From fe3daa411ae09f57c38e648f9a9eec54c073b6ca Mon Sep 17 00:00:00 2001 From: Bryce Kalow Date: Thu, 22 Sep 2022 10:11:04 -0500 Subject: [PATCH] website: content updates for developer (#17035) * Chore (dev portal): update learn nav data links (#15515) * Update docs-nav-data.json * Update docs-nav-data.json * website: fixes internal redirects (#15750) * chore: remove duplicate overview item (#15805) * Use `badge` for `` tags in nav data JSON files (#15928) * Replacing tags with badge * Adding type and color to badges * fix broken links in vault docs (#15976) * website: Update old learn links to redirect locations (#16047) * update previews to render developer UI * update redirects * adjust content so it is backwards compat Co-authored-by: HashiBot <62622282+hashibot-web@users.noreply.github.com> Co-authored-by: Kendall Strautman <36613477+kendallstrautman@users.noreply.github.com> Co-authored-by: Ashlee M Boyer <43934258+ashleemboyer@users.noreply.github.com> --- website/Makefile | 3 +- website/content/api-docs/auth/jwt.mdx | 2 +- website/content/api-docs/index.mdx | 2 +- website/content/api-docs/relatedtools.mdx | 3 +- website/content/api-docs/secret/azure.mdx | 2 +- website/content/api-docs/secret/cassandra.mdx | 6 +- website/content/api-docs/secret/consul.mdx | 4 +- .../api-docs/secret/databases/cassandra.mdx | 2 +- .../api-docs/secret/databases/couchbase.mdx | 2 +- .../api-docs/secret/databases/elasticdb.mdx | 2 +- .../api-docs/secret/databases/hanadb.mdx | 2 +- .../api-docs/secret/databases/influxdb.mdx | 2 +- .../api-docs/secret/databases/mongodb.mdx | 2 +- .../secret/databases/mongodbatlas.mdx | 2 +- .../api-docs/secret/databases/mssql.mdx | 2 +- .../api-docs/secret/databases/mysql-maria.mdx | 2 +- .../api-docs/secret/databases/oracle.mdx | 2 +- .../api-docs/secret/databases/postgresql.mdx | 2 +- .../api-docs/secret/databases/redshift.mdx | 2 +- .../api-docs/secret/databases/snowflake.mdx | 2 +- website/content/api-docs/secret/gcp.mdx | 2 +- .../api-docs/secret/identity/mfa/duo.mdx | 12 +- .../api-docs/secret/identity/mfa/index.mdx | 12 +- .../api-docs/secret/identity/mfa/okta.mdx | 10 +- .../api-docs/secret/identity/mfa/pingid.mdx | 10 +- .../api-docs/secret/identity/mfa/totp.mdx | 20 +-- website/content/api-docs/secret/kv/index.mdx | 4 +- website/content/api-docs/secret/kv/kv-v2.mdx | 2 +- website/content/api-docs/secret/nomad.mdx | 2 +- website/content/api-docs/secret/terraform.mdx | 2 +- website/content/api-docs/secret/transit.mdx | 2 +- website/content/api-docs/system/mfa/index.mdx | 8 +- website/content/api-docs/system/mounts.mdx | 5 +- website/content/docs/audit/index.mdx | 2 +- website/content/docs/auth/azure.mdx | 2 +- website/content/docs/auth/jwt/index.mdx | 86 ++++++------ .../docs/commands/operator/generate-root.mdx | 2 +- .../content/docs/commands/operator/rekey.mdx | 4 +- .../docs/concepts/client-count/faq.mdx | 4 +- website/content/docs/concepts/dev-server.mdx | 2 +- .../concepts/integrated-storage/autopilot.mdx | 2 - website/content/docs/concepts/policies.mdx | 38 +++--- website/content/docs/concepts/storage.mdx | 4 +- website/content/docs/concepts/tokens.mdx | 24 ++-- website/content/docs/configuration/index.mdx | 2 +- .../content/docs/configuration/sentinel.mdx | 2 +- .../service-registration/consul.mdx | 2 +- .../service-registration/index.mdx | 2 +- .../docs/configuration/storage/index.mdx | 2 +- .../content/docs/enterprise/license/faq.mdx | 2 +- website/content/docs/faq/ssct.mdx | 2 +- website/content/docs/index.mdx | 2 +- website/content/docs/internals/limits.mdx | 2 +- website/content/docs/internals/telemetry.mdx | 24 +++- website/content/docs/partnerships.mdx | 20 +-- .../content/docs/platform/k8s/helm/index.mdx | 2 +- .../docs/platform/k8s/helm/terraform.mdx | 2 +- website/content/docs/release-notes/1.10.0.mdx | 2 +- website/content/docs/release-notes/1.9.0.mdx | 4 +- website/content/docs/secrets/consul.mdx | 2 +- .../docs/secrets/databases/elasticdb.mdx | 124 +++++++++--------- .../content/docs/secrets/databases/index.mdx | 6 +- .../docs/secrets/databases/mysql-maria.mdx | 90 ++++++------- .../docs/secrets/identity/oidc-provider.mdx | 8 +- website/content/docs/secrets/nomad.mdx | 4 +- .../docs/secrets/pki/considerations.mdx | 2 +- website/content/docs/secrets/terraform.mdx | 6 +- website/content/docs/what-is-vault.mdx | 2 +- website/data/api-docs-nav-data.json | 41 ++++-- website/data/docs-nav-data.json | 56 ++++++-- website/scripts/website-build.sh | 4 +- website/scripts/website-start.sh | 4 +- 72 files changed, 411 insertions(+), 319 deletions(-) diff --git a/website/Makefile b/website/Makefile index 5e2815dec8a01..a2f37a3127cbd 100644 --- a/website/Makefile +++ b/website/Makefile @@ -13,7 +13,8 @@ DOCKER_RUN_FLAGS=-it \ --volume "$(PWD)/redirects.js:/app/redirects.js" \ --volume "next-dir:/app/website-preview/.next" \ --volume "$(PWD)/.env:/app/.env" \ - -e "REPO=vault" + -e "REPO=vault" \ + -e "PREVIEW_MODE=io" # Default: run this if working on the website locally to run in watch mode. .PHONY: website diff --git a/website/content/api-docs/auth/jwt.mdx b/website/content/api-docs/auth/jwt.mdx index 71bf3cc55b251..a2901f6077766 100644 --- a/website/content/api-docs/auth/jwt.mdx +++ b/website/content/api-docs/auth/jwt.mdx @@ -303,7 +303,7 @@ Obtain an authorization URL from Vault to start an OIDC login flow. - `role` `(string: )` - Name of the role against which the login is being attempted. Defaults to configured `default_role` if not provided. - `redirect_uri` `(string: )` - Path to the callback to complete the login. This will be - of the form, "https://.../oidc/callback" where the leading portion is dependent on your Vault + of the form, "https://.../oidc/callback" where the leading portion is dependent on your Vault server location, port, and the mount of the JWT plugin. This must be configured with Vault and the provider. See [Redirect URIs](/docs/auth/jwt#redirect-uris) for more information. - `client_nonce` `(string: )` - Optional client-provided nonce that diff --git a/website/content/api-docs/index.mdx b/website/content/api-docs/index.mdx index e26a00bd9cc38..c7d2b275e1ef9 100644 --- a/website/content/api-docs/index.mdx +++ b/website/content/api-docs/index.mdx @@ -196,7 +196,7 @@ To retrieve the help for any API within Vault, including mounted backends, auth methods, etc. then append `?help=1` to any URL. If you have valid permission to access the path, then the help text will be return a markdown-formatted block in the `help` attribute of the response. -Additionally, with the [OpenAPI generation](/api/system/internal-specs-openapi) in Vault, you will get back a small +Additionally, with the [OpenAPI generation](/api-docs/system/internal-specs-openapi) in Vault, you will get back a small OpenAPI document in the `openapi` attribute. This document is relevant for the path you're looking up and any paths under it - also note paths in the OpenAPI document are relative to the initial path queried. Example request: diff --git a/website/content/api-docs/relatedtools.mdx b/website/content/api-docs/relatedtools.mdx index 31de81c43c59e..c64c154d86155 100644 --- a/website/content/api-docs/relatedtools.mdx +++ b/website/content/api-docs/relatedtools.mdx @@ -8,7 +8,7 @@ description: Short list of third-party tools that work with or are related to Va ## Hashicorp Tools -- The [Terraform Vault provider](https://www.terraform.io/docs/providers/vault/index.html) can read from, write to, and configure Vault from [HashiCorp Terraform](https://www.terraform.io/) +- The [Terraform Vault provider](https://registry.terraform.io/providers/hashicorp/vault/latest/docs) can read from, write to, and configure Vault from [HashiCorp Terraform](https://www.terraform.io/) - [consul-template](https://github.com/hashicorp/consul-template) is a template renderer, notifier, and supervisor for HashiCorp Consul and Vault data - [envconsul](https://github.com/hashicorp/envconsul) allows you to read and set environmental variables for processes from Consul and Vault data - The [vault-ssh-helper](https://github.com/hashicorp/vault-ssh-helper) can be used to enable one-time passwords for SSH authentication via Vault @@ -31,7 +31,6 @@ The following list of tools is maintained by the community of Vault users; Hashi - [Docker credential helper](https://github.com/morningconsult/docker-credential-vault-login) - A program that automatically reads Docker credentials from your Vault server and passes them to the Docker daemon to authenticate to your Docker registry when pulling an image - [Cruise Daytona](https://github.com/cruise-automation/daytona) - An alternative implementation of the Vault client CLI for services and containers. Its core features are the ability to automate authentication, fetching of secrets, and automated token renewal. Support for AWS, GCP, & Kubernetes Vault Auth Backends. - [Vault-CRD](https://vault.koudingspawn.de/) - Synchronize secrets stored in HashiCorp Vault to Kubernetes Secrets for better GitOps without secrets stored in git manifest files. -- [nc-vault-env](https://github.com/namecheap/nc-vault-env) - JS CLI tool that fetches secrets in parallel, puts them into the environment and then `exec`s the process that needs them. Supports auth token renewal, multiple auth backends, verbose logging and dummy mode. - [vsh](https://github.com/fishi0x01/vsh) - Interactive shell with tab-completion. Allows recursive operations on paths. Allows migration of secrets between both KV versions. - [HashiBox](https://github.com/nunchistudio/hashibox) - Vagrant environment to simulate highly-available cloud with Consul, Nomad, Vault, and optional support for Waypoint. OSS & Enterprise supported. - [vkv](https://github.com/FalcoSuessgott/vkv) - Recursively list key-values entries from Vaults KV2 engine in various formats. diff --git a/website/content/api-docs/secret/azure.mdx b/website/content/api-docs/secret/azure.mdx index 3cee9179b8a6b..4ffc23e77b15c 100644 --- a/website/content/api-docs/secret/azure.mdx +++ b/website/content/api-docs/secret/azure.mdx @@ -360,7 +360,7 @@ $ vault read azure/creds/my-role ## Revoking/Renewing Secrets -See docs on how to [renew](/api/system/leases#renew-lease) and [revoke](/api/system/leases#revoke-lease) leases. +See docs on how to [renew](/api/system/leases#renew-lease) and [revoke](/api-docs/system/leases#revoke-lease) leases. [docs]: /docs/secrets/azure [roles]: /docs/secrets/azure#roles diff --git a/website/content/api-docs/secret/cassandra.mdx b/website/content/api-docs/secret/cassandra.mdx index 229c804bfed4e..1cd829e598e39 100644 --- a/website/content/api-docs/secret/cassandra.mdx +++ b/website/content/api-docs/secret/cassandra.mdx @@ -11,12 +11,12 @@ description: This is the API documentation for the Vault Cassandra secrets engin ~> **Deprecation Note:** This backend is deprecated in favor of the combined databases backend added in v0.7.1. See the API documentation for the new implementation of this backend at -[Cassandra database plugin HTTP API](/api/secret/databases/cassandra). +[Cassandra database plugin HTTP API](/api-docs/secret/databases/cassandra). This is the API documentation for the Vault Cassandra secrets engine. For general information about the usage and operation of the Cassandra backend, please see the -[Vault Cassandra backend documentation](/docs/secrets/cassandra). +[Vault Cassandra backend documentation](/docs/secrets/databases/cassandra). This documentation assumes the Cassandra backend is mounted at the `/cassandra` path in Vault. Since it is possible to enable secrets engines at any location, @@ -197,7 +197,7 @@ $ curl \ This endpoint deletes the role definition. -| Method | Path | +| Method | Path | | | :------- | :----------------------- | --------------- | | `DELETE` | `/cassandra/roles/:name` | `204 (no body)` | diff --git a/website/content/api-docs/secret/consul.mdx b/website/content/api-docs/secret/consul.mdx index 4962a2f1cf148..c7dabed184c1f 100644 --- a/website/content/api-docs/secret/consul.mdx +++ b/website/content/api-docs/secret/consul.mdx @@ -160,11 +160,11 @@ To create a client token with service identities attached: - `token_type` DEPRECATED (1.11) `(string: "client")` - Specifies the type of token to create when using this role. Valid values are `"client"` or `"management"`. If a `"management"` token, the `policy` parameter is not required. Defaults to `"client`". [Deprecated from Consul as of 1.4 and - removed as of Consul 1.11.](https://www.consul.io/api/acl/legacy) + removed as of Consul 1.11.](https://www.consul.io/api-docs/acl/legacy) - `policy` DEPRECATED (1.11) `(string: "")` – Specifies the base64-encoded ACL policy. This is required unless the `token_type` is `"management"`. [Deprecated from Consul as of 1.4 and - removed as of Consul 1.11.](https://www.consul.io/api/acl/legacy) + removed as of Consul 1.11.](https://www.consul.io/api-docs/acl/legacy) - `policies` DEPRECATED (1.11) `(list: )` - Same as `consul_policies`. Deprecated in favor of using `consul_policies`. diff --git a/website/content/api-docs/secret/databases/cassandra.mdx b/website/content/api-docs/secret/databases/cassandra.mdx index fa3cb5cfa3657..a5762ce0f4018 