api

package module
v1.12.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 18, 2024 License: MPL-2.0 Imports: 45 Imported by: 4,054

README

Vault API

This provides the github.com/hashicorp/vault/api package which contains code useful for interacting with a Vault server.

For examples of how to use this module, see the vault-examples repo. For a step-by-step walkthrough on using these client libraries, see the developer quickstart.

GoDoc

Documentation

Index

Constants

View Source 
const (
	EnvVaultAddress          = "VAULT_ADDR"
	EnvVaultAgentAddr        = "VAULT_AGENT_ADDR"
	EnvVaultCACert           = "VAULT_CACERT"
	EnvVaultCACertBytes      = "VAULT_CACERT_BYTES"
	EnvVaultCAPath           = "VAULT_CAPATH"
	EnvVaultClientCert       = "VAULT_CLIENT_CERT"
	EnvVaultClientKey        = "VAULT_CLIENT_KEY"
	EnvVaultClientTimeout    = "VAULT_CLIENT_TIMEOUT"
	EnvVaultSRVLookup        = "VAULT_SRV_LOOKUP"
	EnvVaultSkipVerify       = "VAULT_SKIP_VERIFY"
	EnvVaultNamespace        = "VAULT_NAMESPACE"
	EnvVaultTLSServerName    = "VAULT_TLS_SERVER_NAME"
	EnvVaultWrapTTL          = "VAULT_WRAP_TTL"
	EnvVaultMaxRetries       = "VAULT_MAX_RETRIES"
	EnvVaultToken            = "VAULT_TOKEN"
	EnvVaultMFA              = "VAULT_MFA"
	EnvRateLimit             = "VAULT_RATE_LIMIT"
	EnvHTTPProxy             = "VAULT_HTTP_PROXY"
	EnvVaultProxyAddr        = "VAULT_PROXY_ADDR"
	EnvVaultDisableRedirects = "VAULT_DISABLE_REDIRECTS"
	HeaderIndex              = "X-Vault-Index"
	HeaderForward            = "X-Vault-Forward"
	HeaderInconsistent       = "X-Vault-Inconsistent"

	// NamespaceHeaderName is the header set to specify which namespace the
	// request is indented for.
	NamespaceHeaderName = "X-Vault-Namespace"

	// AuthHeaderName is the name of the header containing the token.
	AuthHeaderName = "X-Vault-Token"

	// RequestHeaderName is the name of the header used by the Agent for
	// SSRF protection.
	RequestHeaderName = "X-Vault-Request"

	TLSErrorString = "This error usually means that the server is running with TLS disabled\n" +
		"but the client is configured to use TLS. Please either enable TLS\n" +
		"on the server or run the client with -address set to an address\n" +
		"that uses the http protocol:\n\n" +
		"    vault <command> -address http://<address>\n\n" +
		"You can also set the VAULT_ADDR environment variable:\n\n\n" +
		"    VAULT_ADDR=http://<address> vault <command>\n\n" +
		"where <address> is replaced by the actual address to the server."
)
View Source 
const (
	EnvVaultAgentAddress = "VAULT_AGENT_ADDR"
	EnvVaultInsecure     = "VAULT_SKIP_VERIFY"

	DefaultAddress = "https://127.0.0.1:8200"
)

Deprecated values

View Source 
const (
	KVOptionCheckAndSet    = "cas"
	KVOptionMethod         = "method"
	KVMergeMethodPatch     = "patch"
	KVMergeMethodReadWrite = "rw"
)
View Source 
const (
	// PluginAutoMTLSEnv is used to ensure AutoMTLS is used. This will override
	// setting a TLSProviderFunc for a plugin.
	PluginAutoMTLSEnv = "VAULT_PLUGIN_AUTOMTLS_ENABLED"

	// PluginMetadataModeEnv is an ENV name used to disable TLS communication
	// to bootstrap mounting plugins.
	PluginMetadataModeEnv = "VAULT_PLUGIN_METADATA_MODE"

	// PluginUnwrapTokenEnv is the ENV name used to pass unwrap tokens to the
	// plugin.
	PluginUnwrapTokenEnv = "VAULT_UNWRAP_TOKEN"
)
View Source 
const (
	// SSHHelperDefaultMountPoint is the default path at which SSH backend will be
	// mounted in the Vault server.
	SSHHelperDefaultMountPoint = "ssh"

	// VerifyEchoRequest is the echo request message sent as OTP by the helper.
	VerifyEchoRequest = "verify-echo-request"

	// VerifyEchoResponse is the echo response message sent as a response to OTP
	// matching echo request.
	VerifyEchoResponse = "verify-echo-response"
)
View Source 
const (
	ErrOutputPolicyRequest = "output a policy, please"
)
View Source 
const (
	ErrOutputStringRequest = "output a string, please"
)

Variables

View Source 
var (
	ErrLifetimeWatcherMissingInput  = errors.New("missing input")
	ErrLifetimeWatcherMissingSecret = errors.New("missing secret")
	ErrLifetimeWatcherNotRenewable  = errors.New("secret is not renewable")
	ErrLifetimeWatcherNoSecretData  = errors.New("returned empty secret data")

	// Deprecated; kept for compatibility
	ErrRenewerMissingInput  = errors.New("missing input to renewer")
	ErrRenewerMissingSecret = errors.New("missing secret to renew")
	ErrRenewerNotRenewable  = errors.New("secret is not renewable")
	ErrRenewerNoSecretData  = errors.New("returned empty secret data")

	// DefaultLifetimeWatcherRenewBuffer is the default size of the buffer for renew
	// messages on the channel.
	DefaultLifetimeWatcherRenewBuffer = 5
	// Deprecated: kept for backwards compatibility
	DefaultRenewerRenewBuffer = 5
)
View Source 
var (
	// The default TTL that will be used with `sys/wrapping/wrap`, can be
	// changed
	DefaultWrappingTTL = "5m"

	// The default function used if no other function is set. It honors the env
	// var to set the wrap TTL. The default wrap TTL will apply when when writing
	// to `sys/wrapping/wrap` when the env var is not set.
	DefaultWrappingLookupFunc = func(operation, path string) string {
		if os.Getenv(EnvVaultWrapTTL) != "" {
			return os.Getenv(EnvVaultWrapTTL)
		}

		if (operation == http.MethodPut || operation == http.MethodPost) && path == "sys/wrapping/wrap" {
			return DefaultWrappingTTL
		}

		return ""
	}
)
View Source 
var ErrIncompleteSnapshot = errors.New("incomplete snapshot, unable to read SHA256SUMS.sealed file")
View Source 
var ErrSecretNotFound = errors.New("secret not found")

ErrSecretNotFound is returned by KVv1 and KVv2 wrappers to indicate that the secret is missing at the given location.

View Source 
var PluginRuntimeTypes = []PluginRuntimeType{
	PluginRuntimeTypeUnsupported,
	PluginRuntimeTypeContainer,
}
View Source 
var PluginTypes = []PluginType{
	PluginTypeUnknown,
	PluginTypeCredential,
	PluginTypeDatabase,
	PluginTypeSecrets,
}

Functions

func CheckHCLKeys added in v1.9.0 

func CheckHCLKeys(node ast.Node, valid []string) error

func DefaultRetryPolicy 

func DefaultRetryPolicy(ctx context.Context, resp *http.Response, err error) (bool, error)

DefaultRetryPolicy is the default retry policy used by new Client objects. It is the same as retryablehttp.DefaultRetryPolicy except that it also retries 412 requests, which are returned by Vault when a X-Vault-Index header isn't satisfied.

func IsSudoPath added in v1.6.0 

func IsSudoPath(path string) bool

Determine whether the given path requires the sudo capability. Note that this uses hardcoded static path information, so will return incorrect results for paths in namespaces, or for secret engines mounted at non-default paths. Expects to receive a path with an initial slash, but no trailing slashes, as the Vault CLI (the only known and expected user of this function) sanitizes its paths that way.

func MergeReplicationStates 

func MergeReplicationStates(old []string, new string) []string

MergeReplicationStates returns a merged array of replication states by iterating through all states in `old`. An iterated state is merged to the result before `new` based on the result of compareReplicationStates

func SudoPaths added in v1.6.0 

func SudoPaths() map[string]*regexp.Regexp

func VaultPluginTLSProvider 

func VaultPluginTLSProvider(apiTLSConfig *TLSConfig) func() (*tls.Config, error)

VaultPluginTLSProvider wraps VaultPluginTLSProviderContext using context.Background.

func VaultPluginTLSProviderContext added in v1.5.0 

func VaultPluginTLSProviderContext(ctx context.Context, apiTLSConfig *TLSConfig) func() (*tls.Config, error)

VaultPluginTLSProviderContext is run inside a plugin and retrieves the response wrapped TLS certificate from vault. It returns a configured TLS Config.

Types

type Audit 

type Audit struct {
	Type        string            `json:"type" mapstructure:"type"`
	Description string            `json:"description" mapstructure:"description"`
	Options     map[string]string `json:"options" mapstructure:"options"`
	Local       bool              `json:"local" mapstructure:"local"`
	Path        string            `json:"path" mapstructure:"path"`
}

type Auth 

type Auth struct {
	// contains filtered or unexported fields
}

Auth is used to perform credential backend related operations.

func (*Auth) Login 

func (a *Auth) Login(ctx context.Context, authMethod AuthMethod) (*Secret, error)

Login sets up the required request body for login requests to the given auth method's /login API endpoint, and then performs a write to it. After a successful login, this method will automatically set the client's token to the login response's ClientToken as well.

The Secret returned is the authentication secret, which if desired can be passed as input to the NewLifetimeWatcher method in order to start automatically renewing the token.

func (*Auth) MFALogin added in v1.6.0 

func (a *Auth) MFALogin(ctx context.Context, authMethod AuthMethod, creds ...string) (*Secret, error)

MFALogin is a wrapper that helps satisfy Vault's MFA implementation. If optional credentials are provided a single-phase login will be attempted and the resulting Secret will contain a ClientToken if the authentication is successful. The client's token will also be set accordingly.

If no credentials are provided a two-phase MFA login will be assumed and the resulting Secret will have a MFARequirement containing the MFARequestID to be used in a follow-up call to `sys/mfa/validate` or by passing it to the method (*Auth).MFAValidate.

func (*Auth) MFAValidate added in v1.6.0 

func (a *Auth) MFAValidate(ctx context.Context, mfaSecret *Secret, payload map[string]interface{}) (*Secret, error)

MFAValidate validates an MFA request using the appropriate payload and a secret containing Auth.MFARequirement, like the one returned by MFALogin when credentials are not provided. Upon successful validation the client token will be set accordingly.

The Secret returned is the authentication secret, which if desired can be passed as input to the NewLifetimeWatcher method in order to start automatically renewing the token.

func (*Auth) Token 

func (a *Auth) Token() *TokenAuth

Token is used to return the client for token-backend API calls

type AuthConfigInput 

type AuthConfigInput = MountConfigInput

Rather than duplicate, we can use modern Go's type aliasing

type AuthConfigOutput 

type AuthConfigOutput = MountConfigOutput

Rather than duplicate, we can use modern Go's type aliasing

type AuthMethod 

type AuthMethod interface {
	Login(ctx context.Context, client *Client) (*Secret, error)
}

type AuthMount 

type AuthMount = MountOutput

Rather than duplicate, we can use modern Go's type aliasing

type AutopilotConfig 

type AutopilotConfig struct {
	CleanupDeadServers             bool          `json:"cleanup_dead_servers" mapstructure:"cleanup_dead_servers"`
	LastContactThreshold           time.Duration `json:"last_contact_threshold" mapstructure:"-"`
	DeadServerLastContactThreshold time.Duration `json:"dead_server_last_contact_threshold" mapstructure:"-"`
	MaxTrailingLogs                uint64        `json:"max_trailing_logs" mapstructure:"max_trailing_logs"`
	MinQuorum                      uint          `json:"min_quorum" mapstructure:"min_quorum"`
	ServerStabilizationTime        time.Duration `json:"server_stabilization_time" mapstructure:"-"`
	DisableUpgradeMigration        bool          `json:"disable_upgrade_migration" mapstructure:"disable_upgrade_migration"`
}

AutopilotConfig is used for querying/setting the Autopilot configuration.

func (*AutopilotConfig) MarshalJSON 

func (ac *AutopilotConfig) MarshalJSON() ([]byte, error)

MarshalJSON makes the autopilot config fields JSON compatible

func (*AutopilotConfig) UnmarshalJSON 

func (ac *AutopilotConfig) UnmarshalJSON(b []byte) error

UnmarshalJSON parses the autopilot config JSON blob

type AutopilotServer 

type AutopilotServer struct {
	ID             string `mapstructure:"id"`
	Name           string `mapstructure:"name"`
	Address        string `mapstructure:"address"`
	NodeStatus     string `mapstructure:"node_status"`
	LastContact    string `mapstructure:"last_contact"`
	LastTerm       uint64 `mapstructure:"last_term"`
	LastIndex      uint64 `mapstructure:"last_index"`
	Healthy        bool   `mapstructure:"healthy"`
	StableSince    string `mapstructure:"stable_since"`
	Status         string `mapstructure:"status"`
	Version        string `mapstructure:"version"`
	UpgradeVersion string `mapstructure:"upgrade_version,omitempty"`
	RedundancyZone string `mapstructure:"redundancy_zone,omitempty"`
	NodeType       string `mapstructure:"node_type,omitempty"`
}

AutopilotServer represents the server blocks in the response of the raft autopilot state API.

type AutopilotState 

type AutopilotState struct {
	Healthy                    bool                        `mapstructure:"healthy"`
	FailureTolerance           int                         `mapstructure:"failure_tolerance"`
	Servers                    map[string]*AutopilotServer `mapstructure:"servers"`
	Leader                     string                      `mapstructure:"leader"`
	Voters                     []string                    `mapstructure:"voters"`
	NonVoters                  []string                    `mapstructure:"non_voters"`
	RedundancyZones            map[string]AutopilotZone    `mapstructure:"redundancy_zones,omitempty"`
	Upgrade                    *AutopilotUpgrade           `mapstructure:"upgrade_info,omitempty"`
	OptimisticFailureTolerance int                         `mapstructure:"optimistic_failure_tolerance,omitempty"`
}

AutopilotState represents the response of the raft autopilot state API

type AutopilotUpgrade added in v1.6.0 

type AutopilotUpgrade struct {
	Status                    string                                  `mapstructure:"status"`
	TargetVersion             string                                  `mapstructure:"target_version,omitempty"`
	TargetVersionVoters       []string                                `mapstructure:"target_version_voters,omitempty"`
	TargetVersionNonVoters    []string                                `mapstructure:"target_version_non_voters,omitempty"`
	TargetVersionReadReplicas []string                                `mapstructure:"target_version_read_replicas,omitempty"`
	OtherVersionVoters        []string                                `mapstructure:"other_version_voters,omitempty"`
	OtherVersionNonVoters     []string                                `mapstructure:"other_version_non_voters,omitempty"`
	OtherVersionReadReplicas  []string                                `mapstructure:"other_version_read_replicas,omitempty"`
	RedundancyZones           map[string]AutopilotZoneUpgradeVersions `mapstructure:"redundancy_zones,omitempty"`
}

type AutopilotZone added in v1.6.0 

type AutopilotZone struct {
	Servers          []string `mapstructure:"servers,omitempty"`
	Voters           []string `mapstructure:"voters,omitempty"`
	FailureTolerance int      `mapstructure:"failure_tolerance,omitempty"`
}

type AutopilotZoneUpgradeVersions added in v1.6.0 

type AutopilotZoneUpgradeVersions struct {
	TargetVersionVoters    []string `mapstructure:"target_version_voters,omitempty"`
	TargetVersionNonVoters []string `mapstructure:"target_version_non_voters,omitempty"`
	OtherVersionVoters     []string `mapstructure:"other_version_voters,omitempty"`
	OtherVersionNonVoters  []string `mapstructure:"other_version_non_voters,omitempty"`
}

type CORSRequest 

type CORSRequest struct {
	AllowedOrigins []string `json:"allowed_origins" mapstructure:"allowed_origins"`
	AllowedHeaders []string `json:"allowed_headers" mapstructure:"allowed_headers"`
	Enabled        bool     `json:"enabled" mapstructure:"enabled"`
}

type CORSResponse 

type CORSResponse struct {
	AllowedOrigins []string `json:"allowed_origins" mapstructure:"allowed_origins"`
	AllowedHeaders []string `json:"allowed_headers" mapstructure:"allowed_headers"`
	Enabled        bool     `json:"enabled" mapstructure:"enabled"`
}

type Client 

type Client struct {
	// contains filtered or unexported fields
}

Client is the client to the Vault API. Create a client with NewClient.

func NewClient 

func NewClient(c *Config) (*Client, error)

NewClient returns a new client for the given configuration.

If the configuration is nil, Vault will use configuration from DefaultConfig(), which is the recommended starting configuration.

