/sys/namespaces
The /sys/namespaces endpoint is used to manage namespaces in OpenBao.
List namespaces
This endpoint lists all the namespaces.
| Method | Path |
|---|---|
| LIST | /sys/namespaces |
Sample request
$ curl \
--header "X-Vault-Token: ..." \
-X LIST \
http://127.0.0.1:8200/v1/sys/namespaces
Sample response
{
"data": {
"key_info": {
"bar/": {
"custom_metadata": {},
"id": "HWmNL",
"path": "bar/"
},
"foo/": {
"custom_metadata": {},
"id": "5q39x",
"path": "foo/"
}
},
"keys": [
"bar/",
"foo/"
]
}
}
Create namespace
This endpoint creates a namespace at the given path.
| Method | Path |
|---|---|
| POST | /sys/namespaces/:path |
Parameters
- path (string: <required>) - Specifies the path where the namespace will be created.
- custom_metadata (map<string|string>: nil) - A map of arbitrary string to string valued user-provided metadata meant to describe the namespace.
- seal (string: "") - An optional seal config document (JSON or HCL) to create a sealable namespace.
Sample payload
{
"custom_metadata": {
"foo": "abc",
"bar": "123"
},
"seal": "seal \"shamir\" {\n shares = 5\n threshold = 3\n}"
}
Sample request
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/sys/namespaces/ns1
Patch namespace
This endpoint patches an existing namespace at the specified path.
| Method | Path |
|---|---|
| PATCH | /sys/namespaces/:path |
Parameters
- path (string: <required>) - Specifies the path of the existing namespace.
- custom_metadata (map<string|string>: nil) - A map of arbitrary string to string valued user-provided metadata meant to describe the namespace.
Sample payload
{
"custom_metadata": {
"foo": "abc",
"bar": "123"
}
}
Sample request
$ curl \
--header "X-Vault-Token: ..." \
--header "Content-Type: application/merge-patch+json" \
--request PATCH \
--data @payload.json \
http://127.0.0.1:8200/v1/sys/namespaces/ns1
Delete namespace
This endpoint deletes a namespace at the specified path.
| Method | Path |
|---|---|
| DELETE | /sys/namespaces/:path |
Sample request
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
http://127.0.0.1:8200/v1/sys/namespaces/ns1
Delete sealed namespace
Note that this requires the sudo capability and will not clean up external
resources via lease deletion like standard namespace deletion does. Prefer the
standard DELETE /sys/namespaces/:path endpoint unless the namespace is
irrecoverable due to lost seal keys.
This endpoint deletes a sealed namespace at the specified path.
| Method | Path |
|---|---|
| DELETE | /sys/namespaces/:path/delete-sealed |
Parameters
- force (bool: false) - If set to true, also recursively deletes any child namespaces.
Sample request
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
"http://127.0.0.1:8200/v1/sys/namespaces/ns1/delete-sealed?force=true"
Read namespace information
This endpoint gets the metadata for the given namespace path.
| Method | Path |
|---|---|
| GET | /sys/namespaces/:path |
Sample request
$ curl \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/sys/namespaces/ns1
Sample response
{
"id": "gsudj",
"path": "ns1/",
"custom_metadata": {
"foo": "abc",
"bar": "123"
}
}
Read namespace seal status (sealable namespaces only)
This endpoint gets the seal status for the given sealable namespace path.
| Method | Path |
|---|---|
| GET | /sys/namespaces/:path/seal-status |
Sample request
$ curl \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/sys/namespaces/ns1/seal-status
Sample response
{
"initialized": true,
"n": 5,
"nonce": "",
"progress": 0,
"sealed": false,
"t": 3,
"type": "shamir"
}
Unseal a namespace (sealable namespaces only)
This endpoint unseals the given sealable namespace.
| Method | Path |
|---|---|
| PUT | /sys/namespaces/:path/unseal |
Sample payload
{
"key": "...",
"reset": false
}
Sample request
$ curl \
--header "X-Vault-Token: ..." \
--request PUT \
--data @payload.json \
http://127.0.0.1:8200/v1/sys/namespaces/ns1/unseal
Sample response
{
"initialized": true,
"n": 5,
"nonce": "",
"progress": 1,
"sealed": true,
"t": 3,
"type": "shamir"
}
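The sample response above still reports "sealed": true after one key because the threshold t is 3. As an added example (not OpenBao's own code), this Python client submits key shares until sealed becomes false and then stops; `unseal_namespace`, `http_transport` and `FakeNamespace` are hypothetical names, and the fake server's 3-of-5 share counting is a constructed stand-in for the real endpoint.

```python
import json
import urllib.request

def http_transport(addr, token):
    """Return send(method, path, body) for a real server (not used by the demo)."""
    def send(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(addr + path, data=data, method=method,
                                     headers={"X-Vault-Token": token})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    return send

def unseal_namespace(send, ns, shares):
    """Feed key shares to /unseal one at a time; stop as soon as `sealed` is false."""
    base = f"/v1/sys/namespaces/{ns}"
    status = send("GET", base + "/seal-status")
    used = 0
    for share in shares:
        if not status["sealed"]:
            break  # never send more key shares than the threshold needs
        status = send("PUT", base + "/unseal", {"key": share, "reset": False})
        used += 1
    if status["sealed"]:
        # Report progress only; key material must not reach logs or exceptions.
        raise RuntimeError(f"{ns} still sealed: {status['progress']}/{status['t']} shares")
    return status, used

class FakeNamespace:
    """Constructed stand-in for the server: a 3-of-5 Shamir namespace, initially sealed."""
    def __init__(self, t=3, n=5):
        self.t, self.n, self.seen, self.sealed = t, n, set(), True
    def send(self, method, path, body=None):
        if method == "PUT" and path.endswith("/unseal"):
            self.seen.add(body["key"])
            if len(self.seen) >= self.t:
                self.sealed, self.seen = False, set()
        return {"initialized": True, "n": self.n, "nonce": "", "progress": len(self.seen),
                "sealed": self.sealed, "t": self.t, "type": "shamir"}

def demo():
    ns = FakeNamespace()
    first = ns.send("PUT", "/v1/sys/namespaces/ns1/unseal", {"key": "share-1", "reset": False})
    status, used = unseal_namespace(ns.send, "ns1", ["share-2", "share-3", "share-4"])
    return first, status, used

if __name__ == "__main__":
    print(demo())
```

Against a real server, pass `http_transport(addr, token)` as `send` and read the shares from a prompt or secret store rather than from command-line arguments or shell history.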
Seal a namespace (sealable namespaces only)
This endpoint seals the given sealable namespace.
| Method | Path |
|---|---|
| PUT | /sys/namespaces/:path/seal |
Sample request
$ curl \
--header "X-Vault-Token: ..." \
--request PUT \
http://127.0.0.1:8200/v1/sys/namespaces/ns1/seal