secrets tune
The secrets tune
command tunes the configuration options for the secrets
engine at the given PATH. The argument corresponds to the PATH where the secrets
engine is enabled, not the type.
Examples
Before tuning the secret mount, view the current configuration of the mount enabled at "pki/":
$ vault read sys/mounts/pki/tuneKey Value--- -----default_lease_ttl 12hdescription Example PKI mountforce_no_cache falsemax_lease_ttl 24h
Tune the default lease, exclude common_name
and serial_number
from being HMAC'd in the audit log for the PKI secrets engine:
$ vault secrets tune -default-lease-ttl=18h -audit-non-hmac-request-keys=common_name -audit-non-hmac-response-keys=serial_number pki/Success! Tuned the secrets engine at: pki/ $ vault read sys/mounts/pki/tuneKey Value--- -----audit_non_hmac_request_keys [common_name]audit_non_hmac_response_keys [serial_number]default_lease_ttl 18hdescription Example PKI mountforce_no_cache falsemax_lease_ttl 24h
Specify multiple audit non-hmac request keys:
$ vault secrets tune -audit-non-hmac-request-keys=common_name -audit-non-hmac-request-keys=ttl pki/
Usage
The following flags are available in addition to the standard set of flags included on all commands.
-allowed-response-headers
(string: "")
- response header values that the secrets engine will be allowed to set. Note that multiple keys may be specified by providing this option multiple times, each time with 1 key.-audit-non-hmac-request-keys
(string: "")
- Key that will not be HMAC'd by audit devices in the request data object. Note that multiple keys may be specified by providing this option multiple times, each time with 1 key.-audit-non-hmac-response-keys
(string: "")
- Key that will not be HMAC'd by audit devices in the response data object. Note that multiple keys may be specified by providing this option multiple times, each time with 1 key.-default-lease-ttl
(duration: "")
- The default lease TTL for this secrets engine. If unspecified, this defaults to the Vault server's globally configured default lease TTL, or a previously configured value for the secrets engine.-description
(string: "")
- Specifies the description of the mount. This overrides the current stored value, if any.-listing-visibility
(string: "")
- The flag to toggle whether to show the mount in the UI-specific listing endpoint. Valid values are"unauth"
or"hidden"
. Passing empty string leaves the current setting unchanged.-max-lease-ttl
(duration: "")
- The maximum lease TTL for this secrets engine. If unspecified, this defaults to the Vault server's globally configured maximum lease TTL, or a previously configured value for the secrets engine. This value is allowed to override the server's global max TTL; it can be longer or shorter.-passthrough-request-headers
(string: "")
- request header values that will be sent to the secrets engine. Note that multiple keys may be specified by providing this option multiple times, each time with 1 key.-allowed-managed-keys
(string: "")
- Managed key name(s) that the mount in question is allowed to access. Note that multiple keys may be specified either by providing the key names as a comma separated string or by providing this option multiple times, each time with 1 key.