schema

package
v0.4.3 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 18, 2023 License: MPL-2.0 Imports: 1 Imported by: 44

Documentation ¶

Index ¶

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type AliCloudConfigureRequest ¶ added in v0.3.0 

type AliCloudConfigureRequest struct {
	// Access key with appropriate permissions.
	AccessKey string `json:"access_key,omitempty"`

	// Secret key with appropriate permissions.
	SecretKey string `json:"secret_key,omitempty"`
}

AliCloudConfigureRequest struct for AliCloudConfigureRequest

type AliCloudLoginRequest ¶ 

type AliCloudLoginRequest struct {
	// The request headers. This must include the headers over which AliCloud has included a signature.
	IdentityRequestHeaders string `json:"identity_request_headers,omitempty"`

	// Base64-encoded full URL against which to make the AliCloud request.
	IdentityRequestUrl string `json:"identity_request_url,omitempty"`

	// Name of the role against which the login is being attempted. If 'role' is not specified, then the login endpoint looks for a role name in the ARN returned by the GetCallerIdentity request. If a matching role is not found, login fails.
	Role string `json:"role"`
}

AliCloudLoginRequest struct for AliCloudLoginRequest

type AliCloudWriteAuthRoleRequest ¶ 

type AliCloudWriteAuthRoleRequest struct {
	// ARN of the RAM to bind to this role.
	Arn string `json:"arn,omitempty"`

	// Use \"token_bound_cidrs\" instead. If this and \"token_bound_cidrs\" are both specified, only \"token_bound_cidrs\" will be used.
	// Deprecated
	BoundCidrs []string `json:"bound_cidrs,omitempty"`

	// Use \"token_max_ttl\" instead. If this and \"token_max_ttl\" are both specified, only \"token_max_ttl\" will be used.
	// Deprecated
	MaxTtl string `json:"max_ttl,omitempty"`

	// Use \"token_period\" instead. If this and \"token_period\" are both specified, only \"token_period\" will be used.
	// Deprecated
	Period string `json:"period,omitempty"`

	// Use \"token_policies\" instead. If this and \"token_policies\" are both specified, only \"token_policies\" will be used.
	// Deprecated
	Policies []string `json:"policies,omitempty"`

	// Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.
	TokenBoundCidrs []string `json:"token_bound_cidrs,omitempty"`

	// If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.
	TokenExplicitMaxTtl string `json:"token_explicit_max_ttl,omitempty"`

	// The maximum lifetime of the generated token
	TokenMaxTtl string `json:"token_max_ttl,omitempty"`

	// If true, the 'default' policy will not automatically be added to generated tokens
	TokenNoDefaultPolicy bool `json:"token_no_default_policy,omitempty"`

	// The maximum number of times a token may be used, a value of zero means unlimited
	TokenNumUses int32 `json:"token_num_uses,omitempty"`

	// If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").
	TokenPeriod string `json:"token_period,omitempty"`

	// Comma-separated list of policies
	TokenPolicies []string `json:"token_policies,omitempty"`

	// The initial ttl of the token to generate
	TokenTtl string `json:"token_ttl,omitempty"`

	// The type of token to generate, service or batch
	TokenType string `json:"token_type,omitempty"`

	// Use \"token_ttl\" instead. If this and \"token_ttl\" are both specified, only \"token_ttl\" will be used.
	// Deprecated
	Ttl string `json:"ttl,omitempty"`
}

AliCloudWriteAuthRoleRequest struct for AliCloudWriteAuthRoleRequest

type AliCloudWriteRoleRequest ¶ 

type AliCloudWriteRoleRequest struct {
	// JSON of policies to be dynamically applied to users of this role.
	InlinePolicies string `json:"inline_policies,omitempty"`

	// The maximum allowed lifetime of tokens issued using this role.
	MaxTtl string `json:"max_ttl,omitempty"`

	// The name and type of each remote policy to be applied. Example: \"name:AliyunRDSReadOnlyAccess,type:System\".
	RemotePolicies []string `json:"remote_policies,omitempty"`

	// ARN of the role to be assumed. If provided, inline_policies and remote_policies should be blank. At creation time, this role must have configured trusted actors, and the access key and secret that will be used to assume the role (in /config) must qualify as a trusted actor.
	RoleArn string `json:"role_arn,omitempty"`

	// Duration in seconds after which the issued token should expire. Defaults to 0, in which case the value will fallback to the system/mount defaults.
	Ttl string `json:"ttl,omitempty"`
}

AliCloudWriteRoleRequest struct for AliCloudWriteRoleRequest

type AliasCreateRequest ¶ added in v0.3.0 

type AliasCreateRequest struct {
	// Entity ID to which this alias belongs to
	CanonicalId string `json:"canonical_id,omitempty"`

	// Entity ID to which this alias belongs to. This field is deprecated in favor of 'canonical_id'.
	EntityId string `json:"entity_id,omitempty"`

	// ID of the alias
	Id string `json:"id,omitempty"`

	// Mount accessor to which this alias belongs to
	MountAccessor string `json:"mount_accessor,omitempty"`

	// Name of the alias
	Name string `json:"name,omitempty"`
}

AliasCreateRequest struct for AliasCreateRequest

type AliasUpdateByIdRequest ¶ added in v0.3.0 

type AliasUpdateByIdRequest struct {
	// Entity ID to which this alias should be tied to
	CanonicalId string `json:"canonical_id,omitempty"`

	// Entity ID to which this alias should be tied to. This field is deprecated in favor of 'canonical_id'.
	EntityId string `json:"entity_id,omitempty"`

	// Mount accessor to which this alias belongs to
	MountAccessor string `json:"mount_accessor,omitempty"`

	// Name of the alias
	Name string `json:"name,omitempty"`
}

AliasUpdateByIdRequest struct for AliasUpdateByIdRequest

type AppRoleDestroySecretIdByAccessorRequest ¶ added in v0.3.0 

type AppRoleDestroySecretIdByAccessorRequest struct {
	// Accessor of the SecretID
	SecretIdAccessor string `json:"secret_id_accessor,omitempty"`
}

AppRoleDestroySecretIdByAccessorRequest struct for AppRoleDestroySecretIdByAccessorRequest

type AppRoleDestroySecretIdRequest ¶ added in v0.3.0 

type AppRoleDestroySecretIdRequest struct {
	// SecretID attached to the role.
	SecretId string `json:"secret_id,omitempty"`
}

AppRoleDestroySecretIdRequest struct for AppRoleDestroySecretIdRequest

type AppRoleLoginRequest ¶ 

type AppRoleLoginRequest struct {
	// Unique identifier of the Role. Required to be supplied when the 'bind_secret_id' constraint is set.
	RoleId string `json:"role_id,omitempty"`

	// SecretID belong to the App role
	SecretId string `json:"secret_id,omitempty"`
}

AppRoleLoginRequest struct for AppRoleLoginRequest

type AppRoleLoginResponse ¶ added in v0.3.0 

type AppRoleLoginResponse struct {
	Role string `json:"role,omitempty"`
}

AppRoleLoginResponse struct for AppRoleLoginResponse

type AppRoleLookUpSecretIdByAccessorRequest ¶ added in v0.3.0 

type AppRoleLookUpSecretIdByAccessorRequest struct {
	// Accessor of the SecretID
	SecretIdAccessor string `json:"secret_id_accessor,omitempty"`
}

AppRoleLookUpSecretIdByAccessorRequest struct for AppRoleLookUpSecretIdByAccessorRequest

type AppRoleLookUpSecretIdByAccessorResponse ¶ added in v0.3.0 

type AppRoleLookUpSecretIdByAccessorResponse struct {
	// List of CIDR blocks enforcing secret IDs to be used from specific set of IP addresses. If 'bound_cidr_list' is set on the role, then the list of CIDR blocks listed here should be a subset of the CIDR blocks listed on the role.
	CidrList []string `json:"cidr_list,omitempty"`

	CreationTime time.Time `json:"creation_time,omitempty"`

	ExpirationTime time.Time `json:"expiration_time,omitempty"`

	LastUpdatedTime time.Time `json:"last_updated_time,omitempty"`

	Metadata map[string]interface{} `json:"metadata,omitempty"`

	// Accessor of the secret ID
	SecretIdAccessor string `json:"secret_id_accessor,omitempty"`

	// Number of times a secret ID can access the role, after which the secret ID will expire.
	SecretIdNumUses int32 `json:"secret_id_num_uses,omitempty"`

	// Duration in seconds after which the issued secret ID expires.
	SecretIdTtl string `json:"secret_id_ttl,omitempty"`

	// List of CIDR blocks. If set, specifies the blocks of IP addresses which can use the returned token. Should be a subset of the token CIDR blocks listed on the role, if any.
	TokenBoundCidrs []string `json:"token_bound_cidrs,omitempty"`
}

AppRoleLookUpSecretIdByAccessorResponse struct for AppRoleLookUpSecretIdByAccessorResponse

type AppRoleLookUpSecretIdRequest ¶ added in v0.3.0 

type AppRoleLookUpSecretIdRequest struct {
	// SecretID attached to the role.
	SecretId string `json:"secret_id,omitempty"`
}

AppRoleLookUpSecretIdRequest struct for AppRoleLookUpSecretIdRequest

type AppRoleLookUpSecretIdResponse ¶ added in v0.3.0 

type AppRoleLookUpSecretIdResponse struct {
	// List of CIDR blocks enforcing secret IDs to be used from specific set of IP addresses. If 'bound_cidr_list' is set on the role, then the list of CIDR blocks listed here should be a subset of the CIDR blocks listed on the role.
	CidrList []string `json:"cidr_list,omitempty"`

	CreationTime time.Time `json:"creation_time,omitempty"`

	ExpirationTime time.Time `json:"expiration_time,omitempty"`

	LastUpdatedTime time.Time `json:"last_updated_time,omitempty"`

	Metadata map[string]interface{} `json:"metadata,omitempty"`

	// Accessor of the secret ID
	SecretIdAccessor string `json:"secret_id_accessor,omitempty"`

	// Number of times a secret ID can access the role, after which the secret ID will expire.
	SecretIdNumUses int32 `json:"secret_id_num_uses,omitempty"`

	// Duration in seconds after which the issued secret ID expires.
	SecretIdTtl string `json:"secret_id_ttl,omitempty"`

	// List of CIDR blocks. If set, specifies the blocks of IP addresses which can use the returned token. Should be a subset of the token CIDR blocks listed on the role, if any.
	TokenBoundCidrs []string `json:"token_bound_cidrs,omitempty"`
}

AppRoleLookUpSecretIdResponse struct for AppRoleLookUpSecretIdResponse

type AppRoleReadBindSecretIdResponse ¶ added in v0.3.0 

type AppRoleReadBindSecretIdResponse struct {
	// Impose secret_id to be presented when logging in using this role. Defaults to 'true'.
	BindSecretId bool `json:"bind_secret_id,omitempty"`
}

AppRoleReadBindSecretIdResponse struct for AppRoleReadBindSecretIdResponse

type AppRoleReadBoundCidrListResponse ¶ added in v0.3.0 

type AppRoleReadBoundCidrListResponse struct {
	// Deprecated: Please use \"secret_id_bound_cidrs\" instead. Comma separated string or list of CIDR blocks. If set, specifies the blocks of IP addresses which can perform the login operation.
	// Deprecated
	BoundCidrList []string `json:"bound_cidr_list,omitempty"`
}

AppRoleReadBoundCidrListResponse struct for AppRoleReadBoundCidrListResponse

type AppRoleReadLocalSecretIdsResponse ¶ added in v0.3.0 

type AppRoleReadLocalSecretIdsResponse struct {
	// If true, the secret identifiers generated using this role will be cluster local. This can only be set during role creation and once set, it can't be reset later
	LocalSecretIds bool `json:"local_secret_ids,omitempty"`
}

AppRoleReadLocalSecretIdsResponse struct for AppRoleReadLocalSecretIdsResponse

type AppRoleReadPeriodResponse ¶ 

type AppRoleReadPeriodResponse struct {
	// Use \"token_period\" instead. If this and \"token_period\" are both specified, only \"token_period\" will be used.
	// Deprecated
	Period string `json:"period,omitempty"`

	// If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").
	TokenPeriod string `json:"token_period,omitempty"`
}

AppRoleReadPeriodResponse struct for AppRoleReadPeriodResponse

type AppRoleReadPoliciesResponse ¶ 

type AppRoleReadPoliciesResponse struct {
	// Use \"token_policies\" instead. If this and \"token_policies\" are both specified, only \"token_policies\" will be used.
	// Deprecated
	Policies []string `json:"policies,omitempty"`

	// Comma-separated list of policies
	TokenPolicies []string `json:"token_policies,omitempty"`
}

AppRoleReadPoliciesResponse struct for AppRoleReadPoliciesResponse

type AppRoleReadRoleIdResponse ¶ added in v0.3.0 

type AppRoleReadRoleIdResponse struct {
	// Identifier of the role. Defaults to a UUID.
	RoleId string `json:"role_id,omitempty"`
}

AppRoleReadRoleIdResponse struct for AppRoleReadRoleIdResponse

type AppRoleReadRoleResponse ¶ 

type AppRoleReadRoleResponse struct {
	// Impose secret ID to be presented when logging in using this role.
	BindSecretId bool `json:"bind_secret_id,omitempty"`

	// If true, the secret identifiers generated using this role will be cluster local. This can only be set during role creation and once set, it can't be reset later
	LocalSecretIds bool `json:"local_secret_ids,omitempty"`

	// Use \"token_period\" instead. If this and \"token_period\" are both specified, only \"token_period\" will be used.
	// Deprecated
	Period string `json:"period,omitempty"`

	// Use \"token_policies\" instead. If this and \"token_policies\" are both specified, only \"token_policies\" will be used.
	// Deprecated
	Policies []string `json:"policies,omitempty"`

	// Comma separated string or list of CIDR blocks. If set, specifies the blocks of IP addresses which can perform the login operation.
	SecretIdBoundCidrs []string `json:"secret_id_bound_cidrs,omitempty"`

	// Number of times a secret ID can access the role, after which the secret ID will expire.
	SecretIdNumUses int32 `json:"secret_id_num_uses,omitempty"`

	// Duration in seconds after which the issued secret ID expires.
	SecretIdTtl string `json:"secret_id_ttl,omitempty"`

	// Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.
	TokenBoundCidrs []string `json:"token_bound_cidrs,omitempty"`

	// If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.
	TokenExplicitMaxTtl string `json:"token_explicit_max_ttl,omitempty"`

	// The maximum lifetime of the generated token
	TokenMaxTtl string `json:"token_max_ttl,omitempty"`

	// If true, the 'default' policy will not automatically be added to generated tokens
	TokenNoDefaultPolicy bool `json:"token_no_default_policy,omitempty"`

	// The maximum number of times a token may be used, a value of zero means unlimited
	TokenNumUses int32 `json:"token_num_uses,omitempty"`

	// If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value.
	TokenPeriod string `json:"token_period,omitempty"`

	// Comma-separated list of policies
	TokenPolicies []string `json:"token_policies,omitempty"`

	// The initial ttl of the token to generate
	TokenTtl string `json:"token_ttl,omitempty"`

	// The type of token to generate, service or batch
	TokenType string `json:"token_type,omitempty"`
}

AppRoleReadRoleResponse struct for AppRoleReadRoleResponse

type AppRoleReadSecretIdBoundCidrsResponse ¶ added in v0.3.0 

type AppRoleReadSecretIdBoundCidrsResponse struct {
	// Comma separated string or list of CIDR blocks. If set, specifies the blocks of IP addresses which can perform the login operation.
	SecretIdBoundCidrs []string `json:"secret_id_bound_cidrs,omitempty"`
}

AppRoleReadSecretIdBoundCidrsResponse struct for AppRoleReadSecretIdBoundCidrsResponse

type AppRoleReadSecretIdNumUsesResponse ¶ added in v0.3.0 

type AppRoleReadSecretIdNumUsesResponse struct {
	// Number of times a secret ID can access the role, after which the SecretID will expire. Defaults to 0 meaning that the secret ID is of unlimited use.
	SecretIdNumUses int32 `json:"secret_id_num_uses,omitempty"`
}

AppRoleReadSecretIdNumUsesResponse struct for AppRoleReadSecretIdNumUsesResponse

type AppRoleReadSecretIdTtlResponse ¶ added in v0.3.0 

type AppRoleReadSecretIdTtlResponse struct {
	// Duration in seconds after which the issued secret ID should expire. Defaults to 0, meaning no expiration.
	SecretIdTtl string `json:"secret_id_ttl,omitempty"`
}

AppRoleReadSecretIdTtlResponse struct for AppRoleReadSecretIdTtlResponse

type AppRoleReadTokenBoundCidrsResponse ¶ added in v0.3.0 

type AppRoleReadTokenBoundCidrsResponse struct {
	// Comma separated string or list of CIDR blocks. If set, specifies the blocks of IP addresses which can use the returned token. Should be a subset of the token CIDR blocks listed on the role, if any.
	TokenBoundCidrs []string `json:"token_bound_cidrs,omitempty"`
}

AppRoleReadTokenBoundCidrsResponse struct for AppRoleReadTokenBoundCidrsResponse

type AppRoleReadTokenMaxTtlResponse ¶ added in v0.3.0 

type AppRoleReadTokenMaxTtlResponse struct {
	// The maximum lifetime of the generated token
	TokenMaxTtl string `json:"token_max_ttl,omitempty"`
}

AppRoleReadTokenMaxTtlResponse struct for AppRoleReadTokenMaxTtlResponse

type AppRoleReadTokenNumUsesResponse ¶ 

type AppRoleReadTokenNumUsesResponse struct {
	// The maximum number of times a token may be used, a value of zero means unlimited
	TokenNumUses int32 `json:"token_num_uses,omitempty"`
}

AppRoleReadTokenNumUsesResponse struct for AppRoleReadTokenNumUsesResponse

type AppRoleReadTokenTtlResponse ¶ added in v0.3.0 

type AppRoleReadTokenTtlResponse struct {
	// The initial ttl of the token to generate
	TokenTtl string `json:"token_ttl,omitempty"`
}

AppRoleReadTokenTtlResponse struct for AppRoleReadTokenTtlResponse

type AppRoleWriteBindSecretIdRequest ¶ added in v0.3.0 

type AppRoleWriteBindSecretIdRequest struct {
	// Impose secret_id to be presented when logging in using this role.
	BindSecretId bool `json:"bind_secret_id,omitempty"`
}

AppRoleWriteBindSecretIdRequest struct for AppRoleWriteBindSecretIdRequest

type AppRoleWriteBoundCidrListRequest ¶ added in v0.3.0 

type AppRoleWriteBoundCidrListRequest struct {
	// Deprecated: Please use \"secret_id_bound_cidrs\" instead. Comma separated string or list of CIDR blocks. If set, specifies the blocks of IP addresses which can perform the login operation.
	BoundCidrList []string `json:"bound_cidr_list,omitempty"`
}

AppRoleWriteBoundCidrListRequest struct for AppRoleWriteBoundCidrListRequest

type AppRoleWriteCustomSecretIdRequest ¶ added in v0.3.0 

type AppRoleWriteCustomSecretIdRequest struct {
	// Comma separated string or list of CIDR blocks enforcing secret IDs to be used from specific set of IP addresses. If 'bound_cidr_list' is set on the role, then the list of CIDR blocks listed here should be a subset of the CIDR blocks listed on the role.
	CidrList []string `json:"cidr_list,omitempty"`

	// Metadata to be tied to the SecretID. This should be a JSON formatted string containing metadata in key value pairs.
	Metadata string `json:"metadata,omitempty"`

	// Number of times this SecretID can be used, after which the SecretID expires. Overrides secret_id_num_uses role option when supplied. May not be higher than role's secret_id_num_uses.
	NumUses int32 `json:"num_uses,omitempty"`

	// SecretID to be attached to the role.
	SecretId string `json:"secret_id,omitempty"`

	// Comma separated string or list of CIDR blocks. If set, specifies the blocks of IP addresses which can use the returned token. Should be a subset of the token CIDR blocks listed on the role, if any.
	TokenBoundCidrs []string `json:"token_bound_cidrs,omitempty"`

	// Duration in seconds after which this SecretID expires. Overrides secret_id_ttl role option when supplied. May not be longer than role's secret_id_ttl.
	Ttl string `json:"ttl,omitempty"`
}

AppRoleWriteCustomSecretIdRequest struct for AppRoleWriteCustomSecretIdRequest

type AppRoleWriteCustomSecretIdResponse ¶ added in v0.3.0 

type AppRoleWriteCustomSecretIdResponse struct {
	// Secret ID attached to the role.
	SecretId string `json:"secret_id,omitempty"`

	// Accessor of the secret ID
	SecretIdAccessor string `json:"secret_id_accessor,omitempty"`

	// Number of times a secret ID can access the role, after which the secret ID will expire.
	SecretIdNumUses int32 `json:"secret_id_num_uses,omitempty"`

	// Duration in seconds after which the issued secret ID expires.
	SecretIdTtl string `json:"secret_id_ttl,omitempty"`
}

AppRoleWriteCustomSecretIdResponse struct for AppRoleWriteCustomSecretIdResponse

type AppRoleWritePeriodRequest ¶ 

type AppRoleWritePeriodRequest struct {
	// Use \"token_period\" instead. If this and \"token_period\" are both specified, only \"token_period\" will be used.
	// Deprecated
	Period string `json:"period,omitempty"`

	// If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").
	TokenPeriod string `json:"token_period,omitempty"`
}

AppRoleWritePeriodRequest struct for AppRoleWritePeriodRequest

type AppRoleWritePoliciesRequest ¶ 

type AppRoleWritePoliciesRequest struct {
	// Use \"token_policies\" instead. If this and \"token_policies\" are both specified, only \"token_policies\" will be used.
	// Deprecated
	Policies []string `json:"policies,omitempty"`

	// Comma-separated list of policies
	TokenPolicies []string `json:"token_policies,omitempty"`
}

AppRoleWritePoliciesRequest struct for AppRoleWritePoliciesRequest

type AppRoleWriteRoleIdRequest ¶ added in v0.3.0 

type AppRoleWriteRoleIdRequest struct {
	// Identifier of the role. Defaults to a UUID.
	RoleId string `json:"role_id,omitempty"`
}

AppRoleWriteRoleIdRequest struct for AppRoleWriteRoleIdRequest

type AppRoleWriteRoleRequest ¶ 

type AppRoleWriteRoleRequest struct {
	// Impose secret_id to be presented when logging in using this role. Defaults to 'true'.
	BindSecretId bool `json:"bind_secret_id,omitempty"`

	// Use \"secret_id_bound_cidrs\" instead.
	// Deprecated
	BoundCidrList []string `json:"bound_cidr_list,omitempty"`

	// If set, the secret IDs generated using this role will be cluster local. This can only be set during role creation and once set, it can't be reset later.
	LocalSecretIds bool `json:"local_secret_ids,omitempty"`

	// Use \"token_period\" instead. If this and \"token_period\" are both specified, only \"token_period\" will be used.
	// Deprecated
	Period string `json:"period,omitempty"`

	// Use \"token_policies\" instead. If this and \"token_policies\" are both specified, only \"token_policies\" will be used.
	// Deprecated
	Policies []string `json:"policies,omitempty"`

	// Identifier of the role. Defaults to a UUID.
	RoleId string `json:"role_id,omitempty"`

	// Comma separated string or list of CIDR blocks. If set, specifies the blocks of IP addresses which can perform the login operation.
	SecretIdBoundCidrs []string `json:"secret_id_bound_cidrs,omitempty"`

	// Number of times a SecretID can access the role, after which the SecretID will expire. Defaults to 0 meaning that the the secret_id is of unlimited use.
	SecretIdNumUses int32 `json:"secret_id_num_uses,omitempty"`

	// Duration in seconds after which the issued SecretID should expire. Defaults to 0, meaning no expiration.
	SecretIdTtl string `json:"secret_id_ttl,omitempty"`

	// Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.
	TokenBoundCidrs []string `json:"token_bound_cidrs,omitempty"`

	// If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.
	TokenExplicitMaxTtl string `json:"token_explicit_max_ttl,omitempty"`

	// The maximum lifetime of the generated token
	TokenMaxTtl string `json:"token_max_ttl,omitempty"`

	// If true, the 'default' policy will not automatically be added to generated tokens
	TokenNoDefaultPolicy bool `json:"token_no_default_policy,omitempty"`

	// The maximum number of times a token may be used, a value of zero means unlimited
	TokenNumUses int32 `json:"token_num_uses,omitempty"`

	// If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").
	TokenPeriod string `json:"token_period,omitempty"`

	// Comma-separated list of policies
	TokenPolicies []string `json:"token_policies,omitempty"`

	// The initial ttl of the token to generate
	TokenTtl string `json:"token_ttl,omitempty"`

	// The type of token to generate, service or batch
	TokenType string `json:"token_type,omitempty"`
}

AppRoleWriteRoleRequest struct for AppRoleWriteRoleRequest

type AppRoleWriteSecretIdBoundCidrsRequest ¶ added in v0.3.0 

type AppRoleWriteSecretIdBoundCidrsRequest struct {
	// Comma separated string or list of CIDR blocks. If set, specifies the blocks of IP addresses which can perform the login operation.
	SecretIdBoundCidrs []string `json:"secret_id_bound_cidrs,omitempty"`
}

AppRoleWriteSecretIdBoundCidrsRequest struct for AppRoleWriteSecretIdBoundCidrsRequest

type AppRoleWriteSecretIdNumUsesRequest ¶ added in v0.3.0 

type AppRoleWriteSecretIdNumUsesRequest struct {
	// Number of times a SecretID can access the role, after which the SecretID will expire.
	SecretIdNumUses int32 `json:"secret_id_num_uses,omitempty"`
}

AppRoleWriteSecretIdNumUsesRequest struct for AppRoleWriteSecretIdNumUsesRequest

type AppRoleWriteSecretIdRequest ¶ added in v0.3.0 

type AppRoleWriteSecretIdRequest struct {
	// Comma separated string or list of CIDR blocks enforcing secret IDs to be used from specific set of IP addresses. If 'bound_cidr_list' is set on the role, then the list of CIDR blocks listed here should be a subset of the CIDR blocks listed on the role.
	CidrList []string `json:"cidr_list,omitempty"`

	// Metadata to be tied to the SecretID. This should be a JSON formatted string containing the metadata in key value pairs.
	Metadata string `json:"metadata,omitempty"`

	// Number of times this SecretID can be used, after which the SecretID expires. Overrides secret_id_num_uses role option when supplied. May not be higher than role's secret_id_num_uses.
	NumUses int32 `json:"num_uses,omitempty"`

	// Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.
	TokenBoundCidrs []string `json:"token_bound_cidrs,omitempty"`

	// Duration in seconds after which this SecretID expires. Overrides secret_id_ttl role option when supplied. May not be longer than role's secret_id_ttl.
	Ttl string `json:"ttl,omitempty"`
}

AppRoleWriteSecretIdRequest struct for AppRoleWriteSecretIdRequest

type AppRoleWriteSecretIdResponse ¶ added in v0.3.0 

type AppRoleWriteSecretIdResponse struct {
	// Secret ID attached to the role.
	SecretId string `json:"secret_id,omitempty"`

	// Accessor of the secret ID
	SecretIdAccessor string `json:"secret_id_accessor,omitempty"`

	// Number of times a secret ID can access the role, after which the secret ID will expire.
	SecretIdNumUses int32 `json:"secret_id_num_uses,omitempty"`

	// Duration in seconds after which the issued secret ID expires.
	SecretIdTtl string `json:"secret_id_ttl,omitempty"`
}

