identifier field (RFC 5280 Section 4.2.1.2). This value should ONLY be used when cross-signing to mimic the existing certificate's SKID value; this is necessary to allow certain TLS implementations (such as OpenSSL) which use SKID/AKID matches in chain building to restrict possible valid chains. Specified as a string in hex format. 
Default is empty, allowing Vault to automatically calculate the SKID according to method one in the above RFC section.", + "default": "", + "x-vault-displayAttrs": { + "value": "" + } + }, + "street_address": { + "type": "array", + "description": "If set, Street Address will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Street Address" + } + }, + "ttl": { + "type": "string", + "description": "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "TTL" + } + }, + "uri_sans": { + "type": "array", + "description": "The requested URI SANs, if any, in a comma-delimited list.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "URI Subject Alternative Names (SANs)" + } + }, + "use_csr_values": { + "type": "boolean", + "description": "If true, then: 1) Subject information, including names and alternate names, will be preserved from the CSR rather than using values provided in the other parameters to this path; 2) Any key usages requested in the CSR will be added to the basic set of key usages used for CA certs signed by this path; for instance, the non-repudiation flag; 3) Extensions requested in the CSR will be copied into the issued certificate.", + "default": false + }, + "use_pss": { + "type": "boolean", + "description": "Whether or not to use PSS signatures when using a RSA key-type issuer. 
Defaults to false.", + "default": false + } + } + }, + "PkiIssuerSignIntermediateResponse": { + "type": "object", + "properties": { + "ca_chain": { + "type": "array", + "description": "CA Chain", + "items": { + "type": "string" + } + }, + "certificate": { + "type": "string", + "description": "Certificate" + }, + "expiration": { + "type": "integer", + "description": "Expiration Time", + "format": "int64" + }, + "issuing_ca": { + "type": "string", + "description": "Issuing CA" + }, + "serial_number": { + "type": "string", + "description": "Serial Number" + } + } + }, + "PkiIssuerSignRevocationListRequest": { + "type": "object", + "properties": { + "crl_number": { + "type": "integer", + "description": "The sequence number to be written within the CRL Number extension." + }, + "delta_crl_base_number": { + "type": "integer", + "description": "Using a zero or greater value specifies the base CRL revision number to encode within a Delta CRL indicator extension, otherwise the extension will not be added.", + "default": -1 + }, + "extensions": { + "type": "array", + "description": "A list of maps containing extensions with keys id (string), critical (bool), value (string)", + "items": { + "type": "object" + } + }, + "format": { + "type": "string", + "description": "The format of the combined CRL, can be \"pem\" or \"der\". If \"der\", the value will be base64 encoded. 
Defaults to \"pem\".", + "default": "pem" + }, + "next_update": { + "type": "string", + "description": "The amount of time the generated CRL should be valid; defaults to 72 hours.", + "default": "72h" + }, + "revoked_certs": { + "type": "array", + "description": "A list of maps containing the keys serial_number (string), revocation_time (string), and extensions (map with keys id (string), critical (bool), value (string))", + "items": { + "type": "object" + } + } + } + }, + "PkiIssuerSignRevocationListResponse": { + "type": "object", + "properties": { + "crl": { + "type": "string", + "description": "CRL" + } + } + }, + "PkiIssuerSignSelfIssuedRequest": { + "type": "object", + "properties": { + "certificate": { + "type": "string", + "description": "PEM-format self-issued certificate to be signed." + }, + "require_matching_certificate_algorithms": { + "type": "boolean", + "description": "If true, require the public key algorithm of the signer to match that of the self issued certificate.", + "default": false + } + } + }, + "PkiIssuerSignSelfIssuedResponse": { + "type": "object", + "properties": { + "certificate": { + "type": "string", + "description": "Certificate" + }, + "issuing_ca": { + "type": "string", + "description": "Issuing CA" + } + } + }, + "PkiIssuerSignVerbatimRequest": { + "type": "object", + "properties": { + "alt_names": { + "type": "string", + "description": "The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.", + "x-vault-displayAttrs": { + "name": "DNS/Email Subject Alternative Names (SANs)" + } + }, + "common_name": { + "type": "string", + "description": "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address." + }, + "csr": { + "type": "string", + "description": "PEM-format CSR to be signed. 
Values will be taken verbatim from the CSR, except for basic constraints.", + "default": "" + }, + "exclude_cn_from_sans": { + "type": "boolean", + "description": "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).", + "default": false, + "x-vault-displayAttrs": { + "name": "Exclude Common Name from Subject Alternative Names (SANs)" + } + }, + "ext_key_usage": { + "type": "array", + "description": "A comma-separated string or list of extended key usages. Valid values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage -- simply drop the \"ExtKeyUsage\" part of the name. To remove all key usages from being set, set this value to an empty list.", + "items": { + "type": "string" + }, + "default": [] + }, + "ext_key_usage_oids": { + "type": "array", + "description": "A comma-separated string or list of extended key usage oids.", + "items": { + "type": "string" + } + }, + "format": { + "type": "string", + "description": "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\", any private key and issuing cert will be appended to the certificate pem. If \"der\", the value will be base64 encoded. Defaults to \"pem\".", + "enum": [ + "pem", + "der", + "pem_bundle" + ], + "default": "pem", + "x-vault-displayAttrs": { + "value": "pem" + } + }, + "ip_sans": { + "type": "array", + "description": "The requested IP SANs, if any, in a comma-delimited list", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "IP Subject Alternative Names (SANs)" + } + }, + "key_usage": { + "type": "array", + "description": "A comma-separated string or list of key usages (not extended key usages). Valid values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage -- simply drop the \"KeyUsage\" part of the name. 
To remove all key usages from being set, set this value to an empty list.", + "items": { + "type": "string" + }, + "default": [ + "DigitalSignature", + "KeyAgreement", + "KeyEncipherment" + ] + }, + "not_after": { + "type": "string", + "description": "Set the not after field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ" + }, + "other_sans": { + "type": "array", + "description": "Requested other SANs, in an array with the format ;UTF8: for each entry.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Other SANs" + } + }, + "private_key_format": { + "type": "string", + "description": "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".", + "enum": [ + "", + "der", + "pem", + "pkcs8" + ], + "default": "der", + "x-vault-displayAttrs": { + "value": "der" + } + }, + "remove_roots_from_chain": { + "type": "boolean", + "description": "Whether or not to remove self-signed CA certificates in the output of the ca_chain field.", + "default": false + }, + "serial_number": { + "type": "string", + "description": "The Subject's requested serial number, if any. See RFC 4519 Section 2.31 'serialNumber' for a description of this field. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. This has no impact on the final certificate's Serial Number field." + }, + "signature_bits": { + "type": "integer", + "description": "The number of bits to use in the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for SHA-2-512. 
Defaults to 0 to automatically detect based on key length (SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).", + "default": 0, + "x-vault-displayAttrs": { + "value": 0 + } + }, + "ttl": { + "type": "string", + "description": "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "TTL" + } + }, + "uri_sans": { + "type": "array", + "description": "The requested URI SANs, if any, in a comma-delimited list.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "URI Subject Alternative Names (SANs)" + } + }, + "use_pss": { + "type": "boolean", + "description": "Whether or not to use PSS signatures when using a RSA key-type issuer. Defaults to false.", + "default": false + }, + "user_ids": { + "type": "array", + "description": "The requested user_ids value to place in the subject, if any, in a comma-delimited list. Restricted by allowed_user_ids. 
Any values are added with OID 0.9.2342.19200300.100.1.1.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "User ID(s)" + } + } + } + }, + "PkiIssuerSignVerbatimResponse": { + "type": "object", + "properties": { + "ca_chain": { + "type": "array", + "description": "Certificate Chain", + "items": { + "type": "string" + } + }, + "certificate": { + "type": "string", + "description": "Certificate" + }, + "expiration": { + "type": "integer", + "description": "Time of expiration", + "format": "int64" + }, + "issuing_ca": { + "type": "string", + "description": "Issuing Certificate Authority" + }, + "serial_number": { + "type": "string", + "description": "Serial Number" + } + } + }, + "PkiIssuerSignVerbatimWithRoleRequest": { + "type": "object", + "properties": { + "alt_names": { + "type": "string", + "description": "The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.", + "x-vault-displayAttrs": { + "name": "DNS/Email Subject Alternative Names (SANs)" + } + }, + "common_name": { + "type": "string", + "description": "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address." + }, + "csr": { + "type": "string", + "description": "PEM-format CSR to be signed. Values will be taken verbatim from the CSR, except for basic constraints.", + "default": "" + }, + "exclude_cn_from_sans": { + "type": "boolean", + "description": "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).", + "default": false, + "x-vault-displayAttrs": { + "name": "Exclude Common Name from Subject Alternative Names (SANs)" + } + }, + "ext_key_usage": { + "type": "array", + "description": "A comma-separated string or list of extended key usages. 
Valid values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage -- simply drop the \"ExtKeyUsage\" part of the name. To remove all key usages from being set, set this value to an empty list.", + "items": { + "type": "string" + }, + "default": [] + }, + "ext_key_usage_oids": { + "type": "array", + "description": "A comma-separated string or list of extended key usage oids.", + "items": { + "type": "string" + } + }, + "format": { + "type": "string", + "description": "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\", any private key and issuing cert will be appended to the certificate pem. If \"der\", the value will be base64 encoded. Defaults to \"pem\".", + "enum": [ + "pem", + "der", + "pem_bundle" + ], + "default": "pem", + "x-vault-displayAttrs": { + "value": "pem" + } + }, + "ip_sans": { + "type": "array", + "description": "The requested IP SANs, if any, in a comma-delimited list", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "IP Subject Alternative Names (SANs)" + } + }, + "key_usage": { + "type": "array", + "description": "A comma-separated string or list of key usages (not extended key usages). Valid values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage -- simply drop the \"KeyUsage\" part of the name. To remove all key usages from being set, set this value to an empty list.", + "items": { + "type": "string" + }, + "default": [ + "DigitalSignature", + "KeyAgreement", + "KeyEncipherment" + ] + }, + "not_after": { + "type": "string", + "description": "Set the not after field of the certificate with specified date value. 
The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ" + }, + "other_sans": { + "type": "array", + "description": "Requested other SANs, in an array with the format ;UTF8: for each entry.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Other SANs" + } + }, + "private_key_format": { + "type": "string", + "description": "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".", + "enum": [ + "", + "der", + "pem", + "pkcs8" + ], + "default": "der", + "x-vault-displayAttrs": { + "value": "der" + } + }, + "remove_roots_from_chain": { + "type": "boolean", + "description": "Whether or not to remove self-signed CA certificates in the output of the ca_chain field.", + "default": false + }, + "serial_number": { + "type": "string", + "description": "The Subject's requested serial number, if any. See RFC 4519 Section 2.31 'serialNumber' for a description of this field. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. This has no impact on the final certificate's Serial Number field." + }, + "signature_bits": { + "type": "integer", + "description": "The number of bits to use in the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for SHA-2-512. Defaults to 0 to automatically detect based on key length (SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).", + "default": 0, + "x-vault-displayAttrs": { + "value": 0 + } + }, + "ttl": { + "type": "string", + "description": "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. 
Cannot be larger than the role max TTL.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "TTL" + } + }, + "uri_sans": { + "type": "array", + "description": "The requested URI SANs, if any, in a comma-delimited list.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "URI Subject Alternative Names (SANs)" + } + }, + "use_pss": { + "type": "boolean", + "description": "Whether or not to use PSS signatures when using a RSA key-type issuer. Defaults to false.", + "default": false + }, + "user_ids": { + "type": "array", + "description": "The requested user_ids value to place in the subject, if any, in a comma-delimited list. Restricted by allowed_user_ids. Any values are added with OID 0.9.2342.19200300.100.1.1.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "User ID(s)" + } + } + } + }, + "PkiIssuerSignVerbatimWithRoleResponse": { + "type": "object", + "properties": { + "ca_chain": { + "type": "array", + "description": "Certificate Chain", + "items": { + "type": "string" + } + }, + "certificate": { + "type": "string", + "description": "Certificate" + }, + "expiration": { + "type": "integer", + "description": "Time of expiration", + "format": "int64" + }, + "issuing_ca": { + "type": "string", + "description": "Issuing Certificate Authority" + }, + "serial_number": { + "type": "string", + "description": "Serial Number" + } + } + }, + "PkiIssuerSignWithRoleRequest": { + "type": "object", + "properties": { + "alt_names": { + "type": "string", + "description": "The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.", + "x-vault-displayAttrs": { + "name": "DNS/Email Subject Alternative Names (SANs)" + } + }, + "common_name": { + "type": "string", + "description": "The requested common name; if you want more than one, specify the alternative names in the alt_names map. 
If email protection is enabled in the role, this may be an email address." + }, + "csr": { + "type": "string", + "description": "PEM-format CSR to be signed.", + "default": "" + }, + "exclude_cn_from_sans": { + "type": "boolean", + "description": "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).", + "default": false, + "x-vault-displayAttrs": { + "name": "Exclude Common Name from Subject Alternative Names (SANs)" + } + }, + "format": { + "type": "string", + "description": "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\", any private key and issuing cert will be appended to the certificate pem. If \"der\", the value will be base64 encoded. Defaults to \"pem\".", + "enum": [ + "pem", + "der", + "pem_bundle" + ], + "default": "pem", + "x-vault-displayAttrs": { + "value": "pem" + } + }, + "ip_sans": { + "type": "array", + "description": "The requested IP SANs, if any, in a comma-delimited list", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "IP Subject Alternative Names (SANs)" + } + }, + "not_after": { + "type": "string", + "description": "Set the not after field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ" + }, + "other_sans": { + "type": "array", + "description": "Requested other SANs, in an array with the format ;UTF8: for each entry.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Other SANs" + } + }, + "private_key_format": { + "type": "string", + "description": "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. 
Defaults to \"der\".", + "enum": [ + "", + "der", + "pem", + "pkcs8" + ], + "default": "der", + "x-vault-displayAttrs": { + "value": "der" + } + }, + "remove_roots_from_chain": { + "type": "boolean", + "description": "Whether or not to remove self-signed CA certificates in the output of the ca_chain field.", + "default": false + }, + "serial_number": { + "type": "string", + "description": "The Subject's requested serial number, if any. See RFC 4519 Section 2.31 'serialNumber' for a description of this field. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. This has no impact on the final certificate's Serial Number field." + }, + "ttl": { + "type": "string", + "description": "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "TTL" + } + }, + "uri_sans": { + "type": "array", + "description": "The requested URI SANs, if any, in a comma-delimited list.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "URI Subject Alternative Names (SANs)" + } + }, + "user_ids": { + "type": "array", + "description": "The requested user_ids value to place in the subject, if any, in a comma-delimited list. Restricted by allowed_user_ids. 
Any values are added with OID 0.9.2342.19200300.100.1.1.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "User ID(s)" + } + } + } + }, + "PkiIssuerSignWithRoleResponse": { + "type": "object", + "properties": { + "ca_chain": { + "type": "array", + "description": "Certificate Chain", + "items": { + "type": "string" + } + }, + "certificate": { + "type": "string", + "description": "Certificate" + }, + "expiration": { + "type": "integer", + "description": "Time of expiration", + "format": "int64" + }, + "issuing_ca": { + "type": "string", + "description": "Issuing Certificate Authority" + }, + "serial_number": { + "type": "string", + "description": "Serial Number" + } + } + }, + "PkiIssuersGenerateIntermediateRequest": { + "type": "object", + "properties": { + "add_basic_constraints": { + "type": "boolean", + "description": "Whether to add a Basic Constraints extension with CA: true. Only needed as a workaround in some compatibility scenarios with Active Directory Certificate Services." + }, + "alt_names": { + "type": "string", + "description": "The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses.", + "x-vault-displayAttrs": { + "name": "DNS/Email Subject Alternative Names (SANs)" + } + }, + "common_name": { + "type": "string", + "description": "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans." + }, + "country": { + "type": "array", + "description": "If set, Country will be set to this value.", + "items": { + "type": "string" + } + }, + "exclude_cn_from_sans": { + "type": "boolean", + "description": "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. 
Defaults to false (CN is included).", + "default": false, + "x-vault-displayAttrs": { + "name": "Exclude Common Name from Subject Alternative Names (SANs)" + } + }, + "format": { + "type": "string", + "description": "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\", any private key and issuing cert will be appended to the certificate pem. If \"der\", the value will be base64 encoded. Defaults to \"pem\".", + "enum": [ + "pem", + "der", + "pem_bundle" + ], + "default": "pem", + "x-vault-displayAttrs": { + "value": "pem" + } + }, + "ip_sans": { + "type": "array", + "description": "The requested IP SANs, if any, in a comma-delimited list", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "IP Subject Alternative Names (SANs)" + } + }, + "key_bits": { + "type": "integer", + "description": "The number of bits to use. Allowed values are 0 (universal default); with rsa key_type: 2048 (default), 3072, or 4096; with ec key_type: 224, 256 (default), 384, or 521; ignored with ed25519.", + "default": 0, + "x-vault-displayAttrs": { + "value": 0 + } + }, + "key_name": { + "type": "string", + "description": "Provide a name to the generated or existing key, the name must be unique across all keys and not be the reserved value 'default'" + }, + "key_ref": { + "type": "string", + "description": "Reference to a existing key; either \"default\" for the configured default key, an identifier or the name assigned to the key.", + "default": "default" + }, + "key_type": { + "type": "string", + "description": "The type of key to use; defaults to RSA. 
\"rsa\" \"ec\" and \"ed25519\" are the only valid values.", + "enum": [ + "rsa", + "ec", + "ed25519" + ], + "default": "rsa", + "x-vault-displayAttrs": { + "value": "rsa" + } + }, + "locality": { + "type": "array", + "description": "If set, Locality will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Locality/City" + } + }, + "managed_key_id": { + "type": "string", + "description": "The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_name is required. Ignored for other types." + }, + "managed_key_name": { + "type": "string", + "description": "The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_id is required. Ignored for other types." + }, + "not_after": { + "type": "string", + "description": "Set the not after field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ" + }, + "not_before_duration": { + "type": "string", + "description": "The duration before now which the certificate needs to be backdated by.", + "format": "duration", + "default": 30, + "x-vault-displayAttrs": { + "value": 30 + } + }, + "organization": { + "type": "array", + "description": "If set, O (Organization) will be set to this value.", + "items": { + "type": "string" + } + }, + "other_sans": { + "type": "array", + "description": "Requested other SANs, in an array with the format ;UTF8: for each entry.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Other SANs" + } + }, + "ou": { + "type": "array", + "description": "If set, OU (OrganizationalUnit) will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "OU (Organizational Unit)" + } + }, + "postal_code": { + "type": "array", + "description": "If set, Postal Code will be set to this value.", + "items": { + "type": 
"string" + }, + "x-vault-displayAttrs": { + "name": "Postal Code" + } + }, + "private_key_format": { + "type": "string", + "description": "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".", + "enum": [ + "", + "der", + "pem", + "pkcs8" + ], + "default": "der", + "x-vault-displayAttrs": { + "value": "der" + } + }, + "province": { + "type": "array", + "description": "If set, Province will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Province/State" + } + }, + "serial_number": { + "type": "string", + "description": "The Subject's requested serial number, if any. See RFC 4519 Section 2.31 'serialNumber' for a description of this field. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. This has no impact on the final certificate's Serial Number field." + }, + "signature_bits": { + "type": "integer", + "description": "The number of bits to use in the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for SHA-2-512. Defaults to 0 to automatically detect based on key length (SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).", + "default": 0, + "x-vault-displayAttrs": { + "value": 0 + } + }, + "street_address": { + "type": "array", + "description": "If set, Street Address will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Street Address" + } + }, + "ttl": { + "type": "string", + "description": "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. 
Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "TTL" + } + }, + "uri_sans": { + "type": "array", + "description": "The requested URI SANs, if any, in a comma-delimited list.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "URI Subject Alternative Names (SANs)" + } + } + } + }, + "PkiIssuersGenerateIntermediateResponse": { + "type": "object", + "properties": { + "csr": { + "type": "string", + "description": "Certificate signing request." + }, + "key_id": { + "type": "string", + "description": "Id of the key." + }, + "private_key": { + "type": "string", + "description": "Generated private key." + }, + "private_key_type": { + "type": "string", + "description": "Specifies the format used for marshaling the private key." + } + } + }, + "PkiIssuersGenerateRootRequest": { + "type": "object", + "properties": { + "alt_names": { + "type": "string", + "description": "The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses.", + "x-vault-displayAttrs": { + "name": "DNS/Email Subject Alternative Names (SANs)" + } + }, + "common_name": { + "type": "string", + "description": "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans." + }, + "country": { + "type": "array", + "description": "If set, Country will be set to this value.", + "items": { + "type": "string" + } + }, + "exclude_cn_from_sans": { + "type": "boolean", + "description": "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. 
Defaults to false (CN is included).", + "default": false, + "x-vault-displayAttrs": { + "name": "Exclude Common Name from Subject Alternative Names (SANs)" + } + }, + "format": { + "type": "string", + "description": "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\", any private key and issuing cert will be appended to the certificate pem. If \"der\", the value will be base64 encoded. Defaults to \"pem\".", + "enum": [ + "pem", + "der", + "pem_bundle" + ], + "default": "pem", + "x-vault-displayAttrs": { + "value": "pem" + } + }, + "ip_sans": { + "type": "array", + "description": "The requested IP SANs, if any, in a comma-delimited list", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "IP Subject Alternative Names (SANs)" + } + }, + "issuer_name": { + "type": "string", + "description": "Provide a name to the generated or existing issuer, the name must be unique across all issuers and not be the reserved value 'default'" + }, + "key_bits": { + "type": "integer", + "description": "The number of bits to use. Allowed values are 0 (universal default); with rsa key_type: 2048 (default), 3072, or 4096; with ec key_type: 224, 256 (default), 384, or 521; ignored with ed25519.", + "default": 0, + "x-vault-displayAttrs": { + "value": 0 + } + }, + "key_name": { + "type": "string", + "description": "Provide a name to the generated or existing key, the name must be unique across all keys and not be the reserved value 'default'" + }, + "key_ref": { + "type": "string", + "description": "Reference to a existing key; either \"default\" for the configured default key, an identifier or the name assigned to the key.", + "default": "default" + }, + "key_type": { + "type": "string", + "description": "The type of key to use; defaults to RSA. 
\"rsa\" \"ec\" and \"ed25519\" are the only valid values.", + "enum": [ + "rsa", + "ec", + "ed25519" + ], + "default": "rsa", + "x-vault-displayAttrs": { + "value": "rsa" + } + }, + "locality": { + "type": "array", + "description": "If set, Locality will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Locality/City" + } + }, + "managed_key_id": { + "type": "string", + "description": "The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_name is required. Ignored for other types." + }, + "managed_key_name": { + "type": "string", + "description": "The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_id is required. Ignored for other types." + }, + "max_path_length": { + "type": "integer", + "description": "The maximum allowable path length", + "default": -1 + }, + "not_after": { + "type": "string", + "description": "Set the not after field of the certificate with specified date value. 
The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ" + }, + "not_before_duration": { + "type": "string", + "description": "The duration before now which the certificate needs to be backdated by.", + "format": "duration", + "default": 30, + "x-vault-displayAttrs": { + "value": 30 + } + }, + "organization": { + "type": "array", + "description": "If set, O (Organization) will be set to this value.", + "items": { + "type": "string" + } + }, + "other_sans": { + "type": "array", + "description": "Requested other SANs, in an array with the format ;UTF8: for each entry.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Other SANs" + } + }, + "ou": { + "type": "array", + "description": "If set, OU (OrganizationalUnit) will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "OU (Organizational Unit)" + } + }, + "permitted_dns_domains": { + "type": "array", + "description": "Domains for which this certificate is allowed to sign or issue child certificates. If set, all DNS names (subject and alt) on child certs must be exact matches or subsets of the given domains (see https://tools.ietf.org/html/rfc5280#section-4.2.1.10).", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Permitted DNS Domains" + } + }, + "postal_code": { + "type": "array", + "description": "If set, Postal Code will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Postal Code" + } + }, + "private_key_format": { + "type": "string", + "description": "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. 
Defaults to \"der\".", + "enum": [ + "", + "der", + "pem", + "pkcs8" + ], + "default": "der", + "x-vault-displayAttrs": { + "value": "der" + } + }, + "province": { + "type": "array", + "description": "If set, Province will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Province/State" + } + }, + "serial_number": { + "type": "string", + "description": "The Subject's requested serial number, if any. See RFC 4519 Section 2.31 'serialNumber' for a description of this field. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. This has no impact on the final certificate's Serial Number field." + }, + "signature_bits": { + "type": "integer", + "description": "The number of bits to use in the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for SHA-2-512. Defaults to 0 to automatically detect based on key length (SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).", + "default": 0, + "x-vault-displayAttrs": { + "value": 0 + } + }, + "street_address": { + "type": "array", + "description": "If set, Street Address will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Street Address" + } + }, + "ttl": { + "type": "string", + "description": "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. 
Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "TTL" + } + }, + "uri_sans": { + "type": "array", + "description": "The requested URI SANs, if any, in a comma-delimited list.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "URI Subject Alternative Names (SANs)" + } + }, + "use_pss": { + "type": "boolean", + "description": "Whether or not to use PSS signatures when using a RSA key-type issuer. Defaults to false.", + "default": false + } + } + }, + "PkiIssuersGenerateRootResponse": { + "type": "object", + "properties": { + "certificate": { + "type": "string", + "description": "The generated self-signed CA certificate." + }, + "expiration": { + "type": "integer", + "description": "The expiration of the given issuer.", + "format": "int64" + }, + "issuer_id": { + "type": "string", + "description": "The ID of the issuer" + }, + "issuer_name": { + "type": "string", + "description": "The name of the issuer." + }, + "issuing_ca": { + "type": "string", + "description": "The issuing certificate authority." + }, + "key_id": { + "type": "string", + "description": "The ID of the key." + }, + "key_name": { + "type": "string", + "description": "The key name if given." + }, + "private_key": { + "type": "string", + "description": "The private key if exported was specified." + }, + "serial_number": { + "type": "string", + "description": "The requested Subject's named serial number." + } + } + }, + "PkiIssuersImportBundleRequest": { + "type": "object", + "properties": { + "pem_bundle": { + "type": "string", + "description": "PEM-format, concatenated unencrypted secret-key (optional) and certificates." 
+ } + } + }, + "PkiIssuersImportBundleResponse": { + "type": "object", + "properties": { + "existing_issuers": { + "type": "array", + "description": "Existing issuers specified as part of the import bundle of this request", + "items": { + "type": "string" + } + }, + "existing_keys": { + "type": "array", + "description": "Existing keys specified as part of the import bundle of this request", + "items": { + "type": "string" + } + }, + "imported_issuers": { + "type": "array", + "description": "Net-new issuers imported as a part of this request", + "items": { + "type": "string" + } + }, + "imported_keys": { + "type": "array", + "description": "Net-new keys imported as a part of this request", + "items": { + "type": "string" + } + }, + "mapping": { + "type": "object", + "description": "A mapping of issuer_id to key_id for all issuers included in this request", + "format": "map" + } + } + }, + "PkiIssuersImportCertRequest": { + "type": "object", + "properties": { + "pem_bundle": { + "type": "string", + "description": "PEM-format, concatenated unencrypted secret-key (optional) and certificates." 