If the environment variable `VAULT_TOKEN` is present, the token will be automatically added to the client. Otherwise, you must manually call `SetToken()`.

func (*Client) AddHeader 

func (c *Client) AddHeader(key, value string)

AddHeader allows a single header key/value pair to be added in a race-safe fashion.

func (*Client) Address 

func (c *Client) Address() string

Address returns the Vault URL the client is configured to connect to

func (*Client) Auth 

func (c *Client) Auth() *Auth

Auth is used to return the client for credential-backend API calls.

func (*Client) CheckRetry 

func (c *Client) CheckRetry() retryablehttp.CheckRetry

func (*Client) ClearNamespace 

func (c *Client) ClearNamespace()

ClearNamespace removes the namespace header if set.

func (*Client) ClearToken 

func (c *Client) ClearToken()

ClearToken deletes the token if it is set or does nothing otherwise.

func (*Client) ClientTimeout 

func (c *Client) ClientTimeout() time.Duration

func (*Client) Clone 

func (c *Client) Clone() (*Client, error)

Clone creates a new client with the same configuration. Note that the same underlying http.Client is used; modifying the client from more than one goroutine at once may not be safe, so modify the client as needed and then clone. The headers are cloned based on the CloneHeaders property of the source config

Also, only the client's config is currently copied; this means items not in the api.Config struct, such as policy override and wrapping function behavior, must currently then be set as desired on the new client.

func (*Client) CloneConfig 

func (c *Client) CloneConfig() *Config

func (*Client) CloneHeaders 

func (c *Client) CloneHeaders() bool

CloneHeaders gets the configured CloneHeaders value.

func (*Client) CloneTLSConfig added in v1.10.0 

func (c *Client) CloneTLSConfig() bool

CloneTLSConfig gets the configured CloneTLSConfig value.

func (*Client) CloneToken 

func (c *Client) CloneToken() bool

CloneToken gets the configured CloneToken value.

func (*Client) CloneWithHeaders 

func (c *Client) CloneWithHeaders() (*Client, error)

CloneWithHeaders creates a new client similar to Clone, with the difference being that the headers are always cloned

func (*Client) CurrentWrappingLookupFunc 

func (c *Client) CurrentWrappingLookupFunc() WrappingLookupFunc

CurrentWrappingLookupFunc sets a lookup function that returns desired wrap TTLs for a given operation and path.

func (*Client) DisableKeepAlives added in v1.8.0 

func (c *Client) DisableKeepAlives() bool

func (*Client) HCPCookie added in v1.11.0 

func (c *Client) HCPCookie() string

HCPCookie returns the HCP cookie being used by this client. It will return an empty cookie when no cookie is set.

func (*Client) Headers 

func (c *Client) Headers() http.Header

Headers gets the current set of headers used for requests. This returns a copy; to modify it call AddHeader or SetHeaders.

func (*Client) Help 

func (c *Client) Help(path string) (*Help, error)

Help wraps HelpWithContext using context.Background.

func (*Client) HelpWithContext added in v1.5.0 

func (c *Client) HelpWithContext(ctx context.Context, path string) (*Help, error)

HelpWithContext reads the help information for the given path.

func (*Client) KVv1 added in v1.7.0 

func (c *Client) KVv1(mountPath string) *KVv1

KVv1 is used to return a client for reads and writes against a KV v1 secrets engine in Vault.

The mount path is the location where the target KV secrets engine resides in Vault.

While v1 is not necessarily deprecated, Vault development servers tend to use v2 as the version of the KV secrets engine, as this is what's mounted by default when a server is started in -dev mode. See the kvv2 struct.

Learn more about the KV secrets engine here: https://developer.hashicorp.com/vault/docs/secrets/kv

func (*Client) KVv2 added in v1.7.0 

func (c *Client) KVv2(mountPath string) *KVv2

KVv2 is used to return a client for reads and writes against a KV v2 secrets engine in Vault.

The mount path is the location where the target KV secrets engine resides in Vault.

Vault development servers tend to have "secret" as the mount path, as these are the default settings when a server is started in -dev mode.

Learn more about the KV secrets engine here: https://developer.hashicorp.com/vault/docs/secrets/kv

func (*Client) Limiter 

func (c *Client) Limiter() *rate.Limiter

func (*Client) Logical 

func (c *Client) Logical() *Logical

Logical is used to return the client for logical-backend API calls.

func (*Client) MaxIdleConnections added in v1.8.0 

func (c *Client) MaxIdleConnections() int

func (*Client) MaxRetries 

func (c *Client) MaxRetries() int

func (*Client) MaxRetryWait 

func (c *Client) MaxRetryWait() time.Duration

func (*Client) MinRetryWait 

func (c *Client) MinRetryWait() time.Duration

func (*Client) Namespace added in v1.6.0 

func (c *Client) Namespace() string

Namespace returns the namespace currently set in this client. It will return an empty string if there is no namespace set.

func (*Client) NewLifetimeWatcher 

func (c *Client) NewLifetimeWatcher(i *LifetimeWatcherInput) (*LifetimeWatcher, error)

NewLifetimeWatcher creates a new renewer from the given input.

func (*Client) NewRenewer deprecated 

func (c *Client) NewRenewer(i *LifetimeWatcherInput) (*LifetimeWatcher, error)

Deprecated: exists only for backwards compatibility. Calls NewLifetimeWatcher, and sets compatibility flags.

func (*Client) NewRequest 

func (c *Client) NewRequest(method, requestPath string) *Request

NewRequest creates a new raw request object to query the Vault server configured for this client. This is an advanced method and generally doesn't need to be called externally.

func (*Client) OutputCurlString 

func (c *Client) OutputCurlString() bool

func (*Client) OutputPolicy added in v1.6.0 

func (c *Client) OutputPolicy() bool

func (*Client) RawRequest deprecated 

func (c *Client) RawRequest(r *Request) (*Response, error)

RawRequest performs the raw request given. This request may be against a Vault server not configured with this client. This is an advanced operation that generally won't need to be called externally.

Deprecated: RawRequest exists for historical compatibility and should not be used directly. Use client.Logical().ReadRaw(...) or higher level methods instead.

func (*Client) RawRequestWithContext deprecated 

func (c *Client) RawRequestWithContext(ctx context.Context, r *Request) (*Response, error)

RawRequestWithContext performs the raw request given. This request may be against a Vault server not configured with this client. This is an advanced operation that generally won't need to be called externally.

Deprecated: RawRequestWithContext exists for historical compatibility and should not be used directly. Use client.Logical().ReadRawWithContext(...) or higher level methods instead.

func (*Client) ReadYourWrites 

func (c *Client) ReadYourWrites() bool

ReadYourWrites gets the configured value of ReadYourWrites

func (*Client) SRVLookup 

func (c *Client) SRVLookup() bool

func (*Client) SSH 

func (c *Client) SSH() *SSH

SSH returns the client for logical-backend API calls.

func (*Client) SSHHelper 

func (c *Client) SSHHelper() *SSHHelper

SSHHelper creates an SSHHelper object which can talk to Vault server with SSH backend mounted at default path ("ssh").

func (*Client) SSHHelperWithMountPoint 

func (c *Client) SSHHelperWithMountPoint(mountPoint string) *SSHHelper

SSHHelperWithMountPoint creates an SSHHelper object which can talk to Vault server with SSH backend mounted at a specific mount point.

func (*Client) SSHWithMountPoint 

func (c *Client) SSHWithMountPoint(mountPoint string) *SSH

SSHWithMountPoint returns the client with specific SSH mount point.

func (*Client) SetAddress 

func (c *Client) SetAddress(addr string) error

SetAddress sets the address of Vault in the client. The format of address should be "<Scheme>://<Host>:<Port>". Setting this on a client will override the value of VAULT_ADDR environment variable.

func (*Client) SetBackoff 

func (c *Client) SetBackoff(backoff retryablehttp.Backoff)

SetBackoff sets the backoff function to be used for future requests.

func (*Client) SetCheckRedirect added in v1.6.0 

func (c *Client) SetCheckRedirect(f func(*http.Request, []*http.Request) error)

func (*Client) SetCheckRetry 

func (c *Client) SetCheckRetry(checkRetry retryablehttp.CheckRetry)

SetCheckRetry sets the CheckRetry function to be used for future requests.

func (*Client) SetClientTimeout 

func (c *Client) SetClientTimeout(timeout time.Duration)

SetClientTimeout sets the client request timeout

func (*Client) SetCloneHeaders 

func (c *Client) SetCloneHeaders(cloneHeaders bool)

SetCloneHeaders to allow headers to be copied whenever the client is cloned.

func (*Client) SetCloneTLSConfig added in v1.10.0 

func (c *Client) SetCloneTLSConfig(clone bool)

SetCloneTLSConfig from parent.

func (*Client) SetCloneToken 

func (c *Client) SetCloneToken(cloneToken bool)

SetCloneToken from parent

func (*Client) SetDisableKeepAlives added in v1.8.0 

func (c *Client) SetDisableKeepAlives(disable bool)

func (*Client) SetHCPCookie added in v1.11.0 

func (c *Client) SetHCPCookie(v *http.Cookie) error

SetHCPCookie sets the hcp cookie directly. This won't perform any auth verification, it simply sets the token properly for future requests.

func (*Client) SetHeaders 

func (c *Client) SetHeaders(headers http.Header)

SetHeaders clears all previous headers and uses only the given ones going forward.

func (*Client) SetLimiter 

func (c *Client) SetLimiter(rateLimit float64, burst int)

SetLimiter will set the rate limiter for this client. This method is thread-safe. rateLimit and burst are specified according to https://godoc.org/golang.org/x/time/rate#NewLimiter

func (*Client) SetLogger 

func (c *Client) SetLogger(logger retryablehttp.LeveledLogger)

func (*Client) SetMFACreds 

func (c *Client) SetMFACreds(creds []string)

SetMFACreds sets the MFA credentials supplied either via the environment variable or via the command line.

func (*Client) SetMaxIdleConnections added in v1.8.0 

func (c *Client) SetMaxIdleConnections(idle int)

func (*Client) SetMaxRetries 

func (c *Client) SetMaxRetries(retries int)

SetMaxRetries sets the number of retries that will be used in the case of certain errors

func (*Client) SetMaxRetryWait 

func (c *Client) SetMaxRetryWait(retryWait time.Duration)

SetMaxRetryWait sets the maximum time to wait before retrying in the case of certain errors.

func (*Client) SetMinRetryWait 

func (c *Client) SetMinRetryWait(retryWait time.Duration)

SetMinRetryWait sets the minimum time to wait before retrying in the case of certain errors.

func (*Client) SetNamespace 

func (c *Client) SetNamespace(namespace string)

SetNamespace sets the namespace supplied either via the environment variable or via the command line.

func (*Client) SetOutputCurlString 

func (c *Client) SetOutputCurlString(curl bool)

func (*Client) SetOutputPolicy added in v1.6.0 

func (c *Client) SetOutputPolicy(isSet bool)

func (*Client) SetPolicyOverride 

func (c *Client) SetPolicyOverride(override bool)

SetPolicyOverride sets whether requests should be sent with the policy override flag to request overriding soft-mandatory Sentinel policies (both RGPs and EGPs)

func (*Client) SetReadYourWrites 

func (c *Client) SetReadYourWrites(preventStaleReads bool)

SetReadYourWrites to prevent reading stale cluster replication state.

func (*Client) SetSRVLookup 

func (c *Client) SetSRVLookup(srv bool)

func (*Client) SetToken 

func (c *Client) SetToken(v string)

SetToken sets the token directly. This won't perform any auth verification, it simply sets the token properly for future requests.

func (*Client) SetWrappingLookupFunc 

func (c *Client) SetWrappingLookupFunc(lookupFunc WrappingLookupFunc)

SetWrappingLookupFunc sets a lookup function that returns desired wrap TTLs for a given operation and path.

func (*Client) Sys 

func (c *Client) Sys() *Sys

Sys is used to return the client for sys-related API calls.

func (*Client) Token 

func (c *Client) Token() string

Token returns the access token being used by this client. It will return the empty string if there is no token set.

func (*Client) WithNamespace added in v1.6.0 

func (c *Client) WithNamespace(namespace string) *Client

WithNamespace makes a shallow copy of Client, modifies it to use the given namespace, and returns it. Passing an empty string will temporarily unset the namespace.

func (*Client) WithRequestCallbacks 

func (c *Client) WithRequestCallbacks(callbacks ...RequestCallback) *Client

WithRequestCallbacks makes a shallow clone of Client, modifies it to use the given callbacks, and returns it. Each of the callbacks will be invoked on every outgoing request. A client may be used to issue requests concurrently; any locking needed by callbacks invoked concurrently is the callback's responsibility.

func (*Client) WithResponseCallbacks 

func (c *Client) WithResponseCallbacks(callbacks ...ResponseCallback) *Client

WithResponseCallbacks makes a shallow clone of Client, modifies it to use the given callbacks, and returns it. Each of the callbacks will be invoked on every received response. A client may be used to issue requests concurrently; any locking needed by callbacks invoked concurrently is the callback's responsibility.

type ClusterInfo added in v1.10.0 

type ClusterInfo struct {
	APIAddr                     string `json:"api_address,omitempty" mapstructure:"api_address"`
	ClusterAddress              string `json:"cluster_address,omitempty" mapstructure:"cluster_address"`
	ConnectionStatus            string `json:"connection_status,omitempty" mapstructure:"connection_status"`
	LastHeartBeat               string `json:"last_heartbeat,omitempty" mapstructure:"last_heartbeat"`
	LastHeartBeatDurationMillis string `json:"last_heartbeat_duration_ms,omitempty" mapstructure:"last_heartbeat_duration_ms"`
	ClockSkewMillis             string `json:"clock_skew_ms,omitempty" mapstructure:"clock_skew_ms"`
	NodeID                      string `json:"node_id,omitempty" mapstructure:"node_id"`
}

type Config 

type Config struct {

	// Address is the address of the Vault server. This should be a complete
	// URL such as "http://vault.example.com". If you need a custom SSL
	// cert or want to enable insecure mode, you need to specify a custom
	// HttpClient.
	Address string

	// AgentAddress is the address of the local Vault agent. This should be a
	// complete URL such as "http://vault.example.com".
	AgentAddress string

	// HttpClient is the HTTP client to use. Vault sets sane defaults for the
	// http.Client and its associated http.Transport created in DefaultConfig.
	// If you must modify Vault's defaults, it is suggested that you start with
	// that client and modify as needed rather than start with an empty client
	// (or http.DefaultClient).
	HttpClient *http.Client

	// MinRetryWait controls the minimum time to wait before retrying when a 5xx
	// error occurs. Defaults to 1000 milliseconds.
	MinRetryWait time.Duration

	// MaxRetryWait controls the maximum time to wait before retrying when a 5xx
	// error occurs. Defaults to 1500 milliseconds.
	MaxRetryWait time.Duration

	// MaxRetries controls the maximum number of times to retry when a 5xx
	// error occurs. Set to 0 to disable retrying. Defaults to 2 (for a total
	// of three tries).
	MaxRetries int

	// Timeout, given a non-negative value, will apply the request timeout
	// to each request function unless an earlier deadline is passed to the
	// request function through context.Context. Note that this timeout is
	// not applicable to Logical().ReadRaw* (raw response) functions.
	// Defaults to 60 seconds.
	Timeout time.Duration

	// If there is an error when creating the configuration, this will be the
	// error
	Error error

	// The Backoff function to use; a default is used if not provided
	Backoff retryablehttp.Backoff

	// The CheckRetry function to use; a default is used if not provided
	CheckRetry retryablehttp.CheckRetry

	// Logger is the leveled logger to provide to the retryable HTTP client.
	Logger retryablehttp.LeveledLogger

	// Limiter is the rate limiter used by the client.
	// If this pointer is nil, then there will be no limit set.
	// In contrast, if this pointer is set, even to an empty struct,
	// then that limiter will be used. Note that an empty Limiter
	// is equivalent blocking all events.
	Limiter *rate.Limiter

	// OutputCurlString causes the actual request to return an error of type
	// *OutputStringError. Type asserting the error message will allow
	// fetching a cURL-compatible string for the operation.
	//
	// Note: It is not thread-safe to set this and make concurrent requests
	// with the same client. Cloning a client will not clone this value.
	OutputCurlString bool

	// OutputPolicy causes the actual request to return an error of type
	// *OutputPolicyError. Type asserting the error message will display
	// an example of the required policy HCL needed for the operation.
	//
	// Note: It is not thread-safe to set this and make concurrent requests
	// with the same client. Cloning a client will not clone this value.
	OutputPolicy bool

	// SRVLookup enables the client to lookup the host through DNS SRV lookup
	SRVLookup bool

	// CloneHeaders ensures that the source client's headers are copied to
	// its clone.
	CloneHeaders bool

	// CloneToken from parent.
	CloneToken bool

	// CloneTLSConfig from parent (tls.Config).
	CloneTLSConfig bool

	// ReadYourWrites ensures isolated read-after-write semantics by
	// providing discovered cluster replication states in each request.
	// The shared state is automatically propagated to all Client clones.
	//
	// Note: Careful consideration should be made prior to enabling this setting
	// since there will be a performance penalty paid upon each request.
	// This feature requires Enterprise server-side.
	ReadYourWrites bool

	// DisableRedirects when set to true, will prevent the client from
	// automatically following a (single) redirect response to its initial
	// request. This behavior may be desirable if using Vault CLI on the server
	// side.
	//
	// Note: Disabling redirect following behavior could cause issues with
	// commands such as 'vault operator raft snapshot' as this redirects to the
	// primary node.
	DisableRedirects bool
	// contains filtered or unexported fields
}

Config is used to configure the creation of the client.

func DefaultConfig 

func DefaultConfig() *Config

DefaultConfig returns a default configuration for the client. It is safe to modify the return value of this function.

The default Address is https://127.0.0.1:8200, but this can be overridden by setting the `VAULT_ADDR` environment variable.