AppRoleWriteSecretIdResponse struct for AppRoleWriteSecretIdResponse

type AppRoleWriteSecretIdTtlRequest ¶ added in v0.3.0 

type AppRoleWriteSecretIdTtlRequest struct {
	// Duration in seconds after which the issued SecretID should expire. Defaults to 0, meaning no expiration.
	SecretIdTtl string `json:"secret_id_ttl,omitempty"`
}

AppRoleWriteSecretIdTtlRequest struct for AppRoleWriteSecretIdTtlRequest

type AppRoleWriteTokenBoundCidrsRequest ¶ added in v0.3.0 

type AppRoleWriteTokenBoundCidrsRequest struct {
	// Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.
	TokenBoundCidrs []string `json:"token_bound_cidrs,omitempty"`
}

AppRoleWriteTokenBoundCidrsRequest struct for AppRoleWriteTokenBoundCidrsRequest

type AppRoleWriteTokenMaxTtlRequest ¶ added in v0.3.0 

type AppRoleWriteTokenMaxTtlRequest struct {
	// The maximum lifetime of the generated token
	TokenMaxTtl string `json:"token_max_ttl,omitempty"`
}

AppRoleWriteTokenMaxTtlRequest struct for AppRoleWriteTokenMaxTtlRequest

type AppRoleWriteTokenNumUsesRequest ¶ 

type AppRoleWriteTokenNumUsesRequest struct {
	// The maximum number of times a token may be used, a value of zero means unlimited
	TokenNumUses int32 `json:"token_num_uses,omitempty"`
}

AppRoleWriteTokenNumUsesRequest struct for AppRoleWriteTokenNumUsesRequest

type AppRoleWriteTokenTtlRequest ¶ added in v0.3.0 

type AppRoleWriteTokenTtlRequest struct {
	// The initial ttl of the token to generate
	TokenTtl string `json:"token_ttl,omitempty"`
}

AppRoleWriteTokenTtlRequest struct for AppRoleWriteTokenTtlRequest

type AuditingCalculateHashRequest ¶ added in v0.3.0 

type AuditingCalculateHashRequest struct {
	Input string `json:"input,omitempty"`
}

AuditingCalculateHashRequest struct for AuditingCalculateHashRequest

type AuditingCalculateHashResponse ¶ added in v0.3.0 

type AuditingCalculateHashResponse struct {
	Hash string `json:"hash,omitempty"`
}

AuditingCalculateHashResponse struct for AuditingCalculateHashResponse

type AuditingEnableDeviceRequest ¶ added in v0.3.0 

type AuditingEnableDeviceRequest struct {
	// User-friendly description for this audit backend.
	Description string `json:"description,omitempty"`

	// Mark the mount as a local mount, which is not replicated and is unaffected by replication.
	Local bool `json:"local,omitempty"`

	// Configuration options for the audit backend.
	Options map[string]interface{} `json:"options,omitempty"`

	// The type of the backend. Example: \"mysql\"
	Type string `json:"type,omitempty"`
}

AuditingEnableDeviceRequest struct for AuditingEnableDeviceRequest

type AuditingEnableRequestHeaderRequest ¶ added in v0.3.0 

type AuditingEnableRequestHeaderRequest struct {
	Hmac bool `json:"hmac,omitempty"`
}

AuditingEnableRequestHeaderRequest struct for AuditingEnableRequestHeaderRequest

type AuditingListRequestHeadersResponse ¶ added in v0.3.0 

type AuditingListRequestHeadersResponse struct {
	Headers map[string]interface{} `json:"headers,omitempty"`
}

AuditingListRequestHeadersResponse struct for AuditingListRequestHeadersResponse

type AuthEnableMethodRequest ¶ added in v0.3.0 

type AuthEnableMethodRequest struct {
	// Configuration for this mount, such as plugin_name.
	Config map[string]interface{} `json:"config,omitempty"`

	// User-friendly description for this credential backend.
	Description string `json:"description,omitempty"`

	// Whether to give the mount access to Vault's external entropy.
	ExternalEntropyAccess bool `json:"external_entropy_access,omitempty"`

	// Mark the mount as a local mount, which is not replicated and is unaffected by replication.
	Local bool `json:"local,omitempty"`

	// The options to pass into the backend. Should be a json object with string keys and values.
	Options map[string]interface{} `json:"options,omitempty"`

	// Name of the auth plugin to use based from the name in the plugin catalog.
	PluginName string `json:"plugin_name,omitempty"`

	// The semantic version of the plugin to use, or image tag if oci_image is provided.
	PluginVersion string `json:"plugin_version,omitempty"`

	// Whether to turn on seal wrapping for the mount.
	SealWrap bool `json:"seal_wrap,omitempty"`

	// The type of the backend. Example: \"userpass\"
	Type string `json:"type,omitempty"`
}

AuthEnableMethodRequest struct for AuthEnableMethodRequest

type AuthReadConfigurationResponse ¶ added in v0.3.0 

type AuthReadConfigurationResponse struct {
	Accessor string `json:"accessor,omitempty"`

	Config map[string]interface{} `json:"config,omitempty"`

	DeprecationStatus string `json:"deprecation_status,omitempty"`

	Description string `json:"description,omitempty"`

	ExternalEntropyAccess bool `json:"external_entropy_access,omitempty"`

	Local bool `json:"local,omitempty"`

	Options map[string]interface{} `json:"options,omitempty"`

	PluginVersion string `json:"plugin_version,omitempty"`

	RunningPluginVersion string `json:"running_plugin_version,omitempty"`

	RunningSha256 string `json:"running_sha256,omitempty"`

	SealWrap bool `json:"seal_wrap,omitempty"`

	Type string `json:"type,omitempty"`

	Uuid string `json:"uuid,omitempty"`
}

AuthReadConfigurationResponse struct for AuthReadConfigurationResponse

type AuthReadTuningInformationResponse ¶ added in v0.3.0 

type AuthReadTuningInformationResponse struct {
	AllowedManagedKeys []string `json:"allowed_managed_keys,omitempty"`

	AllowedResponseHeaders []string `json:"allowed_response_headers,omitempty"`

	AuditNonHmacRequestKeys []string `json:"audit_non_hmac_request_keys,omitempty"`

	AuditNonHmacResponseKeys []string `json:"audit_non_hmac_response_keys,omitempty"`

	DefaultLeaseTtl int32 `json:"default_lease_ttl,omitempty"`

	Description string `json:"description,omitempty"`

	ExternalEntropyAccess bool `json:"external_entropy_access,omitempty"`

	ForceNoCache bool `json:"force_no_cache,omitempty"`

	ListingVisibility string `json:"listing_visibility,omitempty"`

	MaxLeaseTtl int32 `json:"max_lease_ttl,omitempty"`

	Options map[string]interface{} `json:"options,omitempty"`

	PassthroughRequestHeaders []string `json:"passthrough_request_headers,omitempty"`

	PluginVersion string `json:"plugin_version,omitempty"`

	TokenType string `json:"token_type,omitempty"`

	UserLockoutCounterResetDuration int64 `json:"user_lockout_counter_reset_duration,omitempty"`

	UserLockoutDisable bool `json:"user_lockout_disable,omitempty"`

	UserLockoutDuration int64 `json:"user_lockout_duration,omitempty"`

	UserLockoutThreshold int64 `json:"user_lockout_threshold,omitempty"`
}

AuthReadTuningInformationResponse struct for AuthReadTuningInformationResponse

type AuthTuneConfigurationParametersRequest ¶ added in v0.3.0 

type AuthTuneConfigurationParametersRequest struct {
	// A list of headers to whitelist and allow a plugin to set on responses.
	AllowedResponseHeaders []string `json:"allowed_response_headers,omitempty"`

	// The list of keys in the request data object that will not be HMAC'ed by audit devices.
	AuditNonHmacRequestKeys []string `json:"audit_non_hmac_request_keys,omitempty"`

	// The list of keys in the response data object that will not be HMAC'ed by audit devices.
	AuditNonHmacResponseKeys []string `json:"audit_non_hmac_response_keys,omitempty"`

	// The default lease TTL for this mount.
	DefaultLeaseTtl string `json:"default_lease_ttl,omitempty"`

	// User-friendly description for this credential backend.
	Description string `json:"description,omitempty"`

	// Determines the visibility of the mount in the UI-specific listing endpoint. Accepted value are 'unauth' and 'hidden', with the empty default (”) behaving like 'hidden'.
	ListingVisibility string `json:"listing_visibility,omitempty"`

	// The max lease TTL for this mount.
	MaxLeaseTtl string `json:"max_lease_ttl,omitempty"`

	// The options to pass into the backend. Should be a json object with string keys and values.
	Options map[string]interface{} `json:"options,omitempty"`

	// A list of headers to whitelist and pass from the request to the plugin.
	PassthroughRequestHeaders []string `json:"passthrough_request_headers,omitempty"`

	// The semantic version of the plugin to use, or image tag if oci_image is provided.
	PluginVersion string `json:"plugin_version,omitempty"`

	// The type of token to issue (service or batch).
	TokenType string `json:"token_type,omitempty"`

	// The user lockout configuration to pass into the backend. Should be a json object with string keys and values.
	UserLockoutConfig map[string]interface{} `json:"user_lockout_config,omitempty"`
}

AuthTuneConfigurationParametersRequest struct for AuthTuneConfigurationParametersRequest

type AwsConfigureCertificateRequest ¶ added in v0.3.0 

type AwsConfigureCertificateRequest struct {
	// Base64 encoded AWS Public cert required to verify PKCS7 signature of the EC2 instance metadata.
	AwsPublicCert string `json:"aws_public_cert,omitempty"`

	// Takes the value of either \"pkcs7\" or \"identity\", indicating the type of document which can be verified using the given certificate. The reason is that the PKCS#7 document will have a DSA digest and the identity signature will have an RSA signature, and accordingly the public certificates to verify those also vary. Defaults to \"pkcs7\".
	Type string `json:"type,omitempty"`
}

AwsConfigureCertificateRequest struct for AwsConfigureCertificateRequest

type AwsConfigureClientRequest ¶ added in v0.3.0 

type AwsConfigureClientRequest struct {
	// AWS Access Key ID for the account used to make AWS API requests.
	AccessKey string `json:"access_key,omitempty"`

	// List of additional headers that are allowed to be in AWS STS request headers
	AllowedStsHeaderValues []string `json:"allowed_sts_header_values,omitempty"`

	// URL to override the default generated endpoint for making AWS EC2 API calls.
	Endpoint string `json:"endpoint,omitempty"`

	// URL to override the default generated endpoint for making AWS IAM API calls.
	IamEndpoint string `json:"iam_endpoint,omitempty"`

	// Value to require in the X-Vault-AWS-IAM-Server-ID request header
	IamServerIdHeaderValue string `json:"iam_server_id_header_value,omitempty"`

	// Maximum number of retries for recoverable exceptions of AWS APIs
	MaxRetries int32 `json:"max_retries,omitempty"`

	// AWS Secret Access Key for the account used to make AWS API requests.
	SecretKey string `json:"secret_key,omitempty"`

	// URL to override the default generated endpoint for making AWS STS API calls.
	StsEndpoint string `json:"sts_endpoint,omitempty"`

	// The region ID for the sts_endpoint, if set.
	StsRegion string `json:"sts_region,omitempty"`

	// Uses the STS region from client requests for making AWS STS API calls.
	UseStsRegionFromClient bool `json:"use_sts_region_from_client,omitempty"`
}

AwsConfigureClientRequest struct for AwsConfigureClientRequest

type AwsConfigureIdentityAccessListTidyOperationRequest ¶ added in v0.3.0 

type AwsConfigureIdentityAccessListTidyOperationRequest struct {
	// If set to 'true', disables the periodic tidying of the 'identity-accesslist/<instance_id>' entries.
	DisablePeriodicTidy bool `json:"disable_periodic_tidy,omitempty"`

	// The amount of extra time that must have passed beyond the identity's expiration, before it is removed from the backend storage.
	SafetyBuffer string `json:"safety_buffer,omitempty"`
}

AwsConfigureIdentityAccessListTidyOperationRequest struct for AwsConfigureIdentityAccessListTidyOperationRequest

type AwsConfigureIdentityIntegrationRequest ¶ added in v0.3.0 

type AwsConfigureIdentityIntegrationRequest struct {
	// Configure how the AWS auth method generates entity alias when using EC2 auth. Valid values are \"role_id\", \"instance_id\", and \"image_id\". Defaults to \"role_id\".
	Ec2Alias string `json:"ec2_alias,omitempty"`

	// The metadata to include on the aliases and audit logs generated by this plugin. When set to 'default', includes: account_id, auth_type. These fields are available to add: ami_id, instance_id, region. Not editing this field means the 'default' fields are included. Explicitly setting this field to empty overrides the 'default' and means no metadata will be included. If not using 'default', explicit fields must be sent like: 'field1,field2'.
	Ec2Metadata []string `json:"ec2_metadata,omitempty"`

	// Configure how the AWS auth method generates entity aliases when using IAM auth. Valid values are \"role_id\", \"unique_id\", and \"full_arn\". Defaults to \"role_id\".
	IamAlias string `json:"iam_alias,omitempty"`

	// The metadata to include on the aliases and audit logs generated by this plugin. When set to 'default', includes: account_id, auth_type. These fields are available to add: canonical_arn, client_arn, client_user_id, inferred_aws_region, inferred_entity_id, inferred_entity_type. Not editing this field means the 'default' fields are included. Explicitly setting this field to empty overrides the 'default' and means no metadata will be included. If not using 'default', explicit fields must be sent like: 'field1,field2'.
	IamMetadata []string `json:"iam_metadata,omitempty"`
}

AwsConfigureIdentityIntegrationRequest struct for AwsConfigureIdentityIntegrationRequest

type AwsConfigureIdentityWhitelistTidyOperationRequest ¶ added in v0.3.0 

type AwsConfigureIdentityWhitelistTidyOperationRequest struct {
	// If set to 'true', disables the periodic tidying of the 'identity-accesslist/<instance_id>' entries.
	DisablePeriodicTidy bool `json:"disable_periodic_tidy,omitempty"`

	// The amount of extra time that must have passed beyond the identity's expiration, before it is removed from the backend storage.
	SafetyBuffer string `json:"safety_buffer,omitempty"`
}

AwsConfigureIdentityWhitelistTidyOperationRequest struct for AwsConfigureIdentityWhitelistTidyOperationRequest

type AwsConfigureLeaseRequest ¶ added in v0.3.0 

type AwsConfigureLeaseRequest struct {
	// Default lease for roles.
	Lease string `json:"lease,omitempty"`

	// Maximum time a credential is valid for.
	LeaseMax string `json:"lease_max,omitempty"`
}

AwsConfigureLeaseRequest struct for AwsConfigureLeaseRequest

type AwsConfigureRoleTagBlacklistTidyOperationRequest ¶ added in v0.3.0 

type AwsConfigureRoleTagBlacklistTidyOperationRequest struct {
	// If set to 'true', disables the periodic tidying of deny listed entries.
	DisablePeriodicTidy bool `json:"disable_periodic_tidy,omitempty"`

	// The amount of extra time that must have passed beyond the roletag expiration, before it is removed from the backend storage. Defaults to 4320h (180 days).
	SafetyBuffer string `json:"safety_buffer,omitempty"`
}

AwsConfigureRoleTagBlacklistTidyOperationRequest struct for AwsConfigureRoleTagBlacklistTidyOperationRequest

type AwsConfigureRoleTagDenyListTidyOperationRequest ¶ added in v0.3.0 

type AwsConfigureRoleTagDenyListTidyOperationRequest struct {
	// If set to 'true', disables the periodic tidying of deny listed entries.
	DisablePeriodicTidy bool `json:"disable_periodic_tidy,omitempty"`

	// The amount of extra time that must have passed beyond the roletag expiration, before it is removed from the backend storage. Defaults to 4320h (180 days).
	SafetyBuffer string `json:"safety_buffer,omitempty"`
}

AwsConfigureRoleTagDenyListTidyOperationRequest struct for AwsConfigureRoleTagDenyListTidyOperationRequest

type AwsConfigureRootIamCredentialsRequest ¶ added in v0.3.0 

type AwsConfigureRootIamCredentialsRequest struct {
	// Access key with permission to create new keys.
	AccessKey string `json:"access_key,omitempty"`

	// Endpoint to custom IAM server URL
	IamEndpoint string `json:"iam_endpoint,omitempty"`

	// Maximum number of retries for recoverable exceptions of AWS APIs
	MaxRetries int32 `json:"max_retries,omitempty"`

	// Region for API calls.
	Region string `json:"region,omitempty"`

	// Secret key with permission to create new keys.
	SecretKey string `json:"secret_key,omitempty"`

	// Endpoint to custom STS server URL
	StsEndpoint string `json:"sts_endpoint,omitempty"`

	// Template to generate custom IAM usernames
	UsernameTemplate string `json:"username_template,omitempty"`
}

AwsConfigureRootIamCredentialsRequest struct for AwsConfigureRootIamCredentialsRequest

type AwsGenerateCredentialsWithParametersRequest ¶ added in v0.4.0 

type AwsGenerateCredentialsWithParametersRequest struct {
	// ARN of role to assume when credential_type is assumed_role
	RoleArn string `json:"role_arn,omitempty"`

	// Session name to use when assuming role. Max chars: 64
	RoleSessionName string `json:"role_session_name,omitempty"`

	// Lifetime of the returned credentials in seconds
	Ttl string `json:"ttl,omitempty"`
}

AwsGenerateCredentialsWithParametersRequest struct for AwsGenerateCredentialsWithParametersRequest

type AwsGenerateStsCredentialsWithParametersRequest ¶ added in v0.4.0 

type AwsGenerateStsCredentialsWithParametersRequest struct {
	// ARN of role to assume when credential_type is assumed_role
	RoleArn string `json:"role_arn,omitempty"`

	// Session name to use when assuming role. Max chars: 64
	RoleSessionName string `json:"role_session_name,omitempty"`

	// Lifetime of the returned credentials in seconds
	Ttl string `json:"ttl,omitempty"`
}

AwsGenerateStsCredentialsWithParametersRequest struct for AwsGenerateStsCredentialsWithParametersRequest

type AwsLoginRequest ¶ added in v0.3.0 

type AwsLoginRequest struct {
	// HTTP method to use for the AWS request when auth_type is iam. This must match what has been signed in the presigned request.
	IamHttpRequestMethod string `json:"iam_http_request_method,omitempty"`

	// Base64-encoded request body when auth_type is iam. This must match the request body included in the signature.
	IamRequestBody string `json:"iam_request_body,omitempty"`

	// Key/value pairs of headers for use in the sts:GetCallerIdentity HTTP requests headers when auth_type is iam. Can be either a Base64-encoded, JSON-serialized string, or a JSON object of key/value pairs. This must at a minimum include the headers over which AWS has included a signature.
	IamRequestHeaders string `json:"iam_request_headers,omitempty"`

	// Base64-encoded full URL against which to make the AWS request when using iam auth_type.
	IamRequestUrl string `json:"iam_request_url,omitempty"`

	// Base64 encoded EC2 instance identity document. This needs to be supplied along with the 'signature' parameter. If using 'curl' for fetching the identity document, consider using the option '-w 0' while piping the output to 'base64' binary.
	Identity string `json:"identity,omitempty"`

	// The nonce to be used for subsequent login requests when auth_type is ec2. If this parameter is not specified at all and if reauthentication is allowed, then the backend will generate a random nonce, attaches it to the instance's identity access list entry and returns the nonce back as part of auth metadata. This value should be used with further login requests, to establish client authenticity. Clients can choose to set a custom nonce if preferred, in which case, it is recommended that clients provide a strong nonce. If a nonce is provided but with an empty value, it indicates intent to disable reauthentication. Note that, when 'disallow_reauthentication' option is enabled on either the role or the role tag, the 'nonce' holds no significance.
	Nonce string `json:"nonce,omitempty"`

	// PKCS7 signature of the identity document when using an auth_type of ec2.
	Pkcs7 string `json:"pkcs7,omitempty"`

	// Name of the role against which the login is being attempted. If 'role' is not specified, then the login endpoint looks for a role bearing the name of the AMI ID of the EC2 instance that is trying to login. If a matching role is not found, login fails.
	Role string `json:"role,omitempty"`

	// Base64 encoded SHA256 RSA signature of the instance identity document. This needs to be supplied along with 'identity' parameter.
	Signature string `json:"signature,omitempty"`
}

AwsLoginRequest struct for AwsLoginRequest

type AwsReadStaticCredsNameResponse ¶ added in v0.4.0 

type AwsReadStaticCredsNameResponse struct {
	// The access key of the AWS Credential
	AccessKey string `json:"access_key,omitempty"`

	// The secret key of the AWS Credential
	SecretKey string `json:"secret_key,omitempty"`
}

AwsReadStaticCredsNameResponse struct for AwsReadStaticCredsNameResponse

type AwsReadStaticRolesNameResponse ¶ added in v0.4.0 

type AwsReadStaticRolesNameResponse struct {
	// The name of this role.
	Name string `json:"name,omitempty"`

	// Period by which to rotate the backing credential of the adopted user. This can be a Go duration (e.g, '1m', 24h'), or an integer number of seconds.
	RotationPeriod string `json:"rotation_period,omitempty"`

	// The IAM user to adopt as a static role.
	Username string `json:"username,omitempty"`
}

AwsReadStaticRolesNameResponse struct for AwsReadStaticRolesNameResponse

type AwsTidyIdentityAccessListRequest ¶ added in v0.3.0 

type AwsTidyIdentityAccessListRequest struct {
	// The amount of extra time that must have passed beyond the identity's expiration, before it is removed from the backend storage.
	SafetyBuffer string `json:"safety_buffer,omitempty"`
}

AwsTidyIdentityAccessListRequest struct for AwsTidyIdentityAccessListRequest

type AwsTidyIdentityWhitelistRequest ¶ added in v0.3.0 

type AwsTidyIdentityWhitelistRequest struct {
	// The amount of extra time that must have passed beyond the identity's expiration, before it is removed from the backend storage.
	SafetyBuffer string `json:"safety_buffer,omitempty"`
}

AwsTidyIdentityWhitelistRequest struct for AwsTidyIdentityWhitelistRequest

type AwsTidyRoleTagBlacklistRequest ¶ added in v0.3.0 

type AwsTidyRoleTagBlacklistRequest struct {
	// The amount of extra time that must have passed beyond the roletag expiration, before it is removed from the backend storage.
	SafetyBuffer string `json:"safety_buffer,omitempty"`
}

AwsTidyRoleTagBlacklistRequest struct for AwsTidyRoleTagBlacklistRequest

type AwsTidyRoleTagDenyListRequest ¶ added in v0.3.0 

type AwsTidyRoleTagDenyListRequest struct {
	// The amount of extra time that must have passed beyond the roletag expiration, before it is removed from the backend storage.
	SafetyBuffer string `json:"safety_buffer,omitempty"`
}

AwsTidyRoleTagDenyListRequest struct for AwsTidyRoleTagDenyListRequest

type AwsWriteAuthRoleRequest ¶ added in v0.3.0 

type AwsWriteAuthRoleRequest struct {
	// If set, allows migration of the underlying instance where the client resides. This keys off of pendingTime in the metadata document, so essentially, this disables the client nonce check whenever the instance is migrated to a new host and pendingTime is newer than the previously-remembered time. Use with caution. This is only checked when auth_type is ec2.
	AllowInstanceMigration bool `json:"allow_instance_migration,omitempty"`

	// The auth_type permitted to authenticate to this role. Must be one of iam or ec2 and cannot be changed after role creation.
	AuthType string `json:"auth_type,omitempty"`

	// If set, defines a constraint on the EC2 instances that the account ID in its identity document to match one of the IDs specified by this parameter. This is only applicable when auth_type is ec2 or inferred_entity_type is ec2_instance.
	BoundAccountId []string `json:"bound_account_id,omitempty"`

	// If set, defines a constraint on the EC2 instances that they should be using one of the AMI IDs specified by this parameter. This is only applicable when auth_type is ec2 or inferred_entity_type is ec2_instance.
	BoundAmiId []string `json:"bound_ami_id,omitempty"`

	// If set, defines a constraint on the EC2 instances to have one of the given instance IDs. Can be a list or comma-separated string of EC2 instance IDs. This is only applicable when auth_type is ec2 or inferred_entity_type is ec2_instance.
	BoundEc2InstanceId []string `json:"bound_ec2_instance_id,omitempty"`

	// If set, defines a constraint on the EC2 instances to be associated with an IAM instance profile ARN which has a prefix that matches one of the values specified by this parameter. The value is prefix-matched (as though it were a glob ending in '*'). This is only applicable when auth_type is ec2 or inferred_entity_type is ec2_instance.
	BoundIamInstanceProfileArn []string `json:"bound_iam_instance_profile_arn,omitempty"`

	// ARN of the IAM principals to bind to this role. Only applicable when auth_type is iam.
	BoundIamPrincipalArn []string `json:"bound_iam_principal_arn,omitempty"`

	// If set, defines a constraint on the authenticating EC2 instance that it must match one of the IAM role ARNs specified by this parameter. The value is prefix-matched (as though it were a glob ending in '*'). The configured IAM user or EC2 instance role must be allowed to execute the 'iam:GetInstanceProfile' action if this is specified. This is only applicable when auth_type is ec2 or inferred_entity_type is ec2_instance.
	BoundIamRoleArn []string `json:"bound_iam_role_arn,omitempty"`

	// If set, defines a constraint on the EC2 instances that the region in its identity document match one of the regions specified by this parameter. This is only applicable when auth_type is ec2.
	BoundRegion []string `json:"bound_region,omitempty"`

	// If set, defines a constraint on the EC2 instance to be associated with the subnet ID that matches one of the values specified by this parameter. This is only applicable when auth_type is ec2 or inferred_entity_type is ec2_instance.
	BoundSubnetId []string `json:"bound_subnet_id,omitempty"`

	// If set, defines a constraint on the EC2 instance to be associated with a VPC ID that matches one of the value specified by this parameter. This is only applicable when auth_type is ec2 or inferred_entity_type is ec2_instance.
	BoundVpcId []string `json:"bound_vpc_id,omitempty"`

	// If set, only allows a single token to be granted per instance ID. In order to perform a fresh login, the entry in the access list for the instance ID needs to be cleared using 'auth/aws-ec2/identity-accesslist/<instance_id>' endpoint. This is only applicable when auth_type is ec2.
	DisallowReauthentication bool `json:"disallow_reauthentication,omitempty"`

	// When auth_type is iam and inferred_entity_type is set, the region to assume the inferred entity exists in.
	InferredAwsRegion string `json:"inferred_aws_region,omitempty"`

	// When auth_type is iam, the AWS entity type to infer from the authenticated principal. The only supported value is ec2_instance, which will extract the EC2 instance ID from the authenticated role and apply the following restrictions specific to EC2 instances: bound_ami_id, bound_account_id, bound_iam_role_arn, bound_iam_instance_profile_arn, bound_vpc_id, bound_subnet_id. The configured EC2 client must be able to find the inferred instance ID in the results, and the instance must be running. If unable to determine the EC2 instance ID or unable to find the EC2 instance ID among running instances, then authentication will fail.
	InferredEntityType string `json:"inferred_entity_type,omitempty"`

	// Use \"token_max_ttl\" instead. If this and \"token_max_ttl\" are both specified, only \"token_max_ttl\" will be used.
	// Deprecated
	MaxTtl string `json:"max_ttl,omitempty"`