+ } + } + }, + "PkiIssuersImportCertResponse": { + "type": "object", + "properties": { + "existing_issuers": { + "type": "array", + "description": "Existing issuers specified as part of the import bundle of this request", + "items": { + "type": "string" + } + }, + "existing_keys": { + "type": "array", + "description": "Existing keys specified as part of the import bundle of this request", + "items": { + "type": "string" + } + }, + "imported_issuers": { + "type": "array", + "description": "Net-new issuers imported as a part of this request", + "items": { + "type": "string" + } + }, + "imported_keys": { + "type": "array", + "description": "Net-new keys imported as a part of this request", + "items": { + "type": "string" + } + }, + "mapping": { + "type": "object", + "description": "A mapping of issuer_id to key_id for all issuers included in this request", + "format": "map" + } + } + }, + "PkiListEabKeysResponse": { + "type": "object", + "properties": { + "key_info": { + "type": "object", + "description": "EAB details keyed by the eab key id", + "format": "map" + }, + "keys": { + "type": "array", + "description": "A list of unused eab keys", + "items": { + "type": "string" + } + } + } + }, + "PkiListIssuersResponse": { + "type": "object", + "properties": { + "key_info": { + "type": "object", + "description": "Key info with issuer name", + "format": "map" + }, + "keys": { + "type": "array", + "description": "A list of keys", + "items": { + "type": "string" + } + } + } + }, + "PkiListKeysResponse": { + "type": "object", + "properties": { + "key_info": { + "type": "object", + "description": "Key info with issuer name", + "format": "map" + }, + "keys": { + "type": "array", + "description": "A list of keys", + "items": { + "type": "string" + } + } + } + }, + "PkiPatchIssuerResponse": { + "type": "object", + "properties": { + "ca_chain": { + "type": "array", + "description": "CA Chain", + "items": { + "type": "string" + } + }, + "certificate": { + "type": "string", + 
"description": "Certificate" + }, + "crl_distribution_points": { + "type": "array", + "description": "CRL Distribution Points", + "items": { + "type": "string" + } + }, + "enable_aia_url_templating": { + "type": "boolean", + "description": "Whether or not templating is enabled for AIA fields" + }, + "issuer_id": { + "type": "string", + "description": "Issuer Id" + }, + "issuer_name": { + "type": "string", + "description": "Issuer Name" + }, + "issuing_certificates": { + "type": "array", + "description": "Issuing Certificates", + "items": { + "type": "string" + } + }, + "key_id": { + "type": "string", + "description": "Key Id" + }, + "leaf_not_after_behavior": { + "type": "string", + "description": "Leaf Not After Behavior" + }, + "manual_chain": { + "type": "array", + "description": "Manual Chain", + "items": { + "type": "string" + } + }, + "ocsp_servers": { + "type": "array", + "description": "OCSP Servers", + "items": { + "type": "string" + } + }, + "revocation_signature_algorithm": { + "type": "string", + "description": "Revocation Signature Alogrithm" + }, + "revocation_time": { + "type": "integer" + }, + "revocation_time_rfc3339": { + "type": "string" + }, + "revoked": { + "type": "boolean", + "description": "Revoked" + }, + "usage": { + "type": "string", + "description": "Usage" + } + } + }, + "PkiPatchRoleResponse": { + "type": "object", + "properties": { + "allow_any_name": { + "type": "boolean", + "description": "If set, clients can request certificates for any domain, regardless of allowed_domains restrictions. See the documentation for more information." + }, + "allow_bare_domains": { + "type": "boolean", + "description": "If set, clients can request certificates for the base domains themselves, e.g. \"example.com\" of domains listed in allowed_domains. This is a separate option as in some cases this can be considered a security threat. See the documentation for more information." 
+ }, + "allow_glob_domains": { + "type": "boolean", + "description": "If set, domains specified in allowed_domains can include shell-style glob patterns, e.g. \"ftp*.example.com\". See the documentation for more information." + }, + "allow_ip_sans": { + "type": "boolean", + "description": "If set, IP Subject Alternative Names are allowed. Any valid IP is accepted and No authorization checking is performed." + }, + "allow_localhost": { + "type": "boolean", + "description": "Whether to allow \"localhost\" and \"localdomain\" as a valid common name in a request, independent of allowed_domains value." + }, + "allow_subdomains": { + "type": "boolean", + "description": "If set, clients can request certificates for subdomains of domains listed in allowed_domains, including wildcard subdomains. See the documentation for more information." + }, + "allow_token_displayname": { + "type": "boolean", + "description": "Whether to allow \"localhost\" and \"localdomain\" as a valid common name in a request, independent of allowed_domains value." + }, + "allow_wildcard_certificates": { + "type": "boolean", + "description": "If set, allows certificates with wildcards in the common name to be issued, conforming to RFC 6125's Section 6.4.3; e.g., \"*.example.net\" or \"b*z.example.net\". See the documentation for more information." + }, + "allowed_domains": { + "type": "array", + "description": "Specifies the domains this role is allowed to issue certificates for. This is used with the allow_bare_domains, allow_subdomains, and allow_glob_domains to determine matches for the common name, DNS-typed SAN entries, and Email-typed SAN entries of certificates. See the documentation for more information. This parameter accepts a comma-separated string or list of domains.", + "items": { + "type": "string" + } + }, + "allowed_domains_template": { + "type": "boolean", + "description": "If set, Allowed domains can be specified using identity template policies. 
Non-templated domains are also permitted." + }, + "allowed_other_sans": { + "type": "array", + "description": "If set, an array of allowed other names to put in SANs. These values support globbing and must be in the format ;:. Currently only \"utf8\" is a valid type. All values, including globbing values, must use this syntax, with the exception being a single \"*\" which allows any OID and any value (but type must still be utf8).", + "items": { + "type": "string" + } + }, + "allowed_serial_numbers": { + "type": "array", + "description": "If set, an array of allowed serial numbers to put in Subject. These values support globbing.", + "items": { + "type": "string" + } + }, + "allowed_uri_sans": { + "type": "array", + "description": "If set, an array of allowed URIs for URI Subject Alternative Names. Any valid URI is accepted, these values support globbing.", + "items": { + "type": "string" + } + }, + "allowed_uri_sans_template": { + "type": "boolean", + "description": "If set, Allowed URI SANs can be specified using identity template policies. Non-templated URI SANs are also permitted." + }, + "allowed_user_ids": { + "type": "array", + "description": "If set, an array of allowed user-ids to put in user system login name specified here: https://www.rfc-editor.org/rfc/rfc1274#section-9.3.1", + "items": { + "type": "string" + } + }, + "basic_constraints_valid_for_non_ca": { + "type": "boolean", + "description": "Mark Basic Constraints valid when issuing non-CA certificates." + }, + "client_flag": { + "type": "boolean", + "description": "If set, certificates are flagged for client auth use. Defaults to true. See also RFC 5280 Section 4.2.1.12." + }, + "cn_validations": { + "type": "array", + "description": "List of allowed validations to run against the Common Name field. Values can include 'email' to validate the CN is a email address, 'hostname' to validate the CN is a valid hostname (potentially including wildcards). 
When multiple validations are specified, these take OR semantics (either email OR hostname are allowed). The special value 'disabled' allows disabling all CN name validations, allowing for arbitrary non-Hostname, non-Email address CNs.", + "items": { + "type": "string" + } + }, + "code_signing_flag": { + "type": "boolean", + "description": "If set, certificates are flagged for code signing use. Defaults to false. See also RFC 5280 Section 4.2.1.12." + }, + "country": { + "type": "array", + "description": "If set, Country will be set to this value in certificates issued by this role.", + "items": { + "type": "string" + } + }, + "email_protection_flag": { + "type": "boolean", + "description": "If set, certificates are flagged for email protection use. Defaults to false. See also RFC 5280 Section 4.2.1.12." + }, + "enforce_hostnames": { + "type": "boolean", + "description": "If set, only valid host names are allowed for CN and DNS SANs, and the host part of email addresses. Defaults to true." + }, + "ext_key_usage": { + "type": "array", + "description": "A comma-separated string or list of extended key usages. Valid values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage -- simply drop the \"ExtKeyUsage\" part of the name. To remove all key usages from being set, set this value to an empty list. See also RFC 5280 Section 4.2.1.12.", + "items": { + "type": "string" + } + }, + "ext_key_usage_oids": { + "type": "array", + "description": "A comma-separated string or list of extended key usage oids.", + "items": { + "type": "string" + } + }, + "generate_lease": { + "type": "boolean", + "description": "If set, certificates issued/signed against this role will have Vault leases attached to them. Defaults to \"false\". Certificates can be added to the CRL by \"vault revoke \" when certificates are associated with leases. It can also be done using the \"pki/revoke\" endpoint. 
However, when lease generation is disabled, invoking \"pki/revoke\" would be the only way to add the certificates to the CRL. When large number of certificates are generated with long lifetimes, it is recommended that lease generation be disabled, as large amount of leases adversely affect the startup time of Vault." + }, + "issuer_ref": { + "type": "string", + "description": "Reference to the issuer used to sign requests serviced by this role." + }, + "key_bits": { + "type": "integer", + "description": "The number of bits to use. Allowed values are 0 (universal default); with rsa key_type: 2048 (default), 3072, or 4096; with ec key_type: 224, 256 (default), 384, or 521; ignored with ed25519." + }, + "key_type": { + "type": "string", + "description": "The type of key to use; defaults to RSA. \"rsa\" \"ec\", \"ed25519\" and \"any\" are the only valid values." + }, + "key_usage": { + "type": "array", + "description": "A comma-separated string or list of key usages (not extended key usages). Valid values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage -- simply drop the \"KeyUsage\" part of the name. To remove all key usages from being set, set this value to an empty list. See also RFC 5280 Section 4.2.1.3.", + "items": { + "type": "string" + } + }, + "locality": { + "type": "array", + "description": "If set, Locality will be set to this value in certificates issued by this role.", + "items": { + "type": "string" + } + }, + "max_ttl": { + "type": "integer", + "description": "The maximum allowed lease duration. If not set, defaults to the system maximum lease TTL.", + "format": "int64" + }, + "no_store": { + "type": "boolean", + "description": "If set, certificates issued/signed against this role will not be stored in the storage backend. This can improve performance when issuing large numbers of certificates. 
However, certificates issued in this way cannot be enumerated or revoked, so this option is recommended only for certificates that are non-sensitive, or extremely short-lived. This option implies a value of \"false\" for \"generate_lease\"." + }, + "not_after": { + "type": "string", + "description": "Set the not after field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ." + }, + "not_before_duration": { + "type": "integer", + "description": "The duration in seconds before now which the certificate needs to be backdated by.", + "format": "int64" + }, + "organization": { + "type": "array", + "description": "If set, O (Organization) will be set to this value in certificates issued by this role.", + "items": { + "type": "string" + } + }, + "ou": { + "type": "array", + "description": "If set, OU (OrganizationalUnit) will be set to this value in certificates issued by this role.", + "items": { + "type": "string" + } + }, + "policy_identifiers": { + "type": "array", + "description": "A comma-separated string or list of policy OIDs, or a JSON list of qualified policy information, which must include an oid, and may include a notice and/or cps url, using the form [{\"oid\"=\"1.3.6.1.4.1.7.8\",\"notice\"=\"I am a user Notice\"}, {\"oid\"=\"1.3.6.1.4.1.44947.1.2.4 \",\"cps\"=\"https://example.com\"}].", + "items": { + "type": "string" + } + }, + "postal_code": { + "type": "array", + "description": "If set, Postal Code will be set to this value in certificates issued by this role.", + "items": { + "type": "string" + } + }, + "province": { + "type": "array", + "description": "If set, Province will be set to this value in certificates issued by this role.", + "items": { + "type": "string" + } + }, + "require_cn": { + "type": "boolean", + "description": "If set to false, makes the 'common_name' field optional while generating a certificate." 
+ }, + "server_flag": { + "type": "boolean", + "description": "If set, certificates are flagged for server auth use. Defaults to true. See also RFC 5280 Section 4.2.1.12.", + "default": true + }, + "signature_bits": { + "type": "integer", + "description": "The number of bits to use in the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for SHA-2-512. Defaults to 0 to automatically detect based on key length (SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves)." + }, + "street_address": { + "type": "array", + "description": "If set, Street Address will be set to this value in certificates issued by this role.", + "items": { + "type": "string" + } + }, + "ttl": { + "type": "integer", + "description": "The lease duration (validity period of the certificate) if no specific lease duration is requested. The lease duration controls the expiration of certificates issued by this backend. Defaults to the system default value or the value of max_ttl, whichever is shorter.", + "format": "int64" + }, + "use_csr_common_name": { + "type": "boolean", + "description": "If set, when used with a signing profile, the common name in the CSR will be used. This does *not* include any requested Subject Alternative Names; use use_csr_sans for that. Defaults to true." + }, + "use_csr_sans": { + "type": "boolean", + "description": "If set, when used with a signing profile, the SANs in the CSR will be used. This does *not* include the Common Name (cn); use use_csr_common_name for that. Defaults to true." + }, + "use_pss": { + "type": "boolean", + "description": "Whether or not to use PSS signatures when using a RSA key-type issuer. Defaults to false." 
+ } + } + }, + "PkiReadAutoTidyConfigurationResponse": { + "type": "object", + "properties": { + "acme_account_safety_buffer": { + "type": "integer", + "description": "Safety buffer after creation after which accounts lacking orders are revoked" + }, + "enabled": { + "type": "boolean", + "description": "Specifies whether automatic tidy is enabled or not" + }, + "interval_duration": { + "type": "integer", + "description": "Specifies the duration between automatic tidy operation" + }, + "issuer_safety_buffer": { + "type": "integer", + "description": "Issuer safety buffer" + }, + "maintain_stored_certificate_counts": { + "type": "boolean" + }, + "pause_duration": { + "type": "string", + "description": "Duration to pause between tidying certificates" + }, + "publish_stored_certificate_count_metrics": { + "type": "boolean" + }, + "revocation_queue_safety_buffer": { + "type": "integer" + }, + "safety_buffer": { + "type": "integer", + "description": "Safety buffer time duration" + }, + "tidy_acme": { + "type": "boolean", + "description": "Tidy Unused Acme Accounts, and Orders" + }, + "tidy_cert_store": { + "type": "boolean", + "description": "Specifies whether to tidy up the certificate store" + }, + "tidy_cross_cluster_revoked_certs": { + "type": "boolean" + }, + "tidy_expired_issuers": { + "type": "boolean", + "description": "Specifies whether tidy expired issuers" + }, + "tidy_move_legacy_ca_bundle": { + "type": "boolean" + }, + "tidy_revocation_queue": { + "type": "boolean" + }, + "tidy_revoked_cert_issuer_associations": { + "type": "boolean", + "description": "Specifies whether to associate revoked certificates with their corresponding issuers" + }, + "tidy_revoked_certs": { + "type": "boolean", + "description": "Specifies whether to remove all invalid and expired certificates from storage" + } + } + }, + "PkiReadCaChainPemResponse": { + "type": "object", + "properties": { + "ca_chain": { + "type": "string", + "description": "Issuing CA Chain" + }, + "certificate": { 
+ "type": "string", + "description": "Certificate" + }, + "issuer_id": { + "type": "string", + "description": "ID of the issuer" + }, + "revocation_time": { + "type": "integer", + "description": "Revocation time", + "format": "int64" + }, + "revocation_time_rfc3339": { + "type": "string", + "description": "Revocation time RFC 3339 formatted" + } + } + }, + "PkiReadCaDerResponse": { + "type": "object", + "properties": { + "ca_chain": { + "type": "string", + "description": "Issuing CA Chain" + }, + "certificate": { + "type": "string", + "description": "Certificate" + }, + "issuer_id": { + "type": "string", + "description": "ID of the issuer" + }, + "revocation_time": { + "type": "integer", + "description": "Revocation time", + "format": "int64" + }, + "revocation_time_rfc3339": { + "type": "string", + "description": "Revocation time RFC 3339 formatted" + } + } + }, + "PkiReadCaPemResponse": { + "type": "object", + "properties": { + "ca_chain": { + "type": "string", + "description": "Issuing CA Chain" + }, + "certificate": { + "type": "string", + "description": "Certificate" + }, + "issuer_id": { + "type": "string", + "description": "ID of the issuer" + }, + "revocation_time": { + "type": "integer", + "description": "Revocation time", + "format": "int64" + }, + "revocation_time_rfc3339": { + "type": "string", + "description": "Revocation time RFC 3339 formatted" + } + } + }, + "PkiReadCertCaChainResponse": { + "type": "object", + "properties": { + "ca_chain": { + "type": "string", + "description": "Issuing CA Chain" + }, + "certificate": { + "type": "string", + "description": "Certificate" + }, + "issuer_id": { + "type": "string", + "description": "ID of the issuer" + }, + "revocation_time": { + "type": "integer", + "description": "Revocation time", + "format": "int64" + }, + "revocation_time_rfc3339": { + "type": "string", + "description": "Revocation time RFC 3339 formatted" + } + } + }, + "PkiReadCertCrlResponse": { + "type": "object", + "properties": { + 
"ca_chain": { + "type": "string", + "description": "Issuing CA Chain" + }, + "certificate": { + "type": "string", + "description": "Certificate" + }, + "issuer_id": { + "type": "string", + "description": "ID of the issuer" + }, + "revocation_time": { + "type": "integer", + "description": "Revocation time", + "format": "int64" + }, + "revocation_time_rfc3339": { + "type": "string", + "description": "Revocation time RFC 3339 formatted" + } + } + }, + "PkiReadCertDeltaCrlResponse": { + "type": "object", + "properties": { + "ca_chain": { + "type": "string", + "description": "Issuing CA Chain" + }, + "certificate": { + "type": "string", + "description": "Certificate" + }, + "issuer_id": { + "type": "string", + "description": "ID of the issuer" + }, + "revocation_time": { + "type": "integer", + "description": "Revocation time", + "format": "int64" + }, + "revocation_time_rfc3339": { + "type": "string", + "description": "Revocation time RFC 3339 formatted" + } + } + }, + "PkiReadCertRawDerResponse": { + "type": "object", + "properties": { + "ca_chain": { + "type": "string", + "description": "Issuing CA Chain" + }, + "certificate": { + "type": "string", + "description": "Certificate" + }, + "issuer_id": { + "type": "string", + "description": "ID of the issuer" + }, + "revocation_time": { + "type": "integer", + "description": "Revocation time", + "format": "int64" + }, + "revocation_time_rfc3339": { + "type": "string", + "description": "Revocation time RFC 3339 formatted" + } + } + }, + "PkiReadCertRawPemResponse": { + "type": "object", + "properties": { + "ca_chain": { + "type": "string", + "description": "Issuing CA Chain" + }, + "certificate": { + "type": "string", + "description": "Certificate" + }, + "issuer_id": { + "type": "string", + "description": "ID of the issuer" + }, + "revocation_time": { + "type": "integer", + "description": "Revocation time", + "format": "int64" + }, + "revocation_time_rfc3339": { + "type": "string", + "description": "Revocation time RFC 
3339 formatted" + } + } + }, + "PkiReadCertResponse": { + "type": "object", + "properties": { + "ca_chain": { + "type": "string", + "description": "Issuing CA Chain" + }, + "certificate": { + "type": "string", + "description": "Certificate" + }, + "issuer_id": { + "type": "string", + "description": "ID of the issuer" + }, + "revocation_time": { + "type": "integer", + "description": "Revocation time", + "format": "int64" + }, + "revocation_time_rfc3339": { + "type": "string", + "description": "Revocation time RFC 3339 formatted" + } + } + }, + "PkiReadClusterConfigurationResponse": { + "type": "object", + "properties": { + "aia_path": { + "type": "string", + "description": "Optional URI to this mount's AIA distribution point; may refer to an external non-Vault responder. This is for resolving AIA URLs and providing the {{cluster_aia_path}} template parameter and will not be used for other purposes. As such, unlike path above, this could safely be an insecure transit mechanism (like HTTP without TLS). For example: http://cdn.example.com/pr1/pki" + }, + "path": { + "type": "string", + "description": "Canonical URI to this mount on this performance replication cluster's external address. This is for resolving AIA URLs and providing the {{cluster_path}} template parameter but might be used for other purposes in the future. This should only point back to this particular PR replica and should not ever point to another PR cluster. It may point to any node in the PR replica, including standby nodes, and need not always point to the active node. For example: https://pr1.vault.example.com:8200/v1/pki" + } + } + }, + "PkiReadCrlConfigurationResponse": { + "type": "object", + "properties": { + "auto_rebuild": { + "type": "boolean", + "description": "If set to true, enables automatic rebuilding of the CRL" + }, + "auto_rebuild_grace_period": { + "type": "string", + "description": "The time before the CRL expires to automatically rebuild it, when enabled. 
Must be shorter than the CRL expiry. Defaults to 12h." + }, + "cross_cluster_revocation": { + "type": "boolean", + "description": "Whether to enable a global, cross-cluster revocation queue. Must be used with auto_rebuild=true." + }, + "delta_rebuild_interval": { + "type": "string", + "description": "The time between delta CRL rebuilds if a new revocation has occurred. Must be shorter than the CRL expiry. Defaults to 15m." + }, + "disable": { + "type": "boolean", + "description": "If set to true, disables generating the CRL entirely." + }, + "enable_delta": { + "type": "boolean", + "description": "Whether to enable delta CRLs between authoritative CRL rebuilds" + }, + "expiry": { + "type": "string", + "description": "The amount of time the generated CRL should be valid; defaults to 72 hours" + }, + "ocsp_disable": { + "type": "boolean", + "description": "If set to true, ocsp unauthorized responses will be returned." + }, + "ocsp_expiry": { + "type": "string", + "description": "The amount of time an OCSP response will be valid (controls the NextUpdate field); defaults to 12 hours" + }, + "unified_crl": { + "type": "boolean", + "description": "If set to true enables global replication of revocation entries, also enabling unified versions of OCSP and CRLs if their respective features are enabled. disable for CRLs and ocsp_disable for OCSP." 
+ }, + "unified_crl_on_existing_paths": { + "type": "boolean", + "description": "If set to true, existing CRL and OCSP paths will return the unified CRL instead of a response based on cluster-local data" + } + } + }, + "PkiReadCrlDeltaPemResponse": { + "type": "object", + "properties": { + "ca_chain": { + "type": "string", + "description": "Issuing CA Chain" + }, + "certificate": { + "type": "string", + "description": "Certificate" + }, + "issuer_id": { + "type": "string", + "description": "ID of the issuer" + }, + "revocation_time": { + "type": "integer", + "description": "Revocation time", + "format": "int64" + }, + "revocation_time_rfc3339": { + "type": "string", + "description": "Revocation time RFC 3339 formatted" + } + } + }, + "PkiReadCrlDeltaResponse": { + "type": "object", + "properties": { + "ca_chain": { + "type": "string", + "description": "Issuing CA Chain" + }, + "certificate": { + "type": "string", + "description": "Certificate" + }, + "issuer_id": { + "type": "string", + "description": "ID of the issuer" + }, + "revocation_time": { + "type": "integer", + "description": "Revocation time", + "format": "int64" + }, + "revocation_time_rfc3339": { + "type": "string", + "description": "Revocation time RFC 3339 formatted" + } + } + }, + "PkiReadCrlDerResponse": { + "type": "object", + "properties": { + "ca_chain": { + "type": "string", + "description": "Issuing CA Chain" + }, + "certificate": { + "type": "string", + "description": "Certificate" + }, + "issuer_id": { + "type": "string", + "description": "ID of the issuer" + }, + "revocation_time": { + "type": "integer", + "description": "Revocation time", + "format": "int64" + }, + "revocation_time_rfc3339": { + "type": "string", + "description": "Revocation time RFC 3339 formatted" + } + } + }, + "PkiReadCrlPemResponse": { + "type": "object", + "properties": { + "ca_chain": { + "type": "string", + "description": "Issuing CA Chain" + }, + "certificate": { + "type": "string", + "description": "Certificate" + 
}, + "issuer_id": { + "type": "string", + "description": "ID of the issuer" + }, + "revocation_time": { + "type": "integer", + "description": "Revocation time", + "format": "int64" + }, + "revocation_time_rfc3339": { + "type": "string", + "description": "Revocation time RFC 3339 formatted" + } + } + }, + "PkiReadIssuerDerResponse": { + "type": "object", + "properties": { + "ca_chain": { + "type": "array", + "description": "CA Chain", + "items": { + "type": "string" + } + }, + "certificate": { + "type": "string", + "description": "Certificate" + }, + "issuer_id": { + "type": "string", + "description": "Issuer Id" + }, + "issuer_name": { + "type": "string", + "description": "Issuer Name" + } + } + }, + "PkiReadIssuerJsonResponse": { + "type": "object", + "properties": { + "ca_chain": { + "type": "array", + "description": "CA Chain", + "items": { + "type": "string" + } + }, + "certificate": { + "type": "string", + "description": "Certificate" + }, + "issuer_id": { + "type": "string", + "description": "Issuer Id" + }, + "issuer_name": { + "type": "string", + "description": "Issuer Name" + } + } + }, + "PkiReadIssuerPemResponse": { + "type": "object", + "properties": { + "ca_chain": { + "type": "array", + "description": "CA Chain", + "items": { + "type": "string" + } + }, + "certificate": { + "type": "string", + "description": "Certificate" + }, + "issuer_id": { + "type": "string", + "description": "Issuer Id" + }, + "issuer_name": { + "type": "string", + "description": "Issuer Name" + } + } + }, + "PkiReadIssuerResponse": { + "type": "object", + "properties": { + "ca_chain": { + "type": "array", + "description": "CA Chain", + "items": { + "type": "string" + } + }, + "certificate": { + "type": "string", + "description": "Certificate" + }, + "crl_distribution_points": { + "type": "array", + "description": "CRL Distribution Points", + "items": { + "type": "string" + } + }, + "enable_aia_url_templating": { + "type": "boolean", + "description": "Whether or not templating is 
enabled for AIA fields" + }, + "issuer_id": { + "type": "string", + "description": "Issuer Id" + }, + "issuer_name": { + "type": "string", + "description": "Issuer Name" + }, + "issuing_certificates": { + "type": "array", + "description": "Issuing Certificates", + "items": { + "type": "string" + } + }, + "key_id": { + "type": "string", + "description": "Key Id" + }, + "leaf_not_after_behavior": { + "type": "string", + "description": "Leaf Not After Behavior" + }, + "manual_chain": { + "type": "array", + "description": "Manual Chain", + "items": { + "type": "string" + } + }, + "ocsp_servers": { + "type": "array", + "description": "OCSP Servers", + "items": { + "type": "string" + } + }, + "revocation_signature_algorithm": { + "type": "string", + "description": "Revocation Signature Alogrithm" + }, + "revocation_time": { + "type": "integer" + }, + "revocation_time_rfc3339": { + "type": "string" + }, + "revoked": { + "type": "boolean", + "description": "Revoked" + }, + "usage": { + "type": "string", + "description": "Usage" + } + } + }, + "PkiReadIssuersConfigurationResponse": { + "type": "object", + "properties": { + "default": { + "type": "string", + "description": "Reference (name or identifier) to the default issuer." + }, + "default_follows_latest_issuer": { + "type": "boolean", + "description": "Whether the default issuer should automatically follow the latest generated or imported issuer. Defaults to false." 