If an error is encountered, the Error field on the returned *Config will be populated with the specific error.

func (*Config) ConfigureTLS 

func (c *Config) ConfigureTLS(t *TLSConfig) error

ConfigureTLS takes a set of TLS configurations and applies those to the HTTP client.

func (*Config) ParseAddress added in v1.8.0 

func (c *Config) ParseAddress(address string) (*url.URL, error)

ParseAddress transforms the provided address into a url.URL and handles the case of Unix domain sockets by setting the DialContext in the configuration's HttpClient.Transport. This function must be called with c.modifyLock held for write access.

func (*Config) ReadEnvironment 

func (c *Config) ReadEnvironment() error

ReadEnvironment reads configuration information from the environment. If there is an error, no configuration value is updated.

func (*Config) TLSConfig added in v1.9.1 

func (c *Config) TLSConfig() *tls.Config

type DeregisterPluginInput 

type DeregisterPluginInput struct {
	// Name is the name of the plugin. Required.
	Name string `json:"-"`

	// Type of the plugin. Required.
	Type PluginType `json:"type"`

	// Version of the plugin. Optional.
	Version string `json:"version,omitempty"`
}

DeregisterPluginInput is used as input to the DeregisterPlugin function.

type DeregisterPluginRuntimeInput added in v1.10.0 

type DeregisterPluginRuntimeInput struct {
	// Name is the name of the plugin runtime. Required.
	Name string `json:"-"`

	// Type of the plugin. Required.
	Type PluginRuntimeType `json:"type"`
}

DeregisterPluginRuntimeInput is used as input to the DeregisterPluginRuntime function.

type EnableAuditOptions 

type EnableAuditOptions struct {
	Type        string            `json:"type" mapstructure:"type"`
	Description string            `json:"description" mapstructure:"description"`
	Options     map[string]string `json:"options" mapstructure:"options"`
	Local       bool              `json:"local" mapstructure:"local"`
}

type EnableAuthOptions 

type EnableAuthOptions = MountInput

Rather than duplicate, we can use modern Go's type aliasing

type ErrorResponse 

type ErrorResponse struct {
	Errors []string
}

ErrorResponse is the raw structure of errors when they're returned by the HTTP API.

type GenerateRootStatusResponse 

type GenerateRootStatusResponse struct {
	Nonce            string `json:"nonce"`
	Started          bool   `json:"started"`
	Progress         int    `json:"progress"`
	Required         int    `json:"required"`
	Complete         bool   `json:"complete"`
	EncodedToken     string `json:"encoded_token"`
	EncodedRootToken string `json:"encoded_root_token"`
	PGPFingerprint   string `json:"pgp_fingerprint"`
	OTP              string `json:"otp"`
	OTPLength        int    `json:"otp_length"`
}

type GetPluginInput 

type GetPluginInput struct {
	Name string `json:"-"`

	// Type of the plugin. Required.
	Type    PluginType `json:"type"`
	Version string     `json:"version"`
}

GetPluginInput is used as input to the GetPlugin function.

type GetPluginResponse 

type GetPluginResponse struct {
	Args              []string `json:"args"`
	Builtin           bool     `json:"builtin"`
	Command           string   `json:"command"`
	Name              string   `json:"name"`
	SHA256            string   `json:"sha256"`
	OCIImage          string   `json:"oci_image,omitempty"`
	Runtime           string   `json:"runtime,omitempty"`
	DeprecationStatus string   `json:"deprecation_status,omitempty"`
	Version           string   `json:"version,omitempty"`
}

GetPluginResponse is the response from the GetPlugin call.

type GetPluginRuntimeInput added in v1.10.0 

type GetPluginRuntimeInput struct {
	Name string `json:"-"`

	// Type of the plugin runtime. Required.
	Type PluginRuntimeType `json:"type"`
}

GetPluginRuntimeInput is used as input to the GetPluginRuntime function.

type GetPluginRuntimeResponse added in v1.10.0 

type GetPluginRuntimeResponse struct {
	Type         string `json:"type"`
	Name         string `json:"name"`
	OCIRuntime   string `json:"oci_runtime"`
	CgroupParent string `json:"cgroup_parent"`
	CPU          int64  `json:"cpu_nanos"`
	Memory       int64  `json:"memory_bytes"`
}

GetPluginRuntimeResponse is the response from the GetPluginRuntime call.

type HANode 

type HANode struct {
	Hostname           string     `json:"hostname"`
	APIAddress         string     `json:"api_address"`
	ClusterAddress     string     `json:"cluster_address"`
	ActiveNode         bool       `json:"active_node"`
	LastEcho           *time.Time `json:"last_echo"`
	EchoDurationMillis int64      `json:"echo_duration_ms"`
	ClockSkewMillis    int64      `json:"clock_skew_ms"`
	Version            string     `json:"version"`
	UpgradeVersion     string     `json:"upgrade_version,omitempty"`
	RedundancyZone     string     `json:"redundancy_zone,omitempty"`
}

type HAStatusResponse 

type HAStatusResponse struct {
	Nodes []HANode
}

type HealthResponse 

type HealthResponse struct {
	Initialized                bool   `json:"initialized"`
	Sealed                     bool   `json:"sealed"`
	Standby                    bool   `json:"standby"`
	PerformanceStandby         bool   `json:"performance_standby"`
	ReplicationPerformanceMode string `json:"replication_performance_mode"`
	ReplicationDRMode          string `json:"replication_dr_mode"`
	ServerTimeUTC              int64  `json:"server_time_utc"`
	Version                    string `json:"version"`
	ClusterName                string `json:"cluster_name,omitempty"`
	ClusterID                  string `json:"cluster_id,omitempty"`
	LastWAL                    uint64 `json:"last_wal,omitempty"`
	Enterprise                 bool   `json:"enterprise"`
	EchoDurationMillis         int64  `json:"echo_duration_ms"`
	ClockSkewMillis            int64  `json:"clock_skew_ms"`
}

type Help 

type Help struct {
	Help    string                 `json:"help"`
	SeeAlso []string               `json:"see_also"`
	OpenAPI map[string]interface{} `json:"openapi"`
}

type InitRequest 

type InitRequest struct {
	SecretShares      int      `json:"secret_shares"`
	SecretThreshold   int      `json:"secret_threshold"`
	StoredShares      int      `json:"stored_shares"`
	PGPKeys           []string `json:"pgp_keys"`
	RecoveryShares    int      `json:"recovery_shares"`
	RecoveryThreshold int      `json:"recovery_threshold"`
	RecoveryPGPKeys   []string `json:"recovery_pgp_keys"`
	RootTokenPGPKey   string   `json:"root_token_pgp_key"`
}

type InitResponse 

type InitResponse struct {
	Keys            []string `json:"keys"`
	KeysB64         []string `json:"keys_base64"`
	RecoveryKeys    []string `json:"recovery_keys"`
	RecoveryKeysB64 []string `json:"recovery_keys_base64"`
	RootToken       string   `json:"root_token"`
}

type InitStatusResponse 

type InitStatusResponse struct {
	Initialized bool
}

type KVMetadata added in v1.7.0 

type KVMetadata struct {
	CASRequired        bool                   `mapstructure:"cas_required"`
	CreatedTime        time.Time              `mapstructure:"created_time"`
	CurrentVersion     int                    `mapstructure:"current_version"`
	CustomMetadata     map[string]interface{} `mapstructure:"custom_metadata"`
	DeleteVersionAfter time.Duration          `mapstructure:"delete_version_after"`
	MaxVersions        int                    `mapstructure:"max_versions"`
	OldestVersion      int                    `mapstructure:"oldest_version"`
	UpdatedTime        time.Time              `mapstructure:"updated_time"`
	// Keys are stringified ints, e.g. "3". To get a sorted slice of version metadata, use GetVersionsAsList.
	Versions map[string]KVVersionMetadata `mapstructure:"versions"`
	Raw      *Secret
}

KVMetadata is the full metadata for a given KV v2 secret.

type KVMetadataPatchInput added in v1.7.0 

type KVMetadataPatchInput struct {
	CASRequired        *bool
	CustomMetadata     map[string]interface{}
	DeleteVersionAfter *time.Duration
	MaxVersions        *int
}

KVMetadataPatchInput is the subset of metadata that can be manually modified for a KV v2 secret using the PatchMetadata method.

The struct's fields are all pointers. A pointer to a field's zero value (e.g. false for *bool) implies that field should be reset to its zero value after update, whereas a field left as a nil pointer (e.g. nil for *bool) implies the field should remain unchanged.

Since maps are already pointers, use an empty map to remove all custom metadata.

type KVMetadataPutInput added in v1.7.0 

type KVMetadataPutInput struct {
	CASRequired        bool
	CustomMetadata     map[string]interface{}
	DeleteVersionAfter time.Duration
	MaxVersions        int
}

KVMetadataPutInput is the subset of metadata that can be replaced for a KV v2 secret using the PutMetadata method.

All fields should be explicitly provided, as any fields left unset in the struct will be reset to their zero value.

type KVOption added in v1.7.0 

type KVOption func() (key string, value interface{})

Currently supported options: WithOption, WithCheckAndSet, WithMethod

func WithCheckAndSet added in v1.7.0 

func WithCheckAndSet(cas int) KVOption

WithCheckAndSet can optionally be passed to perform a check-and-set operation on a KV request. If not set, the write will be allowed. If cas is set to 0, a write will only be allowed if the key doesn't exist. If set to non-zero, the write will only be allowed if the key’s current version matches the version specified in the cas parameter.

func WithMergeMethod added in v1.7.0 

func WithMergeMethod(method string) KVOption

WithMergeMethod can optionally be passed to dictate which type of patch to perform in a Patch request. If set to "patch", then an HTTP PATCH request will be issued. If set to "rw", then a read will be performed, then a local update, followed by a remote update. Defaults to "patch".

func WithOption added in v1.7.0 

func WithOption(key string, value interface{}) KVOption

WithOption can optionally be passed to provide generic options for a KV request. Valid keys and values depend on the type of request.

type KVSecret added in v1.7.0 

type KVSecret struct {
	Data            map[string]interface{}
	VersionMetadata *KVVersionMetadata
	CustomMetadata  map[string]interface{}
	Raw             *Secret
}

A KVSecret is a key-value secret returned by Vault's KV secrets engine, and is the most basic type of secret stored in Vault.

Data contains the key-value pairs of the secret itself, while Metadata contains a subset of metadata describing this particular version of the secret. The Metadata field for a KV v1 secret will always be nil, as metadata is only supported starting in KV v2.

The Raw field can be inspected for information about the lease, and passed to a LifetimeWatcher object for periodic renewal.

type KVVersionMetadata added in v1.7.0 

type KVVersionMetadata struct {
	Version      int       `mapstructure:"version"`
	CreatedTime  time.Time `mapstructure:"created_time"`
	DeletionTime time.Time `mapstructure:"deletion_time"`
	Destroyed    bool      `mapstructure:"destroyed"`
}

KVVersionMetadata is a subset of metadata for a given version of a KV v2 secret.

type KVv1 added in v1.7.1 

type KVv1 struct {
	// contains filtered or unexported fields
}

func (*KVv1) Delete added in v1.7.1 

func (kv *KVv1) Delete(ctx context.Context, secretPath string) error

Delete deletes a secret from the KV v1 secrets engine.

func (*KVv1) Get added in v1.7.1 

func (kv *KVv1) Get(ctx context.Context, secretPath string) (*KVSecret, error)

Get returns a secret from the KV v1 secrets engine.

func (*KVv1) Put added in v1.7.1 

func (kv *KVv1) Put(ctx context.Context, secretPath string, data map[string]interface{}) error

Put inserts a key-value secret (e.g. {"password": "Hashi123"}) into the KV v1 secrets engine.

If the secret already exists, it will be overwritten.

type KVv2 added in v1.7.1 

type KVv2 struct {
	// contains filtered or unexported fields
}

func (*KVv2) Delete added in v1.7.1 

func (kv *KVv2) Delete(ctx context.Context, secretPath string) error

Delete deletes the most recent version of a secret from the KV v2 secrets engine. To delete an older version, use DeleteVersions.

func (*KVv2) DeleteMetadata added in v1.7.1 

func (kv *KVv2) DeleteMetadata(ctx context.Context, secretPath string) error

DeleteMetadata deletes all versions and metadata of the secret at the given path.

func (*KVv2) DeleteVersions added in v1.7.1 

func (kv *KVv2) DeleteVersions(ctx context.Context, secretPath string, versions []int) error

DeleteVersions deletes the specified versions of a secret from the KV v2 secrets engine. To delete the latest version of a secret, just use Delete.

func (*KVv2) Destroy added in v1.7.1 

func (kv *KVv2) Destroy(ctx context.Context, secretPath string, versions []int) error

Destroy permanently removes the specified secret versions' data from the Vault server. If no secret exists at the given path, no action will be taken.

A list of existing versions can be retrieved using the GetVersionsAsList method.

func (*KVv2) Get added in v1.7.1 

func (kv *KVv2) Get(ctx context.Context, secretPath string) (*KVSecret, error)

Get returns the latest version of a secret from the KV v2 secrets engine.

If the latest version has been deleted, an error will not be thrown, but the Data field on the returned secret will be nil, and the Metadata field will contain the deletion time.

func (*KVv2) GetMetadata added in v1.7.1 

func (kv *KVv2) GetMetadata(ctx context.Context, secretPath string) (*KVMetadata, error)

GetMetadata returns the full metadata for a given secret, including a map of its existing versions and their respective creation/deletion times, etc.

func (*KVv2) GetVersion added in v1.7.1 

func (kv *KVv2) GetVersion(ctx context.Context, secretPath string, version int) (*KVSecret, error)

GetVersion returns the data and metadata for a specific version of the given secret.

If that version has been deleted, the Data field on the returned secret will be nil, and the Metadata field will contain the deletion time.

GetVersionsAsList can provide a list of available versions sorted by version number, while the response from GetMetadata contains them as a map.

func (*KVv2) GetVersionsAsList added in v1.7.1 

func (kv *KVv2) GetVersionsAsList(ctx context.Context, secretPath string) ([]KVVersionMetadata, error)

GetVersionsAsList returns a subset of the metadata for each version of the secret, sorted by version number.

func (*KVv2) Patch added in v1.7.1 

func (kv *KVv2) Patch(ctx context.Context, secretPath string, newData map[string]interface{}, opts ...KVOption) (*KVSecret, error)

Patch additively updates the most recent version of a key-value secret, differentiating it from Put which will fully overwrite the previous data. Only the key-value pairs that are new or changing need to be provided.

The WithMethod KVOption function can optionally be passed to dictate which kind of patch to perform, as older Vault server versions (pre-1.9.0) may only be able to use the old "rw" (read-then-write) style of partial update, whereas newer Vault servers can use the default value of "patch" if the client token's policy has the "patch" capability.

func (*KVv2) PatchMetadata added in v1.7.1 

func (kv *KVv2) PatchMetadata(ctx context.Context, secretPath string, metadata KVMetadataPatchInput) error

PatchMetadata can be used to replace just a subset of a secret's metadata fields at a time, as opposed to PutMetadata which is used to completely replace all fields on the previous metadata.

func (*KVv2) Put added in v1.7.1 

func (kv *KVv2) Put(ctx context.Context, secretPath string, data map[string]interface{}, opts ...KVOption) (*KVSecret, error)

Put inserts a key-value secret (e.g. {"password": "Hashi123"}) into the KV v2 secrets engine.

If the secret already exists, a new version will be created and the previous version can be accessed with the GetVersion method. GetMetadata can provide a list of available versions.

func (*KVv2) PutMetadata added in v1.7.1 

func (kv *KVv2) PutMetadata(ctx context.Context, secretPath string, metadata KVMetadataPutInput) error

PutMetadata can be used to fully replace a subset of metadata fields for a given KV v2 secret. All fields will replace the corresponding values on the Vault server. Any fields left as nil will reset the field on the Vault server back to its zero value.

To only partially replace the values of these metadata fields, use PatchMetadata.

This method can also be used to create a new secret with just metadata and no secret data yet.

func (*KVv2) Rollback added in v1.7.1 

func (kv *KVv2) Rollback(ctx context.Context, secretPath string, toVersion int) (*KVSecret, error)

Rollback can be used to roll a secret back to a previous non-deleted/non-destroyed version. That previous version becomes the next/newest version for the path.

func (*KVv2) Undelete added in v1.7.1 

func (kv *KVv2) Undelete(ctx context.Context, secretPath string, versions []int) error

Undelete undeletes the given versions of a secret, restoring the data so that it can be fetched again with Get requests.