	// Use \"token_period\" instead. If this and \"token_period\" are both specified, only \"token_period\" will be used.
	// Deprecated
	Period string `json:"period,omitempty"`

	// Use \"token_policies\" instead. If this and \"token_policies\" are both specified, only \"token_policies\" will be used.
	// Deprecated
	Policies []string `json:"policies,omitempty"`

	// If set, resolve all AWS IAM ARNs into AWS's internal unique IDs. When an IAM entity (e.g., user, role, or instance profile) is deleted, then all references to it within the role will be invalidated, which prevents a new IAM entity from being created with the same name and matching the role's IAM binds. Once set, this cannot be unset.
	ResolveAwsUniqueIds bool `json:"resolve_aws_unique_ids,omitempty"`

	// If set, enables the role tags for this role. The value set for this field should be the 'key' of the tag on the EC2 instance. The 'value' of the tag should be generated using 'role/<role>/tag' endpoint. Defaults to an empty string, meaning that role tags are disabled. This is only allowed if auth_type is ec2.
	RoleTag string `json:"role_tag,omitempty"`

	// Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.
	TokenBoundCidrs []string `json:"token_bound_cidrs,omitempty"`

	// If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.
	TokenExplicitMaxTtl string `json:"token_explicit_max_ttl,omitempty"`

	// The maximum lifetime of the generated token
	TokenMaxTtl string `json:"token_max_ttl,omitempty"`

	// If true, the 'default' policy will not automatically be added to generated tokens
	TokenNoDefaultPolicy bool `json:"token_no_default_policy,omitempty"`

	// The maximum number of times a token may be used, a value of zero means unlimited
	TokenNumUses int32 `json:"token_num_uses,omitempty"`

	// If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").
	TokenPeriod string `json:"token_period,omitempty"`

	// Comma-separated list of policies
	TokenPolicies []string `json:"token_policies,omitempty"`

	// The initial ttl of the token to generate
	TokenTtl string `json:"token_ttl,omitempty"`

	// The type of token to generate, service or batch
	TokenType string `json:"token_type,omitempty"`

	// Use \"token_ttl\" instead. If this and \"token_ttl\" are both specified, only \"token_ttl\" will be used.
	// Deprecated
	Ttl string `json:"ttl,omitempty"`
}

AwsWriteAuthRoleRequest struct for AwsWriteAuthRoleRequest

type AwsWriteRoleRequest ¶ added in v0.3.0 

type AwsWriteRoleRequest struct {
	// Use role_arns or policy_arns instead.
	// Deprecated
	Arn string `json:"arn,omitempty"`

	// Type of credential to retrieve. Must be one of assumed_role, iam_user, or federation_token
	CredentialType string `json:"credential_type,omitempty"`

	// Default TTL for assumed_role and federation_token credential types when no TTL is explicitly requested with the credentials
	DefaultStsTtl string `json:"default_sts_ttl,omitempty"`

	// Names of IAM groups that generated IAM users will be added to. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.
	IamGroups []string `json:"iam_groups,omitempty"`

	// IAM tags to be set for any users created by this role. These must be presented as Key-Value pairs. This can be represented as a map or a list of equal sign delimited key pairs.
	IamTags map[string]interface{} `json:"iam_tags,omitempty"`

	// Max allowed TTL for assumed_role and federation_token credential types
	MaxStsTtl string `json:"max_sts_ttl,omitempty"`

	// ARN of an IAM policy to attach as a permissions boundary on IAM user credentials; only valid when credential_type isiam_user
	PermissionsBoundaryArn string `json:"permissions_boundary_arn,omitempty"`

	// Use policy_document instead.
	// Deprecated
	Policy string `json:"policy,omitempty"`

	// ARNs of AWS policies. Behavior varies by credential_type. When credential_type is iam_user, then it will attach the specified policies to the generated IAM user. When credential_type is assumed_role or federation_token, the policies will be passed as the PolicyArns parameter, acting as a filter on permissions available.
	PolicyArns []string `json:"policy_arns,omitempty"`

	// JSON-encoded IAM policy document. Behavior varies by credential_type. When credential_type is iam_user, then it will attach the contents of the policy_document to the IAM user generated. When credential_type is assumed_role or federation_token, this will be passed in as the Policy parameter to the AssumeRole or GetFederationToken API call, acting as a filter on permissions available.
	PolicyDocument string `json:"policy_document,omitempty"`

	// ARNs of AWS roles allowed to be assumed. Only valid when credential_type is assumed_role
	RoleArns []string `json:"role_arns,omitempty"`

	// Path for IAM User. Only valid when credential_type is iam_user
	UserPath string `json:"user_path,omitempty"`
}

AwsWriteRoleRequest struct for AwsWriteRoleRequest

type AwsWriteRoleTagRequest ¶ added in v0.3.0 

type AwsWriteRoleTagRequest struct {
	// If set, allows migration of the underlying instance where the client resides. This keys off of pendingTime in the metadata document, so essentially, this disables the client nonce check whenever the instance is migrated to a new host and pendingTime is newer than the previously-remembered time. Use with caution.
	AllowInstanceMigration bool `json:"allow_instance_migration,omitempty"`

	// If set, only allows a single token to be granted per instance ID. In order to perform a fresh login, the entry in access list for the instance ID needs to be cleared using the 'auth/aws-ec2/identity-accesslist/<instance_id>' endpoint.
	DisallowReauthentication bool `json:"disallow_reauthentication,omitempty"`

	// Instance ID for which this tag is intended for. If set, the created tag can only be used by the instance with the given ID.
	InstanceId string `json:"instance_id,omitempty"`

	// If set, specifies the maximum allowed token lifetime.
	MaxTtl string `json:"max_ttl,omitempty"`

	// Policies to be associated with the tag. If set, must be a subset of the role's policies. If set, but set to an empty value, only the 'default' policy will be given to issued tokens.
	Policies []string `json:"policies,omitempty"`
}

AwsWriteRoleTagRequest struct for AwsWriteRoleTagRequest

type AwsWriteStaticRolesNameRequest ¶ added in v0.4.0 

type AwsWriteStaticRolesNameRequest struct {
	// Period by which to rotate the backing credential of the adopted user. This can be a Go duration (e.g, '1m', 24h'), or an integer number of seconds.
	RotationPeriod string `json:"rotation_period,omitempty"`

	// The IAM user to adopt as a static role.
	Username string `json:"username,omitempty"`
}

AwsWriteStaticRolesNameRequest struct for AwsWriteStaticRolesNameRequest

type AwsWriteStaticRolesNameResponse ¶ added in v0.4.0 

type AwsWriteStaticRolesNameResponse struct {
	// The name of this role.
	Name string `json:"name,omitempty"`

	// Period by which to rotate the backing credential of the adopted user. This can be a Go duration (e.g, '1m', 24h'), or an integer number of seconds.
	RotationPeriod string `json:"rotation_period,omitempty"`

	// The IAM user to adopt as a static role.
	Username string `json:"username,omitempty"`
}

AwsWriteStaticRolesNameResponse struct for AwsWriteStaticRolesNameResponse

type AwsWriteStsRoleRequest ¶ added in v0.3.0 

type AwsWriteStsRoleRequest struct {
	// AWS ARN for STS role to be assumed when interacting with the account specified. The Vault server must have permissions to assume this role.
	StsRole string `json:"sts_role,omitempty"`
}

AwsWriteStsRoleRequest struct for AwsWriteStsRoleRequest

type AzureConfigureAuthRequest ¶ added in v0.3.0 

type AzureConfigureAuthRequest struct {
	// The OAuth2 client id to connection to Azure. This value can also be provided with the AZURE_CLIENT_ID environment variable.
	ClientId string `json:"client_id,omitempty"`

	// The OAuth2 client secret to connection to Azure. This value can also be provided with the AZURE_CLIENT_SECRET environment variable.
	ClientSecret string `json:"client_secret,omitempty"`

	// The Azure environment name. If not provided, AzurePublicCloud is used. This value can also be provided with the AZURE_ENVIRONMENT environment variable.
	Environment string `json:"environment,omitempty"`

	// The resource URL for the vault application in Azure Active Directory. This value can also be provided with the AZURE_AD_RESOURCE environment variable.
	Resource string `json:"resource,omitempty"`

	// The TTL of the root password in Azure. This can be either a number of seconds or a time formatted duration (ex: 24h, 48ds)
	RootPasswordTtl string `json:"root_password_ttl,omitempty"`

	// The tenant id for the Azure Active Directory. This is sometimes referred to as Directory ID in AD. This value can also be provided with the AZURE_TENANT_ID environment variable.
	TenantId string `json:"tenant_id,omitempty"`
}

AzureConfigureAuthRequest struct for AzureConfigureAuthRequest

type AzureConfigureRequest ¶ added in v0.3.0 

type AzureConfigureRequest struct {
	// The OAuth2 client id to connect to Azure. This value can also be provided with the AZURE_CLIENT_ID environment variable.
	ClientId string `json:"client_id,omitempty"`

	// The OAuth2 client secret to connect to Azure. This value can also be provided with the AZURE_CLIENT_SECRET environment variable.
	ClientSecret string `json:"client_secret,omitempty"`

	// The Azure environment name. If not provided, AzurePublicCloud is used. This value can also be provided with the AZURE_ENVIRONMENT environment variable.
	Environment string `json:"environment,omitempty"`

	// Name of the password policy to use to generate passwords for dynamic credentials.
	PasswordPolicy string `json:"password_policy,omitempty"`

	// The TTL of the root password in Azure. This can be either a number of seconds or a time formatted duration (ex: 24h, 48ds)
	RootPasswordTtl string `json:"root_password_ttl,omitempty"`

	// The subscription id for the Azure Active Directory. This value can also be provided with the AZURE_SUBSCRIPTION_ID environment variable.
	SubscriptionId string `json:"subscription_id,omitempty"`

	// The tenant id for the Azure Active Directory. This value can also be provided with the AZURE_TENANT_ID environment variable.
	TenantId string `json:"tenant_id,omitempty"`
}

AzureConfigureRequest struct for AzureConfigureRequest

type AzureLoginRequest ¶ 

type AzureLoginRequest struct {
	// A signed JWT
	Jwt string `json:"jwt,omitempty"`

	// The resource group from the instance.
	ResourceGroupName string `json:"resource_group_name,omitempty"`

	// The fully qualified ID of the resource, includingthe resource name and resource type. Use the format, /subscriptions/{guid}/resourceGroups/{resource-group-name}/{resource-provider-namespace}/{resource-type}/{resource-name}. This value is ignored if vm_name or vmss_name is specified.
	ResourceId string `json:"resource_id,omitempty"`

	// The token role.
	Role string `json:"role,omitempty"`

	// The subscription id for the instance.
	SubscriptionId string `json:"subscription_id,omitempty"`

	// The name of the virtual machine. This value is ignored if vmss_name is specified.
	VmName string `json:"vm_name,omitempty"`

	// The name of the virtual machine scale set the instance is in.
	VmssName string `json:"vmss_name,omitempty"`
}

AzureLoginRequest struct for AzureLoginRequest

type AzureWriteAuthRoleRequest ¶ 

type AzureWriteAuthRoleRequest struct {
	// Comma-separated list of group ids that login is restricted to.
	BoundGroupIds []string `json:"bound_group_ids,omitempty"`

	// Comma-separated list of locations that login is restricted to.
	BoundLocations []string `json:"bound_locations,omitempty"`

	// Comma-separated list of resource groups that login is restricted to.
	BoundResourceGroups []string `json:"bound_resource_groups,omitempty"`

	// Comma-separated list of scale sets that login is restricted to.
	BoundScaleSets []string `json:"bound_scale_sets,omitempty"`

	// Comma-separated list of service principal ids that login is restricted to.
	BoundServicePrincipalIds []string `json:"bound_service_principal_ids,omitempty"`

	// Comma-separated list of subscription ids that login is restricted to.
	BoundSubscriptionIds []string `json:"bound_subscription_ids,omitempty"`

	// Use \"token_max_ttl\" instead. If this and \"token_max_ttl\" are both specified, only \"token_max_ttl\" will be used.
	// Deprecated
	MaxTtl string `json:"max_ttl,omitempty"`

	// Use \"token_num_uses\" instead. If this and \"token_num_uses\" are both specified, only \"token_num_uses\" will be used.
	// Deprecated
	NumUses int32 `json:"num_uses,omitempty"`

	// Use \"token_period\" instead. If this and \"token_period\" are both specified, only \"token_period\" will be used.
	// Deprecated
	Period string `json:"period,omitempty"`

	// Use \"token_policies\" instead. If this and \"token_policies\" are both specified, only \"token_policies\" will be used.
	// Deprecated
	Policies []string `json:"policies,omitempty"`

	// Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.
	TokenBoundCidrs []string `json:"token_bound_cidrs,omitempty"`

	// If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.
	TokenExplicitMaxTtl string `json:"token_explicit_max_ttl,omitempty"`

	// The maximum lifetime of the generated token
	TokenMaxTtl string `json:"token_max_ttl,omitempty"`

	// If true, the 'default' policy will not automatically be added to generated tokens
	TokenNoDefaultPolicy bool `json:"token_no_default_policy,omitempty"`

	// The maximum number of times a token may be used, a value of zero means unlimited
	TokenNumUses int32 `json:"token_num_uses,omitempty"`

	// If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").
	TokenPeriod string `json:"token_period,omitempty"`

	// Comma-separated list of policies
	TokenPolicies []string `json:"token_policies,omitempty"`

	// The initial ttl of the token to generate
	TokenTtl string `json:"token_ttl,omitempty"`

	// The type of token to generate, service or batch
	TokenType string `json:"token_type,omitempty"`

	// Use \"token_ttl\" instead. If this and \"token_ttl\" are both specified, only \"token_ttl\" will be used.
	// Deprecated
	Ttl string `json:"ttl,omitempty"`
}

AzureWriteAuthRoleRequest struct for AzureWriteAuthRoleRequest

type AzureWriteRoleRequest ¶ 

type AzureWriteRoleRequest struct {
	// Application Object ID to use for static service principal credentials.
	ApplicationObjectId string `json:"application_object_id,omitempty"`

	// JSON list of Azure groups to add the service principal to.
	AzureGroups string `json:"azure_groups,omitempty"`

	// JSON list of Azure roles to assign.
	AzureRoles string `json:"azure_roles,omitempty"`

	// Maximum time a service principal. If not set or set to 0, will use system default.
	MaxTtl string `json:"max_ttl,omitempty"`

	// Indicates whether new application objects should be permanently deleted. If not set, objects will not be permanently deleted.
	PermanentlyDelete bool `json:"permanently_delete,omitempty"`

	// Persist the app between generated credentials. Useful if the app needs to maintain owner ship of resources it creates
	PersistApp bool `json:"persist_app,omitempty"`

	// Default lease for generated credentials. If not set or set to 0, will use system default.
	Ttl string `json:"ttl,omitempty"`
}

AzureWriteRoleRequest struct for AzureWriteRoleRequest

type CentrifyConfigureRequest ¶ added in v0.3.0 

type CentrifyConfigureRequest struct {
	// OAuth2 App ID
	AppId string `json:"app_id,omitempty"`

	// OAuth2 Client ID
	ClientId string `json:"client_id,omitempty"`

	// OAuth2 Client Secret
	ClientSecret string `json:"client_secret,omitempty"`

	// Use \"token_policies\" instead. If this and \"token_policies\" are both specified, only \"token_policies\" will be used.
	// Deprecated
	Policies []string `json:"policies,omitempty"`

	// OAuth2 App Scope
	Scope string `json:"scope,omitempty"`

	// Service URL (https://<tenant>.my.centrify.com)
	ServiceUrl string `json:"service_url,omitempty"`

	// Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.
	TokenBoundCidrs []string `json:"token_bound_cidrs,omitempty"`

	// If true, the 'default' policy will not automatically be added to generated tokens
	TokenNoDefaultPolicy bool `json:"token_no_default_policy,omitempty"`

	// The maximum number of times a token may be used, a value of zero means unlimited
	TokenNumUses int32 `json:"token_num_uses,omitempty"`

	// Comma-separated list of policies
	TokenPolicies []string `json:"token_policies,omitempty"`

	// The initial ttl of the token to generate
	TokenTtl string `json:"token_ttl,omitempty"`

	// The type of token to generate, service or batch
	TokenType string `json:"token_type,omitempty"`
}

CentrifyConfigureRequest struct for CentrifyConfigureRequest

type CentrifyLoginRequest ¶ 

type CentrifyLoginRequest struct {
	// Auth mode ('ro' for resource owner, 'cc' for credential client).
	Mode string `json:"mode,omitempty"`

	// Password for this user.
	Password string `json:"password,omitempty"`

	// Username of the user.
	Username string `json:"username,omitempty"`
}

CentrifyLoginRequest struct for CentrifyLoginRequest

type CertConfigureRequest ¶ added in v0.3.0 

type CertConfigureRequest struct {
	// If set, during renewal, skips the matching of presented client identity with the client identity used during login. Defaults to false.
	DisableBinding bool `json:"disable_binding,omitempty"`

	// If set, metadata of the certificate including the metadata corresponding to allowed_metadata_extensions will be stored in the alias. Defaults to false.
	EnableIdentityAliasMetadata bool `json:"enable_identity_alias_metadata,omitempty"`

	// The size of the in memory OCSP response cache, shared by all configured certs
	OcspCacheSize int32 `json:"ocsp_cache_size,omitempty"`
}

CertConfigureRequest struct for CertConfigureRequest

type CertLoginRequest ¶ added in v0.3.0 

type CertLoginRequest struct {
	// The name of the certificate role to authenticate against.
	Name string `json:"name,omitempty"`
}

CertLoginRequest struct for CertLoginRequest

type CertWriteCertificateRequest ¶ added in v0.3.0 

type CertWriteCertificateRequest struct {
	// A comma-separated list of names. At least one must exist in the Common Name. Supports globbing.
	AllowedCommonNames []string `json:"allowed_common_names,omitempty"`

	// A comma-separated list of DNS names. At least one must exist in the SANs. Supports globbing.
	AllowedDnsSans []string `json:"allowed_dns_sans,omitempty"`

	// A comma-separated list of Email Addresses. At least one must exist in the SANs. Supports globbing.
	AllowedEmailSans []string `json:"allowed_email_sans,omitempty"`

	// A comma-separated string or array of oid extensions. Upon successful authentication, these extensions will be added as metadata if they are present in the certificate. The metadata key will be the string consisting of the oid numbers separated by a dash (-) instead of a dot (.) to allow usage in ACL templates.
	AllowedMetadataExtensions []string `json:"allowed_metadata_extensions,omitempty"`

	// A comma-separated list of names. At least one must exist in either the Common Name or SANs. Supports globbing. This parameter is deprecated, please use allowed_common_names, allowed_dns_sans, allowed_email_sans, allowed_uri_sans.
	AllowedNames []string `json:"allowed_names,omitempty"`

	// A comma-separated list of Organizational Units names. At least one must exist in the OU field.
	AllowedOrganizationalUnits []string `json:"allowed_organizational_units,omitempty"`

	// A comma-separated list of URIs. At least one must exist in the SANs. Supports globbing.
	AllowedUriSans []string `json:"allowed_uri_sans,omitempty"`

	// Use \"token_bound_cidrs\" instead. If this and \"token_bound_cidrs\" are both specified, only \"token_bound_cidrs\" will be used.
	// Deprecated
	BoundCidrs []string `json:"bound_cidrs,omitempty"`

	// The public certificate that should be trusted. Must be x509 PEM encoded.
	Certificate string `json:"certificate,omitempty"`

	// The display name to use for clients using this certificate.
	DisplayName string `json:"display_name,omitempty"`

	// Use \"token_ttl\" instead. If this and \"token_ttl\" are both specified, only \"token_ttl\" will be used.
	// Deprecated
	Lease int32 `json:"lease,omitempty"`

	// Use \"token_max_ttl\" instead. If this and \"token_max_ttl\" are both specified, only \"token_max_ttl\" will be used.
	// Deprecated
	MaxTtl string `json:"max_ttl,omitempty"`

	// Any additional CA certificates needed to communicate with OCSP servers
	OcspCaCertificates string `json:"ocsp_ca_certificates,omitempty"`

	// Whether to attempt OCSP verification of certificates at login
	OcspEnabled bool `json:"ocsp_enabled,omitempty"`

	// If set to true, if an OCSP revocation cannot be made successfully, login will proceed rather than failing. If false, failing to get an OCSP status fails the request.
	OcspFailOpen bool `json:"ocsp_fail_open,omitempty"`

	// If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree.
	OcspQueryAllServers bool `json:"ocsp_query_all_servers,omitempty"`

	// A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected.
	OcspServersOverride []string `json:"ocsp_servers_override,omitempty"`

	// Use \"token_period\" instead. If this and \"token_period\" are both specified, only \"token_period\" will be used.
	// Deprecated
	Period string `json:"period,omitempty"`

	// Use \"token_policies\" instead. If this and \"token_policies\" are both specified, only \"token_policies\" will be used.
	// Deprecated
	Policies []string `json:"policies,omitempty"`

	// A comma-separated string or array of extensions formatted as \"oid:value\". Expects the extension value to be some type of ASN1 encoded string. All values much match. Supports globbing on \"value\".
	RequiredExtensions []string `json:"required_extensions,omitempty"`

	// Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.
	TokenBoundCidrs []string `json:"token_bound_cidrs,omitempty"`

	// If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.
	TokenExplicitMaxTtl string `json:"token_explicit_max_ttl,omitempty"`

	// The maximum lifetime of the generated token
	TokenMaxTtl string `json:"token_max_ttl,omitempty"`

	// If true, the 'default' policy will not automatically be added to generated tokens
	TokenNoDefaultPolicy bool `json:"token_no_default_policy,omitempty"`

	// The maximum number of times a token may be used, a value of zero means unlimited
	TokenNumUses int32 `json:"token_num_uses,omitempty"`

	// If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").
	TokenPeriod string `json:"token_period,omitempty"`

	// Comma-separated list of policies
	TokenPolicies []string `json:"token_policies,omitempty"`

	// The initial ttl of the token to generate
	TokenTtl string `json:"token_ttl,omitempty"`

	// The type of token to generate, service or batch
	TokenType string `json:"token_type,omitempty"`

	// Use \"token_ttl\" instead. If this and \"token_ttl\" are both specified, only \"token_ttl\" will be used.
	// Deprecated
	Ttl string `json:"ttl,omitempty"`
}

CertWriteCertificateRequest struct for CertWriteCertificateRequest

type CertWriteCrlRequest ¶ added in v0.3.0 

type CertWriteCrlRequest struct {
	// The public CRL that should be trusted to attest to certificates' validity statuses. May be DER or PEM encoded. Note: the expiration time is ignored; if the CRL is no longer valid, delete it using the same name as specified here.
	Crl string `json:"crl,omitempty"`

	// The URL of a CRL distribution point. Only one of 'crl' or 'url' parameters should be specified.
	Url string `json:"url,omitempty"`
}

CertWriteCrlRequest struct for CertWriteCrlRequest

type CloudFoundryConfigureRequest ¶ added in v0.3.0 

type CloudFoundryConfigureRequest struct {
	// CF’s API address.
	CfApiAddr string `json:"cf_api_addr,omitempty"`

	// The PEM-format certificates that are presented for mutual TLS with the CloudFoundry API. If not set, mutual TLS is not used
	CfApiMutualTlsCertificate string `json:"cf_api_mutual_tls_certificate,omitempty"`

	// The PEM-format private key that are used for mutual TLS with the CloudFoundry API. If not set, mutual TLS is not used
	CfApiMutualTlsKey string `json:"cf_api_mutual_tls_key,omitempty"`

	// The PEM-format CA certificates that are acceptable for the CF API to present.
	CfApiTrustedCertificates []string `json:"cf_api_trusted_certificates,omitempty"`

	// The client id for CF’s API.
	CfClientId string `json:"cf_client_id,omitempty"`

	// The client secret for CF’s API.
	CfClientSecret string `json:"cf_client_secret,omitempty"`

	// The password for CF’s API.
	CfPassword string `json:"cf_password,omitempty"`

	// The username for CF’s API.
	CfUsername string `json:"cf_username,omitempty"`

	// The PEM-format CA certificates that are required to have issued the instance certificates presented for logging in.
	IdentityCaCertificates []string `json:"identity_ca_certificates,omitempty"`

	// Duration in seconds for the maximum acceptable length in the future a \"signing_time\" can be. Useful for clock drift. Set low to reduce the opportunity for replay attacks.
	LoginMaxSecondsNotAfter int32 `json:"login_max_seconds_not_after,omitempty"`

	// Duration in seconds for the maximum acceptable age of a \"signing_time\". Useful for clock drift. Set low to reduce the opportunity for replay attacks.
	LoginMaxSecondsNotBefore string `json:"login_max_seconds_not_before,omitempty"`

	// Deprecated. Please use \"cf_api_addr\".
	// Deprecated
	PcfApiAddr string `json:"pcf_api_addr,omitempty"`

	// Deprecated. Please use \"cf_api_trusted_certificates\".
	// Deprecated
	PcfApiTrustedCertificates []string `json:"pcf_api_trusted_certificates,omitempty"`

	// Deprecated. Please use \"cf_password\".
	// Deprecated
	PcfPassword string `json:"pcf_password,omitempty"`

	// Deprecated. Please use \"cf_username\".
	// Deprecated
	PcfUsername string `json:"pcf_username,omitempty"`
}

CloudFoundryConfigureRequest struct for CloudFoundryConfigureRequest

type CloudFoundryLoginRequest ¶ 

type CloudFoundryLoginRequest struct {
	// The full body of the file available at the CF_INSTANCE_CERT path on the CF instance.
	CfInstanceCert string `json:"cf_instance_cert"`

	// The name of the role to authenticate against.
	Role string `json:"role"`

	// The signature generated by the client certificate's private key.
	Signature string `json:"signature"`

	// The date and time used to construct the signature.
	SigningTime string `json:"signing_time"`
}

CloudFoundryLoginRequest struct for CloudFoundryLoginRequest

type CloudFoundryWriteRoleRequest ¶ 

type CloudFoundryWriteRoleRequest struct {
	// Require that the client certificate presented has at least one of these app IDs.
	BoundApplicationIds []string `json:"bound_application_ids,omitempty"`

	// Use \"token_bound_cidrs\" instead. If this and \"token_bound_cidrs\" are both specified, only \"token_bound_cidrs\" will be used.
	// Deprecated
	BoundCidrs []string `json:"bound_cidrs,omitempty"`

	// Require that the client certificate presented has at least one of these instance IDs.
	BoundInstanceIds []string `json:"bound_instance_ids,omitempty"`

	// Require that the client certificate presented has at least one of these org IDs.
	BoundOrganizationIds []string `json:"bound_organization_ids,omitempty"`

	// Require that the client certificate presented has at least one of these space IDs.
	BoundSpaceIds []string `json:"bound_space_ids,omitempty"`

	// If set to true, disables the default behavior that logging in must be performed from an acceptable IP address described by the certificate presented.
	DisableIpMatching bool `json:"disable_ip_matching,omitempty"`

	// Use \"token_max_ttl\" instead. If this and \"token_max_ttl\" are both specified, only \"token_max_ttl\" will be used.
	// Deprecated
	MaxTtl string `json:"max_ttl,omitempty"`

	// Use \"token_period\" instead. If this and \"token_period\" are both specified, only \"token_period\" will be used.
	// Deprecated
	Period string `json:"period,omitempty"`

	// Use \"token_policies\" instead. If this and \"token_policies\" are both specified, only \"token_policies\" will be used.
	// Deprecated
	Policies []string `json:"policies,omitempty"`

	// Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.
	TokenBoundCidrs []string `json:"token_bound_cidrs,omitempty"`

	// If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.
	TokenExplicitMaxTtl string `json:"token_explicit_max_ttl,omitempty"`

	// The maximum lifetime of the generated token
	TokenMaxTtl string `json:"token_max_ttl,omitempty"`

	// If true, the 'default' policy will not automatically be added to generated tokens
	TokenNoDefaultPolicy bool `json:"token_no_default_policy,omitempty"`

	// The maximum number of times a token may be used, a value of zero means unlimited
	TokenNumUses int32 `json:"token_num_uses,omitempty"`

	// If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").
	TokenPeriod string `json:"token_period,omitempty"`

	// Comma-separated list of policies
	TokenPolicies []string `json:"token_policies,omitempty"`

	// The initial ttl of the token to generate
	TokenTtl string `json:"token_ttl,omitempty"`

	// The type of token to generate, service or batch
	TokenType string `json:"token_type,omitempty"`

	// Use \"token_ttl\" instead. If this and \"token_ttl\" are both specified, only \"token_ttl\" will be used.
	// Deprecated
	Ttl string `json:"ttl,omitempty"`
}

CloudFoundryWriteRoleRequest struct for CloudFoundryWriteRoleRequest

type CollectHostInformationResponse ¶ added in v0.3.0 

type CollectHostInformationResponse struct {
	Cpu []map[string]interface{} `json:"cpu,omitempty"`

	CpuTimes []map[string]interface{} `json:"cpu_times,omitempty"`

	Disk []map[string]interface{} `json:"disk,omitempty"`

	Host map[string]interface{} `json:"host,omitempty"`

	Memory map[string]interface{} `json:"memory,omitempty"`

	Timestamp time.Time `json:"timestamp,omitempty"`
}

CollectHostInformationResponse struct for CollectHostInformationResponse

type ConsulConfigureAccessRequest ¶ added in v0.3.0 

type ConsulConfigureAccessRequest struct {
	// Consul server address
	Address string `json:"address,omitempty"`

	// CA certificate to use when verifying Consul server certificate, must be x509 PEM encoded.
	CaCert string `json:"ca_cert,omitempty"`

	// Client certificate used for Consul's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_key.
	ClientCert string `json:"client_cert,omitempty"`

	// Client key used for Consul's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert.
	ClientKey string `json:"client_key,omitempty"`

	// URI scheme for the Consul address
	Scheme string `json:"scheme,omitempty"`

	// Token for API calls
	Token string `json:"token,omitempty"`
}

ConsulConfigureAccessRequest struct for ConsulConfigureAccessRequest

type ConsulWriteRoleRequest ¶ 

type ConsulWriteRoleRequest struct {
	// Indicates which namespace that the token will be created within. Defaults to 'default'. Available in Consul 1.7 and above.
	ConsulNamespace string `json:"consul_namespace,omitempty"`

	// List of policies to attach to the token. Either \"consul_policies\" or \"consul_roles\" are required for Consul 1.5 and above, or just \"consul_policies\" if using Consul 1.4.
	ConsulPolicies []string `json:"consul_policies,omitempty"`

	// List of Consul roles to attach to the token. Either \"policies\" or \"consul_roles\" are required for Consul 1.5 and above.
	ConsulRoles []string `json:"consul_roles,omitempty"`

	// Use \"ttl\" instead.
	// Deprecated
	Lease string `json:"lease,omitempty"`

	// Indicates that the token should not be replicated globally and instead be local to the current datacenter. Available in Consul 1.4 and above.
	Local bool `json:"local,omitempty"`

	// Max TTL for the Consul token created from the role.
	MaxTtl string `json:"max_ttl,omitempty"`

	// List of Node Identities to attach to the token. Available in Consul 1.8.1 or above.
	NodeIdentities []string `json:"node_identities,omitempty"`

	// Indicates which admin partition that the token will be created within. Defaults to 'default'. Available in Consul 1.11 and above.
	Partition string `json:"partition,omitempty"`

	// Use \"consul_policies\" instead.
	// Deprecated
	Policies []string `json:"policies,omitempty"`

	// Policy document, base64 encoded. Required for 'client' tokens. Required for Consul pre-1.4.
	// Deprecated
	Policy string `json:"policy,omitempty"`

	// List of Service Identities to attach to the token, separated by semicolons. Available in Consul 1.5 or above.
	ServiceIdentities []string `json:"service_identities,omitempty"`

	// Which type of token to create: 'client' or 'management'. If a 'management' token, the \"policy\", \"policies\", and \"consul_roles\" parameters are not required. Defaults to 'client'.
	// Deprecated
	TokenType string `json:"token_type,omitempty"`

	// TTL for the Consul token created from the role.
	Ttl string `json:"ttl,omitempty"`
}

ConsulWriteRoleRequest struct for ConsulWriteRoleRequest

type CorsConfigureRequest ¶ added in v0.3.0 

type CorsConfigureRequest struct {
	// A comma-separated string or array of strings indicating headers that are allowed on cross-origin requests.
	AllowedHeaders []string `json:"allowed_headers,omitempty"`

	// A comma-separated string or array of strings indicating origins that may make cross-origin requests.
	AllowedOrigins []string `json:"allowed_origins,omitempty"`

	// Enables or disables CORS headers on requests.
	Enable bool `json:"enable,omitempty"`
}

CorsConfigureRequest struct for CorsConfigureRequest

type CorsReadConfigurationResponse ¶ added in v0.3.0 

type CorsReadConfigurationResponse struct {
	AllowedHeaders []string `json:"allowed_headers,omitempty"`

	AllowedOrigins []string `json:"allowed_origins,omitempty"`

	Enabled bool `json:"enabled,omitempty"`
}

CorsReadConfigurationResponse struct for CorsReadConfigurationResponse

type DatabaseConfigureConnectionRequest ¶ added in v0.3.0 

type DatabaseConfigureConnectionRequest struct {
	// Comma separated string or array of the role names allowed to get creds from this database connection. If empty no roles are allowed. If \"*\" all roles are allowed.
	AllowedRoles []string `json:"allowed_roles,omitempty"`

	// Password policy to use when generating passwords.
	PasswordPolicy string `json:"password_policy,omitempty"`

	// The name of a builtin or previously registered plugin known to vault. This endpoint will create an instance of that plugin type.
	PluginName string `json:"plugin_name,omitempty"`

	// The version of the plugin to use.
	PluginVersion string `json:"plugin_version,omitempty"`

	// Specifies the database statements to be executed to rotate the root user's credentials. See the plugin's API page for more information on support and formatting for this parameter.
	RootRotationStatements []string `json:"root_rotation_statements,omitempty"`

	// If true, the connection details are verified by actually connecting to the database. Defaults to true.
	VerifyConnection bool `json:"verify_connection,omitempty"`
}

DatabaseConfigureConnectionRequest struct for DatabaseConfigureConnectionRequest

type DatabaseWriteRoleRequest ¶ 

type DatabaseWriteRoleRequest struct {
	// Specifies the database statements executed to create and configure a user. See the plugin's API page for more information on support and formatting for this parameter.
	CreationStatements []string `json:"creation_statements,omitempty"`

	// The configuration for the given credential_type.
	CredentialConfig map[string]interface{} `json:"credential_config,omitempty"`

	// The type of credential to manage. Options include: 'password', 'rsa_private_key'. Defaults to 'password'.
	CredentialType string `json:"credential_type,omitempty"`

	// Name of the database this role acts on.
	DbName string `json:"db_name,omitempty"`

	// Default ttl for role.
	DefaultTtl string `json:"default_ttl,omitempty"`

	// Maximum time a credential is valid for
	MaxTtl string `json:"max_ttl,omitempty"`

	// Specifies the database statements to be executed to renew a user. Not every plugin type will support this functionality. See the plugin's API page for more information on support and formatting for this parameter.
	RenewStatements []string `json:"renew_statements,omitempty"`

	// Specifies the database statements to be executed to revoke a user. See the plugin's API page for more information on support and formatting for this parameter.
	RevocationStatements []string `json:"revocation_statements,omitempty"`

	// Specifies the database statements to be executed rollback a create operation in the event of an error. Not every plugin type will support this functionality. See the plugin's API page for more information on support and formatting for this parameter.
	RollbackStatements []string `json:"rollback_statements,omitempty"`
}

DatabaseWriteRoleRequest struct for DatabaseWriteRoleRequest

type DatabaseWriteStaticRoleRequest ¶ 

type DatabaseWriteStaticRoleRequest struct {
	// The configuration for the given credential_type.
	CredentialConfig map[string]interface{} `json:"credential_config,omitempty"`

	// The type of credential to manage. Options include: 'password', 'rsa_private_key'. Defaults to 'password'.
	CredentialType string `json:"credential_type,omitempty"`

	// Name of the database this role acts on.
	DbName string `json:"db_name,omitempty"`

	// Period for automatic credential rotation of the given username. Not valid unless used with \"username\". Mutually exclusive with \"rotation_schedule.\"
	RotationPeriod string `json:"rotation_period,omitempty"`

	// Schedule for automatic credential rotation of the given username. Mutually exclusive with \"rotation_period.\"
	RotationSchedule string `json:"rotation_schedule,omitempty"`

	// Specifies the database statements to be executed to rotate the accounts credentials. Not every plugin type will support this functionality. See the plugin's API page for more information on support and formatting for this parameter.
	RotationStatements []string `json:"rotation_statements,omitempty"`

	// The window of time in which rotations are allowed to occur starting from a given \"rotation_schedule\". Requires \"rotation_schedule\" to be specified
	RotationWindow string `json:"rotation_window,omitempty"`

	// Name of the static user account for Vault to manage. Requires \"rotation_period\" to be specified
	Username string `json:"username,omitempty"`
}

DatabaseWriteStaticRoleRequest struct for DatabaseWriteStaticRoleRequest

type DecodeRequest ¶ added in v0.4.0 

type DecodeRequest struct {
	// Specifies the encoded token (result from generate-root).
	EncodedToken string `json:"encoded_token,omitempty"`

	// Specifies the otp code for decode.
	Otp string `json:"otp,omitempty"`
}

DecodeRequest struct for DecodeRequest

type EncryptionKeyConfigureRotationRequest ¶ added in v0.3.0 

type EncryptionKeyConfigureRotationRequest struct {
	// Whether automatic rotation is enabled.
	Enabled bool `json:"enabled,omitempty"`

	// How long after installation of an active key term that the key will be automatically rotated.
	Interval string `json:"interval,omitempty"`

	// The number of encryption operations performed before the barrier key is automatically rotated.
	MaxOperations int64 `json:"max_operations,omitempty"`
}

EncryptionKeyConfigureRotationRequest struct for EncryptionKeyConfigureRotationRequest

type EncryptionKeyReadRotationConfigurationResponse ¶ added in v0.3.0 

type EncryptionKeyReadRotationConfigurationResponse struct {
	Enabled bool `json:"enabled,omitempty"`

	Interval string `json:"interval,omitempty"`

	MaxOperations int64 `json:"max_operations,omitempty"`
}

EncryptionKeyReadRotationConfigurationResponse struct for EncryptionKeyReadRotationConfigurationResponse

type EntityBatchDeleteRequest ¶ 

type EntityBatchDeleteRequest struct {
	// Entity IDs to delete
	EntityIds []string `json:"entity_ids,omitempty"`
}

EntityBatchDeleteRequest struct for EntityBatchDeleteRequest

type EntityCreateAliasRequest ¶ added in v0.3.0 

type EntityCreateAliasRequest struct {
	// Entity ID to which this alias belongs
	CanonicalId string `json:"canonical_id,omitempty"`

	// User provided key-value pairs
	CustomMetadata map[string]interface{} `json:"custom_metadata,omitempty"`

	// Entity ID to which this alias belongs. This field is deprecated, use canonical_id.
	EntityId string `json:"entity_id,omitempty"`

	// ID of the entity alias. If set, updates the corresponding entity alias.
	Id string `json:"id,omitempty"`

	// Mount accessor to which this alias belongs to; unused for a modify
	MountAccessor string `json:"mount_accessor,omitempty"`

	// Name of the alias; unused for a modify
	Name string `json:"name,omitempty"`
}

EntityCreateAliasRequest struct for EntityCreateAliasRequest

type EntityCreateRequest ¶ added in v0.3.0 

type EntityCreateRequest struct {
	// If set true, tokens tied to this identity will not be able to be used (but will not be revoked).
	Disabled bool `json:"disabled,omitempty"`

	// ID of the entity. If set, updates the corresponding existing entity.
	Id string `json:"id,omitempty"`

	// Metadata to be associated with the entity. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault <command> <path> metadata=key1=value1 metadata=key2=value2
	Metadata map[string]interface{} `json:"metadata,omitempty"`

	// Name of the entity
	Name string `json:"name,omitempty"`

	// Policies to be tied to the entity.
	Policies []string `json:"policies,omitempty"`
}

EntityCreateRequest struct for EntityCreateRequest

type EntityLookUpRequest ¶ added in v0.3.0 

type EntityLookUpRequest struct {
	// ID of the alias.
	AliasId string `json:"alias_id,omitempty"`

	// Accessor of the mount to which the alias belongs to. This should be supplied in conjunction with 'alias_name'.
	AliasMountAccessor string `json:"alias_mount_accessor,omitempty"`

	// Name of the alias. This should be supplied in conjunction with 'alias_mount_accessor'.
	AliasName string `json:"alias_name,omitempty"`

	// ID of the entity.
	Id string `json:"id,omitempty"`

	// Name of the entity.
	Name string `json:"name,omitempty"`
}

EntityLookUpRequest struct for EntityLookUpRequest

type EntityMergeRequest ¶ 

type EntityMergeRequest struct {
	// Alias IDs to keep in case of conflicting aliases. Ignored if no conflicting aliases found
	ConflictingAliasIdsToKeep []string `json:"conflicting_alias_ids_to_keep,omitempty"`

	// Setting this will follow the 'mine' strategy for merging MFA secrets. If there are secrets of the same type both in entities that are merged from and in entity into which all others are getting merged, secrets in the destination will be unaltered. If not set, this API will throw an error containing all the conflicts.
	Force bool `json:"force,omitempty"`

	// Entity IDs which need to get merged
	FromEntityIds []string `json:"from_entity_ids,omitempty"`

	// Entity ID into which all the other entities need to get merged
	ToEntityId string `json:"to_entity_id,omitempty"`
}

EntityMergeRequest struct for EntityMergeRequest

type EntityUpdateAliasByIdRequest ¶ added in v0.3.0 

type EntityUpdateAliasByIdRequest struct {
	// Entity ID to which this alias should be tied to
	CanonicalId string `json:"canonical_id,omitempty"`

	// User provided key-value pairs
	CustomMetadata map[string]interface{} `json:"custom_metadata,omitempty"`

	// Entity ID to which this alias belongs to. This field is deprecated, use canonical_id.
	EntityId string `json:"entity_id,omitempty"`

	// (Unused)
	MountAccessor string `json:"mount_accessor,omitempty"`

	// (Unused)
	Name string `json:"name,omitempty"`
}

EntityUpdateAliasByIdRequest struct for EntityUpdateAliasByIdRequest

type EntityUpdateByIdRequest ¶ added in v0.3.0 

type EntityUpdateByIdRequest struct {
	// If set true, tokens tied to this identity will not be able to be used (but will not be revoked).
	Disabled bool `json:"disabled,omitempty"`

	// Metadata to be associated with the entity. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault <command> <path> metadata=key1=value1 metadata=key2=value2
	Metadata map[string]interface{} `json:"metadata,omitempty"`

	// Name of the entity
	Name string `json:"name,omitempty"`

	// Policies to be tied to the entity.
	Policies []string `json:"policies,omitempty"`
}

EntityUpdateByIdRequest struct for EntityUpdateByIdRequest

type EntityUpdateByNameRequest ¶ added in v0.3.0 

type EntityUpdateByNameRequest struct {
	// If set true, tokens tied to this identity will not be able to be used (but will not be revoked).
	Disabled bool `json:"disabled,omitempty"`

	// ID of the entity. If set, updates the corresponding existing entity.
	Id string `json:"id,omitempty"`

	// Metadata to be associated with the entity. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault <command> <path> metadata=key1=value1 metadata=key2=value2
	Metadata map[string]interface{} `json:"metadata,omitempty"`

	// Policies to be tied to the entity.
	Policies []string `json:"policies,omitempty"`
}

EntityUpdateByNameRequest struct for EntityUpdateByNameRequest

type GenerateHashRequest ¶ added in v0.3.0 

type GenerateHashRequest struct {
	// Algorithm to use (POST body parameter). Valid values are: * sha2-224 * sha2-256 * sha2-384 * sha2-512 Defaults to \"sha2-256\".
	Algorithm string `json:"algorithm,omitempty"`

	// Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"hex\".
	Format string `json:"format,omitempty"`

	// The base64-encoded input data
	Input string `json:"input,omitempty"`
}

GenerateHashRequest struct for GenerateHashRequest

type GenerateHashResponse ¶ added in v0.3.0 

type GenerateHashResponse struct {
	Sum string `json:"sum,omitempty"`
}

GenerateHashResponse struct for GenerateHashResponse

type GenerateHashWithAlgorithmRequest ¶ added in v0.3.0 

type GenerateHashWithAlgorithmRequest struct {
	// Algorithm to use (POST body parameter). Valid values are: * sha2-224 * sha2-256 * sha2-384 * sha2-512 Defaults to \"sha2-256\".
	Algorithm string `json:"algorithm,omitempty"`

	// Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"hex\".
	Format string `json:"format,omitempty"`

	// The base64-encoded input data
	Input string `json:"input,omitempty"`
}

GenerateHashWithAlgorithmRequest struct for GenerateHashWithAlgorithmRequest

type GenerateHashWithAlgorithmResponse ¶ added in v0.3.0 

type GenerateHashWithAlgorithmResponse struct {
	Sum string `json:"sum,omitempty"`
}

GenerateHashWithAlgorithmResponse struct for GenerateHashWithAlgorithmResponse

type GenerateRandomRequest ¶ added in v0.3.0 

type GenerateRandomRequest struct {
	// The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).
	Bytes int32 `json:"bytes,omitempty"`

	// Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"base64\".
	Format string `json:"format,omitempty"`
}

GenerateRandomRequest struct for GenerateRandomRequest

type GenerateRandomResponse ¶ added in v0.3.0 

type GenerateRandomResponse struct {
	RandomBytes string `json:"random_bytes,omitempty"`
}

GenerateRandomResponse struct for GenerateRandomResponse

type GenerateRandomWithBytesRequest ¶ added in v0.3.0 

type GenerateRandomWithBytesRequest struct {
	// The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).
	Bytes int32 `json:"bytes,omitempty"`

	// Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"base64\".
	Format string `json:"format,omitempty"`
}

GenerateRandomWithBytesRequest struct for GenerateRandomWithBytesRequest

type GenerateRandomWithBytesResponse ¶ added in v0.3.0 

type GenerateRandomWithBytesResponse struct {
	RandomBytes string `json:"random_bytes,omitempty"`
}

GenerateRandomWithBytesResponse struct for GenerateRandomWithBytesResponse

type GenerateRandomWithSourceAndBytesRequest ¶ added in v0.3.0 

type GenerateRandomWithSourceAndBytesRequest struct {
	// The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).
	Bytes int32 `json:"bytes,omitempty"`

	// Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"base64\".
	Format string `json:"format,omitempty"`
}

GenerateRandomWithSourceAndBytesRequest struct for GenerateRandomWithSourceAndBytesRequest

type GenerateRandomWithSourceAndBytesResponse ¶ added in v0.3.0 

type GenerateRandomWithSourceAndBytesResponse struct {
	RandomBytes string `json:"random_bytes,omitempty"`
}

GenerateRandomWithSourceAndBytesResponse struct for GenerateRandomWithSourceAndBytesResponse

type GenerateRandomWithSourceRequest ¶ added in v0.3.0 

type GenerateRandomWithSourceRequest struct {
	// The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).
	Bytes int32 `json:"bytes,omitempty"`

	// Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"base64\".
	Format string `json:"format,omitempty"`
}

GenerateRandomWithSourceRequest struct for GenerateRandomWithSourceRequest

type GenerateRandomWithSourceResponse ¶ added in v0.3.0 

type GenerateRandomWithSourceResponse struct {
	RandomBytes string `json:"random_bytes,omitempty"`
}

GenerateRandomWithSourceResponse struct for GenerateRandomWithSourceResponse

type GithubConfigureRequest ¶ added in v0.3.0 

type GithubConfigureRequest struct {
	// The API endpoint to use. Useful if you are running GitHub Enterprise or an API-compatible authentication server.
	BaseUrl string `json:"base_url,omitempty"`

	// Use \"token_max_ttl\" instead. If this and \"token_max_ttl\" are both specified, only \"token_max_ttl\" will be used.
	// Deprecated
	MaxTtl string `json:"max_ttl,omitempty"`

	// The organization users must be part of
	Organization string `json:"organization"`

	// The ID of the organization users must be part of
	OrganizationId int64 `json:"organization_id,omitempty"`

	// Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.
	TokenBoundCidrs []string `json:"token_bound_cidrs,omitempty"`

	// If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.
	TokenExplicitMaxTtl string `json:"token_explicit_max_ttl,omitempty"`

	// The maximum lifetime of the generated token
	TokenMaxTtl string `json:"token_max_ttl,omitempty"`

	// If true, the 'default' policy will not automatically be added to generated tokens
	TokenNoDefaultPolicy bool `json:"token_no_default_policy,omitempty"`

	// The maximum number of times a token may be used, a value of zero means unlimited
	TokenNumUses int32 `json:"token_num_uses,omitempty"`

	// If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").
	TokenPeriod string `json:"token_period,omitempty"`

	// Comma-separated list of policies. This will apply to all tokens generated by this auth method, in addition to any policies configured for specific users/groups.
	TokenPolicies []string `json:"token_policies,omitempty"`

	// The initial ttl of the token to generate
	TokenTtl string `json:"token_ttl,omitempty"`

	// The type of token to generate, service or batch
	TokenType string `json:"token_type,omitempty"`

	// Use \"token_ttl\" instead. If this and \"token_ttl\" are both specified, only \"token_ttl\" will be used.
	// Deprecated
	Ttl string `json:"ttl,omitempty"`
}

GithubConfigureRequest struct for GithubConfigureRequest

type GithubLoginRequest ¶ added in v0.3.0 

type GithubLoginRequest struct {
	// GitHub personal API token
	Token string `json:"token,omitempty"`
}

GithubLoginRequest struct for GithubLoginRequest

type GithubWriteTeamMappingRequest ¶ added in v0.3.0 

type GithubWriteTeamMappingRequest struct {
	// Value for teams mapping
	Value string `json:"value,omitempty"`
}

GithubWriteTeamMappingRequest struct for GithubWriteTeamMappingRequest

type GithubWriteUserMappingRequest ¶ added in v0.3.0 

type GithubWriteUserMappingRequest struct {
	// Value for users mapping
	Value string `json:"value,omitempty"`
}

GithubWriteUserMappingRequest struct for GithubWriteUserMappingRequest

type GoogleCloudConfigureAuthRequest ¶ added in v0.3.0 

type GoogleCloudConfigureAuthRequest struct {
	// Google credentials JSON that Vault will use to verify users against GCP APIs. If not specified, will use application default credentials
	Credentials string `json:"credentials,omitempty"`

	// Specifies overrides for various Google API Service Endpoints used in requests.
	CustomEndpoint map[string]interface{} `json:"custom_endpoint,omitempty"`

	// Indicates what value to use when generating an alias for GCE authentications.
	GceAlias string `json:"gce_alias,omitempty"`

	// The metadata to include on the aliases and audit logs generated by this plugin. When set to 'default', includes: instance_creation_timestamp, instance_id, instance_name, project_id, project_number, role, service_account_id, service_account_email, zone. Not editing this field means the 'default' fields are included. Explicitly setting this field to empty overrides the 'default' and means no metadata will be included. If not using 'default', explicit fields must be sent like: 'field1,field2'.
	GceMetadata []string `json:"gce_metadata,omitempty"`

	// Deprecated. This field does nothing and be removed in a future release
	// Deprecated
	GoogleCertsEndpoint string `json:"google_certs_endpoint,omitempty"`

	// Indicates what value to use when generating an alias for IAM authentications.
	IamAlias string `json:"iam_alias,omitempty"`

	// The metadata to include on the aliases and audit logs generated by this plugin. When set to 'default', includes: project_id, role, service_account_id, service_account_email. Not editing this field means the 'default' fields are included. Explicitly setting this field to empty overrides the 'default' and means no metadata will be included. If not using 'default', explicit fields must be sent like: 'field1,field2'.
	IamMetadata []string `json:"iam_metadata,omitempty"`
}

GoogleCloudConfigureAuthRequest struct for GoogleCloudConfigureAuthRequest

type GoogleCloudConfigureRequest ¶ added in v0.3.0 

type GoogleCloudConfigureRequest struct {
	// GCP IAM service account credentials JSON with permissions to create new service accounts and set IAM policies
	Credentials string `json:"credentials,omitempty"`

	// Maximum time a service account key is valid for. If <= 0, will use system default.
	MaxTtl string `json:"max_ttl,omitempty"`

	// Default lease for generated keys. If <= 0, will use system default.
	Ttl string `json:"ttl,omitempty"`
}

GoogleCloudConfigureRequest struct for GoogleCloudConfigureRequest

type GoogleCloudEditLabelsForRoleRequest ¶ added in v0.3.0 

type GoogleCloudEditLabelsForRoleRequest struct {
	// BoundLabels to add (in $key:$value)
	Add []string `json:"add,omitempty"`

	// Label key values to remove
	Remove []string `json:"remove,omitempty"`
}

GoogleCloudEditLabelsForRoleRequest struct for GoogleCloudEditLabelsForRoleRequest

type GoogleCloudEditServiceAccountsForRoleRequest ¶ added in v0.3.0 

type GoogleCloudEditServiceAccountsForRoleRequest struct {
	// Service-account emails or IDs to add.
	Add []string `json:"add,omitempty"`

	// Service-account emails or IDs to remove.
	Remove []string `json:"remove,omitempty"`
}

GoogleCloudEditServiceAccountsForRoleRequest struct for GoogleCloudEditServiceAccountsForRoleRequest

type GoogleCloudGenerateRolesetKeyRequest ¶ added in v0.4.0 

type GoogleCloudGenerateRolesetKeyRequest struct {
	// Private key algorithm for service account key - defaults to KEY_ALG_RSA_2048\"
	KeyAlgorithm string `json:"key_algorithm,omitempty"`

	// Private key type for service account key - defaults to TYPE_GOOGLE_CREDENTIALS_FILE\"
	KeyType string `json:"key_type,omitempty"`

	// Lifetime of the service account key
	Ttl string `json:"ttl,omitempty"`
}

GoogleCloudGenerateRolesetKeyRequest struct for GoogleCloudGenerateRolesetKeyRequest

type GoogleCloudGenerateStaticAccountKeyRequest ¶ added in v0.4.0 

type GoogleCloudGenerateStaticAccountKeyRequest struct {
	// Private key algorithm for service account key. Defaults to KEY_ALG_RSA_2048.\"
	KeyAlgorithm string `json:"key_algorithm,omitempty"`

	// Private key type for service account key. Defaults to TYPE_GOOGLE_CREDENTIALS_FILE.\"
	KeyType string `json:"key_type,omitempty"`