+ } + } + }, + "PkiReadKeyResponse": { + "type": "object", + "properties": { + "key_id": { + "type": "string", + "description": "Key Id" + }, + "key_name": { + "type": "string", + "description": "Key Name" + }, + "key_type": { + "type": "string", + "description": "Key Type" + }, + "managed_key_id": { + "type": "string", + "description": "Managed Key Id" + }, + "managed_key_name": { + "type": "string", + "description": "Managed Key Name" + }, + "subject_key_id": { + "type": "string", + "description": "RFC 5280 Subject Key Identifier of the public counterpart" + } + } + }, + "PkiReadKeysConfigurationResponse": { + "type": "object", + "properties": { + "default": { + "type": "string", + "description": "Reference (name or identifier) to the default issuer." + } + } + }, + "PkiReadRoleResponse": { + "type": "object", + "properties": { + "allow_any_name": { + "type": "boolean", + "description": "If set, clients can request certificates for any domain, regardless of allowed_domains restrictions. See the documentation for more information." + }, + "allow_bare_domains": { + "type": "boolean", + "description": "If set, clients can request certificates for the base domains themselves, e.g. \"example.com\" of domains listed in allowed_domains. This is a separate option as in some cases this can be considered a security threat. See the documentation for more information." + }, + "allow_glob_domains": { + "type": "boolean", + "description": "If set, domains specified in allowed_domains can include shell-style glob patterns, e.g. \"ftp*.example.com\". See the documentation for more information." + }, + "allow_ip_sans": { + "type": "boolean", + "description": "If set, IP Subject Alternative Names are allowed. Any valid IP is accepted and No authorization checking is performed." + }, + "allow_localhost": { + "type": "boolean", + "description": "Whether to allow \"localhost\" and \"localdomain\" as a valid common name in a request, independent of allowed_domains value." 
+ }, + "allow_subdomains": { + "type": "boolean", + "description": "If set, clients can request certificates for subdomains of domains listed in allowed_domains, including wildcard subdomains. See the documentation for more information." + }, + "allow_token_displayname": { + "type": "boolean", + "description": "Whether to allow \"localhost\" and \"localdomain\" as a valid common name in a request, independent of allowed_domains value." + }, + "allow_wildcard_certificates": { + "type": "boolean", + "description": "If set, allows certificates with wildcards in the common name to be issued, conforming to RFC 6125's Section 6.4.3; e.g., \"*.example.net\" or \"b*z.example.net\". See the documentation for more information." + }, + "allowed_domains": { + "type": "array", + "description": "Specifies the domains this role is allowed to issue certificates for. This is used with the allow_bare_domains, allow_subdomains, and allow_glob_domains to determine matches for the common name, DNS-typed SAN entries, and Email-typed SAN entries of certificates. See the documentation for more information. This parameter accepts a comma-separated string or list of domains.", + "items": { + "type": "string" + } + }, + "allowed_domains_template": { + "type": "boolean", + "description": "If set, Allowed domains can be specified using identity template policies. Non-templated domains are also permitted." + }, + "allowed_other_sans": { + "type": "array", + "description": "If set, an array of allowed other names to put in SANs. These values support globbing and must be in the format ;:. Currently only \"utf8\" is a valid type. All values, including globbing values, must use this syntax, with the exception being a single \"*\" which allows any OID and any value (but type must still be utf8).", + "items": { + "type": "string" + } + }, + "allowed_serial_numbers": { + "type": "array", + "description": "If set, an array of allowed serial numbers to put in Subject. 
These values support globbing.", + "items": { + "type": "string" + } + }, + "allowed_uri_sans": { + "type": "array", + "description": "If set, an array of allowed URIs for URI Subject Alternative Names. Any valid URI is accepted, these values support globbing.", + "items": { + "type": "string" + } + }, + "allowed_uri_sans_template": { + "type": "boolean", + "description": "If set, Allowed URI SANs can be specified using identity template policies. Non-templated URI SANs are also permitted." + }, + "allowed_user_ids": { + "type": "array", + "description": "If set, an array of allowed user-ids to put in user system login name specified here: https://www.rfc-editor.org/rfc/rfc1274#section-9.3.1", + "items": { + "type": "string" + } + }, + "basic_constraints_valid_for_non_ca": { + "type": "boolean", + "description": "Mark Basic Constraints valid when issuing non-CA certificates." + }, + "client_flag": { + "type": "boolean", + "description": "If set, certificates are flagged for client auth use. Defaults to true. See also RFC 5280 Section 4.2.1.12." + }, + "cn_validations": { + "type": "array", + "description": "List of allowed validations to run against the Common Name field. Values can include 'email' to validate the CN is a email address, 'hostname' to validate the CN is a valid hostname (potentially including wildcards). When multiple validations are specified, these take OR semantics (either email OR hostname are allowed). The special value 'disabled' allows disabling all CN name validations, allowing for arbitrary non-Hostname, non-Email address CNs.", + "items": { + "type": "string" + } + }, + "code_signing_flag": { + "type": "boolean", + "description": "If set, certificates are flagged for code signing use. Defaults to false. See also RFC 5280 Section 4.2.1.12." 
+ }, + "country": { + "type": "array", + "description": "If set, Country will be set to this value in certificates issued by this role.", + "items": { + "type": "string" + } + }, + "email_protection_flag": { + "type": "boolean", + "description": "If set, certificates are flagged for email protection use. Defaults to false. See also RFC 5280 Section 4.2.1.12." + }, + "enforce_hostnames": { + "type": "boolean", + "description": "If set, only valid host names are allowed for CN and DNS SANs, and the host part of email addresses. Defaults to true." + }, + "ext_key_usage": { + "type": "array", + "description": "A comma-separated string or list of extended key usages. Valid values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage -- simply drop the \"ExtKeyUsage\" part of the name. To remove all key usages from being set, set this value to an empty list. See also RFC 5280 Section 4.2.1.12.", + "items": { + "type": "string" + } + }, + "ext_key_usage_oids": { + "type": "array", + "description": "A comma-separated string or list of extended key usage oids.", + "items": { + "type": "string" + } + }, + "generate_lease": { + "type": "boolean", + "description": "If set, certificates issued/signed against this role will have Vault leases attached to them. Defaults to \"false\". Certificates can be added to the CRL by \"vault revoke \" when certificates are associated with leases. It can also be done using the \"pki/revoke\" endpoint. However, when lease generation is disabled, invoking \"pki/revoke\" would be the only way to add the certificates to the CRL. When large number of certificates are generated with long lifetimes, it is recommended that lease generation be disabled, as large amount of leases adversely affect the startup time of Vault." + }, + "issuer_ref": { + "type": "string", + "description": "Reference to the issuer used to sign requests serviced by this role." + }, + "key_bits": { + "type": "integer", + "description": "The number of bits to use. 
Allowed values are 0 (universal default); with rsa key_type: 2048 (default), 3072, or 4096; with ec key_type: 224, 256 (default), 384, or 521; ignored with ed25519." + }, + "key_type": { + "type": "string", + "description": "The type of key to use; defaults to RSA. \"rsa\" \"ec\", \"ed25519\" and \"any\" are the only valid values." + }, + "key_usage": { + "type": "array", + "description": "A comma-separated string or list of key usages (not extended key usages). Valid values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage -- simply drop the \"KeyUsage\" part of the name. To remove all key usages from being set, set this value to an empty list. See also RFC 5280 Section 4.2.1.3.", + "items": { + "type": "string" + } + }, + "locality": { + "type": "array", + "description": "If set, Locality will be set to this value in certificates issued by this role.", + "items": { + "type": "string" + } + }, + "max_ttl": { + "type": "integer", + "description": "The maximum allowed lease duration. If not set, defaults to the system maximum lease TTL.", + "format": "int64" + }, + "no_store": { + "type": "boolean", + "description": "If set, certificates issued/signed against this role will not be stored in the storage backend. This can improve performance when issuing large numbers of certificates. However, certificates issued in this way cannot be enumerated or revoked, so this option is recommended only for certificates that are non-sensitive, or extremely short-lived. This option implies a value of \"false\" for \"generate_lease\"." + }, + "not_after": { + "type": "string", + "description": "Set the not after field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ." 
+ }, + "not_before_duration": { + "type": "integer", + "description": "The duration in seconds before now which the certificate needs to be backdated by.", + "format": "int64" + }, + "organization": { + "type": "array", + "description": "If set, O (Organization) will be set to this value in certificates issued by this role.", + "items": { + "type": "string" + } + }, + "ou": { + "type": "array", + "description": "If set, OU (OrganizationalUnit) will be set to this value in certificates issued by this role.", + "items": { + "type": "string" + } + }, + "policy_identifiers": { + "type": "array", + "description": "A comma-separated string or list of policy OIDs, or a JSON list of qualified policy information, which must include an oid, and may include a notice and/or cps url, using the form [{\"oid\"=\"1.3.6.1.4.1.7.8\",\"notice\"=\"I am a user Notice\"}, {\"oid\"=\"1.3.6.1.4.1.44947.1.2.4 \",\"cps\"=\"https://example.com\"}].", + "items": { + "type": "string" + } + }, + "postal_code": { + "type": "array", + "description": "If set, Postal Code will be set to this value in certificates issued by this role.", + "items": { + "type": "string" + } + }, + "province": { + "type": "array", + "description": "If set, Province will be set to this value in certificates issued by this role.", + "items": { + "type": "string" + } + }, + "require_cn": { + "type": "boolean", + "description": "If set to false, makes the 'common_name' field optional while generating a certificate." + }, + "server_flag": { + "type": "boolean", + "description": "If set, certificates are flagged for server auth use. Defaults to true. See also RFC 5280 Section 4.2.1.12.", + "default": true + }, + "signature_bits": { + "type": "integer", + "description": "The number of bits to use in the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for SHA-2-512. Defaults to 0 to automatically detect based on key length (SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves)." 
+ }, + "street_address": { + "type": "array", + "description": "If set, Street Address will be set to this value in certificates issued by this role.", + "items": { + "type": "string" + } + }, + "ttl": { + "type": "integer", + "description": "The lease duration (validity period of the certificate) if no specific lease duration is requested. The lease duration controls the expiration of certificates issued by this backend. Defaults to the system default value or the value of max_ttl, whichever is shorter.", + "format": "int64" + }, + "use_csr_common_name": { + "type": "boolean", + "description": "If set, when used with a signing profile, the common name in the CSR will be used. This does *not* include any requested Subject Alternative Names; use use_csr_sans for that. Defaults to true." + }, + "use_csr_sans": { + "type": "boolean", + "description": "If set, when used with a signing profile, the SANs in the CSR will be used. This does *not* include the Common Name (cn); use use_csr_common_name for that. Defaults to true." + }, + "use_pss": { + "type": "boolean", + "description": "Whether or not to use PSS signatures when using a RSA key-type issuer. Defaults to false." + } + } + }, + "PkiReadUrlsConfigurationResponse": { + "type": "object", + "properties": { + "crl_distribution_points": { + "type": "array", + "description": "Comma-separated list of URLs to be used for the CRL distribution points attribute. See also RFC 5280 Section 4.2.1.13.", + "items": { + "type": "string" + } + }, + "enable_templating": { + "type": "boolean", + "description": "Whether or not to enable templating of the above AIA fields. When templating is enabled the special values '{{issuer_id}}' and '{{cluster_path}}' are available, but the addresses are not checked for URI validity until issuance time. This requires /config/cluster's path to be set on all PR Secondary clusters." 
+ }, + "issuing_certificates": { + "type": "array", + "description": "Comma-separated list of URLs to be used for the issuing certificate attribute. See also RFC 5280 Section 4.2.2.1.", + "items": { + "type": "string" + } + }, + "ocsp_servers": { + "type": "array", + "description": "Comma-separated list of URLs to be used for the OCSP servers attribute. See also RFC 5280 Section 4.2.2.1.", + "items": { + "type": "string" + } + } + } + }, + "PkiReplaceRootRequest": { + "type": "object", + "properties": { + "default": { + "type": "string", + "description": "Reference (name or identifier) to the default issuer.", + "default": "next" + } + } + }, + "PkiReplaceRootResponse": { + "type": "object", + "properties": { + "default": { + "type": "string", + "description": "Reference (name or identifier) to the default issuer." + }, + "default_follows_latest_issuer": { + "type": "boolean", + "description": "Whether the default issuer should automatically follow the latest generated or imported issuer. Defaults to false." 
+ } + } + }, + "PkiRevokeIssuerResponse": { + "type": "object", + "properties": { + "ca_chain": { + "type": "array", + "description": "Certificate Authority Chain", + "items": { + "type": "string" + } + }, + "certificate": { + "type": "string", + "description": "Certificate" + }, + "crl_distribution_points": { + "type": "array", + "description": "Specifies the URL values for the CRL Distribution Points field", + "items": { + "type": "string" + } + }, + "issuer_id": { + "type": "string", + "description": "ID of the issuer" + }, + "issuer_name": { + "type": "string", + "description": "Name of the issuer" + }, + "issuing_certificates": { + "type": "array", + "description": "Specifies the URL values for the Issuing Certificate field", + "items": { + "type": "string" + } + }, + "key_id": { + "type": "string", + "description": "ID of the Key" + }, + "leaf_not_after_behavior": { + "type": "string" + }, + "manual_chain": { + "type": "array", + "description": "Manual Chain", + "items": { + "type": "string" + } + }, + "ocsp_servers": { + "type": "array", + "description": "Specifies the URL values for the OCSP Servers field", + "items": { + "type": "string" + } + }, + "revocation_signature_algorithm": { + "type": "string", + "description": "Which signature algorithm to use when building CRLs" + }, + "revocation_time": { + "type": "integer", + "description": "Time of revocation", + "format": "int64" + }, + "revocation_time_rfc3339": { + "type": "string", + "description": "RFC formatted time of revocation", + "format": "date-time" + }, + "revoked": { + "type": "boolean", + "description": "Whether the issuer was revoked" + }, + "usage": { + "type": "string", + "description": "Allowed usage" + } + } + }, + "PkiRevokeRequest": { + "type": "object", + "properties": { + "certificate": { + "type": "string", + "description": "Certificate to revoke in PEM format; must be signed by an issuer in this mount." 
+ }, + "serial_number": { + "type": "string", + "description": "Certificate serial number, in colon- or hyphen-separated octal" + } + } + }, + "PkiRevokeResponse": { + "type": "object", + "properties": { + "revocation_time": { + "type": "integer", + "description": "Revocation Time", + "format": "int64" + }, + "revocation_time_rfc3339": { + "type": "string", + "description": "Revocation Time", + "format": "date-time" + }, + "state": { + "type": "string", + "description": "Revocation State" + } + } + }, + "PkiRevokeWithKeyRequest": { + "type": "object", + "properties": { + "certificate": { + "type": "string", + "description": "Certificate to revoke in PEM format; must be signed by an issuer in this mount." + }, + "private_key": { + "type": "string", + "description": "Key to use to verify revocation permission; must be in PEM format." + }, + "serial_number": { + "type": "string", + "description": "Certificate serial number, in colon- or hyphen-separated octal" + } + } + }, + "PkiRevokeWithKeyResponse": { + "type": "object", + "properties": { + "revocation_time": { + "type": "integer", + "description": "Revocation Time", + "format": "int64" + }, + "revocation_time_rfc3339": { + "type": "string", + "description": "Revocation Time", + "format": "date-time" + }, + "state": { + "type": "string", + "description": "Revocation State" + } + } + }, + "PkiRootSignIntermediateRequest": { + "type": "object", + "properties": { + "alt_names": { + "type": "string", + "description": "The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses.", + "x-vault-displayAttrs": { + "name": "DNS/Email Subject Alternative Names (SANs)" + } + }, + "common_name": { + "type": "string", + "description": "The requested common name; if you want more than one, specify the alternative names in the alt_names map. 
If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans." + }, + "country": { + "type": "array", + "description": "If set, Country will be set to this value.", + "items": { + "type": "string" + } + }, + "csr": { + "type": "string", + "description": "PEM-format CSR to be signed.", + "default": "" + }, + "exclude_cn_from_sans": { + "type": "boolean", + "description": "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).", + "default": false, + "x-vault-displayAttrs": { + "name": "Exclude Common Name from Subject Alternative Names (SANs)" + } + }, + "format": { + "type": "string", + "description": "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\", any private key and issuing cert will be appended to the certificate pem. If \"der\", the value will be base64 encoded. Defaults to \"pem\".", + "enum": [ + "pem", + "der", + "pem_bundle" + ], + "default": "pem", + "x-vault-displayAttrs": { + "value": "pem" + } + }, + "ip_sans": { + "type": "array", + "description": "The requested IP SANs, if any, in a comma-delimited list", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "IP Subject Alternative Names (SANs)" + } + }, + "issuer_name": { + "type": "string", + "description": "Provide a name to the generated or existing issuer, the name must be unique across all issuers and not be the reserved value 'default'" + }, + "issuer_ref": { + "type": "string", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "default": "default" + }, + "locality": { + "type": "array", + "description": "If set, Locality will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Locality/City" + } + }, + "max_path_length": { + "type": 
"integer", + "description": "The maximum allowable path length", + "default": -1 + }, + "not_after": { + "type": "string", + "description": "Set the not after field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ" + }, + "not_before_duration": { + "type": "string", + "description": "The duration before now which the certificate needs to be backdated by.", + "format": "duration", + "default": 30, + "x-vault-displayAttrs": { + "value": 30 + } + }, + "organization": { + "type": "array", + "description": "If set, O (Organization) will be set to this value.", + "items": { + "type": "string" + } + }, + "other_sans": { + "type": "array", + "description": "Requested other SANs, in an array with the format ;UTF8: for each entry.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Other SANs" + } + }, + "ou": { + "type": "array", + "description": "If set, OU (OrganizationalUnit) will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "OU (Organizational Unit)" + } + }, + "permitted_dns_domains": { + "type": "array", + "description": "Domains for which this certificate is allowed to sign or issue child certificates. If set, all DNS names (subject and alt) on child certs must be exact matches or subsets of the given domains (see https://tools.ietf.org/html/rfc5280#section-4.2.1.10).", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Permitted DNS Domains" + } + }, + "postal_code": { + "type": "array", + "description": "If set, Postal Code will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Postal Code" + } + }, + "private_key_format": { + "type": "string", + "description": "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. 
However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".", + "enum": [ + "", + "der", + "pem", + "pkcs8" + ], + "default": "der", + "x-vault-displayAttrs": { + "value": "der" + } + }, + "province": { + "type": "array", + "description": "If set, Province will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Province/State" + } + }, + "serial_number": { + "type": "string", + "description": "The Subject's requested serial number, if any. See RFC 4519 Section 2.31 'serialNumber' for a description of this field. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. This has no impact on the final certificate's Serial Number field." + }, + "signature_bits": { + "type": "integer", + "description": "The number of bits to use in the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for SHA-2-512. Defaults to 0 to automatically detect based on key length (SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).", + "default": 0, + "x-vault-displayAttrs": { + "value": 0 + } + }, + "skid": { + "type": "string", + "description": "Value for the Subject Key Identifier field (RFC 5280 Section 4.2.1.2). This value should ONLY be used when cross-signing to mimic the existing certificate's SKID value; this is necessary to allow certain TLS implementations (such as OpenSSL) which use SKID/AKID matches in chain building to restrict possible valid chains. Specified as a string in hex format. 
Default is empty, allowing Vault to automatically calculate the SKID according to method one in the above RFC section.", + "default": "", + "x-vault-displayAttrs": { + "value": "" + } + }, + "street_address": { + "type": "array", + "description": "If set, Street Address will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Street Address" + } + }, + "ttl": { + "type": "string", + "description": "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "TTL" + } + }, + "uri_sans": { + "type": "array", + "description": "The requested URI SANs, if any, in a comma-delimited list.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "URI Subject Alternative Names (SANs)" + } + }, + "use_csr_values": { + "type": "boolean", + "description": "If true, then: 1) Subject information, including names and alternate names, will be preserved from the CSR rather than using values provided in the other parameters to this path; 2) Any key usages requested in the CSR will be added to the basic set of key usages used for CA certs signed by this path; for instance, the non-repudiation flag; 3) Extensions requested in the CSR will be copied into the issued certificate.", + "default": false + }, + "use_pss": { + "type": "boolean", + "description": "Whether or not to use PSS signatures when using a RSA key-type issuer. 
Defaults to false.", + "default": false + } + } + }, + "PkiRootSignIntermediateResponse": { + "type": "object", + "properties": { + "ca_chain": { + "type": "array", + "description": "CA Chain", + "items": { + "type": "string" + } + }, + "certificate": { + "type": "string", + "description": "Certificate" + }, + "expiration": { + "type": "integer", + "description": "Expiration Time", + "format": "int64" + }, + "issuing_ca": { + "type": "string", + "description": "Issuing CA" + }, + "serial_number": { + "type": "string", + "description": "Serial Number" + } + } + }, + "PkiRootSignSelfIssuedRequest": { + "type": "object", + "properties": { + "certificate": { + "type": "string", + "description": "PEM-format self-issued certificate to be signed." + }, + "issuer_ref": { + "type": "string", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "default": "default" + }, + "require_matching_certificate_algorithms": { + "type": "boolean", + "description": "If true, require the public key algorithm of the signer to match that of the self issued certificate.", + "default": false + } + } + }, + "PkiRootSignSelfIssuedResponse": { + "type": "object", + "properties": { + "certificate": { + "type": "string", + "description": "Certificate" + }, + "issuing_ca": { + "type": "string", + "description": "Issuing CA" + } + } + }, + "PkiRotateCrlResponse": { + "type": "object", + "properties": { + "success": { + "type": "boolean", + "description": "Whether rotation was successful" + } + } + }, + "PkiRotateDeltaCrlResponse": { + "type": "object", + "properties": { + "success": { + "type": "boolean", + "description": "Whether rotation was successful" + } + } + }, + "PkiRotateRootRequest": { + "type": "object", + "properties": { + "alt_names": { + "type": "string", + "description": "The requested Subject Alternative Names, if any, in a comma-delimited list. 
May contain both DNS names and email addresses.", + "x-vault-displayAttrs": { + "name": "DNS/Email Subject Alternative Names (SANs)" + } + }, + "common_name": { + "type": "string", + "description": "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans." + }, + "country": { + "type": "array", + "description": "If set, Country will be set to this value.", + "items": { + "type": "string" + } + }, + "exclude_cn_from_sans": { + "type": "boolean", + "description": "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).", + "default": false, + "x-vault-displayAttrs": { + "name": "Exclude Common Name from Subject Alternative Names (SANs)" + } + }, + "format": { + "type": "string", + "description": "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\", any private key and issuing cert will be appended to the certificate pem. If \"der\", the value will be base64 encoded. Defaults to \"pem\".", + "enum": [ + "pem", + "der", + "pem_bundle" + ], + "default": "pem", + "x-vault-displayAttrs": { + "value": "pem" + } + }, + "ip_sans": { + "type": "array", + "description": "The requested IP SANs, if any, in a comma-delimited list", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "IP Subject Alternative Names (SANs)" + } + }, + "issuer_name": { + "type": "string", + "description": "Provide a name to the generated or existing issuer, the name must be unique across all issuers and not be the reserved value 'default'" + }, + "key_bits": { + "type": "integer", + "description": "The number of bits to use. 
Allowed values are 0 (universal default); with rsa key_type: 2048 (default), 3072, or 4096; with ec key_type: 224, 256 (default), 384, or 521; ignored with ed25519.", + "default": 0, + "x-vault-displayAttrs": { + "value": 0 + } + }, + "key_name": { + "type": "string", + "description": "Provide a name to the generated or existing key, the name must be unique across all keys and not be the reserved value 'default'" + }, + "key_ref": { + "type": "string", + "description": "Reference to a existing key; either \"default\" for the configured default key, an identifier or the name assigned to the key.", + "default": "default" + }, + "key_type": { + "type": "string", + "description": "The type of key to use; defaults to RSA. \"rsa\" \"ec\" and \"ed25519\" are the only valid values.", + "enum": [ + "rsa", + "ec", + "ed25519" + ], + "default": "rsa", + "x-vault-displayAttrs": { + "value": "rsa" + } + }, + "locality": { + "type": "array", + "description": "If set, Locality will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Locality/City" + } + }, + "managed_key_id": { + "type": "string", + "description": "The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_name is required. Ignored for other types." + }, + "managed_key_name": { + "type": "string", + "description": "The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_id is required. Ignored for other types." + }, + "max_path_length": { + "type": "integer", + "description": "The maximum allowable path length", + "default": -1 + }, + "not_after": { + "type": "string", + "description": "Set the not after field of the certificate with specified date value. 
The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ" + }, + "not_before_duration": { + "type": "string", + "description": "The duration before now which the certificate needs to be backdated by.", + "format": "duration", + "default": 30, + "x-vault-displayAttrs": { + "value": 30 + } + }, + "organization": { + "type": "array", + "description": "If set, O (Organization) will be set to this value.", + "items": { + "type": "string" + } + }, + "other_sans": { + "type": "array", + "description": "Requested other SANs, in an array with the format ;UTF8: for each entry.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Other SANs" + } + }, + "ou": { + "type": "array", + "description": "If set, OU (OrganizationalUnit) will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "OU (Organizational Unit)" + } + }, + "permitted_dns_domains": { + "type": "array", + "description": "Domains for which this certificate is allowed to sign or issue child certificates. If set, all DNS names (subject and alt) on child certs must be exact matches or subsets of the given domains (see https://tools.ietf.org/html/rfc5280#section-4.2.1.10).", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Permitted DNS Domains" + } + }, + "postal_code": { + "type": "array", + "description": "If set, Postal Code will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Postal Code" + } + }, + "private_key_format": { + "type": "string", + "description": "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. 
Defaults to \"der\".", + "enum": [ + "", + "der", + "pem", + "pkcs8" + ], + "default": "der", + "x-vault-displayAttrs": { + "value": "der" + } + }, + "province": { + "type": "array", + "description": "If set, Province will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Province/State" + } + }, + "serial_number": { + "type": "string", + "description": "The Subject's requested serial number, if any. See RFC 4519 Section 2.31 'serialNumber' for a description of this field. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. This has no impact on the final certificate's Serial Number field." + }, + "signature_bits": { + "type": "integer", + "description": "The number of bits to use in the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for SHA-2-512. Defaults to 0 to automatically detect based on key length (SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).", + "default": 0, + "x-vault-displayAttrs": { + "value": 0 + } + }, + "street_address": { + "type": "array", + "description": "If set, Street Address will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Street Address" + } + }, + "ttl": { + "type": "string", + "description": "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. 
Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "TTL" + } + }, + "uri_sans": { + "type": "array", + "description": "The requested URI SANs, if any, in a comma-delimited list.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "URI Subject Alternative Names (SANs)" + } + }, + "use_pss": { + "type": "boolean", + "description": "Whether or not to use PSS signatures when using a RSA key-type issuer. Defaults to false.", + "default": false + } + } + }, + "PkiRotateRootResponse": { + "type": "object", + "properties": { + "certificate": { + "type": "string", + "description": "The generated self-signed CA certificate." + }, + "expiration": { + "type": "integer", + "description": "The expiration of the given issuer.", + "format": "int64" + }, + "issuer_id": { + "type": "string", + "description": "The ID of the issuer" + }, + "issuer_name": { + "type": "string", + "description": "The name of the issuer." + }, + "issuing_ca": { + "type": "string", + "description": "The issuing certificate authority." + }, + "key_id": { + "type": "string", + "description": "The ID of the key." + }, + "key_name": { + "type": "string", + "description": "The key name if given." + }, + "private_key": { + "type": "string", + "description": "The private key if exported was specified." + }, + "serial_number": { + "type": "string", + "description": "The requested Subject's named serial number." + } + } + }, + "PkiSetSignedIntermediateRequest": { + "type": "object", + "properties": { + "certificate": { + "type": "string", + "description": "PEM-format certificate. This must be a CA certificate with a public key matching the previously-generated key from the generation endpoint. Additional parent CAs may be optionally appended to the bundle." 
+ } + } + }, + "PkiSetSignedIntermediateResponse": { + "type": "object", + "properties": { + "existing_issuers": { + "type": "array", + "description": "Existing issuers specified as part of the import bundle of this request", + "items": { + "type": "string" + } + }, + "existing_keys": { + "type": "array", + "description": "Existing keys specified as part of the import bundle of this request", + "items": { + "type": "string" + } + }, + "imported_issuers": { + "type": "array", + "description": "Net-new issuers imported as a part of this request", + "items": { + "type": "string" + } + }, + "imported_keys": { + "type": "array", + "description": "Net-new keys imported as a part of this request", + "items": { + "type": "string" + } + }, + "mapping": { + "type": "object", + "description": "A mapping of issuer_id to key_id for all issuers included in this request", + "format": "map" + } + } + }, + "PkiSignVerbatimRequest": { + "type": "object", + "properties": { + "alt_names": { + "type": "string", + "description": "The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.", + "x-vault-displayAttrs": { + "name": "DNS/Email Subject Alternative Names (SANs)" + } + }, + "common_name": { + "type": "string", + "description": "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address." + }, + "csr": { + "type": "string", + "description": "PEM-format CSR to be signed. Values will be taken verbatim from the CSR, except for basic constraints.", + "default": "" + }, + "exclude_cn_from_sans": { + "type": "boolean", + "description": "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. 
Defaults to false (CN is included).", + "default": false, + "x-vault-displayAttrs": { + "name": "Exclude Common Name from Subject Alternative Names (SANs)" + } + }, + "ext_key_usage": { + "type": "array", + "description": "A comma-separated string or list of extended key usages. Valid values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage -- simply drop the \"ExtKeyUsage\" part of the name. To remove all key usages from being set, set this value to an empty list.", + "items": { + "type": "string" + }, + "default": [] + }, + "ext_key_usage_oids": { + "type": "array", + "description": "A comma-separated string or list of extended key usage oids.", + "items": { + "type": "string" + } + }, + "format": { + "type": "string", + "description": "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\", any private key and issuing cert will be appended to the certificate pem. If \"der\", the value will be base64 encoded. Defaults to \"pem\".", + "enum": [ + "pem", + "der", + "pem_bundle" + ], + "default": "pem", + "x-vault-displayAttrs": { + "value": "pem" + } + }, + "ip_sans": { + "type": "array", + "description": "The requested IP SANs, if any, in a comma-delimited list", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "IP Subject Alternative Names (SANs)" + } + }, + "issuer_ref": { + "type": "string", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "default": "default" + }, + "key_usage": { + "type": "array", + "description": "A comma-separated string or list of key usages (not extended key usages). Valid values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage -- simply drop the \"KeyUsage\" part of the name. 
To remove all key usages from being set, set this value to an empty list.", + "items": { + "type": "string" + }, + "default": [ + "DigitalSignature", + "KeyAgreement", + "KeyEncipherment" + ] + }, + "not_after": { + "type": "string", + "description": "Set the not after field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ" + }, + "other_sans": { + "type": "array", + "description": "Requested other SANs, in an array with the format ;UTF8: for each entry.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Other SANs" + } + }, + "private_key_format": { + "type": "string", + "description": "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".", + "enum": [ + "", + "der", + "pem", + "pkcs8" + ], + "default": "der", + "x-vault-displayAttrs": { + "value": "der" + } + }, + "remove_roots_from_chain": { + "type": "boolean", + "description": "Whether or not to remove self-signed CA certificates in the output of the ca_chain field.", + "default": false + }, + "serial_number": { + "type": "string", + "description": "The Subject's requested serial number, if any. See RFC 4519 Section 2.31 'serialNumber' for a description of this field. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. This has no impact on the final certificate's Serial Number field." + }, + "signature_bits": { + "type": "integer", + "description": "The number of bits to use in the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for SHA-2-512. 
Defaults to 0 to automatically detect based on key length (SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).", + "default": 0, + "x-vault-displayAttrs": { + "value": 0 + } + }, + "ttl": { + "type": "string", + "description": "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "TTL" + } + }, + "uri_sans": { + "type": "array", + "description": "The requested URI SANs, if any, in a comma-delimited list.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "URI Subject Alternative Names (SANs)" + } + }, + "use_pss": { + "type": "boolean", + "description": "Whether or not to use PSS signatures when using a RSA key-type issuer. Defaults to false.", + "default": false + }, + "user_ids": { + "type": "array", + "description": "The requested user_ids value to place in the subject, if any, in a comma-delimited list. Restricted by allowed_user_ids. 
Any values are added with OID 0.9.2342.19200300.100.1.1.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "User ID(s)" + } + } + } + }, + "PkiSignVerbatimResponse": { + "type": "object", + "properties": { + "ca_chain": { + "type": "array", + "description": "Certificate Chain", + "items": { + "type": "string" + } + }, + "certificate": { + "type": "string", + "description": "Certificate" + }, + "expiration": { + "type": "integer", + "description": "Time of expiration", + "format": "int64" + }, + "issuing_ca": { + "type": "string", + "description": "Issuing Certificate Authority" + }, + "serial_number": { + "type": "string", + "description": "Serial Number" + } + } + }, + "PkiSignVerbatimWithRoleRequest": { + "type": "object", + "properties": { + "alt_names": { + "type": "string", + "description": "The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.", + "x-vault-displayAttrs": { + "name": "DNS/Email Subject Alternative Names (SANs)" + } + }, + "common_name": { + "type": "string", + "description": "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address." + }, + "csr": { + "type": "string", + "description": "PEM-format CSR to be signed. Values will be taken verbatim from the CSR, except for basic constraints.", + "default": "" + }, + "exclude_cn_from_sans": { + "type": "boolean", + "description": "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).", + "default": false, + "x-vault-displayAttrs": { + "name": "Exclude Common Name from Subject Alternative Names (SANs)" + } + }, + "ext_key_usage": { + "type": "array", + "description": "A comma-separated string or list of extended key usages. 
Valid values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage -- simply drop the \"ExtKeyUsage\" part of the name. To remove all key usages from being set, set this value to an empty list.", + "items": { + "type": "string" + }, + "default": [] + }, + "ext_key_usage_oids": { + "type": "array", + "description": "A comma-separated string or list of extended key usage oids.", + "items": { + "type": "string" + } + }, + "format": { + "type": "string", + "description": "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\", any private key and issuing cert will be appended to the certificate pem. If \"der\", the value will be base64 encoded. Defaults to \"pem\".", + "enum": [ + "pem", + "der", + "pem_bundle" + ], + "default": "pem", + "x-vault-displayAttrs": { + "value": "pem" + } + }, + "ip_sans": { + "type": "array", + "description": "The requested IP SANs, if any, in a comma-delimited list", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "IP Subject Alternative Names (SANs)" + } + }, + "issuer_ref": { + "type": "string", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "default": "default" + }, + "key_usage": { + "type": "array", + "description": "A comma-separated string or list of key usages (not extended key usages). Valid values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage -- simply drop the \"KeyUsage\" part of the name. To remove all key usages from being set, set this value to an empty list.", + "items": { + "type": "string" + }, + "default": [ + "DigitalSignature", + "KeyAgreement", + "KeyEncipherment" + ] + }, + "not_after": { + "type": "string", + "description": "Set the not after field of the certificate with specified date value. 
The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ" + }, + "other_sans": { + "type": "array", + "description": "Requested other SANs, in an array with the format ;UTF8: for each entry.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Other SANs" + } + }, + "private_key_format": { + "type": "string", + "description": "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".", + "enum": [ + "", + "der", + "pem", + "pkcs8" + ], + "default": "der", + "x-vault-displayAttrs": { + "value": "der" + } + }, + "remove_roots_from_chain": { + "type": "boolean", + "description": "Whether or not to remove self-signed CA certificates in the output of the ca_chain field.", + "default": false + }, + "serial_number": { + "type": "string", + "description": "The Subject's requested serial number, if any. See RFC 4519 Section 2.31 'serialNumber' for a description of this field. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. This has no impact on the final certificate's Serial Number field." + }, + "signature_bits": { + "type": "integer", + "description": "The number of bits to use in the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for SHA-2-512. Defaults to 0 to automatically detect based on key length (SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).", + "default": 0, + "x-vault-displayAttrs": { + "value": 0 + } + }, + "ttl": { + "type": "string", + "description": "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. 
Cannot be larger than the role max TTL.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "TTL" + } + }, + "uri_sans": { + "type": "array", + "description": "The requested URI SANs, if any, in a comma-delimited list.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "URI Subject Alternative Names (SANs)" + } + }, + "use_pss": { + "type": "boolean", + "description": "Whether or not to use PSS signatures when using a RSA key-type issuer. Defaults to false.", + "default": false + }, + "user_ids": { + "type": "array", + "description": "The requested user_ids value to place in the subject, if any, in a comma-delimited list. Restricted by allowed_user_ids. Any values are added with OID 0.9.2342.19200300.100.1.1.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "User ID(s)" + } + } + } + }, + "PkiSignVerbatimWithRoleResponse": { + "type": "object", + "properties": { + "ca_chain": { + "type": "array", + "description": "Certificate Chain", + "items": { + "type": "string" + } + }, + "certificate": { + "type": "string", + "description": "Certificate" + }, + "expiration": { + "type": "integer", + "description": "Time of expiration", + "format": "int64" + }, + "issuing_ca": { + "type": "string", + "description": "Issuing Certificate Authority" + }, + "serial_number": { + "type": "string", + "description": "Serial Number" + } + } + }, + "PkiSignWithRoleRequest": { + "type": "object", + "properties": { + "alt_names": { + "type": "string", + "description": "The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.", + "x-vault-displayAttrs": { + "name": "DNS/Email Subject Alternative Names (SANs)" + } + }, + "common_name": { + "type": "string", + "description": "The requested common name; if you want more than one, specify the alternative names in the alt_names map. 
If email protection is enabled in the role, this may be an email address." + }, + "csr": { + "type": "string", + "description": "PEM-format CSR to be signed.", + "default": "" + }, + "exclude_cn_from_sans": { + "type": "boolean", + "description": "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).", + "default": false, + "x-vault-displayAttrs": { + "name": "Exclude Common Name from Subject Alternative Names (SANs)" + } + }, + "format": { + "type": "string", + "description": "Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\", any private key and issuing cert will be appended to the certificate pem. If \"der\", the value will be base64 encoded. Defaults to \"pem\".", + "enum": [ + "pem", + "der", + "pem_bundle" + ], + "default": "pem", + "x-vault-displayAttrs": { + "value": "pem" + } + }, + "ip_sans": { + "type": "array", + "description": "The requested IP SANs, if any, in a comma-delimited list", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "IP Subject Alternative Names (SANs)" + } + }, + "issuer_ref": { + "type": "string", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "default": "default" + }, + "not_after": { + "type": "string", + "description": "Set the not after field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ" + }, + "other_sans": { + "type": "array", + "description": "Requested other SANs, in an array with the format ;UTF8: for each entry.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Other SANs" + } + }, + "private_key_format": { + "type": "string", + "description": "Format for the returned private key. 
Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".", + "enum": [ + "", + "der", + "pem", + "pkcs8" + ], + "default": "der", + "x-vault-displayAttrs": { + "value": "der" + } + }, + "remove_roots_from_chain": { + "type": "boolean", + "description": "Whether or not to remove self-signed CA certificates in the output of the ca_chain field.", + "default": false + }, + "serial_number": { + "type": "string", + "description": "The Subject's requested serial number, if any. See RFC 4519 Section 2.31 'serialNumber' for a description of this field. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. This has no impact on the final certificate's Serial Number field." + }, + "ttl": { + "type": "string", + "description": "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "TTL" + } + }, + "uri_sans": { + "type": "array", + "description": "The requested URI SANs, if any, in a comma-delimited list.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "URI Subject Alternative Names (SANs)" + } + }, + "user_ids": { + "type": "array", + "description": "The requested user_ids value to place in the subject, if any, in a comma-delimited list. Restricted by allowed_user_ids. 
Any values are added with OID 0.9.2342.19200300.100.1.1.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "User ID(s)" + } + } + } + }, + "PkiSignWithRoleResponse": { + "type": "object", + "properties": { + "ca_chain": { + "type": "array", + "description": "Certificate Chain", + "items": { + "type": "string" + } + }, + "certificate": { + "type": "string", + "description": "Certificate" + }, + "expiration": { + "type": "integer", + "description": "Time of expiration", + "format": "int64" + }, + "issuing_ca": { + "type": "string", + "description": "Issuing Certificate Authority" + }, + "serial_number": { + "type": "string", + "description": "Serial Number" + } + } + }, + "PkiTidyCancelResponse": { + "type": "object", + "properties": { + "acme_account_deleted_count": { + "type": "integer", + "description": "The number of revoked acme accounts removed" + }, + "acme_account_revoked_count": { + "type": "integer", + "description": "The number of unused acme accounts revoked" + }, + "acme_account_safety_buffer": { + "type": "integer", + "description": "Safety buffer after creation after which accounts lacking orders are revoked" + }, + "acme_orders_deleted_count": { + "type": "integer", + "description": "The number of expired, unused acme orders removed" + }, + "cert_store_deleted_count": { + "type": "integer", + "description": "The number of certificate storage entries deleted" + }, + "cross_revoked_cert_deleted_count": { + "type": "integer" + }, + "current_cert_store_count": { + "type": "integer", + "description": "The number of revoked certificate entries deleted" + }, + "current_revoked_cert_count": { + "type": "integer", + "description": "The number of revoked certificate entries deleted" + }, + "error": { + "type": "string", + "description": "The error message" + }, + "internal_backend_uuid": { + "type": "string" + }, + "issuer_safety_buffer": { + "type": "integer", + "description": "Issuer safety buffer" + }, + "last_auto_tidy_finished": 
{ + "type": "string", + "description": "Time the last auto-tidy operation finished" + }, + "message": { + "type": "string", + "description": "Message of the operation" + }, + "missing_issuer_cert_count": { + "type": "integer" + }, + "pause_duration": { + "type": "string", + "description": "Duration to pause between tidying certificates" + }, + "revocation_queue_deleted_count": { + "type": "integer" + }, + "revocation_queue_safety_buffer": { + "type": "integer", + "description": "Revocation queue safety buffer" + }, + "revoked_cert_deleted_count": { + "type": "integer", + "description": "The number of revoked certificate entries deleted" + }, + "safety_buffer": { + "type": "integer", + "description": "Safety buffer time duration" + }, + "state": { + "type": "string", + "description": "One of Inactive, Running, Finished, or Error" + }, + "tidy_acme": { + "type": "boolean", + "description": "Tidy Unused Acme Accounts, and Orders" + }, + "tidy_cert_store": { + "type": "boolean", + "description": "Tidy certificate store" + }, + "tidy_cross_cluster_revoked_certs": { + "type": "boolean", + "description": "Tidy the cross-cluster revoked certificate store" + }, + "tidy_expired_issuers": { + "type": "boolean", + "description": "Tidy expired issuers" + }, + "tidy_move_legacy_ca_bundle": { + "type": "boolean" + }, + "tidy_revocation_queue": { + "type": "boolean" + }, + "tidy_revoked_cert_issuer_associations": { + "type": "boolean", + "description": "Tidy revoked certificate issuer associations" + }, + "tidy_revoked_certs": { + "type": "boolean", + "description": "Tidy revoked certificates" + }, + "time_finished": { + "type": "string", + "description": "Time the operation finished" + }, + "time_started": { + "type": "string", + "description": "Time the operation started" + }, + "total_acme_account_count": { + "type": "integer", + "description": "Total number of acme accounts iterated over" + } + } + }, + "PkiTidyRequest": { + "type": "object", + "properties": { + 
"acme_account_safety_buffer": { + "type": "string", + "description": "The amount of time that must pass after creation that an account with no orders is marked revoked, and the amount of time after being marked revoked or deactivated.", + "format": "duration", + "default": 2592000 + }, + "issuer_safety_buffer": { + "type": "string", + "description": "The amount of extra time that must have passed beyond issuer's expiration before it is removed from the backend storage. Defaults to 8760 hours (1 year).", + "format": "duration", + "default": 31536000 + }, + "pause_duration": { + "type": "string", + "description": "The amount of time to wait between processing certificates. This allows operators to change the execution profile of tidy to take consume less resources by slowing down how long it takes to run. Note that the entire list of certificates will be stored in memory during the entire tidy operation, but resources to read/process/update existing entries will be spread out over a greater period of time. By default this is zero seconds.", + "default": "0s" + }, + "revocation_queue_safety_buffer": { + "type": "string", + "description": "The amount of time that must pass from the cross-cluster revocation request being initiated to when it will be slated for removal. Setting this too low may remove valid revocation requests before the owning cluster has a chance to process them, especially if the cluster is offline.", + "format": "duration", + "default": 172800 + }, + "safety_buffer": { + "type": "string", + "description": "The amount of extra time that must have passed beyond certificate expiration before it is removed from the backend storage and/or revocation list. Defaults to 72 hours.", + "format": "duration", + "default": 259200 + }, + "tidy_acme": { + "type": "boolean", + "description": "Set to true to enable tidying ACME accounts, orders and authorizations. 
ACME orders are tidied (deleted) safety_buffer after the certificate associated with them expires, or after the order and relevant authorizations have expired if no certificate was produced. Authorizations are tidied with the corresponding order. When a valid ACME Account is at least acme_account_safety_buffer old, and has no remaining orders associated with it, the account is marked as revoked. After another acme_account_safety_buffer has passed from the revocation or deactivation date, a revoked or deactivated ACME account is deleted.", + "default": false + }, + "tidy_cert_store": { + "type": "boolean", + "description": "Set to true to enable tidying up the certificate store" + }, + "tidy_cross_cluster_revoked_certs": { + "type": "boolean", + "description": "Set to true to enable tidying up the cross-cluster revoked certificate store. Only runs on the active primary node." + }, + "tidy_expired_issuers": { + "type": "boolean", + "description": "Set to true to automatically remove expired issuers past the issuer_safety_buffer. No keys will be removed as part of this operation." + }, + "tidy_move_legacy_ca_bundle": { + "type": "boolean", + "description": "Set to true to move the legacy ca_bundle from /config/ca_bundle to /config/ca_bundle.bak. This prevents downgrades to pre-Vault 1.11 versions (as older PKI engines do not know about the new multi-issuer storage layout), but improves the performance on seal wrapped PKI mounts. This will only occur if at least issuer_safety_buffer time has occurred after the initial storage migration. This backup is saved in case of an issue in future migrations. Operators may consider removing it via sys/raw if they desire. The backup will be removed via a DELETE /root call, but note that this removes ALL issuers within the mount (and is thus not desirable in most operational scenarios)." 
+ }, + "tidy_revocation_list": { + "type": "boolean", + "description": "Deprecated; synonym for 'tidy_revoked_certs" + }, + "tidy_revocation_queue": { + "type": "boolean", + "description": "Set to true to remove stale revocation queue entries that haven't been confirmed by any active cluster. Only runs on the active primary node", + "default": false + }, + "tidy_revoked_cert_issuer_associations": { + "type": "boolean", + "description": "Set to true to validate issuer associations on revocation entries. This helps increase the performance of CRL building and OCSP responses." + }, + "tidy_revoked_certs": { + "type": "boolean", + "description": "Set to true to expire all revoked and expired certificates, removing them both from the CRL and from storage. The CRL will be rotated if this causes any values to be removed." + } + } + }, + "PkiTidyStatusResponse": { + "type": "object", + "properties": { + "acme_account_deleted_count": { + "type": "integer", + "description": "The number of revoked acme accounts removed" + }, + "acme_account_revoked_count": { + "type": "integer", + "description": "The number of unused acme accounts revoked" + }, + "acme_account_safety_buffer": { + "type": "integer", + "description": "Safety buffer after creation after which accounts lacking orders are revoked" + }, + "acme_orders_deleted_count": { + "type": "integer", + "description": "The number of expired, unused acme orders removed" + }, + "cert_store_deleted_count": { + "type": "integer", + "description": "The number of certificate storage entries deleted" + }, + "cross_revoked_cert_deleted_count": { + "type": "integer" + }, + "current_cert_store_count": { + "type": "integer", + "description": "The number of revoked certificate entries deleted" + }, + "current_revoked_cert_count": { + "type": "integer", + "description": "The number of revoked certificate entries deleted" + }, + "error": { + "type": "string", + "description": "The error message" + }, + "internal_backend_uuid": { + "type": 
"string" + }, + "issuer_safety_buffer": { + "type": "integer", + "description": "Issuer safety buffer" + }, + "last_auto_tidy_finished": { + "type": "string", + "description": "Time the last auto-tidy operation finished" + }, + "message": { + "type": "string", + "description": "Message of the operation" + }, + "missing_issuer_cert_count": { + "type": "integer" + }, + "pause_duration": { + "type": "string", + "description": "Duration to pause between tidying certificates" + }, + "revocation_queue_deleted_count": { + "type": "integer" + }, + "revocation_queue_safety_buffer": { + "type": "integer", + "description": "Revocation queue safety buffer" + }, + "revoked_cert_deleted_count": { + "type": "integer", + "description": "The number of revoked certificate entries deleted" + }, + "safety_buffer": { + "type": "integer", + "description": "Safety buffer time duration" + }, + "state": { + "type": "string", + "description": "One of Inactive, Running, Finished, or Error" + }, + "tidy_acme": { + "type": "boolean", + "description": "Tidy Unused Acme Accounts, and Orders" + }, + "tidy_cert_store": { + "type": "boolean", + "description": "Tidy certificate store" + }, + "tidy_cross_cluster_revoked_certs": { + "type": "boolean", + "description": "Tidy the cross-cluster revoked certificate store" + }, + "tidy_expired_issuers": { + "type": "boolean", + "description": "Tidy expired issuers" + }, + "tidy_move_legacy_ca_bundle": { + "type": "boolean" + }, + "tidy_revocation_queue": { + "type": "boolean" + }, + "tidy_revoked_cert_issuer_associations": { + "type": "boolean", + "description": "Tidy revoked certificate issuer associations" + }, + "tidy_revoked_certs": { + "type": "boolean", + "description": "Tidy revoked certificates" + }, + "time_finished": { + "type": "string", + "description": "Time the operation finished" + }, + "time_started": { + "type": "string", + "description": "Time the operation started" + }, + "total_acme_account_count": { + "type": "integer", + 
"description": "Total number of acme accounts iterated over" + } + } + }, + "PkiWriteAcmeAccountKidRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteAcmeAuthorizationAuth_idRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteAcmeChallengeAuth_idChallenge_typeRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteAcmeNewAccountRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteAcmeNewOrderRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteAcmeOrderOrder_idCertRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + 
"description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteAcmeOrderOrder_idFinalizeRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteAcmeOrderOrder_idRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteAcmeOrdersRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteAcmeRevokeCertRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteIssuerIssuer_refAcmeAccountKidRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": 
"ACME request 'signature' value" + } + } + }, + "PkiWriteIssuerIssuer_refAcmeAuthorizationAuth_idRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteIssuerIssuer_refAcmeChallengeAuth_idChallenge_typeRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteIssuerIssuer_refAcmeNewAccountRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteIssuerIssuer_refAcmeNewOrderRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteIssuerIssuer_refAcmeOrderOrder_idCertRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteIssuerIssuer_refAcmeOrderOrder_idFinalizeRequest": { 
+ "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteIssuerIssuer_refAcmeOrderOrder_idRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteIssuerIssuer_refAcmeOrdersRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteIssuerIssuer_refAcmeRevokeCertRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteIssuerIssuer_refRolesRoleAcmeAccountKidRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteIssuerIssuer_refRolesRoleAcmeAuthorizationAuth_idRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' 
value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteIssuerIssuer_refRolesRoleAcmeChallengeAuth_idChallenge_typeRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteIssuerIssuer_refRolesRoleAcmeNewAccountRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteIssuerIssuer_refRolesRoleAcmeNewOrderRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteIssuerIssuer_refRolesRoleAcmeOrderOrder_idCertRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteIssuerIssuer_refRolesRoleAcmeOrderOrder_idFinalizeRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + 
"description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteIssuerIssuer_refRolesRoleAcmeOrderOrder_idRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteIssuerIssuer_refRolesRoleAcmeOrdersRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteIssuerIssuer_refRolesRoleAcmeRevokeCertRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteIssuerRequest": { + "type": "object", + "properties": { + "crl_distribution_points": { + "type": "array", + "description": "Comma-separated list of URLs to be used for the CRL distribution points attribute. See also RFC 5280 Section 4.2.1.13.", + "items": { + "type": "string" + } + }, + "enable_aia_url_templating": { + "type": "boolean", + "description": "Whether or not to enabling templating of the above AIA fields. When templating is enabled the special values '{{issuer_id}}', '{{cluster_path}}', '{{cluster_aia_path}}' are available, but the addresses are not checked for URL validity until issuance time. 
Using '{{cluster_path}}' requires /config/cluster's 'path' member to be set on all PR Secondary clusters and using '{{cluster_aia_path}}' requires /config/cluster's 'aia_path' member to be set on all PR secondary clusters.", + "default": false + }, + "issuer_name": { + "type": "string", + "description": "Provide a name to the generated or existing issuer, the name must be unique across all issuers and not be the reserved value 'default'" + }, + "issuing_certificates": { + "type": "array", + "description": "Comma-separated list of URLs to be used for the issuing certificate attribute. See also RFC 5280 Section 4.2.2.1.", + "items": { + "type": "string" + } + }, + "leaf_not_after_behavior": { + "type": "string", + "description": "Behavior of leaf's NotAfter fields: \"err\" to error if the computed NotAfter date exceeds that of this issuer; \"truncate\" to silently truncate to that of this issuer; or \"permit\" to allow this issuance to succeed (with NotAfter exceeding that of an issuer). Note that not all values will results in certificates that can be validated through the entire validity period. It is suggested to use \"truncate\" for intermediate CAs and \"permit\" only for root CAs.", + "default": "err" + }, + "manual_chain": { + "type": "array", + "description": "Chain of issuer references to use to build this issuer's computed CAChain field, when non-empty.", + "items": { + "type": "string" + } + }, + "ocsp_servers": { + "type": "array", + "description": "Comma-separated list of URLs to be used for the OCSP servers attribute. See also RFC 5280 Section 4.2.2.1.", + "items": { + "type": "string" + } + }, + "revocation_signature_algorithm": { + "type": "string", + "description": "Which x509.SignatureAlgorithm name to use for signing CRLs. This parameter allows differentiation between PKCS#1v1.5 and PSS keys and choice of signature hash algorithm. The default (empty string) value is for Go to select the signature algorithm. 