A list of existing versions can be retrieved using the GetVersionsAsList method.

type KeyStatus 

type KeyStatus struct {
	Term        int       `json:"term"`
	InstallTime time.Time `json:"install_time"`
	Encryptions int       `json:"encryptions"`
}

type LeaderResponse 

type LeaderResponse struct {
	HAEnabled                bool      `json:"ha_enabled"`
	IsSelf                   bool      `json:"is_self"`
	ActiveTime               time.Time `json:"active_time"`
	LeaderAddress            string    `json:"leader_address"`
	LeaderClusterAddress     string    `json:"leader_cluster_address"`
	PerfStandby              bool      `json:"performance_standby"`
	PerfStandbyLastRemoteWAL uint64    `json:"performance_standby_last_remote_wal"`
	LastWAL                  uint64    `json:"last_wal"`
	RaftCommittedIndex       uint64    `json:"raft_committed_index,omitempty"`
	RaftAppliedIndex         uint64    `json:"raft_applied_index,omitempty"`
}

type LifetimeWatcher 

type LifetimeWatcher struct {
	// contains filtered or unexported fields
}

LifetimeWatcher is a process for watching lifetime of a secret. 

watcher, err := client.NewLifetimeWatcher(&LifetimeWatcherInput{
	Secret: mySecret,
})
go watcher.Start()
defer watcher.Stop()

for {
	select {
	case err := <-watcher.DoneCh():
		if err != nil {
			log.Fatal(err)
		}

		// Renewal is now over
	case renewal := <-watcher.RenewCh():
		log.Printf("Successfully renewed: %#v", renewal)
	}
}

`DoneCh` will return if renewal fails, or if the remaining lease duration is under a built-in threshold and either renewing is not extending it or renewing is disabled. In both cases, the caller should attempt a re-read of the secret. Clients should check the return value of the channel to see if renewal was successful.

func (*LifetimeWatcher) DoneCh 

func (r *LifetimeWatcher) DoneCh() <-chan error

DoneCh returns the channel where the renewer will publish when renewal stops. If there is an error, this will be an error.

func (*LifetimeWatcher) Renew 

func (r *LifetimeWatcher) Renew()

Renew is for compatibility with the legacy api.Renewer. Calling Renew simply chains to Start.

func (*LifetimeWatcher) RenewCh 

func (r *LifetimeWatcher) RenewCh() <-chan *RenewOutput

RenewCh is a channel that receives a message when a successful renewal takes place and includes metadata about the renewal.

func (*LifetimeWatcher) Start 

func (r *LifetimeWatcher) Start()

Start starts a background process for watching the lifetime of this secret. If renewal is enabled, when the secret has auth data, this attempts to renew the auth (token); When the secret has a lease, this attempts to renew the lease.

func (*LifetimeWatcher) Stop 

func (r *LifetimeWatcher) Stop()

Stop stops the renewer.

type LifetimeWatcherInput 

type LifetimeWatcherInput struct {
	// Secret is the secret to renew
	Secret *Secret

	// DEPRECATED: this does not do anything.
	Grace time.Duration

	// Rand is the randomizer to use for underlying randomization. If not
	// provided, one will be generated and seeded automatically. If provided, it
	// is assumed to have already been seeded.
	Rand *rand.Rand

	// RenewBuffer is the size of the buffered channel where renew messages are
	// dispatched.
	RenewBuffer int

	// The new TTL, in seconds, that should be set on the lease. The TTL set
	// here may or may not be honored by the vault server, based on Vault
	// configuration or any associated max TTL values. If specified, the
	// minimum of this value and the remaining lease duration will be used
	// for grace period calculations.
	Increment int

	// RenewBehavior controls what happens when a renewal errors or the
	// passed-in secret is not renewable.
	RenewBehavior RenewBehavior
}

LifetimeWatcherInput is used as input to the renew function.

type ListPluginRuntimesInput added in v1.10.0 

type ListPluginRuntimesInput struct {
	// Type of the plugin. Required.
	Type PluginRuntimeType `json:"type"`
}

ListPluginRuntimesInput is used as input to the ListPluginRuntimes function.

type ListPluginRuntimesResponse added in v1.10.0 

type ListPluginRuntimesResponse struct {
	// RuntimesByType is the list of plugin runtimes by type.
	Runtimes []PluginRuntimeDetails `json:"runtimes"`
}

ListPluginRuntimesResponse is the response from the ListPluginRuntimes call.

type ListPluginsInput 

type ListPluginsInput struct {
	// Type of the plugin. Required.
	Type PluginType `json:"type"`
}

ListPluginsInput is used as input to the ListPlugins function.

type ListPluginsResponse 

type ListPluginsResponse struct {
	// PluginsByType is the list of plugins by type.
	PluginsByType map[PluginType][]string `json:"types"`

	Details []PluginDetails `json:"details,omitempty"`

	// Names is the list of names of the plugins.
	//
	// Deprecated: Newer server responses should be returning PluginsByType (json:
	// "types") instead.
	Names []string `json:"names"`
}

ListPluginsResponse is the response from the ListPlugins call.

type Logical 

type Logical struct {
	// contains filtered or unexported fields
}

Logical is used to perform logical backend operations on Vault.

func (*Logical) Delete 

func (c *Logical) Delete(path string) (*Secret, error)

func (*Logical) DeleteWithContext added in v1.5.0 

func (c *Logical) DeleteWithContext(ctx context.Context, path string) (*Secret, error)

func (*Logical) DeleteWithData 

func (c *Logical) DeleteWithData(path string, data map[string][]string) (*Secret, error)

func (*Logical) DeleteWithDataWithContext added in v1.5.0 

func (c *Logical) DeleteWithDataWithContext(ctx context.Context, path string, data map[string][]string) (*Secret, error)

func (*Logical) JSONMergePatch 

func (c *Logical) JSONMergePatch(ctx context.Context, path string, data map[string]interface{}) (*Secret, error)

func (*Logical) List 

func (c *Logical) List(path string) (*Secret, error)

func (*Logical) ListWithContext added in v1.5.0 

func (c *Logical) ListWithContext(ctx context.Context, path string) (*Secret, error)

func (*Logical) ParseRawResponseAndCloseBody added in v1.8.3 

func (c *Logical) ParseRawResponseAndCloseBody(resp *Response, err error) (*Secret, error)

func (*Logical) Read 

func (c *Logical) Read(path string) (*Secret, error)

func (*Logical) ReadRaw added in v1.8.2 

func (c *Logical) ReadRaw(path string) (*Response, error)

ReadRaw attempts to read the value stored at the given Vault path (without '/v1/' prefix) and returns a raw *http.Response.

Note: the raw-response functions do not respect the client-configured request timeout; if a timeout is desired, please use ReadRawWithContext instead and set the timeout through context.WithTimeout or context.WithDeadline.

func (*Logical) ReadRawWithContext added in v1.8.3 

func (c *Logical) ReadRawWithContext(ctx context.Context, path string) (*Response, error)

ReadRawWithContext attempts to read the value stored at the give Vault path (without '/v1/' prefix) and returns a raw *http.Response.

Note: the raw-response functions do not respect the client-configured request timeout; if a timeout is desired, please set it through context.WithTimeout or context.WithDeadline.

func (*Logical) ReadRawWithData added in v1.8.2 

func (c *Logical) ReadRawWithData(path string, data map[string][]string) (*Response, error)

ReadRawWithData attempts to read the value stored at the given Vault path (without '/v1/' prefix) and returns a raw *http.Response. The 'data' map is added as query parameters to the request.

Note: the raw-response functions do not respect the client-configured request timeout; if a timeout is desired, please use ReadRawWithDataWithContext instead and set the timeout through context.WithTimeout or context.WithDeadline.

func (*Logical) ReadRawWithDataWithContext added in v1.8.2 

func (c *Logical) ReadRawWithDataWithContext(ctx context.Context, path string, data map[string][]string) (*Response, error)

ReadRawWithDataWithContext attempts to read the value stored at the given Vault path (without '/v1/' prefix) and returns a raw *http.Response. The 'data' map is added as query parameters to the request.

Note: the raw-response functions do not respect the client-configured request timeout; if a timeout is desired, please set it through context.WithTimeout or context.WithDeadline.

func (*Logical) ReadWithContext added in v1.5.0 

func (c *Logical) ReadWithContext(ctx context.Context, path string) (*Secret, error)

func (*Logical) ReadWithData 

func (c *Logical) ReadWithData(path string, data map[string][]string) (*Secret, error)

func (*Logical) ReadWithDataWithContext added in v1.5.0 

func (c *Logical) ReadWithDataWithContext(ctx context.Context, path string, data map[string][]string) (*Secret, error)

func (*Logical) Unwrap 

func (c *Logical) Unwrap(wrappingToken string) (*Secret, error)

func (*Logical) UnwrapWithContext added in v1.5.0 

func (c *Logical) UnwrapWithContext(ctx context.Context, wrappingToken string) (*Secret, error)

func (*Logical) Write 

func (c *Logical) Write(path string, data map[string]interface{}) (*Secret, error)

func (*Logical) WriteBytes 

func (c *Logical) WriteBytes(path string, data []byte) (*Secret, error)

func (*Logical) WriteBytesWithContext added in v1.5.0 

func (c *Logical) WriteBytesWithContext(ctx context.Context, path string, data []byte) (*Secret, error)

func (*Logical) WriteRaw added in v1.11.0 

func (c *Logical) WriteRaw(path string, data []byte) (*Response, error)

func (*Logical) WriteRawWithContext added in v1.11.0 

func (c *Logical) WriteRawWithContext(ctx context.Context, path string, data []byte) (*Response, error)

func (*Logical) WriteWithContext added in v1.5.0 

func (c *Logical) WriteWithContext(ctx context.Context, path string, data map[string]interface{}) (*Secret, error)

type MFAConstraintAny added in v1.9.0 

type MFAConstraintAny struct {
	Any []*MFAMethodID `json:"any,omitempty"`
}

type MFAMethodID added in v1.9.0 

type MFAMethodID struct {
	Type         string `json:"type,omitempty"`
	ID           string `json:"id,omitempty"`
	UsesPasscode bool   `json:"uses_passcode,omitempty"`
	Name         string `json:"name,omitempty"`
}

type MFARequirement added in v1.9.0 

type MFARequirement struct {
	MFARequestID   string                       `json:"mfa_request_id,omitempty"`
	MFAConstraints map[string]*MFAConstraintAny `json:"mfa_constraints,omitempty"`
}

type MountConfigInput 

type MountConfigInput struct {
	Options                   map[string]string       `json:"options" mapstructure:"options"`
	DefaultLeaseTTL           string                  `json:"default_lease_ttl" mapstructure:"default_lease_ttl"`
	Description               *string                 `json:"description,omitempty" mapstructure:"description"`
	MaxLeaseTTL               string                  `json:"max_lease_ttl" mapstructure:"max_lease_ttl"`
	ForceNoCache              bool                    `json:"force_no_cache" mapstructure:"force_no_cache"`
	AuditNonHMACRequestKeys   []string                `json:"audit_non_hmac_request_keys,omitempty" mapstructure:"audit_non_hmac_request_keys"`
	AuditNonHMACResponseKeys  []string                `json:"audit_non_hmac_response_keys,omitempty" mapstructure:"audit_non_hmac_response_keys"`
	ListingVisibility         string                  `json:"listing_visibility,omitempty" mapstructure:"listing_visibility"`
	PassthroughRequestHeaders []string                `json:"passthrough_request_headers,omitempty" mapstructure:"passthrough_request_headers"`
	AllowedResponseHeaders    []string                `json:"allowed_response_headers,omitempty" mapstructure:"allowed_response_headers"`
	TokenType                 string                  `json:"token_type,omitempty" mapstructure:"token_type"`
	AllowedManagedKeys        []string                `json:"allowed_managed_keys,omitempty" mapstructure:"allowed_managed_keys"`
	PluginVersion             string                  `json:"plugin_version,omitempty"`
	UserLockoutConfig         *UserLockoutConfigInput `json:"user_lockout_config,omitempty"`
	DelegatedAuthAccessors    []string                `json:"delegated_auth_accessors,omitempty" mapstructure:"delegated_auth_accessors"`
	IdentityTokenKey          string                  `json:"identity_token_key,omitempty" mapstructure:"identity_token_key"`

	// Deprecated: This field will always be blank for newer server responses.
	PluginName string `json:"plugin_name,omitempty" mapstructure:"plugin_name"`
}

type MountConfigOutput 

type MountConfigOutput struct {
	DefaultLeaseTTL           int                      `json:"default_lease_ttl" mapstructure:"default_lease_ttl"`
	MaxLeaseTTL               int                      `json:"max_lease_ttl" mapstructure:"max_lease_ttl"`
	ForceNoCache              bool                     `json:"force_no_cache" mapstructure:"force_no_cache"`
	AuditNonHMACRequestKeys   []string                 `json:"audit_non_hmac_request_keys,omitempty" mapstructure:"audit_non_hmac_request_keys"`
	AuditNonHMACResponseKeys  []string                 `json:"audit_non_hmac_response_keys,omitempty" mapstructure:"audit_non_hmac_response_keys"`
	ListingVisibility         string                   `json:"listing_visibility,omitempty" mapstructure:"listing_visibility"`
	PassthroughRequestHeaders []string                 `json:"passthrough_request_headers,omitempty" mapstructure:"passthrough_request_headers"`
	AllowedResponseHeaders    []string                 `json:"allowed_response_headers,omitempty" mapstructure:"allowed_response_headers"`
	TokenType                 string                   `json:"token_type,omitempty" mapstructure:"token_type"`
	AllowedManagedKeys        []string                 `json:"allowed_managed_keys,omitempty" mapstructure:"allowed_managed_keys"`
	UserLockoutConfig         *UserLockoutConfigOutput `json:"user_lockout_config,omitempty"`
	DelegatedAuthAccessors    []string                 `json:"delegated_auth_accessors,omitempty" mapstructure:"delegated_auth_accessors"`
	IdentityTokenKey          string                   `json:"identity_token_key,omitempty" mapstructure:"identity_token_key"`

	// Deprecated: This field will always be blank for newer server responses.
	PluginName string `json:"plugin_name,omitempty" mapstructure:"plugin_name"`
}

type MountInput 

type MountInput struct {
	Type                  string            `json:"type"`
	Description           string            `json:"description"`
	Config                MountConfigInput  `json:"config"`
	Local                 bool              `json:"local"`
	SealWrap              bool              `json:"seal_wrap" mapstructure:"seal_wrap"`
	ExternalEntropyAccess bool              `json:"external_entropy_access" mapstructure:"external_entropy_access"`
	Options               map[string]string `json:"options"`

	// Deprecated: Newer server responses should be returning this information in the
	// Type field (json: "type") instead.
	PluginName string `json:"plugin_name,omitempty"`
}

type MountMigrationOutput 

type MountMigrationOutput struct {
	MigrationID string `mapstructure:"migration_id"`
}

type MountMigrationStatusInfo 

type MountMigrationStatusInfo struct {
	SourceMount     string `mapstructure:"source_mount"`
	TargetMount     string `mapstructure:"target_mount"`
	MigrationStatus string `mapstructure:"status"`
}

type MountMigrationStatusOutput 

type MountMigrationStatusOutput struct {
	MigrationID   string                    `mapstructure:"migration_id"`
	MigrationInfo *MountMigrationStatusInfo `mapstructure:"migration_info"`
}

type MountOutput 

type MountOutput struct {
	UUID                  string            `json:"uuid"`
	Type                  string            `json:"type"`
	Description           string            `json:"description"`
	Accessor              string            `json:"accessor"`
	Config                MountConfigOutput `json:"config"`
	Options               map[string]string `json:"options"`
	Local                 bool              `json:"local"`
	SealWrap              bool              `json:"seal_wrap" mapstructure:"seal_wrap"`
	ExternalEntropyAccess bool              `json:"external_entropy_access" mapstructure:"external_entropy_access"`
	PluginVersion         string            `json:"plugin_version" mapstructure:"plugin_version"`
	RunningVersion        string            `json:"running_plugin_version" mapstructure:"running_plugin_version"`
	RunningSha256         string            `json:"running_sha256" mapstructure:"running_sha256"`
	DeprecationStatus     string            `json:"deprecation_status" mapstructure:"deprecation_status"`
}

type OutputPolicyError added in v1.6.0 

type OutputPolicyError struct {
	// contains filtered or unexported fields
}
var LastOutputPolicyError *OutputPolicyError

func (*OutputPolicyError) Error added in v1.6.0 

func (d *OutputPolicyError) Error() string

func (*OutputPolicyError) HCLString added in v1.6.0 

func (d *OutputPolicyError) HCLString() (string, error)

type OutputStringError 

type OutputStringError struct {
	*retryablehttp.Request
	TLSSkipVerify              bool
	ClientCACert, ClientCAPath string
	ClientCert, ClientKey      string
	// contains filtered or unexported fields
}
var LastOutputStringError *OutputStringError

func (*OutputStringError) CurlString 

func (d *OutputStringError) CurlString() (string, error)

func (*OutputStringError) Error 

func (d *OutputStringError) Error() string

type PluginAPIClientMeta 

type PluginAPIClientMeta struct {
	// contains filtered or unexported fields
}

PluginAPIClientMeta is a helper that plugins can use to configure TLS connections back to Vault.

func (*PluginAPIClientMeta) FlagSet 

func (f *PluginAPIClientMeta) FlagSet() *flag.FlagSet

FlagSet returns the flag set for configuring the TLS connection

func (*PluginAPIClientMeta) GetTLSConfig 

func (f *PluginAPIClientMeta) GetTLSConfig() *TLSConfig

GetTLSConfig will return a TLSConfig based off the values from the flags

type PluginDetails added in v1.8.0 

type PluginDetails struct {
	Type              string `json:"type"`
	Name              string `json:"name"`
	OCIImage          string `json:"oci_image,omitempty" mapstructure:"oci_image"`
	Runtime           string `json:"runtime,omitempty"`
	Version           string `json:"version,omitempty"`
	Builtin           bool   `json:"builtin"`
	DeprecationStatus string `json:"deprecation_status,omitempty" mapstructure:"deprecation_status"`
}

type PluginRuntimeDetails added in v1.10.0 

type PluginRuntimeDetails struct {
	Type         string `json:"type" mapstructure:"type"`
	Name         string `json:"name" mapstructure:"name"`
	OCIRuntime   string `json:"oci_runtime" mapstructure:"oci_runtime"`
	CgroupParent string `json:"cgroup_parent" mapstructure:"cgroup_parent"`
	CPU          int64  `json:"cpu_nanos" mapstructure:"cpu_nanos"`
	Memory       int64  `json:"memory_bytes" mapstructure:"memory_bytes"`
}

type PluginRuntimeType added in v1.10.0 

type PluginRuntimeType uint32
const (
	PluginRuntimeTypeUnsupported PluginRuntimeType = iota
	PluginRuntimeTypeContainer
)

This is a list of PluginRuntimeTypes used by Vault.

func ParsePluginRuntimeType added in v1.10.0 

func ParsePluginRuntimeType(PluginRuntimeType string) (PluginRuntimeType, error)

func (PluginRuntimeType) String added in v1.10.0 

func (r PluginRuntimeType) String() string

type PluginType added in v1.9.0 

type PluginType uint32
const (
	PluginTypeUnknown PluginType = iota
	PluginTypeCredential
	PluginTypeDatabase
	PluginTypeSecrets
)