100644 --- a/website/content/api-docs/secret/databases/cassandra.mdx +++ b/website/content/api-docs/secret/databases/cassandra.mdx @@ -173,7 +173,7 @@ $ curl \ Statements are configured during role creation and are used by the plugin to determine what is sent to the database on user creation, renewing, and revocation. For more information on configuring roles see the [Role -API](/api/secret/databases#create-role) in the database secrets engine docs. +API](/api-docs/secret/databases#create-role) in the database secrets engine docs. ### Parameters diff --git a/website/content/api-docs/secret/databases/couchbase.mdx b/website/content/api-docs/secret/databases/couchbase.mdx index 0ab5717f411a2..86f5f81f55bd2 100644 --- a/website/content/api-docs/secret/databases/couchbase.mdx +++ b/website/content/api-docs/secret/databases/couchbase.mdx @@ -102,7 +102,7 @@ $ curl \ Statements are configured during role creation and are used by the plugin to determine what is sent to the database on user creation, renewing, and revocation. For more information on configuring roles see the [Role -API](/api/secret/databases#create-role) in the database secrets engine docs. +API](/api-docs/secret/databases#create-role) in the database secrets engine docs. ### Parameters diff --git a/website/content/api-docs/secret/databases/elasticdb.mdx b/website/content/api-docs/secret/databases/elasticdb.mdx index 8a10e0238611c..ac2e22afd1802 100644 --- a/website/content/api-docs/secret/databases/elasticdb.mdx +++ b/website/content/api-docs/secret/databases/elasticdb.mdx @@ -68,7 +68,7 @@ $ curl \ Statements are configured during role creation and are used by the plugin to determine what is sent to the database on user creation, renewing, and revocation. For more information on configuring roles see the [Role -API](/api/secret/databases#create-role) in the database secrets engine docs. +API](/api-docs/secret/databases#create-role) in the database secrets engine docs. ### Parameters diff --git a/website/content/api-docs/secret/databases/hanadb.mdx b/website/content/api-docs/secret/databases/hanadb.mdx index 031a30a0aa3f1..fe93354473a2c 100644 --- a/website/content/api-docs/secret/databases/hanadb.mdx +++ b/website/content/api-docs/secret/databases/hanadb.mdx @@ -79,7 +79,7 @@ $ curl \ Statements are configured during role creation and are used by the plugin to determine what is sent to the database on user creation, renewing, and revocation. For more information on configuring roles see the [Role -API](/api/secret/databases#create-role) in the database secrets engine docs. +API](/api-docs/secret/databases#create-role) in the database secrets engine docs. ### Parameters diff --git a/website/content/api-docs/secret/databases/influxdb.mdx b/website/content/api-docs/secret/databases/influxdb.mdx index 734d64dd6a074..755857d353da3 100644 --- a/website/content/api-docs/secret/databases/influxdb.mdx +++ b/website/content/api-docs/secret/databases/influxdb.mdx @@ -107,7 +107,7 @@ $ curl \ Statements are configured during role creation and are used by the plugin to determine what is sent to the database on user creation, renewing, and revocation. For more information on configuring roles see the [Role -API](/api/secret/databases#create-role) in the database secrets engine docs. +API](/api-docs/secret/databases#create-role) in the database secrets engine docs. ### Parameters diff --git a/website/content/api-docs/secret/databases/mongodb.mdx b/website/content/api-docs/secret/databases/mongodb.mdx index d90f6aaf784d9..6f0a9e5c5cad9 100644 --- a/website/content/api-docs/secret/databases/mongodb.mdx +++ b/website/content/api-docs/secret/databases/mongodb.mdx @@ -103,7 +103,7 @@ $ curl \ Statements are configured during role creation and are used by the plugin to determine what is sent to the database on user creation, renewing, and revocation. For more information on configuring roles see the [Role -API](/api/secret/databases#create-role) in the database secrets engine docs. +API](/api-docs/secret/databases#create-role) in the database secrets engine docs. ### Parameters diff --git a/website/content/api-docs/secret/databases/mongodbatlas.mdx b/website/content/api-docs/secret/databases/mongodbatlas.mdx index 9c0611376de70..fb370e319a9b7 100644 --- a/website/content/api-docs/secret/databases/mongodbatlas.mdx +++ b/website/content/api-docs/secret/databases/mongodbatlas.mdx @@ -56,7 +56,7 @@ $ curl \ Statements are configured during Vault role creation and are used by the plugin to determine what is sent to MongoDB Atlas upon user creation, renewal, and -revocation. For more information on configuring roles see the [Role API](/api/secret/databases#create-role) +revocation. For more information on configuring roles see the [Role API](/api-docs/secret/databases#create-role) in the Database Secrets Engine docs. ### Parameters diff --git a/website/content/api-docs/secret/databases/mssql.mdx b/website/content/api-docs/secret/databases/mssql.mdx index 2989e8db7db96..8a0f7a4bbadcf 100644 --- a/website/content/api-docs/secret/databases/mssql.mdx +++ b/website/content/api-docs/secret/databases/mssql.mdx @@ -109,7 +109,7 @@ $ curl \ Statements are configured during role creation and are used by the plugin to determine what is sent to the database on user creation, renewing, and revocation. For more information on configuring roles see the [Role -API](/api/secret/databases#create-role) in the database secrets engine docs. +API](/api-docs/secret/databases#create-role) in the database secrets engine docs. ### Parameters diff --git a/website/content/api-docs/secret/databases/mysql-maria.mdx b/website/content/api-docs/secret/databases/mysql-maria.mdx index 2fbbc7d69e118..ba3d8e19d2d77 100644 --- a/website/content/api-docs/secret/databases/mysql-maria.mdx +++ b/website/content/api-docs/secret/databases/mysql-maria.mdx @@ -144,7 +144,7 @@ $ curl \ Statements are configured during role creation and are used by the plugin to determine what is sent to the database on user creation, renewing, and revocation. For more information on configuring roles see the [Role -API](/api/secret/databases#create-role) in the database secrets engine docs. +API](/api-docs/secret/databases#create-role) in the database secrets engine docs. ### Parameters diff --git a/website/content/api-docs/secret/databases/oracle.mdx b/website/content/api-docs/secret/databases/oracle.mdx index 8d770e067fb50..90cfc2e5f6279 100644 --- a/website/content/api-docs/secret/databases/oracle.mdx +++ b/website/content/api-docs/secret/databases/oracle.mdx @@ -102,7 +102,7 @@ $ curl \ Statements are configured during role creation and are used by the plugin to determine what is sent to the database on user creation, renewing, and revocation. For more information on configuring roles see the [Role -API](/api/secret/databases#create-role) in the database secrets engine docs. +API](/api-docs/secret/databases#create-role) in the database secrets engine docs. ### Parameters diff --git a/website/content/api-docs/secret/databases/postgresql.mdx b/website/content/api-docs/secret/databases/postgresql.mdx index 95e9f36068db3..bd760d09cbcdf 100644 --- a/website/content/api-docs/secret/databases/postgresql.mdx +++ b/website/content/api-docs/secret/databases/postgresql.mdx @@ -147,7 +147,7 @@ for more information. Below are two small examples. Statements are configured during role creation and are used by the plugin to determine what is sent to the database on user creation, renewing, and revocation. For more information on configuring roles see the [Role -API](/api/secret/databases#create-role) in the database secrets engine docs. +API](/api-docs/secret/databases#create-role) in the database secrets engine docs. ### Parameters diff --git a/website/content/api-docs/secret/databases/redshift.mdx b/website/content/api-docs/secret/databases/redshift.mdx index 5ff8f8d5474c4..61d9671dca2d3 100644 --- a/website/content/api-docs/secret/databases/redshift.mdx +++ b/website/content/api-docs/secret/databases/redshift.mdx @@ -79,7 +79,7 @@ $ curl \ Statements are configured during role creation and are used by the plugin to determine what is sent to the database on user creation, renewing, and revocation. For more information on configuring roles see the [Role -API](/api/secret/databases#create-role) in the database secrets engine docs. +API](/api-docs/secret/databases#create-role) in the database secrets engine docs. ### Parameters diff --git a/website/content/api-docs/secret/databases/snowflake.mdx b/website/content/api-docs/secret/databases/snowflake.mdx index a3f6eee683fcd..6296b6439b5b8 100644 --- a/website/content/api-docs/secret/databases/snowflake.mdx +++ b/website/content/api-docs/secret/databases/snowflake.mdx @@ -79,7 +79,7 @@ $ curl \ Statements are configured during role creation and are used by the plugin to determine what is sent to the database on user creation, renewing, and revocation. For more information on configuring roles see the [Role -API](/api/secret/databases#create-role) in the database secrets engine docs. +API](/api-docs/secret/databases#create-role) in the database secrets engine docs. ### Parameters diff --git a/website/content/api-docs/secret/gcp.mdx b/website/content/api-docs/secret/gcp.mdx index 0ecfbdb4a0009..ba00957ad3672 100644 --- a/website/content/api-docs/secret/gcp.mdx +++ b/website/content/api-docs/secret/gcp.mdx @@ -594,5 +594,5 @@ $ curl \ ## Revoking/Renewing Secrets -See docs on how to [renew](/api/system/leases#renew-lease) and [revoke](/api/system/leases#revoke-lease) leases. +See docs on how to [renew](/api/system/leases#renew-lease) and [revoke](/api-docs/system/leases#revoke-lease) leases. Note this only applies to service account keys. diff --git a/website/content/api-docs/secret/identity/mfa/duo.mdx b/website/content/api-docs/secret/identity/mfa/duo.mdx index 647ba0c24f189..bf2d8675c8100 100644 --- a/website/content/api-docs/secret/identity/mfa/duo.mdx +++ b/website/content/api-docs/secret/identity/mfa/duo.mdx @@ -10,7 +10,7 @@ description: >- This endpoint defines an MFA method of type Duo. | Method | Path | -| :----- |:-------------------------------| +| :----- | :----------------------------- | | `POST` | `/identity/mfa/method/duo/:id` | ### Parameters @@ -26,7 +26,9 @@ This endpoint defines an MFA method of type Duo. - `api_hostname` `(string: )` - API hostname for Duo. - `push_info` `(string)` - Push information for Duo. + - + - `use_passcode` `(bool: false)` - If true, the user is reminded to use the passcode upon MFA validation. ### Sample Payload @@ -64,7 +66,7 @@ This endpoint queries the MFA configuration of Duo type for a given method ID. | Method | Path | -| :----- |:-------------------------------| +| :----- | :----------------------------- | | `GET` | `/identity/mfa/method/duo/:id` | ### Parameters @@ -101,10 +103,10 @@ $ curl \ ## Delete Duo MFA Method This endpoint deletes a Duo MFA method. MFA methods can only be deleted if they're not currently in use -by a [login enforcement](/api/secret/identity/mfa/login-enforcement). +by a [login enforcement](/api-docs/secret/identity/mfa/login-enforcement). | Method | Path | -| :------- |:-------------------------------| +| :------- | :----------------------------- | | `DELETE` | `/identity/mfa/method/duo/:id` | ### Parameters @@ -126,7 +128,7 @@ $ curl \ This endpoint lists Duo MFA methods that are visible in the current namespace or in parent namespaces. | Method | Path | -|:-------|:---------------------------| +| :----- | :------------------------- | | `LIST` | `/identity/mfa/method/duo` | ### Sample Request diff --git a/website/content/api-docs/secret/identity/mfa/index.mdx b/website/content/api-docs/secret/identity/mfa/index.mdx index 17215df6fe4a8..ab505c62154ac 100644 --- a/website/content/api-docs/secret/identity/mfa/index.mdx +++ b/website/content/api-docs/secret/identity/mfa/index.mdx @@ -9,18 +9,18 @@ description: >- ## Supported MFA types. -- [TOTP](/api/secret/identity/mfa/totp) +- [TOTP](/api-docs/secret/identity/mfa/totp) -- [Okta](/api/secret/identity/mfa/okta) +- [Okta](/api-docs/secret/identity/mfa/okta) -- [Duo](/api/secret/identity/mfa/duo) +- [Duo](/api-docs/secret/identity/mfa/duo) -- [PingID](/api/secret/identity/mfa/pingid) +- [PingID](/api-docs/secret/identity/mfa/pingid) ## Other -- [Login Enforcement](/api/secret/identity/mfa/login-enforcement) -- [MFA Validate](/api/system/mfa/validate) +- [Login Enforcement](/api-docs/secret/identity/mfa/login-enforcement) +- [MFA Validate](/api-docs/system/mfa/validate) While the above endpoints are available in both the open source and Enterprise versions of Vault, they are namespace aware. MFA methods and login enforcements created in one namespace are separate from other diff --git a/website/content/api-docs/secret/identity/mfa/okta.mdx b/website/content/api-docs/secret/identity/mfa/okta.mdx index 4a2ee1f330b97..8e63db5394237 100644 --- a/website/content/api-docs/secret/identity/mfa/okta.mdx +++ b/website/content/api-docs/secret/identity/mfa/okta.mdx @@ -10,7 +10,7 @@ description: >- This endpoint defines an MFA method of type Okta. | Method | Path | -| :----- |:--------------------------------| +| :----- | :------------------------------ | | `POST` | `/identity/mfa/method/okta/:id` | ### Parameters @@ -61,7 +61,7 @@ This endpoint queries the MFA configuration of Okta type for a given method name. | Method | Path | -| :----- |:--------------------------------| +| :----- | :------------------------------ | | `GET` | `/identity/mfa/method/okta/:id` | ### Parameters @@ -96,10 +96,10 @@ $ curl \ ## Delete Okta MFA Method This endpoint deletes a Okta MFA method. The MFA methods can only be deleted if they're not currently in use -by a [login enforcement](/api/secret/identity/mfa/login-enforcement). +by a [login enforcement](/api-docs/secret/identity/mfa/login-enforcement). | Method | Path | -| :------- |:--------------------------------| +| :------- | :------------------------------ | | `DELETE` | `/identity/mfa/method/okta/:id` | ### Parameters @@ -121,7 +121,7 @@ $ curl \ This endpoint lists Okta MFA methods that are visible in the current namespace or in parent namespaces. | Method | Path | -|:-------|:----------------------------| +| :----- | :-------------------------- | | `LIST` | `/identity/mfa/method/okta` | ### Sample Request diff --git a/website/content/api-docs/secret/identity/mfa/pingid.mdx b/website/content/api-docs/secret/identity/mfa/pingid.mdx index 7b51cc6292998..d61f2e65a75a9 100644 --- a/website/content/api-docs/secret/identity/mfa/pingid.mdx +++ b/website/content/api-docs/secret/identity/mfa/pingid.mdx @@ -10,7 +10,7 @@ description: >- This endpoint defines an MFA method of type PingID. | Method | Path | -| :----- |:----------------------------------| +| :----- | :-------------------------------- | | `POST` | `/identity/mfa/method/pingid/:id` | ### Parameters @@ -54,7 +54,7 @@ This endpoint queries the MFA configuration of PingID type for a given method name. | Method | Path | -| :----- |:----------------------------------| +| :----- | :-------------------------------- | | `GET` | `/identity/mfa/method/pingid/:id` | ### Parameters @@ -90,10 +90,10 @@ $ curl \ ## Delete PingID MFA Method This endpoint deletes a PingID MFA method. MFA methods can only be deleted if they're not currently in use -by a [login enforcement](/api/secret/identity/mfa/login-enforcement). +by a [login enforcement](/api-docs/secret/identity/mfa/login-enforcement). | Method | Path | -| :------- |:----------------------------------| +| :------- | :-------------------------------- | | `DELETE` | `/identity/mfa/method/pingid/:id` | ### Parameters @@ -115,7 +115,7 @@ $ curl \ This endpoint lists PingID MFA methods that are visible in the current namespace or in parent namespaces. | Method | Path | -|:-------|:------------------------------| +| :----- | :---------------------------- | | `LIST` | `/identity/mfa/method/pingid` | ### Sample Request diff --git a/website/content/api-docs/secret/identity/mfa/totp.mdx b/website/content/api-docs/secret/identity/mfa/totp.mdx index 5584ad8ab2578..404c2f609ef54 100644 --- a/website/content/api-docs/secret/identity/mfa/totp.mdx +++ b/website/content/api-docs/secret/identity/mfa/totp.mdx @@ -10,7 +10,7 @@ description: >- This endpoint defines an MFA method of type TOTP. | Method | Path | -| :----- |:--------------------------------| +| :----- | :------------------------------ | | `POST` | `/identity/mfa/method/totp/:id` | ### Parameters @@ -65,7 +65,7 @@ This endpoint queries the MFA configuration of TOTP type for a given method ID. | Method | Path | -| :----- |:--------------------------------| +| :----- | :------------------------------ | | `GET` | `/identity/mfa/method/totp/:id` | ### Parameters @@ -104,10 +104,10 @@ $ curl \ ## Delete TOTP MFA Method This endpoint deletes a TOTP MFA method. MFA methods can only be deleted if they're not currently in use -by a [login enforcement](/api/secret/identity/mfa/login-enforcement). +by a [login enforcement](/api-docs/secret/identity/mfa/login-enforcement). | Method | Path | -| :------- |:--------------------------------| +| :------- | :------------------------------ | | `DELETE` | `/identity/mfa/method/totp/:id` | ### Parameters @@ -128,8 +128,8 @@ $ curl \ This endpoint lists TOTP MFA methods that are visible in the current namespace or in parent namespaces. -| Method | Path | -|:-------|:--------------------------------| +| Method | Path | +| :----- | :-------------------------- | | `LIST` | `/identity/mfa/method/totp` | ### Sample Request @@ -162,7 +162,7 @@ doesn't exist already, using the configuration stored under the given MFA method ID. | Method | Path | -|:-------|:-------------------------------------| +| :----- | :----------------------------------- | | `POST` | `/identity/mfa/method/totp/generate` | ### Parameters @@ -204,8 +204,8 @@ This endpoint can be used to generate a TOTP MFA secret. Unlike the `generate` API which stores the generated secret on the entity ID of the calling token, the `admin-generate` API stores the generated secret on the given entity ID. -| Method | Path | -| :----- |:-------------------------------------------------| +| Method | Path | +| :----- | :----------------------------------------- | | `POST` | `/identity/mfa/method/totp/admin-generate` | ### Parameters @@ -255,7 +255,7 @@ and the `generate` or `admin-generate` APIs should be used to regenerate a new secret. | Method | Path | -| :----- |:------------------------------------------| +| :----- | :---------------------------------------- | | `POST` | `/identity/mfa/method/totp/admin-destroy` | ### Parameters diff --git a/website/content/api-docs/secret/kv/index.mdx b/website/content/api-docs/secret/kv/index.mdx index b1bc238b41af0..ea7f37d0c76e5 100644 --- a/website/content/api-docs/secret/kv/index.mdx +++ b/website/content/api-docs/secret/kv/index.mdx @@ -10,6 +10,6 @@ This backend can be run in one of two versions. Each of which have a distinct AP Choose the version below you are running. For more information on the KV secrets engine see the [Vault kv documentation](/docs/secrets/kv). -- [KV Version 1 API](/api/secret/kv/kv-v1) +- [KV Version 1 API](/api-docs/secret/kv/kv-v1) -- [KV Version 2 API](/api/secret/kv/kv-v2) +- [KV Version 2 API](/api-docs/secret/kv/kv-v2) diff --git a/website/content/api-docs/secret/kv/kv-v2.mdx b/website/content/api-docs/secret/kv/kv-v2.mdx index 1b38f171e9959..e9522f0e53a77 100644 --- a/website/content/api-docs/secret/kv/kv-v2.mdx +++ b/website/content/api-docs/secret/kv/kv-v2.mdx @@ -95,7 +95,7 @@ This endpoint retrieves the secret at the specified location. The metadata fields `created_time`, `deletion_time`, `destroyed`, and `version` are version specific. The `custom_metadata` field is part of the secret's key metadata and is included in the response whether or not the calling token has `read` access to -the associated [metadata endpoint](/api/secret/kv/kv-v2#read-secret-metadata). +the associated [metadata endpoint](/api-docs/secret/kv/kv-v2#read-secret-metadata). | Method | Path | | :----- | :------------------------------------------- | diff --git a/website/content/api-docs/secret/nomad.mdx b/website/content/api-docs/secret/nomad.mdx index 7176cece01f3a..2c74c53012d17 100644 --- a/website/content/api-docs/secret/nomad.mdx +++ b/website/content/api-docs/secret/nomad.mdx @@ -188,7 +188,7 @@ updated attributes. - `policies` `(string: "")` – Comma separated list of Nomad policies the token is going to be created against. These need to be created beforehand in Nomad. -- `global` `(bool: "false")` – Specifies if the token should be global, as defined in the [Nomad Documentation](https://www.nomadproject.io/guides/acl#acl-tokens). +- `global` `(bool: "false")` – Specifies if the token should be global, as defined in the [Nomad Documentation](https://learn.hashicorp.com/collections/nomad/access-control#acl-tokens). - `type` `(string: "client")` - Specifies the type of token to create when using this role. Valid values are `"client"` or `"management"`. diff --git a/website/content/api-docs/secret/terraform.mdx b/website/content/api-docs/secret/terraform.mdx index 47d433e729a3f..9d9e6893fa236 100644 --- a/website/content/api-docs/secret/terraform.mdx +++ b/website/content/api-docs/secret/terraform.mdx @@ -102,7 +102,7 @@ with the `/rotate-role` endpoint. Please see the [Terraform Cloud API Token documentation for more -information](https://www.terraform.io/docs/cloud/users-teams-organizations/api-tokens.html). +information](https://www.terraform.io/cloud-docs/users-teams-organizations/api-tokens). | Method | Path | | :----- | :---------------------- | diff --git a/website/content/api-docs/secret/transit.mdx b/website/content/api-docs/secret/transit.mdx index f572114da4c9b..c35193b9aadac 100644 --- a/website/content/api-docs/secret/transit.mdx +++ b/website/content/api-docs/secret/transit.mdx @@ -1606,4 +1606,4 @@ $ curl \ }, ``` -[sys-plugin-reload-backend]: /api/system/plugins-reload-backend#reload-plugins +[sys-plugin-reload-backend]: /api-docs/system/plugins-reload-backend#reload-plugins diff --git a/website/content/api-docs/system/mfa/index.mdx b/website/content/api-docs/system/mfa/index.mdx index ccd27391c25be..43311c3d7e64b 100644 --- a/website/content/api-docs/system/mfa/index.mdx +++ b/website/content/api-docs/system/mfa/index.mdx @@ -13,13 +13,13 @@ behaviors in Vault Enterprise MFA. ## Supported MFA types -- [TOTP](/api/system/mfa/totp) +- [TOTP](/api-docs/system/mfa/totp) -- [Okta](/api/system/mfa/okta) +- [Okta](/api-docs/system/mfa/okta) -- [Duo](/api/system/mfa/duo) +- [Duo](/api-docs/system/mfa/duo) -- [PingID](/api/system/mfa/pingid) +- [PingID](/api-docs/system/mfa/pingid) ## Step-up Enterprise MFA diff --git a/website/content/api-docs/system/mounts.mdx b/website/content/api-docs/system/mounts.mdx index c755494781214..789427f423def 100644 --- a/website/content/api-docs/system/mounts.mdx +++ b/website/content/api-docs/system/mounts.mdx @@ -199,7 +199,7 @@ $ curl \ This endpoint disables the mount point specified in the URL. -| Method | Path | +| Method | Path | | | :------- | :------------------ | ------------------ | | `DELETE` | `/sys/mounts/:path` | `204 (empty body)` | @@ -224,7 +224,7 @@ simple as increasing the timeout (in the event of timeout errors). For recovery situations where the secret was manually removed from the secrets backing service, one can force a secrets engine disable in Vault by -performing a [force revoke](https://www.vaultproject.io/api/system/leases#revoke-force) +performing a [force revoke](/api-docs/system/leases) on the mount prefix, followed by a secrets disable when that completes. If the underlying secrets were not manually cleaned up, this method might result in dangling credentials. This is meant for extreme circumstances. @@ -237,7 +237,6 @@ This endpoint returns the configuration of a specific secret engine. | :----- | :------------------ | | `GET` | `/sys/mounts/:path` | - ### Sample Request ```shell-session diff --git a/website/content/docs/audit/index.mdx b/website/content/docs/audit/index.mdx index 749d42910d888..f9def4d045056 100644 --- a/website/content/docs/audit/index.mdx +++ b/website/content/docs/audit/index.mdx @@ -67,7 +67,7 @@ cluster by default, and to performance/DR secondaries for Vault Enterprise clust Before enabling an audit device, ensure that all nodes within the cluster(s) will be able to successfully log to the audit device to avoid Vault being blocked from serving requests. -An audit device can be limited to only within the node's cluster with the [`local`](/api/system/audit#local) parameter. +An audit device can be limited to only within the node's cluster with the [`local`](/api-docs/system/audit#local) parameter. When an audit device is disabled, it will stop receiving logs immediately. The existing logs that it did store are untouched. diff --git a/website/content/docs/auth/azure.mdx b/website/content/docs/auth/azure.mdx index 8e20ec402f068..5646d0f81a84d 100644 --- a/website/content/docs/auth/azure.mdx +++ b/website/content/docs/auth/azure.mdx @@ -24,7 +24,7 @@ workloads, user-assigned identities are recommended. ## Prerequisites: The following documentation assumes that the method has been -[mounted](/docs/plugin) at `auth/azure`. +[mounted](/docs/plugins) at `auth/azure`. - A configured [Azure AD application](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications) which is used as the resource for generating MSI access tokens. - Client credentials (shared secret) for accessing the Azure Resource Manager with read access to compute endpoints. See [Azure AD Service to Service Client Credentials](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service) diff --git a/website/content/docs/auth/jwt/index.mdx b/website/content/docs/auth/jwt/index.mdx index 313598f9da353..a616947ff806d 100644 --- a/website/content/docs/auth/jwt/index.mdx +++ b/website/content/docs/auth/jwt/index.mdx @@ -140,15 +140,20 @@ EOF ``` - Monitor Vault's log output. Important information about OIDC validation failures will be emitted. + - Ensure Redirect URIs are correct in Vault and on the provider. They need to match exactly. Check: http/https, 127.0.0.1/localhost, port numbers, whether trailing slashes are present. + - Start simple. The only claim configuration a role requires