This can fail if the underlying key does not support the requested signature algorithm, which may not be known at modification time (such as with PKCS#11 managed RSA keys).", + "default": "" + }, + "usage": { + "type": "array", + "description": "Comma-separated list (or string slice) of usages for this issuer; valid values are \"read-only\", \"issuing-certificates\", \"crl-signing\", and \"ocsp-signing\". Multiple values may be specified. Read-only is implicit and always set.", + "items": { + "type": "string" + }, + "default": [ + "read-only", + "issuing-certificates", + "crl-signing", + "ocsp-signing" + ] + } + } + }, + "PkiWriteIssuerResponse": { + "type": "object", + "properties": { + "ca_chain": { + "type": "array", + "description": "CA Chain", + "items": { + "type": "string" + } + }, + "certificate": { + "type": "string", + "description": "Certificate" + }, + "crl_distribution_points": { + "type": "array", + "description": "CRL Distribution Points", + "items": { + "type": "string" + } + }, + "enable_aia_url_templating": { + "type": "boolean", + "description": "Whether or not templating is enabled for AIA fields" + }, + "issuer_id": { + "type": "string", + "description": "Issuer Id" + }, + "issuer_name": { + "type": "string", + "description": "Issuer Name" + }, + "issuing_certificates": { + "type": "array", + "description": "Issuing Certificates", + "items": { + "type": "string" + } + }, + "key_id": { + "type": "string", + "description": "Key Id" + }, + "leaf_not_after_behavior": { + "type": "string", + "description": "Leaf Not After Behavior" + }, + "manual_chain": { + "type": "array", + "description": "Manual Chain", + "items": { + "type": "string" + } + }, + "ocsp_servers": { + "type": "array", + "description": "OCSP Servers", + "items": { + "type": "string" + } + }, + "revocation_signature_algorithm": { + "type": "string", + "description": "Revocation Signature Alogrithm" + }, + "revocation_time": { + "type": "integer" + }, + "revocation_time_rfc3339": { + 
"type": "string" + }, + "revoked": { + "type": "boolean", + "description": "Revoked" + }, + "usage": { + "type": "string", + "description": "Usage" + } + } + }, + "PkiWriteKeyRequest": { + "type": "object", + "properties": { + "key_name": { + "type": "string", + "description": "Human-readable name for this key." + } + } + }, + "PkiWriteKeyResponse": { + "type": "object", + "properties": { + "key_id": { + "type": "string", + "description": "Key Id" + }, + "key_name": { + "type": "string", + "description": "Key Name" + }, + "key_type": { + "type": "string", + "description": "Key Type" + } + } + }, + "PkiWriteRoleRequest": { + "type": "object", + "properties": { + "allow_any_name": { + "type": "boolean", + "description": "If set, clients can request certificates for any domain, regardless of allowed_domains restrictions. See the documentation for more information." + }, + "allow_bare_domains": { + "type": "boolean", + "description": "If set, clients can request certificates for the base domains themselves, e.g. \"example.com\" of domains listed in allowed_domains. This is a separate option as in some cases this can be considered a security threat. See the documentation for more information." + }, + "allow_glob_domains": { + "type": "boolean", + "description": "If set, domains specified in allowed_domains can include shell-style glob patterns, e.g. \"ftp*.example.com\". See the documentation for more information." + }, + "allow_ip_sans": { + "type": "boolean", + "description": "If set, IP Subject Alternative Names are allowed. 
Any valid IP is accepted and No authorization checking is performed.", + "default": true, + "x-vault-displayAttrs": { + "name": "Allow IP Subject Alternative Names", + "value": true + } + }, + "allow_localhost": { + "type": "boolean", + "description": "Whether to allow \"localhost\" and \"localdomain\" as a valid common name in a request, independent of allowed_domains value.", + "default": true, + "x-vault-displayAttrs": { + "value": true + } + }, + "allow_subdomains": { + "type": "boolean", + "description": "If set, clients can request certificates for subdomains of domains listed in allowed_domains, including wildcard subdomains. See the documentation for more information." + }, + "allow_wildcard_certificates": { + "type": "boolean", + "description": "If set, allows certificates with wildcards in the common name to be issued, conforming to RFC 6125's Section 6.4.3; e.g., \"*.example.net\" or \"b*z.example.net\". See the documentation for more information.", + "default": true + }, + "allowed_domains": { + "type": "array", + "description": "Specifies the domains this role is allowed to issue certificates for. This is used with the allow_bare_domains, allow_subdomains, and allow_glob_domains to determine matches for the common name, DNS-typed SAN entries, and Email-typed SAN entries of certificates. See the documentation for more information. This parameter accepts a comma-separated string or list of domains.", + "items": { + "type": "string" + } + }, + "allowed_domains_template": { + "type": "boolean", + "description": "If set, Allowed domains can be specified using identity template policies. Non-templated domains are also permitted.", + "default": false + }, + "allowed_other_sans": { + "type": "array", + "description": "If set, an array of allowed other names to put in SANs. These values support globbing and must be in the format ;:. Currently only \"utf8\" is a valid type. 
All values, including globbing values, must use this syntax, with the exception being a single \"*\" which allows any OID and any value (but type must still be utf8).", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Allowed Other Subject Alternative Names" + } + }, + "allowed_serial_numbers": { + "type": "array", + "description": "If set, an array of allowed serial numbers to put in Subject. These values support globbing.", + "items": { + "type": "string" + } + }, + "allowed_uri_sans": { + "type": "array", + "description": "If set, an array of allowed URIs for URI Subject Alternative Names. Any valid URI is accepted, these values support globbing.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Allowed URI Subject Alternative Names" + } + }, + "allowed_uri_sans_template": { + "type": "boolean", + "description": "If set, Allowed URI SANs can be specified using identity template policies. Non-templated URI SANs are also permitted.", + "default": false + }, + "allowed_user_ids": { + "type": "array", + "description": "If set, an array of allowed user-ids to put in user system login name specified here: https://www.rfc-editor.org/rfc/rfc1274#section-9.3.1", + "items": { + "type": "string" + } + }, + "backend": { + "type": "string", + "description": "Backend Type" + }, + "basic_constraints_valid_for_non_ca": { + "type": "boolean", + "description": "Mark Basic Constraints valid when issuing non-CA certificates.", + "x-vault-displayAttrs": { + "name": "Basic Constraints Valid for Non-CA" + } + }, + "client_flag": { + "type": "boolean", + "description": "If set, certificates are flagged for client auth use. Defaults to true. See also RFC 5280 Section 4.2.1.12.", + "default": true, + "x-vault-displayAttrs": { + "value": true + } + }, + "cn_validations": { + "type": "array", + "description": "List of allowed validations to run against the Common Name field. 
Values can include 'email' to validate the CN is a email address, 'hostname' to validate the CN is a valid hostname (potentially including wildcards). When multiple validations are specified, these take OR semantics (either email OR hostname are allowed). The special value 'disabled' allows disabling all CN name validations, allowing for arbitrary non-Hostname, non-Email address CNs.", + "items": { + "type": "string" + }, + "default": [ + "email", + "hostname" + ], + "x-vault-displayAttrs": { + "name": "Common Name Validations" + } + }, + "code_signing_flag": { + "type": "boolean", + "description": "If set, certificates are flagged for code signing use. Defaults to false. See also RFC 5280 Section 4.2.1.12." + }, + "country": { + "type": "array", + "description": "If set, Country will be set to this value in certificates issued by this role.", + "items": { + "type": "string" + } + }, + "email_protection_flag": { + "type": "boolean", + "description": "If set, certificates are flagged for email protection use. Defaults to false. See also RFC 5280 Section 4.2.1.12." + }, + "enforce_hostnames": { + "type": "boolean", + "description": "If set, only valid host names are allowed for CN and DNS SANs, and the host part of email addresses. Defaults to true.", + "default": true, + "x-vault-displayAttrs": { + "value": true + } + }, + "ext_key_usage": { + "type": "array", + "description": "A comma-separated string or list of extended key usages. Valid values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage -- simply drop the \"ExtKeyUsage\" part of the name. To remove all key usages from being set, set this value to an empty list. 
See also RFC 5280 Section 4.2.1.12.", + "items": { + "type": "string" + }, + "default": [], + "x-vault-displayAttrs": { + "name": "Extended Key Usage" + } + }, + "ext_key_usage_oids": { + "type": "array", + "description": "A comma-separated string or list of extended key usage oids.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Extended Key Usage OIDs" + } + }, + "generate_lease": { + "type": "boolean", + "description": "If set, certificates issued/signed against this role will have Vault leases attached to them. Defaults to \"false\". Certificates can be added to the CRL by \"vault revoke \" when certificates are associated with leases. It can also be done using the \"pki/revoke\" endpoint. However, when lease generation is disabled, invoking \"pki/revoke\" would be the only way to add the certificates to the CRL. When large number of certificates are generated with long lifetimes, it is recommended that lease generation be disabled, as large amount of leases adversely affect the startup time of Vault." + }, + "issuer_ref": { + "type": "string", + "description": "Reference to the issuer used to sign requests serviced by this role.", + "default": "default" + }, + "key_bits": { + "type": "integer", + "description": "The number of bits to use. Allowed values are 0 (universal default); with rsa key_type: 2048 (default), 3072, or 4096; with ec key_type: 224, 256 (default), 384, or 521; ignored with ed25519.", + "default": 0 + }, + "key_type": { + "type": "string", + "description": "The type of key to use; defaults to RSA. \"rsa\" \"ec\", \"ed25519\" and \"any\" are the only valid values.", + "enum": [ + "rsa", + "ec", + "ed25519", + "any" + ], + "default": "rsa" + }, + "key_usage": { + "type": "array", + "description": "A comma-separated string or list of key usages (not extended key usages). Valid values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage -- simply drop the \"KeyUsage\" part of the name. 
To remove all key usages from being set, set this value to an empty list. See also RFC 5280 Section 4.2.1.3.", + "items": { + "type": "string" + }, + "default": [ + "DigitalSignature", + "KeyAgreement", + "KeyEncipherment" + ], + "x-vault-displayAttrs": { + "value": "DigitalSignature,KeyAgreement,KeyEncipherment" + } + }, + "locality": { + "type": "array", + "description": "If set, Locality will be set to this value in certificates issued by this role.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Locality/City" + } + }, + "max_ttl": { + "type": "string", + "description": "The maximum allowed lease duration. If not set, defaults to the system maximum lease TTL.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Max TTL" + } + }, + "no_store": { + "type": "boolean", + "description": "If set, certificates issued/signed against this role will not be stored in the storage backend. This can improve performance when issuing large numbers of certificates. However, certificates issued in this way cannot be enumerated or revoked, so this option is recommended only for certificates that are non-sensitive, or extremely short-lived. This option implies a value of \"false\" for \"generate_lease\"." + }, + "not_after": { + "type": "string", + "description": "Set the not after field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ." 
+ }, + "not_before_duration": { + "type": "string", + "description": "The duration before now which the certificate needs to be backdated by.", + "format": "duration", + "default": 30, + "x-vault-displayAttrs": { + "value": 30 + } + }, + "organization": { + "type": "array", + "description": "If set, O (Organization) will be set to this value in certificates issued by this role.", + "items": { + "type": "string" + } + }, + "ou": { + "type": "array", + "description": "If set, OU (OrganizationalUnit) will be set to this value in certificates issued by this role.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Organizational Unit" + } + }, + "policy_identifiers": { + "type": "array", + "description": "A comma-separated string or list of policy OIDs, or a JSON list of qualified policy information, which must include an oid, and may include a notice and/or cps url, using the form [{\"oid\"=\"1.3.6.1.4.1.7.8\",\"notice\"=\"I am a user Notice\"}, {\"oid\"=\"1.3.6.1.4.1.44947.1.2.4 \",\"cps\"=\"https://example.com\"}].", + "items": { + "type": "string" + } + }, + "postal_code": { + "type": "array", + "description": "If set, Postal Code will be set to this value in certificates issued by this role.", + "items": { + "type": "string" + } + }, + "province": { + "type": "array", + "description": "If set, Province will be set to this value in certificates issued by this role.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Province/State" + } + }, + "require_cn": { + "type": "boolean", + "description": "If set to false, makes the 'common_name' field optional while generating a certificate.", + "default": true, + "x-vault-displayAttrs": { + "name": "Require Common Name" + } + }, + "server_flag": { + "type": "boolean", + "description": "If set, certificates are flagged for server auth use. Defaults to true. 
See also RFC 5280 Section 4.2.1.12.", + "default": true, + "x-vault-displayAttrs": { + "value": true + } + }, + "signature_bits": { + "type": "integer", + "description": "The number of bits to use in the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for SHA-2-512. Defaults to 0 to automatically detect based on key length (SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).", + "default": 0 + }, + "street_address": { + "type": "array", + "description": "If set, Street Address will be set to this value in certificates issued by this role.", + "items": { + "type": "string" + } + }, + "ttl": { + "type": "string", + "description": "The lease duration (validity period of the certificate) if no specific lease duration is requested. The lease duration controls the expiration of certificates issued by this backend. Defaults to the system default value or the value of max_ttl, whichever is shorter.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "TTL" + } + }, + "use_csr_common_name": { + "type": "boolean", + "description": "If set, when used with a signing profile, the common name in the CSR will be used. This does *not* include any requested Subject Alternative Names; use use_csr_sans for that. Defaults to true.", + "default": true, + "x-vault-displayAttrs": { + "name": "Use CSR Common Name", + "value": true + } + }, + "use_csr_sans": { + "type": "boolean", + "description": "If set, when used with a signing profile, the SANs in the CSR will be used. This does *not* include the Common Name (cn); use use_csr_common_name for that. Defaults to true.", + "default": true, + "x-vault-displayAttrs": { + "name": "Use CSR Subject Alternative Names", + "value": true + } + }, + "use_pss": { + "type": "boolean", + "description": "Whether or not to use PSS signatures when using a RSA key-type issuer. 
Defaults to false.", + "default": false + } + } + }, + "PkiWriteRoleResponse": { + "type": "object", + "properties": { + "allow_any_name": { + "type": "boolean", + "description": "If set, clients can request certificates for any domain, regardless of allowed_domains restrictions. See the documentation for more information." + }, + "allow_bare_domains": { + "type": "boolean", + "description": "If set, clients can request certificates for the base domains themselves, e.g. \"example.com\" of domains listed in allowed_domains. This is a separate option as in some cases this can be considered a security threat. See the documentation for more information." + }, + "allow_glob_domains": { + "type": "boolean", + "description": "If set, domains specified in allowed_domains can include shell-style glob patterns, e.g. \"ftp*.example.com\". See the documentation for more information." + }, + "allow_ip_sans": { + "type": "boolean", + "description": "If set, IP Subject Alternative Names are allowed. Any valid IP is accepted and No authorization checking is performed." + }, + "allow_localhost": { + "type": "boolean", + "description": "Whether to allow \"localhost\" and \"localdomain\" as a valid common name in a request, independent of allowed_domains value." + }, + "allow_subdomains": { + "type": "boolean", + "description": "If set, clients can request certificates for subdomains of domains listed in allowed_domains, including wildcard subdomains. See the documentation for more information." + }, + "allow_token_displayname": { + "type": "boolean", + "description": "Whether to allow \"localhost\" and \"localdomain\" as a valid common name in a request, independent of allowed_domains value." + }, + "allow_wildcard_certificates": { + "type": "boolean", + "description": "If set, allows certificates with wildcards in the common name to be issued, conforming to RFC 6125's Section 6.4.3; e.g., \"*.example.net\" or \"b*z.example.net\". See the documentation for more information." 
+ }, + "allowed_domains": { + "type": "array", + "description": "Specifies the domains this role is allowed to issue certificates for. This is used with the allow_bare_domains, allow_subdomains, and allow_glob_domains to determine matches for the common name, DNS-typed SAN entries, and Email-typed SAN entries of certificates. See the documentation for more information. This parameter accepts a comma-separated string or list of domains.", + "items": { + "type": "string" + } + }, + "allowed_domains_template": { + "type": "boolean", + "description": "If set, Allowed domains can be specified using identity template policies. Non-templated domains are also permitted." + }, + "allowed_other_sans": { + "type": "array", + "description": "If set, an array of allowed other names to put in SANs. These values support globbing and must be in the format ;:. Currently only \"utf8\" is a valid type. All values, including globbing values, must use this syntax, with the exception being a single \"*\" which allows any OID and any value (but type must still be utf8).", + "items": { + "type": "string" + } + }, + "allowed_serial_numbers": { + "type": "array", + "description": "If set, an array of allowed serial numbers to put in Subject. These values support globbing.", + "items": { + "type": "string" + } + }, + "allowed_uri_sans": { + "type": "array", + "description": "If set, an array of allowed URIs for URI Subject Alternative Names. Any valid URI is accepted, these values support globbing.", + "items": { + "type": "string" + } + }, + "allowed_uri_sans_template": { + "type": "boolean", + "description": "If set, Allowed URI SANs can be specified using identity template policies. Non-templated URI SANs are also permitted." 
+ }, + "allowed_user_ids": { + "type": "array", + "description": "If set, an array of allowed user-ids to put in user system login name specified here: https://www.rfc-editor.org/rfc/rfc1274#section-9.3.1", + "items": { + "type": "string" + } + }, + "basic_constraints_valid_for_non_ca": { + "type": "boolean", + "description": "Mark Basic Constraints valid when issuing non-CA certificates." + }, + "client_flag": { + "type": "boolean", + "description": "If set, certificates are flagged for client auth use. Defaults to true. See also RFC 5280 Section 4.2.1.12." + }, + "cn_validations": { + "type": "array", + "description": "List of allowed validations to run against the Common Name field. Values can include 'email' to validate the CN is a email address, 'hostname' to validate the CN is a valid hostname (potentially including wildcards). When multiple validations are specified, these take OR semantics (either email OR hostname are allowed). The special value 'disabled' allows disabling all CN name validations, allowing for arbitrary non-Hostname, non-Email address CNs.", + "items": { + "type": "string" + } + }, + "code_signing_flag": { + "type": "boolean", + "description": "If set, certificates are flagged for code signing use. Defaults to false. See also RFC 5280 Section 4.2.1.12." + }, + "country": { + "type": "array", + "description": "If set, Country will be set to this value in certificates issued by this role.", + "items": { + "type": "string" + } + }, + "email_protection_flag": { + "type": "boolean", + "description": "If set, certificates are flagged for email protection use. Defaults to false. See also RFC 5280 Section 4.2.1.12." + }, + "enforce_hostnames": { + "type": "boolean", + "description": "If set, only valid host names are allowed for CN and DNS SANs, and the host part of email addresses. Defaults to true." + }, + "ext_key_usage": { + "type": "array", + "description": "A comma-separated string or list of extended key usages. 
Valid values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage -- simply drop the \"ExtKeyUsage\" part of the name. To remove all key usages from being set, set this value to an empty list. See also RFC 5280 Section 4.2.1.12.", + "items": { + "type": "string" + } + }, + "ext_key_usage_oids": { + "type": "array", + "description": "A comma-separated string or list of extended key usage oids.", + "items": { + "type": "string" + } + }, + "generate_lease": { + "type": "boolean", + "description": "If set, certificates issued/signed against this role will have Vault leases attached to them. Defaults to \"false\". Certificates can be added to the CRL by \"vault revoke \" when certificates are associated with leases. It can also be done using the \"pki/revoke\" endpoint. However, when lease generation is disabled, invoking \"pki/revoke\" would be the only way to add the certificates to the CRL. When large number of certificates are generated with long lifetimes, it is recommended that lease generation be disabled, as large amount of leases adversely affect the startup time of Vault." + }, + "issuer_ref": { + "type": "string", + "description": "Reference to the issuer used to sign requests serviced by this role." + }, + "key_bits": { + "type": "integer", + "description": "The number of bits to use. Allowed values are 0 (universal default); with rsa key_type: 2048 (default), 3072, or 4096; with ec key_type: 224, 256 (default), 384, or 521; ignored with ed25519." + }, + "key_type": { + "type": "string", + "description": "The type of key to use; defaults to RSA. \"rsa\" \"ec\", \"ed25519\" and \"any\" are the only valid values." + }, + "key_usage": { + "type": "array", + "description": "A comma-separated string or list of key usages (not extended key usages). Valid values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage -- simply drop the \"KeyUsage\" part of the name. To remove all key usages from being set, set this value to an empty list. 
See also RFC 5280 Section 4.2.1.3.", + "items": { + "type": "string" + } + }, + "locality": { + "type": "array", + "description": "If set, Locality will be set to this value in certificates issued by this role.", + "items": { + "type": "string" + } + }, + "max_ttl": { + "type": "integer", + "description": "The maximum allowed lease duration. If not set, defaults to the system maximum lease TTL.", + "format": "int64" + }, + "no_store": { + "type": "boolean", + "description": "If set, certificates issued/signed against this role will not be stored in the storage backend. This can improve performance when issuing large numbers of certificates. However, certificates issued in this way cannot be enumerated or revoked, so this option is recommended only for certificates that are non-sensitive, or extremely short-lived. This option implies a value of \"false\" for \"generate_lease\"." + }, + "not_after": { + "type": "string", + "description": "Set the not after field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ." 
+ }, + "not_before_duration": { + "type": "integer", + "description": "The duration in seconds before now which the certificate needs to be backdated by.", + "format": "int64" + }, + "organization": { + "type": "array", + "description": "If set, O (Organization) will be set to this value in certificates issued by this role.", + "items": { + "type": "string" + } + }, + "ou": { + "type": "array", + "description": "If set, OU (OrganizationalUnit) will be set to this value in certificates issued by this role.", + "items": { + "type": "string" + } + }, + "policy_identifiers": { + "type": "array", + "description": "A comma-separated string or list of policy OIDs, or a JSON list of qualified policy information, which must include an oid, and may include a notice and/or cps url, using the form [{\"oid\"=\"1.3.6.1.4.1.7.8\",\"notice\"=\"I am a user Notice\"}, {\"oid\"=\"1.3.6.1.4.1.44947.1.2.4 \",\"cps\"=\"https://example.com\"}].", + "items": { + "type": "string" + } + }, + "postal_code": { + "type": "array", + "description": "If set, Postal Code will be set to this value in certificates issued by this role.", + "items": { + "type": "string" + } + }, + "province": { + "type": "array", + "description": "If set, Province will be set to this value in certificates issued by this role.", + "items": { + "type": "string" + } + }, + "require_cn": { + "type": "boolean", + "description": "If set to false, makes the 'common_name' field optional while generating a certificate." + }, + "server_flag": { + "type": "boolean", + "description": "If set, certificates are flagged for server auth use. Defaults to true. See also RFC 5280 Section 4.2.1.12.", + "default": true + }, + "signature_bits": { + "type": "integer", + "description": "The number of bits to use in the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for SHA-2-512. Defaults to 0 to automatically detect based on key length (SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves)." 
+ }, + "street_address": { + "type": "array", + "description": "If set, Street Address will be set to this value in certificates issued by this role.", + "items": { + "type": "string" + } + }, + "ttl": { + "type": "integer", + "description": "The lease duration (validity period of the certificate) if no specific lease duration is requested. The lease duration controls the expiration of certificates issued by this backend. Defaults to the system default value or the value of max_ttl, whichever is shorter.", + "format": "int64" + }, + "use_csr_common_name": { + "type": "boolean", + "description": "If set, when used with a signing profile, the common name in the CSR will be used. This does *not* include any requested Subject Alternative Names; use use_csr_sans for that. Defaults to true." + }, + "use_csr_sans": { + "type": "boolean", + "description": "If set, when used with a signing profile, the SANs in the CSR will be used. This does *not* include the Common Name (cn); use use_csr_common_name for that. Defaults to true." + }, + "use_pss": { + "type": "boolean", + "description": "Whether or not to use PSS signatures when using a RSA key-type issuer. Defaults to false." 
+ } + } + }, + "PkiWriteRolesRoleAcmeAccountKidRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteRolesRoleAcmeAuthorizationAuth_idRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteRolesRoleAcmeChallengeAuth_idChallenge_typeRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteRolesRoleAcmeNewAccountRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteRolesRoleAcmeNewOrderRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteRolesRoleAcmeOrderOrder_idCertRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + 
"description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteRolesRoleAcmeOrderOrder_idFinalizeRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteRolesRoleAcmeOrderOrder_idRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteRolesRoleAcmeOrdersRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PkiWriteRolesRoleAcmeRevokeCertRequest": { + "type": "object", + "properties": { + "payload": { + "type": "string", + "description": "ACME request 'payload' value" + }, + "protected": { + "type": "string", + "description": "ACME request 'protected' value" + }, + "signature": { + "type": "string", + "description": "ACME request 'signature' value" + } + } + }, + "PluginsCatalogListPluginsResponse": { + "type": "object", + "properties": { + "detailed": { + "type": "object", + "format": "map" + } + } + }, + "PluginsCatalogListPluginsWithTypeResponse": { + "type": "object", + "properties": { + "keys": { + "type": "array", + "description": "List of 
plugin names in the catalog", + "items": { + "type": "string" + } + } + } + }, + "PluginsCatalogReadPluginConfigurationResponse": { + "type": "object", + "properties": { + "args": { + "type": "array", + "description": "The args passed to plugin command.", + "items": { + "type": "string" + } + }, + "builtin": { + "type": "boolean" + }, + "command": { + "type": "string", + "description": "The command used to start the plugin. The executable defined in this command must exist in vault's plugin directory." + }, + "deprecation_status": { + "type": "string" + }, + "name": { + "type": "string", + "description": "The name of the plugin" + }, + "oci_image": { + "type": "string", + "description": "The name of the OCI image to be run, without the tag or SHA256. Must already be present on the machine." + }, + "sha256": { + "type": "string", + "description": "The SHA256 sum of the executable or container to be run. This should be HEX encoded." + }, + "version": { + "type": "string", + "description": "The semantic version of the plugin to use, or image tag if oci_image is provided." + } + } + }, + "PluginsCatalogReadPluginConfigurationWithTypeResponse": { + "type": "object", + "properties": { + "args": { + "type": "array", + "description": "The args passed to plugin command.", + "items": { + "type": "string" + } + }, + "builtin": { + "type": "boolean" + }, + "command": { + "type": "string", + "description": "The command used to start the plugin. The executable defined in this command must exist in vault's plugin directory." + }, + "deprecation_status": { + "type": "string" + }, + "name": { + "type": "string", + "description": "The name of the plugin" + }, + "oci_image": { + "type": "string", + "description": "The name of the OCI image to be run, without the tag or SHA256. Must already be present on the machine." + }, + "sha256": { + "type": "string", + "description": "The SHA256 sum of the executable or container to be run. This should be HEX encoded." 