This is a list of PluginTypes used by Vault. If we need to add any in the future, it would be best to add them to the _end_ of the list below because they resolve to incrementing numbers, which may be saved in state somewhere. Thus if the name for one of those numbers changed because a value were added to the middle, that could cause the wrong plugin types to be read from storage for a given underlying number. Example of the problem here: https://play.golang.org/p/YAaPw5ww3er

func ParsePluginType added in v1.9.0 

func ParsePluginType(pluginType string) (PluginType, error)

func (PluginType) MarshalJSON added in v1.11.0 

func (p PluginType) MarshalJSON() ([]byte, error)

MarshalJSON implements json.Marshaler.

func (PluginType) String added in v1.9.0 

func (p PluginType) String() string

func (*PluginType) UnmarshalJSON added in v1.11.0 

func (p *PluginType) UnmarshalJSON(data []byte) error

UnmarshalJSON implements json.Unmarshaler. It supports unmarshaling either a string or a uint32. All new serialization will be as a string, but we previously serialized as a uint32 so we need to support that for backwards compatibility.

type RaftJoinRequest 

type RaftJoinRequest struct {
	AutoJoin         string `json:"auto_join"`
	AutoJoinScheme   string `json:"auto_join_scheme"`
	AutoJoinPort     uint   `json:"auto_join_port"`
	LeaderAPIAddr    string `json:"leader_api_addr"`
	LeaderCACert     string `json:"leader_ca_cert"`
	LeaderClientCert string `json:"leader_client_cert"`
	LeaderClientKey  string `json:"leader_client_key"`
	Retry            bool   `json:"retry"`
	NonVoter         bool   `json:"non_voter"`
}

RaftJoinRequest represents the parameters consumed by the raft join API

type RaftJoinResponse 

type RaftJoinResponse struct {
	Joined bool `json:"joined"`
}

RaftJoinResponse represents the response of the raft join API

type RegisterPluginInput 

type RegisterPluginInput struct {
	// Name is the name of the plugin. Required.
	Name string `json:"-"`

	// Type of the plugin. Required.
	Type PluginType `json:"type"`

	// Args is the list of args to spawn the process with.
	Args []string `json:"args,omitempty"`

	// Command is the command to run.
	Command string `json:"command,omitempty"`

	// SHA256 is the shasum of the plugin.
	SHA256 string `json:"sha256,omitempty"`

	// Version is the optional version of the plugin being registered
	Version string `json:"version,omitempty"`

	// OCIImage specifies the container image to run as a plugin.
	OCIImage string `json:"oci_image,omitempty"`

	// Runtime is the Vault plugin runtime to use when running the plugin.
	Runtime string `json:"runtime,omitempty"`

	// Env specifies a list of key=value pairs to add to the plugin's environment
	// variables.
	Env []string `json:"env,omitempty"`
}

RegisterPluginInput is used as input to the RegisterPlugin function.

type RegisterPluginRuntimeInput added in v1.10.0 

type RegisterPluginRuntimeInput struct {
	// Name is the name of the plugin. Required.
	Name string `json:"-"`

	// Type of the plugin. Required.
	Type PluginRuntimeType `json:"type"`

	OCIRuntime   string `json:"oci_runtime,omitempty"`
	CgroupParent string `json:"cgroup_parent,omitempty"`
	CPU          int64  `json:"cpu_nanos,omitempty"`
	Memory       int64  `json:"memory_bytes,omitempty"`
	Rootless     bool   `json:"rootless,omitempty"`
}

RegisterPluginRuntimeInput is used as input to the RegisterPluginRuntime function.

type RekeyInitRequest 

type RekeyInitRequest struct {
	SecretShares        int      `json:"secret_shares"`
	SecretThreshold     int      `json:"secret_threshold"`
	StoredShares        int      `json:"stored_shares"`
	PGPKeys             []string `json:"pgp_keys"`
	Backup              bool
	RequireVerification bool `json:"require_verification"`
}

type RekeyRetrieveResponse 

type RekeyRetrieveResponse struct {
	Nonce   string              `json:"nonce" mapstructure:"nonce"`
	Keys    map[string][]string `json:"keys" mapstructure:"keys"`
	KeysB64 map[string][]string `json:"keys_base64" mapstructure:"keys_base64"`
}

type RekeyStatusResponse 

type RekeyStatusResponse struct {
	Nonce                string   `json:"nonce"`
	Started              bool     `json:"started"`
	T                    int      `json:"t"`
	N                    int      `json:"n"`
	Progress             int      `json:"progress"`
	Required             int      `json:"required"`
	PGPFingerprints      []string `json:"pgp_fingerprints"`
	Backup               bool     `json:"backup"`
	VerificationRequired bool     `json:"verification_required"`
	VerificationNonce    string   `json:"verification_nonce"`
}

type RekeyUpdateResponse 

type RekeyUpdateResponse struct {
	Nonce                string   `json:"nonce"`
	Complete             bool     `json:"complete"`
	Keys                 []string `json:"keys"`
	KeysB64              []string `json:"keys_base64"`
	PGPFingerprints      []string `json:"pgp_fingerprints"`
	Backup               bool     `json:"backup"`
	VerificationRequired bool     `json:"verification_required"`
	VerificationNonce    string   `json:"verification_nonce,omitempty"`
}

type RekeyVerificationStatusResponse 

type RekeyVerificationStatusResponse struct {
	Nonce    string `json:"nonce"`
	Started  bool   `json:"started"`
	T        int    `json:"t"`
	N        int    `json:"n"`
	Progress int    `json:"progress"`
}

type RekeyVerificationUpdateResponse 

type RekeyVerificationUpdateResponse struct {
	Nonce    string `json:"nonce"`
	Complete bool   `json:"complete"`
}

type ReloadPluginInput 

type ReloadPluginInput struct {
	// Plugin is the name of the plugin to reload, as registered in the plugin catalog
	Plugin string `json:"plugin"`

	// Mounts is the array of string mount paths of the plugin backends to reload
	Mounts []string `json:"mounts"`

	// Scope is the scope of the plugin reload
	Scope string `json:"scope"`
}

ReloadPluginInput is used as input to the ReloadPlugin function.

type ReloadPluginStatusInput 

type ReloadPluginStatusInput struct {
	// ReloadID is the ID of the reload operation
	ReloadID string `json:"reload_id"`
}

ReloadPluginStatusInput is used as input to the ReloadStatusPlugin function.

type ReloadStatus 

type ReloadStatus struct {
	Timestamp time.Time `json:"timestamp" mapstructure:"timestamp"`
	Error     string    `json:"error" mapstructure:"error"`
}

ReloadStatus is the status of an individual node's plugin reload

type ReloadStatusResponse 

type ReloadStatusResponse struct {
	ReloadID string                   `mapstructure:"reload_id"`
	Results  map[string]*ReloadStatus `mapstructure:"results"`
}

ReloadStatusResponse is the combined response of all known completed plugin reloads

type RenewBehavior 

type RenewBehavior uint
const (
	// RenewBehaviorIgnoreErrors means we will attempt to keep renewing until
	// we hit the lifetime threshold. It also ignores errors stemming from
	// passing a non-renewable lease in. In practice, this means you simply
	// reauthenticate/refetch credentials when the watcher exits. This is the
	// default.
	RenewBehaviorIgnoreErrors RenewBehavior = iota

	// RenewBehaviorRenewDisabled turns off renewal attempts entirely. This
	// allows you to simply watch lifetime and have the watcher return at a
	// reasonable threshold without actually making Vault calls.
	RenewBehaviorRenewDisabled

	// RenewBehaviorErrorOnErrors is the "legacy" behavior which always exits
	// on some kind of error
	RenewBehaviorErrorOnErrors
)

type RenewOutput 

type RenewOutput struct {
	// RenewedAt is the timestamp when the renewal took place (UTC).
	RenewedAt time.Time

	// Secret is the underlying renewal data. It's the same struct as all data
	// that is returned from Vault, but since this is renewal data, it will not
	// usually include the secret itself.
	Secret *Secret
}

RenewOutput is the metadata returned to the client (if it's listening) to renew messages.

type Renewer 

type Renewer = LifetimeWatcher

type RenewerInput 

type RenewerInput = LifetimeWatcherInput

type ReplicationStatusGenericResponse added in v1.10.0 

type ReplicationStatusGenericResponse struct {
	LastDRWAL             uint64 `json:"last_dr_wal,omitempty" mapstructure:"last_dr_wal"`
	LastReindexEpoch      string `json:"last_reindex_epoch,omitempty" mapstructure:"last_reindex_epoch"`
	ClusterID             string `json:"cluster_id,omitempty" mapstructure:"cluster_id"`
	LastWAL               uint64 `json:"last_wal,omitempty" mapstructure:"last_wal"`
	MerkleRoot            string `json:"merkle_root,omitempty" mapstructure:"merkle_root"`
	Mode                  string `json:"mode,omitempty" mapstructure:"mode"`
	PrimaryClusterAddr    string `json:"primary_cluster_addr,omitempty" mapstructure:"primary_cluster_addr"`
	LastPerformanceWAL    uint64 `json:"last_performance_wal,omitempty" mapstructure:"last_performance_wal"`
	State                 string `json:"state,omitempty" mapstructure:"state"`
	LastRemoteWAL         uint64 `json:"last_remote_wal,omitempty" mapstructure:"last_remote_wal"`
	SecondaryID           string `json:"secondary_id,omitempty" mapstructure:"secondary_id"`
	SSCTGenerationCounter uint64 `json:"ssct_generation_counter,omitempty" mapstructure:"ssct_generation_counter"`

	KnownSecondaries         []string      `json:"known_secondaries,omitempty" mapstructure:"known_secondaries"`
	KnownPrimaryClusterAddrs []string      `json:"known_primary_cluster_addrs,omitempty" mapstructure:"known_primary_cluster_addrs"`
	Primaries                []ClusterInfo `json:"primaries,omitempty" mapstructure:"primaries"`
	Secondaries              []ClusterInfo `json:"secondaries,omitempty" mapstructure:"secondaries"`
}

type ReplicationStatusResponse added in v1.10.0 

type ReplicationStatusResponse struct {
	DR          ReplicationStatusGenericResponse `json:"dr,omitempty" mapstructure:"dr"`
	Performance ReplicationStatusGenericResponse `json:"performance,omitempty" mapstructure:"performance"`
}

type Request 

type Request struct {
	Method        string
	URL           *url.URL
	Host          string
	Params        url.Values
	Headers       http.Header
	ClientToken   string
	MFAHeaderVals []string
	WrapTTL       string
	Obj           interface{}

	// When possible, use BodyBytes as it is more efficient due to how the
	// retry logic works
	BodyBytes []byte

	// Fallback
	Body     io.Reader
	BodySize int64

	// Whether to request overriding soft-mandatory Sentinel policies (RGPs and
	// EGPs). If set, the override flag will take effect for all policies
	// evaluated during the request.
	PolicyOverride bool

	// HCPCookie is used to set a http cookie when client is connected to HCP
	HCPCookie *http.Cookie
}

Request is a raw request configuration structure used to initiate API requests to the Vault server.

func (*Request) ResetJSONBody 

func (r *Request) ResetJSONBody() error

ResetJSONBody is used to reset the body for a redirect

func (*Request) SetJSONBody 

func (r *Request) SetJSONBody(val interface{}) error

SetJSONBody is used to set a request body that is a JSON-encoded value.

func (*Request) ToHTTP 

func (r *Request) ToHTTP() (*http.Request, error)

DEPRECATED: ToHTTP turns this request into a valid *http.Request for use with the net/http package.

type RequestCallback 

type RequestCallback func(*Request)

func ForwardAlways 

func ForwardAlways() RequestCallback

ForwardAlways returns a request callback which adds a header telling any performance standbys handling the request to forward it to the active node. This feature must be enabled in Vault's configuration.

func ForwardInconsistent 

func ForwardInconsistent() RequestCallback

ForwardInconsistent returns a request callback that will add a request header which says: if the state required isn't present on the node receiving this request, forward it to the active node. This should be used in conjunction with RequireState.

func RequireState 

func RequireState(states ...string) RequestCallback

RequireState returns a request callback that will add a request header to specify the state we require of Vault. This state was obtained from a response header seen previous, probably captured with RecordState.

type Response 

type Response struct {
	*http.Response
}

Response is a raw response that wraps an HTTP response.

func (*Response) DecodeJSON 

func (r *Response) DecodeJSON(out interface{}) error

DecodeJSON will decode the response body to a JSON structure. This will consume the response body, but will not close it. Close must still be called.

func (*Response) Error 

func (r *Response) Error() error

Error returns an error response if there is one. If there is an error, this will fully consume the response body, but will not close it. The body must still be closed manually.

type ResponseCallback 

type ResponseCallback func(*Response)

func RecordState 

func RecordState(state *string) ResponseCallback

RecordState returns a response callback that will record the state returned by Vault in a response header.

type ResponseError 

type ResponseError struct {
	// HTTPMethod is the HTTP method for the request (PUT, GET, etc).
	HTTPMethod string

	// URL is the URL of the request.
	URL string

	// StatusCode is the HTTP status code.
	StatusCode int

	// RawError marks that the underlying error messages returned by Vault were
	// not parsable. The Errors slice will contain the raw response body as the
	// first and only error string if this value is set to true.
	RawError bool

	// Errors are the underlying errors returned by Vault.
	Errors []string

	// Namespace path to be reported to the client if it is set to anything other
	// than root
	NamespacePath string
}

ResponseError is the error returned when Vault responds with an error or non-success HTTP status code. If a request to Vault fails because of a network error a different error message will be returned. ResponseError gives access to the underlying errors and status code.

func (*ResponseError) Error 

func (r *ResponseError) Error() string

Error returns a human-readable error string for the response error.

type RevokeOptions 

type RevokeOptions struct {
	LeaseID string
	Force   bool
	Prefix  bool
	Sync    bool
}

type RootReloadPluginInput added in v1.11.0 

type RootReloadPluginInput struct {
	Plugin string     `json:"-"`               // Plugin name, as registered in the plugin catalog.
	Type   PluginType `json:"-"`               // Plugin type: auth, secret, or database.
	Scope  string     `json:"scope,omitempty"` // Empty to reload on current node, "global" for all nodes.
}

RootReloadPluginInput is used as input to the RootReloadPlugin function.

type SSH 

type SSH struct {
	MountPoint string
	// contains filtered or unexported fields
}

SSH is used to return a client to invoke operations on SSH backend.

func (*SSH) Credential 

func (c *SSH) Credential(role string, data map[string]interface{}) (*Secret, error)

Credential wraps CredentialWithContext using context.Background.

func (*SSH) CredentialWithContext added in v1.5.0 

func (c *SSH) CredentialWithContext(ctx context.Context, role string, data map[string]interface{}) (*Secret, error)

CredentialWithContext invokes the SSH backend API to create a credential to establish an SSH session.

func (*SSH) SignKey 

func (c *SSH) SignKey(role string, data map[string]interface{}) (*Secret, error)

SignKey wraps SignKeyWithContext using context.Background.

func (*SSH) SignKeyWithContext added in v1.5.0 

func (c *SSH) SignKeyWithContext(ctx context.Context, role string, data map[string]interface{}) (*Secret, error)

SignKeyWithContext signs the given public key and returns a signed public key to pass along with the SSH request.

type SSHHelper 

type SSHHelper struct {
	MountPoint string
	// contains filtered or unexported fields
}

SSHHelper is a structure representing a vault-ssh-helper which can talk to vault server in order to verify the OTP entered by the user. It contains the path at which SSH backend is mounted at the server.

func (*SSHHelper) Verify 

func (c *SSHHelper) Verify(otp string) (*SSHVerifyResponse, error)

Verify verifies if the key provided by user is present in Vault server. The response will contain the IP address and username associated with the OTP. In case the OTP matches the echo request message, instead of searching an entry for the OTP, an echo response message is returned. This feature is used by ssh-helper to verify if its configured correctly.

func (*SSHHelper) VerifyWithContext added in v1.5.0 

func (c *SSHHelper) VerifyWithContext(ctx context.Context, otp string) (*SSHVerifyResponse, error)

VerifyWithContext the same as Verify but with a custom context.

type SSHHelperConfig 

type SSHHelperConfig struct {
	VaultAddr       string `hcl:"vault_addr"`
	SSHMountPoint   string `hcl:"ssh_mount_point"`
	Namespace       string `hcl:"namespace"`
	CACert          string `hcl:"ca_cert"`
	CAPath          string `hcl:"ca_path"`
	AllowedCidrList string `hcl:"allowed_cidr_list"`
	AllowedRoles    string `hcl:"allowed_roles"`
	TLSSkipVerify   bool   `hcl:"tls_skip_verify"`
	TLSServerName   string `hcl:"tls_server_name"`
}

SSHHelperConfig is a structure which represents the entries from the vault-ssh-helper's configuration file.

func LoadSSHHelperConfig 

func LoadSSHHelperConfig(path string) (*SSHHelperConfig, error)

LoadSSHHelperConfig loads ssh-helper's configuration from the file and populates the corresponding in-memory structure.

