secrets tune
The secrets tune
command tunes the configuration options for the secrets
engine at the given PATH. The argument corresponds to the PATH where the secrets
engine is enabled, not the type.
Examples
Before tuning the secret mount, view the current configuration of the mount enabled at "pki/":
$ vault read sys/mounts/pki/tuneKey Value--- -----default_lease_ttl 12hdescription Example PKI mountforce_no_cache falsemax_lease_ttl 24h
Tune the default lease, exclude common_name
and serial_number
from being HMAC'd in the audit log for the PKI secrets engine:
$ vault secrets tune -default-lease-ttl=18h -audit-non-hmac-request-keys=common_name -audit-non-hmac-response-keys=serial_number pki/Success! Tuned the secrets engine at: pki/ $ vault read sys/mounts/pki/tuneKey Value--- -----audit_non_hmac_request_keys [common_name]audit_non_hmac_response_keys [serial_number]default_lease_ttl 18hdescription Example PKI mountforce_no_cache falsemax_lease_ttl 24h
Specify multiple audit non-hmac request keys:
$ vault secrets tune -audit-non-hmac-request-keys=common_name -audit-non-hmac-request-keys=ttl pki/
Usage
The following flags are available in addition to the standard set of flags included on all commands.
-allowed-response-headers
(string: "")
- response header values that the secrets engine will be allowed to set. Note that multiple keys may be specified by providing this option multiple times, each time with 1 key.-audit-non-hmac-request-keys
(string: "")
- Key that will not be HMAC'd by audit devices in the request data object. Note that multiple keys may be specified by providing this option multiple times, each time with 1 key.-audit-non-hmac-response-keys
(string: "")
- Key that will not be HMAC'd by audit devices in the response data object. Note that multiple keys may be specified by providing this option multiple times, each time with 1 key.-default-lease-ttl
(duration: "")
- The default lease TTL for this secrets engine. If unspecified, this defaults to the Vault server's globally configured default lease TTL, or a previously configured value for the secrets engine. Uses duration format strings.-description
(string: "")
- Specifies the description of the mount. This overrides the current stored value, if any.-listing-visibility
(string: "")
- The flag to toggle whether to show the mount in the UI-specific listing endpoint. Valid values are"unauth"
or"hidden"
. Passing empty string leaves the current setting unchanged.-max-lease-ttl
(duration: "")
- The maximum lease TTL for this secrets engine. If unspecified, this defaults to the Vault server's globally configured maximum lease TTL, or a previously configured value for the secrets engine. This value is allowed to override the server's global max TTL; it can be longer or shorter. Uses duration format strings.-passthrough-request-headers
(string: "")
- request header values that will be sent to the secrets engine. Note that multiple keys may be specified by providing this option multiple times, each time with 1 key.-allowed-managed-keys
(string: "")
- Managed key name(s) that the mount in question is allowed to access. Note that multiple keys may be specified by providing this option multiple times, each time with 1 key.-delegated-auth-accessors
(string: "")
- An authorized accessor the auth backend can delegate authentication to. To allow multiple accessors, provide thedelegated-auth-accessors
multiple times, each time with 1 accessor.-plugin-version
(string: "")
- Configures the semantic version of the plugin to use. The new version will not start running until the mount is reloaded.