Skip to main content

secrets tune

The secrets tune command tunes the configuration options for the secrets engine at the given PATH. The argument corresponds to the PATH where the secrets engine is enabled, not the type.

Examples

Before tuning the secret mount, view the current configuration of the mount enabled at "pki/":

$ bao read sys/mounts/pki/tune
Key                             Value
---                             -----
default_lease_ttl               12h
description                     Example PKI mount
force_no_cache                  false
max_lease_ttl                   24h

Tune the default lease, exclude common_name and serial_number from being HMAC'd in the audit log for the PKI secrets engine:

$ bao secrets tune -default-lease-ttl=18h -audit-non-hmac-request-keys=common_name -audit-non-hmac-response-keys=serial_number pki/
Success! Tuned the secrets engine at: pki/

$ bao read sys/mounts/pki/tune
Key                             Value
---                             -----
audit_non_hmac_request_keys     [common_name]
audit_non_hmac_response_keys    [serial_number]
default_lease_ttl               18h
description                     Example PKI mount
force_no_cache                  false
max_lease_ttl                   24h

Specify multiple audit non-hmac request keys:

$ bao secrets tune -audit-non-hmac-request-keys=common_name -audit-non-hmac-request-keys=ttl pki/

Usage

The following flags are available in addition to the standard set of flags included on all commands.

  • -allowed-response-headers (string: "") - response header values that the secrets engine will be allowed to set. Note that multiple keys may be specified by providing this option multiple times, each time with 1 key.

  • -audit-non-hmac-request-keys (string: "") - Key that will not be HMAC'd by audit devices in the request data object. Note that multiple keys may be specified by providing this option multiple times, each time with 1 key.

  • -audit-non-hmac-response-keys (string: "") - Key that will not be HMAC'd by audit devices in the response data object. Note that multiple keys may be specified by providing this option multiple times, each time with 1 key.

  • -default-lease-ttl (duration: "") - The default lease TTL for this secrets engine. If unspecified, this defaults to the OpenBao server's globally configured default lease TTL, or a previously configured value for the secrets engine. Uses duration format strings.

  • -description (string: "") - Specifies the description of the mount. This overrides the current stored value, if any.

  • -listing-visibility (string: "") - The flag to toggle whether to show the mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden". Passing empty string leaves the current setting unchanged.

  • -max-lease-ttl (duration: "") - The maximum lease TTL for this secrets engine. If unspecified, this defaults to the OpenBao server's globally configured maximum lease TTL, or a previously configured value for the secrets engine. This value is allowed to override the server's global max TTL; it can be longer or shorter. Uses duration format strings.

  • -passthrough-request-headers (string: "") - request header values that will be sent to the secrets engine. Note that multiple keys may be specified by providing this option multiple times, each time with 1 key.

  • -plugin-version (string: "") - Configures the semantic version of the plugin to use. The new version will not start running until the mount is reloaded.