	// Lifetime of the service account key
	Ttl string `json:"ttl,omitempty"`
}

GoogleCloudGenerateStaticAccountKeyRequest struct for GoogleCloudGenerateStaticAccountKeyRequest

type GoogleCloudKmsConfigureKeyRequest ¶ added in v0.3.0 

type GoogleCloudKmsConfigureKeyRequest struct {
	// Maximum allowed crypto key version. If set to a positive value, key versions greater than the given value are not permitted to be used. If set to 0 or a negative value, there is no maximum key version.
	MaxVersion int32 `json:"max_version,omitempty"`

	// Minimum allowed crypto key version. If set to a positive value, key versions less than the given value are not permitted to be used. If set to 0 or a negative value, there is no minimum key version. This value only affects encryption/re-encryption, not decryption. To restrict old values from being decrypted, increase this value and then perform a trim operation.
	MinVersion int32 `json:"min_version,omitempty"`
}

GoogleCloudKmsConfigureKeyRequest struct for GoogleCloudKmsConfigureKeyRequest

type GoogleCloudKmsConfigureRequest ¶ added in v0.3.0 

type GoogleCloudKmsConfigureRequest struct {
	// The credentials to use for authenticating to Google Cloud. Leave this blank to use the Default Application Credentials or instance metadata authentication.
	Credentials string `json:"credentials,omitempty"`

	// The list of full-URL scopes to request when authenticating. By default, this requests https://www.googleapis.com/auth/cloudkms.
	Scopes []string `json:"scopes,omitempty"`
}

GoogleCloudKmsConfigureRequest struct for GoogleCloudKmsConfigureRequest

type GoogleCloudKmsDecryptRequest ¶ added in v0.3.0 

type GoogleCloudKmsDecryptRequest struct {
	// Optional data that was specified during encryption of this payload.
	AdditionalAuthenticatedData string `json:"additional_authenticated_data,omitempty"`

	// Ciphertext to decrypt as previously returned from an encrypt operation. This must be base64-encoded ciphertext as previously returned from an encrypt operation.
	Ciphertext string `json:"ciphertext,omitempty"`

	// Integer version of the crypto key version to use for decryption. This is required for asymmetric keys. For symmetric keys, Cloud KMS will choose the correct version automatically.
	KeyVersion int32 `json:"key_version,omitempty"`
}

GoogleCloudKmsDecryptRequest struct for GoogleCloudKmsDecryptRequest

type GoogleCloudKmsEncryptRequest ¶ added in v0.3.0 

type GoogleCloudKmsEncryptRequest struct {
	// Optional base64-encoded data that, if specified, must also be provided to decrypt this payload.
	AdditionalAuthenticatedData string `json:"additional_authenticated_data,omitempty"`

	// Integer version of the crypto key version to use for encryption. If unspecified, this defaults to the latest active crypto key version.
	KeyVersion int32 `json:"key_version,omitempty"`

	// Plaintext value to be encrypted. This can be a string or binary, but the size is limited. See the Google Cloud KMS documentation for information on size limitations by key types.
	Plaintext string `json:"plaintext,omitempty"`
}

GoogleCloudKmsEncryptRequest struct for GoogleCloudKmsEncryptRequest

type GoogleCloudKmsReencryptRequest ¶ added in v0.3.0 

type GoogleCloudKmsReencryptRequest struct {
	// Optional data that, if specified, must also be provided during decryption.
	AdditionalAuthenticatedData string `json:"additional_authenticated_data,omitempty"`

	// Ciphertext to be re-encrypted to the latest key version. This must be ciphertext that Vault previously generated for this named key.
	Ciphertext string `json:"ciphertext,omitempty"`

	// Integer version of the crypto key version to use for the new encryption. If unspecified, this defaults to the latest active crypto key version.
	KeyVersion int32 `json:"key_version,omitempty"`
}

GoogleCloudKmsReencryptRequest struct for GoogleCloudKmsReencryptRequest

type GoogleCloudKmsRegisterKeyRequest ¶ added in v0.3.0 

type GoogleCloudKmsRegisterKeyRequest struct {
	// Full resource ID of the crypto key including the project, location, key ring, and crypto key like \"projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\". This crypto key must already exist in Google Cloud KMS unless verify is set to \"false\".
	CryptoKey string `json:"crypto_key,omitempty"`

	// Verify that the given Google Cloud KMS crypto key exists and is accessible before creating the storage entry in Vault. Set this to \"false\" if the key will not exist at creation time.
	Verify bool `json:"verify,omitempty"`
}

GoogleCloudKmsRegisterKeyRequest struct for GoogleCloudKmsRegisterKeyRequest

type GoogleCloudKmsSignRequest ¶ added in v0.3.0 

type GoogleCloudKmsSignRequest struct {
	// Digest to sign. This digest must use the same SHA algorithm as the underlying Cloud KMS key. The digest must be the base64-encoded binary value. This field is required.
	Digest string `json:"digest,omitempty"`

	// Integer version of the crypto key version to use for signing. This field is required.
	KeyVersion int32 `json:"key_version,omitempty"`
}

GoogleCloudKmsSignRequest struct for GoogleCloudKmsSignRequest

type GoogleCloudKmsVerifyRequest ¶ added in v0.3.0 

type GoogleCloudKmsVerifyRequest struct {
	// Digest to verify. This digest must use the same SHA algorithm as the underlying Cloud KMS key. The digest must be the base64-encoded binary value. This field is required.
	Digest string `json:"digest,omitempty"`

	// Integer version of the crypto key version to use for verification. This field is required.
	KeyVersion int32 `json:"key_version,omitempty"`

	// Base64-encoded signature to use for verification. This field is required.
	Signature string `json:"signature,omitempty"`
}

GoogleCloudKmsVerifyRequest struct for GoogleCloudKmsVerifyRequest

type GoogleCloudKmsWriteKeyRequest ¶ added in v0.3.0 

type GoogleCloudKmsWriteKeyRequest struct {
	// Algorithm to use for encryption, decryption, or signing. The value depends on the key purpose. The value cannot be changed after creation. For a key purpose of \"encrypt_decrypt\", the valid values are: - symmetric_encryption (default) For a key purpose of \"asymmetric_sign\", valid values are: - rsa_sign_pss_2048_sha256 - rsa_sign_pss_3072_sha256 - rsa_sign_pss_4096_sha256 - rsa_sign_pkcs1_2048_sha256 - rsa_sign_pkcs1_3072_sha256 - rsa_sign_pkcs1_4096_sha256 - ec_sign_p256_sha256 - ec_sign_p384_sha384 For a key purpose of \"asymmetric_decrypt\", valid values are: - rsa_decrypt_oaep_2048_sha256 - rsa_decrypt_oaep_3072_sha256 - rsa_decrypt_oaep_4096_sha256
	Algorithm string `json:"algorithm,omitempty"`

	// Name of the crypto key to use. If the given crypto key does not exist, Vault will try to create it. This defaults to the name of the key given to Vault as the parameter if unspecified.
	CryptoKey string `json:"crypto_key,omitempty"`

	// Full Google Cloud resource ID of the key ring with the project and location (e.g. projects/my-project/locations/global/keyRings/my-keyring). If the given key ring does not exist, Vault will try to create it during a create operation.
	KeyRing string `json:"key_ring,omitempty"`

	// Arbitrary key=value label to apply to the crypto key. To specify multiple labels, specify this argument multiple times (e.g. labels=\"a=b\" labels=\"c=d\").
	Labels map[string]interface{} `json:"labels,omitempty"`

	// Level of protection to use for the key management. Valid values are \"software\" and \"hsm\". The default value is \"software\". The value cannot be changed after creation.
	ProtectionLevel string `json:"protection_level,omitempty"`

	// Purpose of the key. Valid options are \"asymmetric_decrypt\", \"asymmetric_sign\", and \"encrypt_decrypt\". The default value is \"encrypt_decrypt\". The value cannot be changed after creation.
	Purpose string `json:"purpose,omitempty"`

	// Amount of time between crypto key version rotations. This is specified as a time duration value like 72h (72 hours). The smallest possible value is 24h. This value only applies to keys with a purpose of \"encrypt_decrypt\".
	RotationPeriod string `json:"rotation_period,omitempty"`
}

GoogleCloudKmsWriteKeyRequest struct for GoogleCloudKmsWriteKeyRequest

type GoogleCloudLoginRequest ¶ 

type GoogleCloudLoginRequest struct {
	// A signed JWT. This is either a self-signed service account JWT ('iam' roles only) or a GCE identity metadata token ('iam', 'gce' roles).
	Jwt string `json:"jwt,omitempty"`

	// Name of the role against which the login is being attempted. Required.
	Role string `json:"role,omitempty"`
}

GoogleCloudLoginRequest struct for GoogleCloudLoginRequest

type GoogleCloudWriteImpersonatedAccountRequest ¶ added in v0.3.0 

type GoogleCloudWriteImpersonatedAccountRequest struct {
	// Required. Email of the GCP service account to manage. Cannot be updated.
	ServiceAccountEmail string `json:"service_account_email,omitempty"`

	// List of OAuth scopes to assign to access tokens generated under this account.
	TokenScopes []string `json:"token_scopes,omitempty"`

	// Lifetime of the token for the impersonated account.
	Ttl string `json:"ttl,omitempty"`
}

GoogleCloudWriteImpersonatedAccountRequest struct for GoogleCloudWriteImpersonatedAccountRequest

type GoogleCloudWriteRoleRequest ¶ 

type GoogleCloudWriteRoleRequest struct {
	// If true, will add group aliases to auth tokens generated under this role. This will add the full list of ancestors (projects, folders, organizations) for the given entity's project. Requires IAM permission `resourcemanager.projects.get` on this project.
	AddGroupAliases bool `json:"add_group_aliases,omitempty"`

	// 'iam' roles only. If false, Vault will not not allow GCE instances to login in against this role
	AllowGceInference bool `json:"allow_gce_inference,omitempty"`

	// Deprecated: use \"bound_instance_groups\" instead.
	BoundInstanceGroup string `json:"bound_instance_group,omitempty"`

	// Comma-separated list of permitted instance groups to which the GCE instance must belong. This option only applies to \"gce\" roles.
	BoundInstanceGroups []string `json:"bound_instance_groups,omitempty"`

	// Comma-separated list of GCP labels formatted as\"key:value\" strings that must be present on the GCE instance in order to authenticate. This option only applies to \"gce\" roles.
	BoundLabels []string `json:"bound_labels,omitempty"`

	// GCP Projects that authenticating entities must belong to.
	BoundProjects []string `json:"bound_projects,omitempty"`

	// Deprecated: use \"bound_regions\" instead.
	BoundRegion string `json:"bound_region,omitempty"`

	// Comma-separated list of permitted regions to which the GCE instance must belong. If a group is provided, it is assumed to be a regional group. If \"zone\" is provided, this option is ignored. This can be a self-link or region name. This option only applies to \"gce\" roles.
	BoundRegions []string `json:"bound_regions,omitempty"`

	// Can be set for both 'iam' and 'gce' roles (required for 'iam'). A comma-seperated list of authorized service accounts. If the single value \"*\" is given, this is assumed to be all service accounts under the role's project. If this is set on a GCE role, the inferred service account from the instance metadata token will be used.
	BoundServiceAccounts []string `json:"bound_service_accounts,omitempty"`

	// Deprecated: use \"bound_zones\" instead.
	BoundZone string `json:"bound_zone,omitempty"`

	// Comma-separated list of permitted zones to which the GCE instance must belong. If a group is provided, it is assumed to be a zonal group. This can be a self-link or zone name. This option only applies to \"gce\" roles.
	BoundZones []string `json:"bound_zones,omitempty"`

	// Currently enabled for 'iam' only. Duration in seconds from time of validation that a JWT must expire within.
	MaxJwtExp string `json:"max_jwt_exp,omitempty"`

	// Use \"token_max_ttl\" instead. If this and \"token_max_ttl\" are both specified, only \"token_max_ttl\" will be used.
	// Deprecated
	MaxTtl string `json:"max_ttl,omitempty"`

	// Use \"token_period\" instead. If this and \"token_period\" are both specified, only \"token_period\" will be used.
	// Deprecated
	Period string `json:"period,omitempty"`

	// Use \"token_policies\" instead. If this and \"token_policies\" are both specified, only \"token_policies\" will be used.
	// Deprecated
	Policies []string `json:"policies,omitempty"`

	// Deprecated: use \"bound_projects\" instead
	ProjectId string `json:"project_id,omitempty"`

	// Deprecated: use \"bound_service_accounts\" instead.
	ServiceAccounts []string `json:"service_accounts,omitempty"`

	// Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.
	TokenBoundCidrs []string `json:"token_bound_cidrs,omitempty"`

	// If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.
	TokenExplicitMaxTtl string `json:"token_explicit_max_ttl,omitempty"`

	// The maximum lifetime of the generated token
	TokenMaxTtl string `json:"token_max_ttl,omitempty"`

	// If true, the 'default' policy will not automatically be added to generated tokens
	TokenNoDefaultPolicy bool `json:"token_no_default_policy,omitempty"`

	// The maximum number of times a token may be used, a value of zero means unlimited
	TokenNumUses int32 `json:"token_num_uses,omitempty"`

	// If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").
	TokenPeriod string `json:"token_period,omitempty"`

	// Comma-separated list of policies
	TokenPolicies []string `json:"token_policies,omitempty"`

	// The initial ttl of the token to generate
	TokenTtl string `json:"token_ttl,omitempty"`

	// The type of token to generate, service or batch
	TokenType string `json:"token_type,omitempty"`

	// Use \"token_ttl\" instead. If this and \"token_ttl\" are both specified, only \"token_ttl\" will be used.
	// Deprecated
	Ttl string `json:"ttl,omitempty"`

	// Type of the role. Currently supported: iam, gce
	Type string `json:"type,omitempty"`
}

GoogleCloudWriteRoleRequest struct for GoogleCloudWriteRoleRequest

type GoogleCloudWriteRolesetRequest ¶ 

type GoogleCloudWriteRolesetRequest struct {
	// Bindings configuration string.
	Bindings string `json:"bindings,omitempty"`

	// Name of the GCP project that this roleset's service account will belong to.
	Project string `json:"project,omitempty"`

	// Type of secret generated for this role set. Defaults to 'access_token'
	SecretType string `json:"secret_type,omitempty"`

	// List of OAuth scopes to assign to credentials generated under this role set
	TokenScopes []string `json:"token_scopes,omitempty"`
}

GoogleCloudWriteRolesetRequest struct for GoogleCloudWriteRolesetRequest

type GoogleCloudWriteStaticAccountRequest ¶ 

type GoogleCloudWriteStaticAccountRequest struct {
	// Bindings configuration string.
	Bindings string `json:"bindings,omitempty"`

	// Type of secret generated for this account. Cannot be updated. Defaults to \"access_token\"
	SecretType string `json:"secret_type,omitempty"`

	// Required. Email of the GCP service account to manage. Cannot be updated.
	ServiceAccountEmail string `json:"service_account_email,omitempty"`

	// List of OAuth scopes to assign to access tokens generated under this account. Ignored if \"secret_type\" is not \"\"access_token\"\"
	TokenScopes []string `json:"token_scopes,omitempty"`
}

GoogleCloudWriteStaticAccountRequest struct for GoogleCloudWriteStaticAccountRequest

type GroupCreateAliasRequest ¶ added in v0.3.0 

type GroupCreateAliasRequest struct {
	// ID of the group to which this is an alias.
	CanonicalId string `json:"canonical_id,omitempty"`

	// ID of the group alias.
	Id string `json:"id,omitempty"`

	// Mount accessor to which this alias belongs to.
	MountAccessor string `json:"mount_accessor,omitempty"`

	// Alias of the group.
	Name string `json:"name,omitempty"`
}

GroupCreateAliasRequest struct for GroupCreateAliasRequest

type GroupCreateRequest ¶ added in v0.3.0 

type GroupCreateRequest struct {
	// ID of the group. If set, updates the corresponding existing group.
	Id string `json:"id,omitempty"`

	// Entity IDs to be assigned as group members.
	MemberEntityIds []string `json:"member_entity_ids,omitempty"`

	// Group IDs to be assigned as group members.
	MemberGroupIds []string `json:"member_group_ids,omitempty"`

	// Metadata to be associated with the group. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault <command> <path> metadata=key1=value1 metadata=key2=value2
	Metadata map[string]interface{} `json:"metadata,omitempty"`

	// Name of the group.
	Name string `json:"name,omitempty"`

	// Policies to be tied to the group.
	Policies []string `json:"policies,omitempty"`

	// Type of the group, 'internal' or 'external'. Defaults to 'internal'
	Type string `json:"type,omitempty"`
}

GroupCreateRequest struct for GroupCreateRequest

type GroupLookUpRequest ¶ added in v0.3.0 

type GroupLookUpRequest struct {
	// ID of the alias.
	AliasId string `json:"alias_id,omitempty"`

	// Accessor of the mount to which the alias belongs to. This should be supplied in conjunction with 'alias_name'.
	AliasMountAccessor string `json:"alias_mount_accessor,omitempty"`

	// Name of the alias. This should be supplied in conjunction with 'alias_mount_accessor'.
	AliasName string `json:"alias_name,omitempty"`

	// ID of the group.
	Id string `json:"id,omitempty"`

	// Name of the group.
	Name string `json:"name,omitempty"`
}

GroupLookUpRequest struct for GroupLookUpRequest

type GroupUpdateAliasByIdRequest ¶ added in v0.3.0 

type GroupUpdateAliasByIdRequest struct {
	// ID of the group to which this is an alias.
	CanonicalId string `json:"canonical_id,omitempty"`

	// Mount accessor to which this alias belongs to.
	MountAccessor string `json:"mount_accessor,omitempty"`

	// Alias of the group.
	Name string `json:"name,omitempty"`
}

GroupUpdateAliasByIdRequest struct for GroupUpdateAliasByIdRequest

type GroupUpdateByIdRequest ¶ added in v0.3.0 

type GroupUpdateByIdRequest struct {
	// Entity IDs to be assigned as group members.
	MemberEntityIds []string `json:"member_entity_ids,omitempty"`

	// Group IDs to be assigned as group members.
	MemberGroupIds []string `json:"member_group_ids,omitempty"`

	// Metadata to be associated with the group. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault <command> <path> metadata=key1=value1 metadata=key2=value2
	Metadata map[string]interface{} `json:"metadata,omitempty"`

	// Name of the group.
	Name string `json:"name,omitempty"`

	// Policies to be tied to the group.
	Policies []string `json:"policies,omitempty"`

	// Type of the group, 'internal' or 'external'. Defaults to 'internal'
	Type string `json:"type,omitempty"`
}

GroupUpdateByIdRequest struct for GroupUpdateByIdRequest

type GroupUpdateByNameRequest ¶ added in v0.3.0 

type GroupUpdateByNameRequest struct {
	// ID of the group. If set, updates the corresponding existing group.
	Id string `json:"id,omitempty"`

	// Entity IDs to be assigned as group members.
	MemberEntityIds []string `json:"member_entity_ids,omitempty"`

	// Group IDs to be assigned as group members.
	MemberGroupIds []string `json:"member_group_ids,omitempty"`

	// Metadata to be associated with the group. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault <command> <path> metadata=key1=value1 metadata=key2=value2
	Metadata map[string]interface{} `json:"metadata,omitempty"`

	// Policies to be tied to the group.
	Policies []string `json:"policies,omitempty"`

	// Type of the group, 'internal' or 'external'. Defaults to 'internal'
	Type string `json:"type,omitempty"`
}

GroupUpdateByNameRequest struct for GroupUpdateByNameRequest

type HaStatusResponse ¶ added in v0.3.0 

type HaStatusResponse struct {
	Nodes []map[string]interface{} `json:"nodes,omitempty"`
}

HaStatusResponse struct for HaStatusResponse

type InitializeRequest ¶ added in v0.3.0 

type InitializeRequest struct {
	// Specifies an array of PGP public keys used to encrypt the output unseal keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as `secret_shares`.
	PgpKeys []string `json:"pgp_keys,omitempty"`

	// Specifies an array of PGP public keys used to encrypt the output recovery keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as `recovery_shares`.
	RecoveryPgpKeys []string `json:"recovery_pgp_keys,omitempty"`

	// Specifies the number of shares to split the recovery key into.
	RecoveryShares int32 `json:"recovery_shares,omitempty"`

	// Specifies the number of shares required to reconstruct the recovery key. This must be less than or equal to `recovery_shares`.
	RecoveryThreshold int32 `json:"recovery_threshold,omitempty"`

	// Specifies a PGP public key used to encrypt the initial root token. The key must be base64-encoded from its original binary representation.
	RootTokenPgpKey string `json:"root_token_pgp_key,omitempty"`

	// Specifies the number of shares to split the unseal key into.
	SecretShares int32 `json:"secret_shares,omitempty"`

	// Specifies the number of shares required to reconstruct the unseal key. This must be less than or equal secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as `secret_shares`.
	SecretThreshold int32 `json:"secret_threshold,omitempty"`

	// Specifies the number of shares that should be encrypted by the HSM and stored for auto-unsealing. Currently must be the same as `secret_shares`.
	StoredShares int32 `json:"stored_shares,omitempty"`
}

InitializeRequest struct for InitializeRequest

type InternalClientActivityConfigureRequest ¶ added in v0.3.0 

type InternalClientActivityConfigureRequest struct {
	// Number of months to report if no start date specified.
	DefaultReportMonths int32 `json:"default_report_months,omitempty"`

	// Enable or disable collection of client count: enable, disable, or default.
	Enabled string `json:"enabled,omitempty"`

	// Number of months of client data to retain. Setting to 0 will clear all existing data.
	RetentionMonths int32 `json:"retention_months,omitempty"`
}

InternalClientActivityConfigureRequest struct for InternalClientActivityConfigureRequest

type InternalCountEntitiesResponse ¶ added in v0.3.0 

type InternalCountEntitiesResponse struct {
	Counters map[string]interface{} `json:"counters,omitempty"`
}

InternalCountEntitiesResponse struct for InternalCountEntitiesResponse

type InternalCountTokensResponse ¶ added in v0.3.0 

type InternalCountTokensResponse struct {
	Counters map[string]interface{} `json:"counters,omitempty"`
}

InternalCountTokensResponse struct for InternalCountTokensResponse

type InternalGenerateOpenApiDocumentWithParametersRequest ¶ added in v0.4.0 

type InternalGenerateOpenApiDocumentWithParametersRequest struct {
	// Context string appended to every operationId
	Context string `json:"context,omitempty"`

	// Use generic mount paths
	GenericMountPaths bool `json:"generic_mount_paths,omitempty"`
}

InternalGenerateOpenApiDocumentWithParametersRequest struct for InternalGenerateOpenApiDocumentWithParametersRequest

type InternalUiListEnabledFeatureFlagsResponse ¶ added in v0.3.0 

type InternalUiListEnabledFeatureFlagsResponse struct {
	FeatureFlags []string `json:"feature_flags,omitempty"`
}

InternalUiListEnabledFeatureFlagsResponse struct for InternalUiListEnabledFeatureFlagsResponse

type InternalUiListEnabledVisibleMountsResponse ¶ added in v0.3.0 

type InternalUiListEnabledVisibleMountsResponse struct {
	// auth mounts
	Auth map[string]interface{} `json:"auth,omitempty"`

	// secret mounts
	Secret map[string]interface{} `json:"secret,omitempty"`
}

InternalUiListEnabledVisibleMountsResponse struct for InternalUiListEnabledVisibleMountsResponse

type InternalUiListNamespacesResponse ¶ added in v0.3.0 

type InternalUiListNamespacesResponse struct {
	// field is only returned if there are one or more namespaces
	Keys []string `json:"keys,omitempty"`
}

InternalUiListNamespacesResponse struct for InternalUiListNamespacesResponse

type InternalUiReadMountInformationResponse ¶ added in v0.3.0 

type InternalUiReadMountInformationResponse struct {
	Accessor string `json:"accessor,omitempty"`

	Config map[string]interface{} `json:"config,omitempty"`

	Description string `json:"description,omitempty"`

	ExternalEntropyAccess bool `json:"external_entropy_access,omitempty"`

	Local bool `json:"local,omitempty"`

	Options map[string]interface{} `json:"options,omitempty"`

	Path string `json:"path,omitempty"`

	PluginVersion string `json:"plugin_version,omitempty"`

	RunningPluginVersion string `json:"running_plugin_version,omitempty"`

	RunningSha256 string `json:"running_sha256,omitempty"`

	SealWrap bool `json:"seal_wrap,omitempty"`

	Type string `json:"type,omitempty"`

	Uuid string `json:"uuid,omitempty"`
}

InternalUiReadMountInformationResponse struct for InternalUiReadMountInformationResponse

type InternalUiReadResultantAclResponse ¶ added in v0.3.0 

type InternalUiReadResultantAclResponse struct {
	ExactPaths map[string]interface{} `json:"exact_paths,omitempty"`

	GlobPaths map[string]interface{} `json:"glob_paths,omitempty"`

	Root bool `json:"root,omitempty"`
}

InternalUiReadResultantAclResponse struct for InternalUiReadResultantAclResponse

type JwtConfigureRequest ¶ added in v0.3.0 

type JwtConfigureRequest struct {
	// The value against which to match the 'iss' claim in a JWT. Optional.
	BoundIssuer string `json:"bound_issuer,omitempty"`

	// The default role to use if none is provided during login. If not set, a role is required during login.
	DefaultRole string `json:"default_role,omitempty"`

	// The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
	JwksCaPem string `json:"jwks_ca_pem,omitempty"`

	// JWKS URL to use to authenticate signatures. Cannot be used with \"oidc_discovery_url\" or \"jwt_validation_pubkeys\".
	JwksUrl string `json:"jwks_url,omitempty"`

	// A list of supported signing algorithms. Defaults to RS256.
	JwtSupportedAlgs []string `json:"jwt_supported_algs,omitempty"`

	// A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used with \"jwks_url\" or \"oidc_discovery_url\".
	JwtValidationPubkeys []string `json:"jwt_validation_pubkeys,omitempty"`

	// Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs.
	NamespaceInState bool `json:"namespace_in_state,omitempty"`

	// The OAuth Client ID configured with your OIDC provider.
	OidcClientId string `json:"oidc_client_id,omitempty"`

	// The OAuth Client Secret configured with your OIDC provider.
	OidcClientSecret string `json:"oidc_client_secret,omitempty"`

	// The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used.
	OidcDiscoveryCaPem string `json:"oidc_discovery_ca_pem,omitempty"`

	// OIDC Discovery URL, without any .well-known component (base path). Cannot be used with \"jwks_url\" or \"jwt_validation_pubkeys\".
	OidcDiscoveryUrl string `json:"oidc_discovery_url,omitempty"`

	// The response mode to be used in the OAuth2 request. Allowed values are 'query' and 'form_post'.
	OidcResponseMode string `json:"oidc_response_mode,omitempty"`

	// The response types to request. Allowed values are 'code' and 'id_token'. Defaults to 'code'.
	OidcResponseTypes []string `json:"oidc_response_types,omitempty"`

	// Provider-specific configuration. Optional.
	ProviderConfig map[string]interface{} `json:"provider_config,omitempty"`
}

JwtConfigureRequest struct for JwtConfigureRequest

type JwtLoginRequest ¶ added in v0.3.0 

type JwtLoginRequest struct {
	// The signed JWT to validate.
	Jwt string `json:"jwt,omitempty"`

	// The role to log in against.
	Role string `json:"role,omitempty"`
}

JwtLoginRequest struct for JwtLoginRequest

type JwtOidcCallbackFormPostRequest ¶ added in v0.4.0 

type JwtOidcCallbackFormPostRequest struct {
	ClientNonce string `json:"client_nonce,omitempty"`