is `user_claim`. After authentication is known to work, you can add additional claims bindings and metadata copying. + - `bound_audiences` is optional for OIDC roles and typically not required. OIDC providers will use the client_id as the audience and OIDC validation expects this. + - Check your provider for what scopes are required in order to receive all of the information you need. The scopes "profile" and "groups" often need to be requested, and can be added by setting `oidc_scopes="profile,groups"` on the role. + - If you're seeing claim-related errors in logs, review the provider's docs very carefully to see how they're naming and structuring their claims. Depending on the provider, you may be able to construct a simple `curl` implicit grant request to obtain a JWT that you can inspect. An example @@ -161,6 +166,7 @@ EOF be helpful when debugging provider setup and verifying that the received claims are what you expect. Since claims data is logged verbatim and may contain sensitive information, this option should not be used in production. + - Azure requires some additional configuration when a user is a member of more than 200 groups, described in [Azure-specific handling configuration](/docs/auth/jwt/oidc-providers/azuread#optional-azure-specific-configuration) @@ -231,46 +237,46 @@ Auth methods must be configured in advance before users or machines can authenticate. These steps are usually completed by an operator or configuration management tool. -1. Enable the JWT auth method. Either the "jwt" or "oidc" name may be used. The - backend will be mounted at the chosen name. - - ```text - $ vault auth enable jwt - or - $ vault auth enable oidc - ``` - -1. Use the `/config` endpoint to configure Vault. To support JWT roles, either local keys, a JWKS URL, or an OIDC - Discovery URL must be present. For OIDC roles, OIDC Discovery URL, OIDC Client ID and OIDC Client Secret are required. For the - list of available configuration options, please see the [API documentation](/api-docs/auth/jwt). - - ```text - $ vault write auth/jwt/config \ - oidc_discovery_url="https://myco.auth0.com/" \ - oidc_client_id="m5i8bj3iofytj" \ - oidc_client_secret="f4ubv72nfiu23hnsj" \ - default_role="demo" - ``` - -1. Create a named role: - - ```text - vault write auth/jwt/role/demo \ - allowed_redirect_uris="http://localhost:8250/oidc/callback" \ - bound_subject="r3qX9DljwFIWhsiqwFiu38209F10atW6@clients" \ - bound_audiences="https://vault.plugin.auth.jwt.test" \ - user_claim="https://vault/user" \ - groups_claim="https://vault/groups" \ - policies=webapps \ - ttl=1h - ``` - - This role authorizes JWTs with the given subject and audience claims, gives - it the `webapps` policy, and uses the given user/groups claims to set up - Identity aliases. - - For the complete list of configuration options, please see the API - documentation. +1. Enable the JWT auth method. Either the "jwt" or "oidc" name may be used. The + backend will be mounted at the chosen name. + + ```text + $ vault auth enable jwt + or + $ vault auth enable oidc + ``` + +1. Use the `/config` endpoint to configure Vault. To support JWT roles, either local keys, a JWKS URL, or an OIDC + Discovery URL must be present. For OIDC roles, OIDC Discovery URL, OIDC Client ID and OIDC Client Secret are required. For the + list of available configuration options, please see the [API documentation](/api-docs/auth/jwt). + + ```text + $ vault write auth/jwt/config \ + oidc_discovery_url="https://myco.auth0.com/" \ + oidc_client_id="m5i8bj3iofytj" \ + oidc_client_secret="f4ubv72nfiu23hnsj" \ + default_role="demo" + ``` + +1. Create a named role: + + ```text + vault write auth/jwt/role/demo \ + allowed_redirect_uris="http://localhost:8250/oidc/callback" \ + bound_subject="r3qX9DljwFIWhsiqwFiu38209F10atW6@clients" \ + bound_audiences="https://vault.plugin.auth.jwt.test" \ + user_claim="https://vault/user" \ + groups_claim="https://vault/groups" \ + policies=webapps \ + ttl=1h + ``` + + This role authorizes JWTs with the given subject and audience claims, gives + it the `webapps` policy, and uses the given user/groups claims to set up + Identity aliases. + + For the complete list of configuration options, please see the API + documentation. ### Bound Claims diff --git a/website/content/docs/commands/operator/generate-root.mdx b/website/content/docs/commands/operator/generate-root.mdx index 3584eb2391a40..c40e6c785c702 100644 --- a/website/content/docs/commands/operator/generate-root.mdx +++ b/website/content/docs/commands/operator/generate-root.mdx @@ -27,7 +27,7 @@ An unseal key may be provided directly on the command line as an argument to the command. If key is specified as "-", the command will read from stdin. If a TTY is available, the command will prompt for text. -Please see the [generate root guide](/guides/operations/generate-root) for +Please see the [generate root guide](https://learn.hashicorp.com/tutorials/vault/generate-root) for step-by-step instructions. ## Examples diff --git a/website/content/docs/commands/operator/rekey.mdx b/website/content/docs/commands/operator/rekey.mdx index e171490f86d64..a1a6eb67cb01e 100644 --- a/website/content/docs/commands/operator/rekey.mdx +++ b/website/content/docs/commands/operator/rekey.mdx @@ -21,7 +21,7 @@ An unseal key may be provided directly on the command line as an argument to the command. If key is specified as "-", the command will read from stdin. If a TTY is available, the command will prompt for text. -Please see the [rotating and rekeying](/guides/operations/rekeying-and-rotating) for +Please see the [rotating and rekeying](https://learn.hashicorp.com/tutorials/vault/rekeying-and-rotating) for step-by-step instructions. ## Examples @@ -154,7 +154,7 @@ flags](/docs/commands) included on all commands. - `-backup` `(bool: false)` - Store a backup of the current PGP encrypted unseal keys in Vault's core. The encrypted values can be recovered in the event of failure or discarded after success. See the -backup-delete and - -backup-retrieve options for more information. This option only applies when + \-backup-retrieve options for more information. This option only applies when the existing unseal keys were PGP encrypted. - `-backup-delete` `(bool: false)` - Delete any stored backup unseal keys. diff --git a/website/content/docs/concepts/client-count/faq.mdx b/website/content/docs/concepts/client-count/faq.mdx index e57525afe5888..8f72e845e5ac0 100644 --- a/website/content/docs/concepts/client-count/faq.mdx +++ b/website/content/docs/concepts/client-count/faq.mdx @@ -89,7 +89,7 @@ Although client counts have been available via the usage metrics UI since Vault - Changed the non-entity token computation logic to deduplicate non-entity tokens, reducing the overall client count. Moving forward, non-entity tokens, where there is no entity to map tokens, Vault will use the contents of the token to generate a unique client identifier based on the namespace ID and associated policies. The clientID will prevent duplicating the same token in the overall client count when the token is used again during the billing period. - Changed the tracking of non-entity tokens to complete on access instead of creation. - Changed the computation logic to not include root tokens in the client count aggregate. - - Changed the local auth mount computation logic such that local auth mounts count towards clients but not as non-entity tokens. Prior to Vault 1.9, local auth mounts counted towards non-entity tokens. Refer to the [What is a Client?](docs/concepts/client-count) documentation to learn more. + - Changed the local auth mount computation logic such that local auth mounts count towards clients but not as non-entity tokens. Prior to Vault 1.9, local auth mounts counted towards non-entity tokens. Refer to the [What is a Client?](/docs/concepts/client-count) documentation to learn more. - Added ability to display clients per namespace (top 10, descending order) in the UI and export data for all namespaces. Prior to Vault 1.9, you could not view view the split of clients per namespace on the UI, nor could you export this data via the UI. - Added ability to display clients earlier than a month (within ten minutes of enabling the feature) in the UI. Prior to Vault 1.9, after enabling the counting of clients, you had to wait for a month to view the client aggregates in the UI. - Changed functionality to disallow creating two aliases from the same auth mount under a single entity. For more information, refer to the question [Starting in Vault 1.9, Vault does not allow creating two aliases from the same auth mount under a single entity. What changed and how does this impact client counting?](#q-starting-in-vault-1-9-vault-does-not-allow-creating-two-aliases-from-the-same-auth-mount-under-a-single-entity-what-changed-and-how-does-this-impact-client-counting) @@ -257,7 +257,7 @@ However, creating a new token across a parent/child namespace boundary could res ### Q: How does the Nomad Vault integration affect client counts? -The [Nomad Vault integration](https://www.nomadproject.io/docs/integrations/vault-integration#token-role-based-integration) uses [token roles](https://www.nomadproject.io/docs/integrations/vault-integration#vault-token-role-configuration). A single token role creates tokens for many Nomad jobs. If no [explicit identity aliases](/api-docs/auth/token#entity_alias) are provided (which is not currently supported in the integration), this would create a non-entity token for every running instance of a Nomad job. +The [Nomad Vault integration](https://www.nomadproject.io/docs/integrations/vault-integration#token-role-based-integration) uses [token roles](https://www.nomadproject.io/docs/integrations/vault-integration#vault-token-role-configuration#vault-token-role-configuration). A single token role creates tokens for many Nomad jobs. If no [explicit identity aliases](/api-docs/auth/token#entity_alias) are provided (which is not currently supported in the integration), this would create a non-entity token for every running instance of a Nomad job. Prior to Vault 1.9, the Nomad Vault integration caused duplicate clients, resulting in an elevated client count. Post Vault 1.9, with the introduction of the deduplication logic, the number of clients created by the integration is reduced. For more information on improvements made to client count in Vault 1.9, refer to the question [Which version of Vault reflects the most accurate count of clients with Vault?](#q-which-vault-version-reflects-the-most-accurate-client-counts). ### Q: Starting in Vault 1.7, Vault does not allow creating two aliases from the same auth mount under a single entity. What changed and how does this impact client counting? diff --git a/website/content/docs/concepts/dev-server.mdx b/website/content/docs/concepts/dev-server.mdx index 2f945e394b071..6688a28746d7a 100644 --- a/website/content/docs/concepts/dev-server.mdx +++ b/website/content/docs/concepts/dev-server.mdx @@ -50,7 +50,7 @@ flags or by specifying a configuration file): The dev server should be used for experimentation with Vault features, such as different auth methods, secrets engines, audit devices, etc. -If you're new to Vault, you may want to pick up with [Your First Secret](/intro/getting-started/first-secret) in our getting started guide. +If you're new to Vault, you may want to pick up with [Your First Secret](https://learn.hashicorp.com/vault/getting-started/first-secret) in our getting started guide. In addition to experimentation, the dev server is very easy to automate for development environments. diff --git a/website/content/docs/concepts/integrated-storage/autopilot.mdx b/website/content/docs/concepts/integrated-storage/autopilot.mdx index 29a074aef43fe..6b0b14a058007 100644 --- a/website/content/docs/concepts/integrated-storage/autopilot.mdx +++ b/website/content/docs/concepts/integrated-storage/autopilot.mdx @@ -67,7 +67,6 @@ behavior. Autopilot gets initialized with the following default values. - `server_stabilization_time` - `10s` - ~> **Note**: Autopilot in Vault does similar things to what autopilot does in [Consul](https://www.consul.io/). However, the configuration in these 2 systems differ in terms of default values and thresholds; some additional parameters @@ -110,4 +109,3 @@ Refer to the following tutorials to learn more. - [Integrated Storage Autopilot](https://learn.hashicorp.com/tutorials/vault/raft-autopilot) - [Fault Tolerance with Redundancy Zones](https://learn.hashicorp.com/tutorials/vault/raft-redundancy-zones) - [Automate Upgrades with Vault Enterprise](https://learn.hashicorp.com/tutorials/vault/raft-upgrade-automation) - diff --git a/website/content/docs/concepts/policies.mdx b/website/content/docs/concepts/policies.mdx index 2a0a190a9bffa..d3c1cf8212d3e 100644 --- a/website/content/docs/concepts/policies.mdx +++ b/website/content/docs/concepts/policies.mdx @@ -181,10 +181,10 @@ also match `"secret/foobar"`. Specifically, when there are potentially multiple matching policy paths, `P1` and `P2`, the following matching criteria is applied: 1. If the first wildcard (`+`) or glob (`*`) occurs earlier in `P1`, `P1` is lower priority -2. If `P1` ends in `*` and `P2` doesn't, `P1` is lower priority -3. If `P1` has more `+` (wildcard) segments, `P1` is lower priority -4. If `P1` is shorter, it is lower priority -5. If `P1` is smaller lexicographically, it is lower priority +1. If `P1` ends in `*` and `P2` doesn't, `P1` is lower priority +1. If `P1` has more `+` (wildcard) segments, `P1` is lower priority +1. If `P1` is shorter, it is lower priority +1. If `P1` is smaller lexicographically, it is lower priority For example, given the two paths, `"secret/*"` and `"secret/+/+/foo/*"`, the first wildcard appears in the same place, both end in `*` and the latter has two wildcard @@ -263,19 +263,19 @@ injected, and currently the `path` keys in policies allow injection. ### Parameters -| Name | Description | -| :------------------------------------------------------------------------------- | :------------------------------------------------------------------------------------- | -| `identity.entity.id` | The entity's ID | -| `identity.entity.name` | The entity's name | -| `identity.entity.metadata.