+ }, + "version": { + "type": "string", + "description": "The semantic version of the plugin to use, or image tag if oci_image is provided." + } + } + }, + "PluginsCatalogRegisterPluginRequest": { + "type": "object", + "properties": { + "args": { + "type": "array", + "description": "The args passed to plugin command.", + "items": { + "type": "string" + } + }, + "command": { + "type": "string", + "description": "The command used to start the plugin. The executable defined in this command must exist in vault's plugin directory." + }, + "env": { + "type": "array", + "description": "The environment variables passed to plugin command. Each entry is of the form \"key=value\".", + "items": { + "type": "string" + } + }, + "oci_image": { + "type": "string", + "description": "The name of the OCI image to be run, without the tag or SHA256. Must already be present on the machine." + }, + "sha256": { + "type": "string", + "description": "The SHA256 sum of the executable or container to be run. This should be HEX encoded." + }, + "version": { + "type": "string", + "description": "The semantic version of the plugin to use, or image tag if oci_image is provided." + } + } + }, + "PluginsCatalogRegisterPluginWithTypeRequest": { + "type": "object", + "properties": { + "args": { + "type": "array", + "description": "The args passed to plugin command.", + "items": { + "type": "string" + } + }, + "command": { + "type": "string", + "description": "The command used to start the plugin. The executable defined in this command must exist in vault's plugin directory." + }, + "env": { + "type": "array", + "description": "The environment variables passed to plugin command. Each entry is of the form \"key=value\".", + "items": { + "type": "string" + } + }, + "oci_image": { + "type": "string", + "description": "The name of the OCI image to be run, without the tag or SHA256. Must already be present on the machine." 
+ }, + "sha256": { + "type": "string", + "description": "The SHA256 sum of the executable or container to be run. This should be HEX encoded." + }, + "version": { + "type": "string", + "description": "The semantic version of the plugin to use, or image tag if oci_image is provided." + } + } + }, + "PluginsReloadBackendsRequest": { + "type": "object", + "properties": { + "mounts": { + "type": "array", + "description": "The mount paths of the plugin backends to reload.", + "items": { + "type": "string" + } + }, + "plugin": { + "type": "string", + "description": "The name of the plugin to reload, as registered in the plugin catalog." + }, + "scope": { + "type": "string" + } + } + }, + "PluginsReloadBackendsResponse": { + "type": "object", + "properties": { + "reload_id": { + "type": "string" + } + } + }, + "PluginsRuntimesCatalogListPluginsRuntimesResponse": { + "type": "object", + "properties": { + "runtimes": { + "type": "array", + "description": "List of all plugin runtimes in the catalog", + "items": { + "type": "object" + } + } + } + }, + "PluginsRuntimesCatalogReadPluginRuntimeConfigurationResponse": { + "type": "object", + "properties": { + "cgroup_parent": { + "type": "string", + "description": "Optional parent cgroup for the container" + }, + "cpu_nanos": { + "type": "integer", + "description": "The limit of runtime CPU in nanos", + "format": "int64" + }, + "memory_bytes": { + "type": "integer", + "description": "The limit of runtime memory in bytes", + "format": "int64" + }, + "name": { + "type": "string", + "description": "The name of the plugin runtime" + }, + "oci_runtime": { + "type": "string", + "description": "The OCI-compatible runtime (default \"runsc\")" + }, + "type": { + "type": "string", + "description": "The type of the plugin runtime" + } + } + }, + "PluginsRuntimesCatalogRegisterPluginRuntimeRequest": { + "type": "object", + "properties": { + "cgroup_parent": { + "type": "string", + "description": "Optional parent cgroup for the container" + 
}, + "cpu_nanos": { + "type": "integer", + "description": "The limit of runtime CPU in nanos", + "format": "int64" + }, + "memory_bytes": { + "type": "integer", + "description": "The limit of runtime memory in bytes", + "format": "int64" + }, + "oci_runtime": { + "type": "string", + "description": "The OCI-compatible runtime (default \"runsc\")" + } + } + }, + "PoliciesGeneratePasswordFromPasswordPolicyResponse": { + "type": "object", + "properties": { + "password": { + "type": "string" + } + } + }, + "PoliciesListAclPolicies2Response": { + "type": "object", + "properties": { + "keys": { + "type": "array", + "items": { + "type": "string" + } + }, + "policies": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "PoliciesListAclPolicies3Response": { + "type": "object", + "properties": { + "keys": { + "type": "array", + "items": { + "type": "string" + } + }, + "policies": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "PoliciesListAclPoliciesResponse": { + "type": "object", + "properties": { + "keys": { + "type": "array", + "items": { + "type": "string" + } + }, + "policies": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "PoliciesReadAclPolicy2Response": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "policy": { + "type": "string" + }, + "rules": { + "type": "string" + } + } + }, + "PoliciesReadAclPolicyResponse": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "policy": { + "type": "string" + }, + "rules": { + "type": "string" + } + } + }, + "PoliciesReadPasswordPolicyResponse": { + "type": "object", + "properties": { + "policy": { + "type": "string" + } + } + }, + "PoliciesWriteAclPolicy2Request": { + "type": "object", + "properties": { + "policy": { + "type": "string", + "description": "The rules of the policy." 
+ }, + "rules": { + "type": "string", + "description": "The rules of the policy.", + "deprecated": true + } + } + }, + "PoliciesWriteAclPolicyRequest": { + "type": "object", + "properties": { + "policy": { + "type": "string", + "description": "The rules of the policy." + } + } + }, + "PoliciesWritePasswordPolicyRequest": { + "type": "object", + "properties": { + "policy": { + "type": "string", + "description": "The password policy" + } + } + }, + "QueryTokenAccessorCapabilitiesRequest": { + "type": "object", + "properties": { + "accessor": { + "type": "string", + "description": "Accessor of the token for which capabilities are being queried." + }, + "path": { + "type": "array", + "description": "Use 'paths' instead.", + "items": { + "type": "string" + }, + "deprecated": true + }, + "paths": { + "type": "array", + "description": "Paths on which capabilities are being queried.", + "items": { + "type": "string" + } + } + } + }, + "QueryTokenCapabilitiesRequest": { + "type": "object", + "properties": { + "path": { + "type": "array", + "description": "Use 'paths' instead.", + "items": { + "type": "string" + }, + "deprecated": true + }, + "paths": { + "type": "array", + "description": "Paths on which capabilities are being queried.", + "items": { + "type": "string" + } + }, + "token": { + "type": "string", + "description": "Token for which capabilities are being queried." + } + } + }, + "QueryTokenSelfCapabilitiesRequest": { + "type": "object", + "properties": { + "path": { + "type": "array", + "description": "Use 'paths' instead.", + "items": { + "type": "string" + }, + "deprecated": true + }, + "paths": { + "type": "array", + "description": "Paths on which capabilities are being queried.", + "items": { + "type": "string" + } + }, + "token": { + "type": "string", + "description": "Token for which capabilities are being queried." 
+ } + } + }, + "RabbitMqConfigureConnectionRequest": { + "type": "object", + "properties": { + "connection_uri": { + "type": "string", + "description": "RabbitMQ Management URI" + }, + "password": { + "type": "string", + "description": "Password of the provided RabbitMQ management user" + }, + "password_policy": { + "type": "string", + "description": "Name of the password policy to use to generate passwords for dynamic credentials." + }, + "username": { + "type": "string", + "description": "Username of a RabbitMQ management administrator" + }, + "username_template": { + "type": "string", + "description": "Template describing how dynamic usernames are generated." + }, + "verify_connection": { + "type": "boolean", + "description": "If set, connection_uri is verified by actually connecting to the RabbitMQ management API", + "default": true + } + } + }, + "RabbitMqConfigureLeaseRequest": { + "type": "object", + "properties": { + "max_ttl": { + "type": "string", + "description": "Duration after which the issued credentials should not be allowed to be renewed", + "format": "duration", + "default": 0 + }, + "ttl": { + "type": "string", + "description": "Duration before which the issued credentials needs renewal", + "format": "duration", + "default": 0 + } + } + }, + "RabbitMqWriteRoleRequest": { + "type": "object", + "properties": { + "tags": { + "type": "string", + "description": "Comma-separated list of tags for this role." + }, + "vhost_topics": { + "type": "string", + "description": "A nested map of virtual hosts and exchanges to topic permissions." + }, + "vhosts": { + "type": "string", + "description": "A map of virtual hosts to permissions." 
+ } + } + }, + "RadiusConfigureRequest": { + "type": "object", + "properties": { + "dial_timeout": { + "type": "string", + "description": "Number of seconds before connect times out (default: 10)", + "format": "duration", + "default": 10, + "x-vault-displayAttrs": { + "value": 10 + } + }, + "host": { + "type": "string", + "description": "RADIUS server host", + "x-vault-displayAttrs": { + "name": "Host" + } + }, + "nas_identifier": { + "type": "string", + "description": "RADIUS NAS Identifier field (optional)", + "default": "", + "x-vault-displayAttrs": { + "name": "NAS Identifier" + } + }, + "nas_port": { + "type": "integer", + "description": "RADIUS NAS port field (default: 10)", + "default": 10, + "x-vault-displayAttrs": { + "name": "NAS Port", + "value": 10 + } + }, + "port": { + "type": "integer", + "description": "RADIUS server port (default: 1812)", + "default": 1812, + "x-vault-displayAttrs": { + "value": 1812 + } + }, + "read_timeout": { + "type": "string", + "description": "Number of seconds before response times out (default: 10)", + "format": "duration", + "default": 10, + "x-vault-displayAttrs": { + "value": 10 + } + }, + "secret": { + "type": "string", + "description": "Secret shared with the RADIUS server" + }, + "token_bound_cidrs": { + "type": "array", + "description": "Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Generated Token's Bound CIDRs", + "description": "A list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "group": "Tokens" + } + }, + "token_explicit_max_ttl": { + "type": "string", + "description": "If set, tokens created via this role carry an explicit maximum TTL. 
During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Explicit Maximum TTL", + "group": "Tokens" + } + }, + "token_max_ttl": { + "type": "string", + "description": "The maximum lifetime of the generated token", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Maximum TTL", + "group": "Tokens" + } + }, + "token_no_default_policy": { + "type": "boolean", + "description": "If true, the 'default' policy will not automatically be added to generated tokens", + "x-vault-displayAttrs": { + "name": "Do Not Attach 'default' Policy To Generated Tokens", + "group": "Tokens" + } + }, + "token_num_uses": { + "type": "integer", + "description": "The maximum number of times a token may be used, a value of zero means unlimited", + "x-vault-displayAttrs": { + "name": "Maximum Uses of Generated Tokens", + "group": "Tokens" + } + }, + "token_period": { + "type": "string", + "description": "If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Period", + "group": "Tokens" + } + }, + "token_policies": { + "type": "array", + "description": "Comma-separated list of policies. 
This will apply to all tokens generated by this auth method, in addition to any configured for specific users.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Generated Token's Policies", + "description": "A list of policies that will apply to the generated token for this user.", + "group": "Tokens" + } + }, + "token_ttl": { + "type": "string", + "description": "The initial ttl of the token to generate", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Initial TTL", + "group": "Tokens" + } + }, + "token_type": { + "type": "string", + "description": "The type of token to generate, service or batch", + "default": "default-service", + "x-vault-displayAttrs": { + "name": "Generated Token's Type", + "group": "Tokens" + } + }, + "unregistered_user_policies": { + "type": "string", + "description": "Comma-separated list of policies to grant upon successful RADIUS authentication of an unregistered user (default: empty)", + "default": "", + "x-vault-displayAttrs": { + "name": "Policies for unregistered users", + "description": "List of policies to grant upon successful RADIUS authentication of an unregistered user (default: empty)" + } + } + } + }, + "RadiusLoginRequest": { + "type": "object", + "properties": { + "password": { + "type": "string", + "description": "Password for this user." + }, + "username": { + "type": "string", + "description": "Username to be used for login. (POST request body)" + } + } + }, + "RadiusLoginWithUsernameRequest": { + "type": "object", + "properties": { + "password": { + "type": "string", + "description": "Password for this user." + }, + "username": { + "type": "string", + "description": "Username to be used for login. 
(POST request body)" + } + } + }, + "RadiusWriteUserRequest": { + "type": "object", + "properties": { + "policies": { + "type": "array", + "description": "Comma-separated list of policies associated to the user.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "description": "A list of policies associated to the user." + } + } + } + }, + "RateLimitQuotasConfigureRequest": { + "type": "object", + "properties": { + "enable_rate_limit_audit_logging": { + "type": "boolean", + "description": "If set, starts audit logging of requests that get rejected due to rate limit quota rule violations." + }, + "enable_rate_limit_response_headers": { + "type": "boolean", + "description": "If set, additional rate limit quota HTTP headers will be added to responses." + }, + "rate_limit_exempt_paths": { + "type": "array", + "description": "Specifies the list of exempt paths from all rate limit quotas. If empty no paths will be exempt.", + "items": { + "type": "string" + } + } + } + }, + "RateLimitQuotasReadConfigurationResponse": { + "type": "object", + "properties": { + "enable_rate_limit_audit_logging": { + "type": "boolean" + }, + "enable_rate_limit_response_headers": { + "type": "boolean" + }, + "rate_limit_exempt_paths": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "RateLimitQuotasReadResponse": { + "type": "object", + "properties": { + "block_interval": { + "type": "integer" + }, + "inheritable": { + "type": "boolean" + }, + "interval": { + "type": "integer" + }, + "name": { + "type": "string" + }, + "path": { + "type": "string" + }, + "rate": { + "type": "number", + "format": "float" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + } + } + }, + "RateLimitQuotasWriteRequest": { + "type": "object", + "properties": { + "block_interval": { + "type": "string", + "description": "If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 
'block_interval' has elapsed.", + "format": "duration" + }, + "inheritable": { + "type": "boolean", + "description": "Whether all child namespaces can inherit this namespace quota." + }, + "interval": { + "type": "string", + "description": "The duration to enforce rate limiting for (default '1s').", + "format": "duration" + }, + "path": { + "type": "string", + "description": "Path of the mount or namespace to apply the quota. A blank path configures a global quota. For example namespace1/ adds a quota to a full namespace, namespace1/auth/userpass adds a quota to userpass in namespace1." + }, + "rate": { + "type": "number", + "description": "The maximum number of requests in a given interval to be allowed by the quota rule. The 'rate' must be positive.", + "format": "float" + }, + "role": { + "type": "string", + "description": "Login role to apply this quota to. Note that when set, path must be configured to a valid auth method with a concept of roles." + }, + "type": { + "type": "string", + "description": "Type of the quota rule." 
+ } + } + }, + "RawReadResponse": { + "type": "object", + "properties": { + "value": { + "type": "string" + } + } + }, + "RawWriteRequest": { + "type": "object", + "properties": { + "compressed": { + "type": "boolean" + }, + "compression_type": { + "type": "string" + }, + "encoding": { + "type": "string" + }, + "value": { + "type": "string" + } + } + }, + "ReadWrappingProperties2Response": { + "type": "object", + "properties": { + "creation_path": { + "type": "string" + }, + "creation_time": { + "type": "string", + "format": "date-time" + }, + "creation_ttl": { + "type": "string", + "format": "duration" + } + } + }, + "ReadWrappingPropertiesRequest": { + "type": "object", + "properties": { + "token": { + "type": "string" + } + } + }, + "ReadWrappingPropertiesResponse": { + "type": "object", + "properties": { + "creation_path": { + "type": "string" + }, + "creation_time": { + "type": "string", + "format": "date-time" + }, + "creation_ttl": { + "type": "string", + "format": "duration" + } + } + }, + "RekeyAttemptInitializeRequest": { + "type": "object", + "properties": { + "backup": { + "type": "boolean", + "description": "Specifies if using PGP-encrypted keys, whether Vault should also store a plaintext backup of the PGP-encrypted keys." + }, + "pgp_keys": { + "type": "array", + "description": "Specifies an array of PGP public keys used to encrypt the output unseal keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as secret_shares.", + "items": { + "type": "string" + } + }, + "require_verification": { + "type": "boolean", + "description": "Turns on verification functionality" + }, + "secret_shares": { + "type": "integer", + "description": "Specifies the number of shares to split the unseal key into." + }, + "secret_threshold": { + "type": "integer", + "description": "Specifies the number of shares required to reconstruct the unseal key. 
This must be less than or equal secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as secret_shares." + } + } + }, + "RekeyAttemptInitializeResponse": { + "type": "object", + "properties": { + "backup": { + "type": "boolean" + }, + "n": { + "type": "integer" + }, + "nounce": { + "type": "string" + }, + "pgp_fingerprints": { + "type": "array", + "items": { + "type": "string" + } + }, + "progress": { + "type": "integer" + }, + "required": { + "type": "integer" + }, + "started": { + "type": "string" + }, + "t": { + "type": "integer" + }, + "verification_nonce": { + "type": "string" + }, + "verification_required": { + "type": "boolean" + } + } + }, + "RekeyAttemptReadProgressResponse": { + "type": "object", + "properties": { + "backup": { + "type": "boolean" + }, + "n": { + "type": "integer" + }, + "nounce": { + "type": "string" + }, + "pgp_fingerprints": { + "type": "array", + "items": { + "type": "string" + } + }, + "progress": { + "type": "integer" + }, + "required": { + "type": "integer" + }, + "started": { + "type": "string" + }, + "t": { + "type": "integer" + }, + "verification_nonce": { + "type": "string" + }, + "verification_required": { + "type": "boolean" + } + } + }, + "RekeyAttemptUpdateRequest": { + "type": "object", + "properties": { + "key": { + "type": "string", + "description": "Specifies a single unseal key share." + }, + "nonce": { + "type": "string", + "description": "Specifies the nonce of the rekey attempt." 
+ } + } + }, + "RekeyAttemptUpdateResponse": { + "type": "object", + "properties": { + "backup": { + "type": "boolean" + }, + "complete": { + "type": "boolean" + }, + "keys": { + "type": "array", + "items": { + "type": "string" + } + }, + "keys_base64": { + "type": "array", + "items": { + "type": "string" + } + }, + "n": { + "type": "integer" + }, + "nounce": { + "type": "string" + }, + "pgp_fingerprints": { + "type": "array", + "items": { + "type": "string" + } + }, + "progress": { + "type": "integer" + }, + "required": { + "type": "integer" + }, + "started": { + "type": "string" + }, + "t": { + "type": "integer" + }, + "verification_nonce": { + "type": "string" + }, + "verification_required": { + "type": "boolean" + } + } + }, + "RekeyReadBackupKeyResponse": { + "type": "object", + "properties": { + "keys": { + "type": "object", + "format": "map" + }, + "keys_base64": { + "type": "object", + "format": "map" + }, + "nonce": { + "type": "string" + } + } + }, + "RekeyReadBackupRecoveryKeyResponse": { + "type": "object", + "properties": { + "keys": { + "type": "object", + "format": "map" + }, + "keys_base64": { + "type": "object", + "format": "map" + }, + "nonce": { + "type": "string" + } + } + }, + "RekeyVerificationCancelResponse": { + "type": "object", + "properties": { + "n": { + "type": "integer" + }, + "nounce": { + "type": "string" + }, + "progress": { + "type": "integer" + }, + "started": { + "type": "string" + }, + "t": { + "type": "integer" + } + } + }, + "RekeyVerificationReadProgressResponse": { + "type": "object", + "properties": { + "n": { + "type": "integer" + }, + "nounce": { + "type": "string" + }, + "progress": { + "type": "integer" + }, + "started": { + "type": "string" + }, + "t": { + "type": "integer" + } + } + }, + "RekeyVerificationUpdateRequest": { + "type": "object", + "properties": { + "key": { + "type": "string", + "description": "Specifies a single unseal share key from the new set of shares." 
+ }, + "nonce": { + "type": "string", + "description": "Specifies the nonce of the rekey verification operation." + } + } + }, + "RekeyVerificationUpdateResponse": { + "type": "object", + "properties": { + "complete": { + "type": "boolean" + }, + "nounce": { + "type": "string" + } + } + }, + "RemountRequest": { + "type": "object", + "properties": { + "from": { + "type": "string", + "description": "The previous mount point." + }, + "to": { + "type": "string", + "description": "The new mount point." + } + } + }, + "RemountResponse": { + "type": "object", + "properties": { + "migration_id": { + "type": "string" + } + } + }, + "RemountStatusResponse": { + "type": "object", + "properties": { + "migration_id": { + "type": "string" + }, + "migration_info": { + "type": "object", + "format": "map" + } + } + }, + "RewrapRequest": { + "type": "object", + "properties": { + "token": { + "type": "string" + } + } + }, + "RootTokenGenerationInitialize2Request": { + "type": "object", + "properties": { + "pgp_key": { + "type": "string", + "description": "Specifies a base64-encoded PGP public key." + } + } + }, + "RootTokenGenerationInitialize2Response": { + "type": "object", + "properties": { + "complete": { + "type": "boolean" + }, + "encoded_root_token": { + "type": "string" + }, + "encoded_token": { + "type": "string" + }, + "nonce": { + "type": "string" + }, + "otp": { + "type": "string" + }, + "otp_length": { + "type": "integer" + }, + "pgp_fingerprint": { + "type": "string" + }, + "progress": { + "type": "integer" + }, + "required": { + "type": "integer" + }, + "started": { + "type": "boolean" + } + } + }, + "RootTokenGenerationInitializeRequest": { + "type": "object", + "properties": { + "pgp_key": { + "type": "string", + "description": "Specifies a base64-encoded PGP public key." 
+ } + } + }, + "RootTokenGenerationInitializeResponse": { + "type": "object", + "properties": { + "complete": { + "type": "boolean" + }, + "encoded_root_token": { + "type": "string" + }, + "encoded_token": { + "type": "string" + }, + "nonce": { + "type": "string" + }, + "otp": { + "type": "string" + }, + "otp_length": { + "type": "integer" + }, + "pgp_fingerprint": { + "type": "string" + }, + "progress": { + "type": "integer" + }, + "required": { + "type": "integer" + }, + "started": { + "type": "boolean" + } + } + }, + "RootTokenGenerationReadProgress2Response": { + "type": "object", + "properties": { + "complete": { + "type": "boolean" + }, + "encoded_root_token": { + "type": "string" + }, + "encoded_token": { + "type": "string" + }, + "nonce": { + "type": "string" + }, + "otp": { + "type": "string" + }, + "otp_length": { + "type": "integer" + }, + "pgp_fingerprint": { + "type": "string" + }, + "progress": { + "type": "integer" + }, + "required": { + "type": "integer" + }, + "started": { + "type": "boolean" + } + } + }, + "RootTokenGenerationReadProgressResponse": { + "type": "object", + "properties": { + "complete": { + "type": "boolean" + }, + "encoded_root_token": { + "type": "string" + }, + "encoded_token": { + "type": "string" + }, + "nonce": { + "type": "string" + }, + "otp": { + "type": "string" + }, + "otp_length": { + "type": "integer" + }, + "pgp_fingerprint": { + "type": "string" + }, + "progress": { + "type": "integer" + }, + "required": { + "type": "integer" + }, + "started": { + "type": "boolean" + } + } + }, + "RootTokenGenerationUpdateRequest": { + "type": "object", + "properties": { + "key": { + "type": "string", + "description": "Specifies a single unseal key share." + }, + "nonce": { + "type": "string", + "description": "Specifies the nonce of the attempt." 
+ } + } + }, + "RootTokenGenerationUpdateResponse": { + "type": "object", + "properties": { + "complete": { + "type": "boolean" + }, + "encoded_root_token": { + "type": "string" + }, + "encoded_token": { + "type": "string" + }, + "nonce": { + "type": "string" + }, + "otp": { + "type": "string" + }, + "otp_length": { + "type": "integer" + }, + "pgp_fingerprint": { + "type": "string" + }, + "progress": { + "type": "integer" + }, + "required": { + "type": "integer" + }, + "started": { + "type": "boolean" + } + } + }, + "SealStatusResponse": { + "type": "object", + "properties": { + "build_date": { + "type": "string" + }, + "cluster_id": { + "type": "string" + }, + "cluster_name": { + "type": "string" + }, + "hcp_link_resource_ID": { + "type": "string" + }, + "hcp_link_status": { + "type": "string" + }, + "initialized": { + "type": "boolean" + }, + "migration": { + "type": "boolean" + }, + "n": { + "type": "integer" + }, + "nonce": { + "type": "string" + }, + "progress": { + "type": "integer" + }, + "recovery_seal": { + "type": "boolean" + }, + "sealed": { + "type": "boolean" + }, + "storage_type": { + "type": "string" + }, + "t": { + "type": "integer" + }, + "type": { + "type": "string" + }, + "version": { + "type": "string" + } + } + }, + "SshConfigureCaRequest": { + "type": "object", + "properties": { + "generate_signing_key": { + "type": "boolean", + "description": "Generate SSH key pair internally rather than use the private_key and public_key fields.", + "default": true + }, + "key_bits": { + "type": "integer", + "description": "Specifies the desired key bits when generating variable-length keys (such as when key_type=\"ssh-rsa\") or which NIST P-curve to use when key_type=\"ec\" (256, 384, or 521).", + "default": 0 + }, + "key_type": { + "type": "string", + "description": "Specifies the desired key type when generating; could be a OpenSSH key type identifier (ssh-rsa, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, or ssh-ed25519) or an algorithm 
(rsa, ec, ed25519).", + "default": "ssh-rsa" + }, + "private_key": { + "type": "string", + "description": "Private half of the SSH key that will be used to sign certificates." + }, + "public_key": { + "type": "string", + "description": "Public half of the SSH key that will be used to sign certificates." + } + } + }, + "SshConfigureZeroAddressRequest": { + "type": "object", + "properties": { + "roles": { + "type": "array", + "description": "[Required] Comma separated list of role names which allows credentials to be requested for any IP address. CIDR blocks previously registered under these roles will be ignored.", + "items": { + "type": "string" + } + } + } + }, + "SshGenerateCredentialsRequest": { + "type": "object", + "properties": { + "ip": { + "type": "string", + "description": "[Required] IP of the remote host" + }, + "username": { + "type": "string", + "description": "[Optional] Username in remote host" + } + } + }, + "SshIssueCertificateRequest": { + "type": "object", + "properties": { + "cert_type": { + "type": "string", + "description": "Type of certificate to be created; either \"user\" or \"host\".", + "default": "user" + }, + "critical_options": { + "type": "object", + "description": "Critical options that the certificate should be signed for.", + "format": "map" + }, + "extensions": { + "type": "object", + "description": "Extensions that the certificate should be signed for.", + "format": "map" + }, + "key_bits": { + "type": "integer", + "description": "Specifies the number of bits to use for the generated keys.", + "default": 0 + }, + "key_id": { + "type": "string", + "description": "Key id that the created certificate should have. If not specified, the display name of the token will be used." 
+ }, + "key_type": { + "type": "string", + "description": "Specifies the desired key type; must be `rsa`, `ed25519` or `ec`", + "default": "rsa" + }, + "ttl": { + "type": "string", + "description": "The requested Time To Live for the SSH certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be later than the role max TTL.", + "format": "duration" + }, + "valid_principals": { + "type": "string", + "description": "Valid principals, either usernames or hostnames, that the certificate should be signed for." + } + } + }, + "SshListRolesByIpRequest": { + "type": "object", + "properties": { + "ip": { + "type": "string", + "description": "[Required] IP address of remote host" + } + } + }, + "SshSignCertificateRequest": { + "type": "object", + "properties": { + "cert_type": { + "type": "string", + "description": "Type of certificate to be created; either \"user\" or \"host\".", + "default": "user" + }, + "critical_options": { + "type": "object", + "description": "Critical options that the certificate should be signed for.", + "format": "map" + }, + "extensions": { + "type": "object", + "description": "Extensions that the certificate should be signed for.", + "format": "map" + }, + "key_id": { + "type": "string", + "description": "Key id that the created certificate should have. If not specified, the display name of the token will be used." + }, + "public_key": { + "type": "string", + "description": "SSH public key that should be signed." + }, + "ttl": { + "type": "string", + "description": "The requested Time To Live for the SSH certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be later than the role max TTL.", + "format": "duration" + }, + "valid_principals": { + "type": "string", + "description": "Valid principals, either usernames or hostnames, that the certificate should be signed for." 