	Code string `json:"code,omitempty"`

	IdToken string `json:"id_token,omitempty"`

	State string `json:"state,omitempty"`
}

JwtOidcCallbackFormPostRequest struct for JwtOidcCallbackFormPostRequest

type JwtOidcRequestAuthorizationUrlRequest ¶ added in v0.3.0 

type JwtOidcRequestAuthorizationUrlRequest struct {
	// Optional client-provided nonce that must match during callback, if present.
	ClientNonce string `json:"client_nonce,omitempty"`

	// The OAuth redirect_uri to use in the authorization URL.
	RedirectUri string `json:"redirect_uri,omitempty"`

	// The role to issue an OIDC authorization URL against.
	Role string `json:"role,omitempty"`
}

JwtOidcRequestAuthorizationUrlRequest struct for JwtOidcRequestAuthorizationUrlRequest

type JwtWriteRoleRequest ¶ added in v0.3.0 

type JwtWriteRoleRequest struct {
	// Comma-separated list of allowed values for redirect_uri
	AllowedRedirectUris []string `json:"allowed_redirect_uris,omitempty"`

	// Comma-separated list of 'aud' claims that are valid for login; any match is sufficient
	BoundAudiences []string `json:"bound_audiences,omitempty"`

	// Use \"token_bound_cidrs\" instead. If this and \"token_bound_cidrs\" are both specified, only \"token_bound_cidrs\" will be used.
	// Deprecated
	BoundCidrs []string `json:"bound_cidrs,omitempty"`

	// Map of claims/values which must match for login
	BoundClaims map[string]interface{} `json:"bound_claims,omitempty"`

	// How to interpret values in the map of claims/values (which must match for login): allowed values are 'string' or 'glob'
	BoundClaimsType string `json:"bound_claims_type,omitempty"`

	// The 'sub' claim that is valid for login. Optional.
	BoundSubject string `json:"bound_subject,omitempty"`

	// Mappings of claims (key) that will be copied to a metadata field (value)
	ClaimMappings map[string]interface{} `json:"claim_mappings,omitempty"`

	// Duration in seconds of leeway when validating all claims to account for clock skew. Defaults to 60 (1 minute) if set to 0 and can be disabled if set to -1.
	ClockSkewLeeway string `json:"clock_skew_leeway,omitempty"`

	// Duration in seconds of leeway when validating expiration of a token to account for clock skew. Defaults to 150 (2.5 minutes) if set to 0 and can be disabled if set to -1.
	ExpirationLeeway string `json:"expiration_leeway,omitempty"`

	// The claim to use for the Identity group alias names
	GroupsClaim string `json:"groups_claim,omitempty"`

	// Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated.
	MaxAge string `json:"max_age,omitempty"`

	// Use \"token_max_ttl\" instead. If this and \"token_max_ttl\" are both specified, only \"token_max_ttl\" will be used.
	// Deprecated
	MaxTtl string `json:"max_ttl,omitempty"`

	// Duration in seconds of leeway when validating not before values of a token to account for clock skew. Defaults to 150 (2.5 minutes) if set to 0 and can be disabled if set to -1.
	NotBeforeLeeway string `json:"not_before_leeway,omitempty"`

	// Use \"token_num_uses\" instead. If this and \"token_num_uses\" are both specified, only \"token_num_uses\" will be used.
	// Deprecated
	NumUses int32 `json:"num_uses,omitempty"`

	// Comma-separated list of OIDC scopes
	OidcScopes []string `json:"oidc_scopes,omitempty"`

	// Use \"token_period\" instead. If this and \"token_period\" are both specified, only \"token_period\" will be used.
	// Deprecated
	Period string `json:"period,omitempty"`

	// Use \"token_policies\" instead. If this and \"token_policies\" are both specified, only \"token_policies\" will be used.
	// Deprecated
	Policies []string `json:"policies,omitempty"`

	// Type of the role, either 'jwt' or 'oidc'.
	RoleType string `json:"role_type,omitempty"`

	// Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.
	TokenBoundCidrs []string `json:"token_bound_cidrs,omitempty"`

	// If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.
	TokenExplicitMaxTtl string `json:"token_explicit_max_ttl,omitempty"`

	// The maximum lifetime of the generated token
	TokenMaxTtl string `json:"token_max_ttl,omitempty"`

	// If true, the 'default' policy will not automatically be added to generated tokens
	TokenNoDefaultPolicy bool `json:"token_no_default_policy,omitempty"`

	// The maximum number of times a token may be used, a value of zero means unlimited
	TokenNumUses int32 `json:"token_num_uses,omitempty"`

	// If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").
	TokenPeriod string `json:"token_period,omitempty"`

	// Comma-separated list of policies
	TokenPolicies []string `json:"token_policies,omitempty"`

	// The initial ttl of the token to generate
	TokenTtl string `json:"token_ttl,omitempty"`

	// The type of token to generate, service or batch
	TokenType string `json:"token_type,omitempty"`

	// Use \"token_ttl\" instead. If this and \"token_ttl\" are both specified, only \"token_ttl\" will be used.
	// Deprecated
	Ttl string `json:"ttl,omitempty"`

	// The claim to use for the Identity entity alias name
	UserClaim string `json:"user_claim,omitempty"`

	// If true, the user_claim value will use JSON pointer syntax for referencing claims.
	UserClaimJsonPointer bool `json:"user_claim_json_pointer,omitempty"`

	// Log received OIDC tokens and claims when debug-level logging is active. Not recommended in production since sensitive information may be present in OIDC responses.
	VerboseOidcLogging bool `json:"verbose_oidc_logging,omitempty"`
}

JwtWriteRoleRequest struct for JwtWriteRoleRequest

type KerberosConfigureLdapRequest ¶ added in v0.3.0 

type KerberosConfigureLdapRequest struct {
	// Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
	AnonymousGroupSearch bool `json:"anonymous_group_search,omitempty"`

	// LDAP DN for searching for the user DN (optional)
	Binddn string `json:"binddn,omitempty"`

	// LDAP password for searching for the user DN (optional)
	Bindpass string `json:"bindpass,omitempty"`

	// If true, case sensitivity will be used when comparing usernames and groups for matching policies.
	CaseSensitiveNames bool `json:"case_sensitive_names,omitempty"`

	// CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded (optional)
	Certificate string `json:"certificate,omitempty"`

	// Client certificate to provide to the LDAP server, must be x509 PEM encoded (optional)
	ClientTlsCert string `json:"client_tls_cert,omitempty"`

	// Client certificate key to provide to the LDAP server, must be x509 PEM encoded (optional)
	ClientTlsKey string `json:"client_tls_key,omitempty"`

	// Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.
	ConnectionTimeout string `json:"connection_timeout,omitempty"`

	// Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true
	DenyNullBind bool `json:"deny_null_bind,omitempty"`

	// When aliases should be dereferenced on search operations. Accepted values are 'never', 'finding', 'searching', 'always'. Defaults to 'never'.
	DereferenceAliases string `json:"dereference_aliases,omitempty"`

	// Use anonymous bind to discover the bind DN of a user (optional)
	Discoverdn bool `json:"discoverdn,omitempty"`

	// LDAP attribute to follow on objects returned by <groupfilter> in order to enumerate user group membership. Examples: \"cn\" or \"memberOf\", etc. Default: cn
	Groupattr string `json:"groupattr,omitempty"`

	// LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org)
	Groupdn string `json:"groupdn,omitempty"`

	// Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username Example: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
	Groupfilter string `json:"groupfilter,omitempty"`

	// Skip LDAP server SSL Certificate verification - VERY insecure (optional)
	InsecureTls bool `json:"insecure_tls,omitempty"`

	// If set to a value greater than 0, the LDAP backend will use the LDAP server's paged search control to request pages of up to the given size. This can be used to avoid hitting the LDAP server's maximum result size limit. Otherwise, the LDAP backend will not use the paged search control.
	MaxPageSize int32 `json:"max_page_size,omitempty"`

	// Timeout, in seconds, for the connection when making requests against the server before returning back an error.
	RequestTimeout string `json:"request_timeout,omitempty"`

	// Issue a StartTLS command after establishing unencrypted connection (optional)
	Starttls bool `json:"starttls,omitempty"`

	// Maximum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12'
	TlsMaxVersion string `json:"tls_max_version,omitempty"`

	// Minimum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12'
	TlsMinVersion string `json:"tls_min_version,omitempty"`

	// Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.
	TokenBoundCidrs []string `json:"token_bound_cidrs,omitempty"`

	// If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.
	TokenExplicitMaxTtl string `json:"token_explicit_max_ttl,omitempty"`

	// The maximum lifetime of the generated token
	TokenMaxTtl string `json:"token_max_ttl,omitempty"`

	// If true, the 'default' policy will not automatically be added to generated tokens
	TokenNoDefaultPolicy bool `json:"token_no_default_policy,omitempty"`

	// The maximum number of times a token may be used, a value of zero means unlimited
	TokenNumUses int32 `json:"token_num_uses,omitempty"`

	// If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").
	TokenPeriod string `json:"token_period,omitempty"`

	// Comma-separated list of policies. This will apply to all tokens generated by this auth method, in addition to any configured for specific users/groups.
	TokenPolicies []string `json:"token_policies,omitempty"`

	// The initial ttl of the token to generate
	TokenTtl string `json:"token_ttl,omitempty"`

	// The type of token to generate, service or batch
	TokenType string `json:"token_type,omitempty"`

	// Enables userPrincipalDomain login with [username]@UPNDomain (optional)
	Upndomain string `json:"upndomain,omitempty"`

	// LDAP URL to connect to (default: ldap://127.0.0.1). Multiple URLs can be specified by concatenating them with commas; they will be tried in-order.
	Url string `json:"url,omitempty"`

	// In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
	UsePre111GroupCnBehavior bool `json:"use_pre111_group_cn_behavior,omitempty"`

	// If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
	UseTokenGroups bool `json:"use_token_groups,omitempty"`

	// Attribute used for users (default: cn)
	Userattr string `json:"userattr,omitempty"`

	// LDAP domain to use for users (eg: ou=People,dc=example,dc=org)
	Userdn string `json:"userdn,omitempty"`

	// Go template for LDAP user search filer (optional) The template can access the following context variables: UserAttr, Username Default: ({{.UserAttr}}={{.Username}})
	Userfilter string `json:"userfilter,omitempty"`

	// If true, sets the alias name to the username
	UsernameAsAlias bool `json:"username_as_alias,omitempty"`
}

KerberosConfigureLdapRequest struct for KerberosConfigureLdapRequest

type KerberosConfigureRequest ¶ added in v0.3.0 

type KerberosConfigureRequest struct {
	// If set to true, returns any groups found in LDAP as a group alias.
	AddGroupAliases bool `json:"add_group_aliases,omitempty"`

	// Base64 encoded keytab
	Keytab string `json:"keytab,omitempty"`

	// Remove instance/FQDN from keytab principal names.
	RemoveInstanceName bool `json:"remove_instance_name,omitempty"`

	// Service Account
	ServiceAccount string `json:"service_account,omitempty"`
}

KerberosConfigureRequest struct for KerberosConfigureRequest

type KerberosLoginRequest ¶ 

type KerberosLoginRequest struct {
	// SPNEGO Authorization header. Required.
	Authorization string `json:"authorization,omitempty"`
}

KerberosLoginRequest struct for KerberosLoginRequest

type KerberosWriteGroupRequest ¶ 

type KerberosWriteGroupRequest struct {
	// Comma-separated list of policies associated to the group.
	Policies []string `json:"policies,omitempty"`
}

KerberosWriteGroupRequest struct for KerberosWriteGroupRequest

type KubernetesConfigureAuthRequest ¶ added in v0.3.0 

type KubernetesConfigureAuthRequest struct {
	// Disable JWT issuer validation (Deprecated, will be removed in a future release)
	// Deprecated
	DisableIssValidation bool `json:"disable_iss_validation,omitempty"`

	// Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod
	DisableLocalCaJwt bool `json:"disable_local_ca_jwt,omitempty"`

	// Optional JWT issuer. If no issuer is specified, then this plugin will use kubernetes.io/serviceaccount as the default issuer. (Deprecated, will be removed in a future release)
	// Deprecated
	Issuer string `json:"issuer,omitempty"`

	// PEM encoded CA cert for use by the TLS client used to talk with the API.
	KubernetesCaCert string `json:"kubernetes_ca_cert,omitempty"`

	// Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
	KubernetesHost string `json:"kubernetes_host,omitempty"`

	// Optional list of PEM-formated public keys or certificates used to verify the signatures of kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
	PemKeys []string `json:"pem_keys,omitempty"`

	// A service account JWT used to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.
	TokenReviewerJwt string `json:"token_reviewer_jwt,omitempty"`
}

KubernetesConfigureAuthRequest struct for KubernetesConfigureAuthRequest

type KubernetesConfigureRequest ¶ added in v0.3.0 

type KubernetesConfigureRequest struct {
	// Disable defaulting to the local CA certificate and service account JWT when running in a Kubernetes pod.
	DisableLocalCaJwt bool `json:"disable_local_ca_jwt,omitempty"`

	// PEM encoded CA certificate to use to verify the Kubernetes API server certificate. Defaults to the local pod's CA if found.
	KubernetesCaCert string `json:"kubernetes_ca_cert,omitempty"`

	// Kubernetes API URL to connect to. Defaults to https://$KUBERNETES_SERVICE_HOST:KUBERNETES_SERVICE_PORT if those environment variables are set.
	KubernetesHost string `json:"kubernetes_host,omitempty"`

	// The JSON web token of the service account used by the secret engine to manage Kubernetes credentials. Defaults to the local pod's JWT if found.
	ServiceAccountJwt string `json:"service_account_jwt,omitempty"`
}

KubernetesConfigureRequest struct for KubernetesConfigureRequest

type KubernetesGenerateCredentialsRequest ¶ added in v0.3.0 

type KubernetesGenerateCredentialsRequest struct {
	// The intended audiences of the generated credentials
	Audiences []string `json:"audiences,omitempty"`

	// If true, generate a ClusterRoleBinding to grant permissions across the whole cluster instead of within a namespace. Requires the Vault role to have kubernetes_role_type set to ClusterRole.
	ClusterRoleBinding bool `json:"cluster_role_binding,omitempty"`

	// The name of the Kubernetes namespace in which to generate the credentials
	KubernetesNamespace string `json:"kubernetes_namespace"`

	// The TTL of the generated credentials
	Ttl string `json:"ttl,omitempty"`
}

KubernetesGenerateCredentialsRequest struct for KubernetesGenerateCredentialsRequest

type KubernetesLoginRequest ¶ 

type KubernetesLoginRequest struct {
	// A signed JWT for authenticating a service account. This field is required.
	Jwt string `json:"jwt,omitempty"`

	// Name of the role against which the login is being attempted. This field is required
	Role string `json:"role,omitempty"`
}

KubernetesLoginRequest struct for KubernetesLoginRequest

type KubernetesWriteAuthRoleRequest ¶ 

type KubernetesWriteAuthRoleRequest struct {
	// Source to use when deriving the Alias name. valid choices: \"serviceaccount_uid\" : <token.uid> e.g. 474b11b5-0f20-4f9d-8ca5-65715ab325e0 (most secure choice) \"serviceaccount_name\" : <namespace>/<serviceaccount> e.g. vault/vault-agent default: \"serviceaccount_uid\"
	AliasNameSource string `json:"alias_name_source,omitempty"`

	// Optional Audience claim to verify in the jwt.
	Audience string `json:"audience,omitempty"`

	// Use \"token_bound_cidrs\" instead. If this and \"token_bound_cidrs\" are both specified, only \"token_bound_cidrs\" will be used.
	// Deprecated
	BoundCidrs []string `json:"bound_cidrs,omitempty"`

	// List of service account names able to access this role. If set to \"*\" all names are allowed.
	BoundServiceAccountNames []string `json:"bound_service_account_names,omitempty"`

	// List of namespaces allowed to access this role. If set to \"*\" all namespaces are allowed.
	BoundServiceAccountNamespaces []string `json:"bound_service_account_namespaces,omitempty"`

	// Use \"token_max_ttl\" instead. If this and \"token_max_ttl\" are both specified, only \"token_max_ttl\" will be used.
	// Deprecated
	MaxTtl string `json:"max_ttl,omitempty"`

	// Use \"token_num_uses\" instead. If this and \"token_num_uses\" are both specified, only \"token_num_uses\" will be used.
	// Deprecated
	NumUses int32 `json:"num_uses,omitempty"`

	// Use \"token_period\" instead. If this and \"token_period\" are both specified, only \"token_period\" will be used.
	// Deprecated
	Period string `json:"period,omitempty"`

	// Use \"token_policies\" instead. If this and \"token_policies\" are both specified, only \"token_policies\" will be used.
	// Deprecated
	Policies []string `json:"policies,omitempty"`

	// Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.
	TokenBoundCidrs []string `json:"token_bound_cidrs,omitempty"`

	// If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.
	TokenExplicitMaxTtl string `json:"token_explicit_max_ttl,omitempty"`

	// The maximum lifetime of the generated token
	TokenMaxTtl string `json:"token_max_ttl,omitempty"`

	// If true, the 'default' policy will not automatically be added to generated tokens
	TokenNoDefaultPolicy bool `json:"token_no_default_policy,omitempty"`

	// The maximum number of times a token may be used, a value of zero means unlimited
	TokenNumUses int32 `json:"token_num_uses,omitempty"`

	// If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").
	TokenPeriod string `json:"token_period,omitempty"`

	// Comma-separated list of policies
	TokenPolicies []string `json:"token_policies,omitempty"`

	// The initial ttl of the token to generate
	TokenTtl string `json:"token_ttl,omitempty"`

	// The type of token to generate, service or batch
	TokenType string `json:"token_type,omitempty"`

	// Use \"token_ttl\" instead. If this and \"token_ttl\" are both specified, only \"token_ttl\" will be used.
	// Deprecated
	Ttl string `json:"ttl,omitempty"`
}

KubernetesWriteAuthRoleRequest struct for KubernetesWriteAuthRoleRequest

type KubernetesWriteRoleRequest ¶ 

type KubernetesWriteRoleRequest struct {
	// A label selector for Kubernetes namespaces in which credentials can be generated. Accepts either a JSON or YAML object. If set with allowed_kubernetes_namespaces, the conditions are conjuncted.
	AllowedKubernetesNamespaceSelector string `json:"allowed_kubernetes_namespace_selector,omitempty"`

	// A list of the Kubernetes namespaces in which credentials can be generated. If set to \"*\" all namespaces are allowed.
	AllowedKubernetesNamespaces []string `json:"allowed_kubernetes_namespaces,omitempty"`

	// Additional annotations to apply to all generated Kubernetes objects.
	ExtraAnnotations map[string]interface{} `json:"extra_annotations,omitempty"`

	// Additional labels to apply to all generated Kubernetes objects.
	ExtraLabels map[string]interface{} `json:"extra_labels,omitempty"`

	// The Role or ClusterRole rules to use when generating a role. Accepts either a JSON or YAML object. If set, the entire chain of Kubernetes objects will be generated.
	GeneratedRoleRules string `json:"generated_role_rules,omitempty"`

	// The pre-existing Role or ClusterRole to bind a generated service account to. If set, Kubernetes token, service account, and role binding objects will be created.
	KubernetesRoleName string `json:"kubernetes_role_name,omitempty"`

	// Specifies whether the Kubernetes role is a Role or ClusterRole.
	KubernetesRoleType string `json:"kubernetes_role_type,omitempty"`

	// The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
	NameTemplate string `json:"name_template,omitempty"`

	// The pre-existing service account to generate tokens for. Mutually exclusive with all role parameters. If set, only a Kubernetes service account token will be created.
	ServiceAccountName string `json:"service_account_name,omitempty"`

	// The default audiences for generated Kubernetes service account tokens. If not set or set to \"\", will use k8s cluster default.
	TokenDefaultAudiences []string `json:"token_default_audiences,omitempty"`

	// The default ttl for generated Kubernetes service account tokens. If not set or set to 0, will use system default.
	TokenDefaultTtl string `json:"token_default_ttl,omitempty"`

	// The maximum ttl for generated Kubernetes service account tokens. If not set or set to 0, will use system default.
	TokenMaxTtl string `json:"token_max_ttl,omitempty"`
}

KubernetesWriteRoleRequest struct for KubernetesWriteRoleRequest

type KvV2ConfigureRequest ¶ added in v0.3.0 

type KvV2ConfigureRequest struct {
	// If true, the backend will require the cas parameter to be set for each write
	CasRequired bool `json:"cas_required,omitempty"`

	// If set, the length of time before a version is deleted. A negative duration disables the use of delete_version_after on all keys. A zero duration clears the current setting. Accepts a Go duration format string.
	DeleteVersionAfter string `json:"delete_version_after,omitempty"`

	// The number of versions to keep for each key. Defaults to 10
	MaxVersions int32 `json:"max_versions,omitempty"`
}

KvV2ConfigureRequest struct for KvV2ConfigureRequest

type KvV2DeleteVersionsRequest ¶ added in v0.3.0 

type KvV2DeleteVersionsRequest struct {
	// The versions to be archived. The versioned data will not be deleted, but it will no longer be returned in normal get requests.
	Versions []int32 `json:"versions,omitempty"`
}

KvV2DeleteVersionsRequest struct for KvV2DeleteVersionsRequest

type KvV2DestroyVersionsRequest ¶ added in v0.3.0 

type KvV2DestroyVersionsRequest struct {
	// The versions to destroy. Their data will be permanently deleted.
	Versions []int32 `json:"versions,omitempty"`
}

KvV2DestroyVersionsRequest struct for KvV2DestroyVersionsRequest

type KvV2PatchResponse ¶ added in v0.3.0 

type KvV2PatchResponse struct {
	CreatedTime time.Time `json:"created_time,omitempty"`

	CustomMetadata map[string]interface{} `json:"custom_metadata,omitempty"`

	DeletionTime string `json:"deletion_time,omitempty"`

	Destroyed bool `json:"destroyed,omitempty"`

	Version int64 `json:"version,omitempty"`
}

KvV2PatchResponse struct for KvV2PatchResponse

type KvV2ReadConfigurationResponse ¶ added in v0.3.0 

type KvV2ReadConfigurationResponse struct {
	// If true, the backend will require the cas parameter to be set for each write
	CasRequired bool `json:"cas_required,omitempty"`

	// The length of time before a version is deleted.
	DeleteVersionAfter string `json:"delete_version_after,omitempty"`

	// The number of versions to keep for each key.
	MaxVersions int32 `json:"max_versions,omitempty"`
}

KvV2ReadConfigurationResponse struct for KvV2ReadConfigurationResponse

type KvV2ReadMetadataResponse ¶ added in v0.3.0 

type KvV2ReadMetadataResponse struct {
	CasRequired bool `json:"cas_required,omitempty"`

	CreatedTime time.Time `json:"created_time,omitempty"`

	CurrentVersion int64 `json:"current_version,omitempty"`

	// User-provided key-value pairs that are used to describe arbitrary and version-agnostic information about a secret.
	CustomMetadata map[string]interface{} `json:"custom_metadata,omitempty"`

	// The length of time before a version is deleted.
	DeleteVersionAfter string `json:"delete_version_after,omitempty"`

	// The number of versions to keep
	MaxVersions int64 `json:"max_versions,omitempty"`

	OldestVersion int64 `json:"oldest_version,omitempty"`

	UpdatedTime time.Time `json:"updated_time,omitempty"`

	Versions map[string]interface{} `json:"versions,omitempty"`
}

KvV2ReadMetadataResponse struct for KvV2ReadMetadataResponse

type KvV2ReadResponse ¶ added in v0.3.0 

type KvV2ReadResponse struct {
	Data map[string]interface{} `json:"data,omitempty"`

	Metadata map[string]interface{} `json:"metadata,omitempty"`
}

KvV2ReadResponse struct for KvV2ReadResponse

type KvV2ReadSubkeysResponse ¶ added in v0.3.0 

type KvV2ReadSubkeysResponse struct {
	Metadata map[string]interface{} `json:"metadata,omitempty"`

	Subkeys map[string]interface{} `json:"subkeys,omitempty"`
}

KvV2ReadSubkeysResponse struct for KvV2ReadSubkeysResponse

type KvV2UndeleteVersionsRequest ¶ added in v0.3.0 

type KvV2UndeleteVersionsRequest struct {
	// The versions to unarchive. The versions will be restored and their data will be returned on normal get requests.
	Versions []int32 `json:"versions,omitempty"`
}

KvV2UndeleteVersionsRequest struct for KvV2UndeleteVersionsRequest

type KvV2WriteMetadataRequest ¶ added in v0.3.0 

type KvV2WriteMetadataRequest struct {
	// If true the key will require the cas parameter to be set on all write requests. If false, the backend’s configuration will be used.
	CasRequired bool `json:"cas_required,omitempty"`

	// User-provided key-value pairs that are used to describe arbitrary and version-agnostic information about a secret.
	CustomMetadata map[string]interface{} `json:"custom_metadata,omitempty"`

	// The length of time before a version is deleted. If not set, the backend's configured delete_version_after is used. Cannot be greater than the backend's delete_version_after. A zero duration clears the current setting. A negative duration will cause an error.
	DeleteVersionAfter string `json:"delete_version_after,omitempty"`

	// The number of versions to keep. If not set, the backend’s configured max version is used.
	MaxVersions int32 `json:"max_versions,omitempty"`
}

KvV2WriteMetadataRequest struct for KvV2WriteMetadataRequest

type KvV2WriteRequest ¶ added in v0.3.0 

type KvV2WriteRequest struct {
	// The contents of the data map will be stored and returned on read.
	Data map[string]interface{} `json:"data,omitempty"`

	// Options for writing a KV entry. Set the \"cas\" value to use a Check-And-Set operation. If not set the write will be allowed. If set to 0 a write will only be allowed if the key doesn’t exist. If the index is non-zero the write will only be allowed if the key’s current version matches the version specified in the cas parameter.
	Options map[string]interface{} `json:"options,omitempty"`

	// If provided during a read, the value at the version number will be returned
	Version int32 `json:"version,omitempty"`
}

KvV2WriteRequest struct for KvV2WriteRequest

type KvV2WriteResponse ¶ added in v0.3.0 

type KvV2WriteResponse struct {
	CreatedTime time.Time `json:"created_time,omitempty"`

	CustomMetadata map[string]interface{} `json:"custom_metadata,omitempty"`

	DeletionTime string `json:"deletion_time,omitempty"`

	Destroyed bool `json:"destroyed,omitempty"`

	Version int64 `json:"version,omitempty"`
}

KvV2WriteResponse struct for KvV2WriteResponse

type LdapConfigureAuthRequest ¶ added in v0.3.0 

type LdapConfigureAuthRequest struct {
	// Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
	AnonymousGroupSearch bool `json:"anonymous_group_search,omitempty"`

	// LDAP DN for searching for the user DN (optional)
	Binddn string `json:"binddn,omitempty"`

	// LDAP password for searching for the user DN (optional)
	Bindpass string `json:"bindpass,omitempty"`

	// If true, case sensitivity will be used when comparing usernames and groups for matching policies.
	CaseSensitiveNames bool `json:"case_sensitive_names,omitempty"`

	// CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded (optional)
	Certificate string `json:"certificate,omitempty"`

	// Client certificate to provide to the LDAP server, must be x509 PEM encoded (optional)
	ClientTlsCert string `json:"client_tls_cert,omitempty"`