Vault address is a required parameter. Mount point defaults to "ssh".

func ParseSSHHelperConfig 

func ParseSSHHelperConfig(contents string) (*SSHHelperConfig, error)

ParseSSHHelperConfig parses the given contents as a string for the SSHHelper configuration.

func (*SSHHelperConfig) NewClient 

func (c *SSHHelperConfig) NewClient() (*Client, error)

NewClient returns a new client for the configuration. This client will be used by the vault-ssh-helper to communicate with Vault server and verify the OTP entered by user. If the configuration supplies Vault SSL certificates, then the client will have TLS configured in its transport.

func (*SSHHelperConfig) SetTLSParameters 

func (c *SSHHelperConfig) SetTLSParameters(clientConfig *Config, certPool *x509.CertPool)

SetTLSParameters sets the TLS parameters for this SSH agent.

type SSHVerifyResponse 

type SSHVerifyResponse struct {
	// Usually empty. If the request OTP is echo request message, this will
	// be set to the corresponding echo response message.
	Message string `json:"message" mapstructure:"message"`

	// Username associated with the OTP
	Username string `json:"username" mapstructure:"username"`

	// IP associated with the OTP
	IP string `json:"ip" mapstructure:"ip"`

	// Name of the role against which the OTP was issued
	RoleName string `json:"role_name" mapstructure:"role_name"`
}

SSHVerifyResponse is a structure representing the fields in Vault server's response.

type SealStatusResponse 

type SealStatusResponse struct {
	Type              string   `json:"type"`
	Initialized       bool     `json:"initialized"`
	Sealed            bool     `json:"sealed"`
	T                 int      `json:"t"`
	N                 int      `json:"n"`
	Progress          int      `json:"progress"`
	Nonce             string   `json:"nonce"`
	Version           string   `json:"version"`
	BuildDate         string   `json:"build_date"`
	Migration         bool     `json:"migration"`
	ClusterName       string   `json:"cluster_name,omitempty"`
	ClusterID         string   `json:"cluster_id,omitempty"`
	RecoverySeal      bool     `json:"recovery_seal"`
	RecoverySealType  string   `json:"recovery_seal_type,omitempty"`
	StorageType       string   `json:"storage_type,omitempty"`
	HCPLinkStatus     string   `json:"hcp_link_status,omitempty"`
	HCPLinkResourceID string   `json:"hcp_link_resource_ID,omitempty"`
	Warnings          []string `json:"warnings,omitempty"`
}

type Secret 

type Secret struct {
	// The request ID that generated this response
	RequestID string `json:"request_id"`

	LeaseID       string `json:"lease_id"`
	LeaseDuration int    `json:"lease_duration"`
	Renewable     bool   `json:"renewable"`

	// Data is the actual contents of the secret. The format of the data
	// is arbitrary and up to the secret backend.
	Data map[string]interface{} `json:"data"`

	// Warnings contains any warnings related to the operation. These
	// are not issues that caused the command to fail, but that the
	// client should be aware of.
	Warnings []string `json:"warnings"`

	// Auth, if non-nil, means that there was authentication information
	// attached to this response.
	Auth *SecretAuth `json:"auth,omitempty"`

	// WrapInfo, if non-nil, means that the initial response was wrapped in the
	// cubbyhole of the given token (which has a TTL of the given number of
	// seconds)
	WrapInfo *SecretWrapInfo `json:"wrap_info,omitempty"`

	// MountType, if non-empty, provides some information about what kind
	// of mount this secret came from.
	MountType string `json:"mount_type,omitempty"`
}

Secret is the structure returned for every secret within Vault.

func ParseSecret 

func ParseSecret(r io.Reader) (*Secret, error)

ParseSecret is used to parse a secret value from JSON from an io.Reader.

func (*Secret) TokenAccessor 

func (s *Secret) TokenAccessor() (string, error)

TokenAccessor returns the standardized token accessor for the given secret. If the secret is nil or does not contain an accessor, this returns the empty string.

func (*Secret) TokenID 

func (s *Secret) TokenID() (string, error)

TokenID returns the standardized token ID (token) for the given secret.

func (*Secret) TokenIsRenewable 

func (s *Secret) TokenIsRenewable() (bool, error)

TokenIsRenewable returns the standardized token renewability for the given secret. If the secret is nil or does not contain the "renewable" key, this returns false.

func (*Secret) TokenMetadata 

func (s *Secret) TokenMetadata() (map[string]string, error)

TokenMetadata returns the map of metadata associated with this token, if any exists. If the secret is nil or does not contain the "metadata" key, this returns nil.

func (*Secret) TokenPolicies 

func (s *Secret) TokenPolicies() ([]string, error)

TokenPolicies returns the standardized list of policies for the given secret. If the secret is nil or does not contain any policies, this returns nil. It also populates the secret's Auth info with identity/token policy info.

func (*Secret) TokenRemainingUses 

func (s *Secret) TokenRemainingUses() (int, error)

TokenRemainingUses returns the standardized remaining uses for the given secret. If the secret is nil or does not contain the "num_uses", this returns -1. On error, this will return -1 and a non-nil error.

func (*Secret) TokenTTL 

func (s *Secret) TokenTTL() (time.Duration, error)

TokenTTL returns the standardized remaining token TTL for the given secret. If the secret is nil or does not contain a TTL, this returns 0.

type SecretAuth 

type SecretAuth struct {
	ClientToken      string            `json:"client_token"`
	Accessor         string            `json:"accessor"`
	Policies         []string          `json:"policies"`
	TokenPolicies    []string          `json:"token_policies"`
	IdentityPolicies []string          `json:"identity_policies"`
	Metadata         map[string]string `json:"metadata"`
	Orphan           bool              `json:"orphan"`
	EntityID         string            `json:"entity_id"`

	LeaseDuration int  `json:"lease_duration"`
	Renewable     bool `json:"renewable"`

	MFARequirement *MFARequirement `json:"mfa_requirement"`
}

SecretAuth is the structure containing auth information if we have it.

type SecretWrapInfo 

type SecretWrapInfo struct {
	Token           string    `json:"token"`
	Accessor        string    `json:"accessor"`
	TTL             int       `json:"ttl"`
	CreationTime    time.Time `json:"creation_time"`
	CreationPath    string    `json:"creation_path"`
	WrappedAccessor string    `json:"wrapped_accessor"`
}

SecretWrapInfo contains wrapping information if we have it. If what is contained is an authentication token, the accessor for the token will be available in WrappedAccessor.

type Sys 

type Sys struct {
	// contains filtered or unexported fields
}

Sys is used to perform system-related operations on Vault.

func (*Sys) AuditHash 

func (c *Sys) AuditHash(path string, input string) (string, error)

func (*Sys) AuditHashWithContext added in v1.5.0 

func (c *Sys) AuditHashWithContext(ctx context.Context, path string, input string) (string, error)

func (*Sys) CORSStatus 

func (c *Sys) CORSStatus() (*CORSResponse, error)

func (*Sys) CORSStatusWithContext added in v1.5.0 

func (c *Sys) CORSStatusWithContext(ctx context.Context) (*CORSResponse, error)

func (*Sys) Capabilities 

func (c *Sys) Capabilities(token, path string) ([]string, error)

func (*Sys) CapabilitiesAccessor added in v1.11.0 

func (c *Sys) CapabilitiesAccessor(accessor, path string) ([]string, error)

func (*Sys) CapabilitiesAccessorWithContext added in v1.11.0 

func (c *Sys) CapabilitiesAccessorWithContext(ctx context.Context, accessor, path string) ([]string, error)

func (*Sys) CapabilitiesSelf 

func (c *Sys) CapabilitiesSelf(path string) ([]string, error)

func (*Sys) CapabilitiesSelfWithContext added in v1.5.0 

func (c *Sys) CapabilitiesSelfWithContext(ctx context.Context, path string) ([]string, error)

func (*Sys) CapabilitiesWithContext added in v1.5.0 

func (c *Sys) CapabilitiesWithContext(ctx context.Context, token, path string) ([]string, error)

func (*Sys) ConfigureCORS 

func (c *Sys) ConfigureCORS(req *CORSRequest) error

func (*Sys) ConfigureCORSWithContext added in v1.5.0 

func (c *Sys) ConfigureCORSWithContext(ctx context.Context, req *CORSRequest) error

func (*Sys) CreateUICustomMessage added in v1.11.0 

func (c *Sys) CreateUICustomMessage(req UICustomMessageRequest) (*Secret, error)

CreateUICustomMessage calls CreateUICustomMessageWithContext using a background Context.

func (*Sys) CreateUICustomMessageWithContext added in v1.11.0 

func (c *Sys) CreateUICustomMessageWithContext(ctx context.Context, req UICustomMessageRequest) (*Secret, error)

CreateUICustomMessageWithContext sends a request to the Create custom messages endpoint using the provided Context and UICustomMessageRequest values as the inputs. It returns a pointer to a Secret if a response was obtained from the server, including error responses; or an error if a response could not be obtained due to an error.

func (*Sys) DeletePolicy 

func (c *Sys) DeletePolicy(name string) error

func (*Sys) DeletePolicyWithContext added in v1.5.0 

func (c *Sys) DeletePolicyWithContext(ctx context.Context, name string) error

func (*Sys) DeleteUICustomMessage added in v1.11.0 

func (c *Sys) DeleteUICustomMessage(id string) error

DeleteUICustomMessage calls DeleteUICustomMessageWithContext using a background Context.

func (*Sys) DeleteUICustomMessageWithContext added in v1.11.0 

func (c *Sys) DeleteUICustomMessageWithContext(ctx context.Context, id string) error

DeleteUICustomMessageWithContext sends a request to the Delete custom message endpoint using the provided Context and id values. It returns a pointer to a Secret if a response was obtained from the server, including error responses; or an error if a response could not be obtained due to an error.

func (*Sys) DeregisterPlugin 

func (c *Sys) DeregisterPlugin(i *DeregisterPluginInput) error

DeregisterPlugin wraps DeregisterPluginWithContext using context.Background.

func (*Sys) DeregisterPluginRuntime added in v1.10.0 

func (c *Sys) DeregisterPluginRuntime(ctx context.Context, i *DeregisterPluginRuntimeInput) error

DeregisterPluginRuntime removes the plugin with the given name from the plugin catalog.

func (*Sys) DeregisterPluginWithContext added in v1.5.0 

func (c *Sys) DeregisterPluginWithContext(ctx context.Context, i *DeregisterPluginInput) error

DeregisterPluginWithContext removes the plugin with the given name from the plugin catalog.

func (*Sys) DisableAudit 

func (c *Sys) DisableAudit(path string) error

func (*Sys) DisableAuditWithContext added in v1.5.0 

func (c *Sys) DisableAuditWithContext(ctx context.Context, path string) error

func (*Sys) DisableAuth 

func (c *Sys) DisableAuth(path string) error

func (*Sys) DisableAuthWithContext added in v1.5.0 

func (c *Sys) DisableAuthWithContext(ctx context.Context, path string) error

func (*Sys) DisableCORS 

func (c *Sys) DisableCORS() error

func (*Sys) DisableCORSWithContext added in v1.5.0 

func (c *Sys) DisableCORSWithContext(ctx context.Context) error

func (*Sys) EnableAudit 

func (c *Sys) EnableAudit(
	path string, auditType string, desc string, opts map[string]string,
) error

DEPRECATED: Use EnableAuditWithOptions instead

func (*Sys) EnableAuditWithOptions 

func (c *Sys) EnableAuditWithOptions(path string, options *EnableAuditOptions) error

func (*Sys) EnableAuditWithOptionsWithContext added in v1.5.0 

func (c *Sys) EnableAuditWithOptionsWithContext(ctx context.Context, path string, options *EnableAuditOptions) error

func (*Sys) EnableAuth 

func (c *Sys) EnableAuth(path, authType, desc string) error

DEPRECATED: Use EnableAuthWithOptions instead

func (*Sys) EnableAuthWithOptions 

func (c *Sys) EnableAuthWithOptions(path string, options *EnableAuthOptions) error

func (*Sys) EnableAuthWithOptionsWithContext added in v1.5.0 

func (c *Sys) EnableAuthWithOptionsWithContext(ctx context.Context, path string, options *EnableAuthOptions) error

func (*Sys) GenerateDROperationTokenCancel 

func (c *Sys) GenerateDROperationTokenCancel() error

func (*Sys) GenerateDROperationTokenCancelWithContext added in v1.5.0 

func (c *Sys) GenerateDROperationTokenCancelWithContext(ctx context.Context) error

func (*Sys) GenerateDROperationTokenInit 

func (c *Sys) GenerateDROperationTokenInit(otp, pgpKey string) (*GenerateRootStatusResponse, error)

func (*Sys) GenerateDROperationTokenInitWithContext added in v1.5.0 

func (c *Sys) GenerateDROperationTokenInitWithContext(ctx context.Context, otp, pgpKey string) (*GenerateRootStatusResponse, error)

func (*Sys) GenerateDROperationTokenStatus 

func (c *Sys) GenerateDROperationTokenStatus() (*GenerateRootStatusResponse, error)

func (*Sys) GenerateDROperationTokenStatusWithContext added in v1.5.0 

func (c *Sys) GenerateDROperationTokenStatusWithContext(ctx context.Context) (*GenerateRootStatusResponse, error)

func (*Sys) GenerateDROperationTokenUpdate 

func (c *Sys) GenerateDROperationTokenUpdate(shard, nonce string) (*GenerateRootStatusResponse, error)

func (*Sys) GenerateDROperationTokenUpdateWithContext added in v1.5.0 

func (c *Sys) GenerateDROperationTokenUpdateWithContext(ctx context.Context, shard, nonce string) (*GenerateRootStatusResponse, error)

func (*Sys) GenerateRecoveryOperationTokenCancel 

func (c *Sys) GenerateRecoveryOperationTokenCancel() error

func (*Sys) GenerateRecoveryOperationTokenCancelWithContext added in v1.5.0 

func (c *Sys) GenerateRecoveryOperationTokenCancelWithContext(ctx context.Context) error

func (*Sys) GenerateRecoveryOperationTokenInit 

func (c *Sys) GenerateRecoveryOperationTokenInit(otp, pgpKey string) (*GenerateRootStatusResponse, error)

func (*Sys) GenerateRecoveryOperationTokenInitWithContext added in v1.5.0 

func (c *Sys) GenerateRecoveryOperationTokenInitWithContext(ctx context.Context, otp, pgpKey string) (*GenerateRootStatusResponse, error)

func (*Sys) GenerateRecoveryOperationTokenStatus 

func (c *Sys) GenerateRecoveryOperationTokenStatus() (*GenerateRootStatusResponse, error)

func (*Sys) GenerateRecoveryOperationTokenStatusWithContext added in v1.5.0 

func (c *Sys) GenerateRecoveryOperationTokenStatusWithContext(ctx context.Context) (*GenerateRootStatusResponse, error)

func (*Sys) GenerateRecoveryOperationTokenUpdate 

func (c *Sys) GenerateRecoveryOperationTokenUpdate(shard, nonce string) (*GenerateRootStatusResponse, error)

func (*Sys) GenerateRecoveryOperationTokenUpdateWithContext added in v1.5.0 

func (c *Sys) GenerateRecoveryOperationTokenUpdateWithContext(ctx context.Context, shard, nonce string) (*GenerateRootStatusResponse, error)

func (*Sys) GenerateRootCancel 

func (c *Sys) GenerateRootCancel() error

func (*Sys) GenerateRootCancelWithContext added in v1.5.0 

func (c *Sys) GenerateRootCancelWithContext(ctx context.Context) error

func (*Sys) GenerateRootInit 

func (c *Sys) GenerateRootInit(otp, pgpKey string) (*GenerateRootStatusResponse, error)

func (*Sys) GenerateRootInitWithContext added in v1.5.0 

func (c *Sys) GenerateRootInitWithContext(ctx context.Context, otp, pgpKey string) (*GenerateRootStatusResponse, error)

func (*Sys) GenerateRootStatus 

func (c *Sys) GenerateRootStatus() (*GenerateRootStatusResponse, error)

func (*Sys) GenerateRootStatusWithContext added in v1.5.0 

func (c *Sys) GenerateRootStatusWithContext(ctx context.Context) (*GenerateRootStatusResponse, error)

func (*Sys) GenerateRootUpdate 

func (c *Sys) GenerateRootUpdate(shard, nonce string) (*GenerateRootStatusResponse, error)

func (*Sys) GenerateRootUpdateWithContext added in v1.5.0 

func (c *Sys) GenerateRootUpdateWithContext(ctx context.Context, shard, nonce string) (*GenerateRootStatusResponse, error)

func (*Sys) GetAuth added in v1.12.1 

func (c *Sys) GetAuth(path string) (*AuthMount, error)

func (*Sys) GetAuthWithContext added in v1.12.1 

func (c *Sys) GetAuthWithContext(ctx context.Context, path string) (*AuthMount, error)

func (*Sys) GetMount added in v1.12.1 

func (c *Sys) GetMount(path string) (*MountOutput, error)

func (*Sys) GetMountWithContext added in v1.12.1 

func (c *Sys) GetMountWithContext(ctx context.Context, path string) (*MountOutput, error)

func (*Sys) GetPlugin 

func (c *Sys) GetPlugin(i *GetPluginInput) (*GetPluginResponse, error)

GetPlugin wraps GetPluginWithContext using context.Background.

func (*Sys) GetPluginRuntime added in v1.10.0 

func (c *Sys) GetPluginRuntime(ctx context.Context, i *GetPluginRuntimeInput) (*GetPluginRuntimeResponse, error)

GetPluginRuntime retrieves information about the plugin.

func (*Sys) GetPluginWithContext added in v1.5.0 

func (c *Sys) GetPluginWithContext(ctx context.Context, i *GetPluginInput) (*GetPluginResponse, error)

GetPluginWithContext retrieves information about the plugin.