+ } + } + }, + "SshVerifyOtpRequest": { + "type": "object", + "properties": { + "otp": { + "type": "string", + "description": "[Required] One-Time-Key that needs to be validated" + } + } + }, + "SshWriteRoleRequest": { + "type": "object", + "properties": { + "algorithm_signer": { + "type": "string", + "description": "[Not applicable for OTP type] [Optional for CA type] When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512, default, or the empty string.", + "enum": [ + "", + "default", + "ssh-rsa", + "rsa-sha2-256", + "rsa-sha2-512" + ], + "x-vault-displayAttrs": { + "name": "Signing Algorithm" + } + }, + "allow_bare_domains": { + "type": "boolean", + "description": "[Not applicable for OTP type] [Optional for CA type] If set, host certificates that are requested are allowed to use the base domains listed in \"allowed_domains\", e.g. \"example.com\". This is a separate option as in some cases this can be considered a security threat." + }, + "allow_host_certificates": { + "type": "boolean", + "description": "[Not applicable for OTP type] [Optional for CA type] If set, certificates are allowed to be signed for use as a 'host'.", + "default": false + }, + "allow_subdomains": { + "type": "boolean", + "description": "[Not applicable for OTP type] [Optional for CA type] If set, host certificates that are requested are allowed to use subdomains of those listed in \"allowed_domains\"." + }, + "allow_user_certificates": { + "type": "boolean", + "description": "[Not applicable for OTP type] [Optional for CA type] If set, certificates are allowed to be signed for use as a 'user'.", + "default": false + }, + "allow_user_key_ids": { + "type": "boolean", + "description": "[Not applicable for OTP type] [Optional for CA type] If true, users can override the key ID for a signed certificate with the \"key_id\" field. When false, the key ID will always be the token display name. 
The key ID is logged by the SSH server and can be useful for auditing.", + "x-vault-displayAttrs": { + "name": "Allow User Key IDs" + } + }, + "allowed_critical_options": { + "type": "string", + "description": "[Not applicable for OTP type] [Optional for CA type] A comma-separated list of critical options that certificates can have when signed. To allow any critical options, set this to an empty string." + }, + "allowed_domains": { + "type": "string", + "description": "[Not applicable for OTP type] [Optional for CA type] If this option is not specified, client can request for a signed certificate for any valid host. If only certain domains are allowed, then this list enforces it." + }, + "allowed_domains_template": { + "type": "boolean", + "description": "[Not applicable for OTP type] [Optional for CA type] If set, Allowed domains can be specified using identity template policies. Non-templated domains are also permitted.", + "default": false + }, + "allowed_extensions": { + "type": "string", + "description": "[Not applicable for OTP type] [Optional for CA type] A comma-separated list of extensions that certificates can have when signed. An empty list means that no extension overrides are allowed by an end-user; explicitly specify '*' to allow any extensions to be set." + }, + "allowed_user_key_lengths": { + "type": "object", + "description": "[Not applicable for OTP type] [Optional for CA type] If set, allows the enforcement of key types and minimum key sizes to be signed.", + "format": "map" + }, + "allowed_users": { + "type": "string", + "description": "[Optional for all types] [Works differently for CA type] If this option is not specified, or is '*', client can request a credential for any valid user at the remote host, including the admin user. If only certain usernames are to be allowed, then this list enforces it. If this field is set, then credentials can only be created for default_user and usernames present in this list. 
Setting this option will enable all the users with access to this role to fetch credentials for all other usernames in this list. Use with caution. N.B.: with the CA type, an empty list means that no users are allowed; explicitly specify '*' to allow any user." + }, + "allowed_users_template": { + "type": "boolean", + "description": "[Not applicable for OTP type] [Optional for CA type] If set, Allowed users can be specified using identity template policies. Non-templated users are also permitted.", + "default": false + }, + "cidr_list": { + "type": "string", + "description": "[Optional for OTP type] [Not applicable for CA type] Comma separated list of CIDR blocks for which the role is applicable for. CIDR blocks can belong to more than one role.", + "x-vault-displayAttrs": { + "name": "CIDR List" + } + }, + "default_critical_options": { + "type": "object", + "description": "[Not applicable for OTP type] [Optional for CA type] Critical options certificates should have if none are provided when signing. This field takes in key value pairs in JSON format. Note that these are not restricted by \"allowed_critical_options\". Defaults to none.", + "format": "map" + }, + "default_extensions": { + "type": "object", + "description": "[Not applicable for OTP type] [Optional for CA type] Extensions certificates should have if none are provided when signing. This field takes in key value pairs in JSON format. Note that these are not restricted by \"allowed_extensions\". Defaults to none.", + "format": "map" + }, + "default_extensions_template": { + "type": "boolean", + "description": "[Not applicable for OTP type] [Optional for CA type] If set, Default extension values can be specified using identity template policies. Non-templated extension values are also permitted.", + "default": false + }, + "default_user": { + "type": "string", + "description": "[Required for OTP type] [Optional for CA type] Default username for which a credential will be generated. 
When the endpoint 'creds/' is used without a username, this value will be used as default username.", + "x-vault-displayAttrs": { + "name": "Default Username" + } + }, + "default_user_template": { + "type": "boolean", + "description": "[Not applicable for OTP type] [Optional for CA type] If set, Default user can be specified using identity template policies. Non-templated users are also permitted.", + "default": false + }, + "exclude_cidr_list": { + "type": "string", + "description": "[Optional for OTP type] [Not applicable for CA type] Comma separated list of CIDR blocks. IP addresses belonging to these blocks are not accepted by the role. This is particularly useful when big CIDR blocks are being used by the role and certain parts of it needs to be kept out.", + "x-vault-displayAttrs": { + "name": "Exclude CIDR List" + } + }, + "key_id_format": { + "type": "string", + "description": "[Not applicable for OTP type] [Optional for CA type] When supplied, this value specifies a custom format for the key id of a signed certificate. The following variables are available for use: '{{token_display_name}}' - The display name of the token used to make the request. '{{role_name}}' - The name of the role signing the request. '{{public_key_hash}}' - A SHA256 checksum of the public key that is being signed.", + "x-vault-displayAttrs": { + "name": "Key ID Format" + } + }, + "key_type": { + "type": "string", + "description": "[Required for all types] Type of key used to login to hosts. It can be either 'otp' or 'ca'. 
'otp' type requires agent to be installed in remote hosts.", + "enum": [ + "otp", + "ca" + ], + "x-vault-displayAttrs": { + "value": "ca" + } + }, + "max_ttl": { + "type": "string", + "description": "[Not applicable for OTP type] [Optional for CA type] The maximum allowed lease duration", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Max TTL" + } + }, + "not_before_duration": { + "type": "string", + "description": "[Not applicable for OTP type] [Optional for CA type] The duration that the SSH certificate should be backdated by at issuance.", + "format": "duration", + "default": 30, + "x-vault-displayAttrs": { + "name": "Not before duration", + "value": 30 + } + }, + "port": { + "type": "integer", + "description": "[Optional for OTP type] [Not applicable for CA type] Port number for SSH connection. Default is '22'. Port number does not play any role in creation of OTP. For 'otp' type, this is just a way to inform client about the port number to use. Port number will be returned to client by Vault server along with OTP.", + "x-vault-displayAttrs": { + "value": 22 + } + }, + "ttl": { + "type": "string", + "description": "[Not applicable for OTP type] [Optional for CA type] The lease duration if no specific lease duration is requested. The lease duration controls the expiration of certificates issued by this backend. Defaults to the value of max_ttl.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "TTL" + } + } + } + }, + "StandardListResponse": { + "type": "object", + "properties": { + "keys": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "TerraformCloudConfigureRequest": { + "type": "object", + "properties": { + "address": { + "type": "string", + "description": "The address to access Terraform Cloud or Enterprise. 
Default is \"https://app.terraform.io\".", + "default": "https://app.terraform.io" + }, + "base_path": { + "type": "string", + "description": "The base path for the Terraform Cloud or Enterprise API. Default is \"/api/v2/\".", + "default": "/api/v2/" + }, + "token": { + "type": "string", + "description": "The token to access Terraform Cloud", + "x-vault-displayAttrs": { + "name": "Token", + "sensitive": true + } + } + }, + "required": [ + "token" + ] + }, + "TerraformCloudWriteRoleRequest": { + "type": "object", + "properties": { + "max_ttl": { + "type": "string", + "description": "Maximum time for role. If not set or set to 0, will use system default.", + "format": "duration" + }, + "organization": { + "type": "string", + "description": "Name of the Terraform Cloud or Enterprise organization" + }, + "team_id": { + "type": "string", + "description": "ID of the Terraform Cloud or Enterprise team under organization (e.g., settings/teams/team-xxxxxxxxxxxxx)" + }, + "ttl": { + "type": "string", + "description": "Default lease for generated credentials. 
If not set or set to 0, will use system default.", + "format": "duration" + }, + "user_id": { + "type": "string", + "description": "ID of the Terraform Cloud or Enterprise user (e.g., user-xxxxxxxxxxxxxxxx)" + } + } + }, + "TokenCreateAgainstRoleRequest": { + "type": "object", + "properties": { + "display_name": { + "type": "string", + "description": "Name to associate with this token" + }, + "entity_alias": { + "type": "string", + "description": "Name of the entity alias to associate with this token" + }, + "explicit_max_ttl": { + "type": "string", + "description": "Explicit Max TTL of this token" + }, + "id": { + "type": "string", + "description": "Value for the token" + }, + "lease": { + "type": "string", + "description": "Use 'ttl' instead", + "deprecated": true + }, + "meta": { + "type": "object", + "description": "Arbitrary key=value metadata to associate with the token", + "format": "kvpairs" + }, + "no_default_policy": { + "type": "boolean", + "description": "Do not include default policy for this token" + }, + "no_parent": { + "type": "boolean", + "description": "Create the token with no parent" + }, + "num_uses": { + "type": "integer", + "description": "Max number of uses for this token" + }, + "period": { + "type": "string", + "description": "Renew period" + }, + "policies": { + "type": "array", + "description": "List of policies for the token", + "items": { + "type": "string" + } + }, + "renewable": { + "type": "boolean", + "description": "Allow token to be renewed past its initial TTL up to system/mount maximum TTL", + "default": true + }, + "ttl": { + "type": "string", + "description": "Time to live for this token" + }, + "type": { + "type": "string", + "description": "Token type" + } + } + }, + "TokenCreateOrphanRequest": { + "type": "object", + "properties": { + "display_name": { + "type": "string", + "description": "Name to associate with this token" + }, + "entity_alias": { + "type": "string", + "description": "Name of the entity alias to 
associate with this token" + }, + "explicit_max_ttl": { + "type": "string", + "description": "Explicit Max TTL of this token" + }, + "id": { + "type": "string", + "description": "Value for the token" + }, + "lease": { + "type": "string", + "description": "Use 'ttl' instead", + "deprecated": true + }, + "meta": { + "type": "object", + "description": "Arbitrary key=value metadata to associate with the token", + "format": "kvpairs" + }, + "no_default_policy": { + "type": "boolean", + "description": "Do not include default policy for this token" + }, + "no_parent": { + "type": "boolean", + "description": "Create the token with no parent" + }, + "num_uses": { + "type": "integer", + "description": "Max number of uses for this token" + }, + "period": { + "type": "string", + "description": "Renew period" + }, + "policies": { + "type": "array", + "description": "List of policies for the token", + "items": { + "type": "string" + } + }, + "renewable": { + "type": "boolean", + "description": "Allow token to be renewed past its initial TTL up to system/mount maximum TTL", + "default": true + }, + "ttl": { + "type": "string", + "description": "Time to live for this token" + }, + "type": { + "type": "string", + "description": "Token type" + } + } + }, + "TokenCreateRequest": { + "type": "object", + "properties": { + "display_name": { + "type": "string", + "description": "Name to associate with this token" + }, + "entity_alias": { + "type": "string", + "description": "Name of the entity alias to associate with this token" + }, + "explicit_max_ttl": { + "type": "string", + "description": "Explicit Max TTL of this token" + }, + "id": { + "type": "string", + "description": "Value for the token" + }, + "lease": { + "type": "string", + "description": "Use 'ttl' instead", + "deprecated": true + }, + "meta": { + "type": "object", + "description": "Arbitrary key=value metadata to associate with the token", + "format": "kvpairs" + }, + "no_default_policy": { + "type": "boolean", + 
"description": "Do not include default policy for this token" + }, + "no_parent": { + "type": "boolean", + "description": "Create the token with no parent" + }, + "num_uses": { + "type": "integer", + "description": "Max number of uses for this token" + }, + "period": { + "type": "string", + "description": "Renew period" + }, + "policies": { + "type": "array", + "description": "List of policies for the token", + "items": { + "type": "string" + } + }, + "renewable": { + "type": "boolean", + "description": "Allow token to be renewed past its initial TTL up to system/mount maximum TTL", + "default": true + }, + "ttl": { + "type": "string", + "description": "Time to live for this token" + }, + "type": { + "type": "string", + "description": "Token type" + } + } + }, + "TokenLookUpAccessorRequest": { + "type": "object", + "properties": { + "accessor": { + "type": "string", + "description": "Accessor of the token to look up (request body)" + } + } + }, + "TokenLookUpRequest": { + "type": "object", + "properties": { + "token": { + "type": "string", + "description": "Token to lookup" + } + } + }, + "TokenLookUpSelf2Request": { + "type": "object", + "properties": { + "token": { + "type": "string", + "description": "Token to look up (unused, does not need to be set)" + } + } + }, + "TokenRenewAccessorRequest": { + "type": "object", + "properties": { + "accessor": { + "type": "string", + "description": "Accessor of the token to renew (request body)" + }, + "increment": { + "type": "string", + "description": "The desired increment in seconds to the token expiration", + "format": "duration", + "default": 0 + } + } + }, + "TokenRenewRequest": { + "type": "object", + "properties": { + "increment": { + "type": "string", + "description": "The desired increment in seconds to the token expiration", + "format": "duration", + "default": 0 + }, + "token": { + "type": "string", + "description": "Token to renew (request body)" + } + } + }, + "TokenRenewSelfRequest": { + "type": "object", + 
"properties": { + "increment": { + "type": "string", + "description": "The desired increment in seconds to the token expiration", + "format": "duration", + "default": 0 + }, + "token": { + "type": "string", + "description": "Token to renew (unused, does not need to be set)" + } + } + }, + "TokenRevokeAccessorRequest": { + "type": "object", + "properties": { + "accessor": { + "type": "string", + "description": "Accessor of the token (request body)" + } + } + }, + "TokenRevokeOrphanRequest": { + "type": "object", + "properties": { + "token": { + "type": "string", + "description": "Token to revoke (request body)" + } + } + }, + "TokenRevokeRequest": { + "type": "object", + "properties": { + "token": { + "type": "string", + "description": "Token to revoke (request body)" + } + } + }, + "TokenWriteRoleRequest": { + "type": "object", + "properties": { + "allowed_entity_aliases": { + "type": "array", + "description": "String or JSON list of allowed entity aliases. If set, specifies the entity aliases which are allowed to be used during token generation. This field supports globbing.", + "items": { + "type": "string" + } + }, + "allowed_policies": { + "type": "array", + "description": "If set, tokens can be created with any subset of the policies in this list, rather than the normal semantics of tokens being a subset of the calling token's policies. The parameter is a comma-delimited string of policy names.", + "items": { + "type": "string" + } + }, + "allowed_policies_glob": { + "type": "array", + "description": "If set, tokens can be created with any subset of glob matched policies in this list, rather than the normal semantics of tokens being a subset of the calling token's policies. 
The parameter is a comma-delimited string of policy name globs.", + "items": { + "type": "string" + } + }, + "bound_cidrs": { + "type": "array", + "description": "Use 'token_bound_cidrs' instead.", + "items": { + "type": "string" + }, + "deprecated": true + }, + "disallowed_policies": { + "type": "array", + "description": "If set, successful token creation via this role will require that no policies in the given list are requested. The parameter is a comma-delimited string of policy names.", + "items": { + "type": "string" + } + }, + "disallowed_policies_glob": { + "type": "array", + "description": "If set, successful token creation via this role will require that no requested policies glob match any of policies in this list. The parameter is a comma-delimited string of policy name globs.", + "items": { + "type": "string" + } + }, + "explicit_max_ttl": { + "type": "string", + "description": "Use 'token_explicit_max_ttl' instead.", + "format": "duration", + "deprecated": true + }, + "orphan": { + "type": "boolean", + "description": "If true, tokens created via this role will be orphan tokens (have no parent)" + }, + "path_suffix": { + "type": "string", + "description": "If set, tokens created via this role will contain the given suffix as a part of their path. This can be used to assist use of the 'revoke-prefix' endpoint later on. The given suffix must match the regular expression.\\w[\\w-.]+\\w" + }, + "period": { + "type": "string", + "description": "Use 'token_period' instead.", + "format": "duration", + "deprecated": true + }, + "renewable": { + "type": "boolean", + "description": "Tokens created via this role will be renewable or not according to this value. Defaults to \"true\".", + "default": true + }, + "token_bound_cidrs": { + "type": "array", + "description": "Comma separated string or JSON list of CIDR blocks. 
If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Generated Token's Bound CIDRs", + "description": "A list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "group": "Tokens" + } + }, + "token_explicit_max_ttl": { + "type": "string", + "description": "If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Explicit Maximum TTL", + "group": "Tokens" + } + }, + "token_no_default_policy": { + "type": "boolean", + "description": "If true, the 'default' policy will not automatically be added to generated tokens", + "x-vault-displayAttrs": { + "name": "Do Not Attach 'default' Policy To Generated Tokens", + "group": "Tokens" + } + }, + "token_num_uses": { + "type": "integer", + "description": "The maximum number of times a token may be used, a value of zero means unlimited", + "x-vault-displayAttrs": { + "name": "Maximum Uses of Generated Tokens", + "group": "Tokens" + } + }, + "token_period": { + "type": "string", + "description": "If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. 
\"24h\").", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Period", + "group": "Tokens" + } + }, + "token_type": { + "type": "string", + "description": "The type of token to generate, service or batch", + "default": "default-service", + "x-vault-displayAttrs": { + "name": "Generated Token's Type", + "group": "Tokens" + } + } + } + }, + "TotpCreateKeyRequest": { + "type": "object", + "properties": { + "account_name": { + "type": "string", + "description": "The name of the account associated with the key. Required if generate is true." + }, + "algorithm": { + "type": "string", + "description": "The hashing algorithm used to generate the TOTP token. Options include SHA1, SHA256 and SHA512.", + "default": "SHA1" + }, + "digits": { + "type": "integer", + "description": "The number of digits in the generated TOTP token. This value can either be 6 or 8.", + "default": 6 + }, + "exported": { + "type": "boolean", + "description": "Determines if a QR code and url are returned upon generating a key. Only used if generate is true.", + "default": true + }, + "generate": { + "type": "boolean", + "description": "Determines if a key should be generated by Vault or if a key is being passed from another service.", + "default": false + }, + "issuer": { + "type": "string", + "description": "The name of the key's issuing organization. Required if generate is true." + }, + "key": { + "type": "string", + "description": "The shared master key used to generate a TOTP token. Only used if generate is false." + }, + "key_size": { + "type": "integer", + "description": "Determines the size in bytes of the generated key. Only used if generate is true.", + "default": 20 + }, + "period": { + "type": "string", + "description": "The length of time used to generate a counter for the TOTP token calculation.", + "format": "duration", + "default": 30 + }, + "qr_size": { + "type": "integer", + "description": "The pixel size of the generated square QR code. 
Only used if generate is true and exported is true. If this value is 0, a QR code will not be returned.", + "default": 200 + }, + "skew": { + "type": "integer", + "description": "The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. Only used if generate is true.", + "default": 1 + }, + "url": { + "type": "string", + "description": "A TOTP url string containing all of the parameters for key setup. Only used if generate is false." + } + } + }, + "TotpValidateCodeRequest": { + "type": "object", + "properties": { + "code": { + "type": "string", + "description": "TOTP code to be validated." + } + } + }, + "TransitConfigureCacheRequest": { + "type": "object", + "properties": { + "size": { + "type": "integer", + "description": "Size of cache, use 0 for an unlimited cache size, defaults to 0", + "default": 0 + } + } + }, + "TransitConfigureKeyRequest": { + "type": "object", + "properties": { + "allow_plaintext_backup": { + "type": "boolean", + "description": "Enables taking a backup of the named key in plaintext format. Once set, this cannot be disabled." + }, + "auto_rotate_period": { + "type": "string", + "description": "Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.", + "format": "duration" + }, + "deletion_allowed": { + "type": "boolean", + "description": "Whether to allow deletion of the key" + }, + "exportable": { + "type": "boolean", + "description": "Enables export of the key. Once set, this cannot be disabled." + }, + "min_decryption_version": { + "type": "integer", + "description": "If set, the minimum version of the key allowed to be decrypted. For signing keys, the minimum version allowed to be used for verification." + }, + "min_encryption_version": { + "type": "integer", + "description": "If set, the minimum version of the key allowed to be used for encryption; or for signing keys, to be used for signing. 
If set to zero, only the latest version of the key is allowed." + } + } + }, + "TransitConfigureKeysRequest": { + "type": "object", + "properties": { + "disable_upsert": { + "type": "boolean", + "description": "Whether to allow automatic upserting (creation) of keys on the encrypt endpoint." + } + } + }, + "TransitCreateKeyRequest": { + "type": "object", + "properties": { + "allow_plaintext_backup": { + "type": "boolean", + "description": "Enables taking a backup of the named key in plaintext format. Once set, this cannot be disabled." + }, + "auto_rotate_period": { + "type": "string", + "description": "Amount of time the key should live before being automatically rotated. A value of 0 (default) disables automatic rotation for the key.", + "format": "duration", + "default": 0 + }, + "context": { + "type": "string", + "description": "Base64 encoded context for key derivation. When reading a key with key derivation enabled, if the key type supports public keys, this will return the public key for the given context." + }, + "convergent_encryption": { + "type": "boolean", + "description": "Whether to support convergent encryption. This is only supported when using a key with key derivation enabled and will require all requests to carry both a context and 96-bit (12-byte) nonce. The given nonce will be used in place of a randomly generated nonce. As a result, when the same context and nonce are supplied, the same ciphertext is generated. It is *very important* when using this mode that you ensure that all nonces are unique for a given context. Failing to do so will severely impact the ciphertext's security." + }, + "derived": { + "type": "boolean", + "description": "Enables key derivation mode. This allows for per-transaction unique keys for encryption operations." + }, + "exportable": { + "type": "boolean", + "description": "Enables keys to be exportable. This allows for all the valid keys in the key ring to be exported." 
+ }, + "key_size": { + "type": "integer", + "description": "The key size in bytes for the algorithm. Only applies to HMAC and must be no fewer than 32 bytes and no more than 512", + "default": 0 + }, + "managed_key_id": { + "type": "string", + "description": "The UUID of the managed key to use for this transit key" + }, + "managed_key_name": { + "type": "string", + "description": "The name of the managed key to use for this transit key" + }, + "type": { + "type": "string", + "description": "The type of key to create. Currently, \"aes128-gcm96\" (symmetric), \"aes256-gcm96\" (symmetric), \"ecdsa-p256\" (asymmetric), \"ecdsa-p384\" (asymmetric), \"ecdsa-p521\" (asymmetric), \"ed25519\" (asymmetric), \"rsa-2048\" (asymmetric), \"rsa-3072\" (asymmetric), \"rsa-4096\" (asymmetric) are supported. Defaults to \"aes256-gcm96\".", + "default": "aes256-gcm96" + } + } + }, + "TransitDecryptRequest": { + "type": "object", + "properties": { + "associated_data": { + "type": "string", + "description": "When using an AEAD cipher mode, such as AES-GCM, this parameter allows passing associated data (AD/AAD) into the encryption function; this data must be passed on subsequent decryption requests but can be transited in plaintext. On successful decryption, both the ciphertext and the associated data are attested not to have been tampered with." + }, + "batch_input": { + "type": "array", + "description": "Specifies a list of items to be decrypted in a single batch. When this parameter is set, if the parameters 'ciphertext', 'context' and 'nonce' are also set, they will be ignored. Any batch output will preserve the order of the batch input.", + "items": { + "type": "object" + } + }, + "ciphertext": { + "type": "string", + "description": "The ciphertext to decrypt, provided as returned by encrypt." + }, + "context": { + "type": "string", + "description": "Base64 encoded context for key derivation. Required if key derivation is enabled." 
+ }, + "nonce": { + "type": "string", + "description": "Base64 encoded nonce value used during encryption. Must be provided if convergent encryption is enabled for this key and the key was generated with Vault 0.6.1. Not required for keys created in 0.6.2+." + }, + "partial_failure_response_code": { + "type": "integer", + "description": "Ordinarily, if a batch item fails to decrypt due to a bad input, but other batch items succeed, the HTTP response code is 400 (Bad Request). Some applications may want to treat partial failures differently. Providing the parameter returns the given response code integer instead of a 400 in this case. If all values fail HTTP 400 is still returned." + } + } + }, + "TransitEncryptRequest": { + "type": "object", + "properties": { + "associated_data": { + "type": "string", + "description": "When using an AEAD cipher mode, such as AES-GCM, this parameter allows passing associated data (AD/AAD) into the encryption function; this data must be passed on subsequent decryption requests but can be transited in plaintext. On successful decryption, both the ciphertext and the associated data are attested not to have been tampered with." + }, + "batch_input": { + "type": "array", + "description": "Specifies a list of items to be encrypted in a single batch. When this parameter is set, if the parameters 'plaintext', 'context' and 'nonce' are also set, they will be ignored. Any batch output will preserve the order of the batch input.", + "items": { + "type": "object" + } + }, + "context": { + "type": "string", + "description": "Base64 encoded context for key derivation. Required if key derivation is enabled" + }, + "convergent_encryption": { + "type": "boolean", + "description": "This parameter will only be used when a key is expected to be created. Whether to support convergent encryption. This is only supported when using a key with key derivation enabled and will require all requests to carry both a context and 96-bit (12-byte) nonce. 