	// Client certificate key to provide to the LDAP server, must be x509 PEM encoded (optional)
	ClientTlsKey string `json:"client_tls_key,omitempty"`

	// Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.
	ConnectionTimeout string `json:"connection_timeout,omitempty"`

	// Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true
	DenyNullBind bool `json:"deny_null_bind,omitempty"`

	// When aliases should be dereferenced on search operations. Accepted values are 'never', 'finding', 'searching', 'always'. Defaults to 'never'.
	DereferenceAliases string `json:"dereference_aliases,omitempty"`

	// Use anonymous bind to discover the bind DN of a user (optional)
	Discoverdn bool `json:"discoverdn,omitempty"`

	// LDAP attribute to follow on objects returned by <groupfilter> in order to enumerate user group membership. Examples: \"cn\" or \"memberOf\", etc. Default: cn
	Groupattr string `json:"groupattr,omitempty"`

	// LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org)
	Groupdn string `json:"groupdn,omitempty"`

	// Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username Example: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
	Groupfilter string `json:"groupfilter,omitempty"`

	// Skip LDAP server SSL Certificate verification - VERY insecure (optional)
	InsecureTls bool `json:"insecure_tls,omitempty"`

	// If set to a value greater than 0, the LDAP backend will use the LDAP server's paged search control to request pages of up to the given size. This can be used to avoid hitting the LDAP server's maximum result size limit. Otherwise, the LDAP backend will not use the paged search control.
	MaxPageSize int32 `json:"max_page_size,omitempty"`

	// Timeout, in seconds, for the connection when making requests against the server before returning back an error.
	RequestTimeout string `json:"request_timeout,omitempty"`

	// Issue a StartTLS command after establishing unencrypted connection (optional)
	Starttls bool `json:"starttls,omitempty"`

	// Maximum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12'
	TlsMaxVersion string `json:"tls_max_version,omitempty"`

	// Minimum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12'
	TlsMinVersion string `json:"tls_min_version,omitempty"`

	// Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.
	TokenBoundCidrs []string `json:"token_bound_cidrs,omitempty"`

	// If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.
	TokenExplicitMaxTtl string `json:"token_explicit_max_ttl,omitempty"`

	// The maximum lifetime of the generated token
	TokenMaxTtl string `json:"token_max_ttl,omitempty"`

	// If true, the 'default' policy will not automatically be added to generated tokens
	TokenNoDefaultPolicy bool `json:"token_no_default_policy,omitempty"`

	// The maximum number of times a token may be used, a value of zero means unlimited
	TokenNumUses int32 `json:"token_num_uses,omitempty"`

	// If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").
	TokenPeriod string `json:"token_period,omitempty"`

	// Comma-separated list of policies. This will apply to all tokens generated by this auth method, in addition to any configured for specific users/groups.
	TokenPolicies []string `json:"token_policies,omitempty"`

	// The initial ttl of the token to generate
	TokenTtl string `json:"token_ttl,omitempty"`

	// The type of token to generate, service or batch
	TokenType string `json:"token_type,omitempty"`

	// Enables userPrincipalDomain login with [username]@UPNDomain (optional)
	Upndomain string `json:"upndomain,omitempty"`

	// LDAP URL to connect to (default: ldap://127.0.0.1). Multiple URLs can be specified by concatenating them with commas; they will be tried in-order.
	Url string `json:"url,omitempty"`

	// In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
	UsePre111GroupCnBehavior bool `json:"use_pre111_group_cn_behavior,omitempty"`

	// If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
	UseTokenGroups bool `json:"use_token_groups,omitempty"`

	// Attribute used for users (default: cn)
	Userattr string `json:"userattr,omitempty"`

	// LDAP domain to use for users (eg: ou=People,dc=example,dc=org)
	Userdn string `json:"userdn,omitempty"`

	// Go template for LDAP user search filer (optional) The template can access the following context variables: UserAttr, Username Default: ({{.UserAttr}}={{.Username}})
	Userfilter string `json:"userfilter,omitempty"`

	// If true, sets the alias name to the username
	UsernameAsAlias bool `json:"username_as_alias,omitempty"`
}

LdapConfigureAuthRequest struct for LdapConfigureAuthRequest

type LdapConfigureRequest ¶ added in v0.3.0 

type LdapConfigureRequest struct {
	// Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
	AnonymousGroupSearch bool `json:"anonymous_group_search,omitempty"`

	// LDAP DN for searching for the user DN (optional)
	Binddn string `json:"binddn,omitempty"`

	// LDAP password for searching for the user DN (optional)
	Bindpass string `json:"bindpass,omitempty"`

	// If true, case sensitivity will be used when comparing usernames and groups for matching policies.
	CaseSensitiveNames bool `json:"case_sensitive_names,omitempty"`

	// CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded (optional)
	Certificate string `json:"certificate,omitempty"`

	// Client certificate to provide to the LDAP server, must be x509 PEM encoded (optional)
	ClientTlsCert string `json:"client_tls_cert,omitempty"`

	// Client certificate key to provide to the LDAP server, must be x509 PEM encoded (optional)
	ClientTlsKey string `json:"client_tls_key,omitempty"`

	// Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.
	ConnectionTimeout string `json:"connection_timeout,omitempty"`

	// Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true
	DenyNullBind bool `json:"deny_null_bind,omitempty"`

	// When aliases should be dereferenced on search operations. Accepted values are 'never', 'finding', 'searching', 'always'. Defaults to 'never'.
	DereferenceAliases string `json:"dereference_aliases,omitempty"`

	// Use anonymous bind to discover the bind DN of a user (optional)
	Discoverdn bool `json:"discoverdn,omitempty"`

	// LDAP attribute to follow on objects returned by <groupfilter> in order to enumerate user group membership. Examples: \"cn\" or \"memberOf\", etc. Default: cn
	Groupattr string `json:"groupattr,omitempty"`

	// LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org)
	Groupdn string `json:"groupdn,omitempty"`

	// Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username Example: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
	Groupfilter string `json:"groupfilter,omitempty"`

	// Skip LDAP server SSL Certificate verification - VERY insecure (optional)
	InsecureTls bool `json:"insecure_tls,omitempty"`

	// The desired length of passwords that Vault generates.
	// Deprecated
	Length int32 `json:"length,omitempty"`

	// If set to a value greater than 0, the LDAP backend will use the LDAP server's paged search control to request pages of up to the given size. This can be used to avoid hitting the LDAP server's maximum result size limit. Otherwise, the LDAP backend will not use the paged search control.
	MaxPageSize int32 `json:"max_page_size,omitempty"`

	// The maximum password time-to-live.
	MaxTtl string `json:"max_ttl,omitempty"`

	// Password policy to use to generate passwords
	PasswordPolicy string `json:"password_policy,omitempty"`

	// Timeout, in seconds, for the connection when making requests against the server before returning back an error.
	RequestTimeout string `json:"request_timeout,omitempty"`

	// The desired LDAP schema used when modifying user account passwords.
	Schema string `json:"schema,omitempty"`

	// Issue a StartTLS command after establishing unencrypted connection (optional)
	Starttls bool `json:"starttls,omitempty"`

	// Maximum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12'
	TlsMaxVersion string `json:"tls_max_version,omitempty"`

	// Minimum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12'
	TlsMinVersion string `json:"tls_min_version,omitempty"`

	// The default password time-to-live.
	Ttl string `json:"ttl,omitempty"`

	// Enables userPrincipalDomain login with [username]@UPNDomain (optional)
	Upndomain string `json:"upndomain,omitempty"`

	// LDAP URL to connect to (default: ldap://127.0.0.1). Multiple URLs can be specified by concatenating them with commas; they will be tried in-order.
	Url string `json:"url,omitempty"`

	// In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
	UsePre111GroupCnBehavior bool `json:"use_pre111_group_cn_behavior,omitempty"`

	// If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
	UseTokenGroups bool `json:"use_token_groups,omitempty"`

	// Attribute used for users (default: cn)
	Userattr string `json:"userattr,omitempty"`

	// LDAP domain to use for users (eg: ou=People,dc=example,dc=org)
	Userdn string `json:"userdn,omitempty"`

	// Go template for LDAP user search filer (optional) The template can access the following context variables: UserAttr, Username Default: ({{.UserAttr}}={{.Username}})
	Userfilter string `json:"userfilter,omitempty"`

	// If true, sets the alias name to the username
	UsernameAsAlias bool `json:"username_as_alias,omitempty"`
}

LdapConfigureRequest struct for LdapConfigureRequest

type LdapLibraryCheckInRequest ¶ added in v0.3.0 

type LdapLibraryCheckInRequest struct {
	// The username/logon name for the service accounts to check in.
	ServiceAccountNames []string `json:"service_account_names,omitempty"`
}

LdapLibraryCheckInRequest struct for LdapLibraryCheckInRequest

type LdapLibraryCheckOutRequest ¶ added in v0.3.0 

type LdapLibraryCheckOutRequest struct {
	// The length of time before the check-out will expire, in seconds.
	Ttl string `json:"ttl,omitempty"`
}

LdapLibraryCheckOutRequest struct for LdapLibraryCheckOutRequest

type LdapLibraryConfigureRequest ¶ added in v0.3.0 

type LdapLibraryConfigureRequest struct {
	// Disable the default behavior of requiring that check-ins are performed by the entity that checked them out.
	DisableCheckInEnforcement bool `json:"disable_check_in_enforcement,omitempty"`

	// In seconds, the max amount of time a check-out's renewals should last. Defaults to 24 hours.
	MaxTtl string `json:"max_ttl,omitempty"`

	// The username/logon name for the service accounts with which this set will be associated.
	ServiceAccountNames []string `json:"service_account_names,omitempty"`

	// In seconds, the amount of time a check-out should last. Defaults to 24 hours.
	Ttl string `json:"ttl,omitempty"`
}

LdapLibraryConfigureRequest struct for LdapLibraryConfigureRequest

type LdapLibraryForceCheckInRequest ¶ added in v0.3.0 

type LdapLibraryForceCheckInRequest struct {
	// The username/logon name for the service accounts to check in.
	ServiceAccountNames []string `json:"service_account_names,omitempty"`
}

LdapLibraryForceCheckInRequest struct for LdapLibraryForceCheckInRequest

type LdapLoginRequest ¶ added in v0.3.0 

type LdapLoginRequest struct {
	// Password for this user.
	Password string `json:"password,omitempty"`
}

LdapLoginRequest struct for LdapLoginRequest

type LdapWriteDynamicRoleRequest ¶ added in v0.3.0 

type LdapWriteDynamicRoleRequest struct {
	// LDIF string used to create new entities within the LDAP system. This LDIF can be templated.
	CreationLdif string `json:"creation_ldif"`

	// Default TTL for dynamic credentials
	DefaultTtl string `json:"default_ttl,omitempty"`

	// LDIF string used to delete entities created within the LDAP system. This LDIF can be templated.
	DeletionLdif string `json:"deletion_ldif"`

	// Max TTL a dynamic credential can be extended to
	MaxTtl string `json:"max_ttl,omitempty"`

	// LDIF string used to rollback changes in the event of a failure to create credentials. This LDIF can be templated.
	RollbackLdif string `json:"rollback_ldif,omitempty"`

	// The template used to create a username
	UsernameTemplate string `json:"username_template,omitempty"`
}

LdapWriteDynamicRoleRequest struct for LdapWriteDynamicRoleRequest

type LdapWriteGroupRequest ¶ added in v0.3.0 

type LdapWriteGroupRequest struct {
	// Comma-separated list of policies associated to the group.
	Policies []string `json:"policies,omitempty"`
}

LdapWriteGroupRequest struct for LdapWriteGroupRequest

type LdapWriteStaticRoleRequest ¶ added in v0.3.0 

type LdapWriteStaticRoleRequest struct {
	// The distinguished name of the entry to manage.
	Dn string `json:"dn,omitempty"`

	// Period for automatic credential rotation of the given entry.
	RotationPeriod string `json:"rotation_period,omitempty"`

	// The username/logon name for the entry with which this role will be associated.
	Username string `json:"username,omitempty"`
}

LdapWriteStaticRoleRequest struct for LdapWriteStaticRoleRequest

type LdapWriteUserRequest ¶ added in v0.3.0 

type LdapWriteUserRequest struct {
	// Comma-separated list of additional groups associated with the user.
	Groups []string `json:"groups,omitempty"`

	// Comma-separated list of policies associated with the user.
	Policies []string `json:"policies,omitempty"`
}

LdapWriteUserRequest struct for LdapWriteUserRequest

type LeaderStatusResponse ¶ added in v0.3.0 

type LeaderStatusResponse struct {
	ActiveTime time.Time `json:"active_time,omitempty"`

	HaEnabled bool `json:"ha_enabled,omitempty"`

	IsSelf bool `json:"is_self,omitempty"`

	LastWal int64 `json:"last_wal,omitempty"`

	LeaderAddress string `json:"leader_address,omitempty"`

	LeaderClusterAddress string `json:"leader_cluster_address,omitempty"`

	PerformanceStandby bool `json:"performance_standby,omitempty"`

	PerformanceStandbyLastRemoteWal int64 `json:"performance_standby_last_remote_wal,omitempty"`

	RaftAppliedIndex int64 `json:"raft_applied_index,omitempty"`

	RaftCommittedIndex int64 `json:"raft_committed_index,omitempty"`
}

LeaderStatusResponse struct for LeaderStatusResponse

type LeasesCountResponse ¶ added in v0.3.0 

type LeasesCountResponse struct {
	// Number of matching leases per mount
	Counts int32 `json:"counts,omitempty"`

	// Number of matching leases
	LeaseCount int32 `json:"lease_count,omitempty"`
}

LeasesCountResponse struct for LeasesCountResponse

type LeasesListResponse ¶ added in v0.3.0 

type LeasesListResponse struct {
	// Number of matching leases per mount
	Counts int32 `json:"counts,omitempty"`

	// Number of matching leases
	LeaseCount int32 `json:"lease_count,omitempty"`
}

LeasesListResponse struct for LeasesListResponse

type LeasesLookUpResponse ¶ added in v0.3.0 

type LeasesLookUpResponse struct {
	// A list of lease ids
	Keys []string `json:"keys,omitempty"`
}

LeasesLookUpResponse struct for LeasesLookUpResponse

type LeasesReadLeaseRequest ¶ added in v0.3.0 

type LeasesReadLeaseRequest struct {
	// The lease identifier to renew. This is included with a lease.
	LeaseId string `json:"lease_id,omitempty"`
}

LeasesReadLeaseRequest struct for LeasesReadLeaseRequest

type LeasesReadLeaseResponse ¶ added in v0.3.0 

type LeasesReadLeaseResponse struct {
	// Optional lease expiry time
	ExpireTime time.Time `json:"expire_time,omitempty"`

	// Lease id
	Id string `json:"id,omitempty"`

	// Timestamp for the lease's issue time
	IssueTime time.Time `json:"issue_time,omitempty"`

	// Optional Timestamp of the last time the lease was renewed
	LastRenewal time.Time `json:"last_renewal,omitempty"`

	// True if the lease is able to be renewed
	Renewable bool `json:"renewable,omitempty"`

	// Time to Live set for the lease, returns 0 if unset
	Ttl int32 `json:"ttl,omitempty"`
}

LeasesReadLeaseResponse struct for LeasesReadLeaseResponse

type LeasesRenewLeaseRequest ¶ added in v0.3.0 

type LeasesRenewLeaseRequest struct {
	// The desired increment in seconds to the lease
	Increment string `json:"increment,omitempty"`

	// The lease identifier to renew. This is included with a lease.
	LeaseId string `json:"lease_id,omitempty"`
}

LeasesRenewLeaseRequest struct for LeasesRenewLeaseRequest

type LeasesRenewLeaseWithIdRequest ¶ added in v0.3.0 

type LeasesRenewLeaseWithIdRequest struct {
	// The desired increment in seconds to the lease
	Increment string `json:"increment,omitempty"`

	// The lease identifier to renew. This is included with a lease.
	LeaseId string `json:"lease_id,omitempty"`
}

LeasesRenewLeaseWithIdRequest struct for LeasesRenewLeaseWithIdRequest

type LeasesRevokeLeaseRequest ¶ added in v0.3.0 

type LeasesRevokeLeaseRequest struct {
	// The lease identifier to renew. This is included with a lease.
	LeaseId string `json:"lease_id,omitempty"`

	// Whether or not to perform the revocation synchronously
	Sync bool `json:"sync,omitempty"`
}

LeasesRevokeLeaseRequest struct for LeasesRevokeLeaseRequest

type LeasesRevokeLeaseWithIdRequest ¶ added in v0.3.0 

type LeasesRevokeLeaseWithIdRequest struct {
	// The lease identifier to renew. This is included with a lease.
	LeaseId string `json:"lease_id,omitempty"`

	// Whether or not to perform the revocation synchronously
	Sync bool `json:"sync,omitempty"`
}

LeasesRevokeLeaseWithIdRequest struct for LeasesRevokeLeaseWithIdRequest

type LeasesRevokeLeaseWithPrefixRequest ¶ added in v0.3.0 

type LeasesRevokeLeaseWithPrefixRequest struct {
	// Whether or not to perform the revocation synchronously
	Sync bool `json:"sync,omitempty"`
}

LeasesRevokeLeaseWithPrefixRequest struct for LeasesRevokeLeaseWithPrefixRequest

type LoggersUpdateVerbosityLevelForRequest ¶ added in v0.3.0 

type LoggersUpdateVerbosityLevelForRequest struct {
	// Log verbosity level. Supported values (in order of detail) are \"trace\", \"debug\", \"info\", \"warn\", and \"error\".
	Level string `json:"level,omitempty"`
}

LoggersUpdateVerbosityLevelForRequest struct for LoggersUpdateVerbosityLevelForRequest

type LoggersUpdateVerbosityLevelRequest ¶ added in v0.3.0 

type LoggersUpdateVerbosityLevelRequest struct {
	// Log verbosity level. Supported values (in order of detail) are \"trace\", \"debug\", \"info\", \"warn\", and \"error\".
	Level string `json:"level,omitempty"`
}

LoggersUpdateVerbosityLevelRequest struct for LoggersUpdateVerbosityLevelRequest

type MfaAdminDestroyTotpSecretRequest ¶ added in v0.3.0 

type MfaAdminDestroyTotpSecretRequest struct {
	// Identifier of the entity from which the MFA method secret needs to be removed.
	EntityId string `json:"entity_id"`

	// The unique identifier for this MFA method.
	MethodId string `json:"method_id"`
}

MfaAdminDestroyTotpSecretRequest struct for MfaAdminDestroyTotpSecretRequest

type MfaAdminGenerateTotpSecretRequest ¶ added in v0.3.0 

type MfaAdminGenerateTotpSecretRequest struct {
	// Entity ID on which the generated secret needs to get stored.
	EntityId string `json:"entity_id"`

	// The unique identifier for this MFA method.
	MethodId string `json:"method_id"`
}

MfaAdminGenerateTotpSecretRequest struct for MfaAdminGenerateTotpSecretRequest

type MfaCreateDuoMethodRequest ¶ added in v0.4.0 

type MfaCreateDuoMethodRequest struct {
	// API host name for Duo.
	ApiHostname string `json:"api_hostname,omitempty"`

	// Integration key for Duo.
	IntegrationKey string `json:"integration_key,omitempty"`

	// The unique name identifier for this MFA method.
	MethodName string `json:"method_name,omitempty"`

	// Push information for Duo.
	PushInfo string `json:"push_info,omitempty"`

	// Secret key for Duo.
	SecretKey string `json:"secret_key,omitempty"`

	// If true, the user is reminded to use the passcode upon MFA validation. This option does not enforce using the passcode. Defaults to false.
	UsePasscode bool `json:"use_passcode,omitempty"`

	// A template string for mapping Identity names to MFA method names. Values to subtitute should be placed in {{}}. For example, \"{{alias.name}}@example.com\". Currently-supported mappings: alias.name: The name returned by the mount configured via the mount_accessor parameter If blank, the Alias's name field will be used as-is.
	UsernameFormat string `json:"username_format,omitempty"`
}

MfaCreateDuoMethodRequest struct for MfaCreateDuoMethodRequest

type MfaCreateOktaMethodRequest ¶ added in v0.4.0 

type MfaCreateOktaMethodRequest struct {
	// Okta API key.
	ApiToken string `json:"api_token,omitempty"`

	// The base domain to use for the Okta API. When not specified in the configuration, \"okta.com\" is used.
	BaseUrl string `json:"base_url,omitempty"`

	// The unique name identifier for this MFA method.
	MethodName string `json:"method_name,omitempty"`

	// Name of the organization to be used in the Okta API.
	OrgName string `json:"org_name,omitempty"`

	// If true, the username will only match the primary email for the account. Defaults to false.
	PrimaryEmail bool `json:"primary_email,omitempty"`

	// (DEPRECATED) Use base_url instead.
	Production bool `json:"production,omitempty"`

	// A template string for mapping Identity names to MFA method names. Values to substitute should be placed in {{}}. For example, \"{{entity.name}}@example.com\". If blank, the Entity's name field will be used as-is.
	UsernameFormat string `json:"username_format,omitempty"`
}

MfaCreateOktaMethodRequest struct for MfaCreateOktaMethodRequest

type MfaCreatePingIdMethodRequest ¶ added in v0.4.0 

type MfaCreatePingIdMethodRequest struct {
	// The unique name identifier for this MFA method.
	MethodName string `json:"method_name,omitempty"`

	// The settings file provided by Ping, Base64-encoded. This must be a settings file suitable for third-party clients, not the PingID SDK or PingFederate.
	SettingsFileBase64 string `json:"settings_file_base64,omitempty"`

	// A template string for mapping Identity names to MFA method names. Values to subtitute should be placed in {{}}. For example, \"{{alias.name}}@example.com\". Currently-supported mappings: alias.name: The name returned by the mount configured via the mount_accessor parameter If blank, the Alias's name field will be used as-is.
	UsernameFormat string `json:"username_format,omitempty"`
}

MfaCreatePingIdMethodRequest struct for MfaCreatePingIdMethodRequest

type MfaCreateTotpMethodRequest ¶ added in v0.4.0 

type MfaCreateTotpMethodRequest struct {
	// The hashing algorithm used to generate the TOTP token. Options include SHA1, SHA256 and SHA512.
	Algorithm string `json:"algorithm,omitempty"`

	// The number of digits in the generated TOTP token. This value can either be 6 or 8.
	Digits int32 `json:"digits,omitempty"`

	// The name of the key's issuing organization.
	Issuer string `json:"issuer,omitempty"`

	// Determines the size in bytes of the generated key.
	KeySize int32 `json:"key_size,omitempty"`

	// Max number of allowed validation attempts.
	MaxValidationAttempts int32 `json:"max_validation_attempts,omitempty"`

	// The unique name identifier for this MFA method.
	MethodName string `json:"method_name,omitempty"`

	// The length of time used to generate a counter for the TOTP token calculation.
	Period string `json:"period,omitempty"`

	// The pixel size of the generated square QR code.
	QrSize int32 `json:"qr_size,omitempty"`

	// The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1.
	Skew int32 `json:"skew,omitempty"`
}

MfaCreateTotpMethodRequest struct for MfaCreateTotpMethodRequest

type MfaGenerateTotpSecretRequest ¶ added in v0.3.0 

type MfaGenerateTotpSecretRequest struct {
	// The unique identifier for this MFA method.
	MethodId string `json:"method_id"`
}

MfaGenerateTotpSecretRequest struct for MfaGenerateTotpSecretRequest

type MfaUpdateDuoMethodRequest ¶ added in v0.4.0 

type MfaUpdateDuoMethodRequest struct {
	// API host name for Duo.
	ApiHostname string `json:"api_hostname,omitempty"`

	// Integration key for Duo.
	IntegrationKey string `json:"integration_key,omitempty"`

	// The unique name identifier for this MFA method.
	MethodName string `json:"method_name,omitempty"`

	// Push information for Duo.
	PushInfo string `json:"push_info,omitempty"`

	// Secret key for Duo.
	SecretKey string `json:"secret_key,omitempty"`

	// If true, the user is reminded to use the passcode upon MFA validation. This option does not enforce using the passcode. Defaults to false.
	UsePasscode bool `json:"use_passcode,omitempty"`

	// A template string for mapping Identity names to MFA method names. Values to subtitute should be placed in {{}}. For example, \"{{alias.name}}@example.com\". Currently-supported mappings: alias.name: The name returned by the mount configured via the mount_accessor parameter If blank, the Alias's name field will be used as-is.
	UsernameFormat string `json:"username_format,omitempty"`
}

MfaUpdateDuoMethodRequest struct for MfaUpdateDuoMethodRequest

type MfaUpdateOktaMethodRequest ¶ added in v0.4.0 

type MfaUpdateOktaMethodRequest struct {
	// Okta API key.
	ApiToken string `json:"api_token,omitempty"`

	// The base domain to use for the Okta API. When not specified in the configuration, \"okta.com\" is used.
	BaseUrl string `json:"base_url,omitempty"`

	// The unique name identifier for this MFA method.
	MethodName string `json:"method_name,omitempty"`

	// Name of the organization to be used in the Okta API.
	OrgName string `json:"org_name,omitempty"`

	// If true, the username will only match the primary email for the account. Defaults to false.
	PrimaryEmail bool `json:"primary_email,omitempty"`

	// (DEPRECATED) Use base_url instead.
	Production bool `json:"production,omitempty"`

	// A template string for mapping Identity names to MFA method names. Values to substitute should be placed in {{}}. For example, \"{{entity.name}}@example.com\". If blank, the Entity's name field will be used as-is.
	UsernameFormat string `json:"username_format,omitempty"`
}

MfaUpdateOktaMethodRequest struct for MfaUpdateOktaMethodRequest

type MfaUpdatePingIdMethodRequest ¶ added in v0.4.0 

type MfaUpdatePingIdMethodRequest struct {
	// The unique name identifier for this MFA method.
	MethodName string `json:"method_name,omitempty"`

	// The settings file provided by Ping, Base64-encoded. This must be a settings file suitable for third-party clients, not the PingID SDK or PingFederate.
	SettingsFileBase64 string `json:"settings_file_base64,omitempty"`

	// A template string for mapping Identity names to MFA method names. Values to subtitute should be placed in {{}}. For example, \"{{alias.name}}@example.com\". Currently-supported mappings: alias.name: The name returned by the mount configured via the mount_accessor parameter If blank, the Alias's name field will be used as-is.
	UsernameFormat string `json:"username_format,omitempty"`
}

MfaUpdatePingIdMethodRequest struct for MfaUpdatePingIdMethodRequest

type MfaUpdateTotpMethodRequest ¶ added in v0.4.0 

type MfaUpdateTotpMethodRequest struct {
	// The hashing algorithm used to generate the TOTP token. Options include SHA1, SHA256 and SHA512.
	Algorithm string `json:"algorithm,omitempty"`

	// The number of digits in the generated TOTP token. This value can either be 6 or 8.
	Digits int32 `json:"digits,omitempty"`

	// The name of the key's issuing organization.
	Issuer string `json:"issuer,omitempty"`

	// Determines the size in bytes of the generated key.
	KeySize int32 `json:"key_size,omitempty"`

	// Max number of allowed validation attempts.
	MaxValidationAttempts int32 `json:"max_validation_attempts,omitempty"`

	// The unique name identifier for this MFA method.
	MethodName string `json:"method_name,omitempty"`

	// The length of time used to generate a counter for the TOTP token calculation.
	Period string `json:"period,omitempty"`

	// The pixel size of the generated square QR code.
	QrSize int32 `json:"qr_size,omitempty"`

	// The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1.
	Skew int32 `json:"skew,omitempty"`
}