` | Metadata associated with the entity for the given key | -| `identity.entity.aliases..id` | Entity alias ID for the given mount | -| `identity.entity.aliases..name` | Entity alias name for the given mount | -| `identity.entity.aliases..metadata.` | Metadata associated with the alias for the given mount and metadata key | -| `identity.entity.aliases..custom_metadata.` | Custom metadata associated with the alias for the given mount and custom metadata key | -| `identity.groups.ids..name` | The group name for the given group ID | -| `identity.groups.names..id` | The group ID for the given group name | -| `identity.groups.ids..metadata.` | Metadata associated with the group for the given key | -| `identity.groups.names..metadata.` | Metadata associated with the group for the given key | +| Name | Description | +| :------------------------------------------------------------------------------- | :------------------------------------------------------------------------------------ | +| `identity.entity.id` | The entity's ID | +| `identity.entity.name` | The entity's name | +| `identity.entity.metadata.` | Metadata associated with the entity for the given key | +| `identity.entity.aliases..id` | Entity alias ID for the given mount | +| `identity.entity.aliases..name` | Entity alias name for the given mount | +| `identity.entity.aliases..metadata.` | Metadata associated with the alias for the given mount and metadata key | +| `identity.entity.aliases..custom_metadata.` | Custom metadata associated with the alias for the given mount and custom metadata key | +| `identity.groups.ids..name` | The group name for the given group ID | +| `identity.groups.names..id` | The group ID for the given group name | +| `identity.groups.ids..metadata.` | Metadata associated with the group for the given key | +| `identity.groups.names..metadata.` | Metadata associated with the group for the given key | ### Examples @@ -614,8 +614,8 @@ $ curl \ For more information, please read: -- [Production Hardening](/guides/operations/production) -- [Generating a Root Token](/guides/operations/generate-root) +- [Production Hardening](https://learn.hashicorp.com/tutorials/vault/production-hardening) +- [Generating a Root Token](https://learn.hashicorp.com/tutorials/vault/generate-root) ## Managing Policies diff --git a/website/content/docs/concepts/storage.mdx b/website/content/docs/concepts/storage.mdx index 5394e6157afb9..d752a6a22b005 100644 --- a/website/content/docs/concepts/storage.mdx +++ b/website/content/docs/concepts/storage.mdx @@ -81,7 +81,7 @@ components of that plan. Backups and restores are ideally performed while Vault is offline. If offline backups are not feasible, we recommend using a storage backend that supports atomic snapshots (such as -[Consul](https://www.consul.io/docs/commands/snapshot.html) or [Integrated +[Consul](https://www.consul.io/commands/snapshot) or [Integrated Storage](/docs/commands/operator/raft#snapshot)). ~> If your storage backend does not support atomic snapshots, we recommend only @@ -93,7 +93,7 @@ other storage backends, follow the documentation of that backend for taking and restoring backups. - Integrated Storage [snapshots](/docs/commands/operator/raft#snapshot) -- Consul [snapshots](https://www.consul.io/docs/commands/snapshot.html) +- Consul [snapshots](https://www.consul.io/commands/snapshot) #### Backing up Multiple Clusters diff --git a/website/content/docs/concepts/tokens.mdx b/website/content/docs/concepts/tokens.mdx index b796f321b6d98..1c4c4a549ef7c 100644 --- a/website/content/docs/concepts/tokens.mdx +++ b/website/content/docs/concepts/tokens.mdx @@ -60,9 +60,9 @@ there are only three ways to create root tokens: 1. The initial root token generated at `vault operator init` time -- this token has no expiration -2. By using another root token; a root token with an expiration cannot create a +1. By using another root token; a root token with an expiration cannot create a root token that never expires -3. By using `vault operator generate-root` ([example](/guides/operations/generate-root)) +1. By using `vault operator generate-root` ([example](https://learn.hashicorp.com/tutorials/vault/generate-root)) with the permission of a quorum of unseal key holders Root tokens are useful in development but should be extremely carefully guarded @@ -91,10 +91,10 @@ Often this behavior is not desired, so users with appropriate access can create token tree. These orphan tokens can be created: 1. Via `write` access to the `auth/token/create-orphan` endpoint -2. By having `sudo` or `root` access to the `auth/token/create` +1. By having `sudo` or `root` access to the `auth/token/create` and setting the `no_parent` parameter to `true` -3. Via token store roles -4. By logging in with any other (non-`token`) auth method +1. Via token store roles +1. By logging in with any other (non-`token`) auth method Users with appropriate permissions can also use the `auth/token/revoke-orphan` endpoint, which revokes the given token but rather than revoke the rest of the @@ -108,9 +108,9 @@ accessor is a value that acts as a reference to a token and can only be used to perform limited actions: 1. Look up a token's properties (not including the actual token ID) -2. Look up a token's capabilities on a path -3. Renew the token -4. Revoke the token +1. Look up a token's capabilities on a path +1. Renew the token +1. Revoke the token The token _making the call_, _not_ the token associated with the accessor, must have appropriate permissions for these functions. @@ -159,11 +159,11 @@ token's information is looked up. It is based on a combination of factors: 1. The system max TTL, which is 32 days but can be changed in Vault's configuration file. -2. The max TTL set on a mount using [mount +1. The max TTL set on a mount using [mount tuning](/api-docs/system/mounts). This value is allowed to override the system max TTL -- it can be longer or shorter, and if set this value will be respected. -3. A value suggested by the auth method that issued the token. This +1. A value suggested by the auth method that issued the token. This might be configured on a per-role, per-group, or per-user basis. This value is allowed to be less than the mount max TTL (or, if not set, the system max TTL), but it is not allowed to be longer. @@ -194,8 +194,8 @@ can be created in a few ways: 1. By having `sudo` capability or a `root` token with the `auth/token/create` endpoint -2. By using token store roles -3. By using an auth method that supports issuing these, such as +1. By using token store roles +1. By using an auth method that supports issuing these, such as AppRole At issue time, the TTL of a periodic token will be equal to the configured diff --git a/website/content/docs/configuration/index.mdx b/website/content/docs/configuration/index.mdx index 036e22167fa9e..7c3e6023453e3 100644 --- a/website/content/docs/configuration/index.mdx +++ b/website/content/docs/configuration/index.mdx @@ -238,4 +238,4 @@ The following parameters are only used with Vault Enterprise [telemetry]: /docs/configuration/telemetry [sentinel]: /docs/configuration/sentinel [high-availability]: /docs/concepts/ha -[plugins]: /docs/plugin +[plugins]: /docs/plugins diff --git a/website/content/docs/configuration/sentinel.mdx b/website/content/docs/configuration/sentinel.mdx index b630df28689f8..f89aa7309ff3d 100644 --- a/website/content/docs/configuration/sentinel.mdx +++ b/website/content/docs/configuration/sentinel.mdx @@ -27,7 +27,7 @@ The sentinel stanza currently supports only one parameter, `additional_enabled_m - `additional_enabled_modules` `(string array: [])`` - This parameter specifies a list of imports (modules) to allow in Sentinel policies. - Vault currently enables all of Sentinel's [standard imports](https://docs.hashicorp.com/sentinel/imports/) + Vault currently enables all of Sentinel's [standard imports](https://docs.hashicorp.com/sentinel/imports) except the "http" import, which has performance and security implications. In the future, if any new Sentinel imports are not automatically enabled by Vault, users could enable them in this stanza. Note that this setting cannot be used to load custom import plugins. diff --git a/website/content/docs/configuration/service-registration/consul.mdx b/website/content/docs/configuration/service-registration/consul.mdx index cde61c1ee2118..748a1982a5d58 100644 --- a/website/content/docs/configuration/service-registration/consul.mdx +++ b/website/content/docs/configuration/service-registration/consul.mdx @@ -101,7 +101,7 @@ connection. You can read more about encrypting Consul connections on the - `tls_key_file` `(string: "")` – Specifies the path to the private key for Consul communication. This should be set according to the - [`key_file`](https://www.consul.io/docs/agent/options.html#key_file) setting + [`key_file`](https://www.consul.io/docs/agent/config/config-files#key_file) setting in Consul. - `tls_min_version` `(string: "tls12")` – Specifies the minimum TLS version to diff --git a/website/content/docs/configuration/service-registration/index.mdx b/website/content/docs/configuration/service-registration/index.mdx index 87aaf237dc0a7..daaf2d8bde10c 100644 --- a/website/content/docs/configuration/service-registration/index.mdx +++ b/website/content/docs/configuration/service-registration/index.mdx @@ -59,7 +59,7 @@ environment variable will take precedence over values in the configuration file. [consul]: https://www.consul.io/ -[consul-discovery]: https://www.consul.io/discovery.html +[consul-discovery]: https://www.consul.io/ [storage-backend]: /docs/configuration/storage [consul-backend]: /docs/configuration/storage/consul [raft-backend]: /docs/configuration/storage/raft diff --git a/website/content/docs/configuration/storage/index.mdx b/website/content/docs/configuration/storage/index.mdx index 39bc4964f2fe9..54cbaf3bff7b4 100644 --- a/website/content/docs/configuration/storage/index.mdx +++ b/website/content/docs/configuration/storage/index.mdx @@ -79,7 +79,7 @@ Consul. | Data location | Data is on disk. | All data is in memory. | | System requirements | [System requirements](https://learn.hashicorp.com/tutorials/vault/raft-reference-architecture#system-requirements) | [System requirements](https://learn.hashicorp.com/tutorials/vault/reference-architecture#hardware-sizing-for-vault-servers) | | Snapshots | Normal data backup strategy of your organization. | More frequent snapshots are necessary since data is in memory. | -| Max message size | 1 MiB (Configurable using the [`max_entry_size`](/docs/configuration/storage/raft#max_entry_size) parameter) | 512 KiB (Configurable using the [`kv_max_value_size`](https://www.consul.io/docs/agent/options#kv_max_value_size) parameter) | +| Max message size | 1 MiB (Configurable using the [`max_entry_size`](/docs/configuration/storage/raft#max_entry_size) parameter) | 512 KiB (Configurable using the [`kv_max_value_size`](https://www.consul.io/docs/agent/config/config-files#kv_max_value_size) parameter) | If you have a Vault cluster using Consul as its storage backend and wish to migrate to Integrated Storage, read the following tutorials: diff --git a/website/content/docs/enterprise/license/faq.mdx b/website/content/docs/enterprise/license/faq.mdx index 79c30373cedc3..1ef9d6df00f84 100644 --- a/website/content/docs/enterprise/license/faq.mdx +++ b/website/content/docs/enterprise/license/faq.mdx @@ -125,7 +125,7 @@ It is not necessary to remove the stored license entry. That will occur automati 1. Use the command `vault license get -signed` to retrieve the license from storage of your running cluster. 