The given nonce will be used in place of a randomly generated nonce. As a result, when the same context and nonce are supplied, the same ciphertext is generated. It is *very important* when using this mode that you ensure that all nonces are unique for a given context. Failing to do so will severely impact the ciphertext's security." + }, + "key_version": { + "type": "integer", + "description": "The version of the key to use for encryption. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key." + }, + "nonce": { + "type": "string", + "description": "Base64 encoded nonce value. Must be provided if convergent encryption is enabled for this key and the key was generated with Vault 0.6.1. Not required for keys created in 0.6.2+. The value must be exactly 96 bits (12 bytes) long and the user must ensure that for any given context (and thus, any given encryption key) this nonce value is **never reused**." + }, + "partial_failure_response_code": { + "type": "integer", + "description": "Ordinarily, if a batch item fails to encrypt due to a bad input, but other batch items succeed, the HTTP response code is 400 (Bad Request). Some applications may want to treat partial failures differently. Providing the parameter returns the given response code integer instead of a 400 in this case. If all values fail HTTP 400 is still returned." + }, + "plaintext": { + "type": "string", + "description": "Base64 encoded plaintext value to be encrypted" + }, + "type": { + "type": "string", + "description": "This parameter is required when encryption key is expected to be created. When performing an upsert operation, the type of key to create. Currently, \"aes128-gcm96\" (symmetric) and \"aes256-gcm96\" (symmetric) are the only types supported. 
Defaults to \"aes256-gcm96\".", + "default": "aes256-gcm96" + } + } + }, + "TransitGenerateCsrForKeyRequest": { + "type": "object", + "properties": { + "csr": { + "type": "string", + "description": "PEM encoded CSR template. The information attributes will be used as a basis for the CSR with the key in transit. If not set, an empty CSR is returned." + }, + "version": { + "type": "integer", + "description": "Optional version of key, 'latest' if not set" + } + } + }, + "TransitGenerateDataKeyRequest": { + "type": "object", + "properties": { + "bits": { + "type": "integer", + "description": "Number of bits for the key; currently 128, 256, and 512 bits are supported. Defaults to 256.", + "default": 256 + }, + "context": { + "type": "string", + "description": "Context for key derivation. Required for derived keys." + }, + "key_version": { + "type": "integer", + "description": "The version of the Vault key to use for encryption of the data key. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key." + }, + "nonce": { + "type": "string", + "description": "Nonce for when convergent encryption v1 is used (only in Vault 0.6.1)" + } + } + }, + "TransitGenerateHmacRequest": { + "type": "object", + "properties": { + "algorithm": { + "type": "string", + "description": "Algorithm to use (POST body parameter). Valid values are: * sha2-224 * sha2-256 * sha2-384 * sha2-512 * sha3-224 * sha3-256 * sha3-384 * sha3-512 Defaults to \"sha2-256\".", + "default": "sha2-256" + }, + "batch_input": { + "type": "array", + "description": "Specifies a list of items to be processed in a single batch. When this parameter is set, if the parameter 'input' is also set, it will be ignored. 
Any batch output will preserve the order of the batch input.", + "items": { + "type": "object" + } + }, + "input": { + "type": "string", + "description": "The base64-encoded input data" + }, + "key_version": { + "type": "integer", + "description": "The version of the key to use for generating the HMAC. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key." + } + } + }, + "TransitGenerateHmacWithAlgorithmRequest": { + "type": "object", + "properties": { + "algorithm": { + "type": "string", + "description": "Algorithm to use (POST body parameter). Valid values are: * sha2-224 * sha2-256 * sha2-384 * sha2-512 * sha3-224 * sha3-256 * sha3-384 * sha3-512 Defaults to \"sha2-256\".", + "default": "sha2-256" + }, + "batch_input": { + "type": "array", + "description": "Specifies a list of items to be processed in a single batch. When this parameter is set, if the parameter 'input' is also set, it will be ignored. Any batch output will preserve the order of the batch input.", + "items": { + "type": "object" + } + }, + "input": { + "type": "string", + "description": "The base64-encoded input data" + }, + "key_version": { + "type": "integer", + "description": "The version of the key to use for generating the HMAC. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key." + } + } + }, + "TransitGenerateRandomRequest": { + "type": "object", + "properties": { + "bytes": { + "type": "integer", + "description": "The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).", + "default": 32 + }, + "format": { + "type": "string", + "description": "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"base64\".", + "default": "base64" + } + } + }, + "TransitGenerateRandomWithBytesRequest": { + "type": "object", + "properties": { + "bytes": { + "type": "integer", + "description": "The number of bytes to generate (POST body parameter). 
Defaults to 32 (256 bits).", + "default": 32 + }, + "format": { + "type": "string", + "description": "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"base64\".", + "default": "base64" + } + } + }, + "TransitGenerateRandomWithSourceAndBytesRequest": { + "type": "object", + "properties": { + "bytes": { + "type": "integer", + "description": "The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).", + "default": 32 + }, + "format": { + "type": "string", + "description": "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"base64\".", + "default": "base64" + } + } + }, + "TransitGenerateRandomWithSourceRequest": { + "type": "object", + "properties": { + "bytes": { + "type": "integer", + "description": "The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).", + "default": 32 + }, + "format": { + "type": "string", + "description": "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"base64\".", + "default": "base64" + } + } + }, + "TransitHashRequest": { + "type": "object", + "properties": { + "algorithm": { + "type": "string", + "description": "Algorithm to use (POST body parameter). Valid values are: * sha2-224 * sha2-256 * sha2-384 * sha2-512 * sha3-224 * sha3-256 * sha3-384 * sha3-512 Defaults to \"sha2-256\".", + "default": "sha2-256" + }, + "format": { + "type": "string", + "description": "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"hex\".", + "default": "hex" + }, + "input": { + "type": "string", + "description": "The base64-encoded input data" + } + } + }, + "TransitHashWithAlgorithmRequest": { + "type": "object", + "properties": { + "algorithm": { + "type": "string", + "description": "Algorithm to use (POST body parameter). 
Valid values are: * sha2-224 * sha2-256 * sha2-384 * sha2-512 * sha3-224 * sha3-256 * sha3-384 * sha3-512 Defaults to \"sha2-256\".", + "default": "sha2-256" + }, + "format": { + "type": "string", + "description": "Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"hex\".", + "default": "hex" + }, + "input": { + "type": "string", + "description": "The base64-encoded input data" + } + } + }, + "TransitImportKeyRequest": { + "type": "object", + "properties": { + "allow_plaintext_backup": { + "type": "boolean", + "description": "Enables taking a backup of the named key in plaintext format. Once set, this cannot be disabled." + }, + "allow_rotation": { + "type": "boolean", + "description": "True if the imported key may be rotated within Vault; false otherwise." + }, + "auto_rotate_period": { + "type": "string", + "description": "Amount of time the key should live before being automatically rotated. A value of 0 (default) disables automatic rotation for the key.", + "format": "duration", + "default": 0 + }, + "ciphertext": { + "type": "string", + "description": "The base64-encoded ciphertext of the keys. The AES key should be encrypted using OAEP with the wrapping key and then concatenated with the import key, wrapped by the AES key." + }, + "context": { + "type": "string", + "description": "Base64 encoded context for key derivation. When reading a key with key derivation enabled, if the key type supports public keys, this will return the public key for the given context." + }, + "derived": { + "type": "boolean", + "description": "Enables key derivation mode. This allows for per-transaction unique keys for encryption operations." + }, + "exportable": { + "type": "boolean", + "description": "Enables keys to be exportable. This allows for all the valid keys in the key ring to be exported." + }, + "hash_function": { + "type": "string", + "description": "The hash function used as a random oracle in the OAEP wrapping of the user-generated, ephemeral AES key. 
Can be one of \"SHA1\", \"SHA224\", \"SHA256\" (default), \"SHA384\", or \"SHA512\"", + "default": "SHA256" + }, + "public_key": { + "type": "string", + "description": "The plaintext PEM public key to be imported. If \"ciphertext\" is set, this field is ignored." + }, + "type": { + "type": "string", + "description": "The type of key being imported. Currently, \"aes128-gcm96\" (symmetric), \"aes256-gcm96\" (symmetric), \"ecdsa-p256\" (asymmetric), \"ecdsa-p384\" (asymmetric), \"ecdsa-p521\" (asymmetric), \"ed25519\" (asymmetric), \"rsa-2048\" (asymmetric), \"rsa-3072\" (asymmetric), \"rsa-4096\" (asymmetric) are supported. Defaults to \"aes256-gcm96\".", + "default": "aes256-gcm96" + } + } + }, + "TransitImportKeyVersionRequest": { + "type": "object", + "properties": { + "ciphertext": { + "type": "string", + "description": "The base64-encoded ciphertext of the keys. The AES key should be encrypted using OAEP with the wrapping key and then concatenated with the import key, wrapped by the AES key." + }, + "hash_function": { + "type": "string", + "description": "The hash function used as a random oracle in the OAEP wrapping of the user-generated, ephemeral AES key. Can be one of \"SHA1\", \"SHA224\", \"SHA256\" (default), \"SHA384\", or \"SHA512\"", + "default": "SHA256" + }, + "public_key": { + "type": "string", + "description": "The plaintext public key to be imported. If \"ciphertext\" is set, this field is ignored." + }, + "version": { + "type": "integer", + "description": "Key version to be updated, if left empty, a new version will be created unless a private key is specified and the 'Latest' key is missing a private key." + } + } + }, + "TransitRestoreAndRenameKeyRequest": { + "type": "object", + "properties": { + "backup": { + "type": "string", + "description": "Backed up key data to be restored. This should be the output from the 'backup/' endpoint." 
+ }, + "force": { + "type": "boolean", + "description": "If set and a key by the given name exists, force the restore operation and override the key.", + "default": false + } + } + }, + "TransitRestoreKeyRequest": { + "type": "object", + "properties": { + "backup": { + "type": "string", + "description": "Backed up key data to be restored. This should be the output from the 'backup/' endpoint." + }, + "force": { + "type": "boolean", + "description": "If set and a key by the given name exists, force the restore operation and override the key.", + "default": false + } + } + }, + "TransitRewrapRequest": { + "type": "object", + "properties": { + "batch_input": { + "type": "array", + "description": "Specifies a list of items to be re-encrypted in a single batch. When this parameter is set, if the parameters 'ciphertext', 'context' and 'nonce' are also set, they will be ignored. Any batch output will preserve the order of the batch input.", + "items": { + "type": "object" + } + }, + "ciphertext": { + "type": "string", + "description": "Ciphertext value to rewrap" + }, + "context": { + "type": "string", + "description": "Base64 encoded context for key derivation. Required for derived keys." + }, + "key_version": { + "type": "integer", + "description": "The version of the key to use for encryption. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key." 
+ }, + "nonce": { + "type": "string", + "description": "Nonce for when convergent encryption is used" + } + } + }, + "TransitRotateKeyRequest": { + "type": "object", + "properties": { + "managed_key_id": { + "type": "string", + "description": "The UUID of the managed key to use for the new version of this transit key" + }, + "managed_key_name": { + "type": "string", + "description": "The name of the managed key to use for the new version of this transit key" + } + } + }, + "TransitSetCertificateForKeyRequest": { + "type": "object", + "properties": { + "certificate_chain": { + "type": "string", + "description": "PEM encoded certificate chain. It should be composed by one or more concatenated PEM blocks and ordered starting from the end-entity certificate." + }, + "version": { + "type": "integer", + "description": "Optional version of key, 'latest' if not set" + } + }, + "required": [ + "certificate_chain" + ] + }, + "TransitSignRequest": { + "type": "object", + "properties": { + "algorithm": { + "type": "string", + "description": "Deprecated: use \"hash_algorithm\" instead.", + "default": "sha2-256" + }, + "batch_input": { + "type": "array", + "description": "Specifies a list of items for processing. When this parameter is set, any supplied 'input' or 'context' parameters will be ignored. Responses are returned in the 'batch_results' array component of the 'data' element of the response. Any batch output will preserve the order of the batch input", + "items": { + "type": "object" + } + }, + "context": { + "type": "string", + "description": "Base64 encoded context for key derivation. Required if key derivation is enabled; currently only available with ed25519 keys." + }, + "hash_algorithm": { + "type": "string", + "description": "Hash algorithm to use (POST body parameter). Valid values are: * sha1 * sha2-224 * sha2-256 * sha2-384 * sha2-512 * sha3-224 * sha3-256 * sha3-384 * sha3-512 * none Defaults to \"sha2-256\". Not valid for all key types, including ed25519. 
Using none requires setting prehashed=true and signature_algorithm=pkcs1v15, yielding a PKCSv1_5_NoOID instead of the usual PKCSv1_5_DERnull signature.", + "default": "sha2-256" + }, + "input": { + "type": "string", + "description": "The base64-encoded input data" + }, + "key_version": { + "type": "integer", + "description": "The version of the key to use for signing. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key." + }, + "marshaling_algorithm": { + "type": "string", + "description": "The method by which to marshal the signature. The default is 'asn1' which is used by openssl and X.509. It can also be set to 'jws' which is used for JWT signatures; setting it to this will also cause the encoding of the signature to be url-safe base64 instead of using standard base64 encoding. Currently only valid for ECDSA P-256 key types\".", + "default": "asn1" + }, + "prehashed": { + "type": "boolean", + "description": "Set to 'true' when the input is already hashed. If the key type is 'rsa-2048', 'rsa-3072' or 'rsa-4096', then the algorithm used to hash the input should be indicated by the 'algorithm' parameter." + }, + "salt_length": { + "type": "string", + "description": "The salt length used to sign. Currently only applies to the RSA PSS signature scheme. Options are 'auto' (the default used by Golang, causing the salt to be as large as possible when signing), 'hash' (causes the salt length to equal the length of the hash used in the signature), or an integer between the minimum and the maximum permissible salt lengths for the given RSA key size. Defaults to 'auto'.", + "default": "auto" + }, + "signature_algorithm": { + "type": "string", + "description": "The signature algorithm to use for signing. Currently only applies to RSA key types. Options are 'pss' or 'pkcs1v15'. 
Defaults to 'pss'" + } + } + }, + "TransitSignWithAlgorithmRequest": { + "type": "object", + "properties": { + "algorithm": { + "type": "string", + "description": "Deprecated: use \"hash_algorithm\" instead.", + "default": "sha2-256" + }, + "batch_input": { + "type": "array", + "description": "Specifies a list of items for processing. When this parameter is set, any supplied 'input' or 'context' parameters will be ignored. Responses are returned in the 'batch_results' array component of the 'data' element of the response. Any batch output will preserve the order of the batch input", + "items": { + "type": "object" + } + }, + "context": { + "type": "string", + "description": "Base64 encoded context for key derivation. Required if key derivation is enabled; currently only available with ed25519 keys." + }, + "hash_algorithm": { + "type": "string", + "description": "Hash algorithm to use (POST body parameter). Valid values are: * sha1 * sha2-224 * sha2-256 * sha2-384 * sha2-512 * sha3-224 * sha3-256 * sha3-384 * sha3-512 * none Defaults to \"sha2-256\". Not valid for all key types, including ed25519. Using none requires setting prehashed=true and signature_algorithm=pkcs1v15, yielding a PKCSv1_5_NoOID instead of the usual PKCSv1_5_DERnull signature.", + "default": "sha2-256" + }, + "input": { + "type": "string", + "description": "The base64-encoded input data" + }, + "key_version": { + "type": "integer", + "description": "The version of the key to use for signing. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key." + }, + "marshaling_algorithm": { + "type": "string", + "description": "The method by which to marshal the signature. The default is 'asn1' which is used by openssl and X.509. It can also be set to 'jws' which is used for JWT signatures; setting it to this will also cause the encoding of the signature to be url-safe base64 instead of using standard base64 encoding. 
Currently only valid for ECDSA P-256 key types\".", + "default": "asn1" + }, + "prehashed": { + "type": "boolean", + "description": "Set to 'true' when the input is already hashed. If the key type is 'rsa-2048', 'rsa-3072' or 'rsa-4096', then the algorithm used to hash the input should be indicated by the 'algorithm' parameter." + }, + "salt_length": { + "type": "string", + "description": "The salt length used to sign. Currently only applies to the RSA PSS signature scheme. Options are 'auto' (the default used by Golang, causing the salt to be as large as possible when signing), 'hash' (causes the salt length to equal the length of the hash used in the signature), or an integer between the minimum and the maximum permissible salt lengths for the given RSA key size. Defaults to 'auto'.", + "default": "auto" + }, + "signature_algorithm": { + "type": "string", + "description": "The signature algorithm to use for signing. Currently only applies to RSA key types. Options are 'pss' or 'pkcs1v15'. Defaults to 'pss'" + } + } + }, + "TransitTrimKeyRequest": { + "type": "object", + "properties": { + "min_available_version": { + "type": "integer", + "description": "The minimum available version for the key ring. All versions before this version will be permanently deleted. This value can at most be equal to the lesser of 'min_decryption_version' and 'min_encryption_version'. This is not allowed to be set when either 'min_encryption_version' or 'min_decryption_version' is set to zero." + } + } + }, + "TransitVerifyRequest": { + "type": "object", + "properties": { + "algorithm": { + "type": "string", + "description": "Deprecated: use \"hash_algorithm\" instead.", + "default": "sha2-256" + }, + "batch_input": { + "type": "array", + "description": "Specifies a list of items for processing. When this parameter is set, any supplied 'input', 'hmac' or 'signature' parameters will be ignored. 
Responses are returned in the 'batch_results' array component of the 'data' element of the response. Any batch output will preserve the order of the batch input", + "items": { + "type": "object" + } + }, + "context": { + "type": "string", + "description": "Base64 encoded context for key derivation. Required if key derivation is enabled; currently only available with ed25519 keys." + }, + "hash_algorithm": { + "type": "string", + "description": "Hash algorithm to use (POST body parameter). Valid values are: * sha1 * sha2-224 * sha2-256 * sha2-384 * sha2-512 * sha3-224 * sha3-256 * sha3-384 * sha3-512 * none Defaults to \"sha2-256\". Not valid for all key types. See note about none on signing path.", + "default": "sha2-256" + }, + "hmac": { + "type": "string", + "description": "The HMAC, including vault header/key version" + }, + "input": { + "type": "string", + "description": "The base64-encoded input data to verify" + }, + "marshaling_algorithm": { + "type": "string", + "description": "The method by which to unmarshal the signature when verifying. The default is 'asn1' which is used by openssl and X.509; can also be set to 'jws' which is used for JWT signatures in which case the signature is also expected to be url-safe base64 encoding instead of standard base64 encoding. Currently only valid for ECDSA P-256 key types\".", + "default": "asn1" + }, + "prehashed": { + "type": "boolean", + "description": "Set to 'true' when the input is already hashed. If the key type is 'rsa-2048', 'rsa-3072' or 'rsa-4096', then the algorithm used to hash the input should be indicated by the 'algorithm' parameter." + }, + "salt_length": { + "type": "string", + "description": "The salt length used to sign. Currently only applies to the RSA PSS signature scheme. 
Options are 'auto' (the default used by Golang, causing the salt to be as large as possible when signing), 'hash' (causes the salt length to equal the length of the hash used in the signature), or an integer between the minimum and the maximum permissible salt lengths for the given RSA key size. Defaults to 'auto'.", + "default": "auto" + }, + "signature": { + "type": "string", + "description": "The signature, including vault header/key version" + }, + "signature_algorithm": { + "type": "string", + "description": "The signature algorithm to use for signature verification. Currently only applies to RSA key types. Options are 'pss' or 'pkcs1v15'. Defaults to 'pss'" + } + } + }, + "TransitVerifyWithAlgorithmRequest": { + "type": "object", + "properties": { + "algorithm": { + "type": "string", + "description": "Deprecated: use \"hash_algorithm\" instead.", + "default": "sha2-256" + }, + "batch_input": { + "type": "array", + "description": "Specifies a list of items for processing. When this parameter is set, any supplied 'input', 'hmac' or 'signature' parameters will be ignored. Responses are returned in the 'batch_results' array component of the 'data' element of the response. Any batch output will preserve the order of the batch input", + "items": { + "type": "object" + } + }, + "context": { + "type": "string", + "description": "Base64 encoded context for key derivation. Required if key derivation is enabled; currently only available with ed25519 keys." + }, + "hash_algorithm": { + "type": "string", + "description": "Hash algorithm to use (POST body parameter). Valid values are: * sha1 * sha2-224 * sha2-256 * sha2-384 * sha2-512 * sha3-224 * sha3-256 * sha3-384 * sha3-512 * none Defaults to \"sha2-256\". Not valid for all key types. 
See note about none on signing path.", + "default": "sha2-256" + }, + "hmac": { + "type": "string", + "description": "The HMAC, including vault header/key version" + }, + "input": { + "type": "string", + "description": "The base64-encoded input data to verify" + }, + "marshaling_algorithm": { + "type": "string", + "description": "The method by which to unmarshal the signature when verifying. The default is 'asn1' which is used by openssl and X.509; can also be set to 'jws' which is used for JWT signatures in which case the signature is also expected to be url-safe base64 encoding instead of standard base64 encoding. Currently only valid for ECDSA P-256 key types\".", + "default": "asn1" + }, + "prehashed": { + "type": "boolean", + "description": "Set to 'true' when the input is already hashed. If the key type is 'rsa-2048', 'rsa-3072' or 'rsa-4096', then the algorithm used to hash the input should be indicated by the 'algorithm' parameter." + }, + "salt_length": { + "type": "string", + "description": "The salt length used to sign. Currently only applies to the RSA PSS signature scheme. Options are 'auto' (the default used by Golang, causing the salt to be as large as possible when signing), 'hash' (causes the salt length to equal the length of the hash used in the signature), or an integer between the minimum and the maximum permissible salt lengths for the given RSA key size. Defaults to 'auto'.", + "default": "auto" + }, + "signature": { + "type": "string", + "description": "The signature, including vault header/key version" + }, + "signature_algorithm": { + "type": "string", + "description": "The signature algorithm to use for signature verification. Currently only applies to RSA key types. Options are 'pss' or 'pkcs1v15'. 
Defaults to 'pss'" + } + } + }, + "UiHeadersConfigureRequest": { + "type": "object", + "properties": { + "multivalue": { + "type": "boolean", + "description": "Returns multiple values if true" + }, + "values": { + "type": "array", + "description": "The values to set the header.", + "items": { + "type": "string" + } + } + } + }, + "UiHeadersListResponse": { + "type": "object", + "properties": { + "keys": { + "type": "array", + "description": "Lists of configured UI headers. Omitted if list is empty", + "items": { + "type": "string" + } + } + } + }, + "UiHeadersReadConfigurationResponse": { + "type": "object", + "properties": { + "value": { + "type": "string", + "description": "returns the first header value when `multivalue` request parameter is false" + }, + "values": { + "type": "array", + "description": "returns all header values when `multivalue` request parameter is true", + "items": { + "type": "string" + } + } + } + }, + "UnsealRequest": { + "type": "object", + "properties": { + "key": { + "type": "string", + "description": "Specifies a single unseal key share. This is required unless reset is true." + }, + "reset": { + "type": "boolean", + "description": "Specifies if previously-provided unseal keys are discarded and the unseal process is reset." 
+ } + } + }, + "UnsealResponse": { + "type": "object", + "properties": { + "build_date": { + "type": "string" + }, + "cluster_id": { + "type": "string" + }, + "cluster_name": { + "type": "string" + }, + "hcp_link_resource_ID": { + "type": "string" + }, + "hcp_link_status": { + "type": "string" + }, + "initialized": { + "type": "boolean" + }, + "migration": { + "type": "boolean" + }, + "n": { + "type": "integer" + }, + "nonce": { + "type": "string" + }, + "progress": { + "type": "integer" + }, + "recovery_seal": { + "type": "boolean" + }, + "sealed": { + "type": "boolean" + }, + "storage_type": { + "type": "string" + }, + "t": { + "type": "integer" + }, + "type": { + "type": "string" + }, + "version": { + "type": "string" + } + } + }, + "UnwrapRequest": { + "type": "object", + "properties": { + "token": { + "type": "string" + } + } + }, + "UserpassLoginRequest": { + "type": "object", + "properties": { + "password": { + "type": "string", + "description": "Password for this user." + } + } + }, + "UserpassResetPasswordRequest": { + "type": "object", + "properties": { + "password": { + "type": "string", + "description": "Password for this user." + } + } + }, + "UserpassUpdatePoliciesRequest": { + "type": "object", + "properties": { + "policies": { + "type": "array", + "description": "Use \"token_policies\" instead. If this and \"token_policies\" are both specified, only \"token_policies\" will be used.", + "items": { + "type": "string" + }, + "deprecated": true + }, + "token_policies": { + "type": "array", + "description": "Comma-separated list of policies", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "description": "A list of policies that will apply to the generated token for this user." + } + } + } + }, + "UserpassWriteUserRequest": { + "type": "object", + "properties": { + "bound_cidrs": { + "type": "array", + "description": "Use \"token_bound_cidrs\" instead. 
If this and \"token_bound_cidrs\" are both specified, only \"token_bound_cidrs\" will be used.", + "items": { + "type": "string" + }, + "deprecated": true + }, + "max_ttl": { + "type": "string", + "description": "Use \"token_max_ttl\" instead. If this and \"token_max_ttl\" are both specified, only \"token_max_ttl\" will be used.", + "format": "duration", + "deprecated": true + }, + "password": { + "type": "string", + "description": "Password for this user.", + "x-vault-displayAttrs": { + "sensitive": true + } + }, + "policies": { + "type": "array", + "description": "Use \"token_policies\" instead. If this and \"token_policies\" are both specified, only \"token_policies\" will be used.", + "items": { + "type": "string" + }, + "deprecated": true + }, + "token_bound_cidrs": { + "type": "array", + "description": "Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Generated Token's Bound CIDRs", + "description": "A list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "group": "Tokens" + } + }, + "token_explicit_max_ttl": { + "type": "string", + "description": "If set, tokens created via this role carry an explicit maximum TTL. 
During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Explicit Maximum TTL", + "group": "Tokens" + } + }, + "token_max_ttl": { + "type": "string", + "description": "The maximum lifetime of the generated token", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Maximum TTL", + "group": "Tokens" + } + }, + "token_no_default_policy": { + "type": "boolean", + "description": "If true, the 'default' policy will not automatically be added to generated tokens", + "x-vault-displayAttrs": { + "name": "Do Not Attach 'default' Policy To Generated Tokens", + "group": "Tokens" + } + }, + "token_num_uses": { + "type": "integer", + "description": "The maximum number of times a token may be used, a value of zero means unlimited", + "x-vault-displayAttrs": { + "name": "Maximum Uses of Generated Tokens", + "group": "Tokens" + } + }, + "token_period": { + "type": "string", + "description": "If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. 
\"24h\").", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Period", + "group": "Tokens" + } + }, + "token_policies": { + "type": "array", + "description": "Comma-separated list of policies", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Generated Token's Policies", + "description": "A list of policies that will apply to the generated token for this user.", + "group": "Tokens" + } + }, + "token_ttl": { + "type": "string", + "description": "The initial ttl of the token to generate", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Initial TTL", + "group": "Tokens" + } + }, + "token_type": { + "type": "string", + "description": "The type of token to generate, service or batch", + "default": "default-service", + "x-vault-displayAttrs": { + "name": "Generated Token's Type", + "group": "Tokens" + } + }, + "ttl": { + "type": "string", + "description": "Use \"token_ttl\" instead. If this and \"token_ttl\" are both specified, only \"token_ttl\" will be used.", + "format": "duration", + "deprecated": true + } + } + }, + "VersionHistoryResponse": { + "type": "object", + "properties": { + "key_info": { + "type": "object", + "format": "kvpairs" + }, + "keys": { + "type": "array", + "items": { + "type": "string" + } + } + } + } + } + } +}