func (*Sys) GetPolicy 

func (c *Sys) GetPolicy(name string) (string, error)

func (*Sys) GetPolicyWithContext added in v1.5.0 

func (c *Sys) GetPolicyWithContext(ctx context.Context, name string) (string, error)

func (*Sys) HAStatus 

func (c *Sys) HAStatus() (*HAStatusResponse, error)

func (*Sys) HAStatusWithContext added in v1.5.0 

func (c *Sys) HAStatusWithContext(ctx context.Context) (*HAStatusResponse, error)

func (*Sys) Health 

func (c *Sys) Health() (*HealthResponse, error)

func (*Sys) HealthWithContext added in v1.5.0 

func (c *Sys) HealthWithContext(ctx context.Context) (*HealthResponse, error)

func (*Sys) Init 

func (c *Sys) Init(opts *InitRequest) (*InitResponse, error)

func (*Sys) InitStatus 

func (c *Sys) InitStatus() (bool, error)

func (*Sys) InitStatusWithContext added in v1.5.0 

func (c *Sys) InitStatusWithContext(ctx context.Context) (bool, error)

func (*Sys) InitWithContext added in v1.5.0 

func (c *Sys) InitWithContext(ctx context.Context, opts *InitRequest) (*InitResponse, error)

func (*Sys) KeyStatus 

func (c *Sys) KeyStatus() (*KeyStatus, error)

func (*Sys) KeyStatusWithContext added in v1.5.0 

func (c *Sys) KeyStatusWithContext(ctx context.Context) (*KeyStatus, error)

func (*Sys) Leader 

func (c *Sys) Leader() (*LeaderResponse, error)

func (*Sys) LeaderWithContext added in v1.5.0 

func (c *Sys) LeaderWithContext(ctx context.Context) (*LeaderResponse, error)

func (*Sys) ListAudit 

func (c *Sys) ListAudit() (map[string]*Audit, error)

func (*Sys) ListAuditWithContext added in v1.5.0 

func (c *Sys) ListAuditWithContext(ctx context.Context) (map[string]*Audit, error)

func (*Sys) ListAuth 

func (c *Sys) ListAuth() (map[string]*AuthMount, error)

func (*Sys) ListAuthWithContext added in v1.5.0 

func (c *Sys) ListAuthWithContext(ctx context.Context) (map[string]*AuthMount, error)

func (*Sys) ListMounts 

func (c *Sys) ListMounts() (map[string]*MountOutput, error)

func (*Sys) ListMountsWithContext added in v1.5.0 

func (c *Sys) ListMountsWithContext(ctx context.Context) (map[string]*MountOutput, error)

func (*Sys) ListPluginRuntimes added in v1.10.0 

func (c *Sys) ListPluginRuntimes(ctx context.Context, input *ListPluginRuntimesInput) (*ListPluginRuntimesResponse, error)

ListPluginRuntimes lists all plugin runtimes in the catalog and returns their names as a list of strings.

func (*Sys) ListPlugins 

func (c *Sys) ListPlugins(i *ListPluginsInput) (*ListPluginsResponse, error)

ListPlugins wraps ListPluginsWithContext using context.Background.

func (*Sys) ListPluginsWithContext added in v1.5.0 

func (c *Sys) ListPluginsWithContext(ctx context.Context, i *ListPluginsInput) (*ListPluginsResponse, error)

ListPluginsWithContext lists all plugins in the catalog and returns their names as a list of strings.

func (*Sys) ListPolicies 

func (c *Sys) ListPolicies() ([]string, error)

func (*Sys) ListPoliciesWithContext added in v1.5.0 

func (c *Sys) ListPoliciesWithContext(ctx context.Context) ([]string, error)

func (*Sys) ListUICustomMessages added in v1.11.0 

func (c *Sys) ListUICustomMessages(req UICustomMessageListRequest) (*Secret, error)

ListUICustomMessages calls ListUICustomMessagesWithContext using a background Context.

func (*Sys) ListUICustomMessagesWithContext added in v1.11.0 

func (c *Sys) ListUICustomMessagesWithContext(ctx context.Context, req UICustomMessageListRequest) (*Secret, error)

ListUICustomMessagesWithContext sends a request to the List custom messages endpoint using the provided Context and UICustomMessageListRequest value as the inputs. It returns a pointer to a Secret if a response was obtained from the server, including error responses; or an error if a response could not be obtained due to an error.

func (*Sys) Lookup 

func (c *Sys) Lookup(id string) (*Secret, error)

func (*Sys) LookupWithContext added in v1.5.0 

func (c *Sys) LookupWithContext(ctx context.Context, id string) (*Secret, error)

func (*Sys) MFAValidate added in v1.6.0 

func (c *Sys) MFAValidate(requestID string, payload map[string]interface{}) (*Secret, error)

func (*Sys) MFAValidateWithContext added in v1.6.0 

func (c *Sys) MFAValidateWithContext(ctx context.Context, requestID string, payload map[string]interface{}) (*Secret, error)

func (*Sys) Monitor 

func (c *Sys) Monitor(ctx context.Context, logLevel string, logFormat string) (chan string, error)

Monitor returns a channel that outputs strings containing the log messages coming from the server.

func (*Sys) Mount 

func (c *Sys) Mount(path string, mountInfo *MountInput) error

func (*Sys) MountConfig 

func (c *Sys) MountConfig(path string) (*MountConfigOutput, error)

func (*Sys) MountConfigWithContext added in v1.5.0 

func (c *Sys) MountConfigWithContext(ctx context.Context, path string) (*MountConfigOutput, error)

func (*Sys) MountWithContext added in v1.5.0 

func (c *Sys) MountWithContext(ctx context.Context, path string, mountInfo *MountInput) error

func (*Sys) PutPolicy 

func (c *Sys) PutPolicy(name, rules string) error

func (*Sys) PutPolicyWithContext added in v1.5.0 

func (c *Sys) PutPolicyWithContext(ctx context.Context, name, rules string) error

func (*Sys) PutRaftAutopilotConfiguration 

func (c *Sys) PutRaftAutopilotConfiguration(opts *AutopilotConfig) error

PutRaftAutopilotConfiguration wraps PutRaftAutopilotConfigurationWithContext using context.Background.

func (*Sys) PutRaftAutopilotConfigurationWithContext added in v1.5.0 

func (c *Sys) PutRaftAutopilotConfigurationWithContext(ctx context.Context, opts *AutopilotConfig) error

PutRaftAutopilotConfigurationWithContext allows modifying the raft autopilot configuration

func (*Sys) RaftAutopilotConfiguration 

func (c *Sys) RaftAutopilotConfiguration() (*AutopilotConfig, error)

RaftAutopilotConfiguration wraps RaftAutopilotConfigurationWithContext using context.Background.

func (*Sys) RaftAutopilotConfigurationWithContext added in v1.5.0 

func (c *Sys) RaftAutopilotConfigurationWithContext(ctx context.Context) (*AutopilotConfig, error)

RaftAutopilotConfigurationWithContext fetches the autopilot config.

func (*Sys) RaftAutopilotConfigurationWithDRToken added in v1.10.0 

func (c *Sys) RaftAutopilotConfigurationWithDRToken(drToken string) (*AutopilotConfig, error)

RaftAutopilotConfigurationWithDRToken wraps RaftAutopilotConfigurationWithContext using the given token.

func (*Sys) RaftAutopilotState 

func (c *Sys) RaftAutopilotState() (*AutopilotState, error)

RaftAutopilotState wraps RaftAutopilotStateWithContext using context.Background.

func (*Sys) RaftAutopilotStateWithContext added in v1.5.0 

func (c *Sys) RaftAutopilotStateWithContext(ctx context.Context) (*AutopilotState, error)

RaftAutopilotStateWithContext returns the state of the raft cluster as seen by autopilot.

func (*Sys) RaftAutopilotStateWithDRToken added in v1.10.0 

func (c *Sys) RaftAutopilotStateWithDRToken(drToken string) (*AutopilotState, error)

RaftAutopilotStateWithToken wraps RaftAutopilotStateWithContext using the given token.

func (*Sys) RaftJoin 

func (c *Sys) RaftJoin(opts *RaftJoinRequest) (*RaftJoinResponse, error)

RaftJoin wraps RaftJoinWithContext using context.Background.

func (*Sys) RaftJoinWithContext added in v1.5.0 

func (c *Sys) RaftJoinWithContext(ctx context.Context, opts *RaftJoinRequest) (*RaftJoinResponse, error)

RaftJoinWithContext adds the node from which this call is invoked from to the raft cluster represented by the leader address in the parameter.

func (*Sys) RaftSnapshot 

func (c *Sys) RaftSnapshot(snapWriter io.Writer) error

RaftSnapshot wraps RaftSnapshotWithContext using context.Background.

func (*Sys) RaftSnapshotRestore 

func (c *Sys) RaftSnapshotRestore(snapReader io.Reader, force bool) error

RaftSnapshotRestore wraps RaftSnapshotRestoreWithContext using context.Background.

func (*Sys) RaftSnapshotRestoreWithContext added in v1.5.0 

func (c *Sys) RaftSnapshotRestoreWithContext(ctx context.Context, snapReader io.Reader, force bool) error

RaftSnapshotRestoreWithContext reads the snapshot from the io.Reader and installs that snapshot, returning the cluster to the state defined by it.

func (*Sys) RaftSnapshotWithContext added in v1.5.0 

func (c *Sys) RaftSnapshotWithContext(ctx context.Context, snapWriter io.Writer) error

RaftSnapshotWithContext invokes the API that takes the snapshot of the raft cluster and writes it to the supplied io.Writer.

func (*Sys) ReadUICustomMessage added in v1.11.0 

func (c *Sys) ReadUICustomMessage(id string) (*Secret, error)

ReadUICustomMessage calls ReadUICustomMessageWithContext using a background Context.

func (*Sys) ReadUICustomMessageWithContext added in v1.11.0 

func (c *Sys) ReadUICustomMessageWithContext(ctx context.Context, id string) (*Secret, error)

ReadUICustomMessageWithContext sends a request to the Read custom message endpoint using the provided Context and id values. It returns a pointer to a Secret if a response was obtained from the server, including error responses; or an error if a response could not be obtained due to an error.

func (*Sys) RegisterPlugin 

func (c *Sys) RegisterPlugin(i *RegisterPluginInput) error

RegisterPlugin wraps RegisterPluginWithContext using context.Background.

func (*Sys) RegisterPluginRuntime added in v1.10.0 

func (c *Sys) RegisterPluginRuntime(ctx context.Context, i *RegisterPluginRuntimeInput) error

RegisterPluginRuntime registers the plugin with the given information.

func (*Sys) RegisterPluginWithContext added in v1.5.0 

func (c *Sys) RegisterPluginWithContext(ctx context.Context, i *RegisterPluginInput) error

RegisterPluginWithContext registers the plugin with the given information.

func (*Sys) RekeyCancel 

func (c *Sys) RekeyCancel() error

func (*Sys) RekeyCancelWithContext added in v1.5.0 

func (c *Sys) RekeyCancelWithContext(ctx context.Context) error

func (*Sys) RekeyDeleteBackup 

func (c *Sys) RekeyDeleteBackup() error

func (*Sys) RekeyDeleteBackupWithContext added in v1.5.0 

func (c *Sys) RekeyDeleteBackupWithContext(ctx context.Context) error

func (*Sys) RekeyDeleteRecoveryBackup 

func (c *Sys) RekeyDeleteRecoveryBackup() error

func (*Sys) RekeyDeleteRecoveryBackupWithContext added in v1.5.0 

func (c *Sys) RekeyDeleteRecoveryBackupWithContext(ctx context.Context) error

func (*Sys) RekeyInit 

func (c *Sys) RekeyInit(config *RekeyInitRequest) (*RekeyStatusResponse, error)

func (*Sys) RekeyInitWithContext added in v1.5.0 

func (c *Sys) RekeyInitWithContext(ctx context.Context, config *RekeyInitRequest) (*RekeyStatusResponse, error)

func (*Sys) RekeyRecoveryKeyCancel 

func (c *Sys) RekeyRecoveryKeyCancel() error

func (*Sys) RekeyRecoveryKeyCancelWithContext added in v1.5.0 

func (c *Sys) RekeyRecoveryKeyCancelWithContext(ctx context.Context) error

func (*Sys) RekeyRecoveryKeyInit 

func (c *Sys) RekeyRecoveryKeyInit(config *RekeyInitRequest) (*RekeyStatusResponse, error)

func (*Sys) RekeyRecoveryKeyInitWithContext added in v1.5.0 

func (c *Sys) RekeyRecoveryKeyInitWithContext(ctx context.Context, config *RekeyInitRequest) (*RekeyStatusResponse, error)

func (*Sys) RekeyRecoveryKeyStatus 

func (c *Sys) RekeyRecoveryKeyStatus() (*RekeyStatusResponse, error)

func (*Sys) RekeyRecoveryKeyStatusWithContext added in v1.5.0 

func (c *Sys) RekeyRecoveryKeyStatusWithContext(ctx context.Context) (*RekeyStatusResponse, error)

func (*Sys) RekeyRecoveryKeyUpdate 

func (c *Sys) RekeyRecoveryKeyUpdate(shard, nonce string) (*RekeyUpdateResponse, error)

func (*Sys) RekeyRecoveryKeyUpdateWithContext added in v1.5.0 

func (c *Sys) RekeyRecoveryKeyUpdateWithContext(ctx context.Context, shard, nonce string) (*RekeyUpdateResponse, error)

func (*Sys) RekeyRecoveryKeyVerificationCancel 

func (c *Sys) RekeyRecoveryKeyVerificationCancel() error

func (*Sys) RekeyRecoveryKeyVerificationCancelWithContext added in v1.5.0 

func (c *Sys) RekeyRecoveryKeyVerificationCancelWithContext(ctx context.Context) error

func (*Sys) RekeyRecoveryKeyVerificationStatus 

func (c *Sys) RekeyRecoveryKeyVerificationStatus() (*RekeyVerificationStatusResponse, error)

func (*Sys) RekeyRecoveryKeyVerificationStatusWithContext added in v1.5.0 

func (c *Sys) RekeyRecoveryKeyVerificationStatusWithContext(ctx context.Context) (*RekeyVerificationStatusResponse, error)

func (*Sys) RekeyRecoveryKeyVerificationUpdate 

func (c *Sys) RekeyRecoveryKeyVerificationUpdate(shard, nonce string) (*RekeyVerificationUpdateResponse, error)

func (*Sys) RekeyRecoveryKeyVerificationUpdateWithContext added in v1.5.0 

func (c *Sys) RekeyRecoveryKeyVerificationUpdateWithContext(ctx context.Context, shard, nonce string) (*RekeyVerificationUpdateResponse, error)

func (*Sys) RekeyRetrieveBackup 

func (c *Sys) RekeyRetrieveBackup() (*RekeyRetrieveResponse, error)

func (*Sys) RekeyRetrieveBackupWithContext added in v1.5.0 

func (c *Sys) RekeyRetrieveBackupWithContext(ctx context.Context) (*RekeyRetrieveResponse, error)

func (*Sys) RekeyRetrieveRecoveryBackup 

func (c *Sys) RekeyRetrieveRecoveryBackup() (*RekeyRetrieveResponse, error)

func (*Sys) RekeyRetrieveRecoveryBackupWithContext added in v1.5.0 

func (c *Sys) RekeyRetrieveRecoveryBackupWithContext(ctx context.Context) (*RekeyRetrieveResponse, error)

func (*Sys) RekeyStatus 

func (c *Sys) RekeyStatus() (*RekeyStatusResponse, error)

func (*Sys) RekeyStatusWithContext added in v1.5.0 

func (c *Sys) RekeyStatusWithContext(ctx context.Context) (*RekeyStatusResponse, error)

func (*Sys) RekeyUpdate 

func (c *Sys) RekeyUpdate(shard, nonce string) (*RekeyUpdateResponse, error)

func (*Sys) RekeyUpdateWithContext added in v1.5.0 

func (c *Sys) RekeyUpdateWithContext(ctx context.Context, shard, nonce string) (*RekeyUpdateResponse, error)

func (*Sys) RekeyVerificationCancel 

func (c *Sys) RekeyVerificationCancel() error

func (*Sys) RekeyVerificationCancelWithContext added in v1.5.0 

func (c *Sys) RekeyVerificationCancelWithContext(ctx context.Context) error

func (*Sys) RekeyVerificationStatus 

func (c *Sys) RekeyVerificationStatus() (*RekeyVerificationStatusResponse, error)

func (*Sys) RekeyVerificationStatusWithContext added in v1.5.0 

func (c *Sys) RekeyVerificationStatusWithContext(ctx context.Context) (*RekeyVerificationStatusResponse, error)

func (*Sys) RekeyVerificationUpdate 

func (c *Sys) RekeyVerificationUpdate(shard, nonce string) (*RekeyVerificationUpdateResponse, error)

func (*Sys) RekeyVerificationUpdateWithContext added in v1.5.0 

func (c *Sys) RekeyVerificationUpdateWithContext(ctx context.Context, shard, nonce string) (*RekeyVerificationUpdateResponse, error)

func (*Sys) ReloadPlugin 

func (c *Sys) ReloadPlugin(i *ReloadPluginInput) (string, error)

ReloadPlugin wraps ReloadPluginWithContext using context.Background.

func (*Sys) ReloadPluginStatus 

func (c *Sys) ReloadPluginStatus(reloadStatusInput *ReloadPluginStatusInput) (*ReloadStatusResponse, error)

ReloadPluginStatus wraps ReloadPluginStatusWithContext using context.Background.

func (*Sys) ReloadPluginStatusWithContext added in v1.5.0 

func (c *Sys) ReloadPluginStatusWithContext(ctx context.Context, reloadStatusInput *ReloadPluginStatusInput) (*ReloadStatusResponse, error)

ReloadPluginStatusWithContext retrieves the status of a reload operation

func (*Sys) ReloadPluginWithContext added in v1.5.0 

func (c *Sys) ReloadPluginWithContext(ctx context.Context, i *ReloadPluginInput) (string, error)

ReloadPluginWithContext reloads mounted plugin backends, possibly returning reloadID for a cluster scoped reload. It is limited to reloading plugins that are in use in the request's namespace. See RootReloadPlugin for an API that can reload plugins across all namespaces.

func (*Sys) Remount 

func (c *Sys) Remount(from, to string) error

Remount wraps RemountWithContext using context.Background.