2. Put the license on disk -3. Configure license auto-loading by specifying the [`license_path`](/docs/configuration#license_path) config option or setting the [`VAULT_LICENSE`](/docs/commands#vault_license) or [`VAULT_LICENSE_PATH`](o/docs/commands#vault_license_path) environment variable. +3. Configure license auto-loading by specifying the [`license_path`](/docs/configuration#license_path) config option or setting the [`VAULT_LICENSE`](/docs/commands#vault_license) or [`VAULT_LICENSE_PATH`](/docs/commands#vault_license_path) environment variable. ### Q: What is the path for customers who want to downgrade/rollback from Vault 1.11 or later (auto-loaded license mandatory) to a pre-Vault 1.11 (auto-loading not mandatory, stored license supported)? diff --git a/website/content/docs/faq/ssct.mdx b/website/content/docs/faq/ssct.mdx index be3829e31fee3..2bb6b7e34465a 100644 --- a/website/content/docs/faq/ssct.mdx +++ b/website/content/docs/faq/ssct.mdx @@ -23,7 +23,7 @@ This FAQ section contains frequently asked questions about the Server Side Consi ~> **Note**: This features requires Vault Enterprise. -Vault has an [eventual consistency](docs/enterprise/consistency) model where only the leader can write to Vault's storage. When using performance standbys with Integrated Storage, there are sequences of operations that don't always yield read-after-write consistency, which may pose a challenge for some use cases. +Vault has an [eventual consistency](/docs/enterprise/consistency) model where only the leader can write to Vault's storage. When using performance standbys with Integrated Storage, there are sequences of operations that don't always yield read-after-write consistency, which may pose a challenge for some use cases. Several client-based mitigations were added in Vault version 1.7, which depended on some modifications to clients (provide the appropriate response header per request) so they can specify state. This may not be possible to do in some environments. diff --git a/website/content/docs/index.mdx b/website/content/docs/index.mdx index be7b2c6b709a7..2597dba0fc683 100644 --- a/website/content/docs/index.mdx +++ b/website/content/docs/index.mdx @@ -5,4 +5,4 @@ page_title: Documentation # Documentation -Welcome to the Vault documentation! This documentation is more of a reference guide for all available features and options of Vault. If you're just getting started with Vault, please start with the [introduction](/docs/what-is-vault) instead, and work your way up to the [Getting Started](/intro/getting-started/install) guide. +Welcome to the Vault documentation! This documentation is more of a reference guide for all available features and options of Vault. If you're just getting started with Vault, please start with the [introduction](/docs/what-is-vault) instead, and work your way up to the [Getting Started](https://learn.hashicorp.com/tutorials/vault/getting-started-install) guide. diff --git a/website/content/docs/internals/limits.mdx b/website/content/docs/internals/limits.mdx index 04e3952c69f87..1ed6ec1901431 100644 --- a/website/content/docs/internals/limits.mdx +++ b/website/content/docs/internals/limits.mdx @@ -24,7 +24,7 @@ by that backend. For the Consul storage backend, the default limit imposed by Consul is 512 KiB. This may be configured via Consul’s -[`kv_max_value_size`](https://www.consul.io/docs/agent/options#kv_max_value_size) parameter, introduced in version 1.5.3. +[`kv_max_value_size`](https://www.consul.io/docs/agent/config/config-files#kv_max_value_size) parameter, introduced in version 1.5.3. For the integrated storage backend, the default limit (introduced in Vault 1.5.0) is 1 MiB. This may be configured via `max_entry_size` in diff --git a/website/content/docs/internals/telemetry.mdx b/website/content/docs/internals/telemetry.mdx index 5bbc272145ac5..6633141ced187 100644 --- a/website/content/docs/internals/telemetry.mdx +++ b/website/content/docs/internals/telemetry.mdx @@ -501,7 +501,7 @@ indicate flapping leadership. ## Integrated Storage (Raft) Automated Snapshots -These metrics related to the Enterprise feature [Raft Automated Snapshots](/docs/enterprise/automated-raft-snapshots). +These metrics related to the Enterprise feature [Raft Automated Snapshots](/docs/enterprise/automated-integrated-storage-snapshots). | Metric | Description | Unit | Type | | :------------------------------------------ | :-------------------------------------------------------------------------------------------- | :--------- | :------ | @@ -531,25 +531,47 @@ These metrics related to the Enterprise feature [Raft Automated Snapshots](/docs | `snapshot_config_name` | For automated snapshots, the name of the configuration | `config1` | [secrets-engines]: /docs/secrets + [storage-backends]: /docs/configuration/storage + [telemetry-stanza]: /docs/configuration/telemetry + [cubbyhole-secrets-engine]: /docs/secrets/cubbyhole + [kv-secrets-engine]: /docs/secrets/kv + [ldap-auth-backend]: /docs/auth/ldap + [token-auth-backend]: /docs/auth/token + [azure-storage-backend]: /docs/configuration/storage/azure + [cassandra-storage-backend]: /docs/configuration/storage/cassandra + [cockroachdb-storage-backend]: /docs/configuration/storage/cockroachdb + [consul-storage-backend]: /docs/configuration/storage/consul + [couchdb-storage-backend]: /docs/configuration/storage/couchdb + [dynamodb-storage-backend]: /docs/configuration/storage/dynamodb + [etcd-storage-backend]: /docs/configuration/storage/etcd + [gcs-storage-backend]: /docs/configuration/storage/google-cloud-storage + [spanner-storage-backend]: /docs/configuration/storage/google-cloud-spanner + [mssql-storage-backend]: /docs/configuration/storage/mssql + [mysql-storage-backend]: /docs/configuration/storage/mysql + [postgresql-storage-backend]: /docs/configuration/storage/postgresql + [s3-storage-backend]: /docs/configuration/storage/s3 + [swift-storage-backend]: /docs/configuration/storage/swift + [zookeeper-storage-backend]: /docs/configuration/storage/zookeeper + [integrated-storage]: /docs/configuration/storage/raft diff --git a/website/content/docs/partnerships.mdx b/website/content/docs/partnerships.mdx index 38b65755eb9b7..0a0a889ac233f 100644 --- a/website/content/docs/partnerships.mdx +++ b/website/content/docs/partnerships.mdx @@ -18,7 +18,7 @@ Vault is an Identity-based security solution that leverages trusted sources of i Vault has a secure [plugin](/docs/plugins) architecture. Vault’s plugins are completely separate, standalone applications that Vault executes and communicates with over RPC. This means the plugin process does not share the same memory space as Vault and therefore can only access the interfaces and arguments given to it. -Vault plugins can be built-in and bundled with the Vault binary, or be external that has to be manually mounted. Built-in plugins are developed by HashiCorp, while external plugins can be developed by HashiCorp, technology partners, or the community. There is a curated collection of all plugins, both built-in and external, located on the [Plugin Portal](/docs/plugin-portal). +Vault plugins can be built-in and bundled with the Vault binary, or be external that has to be manually mounted. Built-in plugins are developed by HashiCorp, while external plugins can be developed by HashiCorp, technology partners, or the community. There is a curated collection of all plugins, both built-in and external, located on the [Plugin Portal](/docs/plugins/plugin-portal). The diagram below depicts the key Vault integration categories and types. @@ -32,7 +32,7 @@ Main Vault categories for partners to integrate with include: HSM (Hardware Security Module) are specific types of runtime integrations and provide an added level of security and compliance. The HSM communicates with Vault using the PKCS#11 protocol, thereby resulting in the integration to primarily involve verification of the operation of the functionality. You can find more information about Vault's HSM support [here](/docs/enterprise/hsm). --> **Note:** Integrations related Vault’s [storage](/docs/concepts/storage) backend, [auto auth](/docs/agent/autoauth), and [auto unseal](/docs/concepts/seal#auto-unseal) functionality are not encouraged. Please reach out to [technologypartners@hashicorp.com](mailto:technologypartners@hashicorp.com) for any questions related to this. +\-> **Note:** Integrations related Vault’s [storage](/docs/concepts/storage) backend, [auto auth](/docs/agent/autoauth), and [auto unseal](/docs/concepts/seal#auto-unseal) functionality are not encouraged. Please reach out to [technologypartners@hashicorp.com](mailto:technologypartners@hashicorp.com) for any questions related to this. **Audit/Monitoring & Compliance**: Audit/Monitoring and Compliance are components in Vault that keep a detailed log of all requests and responses to Vault. Because every operation with Vault is an API request/response, the audit log contains every authenticated interaction with Vault, including errors. Vault supports multiple audit devices to support your business use case. You can find more information about Vault Audit Devices [here](/docs/audit/). @@ -67,12 +67,12 @@ The Vault integration development process is divided into six steps. By followin ![Development Process](/img/integration-program-devprocess.png) -1. Engage: Initial contact between vendor and HashiCorp -2. Enable: Information and articles to aid with the development of the integration -3. Develop and Test: Integration development and testing process -4. Review: HashiCorp verification of integration (iterative process) -5. Release: Verified integration made available and listed on the HashiCorp website once the HashiCorp technology partnership agreement has been executed -6. Support: Ongoing maintenance and support of the integration by the partner. +1. Engage: Initial contact between vendor and HashiCorp +1. Enable: Information and articles to aid with the development of the integration +1. Develop and Test: Integration development and testing process +1. Review: HashiCorp verification of integration (iterative process) +1. Release: Verified integration made available and listed on the HashiCorp website once the HashiCorp technology partnership agreement has been executed +1. Support: Ongoing maintenance and support of the integration by the partner. ### 1. Engage @@ -125,7 +125,7 @@ Please remember that all integrations should have the appropriate documentation **HCP Vault** -The process to spin up a testing instance of HCP Vault is very [straightforward](https://learn.hashicorp.com/tutorials/cloud/get-started-vault). HCP has been designed as a turn-key managed service so configuration is minimal. Furthermore, HashiCorp provides all new users an initial credit which lasts for a couple of months when using the [development](https://cloud.hashicorp.com/pricing/vault) cluster. Used in conjunction with AWS free tier resources, there should be no cost beyond the time spent by the designated tester. +The process to spin up a testing instance of HCP Vault is very [straightforward](https://learn.hashicorp.com/tutorials/cloud/get-started-vault). HCP has been designed as a turn-key managed service so configuration is minimal. Furthermore, HashiCorp provides all new users an initial credit which lasts for a couple of months when using the [development](https://cloud.hashicorp.com/products/vault/pricing) cluster. Used in conjunction with AWS free tier resources, there should be no cost beyond the time spent by the designated tester. There are a couple of items to consider when determining if the integration will work with HCP Vault. @@ -150,7 +150,7 @@ Once the integration has been verified, the partner is requested to sign the Has At this stage, it is expected that the integration is fully complete, the necessary documentation has been written, and HashiCorp has reviewed the integration. -For Auth or Secret Engine plugins specifically, once the plugin has been validated by HashiCorp, it is recommended the plugin be hosted on Github so it can more easily be downloaded and installed within Vault. We also encourage partners to list their plugin on the [Vault Plugin Portal](/docs/plugin-portal). This is in addition to the listing of the plugin on the technology partners’ dedicated HashiCorp partner page. To have the plugin listed on the portal page, please do a pull request via the “edit in GitHub” link on the bottom of the page and add the plugin in the partner section. +For Auth or Secret Engine plugins specifically, once the plugin has been validated by HashiCorp, it is recommended the plugin be hosted on Github so it can more easily be downloaded and installed within Vault. We also encourage partners to list their plugin on the [Vault Plugin Portal](/docs/plugins/plugin-portal). This is in addition to the listing of the plugin on the technology partners’ dedicated HashiCorp partner page. To have the plugin listed on the portal page, please do a pull request via the “edit in GitHub” link on the bottom of the page and add the plugin in the partner section. For HCP Vault validations, the partner will be issued an HCP Vault Verified badge and will have this displayed on their partner page. diff --git a/website/content/docs/platform/k8s/helm/index.mdx b/website/content/docs/platform/k8s/helm/index.mdx index 23e353e90383d..300016e0d6424 100644 --- a/website/content/docs/platform/k8s/helm/index.mdx +++ b/website/content/docs/platform/k8s/helm/index.mdx @@ -24,7 +24,7 @@ properly installed and configured with your Kubernetes cluster. Helm must be installed and configured on your machine. Please refer to the [Helm documentation](https://helm.sh/) or the [Vault Installation to Minikube via -Helm](https://learn.hashicorp.com/tutorials/vault/kubernetes-minikube) tutorial. +Helm](https://learn.hashicorp.com/tutorials/vault/kubernetes-minikube-consul) tutorial. To use the Helm chart, add the Hashicorp helm repository and check that you have access to the chart: diff --git a/website/content/docs/platform/k8s/helm/terraform.mdx b/website/content/docs/platform/k8s/helm/terraform.mdx index b1b96c407226d..e0ac12e0f02b7 100644 --- a/website/content/docs/platform/k8s/helm/terraform.mdx +++ b/website/content/docs/platform/k8s/helm/terraform.mdx @@ -63,7 +63,7 @@ resource "helm_release" "vault" { -The values file can also be used directly in the Terraform configuration with the [`values` directive](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release#values). +The values file can also be used directly in the Terraform configuration with the [`values` directive](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release#values#values). ## Further Examples diff --git a/website/content/docs/release-notes/1.10.0.mdx b/website/content/docs/release-notes/1.10.0.mdx index ec67f964c47ab..8a4a0e3254e0a 100644 --- a/website/content/docs/release-notes/1.10.0.mdx +++ b/website/content/docs/release-notes/1.10.0.mdx @@ -110,7 +110,7 @@ Any external database plugins that want to adopt multiplexing support will have ### Consul Secrets Engine enhancements -Consul has supported [namespace](https://www.consul.io/docs/enterprise/namespaces), [admin partitions](https://www.consul.io/docs/enterprise/admin-partitions) and [ACL roles](https://www.consul.io/commands/acl/role) for some time now. In this release we have added enhancements to the Consul Secrets engine to support [namespace]() awareness and add admin partition and role support for Consul ACL tokens. This significantly simplifies the integrations for customers who want to achieve a zero trust security posture with both Vault and Consul. +Consul has supported [namespace](https://www.consul.io/docs/enterprise/namespaces), [admin partitions](https://www.consul.io/docs/enterprise/admin-partitions) and [ACL roles](https://www.consul.io/commands/acl/role) for some time now. In this release we have added enhancements to the Consul Secrets engine to support [namespace](<>) awareness and add admin partition and role support for Consul ACL tokens. This significantly simplifies the integrations for customers who want to achieve a zero trust security posture with both Vault and Consul. ### Using sessionStorage instead of localStorage for the Vault UI diff --git a/website/content/docs/release-notes/1.9.0.mdx b/website/content/docs/release-notes/1.9.0.mdx index d22dff87596e3..4a0f1a6f6053e 100644 --- a/website/content/docs/release-notes/1.9.0.mdx +++ b/website/content/docs/release-notes/1.9.0.mdx @@ -71,7 +71,7 @@ This [feature](/docs/concepts/namespace-api-lock) allows namespace administrator ### Vault Terraform Provider v3 -We have upgraded the [Vault Terraform Provider](https://registry.terraform.io/providers/hashicorp/vault/latest/docs) to the latest version of the [Terraform Plugin SDKv2](https://www.terraform.io/docs/extend/sdkv2-intro.html) to leverage new features. +We have upgraded the [Vault Terraform Provider](https://registry.terraform.io/providers/hashicorp/vault/latest/docs) to the latest version of the [Terraform Plugin SDKv2](https://www.terraform.io/plugin/sdkv2) to leverage new features. ### Azure Secrets Engine @@ -110,7 +110,7 @@ The following section details breaking changes introduced in Vault 1.9. ### Removal of HTTP request counters In Vault 1.9, the [internal HTTP Request count API](https://www.vaultproject.io/api-docs/system/internal-counters#http-requests) was removed from the product. Calls to the endpoint will result in a **404 error** with a message stating that functionality on this path has been removed. -Please refer to the [upgrade guide](/docs/upgrading/upgrade-to-1.9.0) for more information. +Please refer to the [upgrade guide](/docs/upgrading/upgrade-to-1.9.x) for more information. As called out in the documentation, Vault does not make backwards compatible guarantees on internal APIs (those prefaced with `sys/internal`). They are subject to change and may disappear without notice. diff --git a/website/content/docs/secrets/consul.mdx b/website/content/docs/secrets/consul.mdx index 0f5028001244a..a3ef310b34da9 100644 --- a/website/content/docs/secrets/consul.mdx +++ b/website/content/docs/secrets/consul.mdx @@ -197,4 +197,4 @@ The Consul secrets engine has a full HTTP API. Please see the [Consul secrets engine API](/api-docs/secret/consul) for more details. -[consul-mgmt-token]: https://www.consul.io/docs/agent/http/acl.html#acl_create +[consul-mgmt-token]: https://www.consul.io/api-docs/acl#acl_create diff --git a/website/content/docs/secrets/databases/elasticdb.mdx b/website/content/docs/secrets/databases/elasticdb.mdx index 4e5b3c5037068..861e54f916805 100644 --- a/website/content/docs/secrets/databases/elasticdb.mdx +++ b/website/content/docs/secrets/databases/elasticdb.mdx @@ -106,78 +106,78 @@ Now, Elasticsearch is configured and ready to be used with Vault. ## Setup -1. Enable the database secrets engine if it is not already enabled: - - ```text - $ vault secrets enable database - Success! Enabled the database secrets engine at: database/ - ``` - - By default, the secrets engine will enable at the name of the engine. To - enable the secrets engine at a different path, use the `-path` argument. - -1. Configure Vault with the proper plugin and connection information: - - ```text - $ vault write database/config/my-elasticsearch-database \ - plugin_name="elasticsearch-database-plugin" \ - allowed_roles="internally-defined-role,externally-defined-role" \ - username=vault \ - password=myPa55word \ - url=http://localhost:9200 \ - ca_cert=/usr/share/ca-certificates/extra/elastic-stack-ca.crt.pem \ - client_cert=$ES_HOME/config/certs/elastic-certificates.crt.pem \ - client_key=$ES_HOME/config/certs/elastic-certificates.key.pem - ``` - -1. Configure a role that maps a name in Vault to a role definition in Elasticsearch. - This is considered the most secure type of role because nobody can perform - a privilege escalation by editing a role's privileges out-of-band in - Elasticsearch: - - ```text - $ vault write database/roles/internally-defined-role \ - db_name=my-elasticsearch-database \ - creation_statements='{"elasticsearch_role_definition": {"indices": [{"names":["*"], "privileges":["read"]}]}}' \ - default_ttl="1h" \ - max_ttl="24h" - Success! Data written to: database/roles/internally-defined-role - ``` - -1. Alternatively, configure a role that maps a name in Vault to a pre-existing - role definition in Elasticsearch: - - ```text - $ vault write database/roles/externally-defined-role \ - db_name=my-elasticsearch-database \ - creation_statements='{"elasticsearch_roles": ["pre-existing-role-in-elasticsearch"]}' \ - default_ttl="1h" \ - max_ttl="24h" - Success! Data written to: database/roles/externally-defined-role - ``` +1. Enable the database secrets engine if it is not already enabled: + + ```text + $ vault secrets enable database + Success! Enabled the database secrets engine at: database/ + ``` + + By default, the secrets engine will enable at the name of the engine. To + enable the secrets engine at a different path, use the `-path` argument. + +1. Configure Vault with the proper plugin and connection information: + + ```text + $ vault write database/config/my-elasticsearch-database \ + plugin_name="elasticsearch-database-plugin" \ + allowed_roles="internally-defined-role,externally-defined-role" \ + username=vault \ + password=myPa55word \ + url=http://localhost:9200 \ + ca_cert=/usr/share/ca-certificates/extra/elastic-stack-ca.crt.pem \ + client_cert=$ES_HOME/config/certs/elastic-certificates.crt.pem \ + client_key=$ES_HOME/config/certs/elastic-certificates.key.pem + ``` + +1. Configure a role that maps a name in Vault to a role definition in Elasticsearch. + This is considered the most secure type of role because nobody can perform + a privilege escalation by editing a role's privileges out-of-band in + Elasticsearch: + + ```text + $ vault write database/roles/internally-defined-role \ + db_name=my-elasticsearch-database \ + creation_statements='{"elasticsearch_role_definition": {"indices": [{"names":["*"], "privileges":["read"]}]}}' \ + default_ttl="1h" \ + max_ttl="24h" + Success! Data written to: database/roles/internally-defined-role + ``` + +1. Alternatively, configure a role that maps a name in Vault to a pre-existing + role definition in Elasticsearch: + + ```text + $ vault write database/roles/externally-defined-role \ + db_name=my-elasticsearch-database \ + creation_statements='{"elasticsearch_roles": ["pre-existing-role-in-elasticsearch"]}' \ + default_ttl="1h" \ + max_ttl="24h" + Success! Data written to: database/roles/externally-defined-role + ``` ## Usage After the secrets engine is configured and a user/machine has a Vault token with the proper permission, it can generate credentials. -1. Generate a new credential by reading from the `/creds` endpoint with the name - of the role: +1. Generate a new credential by reading from the `/creds` endpoint with the name + of the role: - ```text - $ vault read database/creds/my-role - Key Value - --- ----- - lease_id database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6 - lease_duration 1h - lease_renewable true - password 0ZsueAP-dqCNGZo35M0n - username v-vaultuser-my-role-AgIViC5TdQHBdeiCxae0-1602541724 - ``` + ```text + $ vault read database/creds/my-role + Key Value + --- ----- + lease_id database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6 + lease_duration 1h + lease_renewable true + password 0ZsueAP-dqCNGZo35M0n + username v-vaultuser-my-role-AgIViC5TdQHBdeiCxae0-1602541724 + ``` ## API -The full list of configurable options can be seen in the [Elasticsearch database plugin API](/api-docs/secret/databases/elasticdb.html) page. +The full list of configurable options can be seen in the [Elasticsearch database plugin API](/api-docs/secret/databases/elasticdb) page. For more information on the database secrets engine's HTTP API please see the [Database secrets engine API](/api-docs/secret/databases) page. diff --git a/website/content/docs/secrets/databases/index.mdx b/website/content/docs/secrets/databases/index.mdx index fa33f30ffc777..5905e700919e9 100644 --- a/website/content/docs/secrets/databases/index.mdx +++ b/website/content/docs/secrets/databases/index.mdx @@ -222,9 +222,9 @@ disable_escaping="true" ## Tutorial Refer to the following step-by-step tutorials for more information: -- [Secrets as a Service: Dynamic Secrets](https://learn.hashicorp.com/vault/secrets-management/sm-dynamic-secrets) -- [Database Root Credential Rotation](https://learn.hashicorp.com/vault/secrets-management/db-root-rotation) -- [Database Static Roles and Credential Rotation](https://learn.hashicorp.com/vault/secrets-management/db-creds-rotation) +- [Secrets as a Service: Dynamic Secrets](https://learn.hashicorp.com/tutorials/vault/database-secrets) +- [Database Root Credential Rotation](https://learn.hashicorp.com/tutorials/vault/database-root-rotation) +- [Database Static Roles and Credential Rotation](https://learn.hashicorp.com/tutorials/vault/database-creds-rotation) ## API diff --git a/website/content/docs/secrets/databases/mysql-maria.mdx b/website/content/docs/secrets/databases/mysql-maria.mdx index e37a1169cc4b0..d867d3feb97aa 100644 --- a/website/content/docs/secrets/databases/mysql-maria.mdx +++ b/website/content/docs/secrets/databases/mysql-maria.mdx @@ -37,57 +37,57 @@ more information about setting up the database secrets engine. ## Setup -1. Enable the database secrets engine if it is not already enabled: - - ```text - $ vault secrets enable database - Success! Enabled the database secrets engine at: database/ - ``` - - By default, the secrets engine will enable at the name of the engine. To - enable the secrets engine at a different path, use the `-path` argument. - -1. Configure Vault with the proper plugin and connection information: - - ```text - $ vault write database/config/my-mysql-database \ - plugin_name=mysql-database-plugin \ - connection_url="{{username}}:{{password}}@tcp(127.0.0.1:3306)/" \ - allowed_roles="my-role" \ - username="vaultuser" \ - password="vaultpass" - ``` - -1. Configure a role that maps a name in Vault to an SQL statement to execute to - create the database credential: - - ```text - $ vault write database/roles/my-role \ - db_name=my-mysql-database \ - creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';" \ - default_ttl="1h" \ - max_ttl="24h" - Success! Data written to: database/roles/my-role - ``` +1. Enable the database secrets engine if it is not already enabled: + + ```text + $ vault secrets enable database + Success! Enabled the database secrets engine at: database/ + ``` + + By default, the secrets engine will enable at the name of the engine. To + enable the secrets engine at a different