func (*Sys) RemountStatus 

func (c *Sys) RemountStatus(migrationID string) (*MountMigrationStatusOutput, error)

RemountStatus wraps RemountStatusWithContext using context.Background.

func (*Sys) RemountStatusWithContext added in v1.5.0 

func (c *Sys) RemountStatusWithContext(ctx context.Context, migrationID string) (*MountMigrationStatusOutput, error)

RemountStatusWithContext checks the status of a mount migration operation with the provided ID

func (*Sys) RemountWithContext added in v1.5.0 

func (c *Sys) RemountWithContext(ctx context.Context, from, to string) error

RemountWithContext kicks off a remount operation, polls the status endpoint using the migration ID till either success or failure state is observed

func (*Sys) Renew 

func (c *Sys) Renew(id string, increment int) (*Secret, error)

func (*Sys) RenewWithContext added in v1.5.0 

func (c *Sys) RenewWithContext(ctx context.Context, id string, increment int) (*Secret, error)

func (*Sys) ReplicationDRStatusWithContext added in v1.10.0 

func (c *Sys) ReplicationDRStatusWithContext(ctx context.Context) (*ReplicationStatusGenericResponse, error)

func (*Sys) ReplicationPerformanceStatusWithContext added in v1.10.0 

func (c *Sys) ReplicationPerformanceStatusWithContext(ctx context.Context) (*ReplicationStatusGenericResponse, error)

func (*Sys) ReplicationStatus added in v1.10.0 

func (c *Sys) ReplicationStatus() (*ReplicationStatusResponse, error)

func (*Sys) ReplicationStatusWithContext added in v1.10.0 

func (c *Sys) ReplicationStatusWithContext(ctx context.Context, path string) (*ReplicationStatusResponse, error)

func (*Sys) ResetUnsealProcess 

func (c *Sys) ResetUnsealProcess() (*SealStatusResponse, error)

func (*Sys) ResetUnsealProcessWithContext added in v1.5.0 

func (c *Sys) ResetUnsealProcessWithContext(ctx context.Context) (*SealStatusResponse, error)

func (*Sys) Revoke 

func (c *Sys) Revoke(id string) error

func (*Sys) RevokeForce 

func (c *Sys) RevokeForce(id string) error

func (*Sys) RevokeForceWithContext added in v1.5.0 

func (c *Sys) RevokeForceWithContext(ctx context.Context, id string) error

func (*Sys) RevokePrefix 

func (c *Sys) RevokePrefix(id string) error

func (*Sys) RevokePrefixWithContext added in v1.5.0 

func (c *Sys) RevokePrefixWithContext(ctx context.Context, id string) error

func (*Sys) RevokeWithContext added in v1.5.0 

func (c *Sys) RevokeWithContext(ctx context.Context, id string) error

func (*Sys) RevokeWithOptions 

func (c *Sys) RevokeWithOptions(opts *RevokeOptions) error

func (*Sys) RevokeWithOptionsWithContext added in v1.5.0 

func (c *Sys) RevokeWithOptionsWithContext(ctx context.Context, opts *RevokeOptions) error

func (*Sys) RootReloadPlugin added in v1.11.0 

func (c *Sys) RootReloadPlugin(ctx context.Context, i *RootReloadPluginInput) (string, error)

RootReloadPlugin reloads plugins, possibly returning reloadID for a global scoped reload. This is only available in the root namespace, and reloads plugins across all namespaces, whereas ReloadPlugin is available in all namespaces but only reloads plugins in use in the request's namespace.

func (*Sys) Rotate 

func (c *Sys) Rotate() error

func (*Sys) RotateWithContext added in v1.5.0 

func (c *Sys) RotateWithContext(ctx context.Context) error

func (*Sys) Seal 

func (c *Sys) Seal() error

func (*Sys) SealStatus 

func (c *Sys) SealStatus() (*SealStatusResponse, error)

func (*Sys) SealStatusWithContext added in v1.5.0 

func (c *Sys) SealStatusWithContext(ctx context.Context) (*SealStatusResponse, error)

func (*Sys) SealWithContext added in v1.5.0 

func (c *Sys) SealWithContext(ctx context.Context) error

func (*Sys) StartRemount 

func (c *Sys) StartRemount(from, to string) (*MountMigrationOutput, error)

StartRemount wraps StartRemountWithContext using context.Background.

func (*Sys) StartRemountWithContext added in v1.5.0 

func (c *Sys) StartRemountWithContext(ctx context.Context, from, to string) (*MountMigrationOutput, error)

StartRemountWithContext kicks off a mount migration and returns a response with the migration ID

func (*Sys) StepDown 

func (c *Sys) StepDown() error

func (*Sys) StepDownWithContext added in v1.5.0 

func (c *Sys) StepDownWithContext(ctx context.Context) error

func (*Sys) TuneMount 

func (c *Sys) TuneMount(path string, config MountConfigInput) error

func (*Sys) TuneMountWithContext added in v1.5.0 

func (c *Sys) TuneMountWithContext(ctx context.Context, path string, config MountConfigInput) error

func (*Sys) Unmount 

func (c *Sys) Unmount(path string) error

func (*Sys) UnmountWithContext added in v1.5.0 

func (c *Sys) UnmountWithContext(ctx context.Context, path string) error

func (*Sys) Unseal 

func (c *Sys) Unseal(shard string) (*SealStatusResponse, error)

func (*Sys) UnsealWithContext added in v1.5.0 

func (c *Sys) UnsealWithContext(ctx context.Context, shard string) (*SealStatusResponse, error)

func (*Sys) UnsealWithOptions 

func (c *Sys) UnsealWithOptions(opts *UnsealOpts) (*SealStatusResponse, error)

func (*Sys) UnsealWithOptionsWithContext added in v1.5.0 

func (c *Sys) UnsealWithOptionsWithContext(ctx context.Context, opts *UnsealOpts) (*SealStatusResponse, error)

func (*Sys) UpdateUICustomMessage added in v1.11.0 

func (c *Sys) UpdateUICustomMessage(id string, req UICustomMessageRequest) error

UpdateUICustomMessage calls UpdateUICustomMessageWithContext using a background Context.

func (*Sys) UpdateUICustomMessageWithContext added in v1.11.0 

func (c *Sys) UpdateUICustomMessageWithContext(ctx context.Context, id string, req UICustomMessageRequest) error

UpdateUICustomMessageWithContext sends a request to the Update custom message endpoint using the provided Context, id, and UICustomMessageRequest values. It returns a pointer to a Secret if a response was obtained from the server, including error responses; or an error if a response could not be obtained due to an error.

type TLSConfig 

type TLSConfig struct {
	// CACert is the path to a PEM-encoded CA cert file to use to verify the
	// Vault server SSL certificate. It takes precedence over CACertBytes
	// and CAPath.
	CACert string

	// CACertBytes is a PEM-encoded certificate or bundle. It takes precedence
	// over CAPath.
	CACertBytes []byte

	// CAPath is the path to a directory of PEM-encoded CA cert files to verify
	// the Vault server SSL certificate.
	CAPath string

	// ClientCert is the path to the certificate for Vault communication
	ClientCert string

	// ClientKey is the path to the private key for Vault communication
	ClientKey string

	// TLSServerName, if set, is used to set the SNI host when connecting via
	// TLS.
	TLSServerName string

	// Insecure enables or disables SSL verification
	Insecure bool
}

TLSConfig contains the parameters needed to configure TLS on the HTTP client used to communicate with Vault.

type TokenAuth 

type TokenAuth struct {
	// contains filtered or unexported fields
}

TokenAuth is used to perform token backend operations on Vault

func (*TokenAuth) Create 

func (c *TokenAuth) Create(opts *TokenCreateRequest) (*Secret, error)

func (*TokenAuth) CreateOrphan 

func (c *TokenAuth) CreateOrphan(opts *TokenCreateRequest) (*Secret, error)

func (*TokenAuth) CreateOrphanWithContext added in v1.5.0 

func (c *TokenAuth) CreateOrphanWithContext(ctx context.Context, opts *TokenCreateRequest) (*Secret, error)

func (*TokenAuth) CreateWithContext added in v1.5.0 

func (c *TokenAuth) CreateWithContext(ctx context.Context, opts *TokenCreateRequest) (*Secret, error)

func (*TokenAuth) CreateWithRole 

func (c *TokenAuth) CreateWithRole(opts *TokenCreateRequest, roleName string) (*Secret, error)

func (*TokenAuth) CreateWithRoleWithContext added in v1.5.0 

func (c *TokenAuth) CreateWithRoleWithContext(ctx context.Context, opts *TokenCreateRequest, roleName string) (*Secret, error)

func (*TokenAuth) Lookup 

func (c *TokenAuth) Lookup(token string) (*Secret, error)

func (*TokenAuth) LookupAccessor 

func (c *TokenAuth) LookupAccessor(accessor string) (*Secret, error)

func (*TokenAuth) LookupAccessorWithContext added in v1.5.0 

func (c *TokenAuth) LookupAccessorWithContext(ctx context.Context, accessor string) (*Secret, error)

func (*TokenAuth) LookupSelf 

func (c *TokenAuth) LookupSelf() (*Secret, error)

func (*TokenAuth) LookupSelfWithContext added in v1.5.0 

func (c *TokenAuth) LookupSelfWithContext(ctx context.Context) (*Secret, error)

func (*TokenAuth) LookupWithContext added in v1.5.0 

func (c *TokenAuth) LookupWithContext(ctx context.Context, token string) (*Secret, error)

func (*TokenAuth) Renew 

func (c *TokenAuth) Renew(token string, increment int) (*Secret, error)

func (*TokenAuth) RenewAccessor 

func (c *TokenAuth) RenewAccessor(accessor string, increment int) (*Secret, error)

func (*TokenAuth) RenewAccessorWithContext added in v1.5.0 

func (c *TokenAuth) RenewAccessorWithContext(ctx context.Context, accessor string, increment int) (*Secret, error)

func (*TokenAuth) RenewSelf 

func (c *TokenAuth) RenewSelf(increment int) (*Secret, error)

func (*TokenAuth) RenewSelfWithContext added in v1.5.0 

func (c *TokenAuth) RenewSelfWithContext(ctx context.Context, increment int) (*Secret, error)

func (*TokenAuth) RenewTokenAsSelf 

func (c *TokenAuth) RenewTokenAsSelf(token string, increment int) (*Secret, error)

RenewTokenAsSelf wraps RenewTokenAsSelfWithContext using context.Background.

func (*TokenAuth) RenewTokenAsSelfWithContext added in v1.5.0 

func (c *TokenAuth) RenewTokenAsSelfWithContext(ctx context.Context, token string, increment int) (*Secret, error)

RenewTokenAsSelfWithContext behaves like renew-self, but authenticates using a provided token instead of the token attached to the client.

func (*TokenAuth) RenewWithContext added in v1.5.0 

func (c *TokenAuth) RenewWithContext(ctx context.Context, token string, increment int) (*Secret, error)

func (*TokenAuth) RevokeAccessor 

func (c *TokenAuth) RevokeAccessor(accessor string) error

RevokeAccessor wraps RevokeAccessorWithContext using context.Background.

func (*TokenAuth) RevokeAccessorWithContext added in v1.5.0 

func (c *TokenAuth) RevokeAccessorWithContext(ctx context.Context, accessor string) error

RevokeAccessorWithContext revokes a token associated with the given accessor along with all the child tokens.

func (*TokenAuth) RevokeOrphan 

func (c *TokenAuth) RevokeOrphan(token string) error

RevokeOrphan wraps RevokeOrphanWithContext using context.Background.

func (*TokenAuth) RevokeOrphanWithContext added in v1.5.0 

func (c *TokenAuth) RevokeOrphanWithContext(ctx context.Context, token string) error

RevokeOrphanWithContext revokes a token without revoking the tree underneath it (so child tokens are orphaned rather than revoked)

func (*TokenAuth) RevokeSelf 

func (c *TokenAuth) RevokeSelf(token string) error

RevokeSelf wraps RevokeSelfWithContext using context.Background.

func (*TokenAuth) RevokeSelfWithContext added in v1.5.0 

func (c *TokenAuth) RevokeSelfWithContext(ctx context.Context, token string) error

RevokeSelfWithContext revokes the token making the call. The `token` parameter is kept for backwards compatibility but is ignored; only the client's set token has an effect.

func (*TokenAuth) RevokeTree 

func (c *TokenAuth) RevokeTree(token string) error

RevokeTree wraps RevokeTreeWithContext using context.Background.

func (*TokenAuth) RevokeTreeWithContext added in v1.5.0 

func (c *TokenAuth) RevokeTreeWithContext(ctx context.Context, token string) error

RevokeTreeWithContext is the "normal" revoke operation that revokes the given token and the entire tree underneath -- all of its child tokens, their child tokens, etc.

type TokenCreateRequest 

type TokenCreateRequest struct {
	ID              string            `json:"id,omitempty"`
	Policies        []string          `json:"policies,omitempty"`
	Metadata        map[string]string `json:"meta,omitempty"`
	Lease           string            `json:"lease,omitempty"`
	TTL             string            `json:"ttl,omitempty"`
	ExplicitMaxTTL  string            `json:"explicit_max_ttl,omitempty"`
	Period          string            `json:"period,omitempty"`
	NoParent        bool              `json:"no_parent,omitempty"`
	NoDefaultPolicy bool              `json:"no_default_policy,omitempty"`
	DisplayName     string            `json:"display_name"`
	NumUses         int               `json:"num_uses"`
	Renewable       *bool             `json:"renewable,omitempty"`
	Type            string            `json:"type"`
	EntityAlias     string            `json:"entity_alias"`
}

TokenCreateRequest is the options structure for creating a token.

type UICustomMessageListRequest added in v1.11.0 

type UICustomMessageListRequest struct {
	Authenticated *bool
	Type          *string
	Active        *bool
}

UICustomMessageListRequest is a struct used to contain inputs for the List custom messages request. Each field is optional, so their types are pointers. The With... methods can be used to easily set the fields with pointers to values.

func (*UICustomMessageListRequest) WithActive added in v1.11.0 

func (r *UICustomMessageListRequest) WithActive(value bool) *UICustomMessageListRequest

WithActive sets the Active field to a pointer referencing the provided bool value.

func (*UICustomMessageListRequest) WithAuthenticated added in v1.11.0 

func (r *UICustomMessageListRequest) WithAuthenticated(value bool) *UICustomMessageListRequest

WithAuthenticated sets the Authenticated field to a pointer referencing the provided bool value.

func (*UICustomMessageListRequest) WithType added in v1.11.0 

func (r *UICustomMessageListRequest) WithType(value string) *UICustomMessageListRequest

WithType sets the Type field to a pointer referencing the provided string value.

type UICustomMessageRequest added in v1.11.0 

type UICustomMessageRequest struct {
	Title         string               `json:"title"`
	Message       string               `json:"message"`
	Authenticated bool                 `json:"authenticated"`
	Type          string               `json:"type"`
	StartTime     string               `json:"start_time"`
	EndTime       string               `json:"end_time,omitempty"`
	Link          *uiCustomMessageLink `json:"link,omitempty"`
	Options       map[string]any       `json:"options,omitempty"`
}

UICustomMessageRequest is a struct containing the properties of a custom message. The Link field can be set using the WithLink method. 

func (r *UICustomMessageRequest) WithLink(title, href string) *UICustomMessageRequest

WithLink sets the Link field to the address of a new uiCustomMessageLink struct constructed from the provided title and href values.

type UnsealOpts 

type UnsealOpts struct {
	Key     string `json:"key"`
	Reset   bool   `json:"reset"`
	Migrate bool   `json:"migrate"`
}

type UserLockoutConfigInput added in v1.8.3 

type UserLockoutConfigInput struct {
	LockoutThreshold            string `json:"lockout_threshold,omitempty" structs:"lockout_threshold" mapstructure:"lockout_threshold"`
	LockoutDuration             string `json:"lockout_duration,omitempty" structs:"lockout_duration" mapstructure:"lockout_duration"`
	LockoutCounterResetDuration string `` /* 134-byte string literal not displayed */
	DisableLockout              *bool  `json:"lockout_disable,omitempty" structs:"lockout_disable" mapstructure:"lockout_disable"`
}

type UserLockoutConfigOutput added in v1.8.3 

type UserLockoutConfigOutput struct {
	LockoutThreshold    uint  `json:"lockout_threshold,omitempty" structs:"lockout_threshold" mapstructure:"lockout_threshold"`
	LockoutDuration     int   `json:"lockout_duration,omitempty" structs:"lockout_duration" mapstructure:"lockout_duration"`
	LockoutCounterReset int   `json:"lockout_counter_reset,omitempty" structs:"lockout_counter_reset" mapstructure:"lockout_counter_reset"`
	DisableLockout      *bool `json:"disable_lockout,omitempty" structs:"disable_lockout" mapstructure:"disable_lockout"`
}

type WALState added in v1.9.0 

type WALState struct {
	ClusterID       string
	LocalIndex      uint64
	ReplicatedIndex uint64
}

func ParseReplicationState 

func ParseReplicationState(raw string, hmacKey []byte) (*WALState, error)

type WrappingLookupFunc 

type WrappingLookupFunc func(operation, path string) string

WrappingLookupFunc is a function that, given an HTTP verb and a path, returns an optional string duration to be used for response wrapping (e.g. "15s", or simply "15"). The path will not begin with "/v1/" or "v1/" or "/", however, end-of-path forward slashes are not trimmed, so must match your called path precisely. Response wrapping will only be used when the return value is not the empty string.

Source Files

View all Source files

Directories

Path Synopsis
auth
approle Module
aws Module
azure Module
gcp Module
kubernetes Module
ldap Module
userpass Module

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.