path, use the `-path` argument. + +1. Configure Vault with the proper plugin and connection information: + + ```text + $ vault write database/config/my-mysql-database \ + plugin_name=mysql-database-plugin \ + connection_url="{{username}}:{{password}}@tcp(127.0.0.1:3306)/" \ + allowed_roles="my-role" \ + username="vaultuser" \ + password="vaultpass" + ``` + +1. Configure a role that maps a name in Vault to an SQL statement to execute to + create the database credential: + + ```text + $ vault write database/roles/my-role \ + db_name=my-mysql-database \ + creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';" \ + default_ttl="1h" \ + max_ttl="24h" + Success! Data written to: database/roles/my-role + ``` ## Usage After the secrets engine is configured and a user/machine has a Vault token with the proper permission, it can generate credentials. -1. Generate a new credential by reading from the `/creds` endpoint with the name - of the role: +1. Generate a new credential by reading from the `/creds` endpoint with the name + of the role: - ```text - $ vault read database/creds/my-role - Key Value - --- ----- - lease_id database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6 - lease_duration 1h - lease_renewable true - password yY-57n3X5UQhxnmFRP3f - username v_vaultuser_my-role_crBWVqVh2Hc1 - ``` + ```text + $ vault read database/creds/my-role + Key Value + --- ----- + lease_id database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6 + lease_duration 1h + lease_renewable true + password yY-57n3X5UQhxnmFRP3f + username v_vaultuser_my-role_crBWVqVh2Hc1 + ``` ## Client x509 Certificate Authentication @@ -157,7 +157,7 @@ $ vault write database/config/my-mysql-database \ ``` For a guide in root credential rotation, see [Database Root Credential -Rotation](/guides/secret-mgmt/db-root-rotation). +Rotation](https://learn.hashicorp.com/vault/secrets-management/db-root-rotation). ## API diff --git a/website/content/docs/secrets/identity/oidc-provider.mdx b/website/content/docs/secrets/identity/oidc-provider.mdx index 2bf0cf5c73fbe..9e7f9e2fefaec 100644 --- a/website/content/docs/secrets/identity/oidc-provider.mdx +++ b/website/content/docs/secrets/identity/oidc-provider.mdx @@ -15,7 +15,7 @@ to talk to Vault. Once enabled, Vault will act as the bridge to other identity p its existing authentication methods. Client applications can also obtain identity information for their end-users by leveraging custom templating of Vault identity information. --> **Note**: For more detailed information on the configuration resources and OIDC endpoints, +\-> **Note**: For more detailed information on the configuration resources and OIDC endpoints, please visit the [OIDC provider](/docs/concepts/oidc-provider) concepts page. ## Setup @@ -52,7 +52,7 @@ Any Vault auth method may be used within the OIDC flow. For simplicity, enable t This user will authenticate to Vault through a client application, otherwise known as an OIDC [relying party](https://openid.net/specs/openid-connect-core-1_0.html#Terminology). -3. Create a client application: +2. Create a client application: ```text $ vault write identity/oidc/client/my-webapp \ @@ -70,7 +70,7 @@ Any Vault auth method may be used within the OIDC flow. For simplicity, enable t To allow all Vault entities to authenticate, the built-in [allow_all](/docs/concepts/oidc-provider#assignments) assignment is provided. -4. Read client credentials: +2. Read client credentials: ```text $ vault read identity/oidc/client/my-webapp @@ -90,7 +90,7 @@ Any Vault auth method may be used within the OIDC flow. For simplicity, enable t The `client_id` and `client_secret` are the client application's credentials. These values are typically required when configuring an OIDC relying party. -5. Read OIDC discovery configuration: +2. Read OIDC discovery configuration: ```text $ curl -s http://127.0.0.1:8200/v1/identity/oidc/provider/default/.well-known/openid-configuration diff --git a/website/content/docs/secrets/nomad.mdx b/website/content/docs/secrets/nomad.mdx index 850d30bb59973..495a6a7808194 100644 --- a/website/content/docs/secrets/nomad.mdx +++ b/website/content/docs/secrets/nomad.mdx @@ -37,7 +37,7 @@ Success! Data written to: nomad/config/lease ``` For a quick start, you can use the SecretID token provided by the [Nomad ACL bootstrap -process](https://www.nomadproject.io/guides/acl.html#generate-the-initial-token), although this +process](https://learn.hashicorp.com/collections/nomad/access-control#generate-the-initial-token), although this is discouraged for production deployments. ```shell-session @@ -54,7 +54,7 @@ Modify Index = 7 ``` The suggested pattern is to generate a token specifically for Vault, following the -[Nomad ACL guide](https://www.nomadproject.io/guides/acl.html) +[Nomad ACL guide](https://learn.hashicorp.com/collections/nomad/access-control) Next, we must configure Vault to know how to contact Nomad. This is done by writing the access information: diff --git a/website/content/docs/secrets/pki/considerations.mdx b/website/content/docs/secrets/pki/considerations.mdx index c0d6f2247144b..b7215baa192d0 100644 --- a/website/content/docs/secrets/pki/considerations.mdx +++ b/website/content/docs/secrets/pki/considerations.mdx @@ -58,7 +58,7 @@ root CA (which may be a second mount of the `pki` secrets engine). ### Managed Keys Since 1.10, Vault Enterprise can access private key material in a -[_managed key_](../enterprise/managed-keys). In this case, Vault never sees the +[_managed key_](/docs/enterprise/managed-keys). In this case, Vault never sees the private key, and the external KMS or HSM performs certificate signing operations. Managed keys are configured by selecting the `kms` type when generating a root or intermediate. diff --git a/website/content/docs/secrets/terraform.mdx b/website/content/docs/secrets/terraform.mdx index b53e11d6ebe23..0ad1c149f9550 100644 --- a/website/content/docs/secrets/terraform.mdx +++ b/website/content/docs/secrets/terraform.mdx @@ -16,7 +16,7 @@ This page will show a quick start for this backend. For detailed documentation on every path, use `vault path-help` after mounting the backend. ~> **Terraform Enterprise Support:** this secret engine supports both Terraform -Cloud ([app.terraform.io](https://app.terraform.io)) as well as on-prem +Cloud ([app.terraform.io](https://app.terraform.io/session)) as well as on-prem Terraform Enterprise. Any version requirements will be documented alongside the features that require them, if any. @@ -55,7 +55,7 @@ management tool. and manages the lifecycle of that API token. You will need to know the User ID in order to generate User API tokens for that user. You can use the Terraform Cloud [Account - API](https://www.terraform.io/docs/cloud/api-docs/account.html) to find the + API](https://www.terraform.io/cloud-docs/api-docs/account) to find the desired User ID. ```shell-session @@ -94,7 +94,7 @@ however there are important differences to be aware of. The Terraform Cloud API limits both Organization and Team roles to **one active token at any given time**. Generating a new Organization or Team API token by reading the credentials in Vault or otherwise generating them on -[app.terraform.io](https://app.terraform.io) will effectively revoke **any** +[app.terraform.io](https://app.terraform.io/session) will effectively revoke **any** existing API token for that Organization or Team. Due to this behavior, Organization and Team API tokens created by Vault will be diff --git a/website/content/docs/what-is-vault.mdx b/website/content/docs/what-is-vault.mdx index 3180684947ae3..aeda0c2fc85ac 100644 --- a/website/content/docs/what-is-vault.mdx +++ b/website/content/docs/what-is-vault.mdx @@ -45,7 +45,7 @@ The key features of Vault are: - **Secure Secret Storage**: Arbitrary key/value secrets can be stored in Vault. Vault encrypts these secrets prior to writing them to persistent storage, so gaining access to the raw storage isn't enough to access - your secrets. Vault can write to disk, [Consul](https://www.consul.io), + your secrets. Vault can write to disk, [Consul](https://www.consul.io/), and more. - **Dynamic Secrets**: Vault can generate secrets on-demand for some diff --git a/website/data/api-docs-nav-data.json b/website/data/api-docs-nav-data.json index 31c7f779a90fe..c26ee1f949e82 100644 --- a/website/data/api-docs-nav-data.json +++ b/website/data/api-docs-nav-data.json @@ -1,8 +1,4 @@ [ - { - "title": "Overview", - "path": "index" - }, { "title": "Client Libraries", "path": "libraries" @@ -190,7 +186,12 @@ ] }, { - "title": "Key Management ENTERPRISE", + "title": "Key Management", + "badge": { + "text": "ENTERPRISE", + "type": "outlined", + "color": "neutral" + }, "routes": [ { "title": "Overview", @@ -228,7 +229,12 @@ ] }, { - "title": "KMIP ENTERPRISE", + "title": "KMIP", + "badge": { + "text": "ENTERPRISE", + "type": "outlined", + "color": "neutral" + }, "path": "secret/kmip" }, { @@ -268,7 +274,12 @@ "path": "secret/totp" }, { - "title": "Transform ENTERPRISE", + "title": "Transform", + "badge": { + "text": "ENTERPRISE", + "type": "outlined", + "color": "neutral" + }, "path": "secret/transform" }, { @@ -353,7 +364,12 @@ "path": "auth/userpass" }, { - "title": "App ID DEPRECATED", + "title": "App ID", + "badge": { + "text": "DEPRECATED", + "type": "outlined", + "color": "neutral" + }, "path": "auth/app-id" } ] @@ -490,8 +506,13 @@ "path": "system/loggers" }, { - "title": "/sys/managed-keys ENT", - "path": "system/managed-keys" + "title": "/sys/managed-keys", + "path": "system/managed-keys", + "badge": { + "text": "ENT", + "type": "outlined", + "color": "neutral" + } }, { "title": "/sys/metrics", diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json index 52195456d992c..f1677bf6b2e22 100644 --- a/website/data/docs-nav-data.json +++ b/website/data/docs-nav-data.json @@ -249,7 +249,12 @@ "path": "configuration/seal/ocikms" }, { - "title": "HSM PKCS11 ENT", + "title": "HSM PKCS11", + "badge": { + "text": "ENT", + "type": "outlined", + "color": "neutral" + }, "path": "configuration/seal/pkcs11" }, { @@ -393,11 +398,21 @@ "path": "configuration/log-requests-level" }, { - "title": "Entropy Augmentation ENT", + "title": "Entropy Augmentation", + "badge": { + "text": "ENT", + "type": "outlined", + "color": "neutral" + }, "path": "configuration/entropy-augmentation" }, { - "title": "kms_library ENT", + "title": "kms_library", + "badge": { + "text": "ENT", + "type": "outlined", + "color": "neutral" + }, "path": "configuration/kms-library" } ] @@ -1040,7 +1055,12 @@ ] }, { - "title": "Key Management ENTERPRISE", + "title": "Key Management", + "badge": { + "text": "ENTERPRISE", + "type": "outlined", + "color": "neutral" + }, "routes": [ { "title": "Overview", @@ -1078,7 +1098,12 @@ ] }, { - "title": "KMIP ENTERPRISE", + "title": "KMIP", + "badge": { + "text": "ENTERPRISE", + "type": "outlined", + "color": "neutral" + }, "path": "secrets/kmip" }, { @@ -1160,7 +1185,12 @@ "path": "secrets/totp" }, { - "title": "Transform ENTERPRISE", + "title": "Transform", + "badge": { + "text": "ENTERPRISE", + "type": "outlined", + "color": "neutral" + }, "routes": [ { "title": "Overview", @@ -1171,7 +1201,12 @@ "path": "secrets/transform/ff3-tweak-details" }, { - "title": "Tokenization Transform ENTERPRISE", + "title": "Tokenization Transform", + "badge": { + "text": "ENTERPRISE", + "type": "outlined", + "color": "neutral" + }, "path": "secrets/transform/tokenization" } ] @@ -1337,7 +1372,12 @@ "divider": true }, { - "title": "App ID DEPRECATED", + "title": "App ID", + "badge": { + "text": "DEPRECATED", + "type": "outlined", + "color": "neutral" + }, "path": "auth/app-id" } ] diff --git a/website/scripts/website-build.sh b/website/scripts/website-build.sh index 8c1e50a6a08e8..06333293ced33 100755 --- a/website/scripts/website-build.sh +++ b/website/scripts/website-build.sh @@ -6,6 +6,8 @@ PREVIEW_DIR=website-preview CLONE_DIR=website-preview # The product for which we are building the deploy preview PRODUCT=vault +# Preview mode, controls the UI rendered (either the product site or developer). Can be `io` or `developer` +PREVIEW_MODE=io from_cache=false @@ -28,4 +30,4 @@ fi cd "$PREVIEW_DIR" # Run the build:deploy-preview start script -REPO=$PRODUCT DEV_IO=$PRODUCT IS_CONTENT_PREVIEW=true HASHI_ENV=project-preview npm run build:deploy-preview +PREVIEW_MODE=$PREVIEW_MODE REPO=$PRODUCT HASHI_ENV=project-preview npm run build:deploy-preview diff --git a/website/scripts/website-start.sh b/website/scripts/website-start.sh index 9fe4618df1ca2..10de8829f81b9 100755 --- a/website/scripts/website-start.sh +++ b/website/scripts/website-start.sh @@ -4,6 +4,8 @@ REPO_TO_CLONE=dev-portal PREVIEW_DIR=website-preview # The product for which we are building the deploy preview PRODUCT=vault +# Preview mode, controls the UI rendered (either the product site or developer). Can be `io` or `developer` +PREVIEW_MODE=io should_pull=true @@ -22,4 +24,4 @@ if [ "$should_pull" = true ]; then fi # Run the dev-portal content-repo start script -REPO=$PRODUCT PREVIEW_DIR="$PREVIEW_DIR" npm run start:local-preview +REPO=$PRODUCT PREVIEW_MODE=$PREVIEW_MODE npm run start:local-preview