MfaUpdateTotpMethodRequest struct for MfaUpdateTotpMethodRequest

type MfaValidateRequest ¶ added in v0.3.0 

type MfaValidateRequest struct {
	// A map from MFA method ID to a slice of passcodes or an empty slice if the method does not use passcodes
	MfaPayload map[string]interface{} `json:"mfa_payload"`

	// ID for this MFA request
	MfaRequestId string `json:"mfa_request_id"`
}

MfaValidateRequest struct for MfaValidateRequest

type MfaWriteLoginEnforcementRequest ¶ added in v0.3.0 

type MfaWriteLoginEnforcementRequest struct {
	// Array of auth mount accessor IDs
	AuthMethodAccessors []string `json:"auth_method_accessors,omitempty"`

	// Array of auth mount types
	AuthMethodTypes []string `json:"auth_method_types,omitempty"`

	// Array of identity entity IDs
	IdentityEntityIds []string `json:"identity_entity_ids,omitempty"`

	// Array of identity group IDs
	IdentityGroupIds []string `json:"identity_group_ids,omitempty"`

	// Array of Method IDs that determine what methods will be enforced
	MfaMethodIds []string `json:"mfa_method_ids"`
}

MfaWriteLoginEnforcementRequest struct for MfaWriteLoginEnforcementRequest

type MongoDbAtlasConfigureRequest ¶ added in v0.3.0 

type MongoDbAtlasConfigureRequest struct {
	// MongoDB Atlas Programmatic Private Key
	PrivateKey string `json:"private_key"`

	// MongoDB Atlas Programmatic Public Key
	PublicKey string `json:"public_key"`
}

MongoDbAtlasConfigureRequest struct for MongoDbAtlasConfigureRequest

type MongoDbAtlasWriteRoleRequest ¶ added in v0.3.0 

type MongoDbAtlasWriteRoleRequest struct {
	// Access list entry in CIDR notation to be added for the API key. Optional for organization and project keys.
	CidrBlocks []string `json:"cidr_blocks,omitempty"`

	// IP address to be added to the access list for the API key. Optional for organization and project keys.
	IpAddresses []string `json:"ip_addresses,omitempty"`

	// The maximum allowed lifetime of credentials issued using this role.
	MaxTtl string `json:"max_ttl,omitempty"`

	// Organization ID required for an organization API key
	OrganizationId string `json:"organization_id,omitempty"`

	// Project ID the project API key belongs to.
	ProjectId string `json:"project_id,omitempty"`

	// Roles assigned when an organization API Key is assigned to a project API key
	ProjectRoles []string `json:"project_roles,omitempty"`

	// List of roles that the API Key should be granted. A minimum of one role must be provided. Any roles provided must be valid for the assigned Project, required for organization and project keys.
	Roles []string `json:"roles"`

	// Duration in seconds after which the issued credential should expire. Defaults to 0, in which case the value will fallback to the system/mount defaults.
	Ttl string `json:"ttl,omitempty"`
}

MongoDbAtlasWriteRoleRequest struct for MongoDbAtlasWriteRoleRequest

type MountsEnableSecretsEngineRequest ¶ added in v0.3.0 

type MountsEnableSecretsEngineRequest struct {
	// Configuration for this mount, such as default_lease_ttl and max_lease_ttl.
	Config map[string]interface{} `json:"config,omitempty"`

	// User-friendly description for this mount.
	Description string `json:"description,omitempty"`

	// Whether to give the mount access to Vault's external entropy.
	ExternalEntropyAccess bool `json:"external_entropy_access,omitempty"`

	// Mark the mount as a local mount, which is not replicated and is unaffected by replication.
	Local bool `json:"local,omitempty"`

	// The options to pass into the backend. Should be a json object with string keys and values.
	Options map[string]interface{} `json:"options,omitempty"`

	// Name of the plugin to mount based from the name registered in the plugin catalog.
	PluginName string `json:"plugin_name,omitempty"`

	// The semantic version of the plugin to use, or image tag if oci_image is provided.
	PluginVersion string `json:"plugin_version,omitempty"`

	// Whether to turn on seal wrapping for the mount.
	SealWrap bool `json:"seal_wrap,omitempty"`

	// The type of the backend. Example: \"passthrough\"
	Type string `json:"type,omitempty"`
}

MountsEnableSecretsEngineRequest struct for MountsEnableSecretsEngineRequest

type MountsReadConfigurationResponse ¶ added in v0.3.0 

type MountsReadConfigurationResponse struct {
	Accessor string `json:"accessor,omitempty"`

	// Configuration for this mount, such as default_lease_ttl and max_lease_ttl.
	Config map[string]interface{} `json:"config,omitempty"`

	DeprecationStatus string `json:"deprecation_status,omitempty"`

	// User-friendly description for this mount.
	Description string `json:"description,omitempty"`

	ExternalEntropyAccess bool `json:"external_entropy_access,omitempty"`

	// Mark the mount as a local mount, which is not replicated and is unaffected by replication.
	Local bool `json:"local,omitempty"`

	// The options to pass into the backend. Should be a json object with string keys and values.
	Options map[string]interface{} `json:"options,omitempty"`

	// The semantic version of the plugin to use, or image tag if oci_image is provided.
	PluginVersion string `json:"plugin_version,omitempty"`

	RunningPluginVersion string `json:"running_plugin_version,omitempty"`

	RunningSha256 string `json:"running_sha256,omitempty"`

	// Whether to turn on seal wrapping for the mount.
	SealWrap bool `json:"seal_wrap,omitempty"`

	// The type of the backend. Example: \"passthrough\"
	Type string `json:"type,omitempty"`

	Uuid string `json:"uuid,omitempty"`
}

MountsReadConfigurationResponse struct for MountsReadConfigurationResponse

type MountsReadTuningInformationResponse ¶ added in v0.3.0 

type MountsReadTuningInformationResponse struct {
	AllowedManagedKeys []string `json:"allowed_managed_keys,omitempty"`

	// A list of headers to whitelist and allow a plugin to set on responses.
	AllowedResponseHeaders []string `json:"allowed_response_headers,omitempty"`

	AuditNonHmacRequestKeys []string `json:"audit_non_hmac_request_keys,omitempty"`

	AuditNonHmacResponseKeys []string `json:"audit_non_hmac_response_keys,omitempty"`

	// The default lease TTL for this mount.
	DefaultLeaseTtl int32 `json:"default_lease_ttl,omitempty"`

	// User-friendly description for this credential backend.
	Description string `json:"description,omitempty"`

	ExternalEntropyAccess bool `json:"external_entropy_access,omitempty"`

	ForceNoCache bool `json:"force_no_cache,omitempty"`

	ListingVisibility string `json:"listing_visibility,omitempty"`

	// The max lease TTL for this mount.
	MaxLeaseTtl int32 `json:"max_lease_ttl,omitempty"`

	// The options to pass into the backend. Should be a json object with string keys and values.
	Options map[string]interface{} `json:"options,omitempty"`

	PassthroughRequestHeaders []string `json:"passthrough_request_headers,omitempty"`

	// The semantic version of the plugin to use, or image tag if oci_image is provided.
	PluginVersion string `json:"plugin_version,omitempty"`

	// The type of token to issue (service or batch).
	TokenType string `json:"token_type,omitempty"`

	UserLockoutCounterResetDuration int64 `json:"user_lockout_counter_reset_duration,omitempty"`

	UserLockoutDisable bool `json:"user_lockout_disable,omitempty"`

	UserLockoutDuration int64 `json:"user_lockout_duration,omitempty"`

	UserLockoutThreshold int64 `json:"user_lockout_threshold,omitempty"`
}

MountsReadTuningInformationResponse struct for MountsReadTuningInformationResponse

type MountsTuneConfigurationParametersRequest ¶ added in v0.3.0 

type MountsTuneConfigurationParametersRequest struct {
	AllowedManagedKeys []string `json:"allowed_managed_keys,omitempty"`

	// A list of headers to whitelist and allow a plugin to set on responses.
	AllowedResponseHeaders []string `json:"allowed_response_headers,omitempty"`

	// The list of keys in the request data object that will not be HMAC'ed by audit devices.
	AuditNonHmacRequestKeys []string `json:"audit_non_hmac_request_keys,omitempty"`

	// The list of keys in the response data object that will not be HMAC'ed by audit devices.
	AuditNonHmacResponseKeys []string `json:"audit_non_hmac_response_keys,omitempty"`

	// The default lease TTL for this mount.
	DefaultLeaseTtl string `json:"default_lease_ttl,omitempty"`

	// User-friendly description for this credential backend.
	Description string `json:"description,omitempty"`

	// Determines the visibility of the mount in the UI-specific listing endpoint. Accepted value are 'unauth' and 'hidden', with the empty default (”) behaving like 'hidden'.
	ListingVisibility string `json:"listing_visibility,omitempty"`

	// The max lease TTL for this mount.
	MaxLeaseTtl string `json:"max_lease_ttl,omitempty"`

	// The options to pass into the backend. Should be a json object with string keys and values.
	Options map[string]interface{} `json:"options,omitempty"`

	// A list of headers to whitelist and pass from the request to the plugin.
	PassthroughRequestHeaders []string `json:"passthrough_request_headers,omitempty"`

	// The semantic version of the plugin to use, or image tag if oci_image is provided.
	PluginVersion string `json:"plugin_version,omitempty"`

	// The type of token to issue (service or batch).
	TokenType string `json:"token_type,omitempty"`

	// The user lockout configuration to pass into the backend. Should be a json object with string keys and values.
	UserLockoutConfig map[string]interface{} `json:"user_lockout_config,omitempty"`
}

MountsTuneConfigurationParametersRequest struct for MountsTuneConfigurationParametersRequest

type NomadConfigureAccessRequest ¶ added in v0.3.0 

type NomadConfigureAccessRequest struct {
	// Nomad server address
	Address string `json:"address,omitempty"`

	// CA certificate to use when verifying Nomad server certificate, must be x509 PEM encoded.
	CaCert string `json:"ca_cert,omitempty"`

	// Client certificate used for Nomad's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_key.
	ClientCert string `json:"client_cert,omitempty"`

	// Client key used for Nomad's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert.
	ClientKey string `json:"client_key,omitempty"`

	// Max length for name of generated Nomad tokens
	MaxTokenNameLength int32 `json:"max_token_name_length,omitempty"`

	// Token for API calls
	Token string `json:"token,omitempty"`
}

NomadConfigureAccessRequest struct for NomadConfigureAccessRequest

type NomadConfigureLeaseRequest ¶ added in v0.3.0 

type NomadConfigureLeaseRequest struct {
	// Duration after which the issued token should not be allowed to be renewed
	MaxTtl string `json:"max_ttl,omitempty"`

	// Duration before which the issued token needs renewal
	Ttl string `json:"ttl,omitempty"`
}

NomadConfigureLeaseRequest struct for NomadConfigureLeaseRequest

type NomadWriteRoleRequest ¶ 

type NomadWriteRoleRequest struct {
	// Boolean value describing if the token should be global or not. Defaults to false.
	Global bool `json:"global,omitempty"`

	// Comma-separated string or list of policies as previously created in Nomad. Required for 'client' token.
	Policies []string `json:"policies,omitempty"`

	// Which type of token to create: 'client' or 'management'. If a 'management' token, the \"policies\" parameter is not required. Defaults to 'client'.
	Type string `json:"type,omitempty"`
}

NomadWriteRoleRequest struct for NomadWriteRoleRequest

type OciConfigureRequest ¶ added in v0.3.0 

type OciConfigureRequest struct {
	// The tenancy id of the account.
	HomeTenancyId string `json:"home_tenancy_id,omitempty"`
}

OciConfigureRequest struct for OciConfigureRequest

type OciLoginRequest ¶ added in v0.3.0 

type OciLoginRequest struct {
	// The signed headers of the client
	RequestHeaders string `json:"request_headers,omitempty"`
}

OciLoginRequest struct for OciLoginRequest

type OciWriteRoleRequest ¶ added in v0.3.0 

type OciWriteRoleRequest struct {
	// A comma separated list of Group or Dynamic Group OCIDs that are allowed to take this role.
	OcidList []string `json:"ocid_list,omitempty"`

	// Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.
	TokenBoundCidrs []string `json:"token_bound_cidrs,omitempty"`

	// If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.
	TokenExplicitMaxTtl string `json:"token_explicit_max_ttl,omitempty"`

	// The maximum lifetime of the generated token
	TokenMaxTtl string `json:"token_max_ttl,omitempty"`

	// If true, the 'default' policy will not automatically be added to generated tokens
	TokenNoDefaultPolicy bool `json:"token_no_default_policy,omitempty"`

	// The maximum number of times a token may be used, a value of zero means unlimited
	TokenNumUses int32 `json:"token_num_uses,omitempty"`

	// If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").
	TokenPeriod string `json:"token_period,omitempty"`

	// Comma-separated list of policies
	TokenPolicies []string `json:"token_policies,omitempty"`

	// The initial ttl of the token to generate
	TokenTtl string `json:"token_ttl,omitempty"`

	// The type of token to generate, service or batch
	TokenType string `json:"token_type,omitempty"`
}

OciWriteRoleRequest struct for OciWriteRoleRequest

type OidcConfigureRequest ¶ added in v0.3.0 

type OidcConfigureRequest struct {
	// Issuer URL to be used in the iss claim of the token. If not set, Vault's app_addr will be used.
	Issuer string `json:"issuer,omitempty"`
}

OidcConfigureRequest struct for OidcConfigureRequest

type OidcIntrospectRequest ¶ added in v0.3.0 

type OidcIntrospectRequest struct {
	// Optional client_id to verify
	ClientId string `json:"client_id,omitempty"`

	// Token to verify
	Token string `json:"token,omitempty"`
}

OidcIntrospectRequest struct for OidcIntrospectRequest

type OidcProviderAuthorizeWithParametersRequest ¶ added in v0.4.0 

type OidcProviderAuthorizeWithParametersRequest struct {
	// The ID of the requesting client.
	ClientId string `json:"client_id"`

	// The code challenge derived from the code verifier.
	CodeChallenge string `json:"code_challenge,omitempty"`

	// The method that was used to derive the code challenge. The following methods are supported: 'S256', 'plain'. Defaults to 'plain'.
	CodeChallengeMethod string `json:"code_challenge_method,omitempty"`

	// The allowable elapsed time in seconds since the last time the end-user was actively authenticated.
	MaxAge int32 `json:"max_age,omitempty"`

	// The value that will be returned in the ID token nonce claim after a token exchange.
	Nonce string `json:"nonce,omitempty"`

	// The redirection URI to which the response will be sent.
	RedirectUri string `json:"redirect_uri"`

	// The OIDC authentication flow to be used. The following response types are supported: 'code'
	ResponseType string `json:"response_type"`

	// A space-delimited, case-sensitive list of scopes to be requested. The 'openid' scope is required.
	Scope string `json:"scope"`

	// The value used to maintain state between the authentication request and client.
	State string `json:"state,omitempty"`
}

OidcProviderAuthorizeWithParametersRequest struct for OidcProviderAuthorizeWithParametersRequest

type OidcProviderTokenRequest ¶ added in v0.3.0 

type OidcProviderTokenRequest struct {
	// The ID of the requesting client.
	ClientId string `json:"client_id,omitempty"`

	// The secret of the requesting client.
	ClientSecret string `json:"client_secret,omitempty"`

	// The authorization code received from the provider's authorization endpoint.
	Code string `json:"code"`

	// The code verifier associated with the authorization code.
	CodeVerifier string `json:"code_verifier,omitempty"`

	// The authorization grant type. The following grant types are supported: 'authorization_code'.
	GrantType string `json:"grant_type"`

	// The callback location where the authentication response was sent.
	RedirectUri string `json:"redirect_uri"`
}

OidcProviderTokenRequest struct for OidcProviderTokenRequest

type OidcRotateKeyRequest ¶ added in v0.3.0 

type OidcRotateKeyRequest struct {
	// Controls how long the public portion of a key will be available for verification after being rotated. Setting verification_ttl here will override the verification_ttl set on the key.
	VerificationTtl string `json:"verification_ttl,omitempty"`
}

OidcRotateKeyRequest struct for OidcRotateKeyRequest

type OidcWriteAssignmentRequest ¶ added in v0.3.0 

type OidcWriteAssignmentRequest struct {
	// Comma separated string or array of identity entity IDs
	EntityIds []string `json:"entity_ids,omitempty"`

	// Comma separated string or array of identity group IDs
	GroupIds []string `json:"group_ids,omitempty"`
}

OidcWriteAssignmentRequest struct for OidcWriteAssignmentRequest

type OidcWriteClientRequest ¶ added in v0.3.0 

type OidcWriteClientRequest struct {
	// The time-to-live for access tokens obtained by the client.
	AccessTokenTtl string `json:"access_token_ttl,omitempty"`

	// Comma separated string or array of assignment resources.
	Assignments []string `json:"assignments,omitempty"`

	// The client type based on its ability to maintain confidentiality of credentials. The following client types are supported: 'confidential', 'public'. Defaults to 'confidential'.
	ClientType string `json:"client_type,omitempty"`

	// The time-to-live for ID tokens obtained by the client.
	IdTokenTtl string `json:"id_token_ttl,omitempty"`

	// A reference to a named key resource. Cannot be modified after creation. Defaults to the 'default' key.
	Key string `json:"key,omitempty"`

	// Comma separated string or array of redirect URIs used by the client. One of these values must exactly match the redirect_uri parameter value used in each authentication request.
	RedirectUris []string `json:"redirect_uris,omitempty"`
}

OidcWriteClientRequest struct for OidcWriteClientRequest

type OidcWriteKeyRequest ¶ added in v0.3.0 

type OidcWriteKeyRequest struct {
	// Signing algorithm to use. This will default to RS256.
	Algorithm string `json:"algorithm,omitempty"`

	// Comma separated string or array of role client ids allowed to use this key for signing. If empty no roles are allowed. If \"*\" all roles are allowed.
	AllowedClientIds []string `json:"allowed_client_ids,omitempty"`

	// How often to generate a new keypair.
	RotationPeriod string `json:"rotation_period,omitempty"`

	// Controls how long the public portion of a key will be available for verification after being rotated.
	VerificationTtl string `json:"verification_ttl,omitempty"`
}

OidcWriteKeyRequest struct for OidcWriteKeyRequest

type OidcWriteProviderRequest ¶ added in v0.3.0 

type OidcWriteProviderRequest struct {
	// The client IDs that are permitted to use the provider
	AllowedClientIds []string `json:"allowed_client_ids,omitempty"`

	// Specifies what will be used for the iss claim of ID tokens.
	Issuer string `json:"issuer,omitempty"`

	// The scopes supported for requesting on the provider
	ScopesSupported []string `json:"scopes_supported,omitempty"`
}

OidcWriteProviderRequest struct for OidcWriteProviderRequest

type OidcWriteRoleRequest ¶ added in v0.3.0 

type OidcWriteRoleRequest struct {
	// Optional client_id
	ClientId string `json:"client_id,omitempty"`

	// The OIDC key to use for generating tokens. The specified key must already exist.
	Key string `json:"key"`

	// The template string to use for generating tokens. This may be in string-ified JSON or base64 format.
	Template string `json:"template,omitempty"`

	// TTL of the tokens generated against the role.
	Ttl string `json:"ttl,omitempty"`
}

OidcWriteRoleRequest struct for OidcWriteRoleRequest

type OidcWriteScopeRequest ¶ added in v0.3.0 

type OidcWriteScopeRequest struct {
	// The description of the scope
	Description string `json:"description,omitempty"`

	// The template string to use for the scope. This may be in string-ified JSON or base64 format.
	Template string `json:"template,omitempty"`
}

OidcWriteScopeRequest struct for OidcWriteScopeRequest

type OktaConfigureRequest ¶ added in v0.3.0 

type OktaConfigureRequest struct {
	// Okta API key.
	ApiToken string `json:"api_token,omitempty"`

	// The base domain to use for the Okta API. When not specified in the configuration, \"okta.com\" is used.
	BaseUrl string `json:"base_url,omitempty"`

	// When set true, requests by Okta for a MFA check will be bypassed. This also disallows certain status checks on the account, such as whether the password is expired.
	BypassOktaMfa bool `json:"bypass_okta_mfa,omitempty"`

	// Use \"token_max_ttl\" instead. If this and \"token_max_ttl\" are both specified, only \"token_max_ttl\" will be used.
	// Deprecated
	MaxTtl string `json:"max_ttl,omitempty"`

	// Name of the organization to be used in the Okta API.
	OrgName string `json:"org_name,omitempty"`

	// Use org_name instead.
	// Deprecated
	Organization string `json:"organization,omitempty"`

	// Use base_url instead.
	// Deprecated
	Production bool `json:"production,omitempty"`

	// Use api_token instead.
	// Deprecated
	Token string `json:"token,omitempty"`

	// Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.
	TokenBoundCidrs []string `json:"token_bound_cidrs,omitempty"`

	// If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.
	TokenExplicitMaxTtl string `json:"token_explicit_max_ttl,omitempty"`

	// The maximum lifetime of the generated token
	TokenMaxTtl string `json:"token_max_ttl,omitempty"`

	// If true, the 'default' policy will not automatically be added to generated tokens
	TokenNoDefaultPolicy bool `json:"token_no_default_policy,omitempty"`

	// The maximum number of times a token may be used, a value of zero means unlimited
	TokenNumUses int32 `json:"token_num_uses,omitempty"`

	// If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").
	TokenPeriod string `json:"token_period,omitempty"`

	// Comma-separated list of policies. This will apply to all tokens generated by this auth method, in addition to any configured for specific users/groups.
	TokenPolicies []string `json:"token_policies,omitempty"`

	// The initial ttl of the token to generate
	TokenTtl string `json:"token_ttl,omitempty"`

	// The type of token to generate, service or batch
	TokenType string `json:"token_type,omitempty"`

	// Use \"token_ttl\" instead. If this and \"token_ttl\" are both specified, only \"token_ttl\" will be used.
	// Deprecated
	Ttl string `json:"ttl,omitempty"`
}

OktaConfigureRequest struct for OktaConfigureRequest

type OktaLoginRequest ¶ 

type OktaLoginRequest struct {
	// Nonce provided if performing login that requires number verification challenge. Logins through the vault login CLI command will automatically generate a nonce.
	Nonce string `json:"nonce,omitempty"`

	// Password for this user.
	Password string `json:"password,omitempty"`

	// Preferred factor provider.
	Provider string `json:"provider,omitempty"`

	// TOTP passcode.
	Totp string `json:"totp,omitempty"`
}

OktaLoginRequest struct for OktaLoginRequest

type OktaWriteGroupRequest ¶ 

type OktaWriteGroupRequest struct {
	// Comma-separated list of policies associated to the group.
	Policies []string `json:"policies,omitempty"`
}

OktaWriteGroupRequest struct for OktaWriteGroupRequest

type OktaWriteUserRequest ¶ 

type OktaWriteUserRequest struct {
	// List of groups associated with the user.
	Groups []string `json:"groups,omitempty"`

	// List of policies associated with the user.
	Policies []string `json:"policies,omitempty"`
}

OktaWriteUserRequest struct for OktaWriteUserRequest

type PersonaCreateRequest ¶ added in v0.3.0 

type PersonaCreateRequest struct {
	// Entity ID to which this persona belongs to
	EntityId string `json:"entity_id,omitempty"`

	// ID of the persona
	Id string `json:"id,omitempty"`

	// Metadata to be associated with the persona. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault <command> <path> metadata=key1=value1 metadata=key2=value2
	Metadata map[string]interface{} `json:"metadata,omitempty"`

	// Mount accessor to which this persona belongs to
	MountAccessor string `json:"mount_accessor,omitempty"`

	// Name of the persona
	Name string `json:"name,omitempty"`
}

PersonaCreateRequest struct for PersonaCreateRequest

type PersonaUpdateByIdRequest ¶ added in v0.3.0 

type PersonaUpdateByIdRequest struct {
	// Entity ID to which this persona should be tied to
	EntityId string `json:"entity_id,omitempty"`

	// Metadata to be associated with the persona. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault <command> <path> metadata=key1=value1 metadata=key2=value2
	Metadata map[string]interface{} `json:"metadata,omitempty"`

	// Mount accessor to which this persona belongs to
	MountAccessor string `json:"mount_accessor,omitempty"`

	// Name of the persona
	Name string `json:"name,omitempty"`
}

PersonaUpdateByIdRequest struct for PersonaUpdateByIdRequest

type PkiConfigureAcmeRequest ¶ added in v0.4.0 

type PkiConfigureAcmeRequest struct {
	// whether the ExtKeyUsage field from a role is used, defaults to false meaning that certificate will be signed with ServerAuth.
	AllowRoleExtKeyUsage bool `json:"allow_role_ext_key_usage,omitempty"`

	// which issuers are allowed for use with ACME; by default, this will only be the primary (default) issuer
	AllowedIssuers []string `json:"allowed_issuers,omitempty"`

	// which roles are allowed for use with ACME; by default via '*', these will be all roles including sign-verbatim; when concrete role names are specified, any default_directory_policy role must be included to allow usage of the default acme directories under /pki/acme/directory and /pki/issuer/:issuer_id/acme/directory.
	AllowedRoles []string `json:"allowed_roles,omitempty"`

	// the policy to be used for non-role-qualified ACME requests; by default ACME issuance will be otherwise unrestricted, equivalent to the sign-verbatim endpoint; one may also specify a role to use as this policy, as \"role:<role_name>\", the specified role must be allowed by allowed_roles
	DefaultDirectoryPolicy string `json:"default_directory_policy,omitempty"`

	// DNS resolver to use for domain resolution on this mount. Defaults to using the default system resolver. Must be in the format <host>:<port>, with both parts mandatory.
	DnsResolver string `json:"dns_resolver,omitempty"`

	// Specify the policy to use for external account binding behaviour, 'not-required', 'new-account-required' or 'always-required'
	EabPolicy string `json:"eab_policy,omitempty"`

	// whether ACME is enabled, defaults to false meaning that clusters will by default not get ACME support
	Enabled bool `json:"enabled,omitempty"`
}

PkiConfigureAcmeRequest struct for PkiConfigureAcmeRequest

type PkiConfigureAutoTidyRequest ¶ added in v0.3.0 

type PkiConfigureAutoTidyRequest struct {
	// The amount of time that must pass after creation that an account with no orders is marked revoked, and the amount of time after being marked revoked or deactivated.
	AcmeAccountSafetyBuffer string `json:"acme_account_safety_buffer,omitempty"`

	// Set to true to enable automatic tidy operations.
	Enabled bool `json:"enabled,omitempty"`

	// Interval at which to run an auto-tidy operation. This is the time between tidy invocations (after one finishes to the start of the next). Running a manual tidy will reset this duration.
	IntervalDuration string `json:"interval_duration,omitempty"`

	// The amount of extra time that must have passed beyond issuer's expiration before it is removed from the backend storage. Defaults to 8760 hours (1 year).
	IssuerSafetyBuffer string `json:"issuer_safety_buffer,omitempty"`

	// This configures whether stored certificates are counted upon initialization of the backend, and whether during normal operation, a running count of certificates stored is maintained.
	MaintainStoredCertificateCounts bool `json:"maintain_stored_certificate_counts,omitempty"`

	// The amount of time to wait between processing certificates. This allows operators to change the execution profile of tidy to take consume less resources by slowing down how long it takes to run. Note that the entire list of certificates will be stored in memory during the entire tidy operation, but resources to read/process/update existing entries will be spread out over a greater period of time. By default this is zero seconds.
	PauseDuration string `json:"pause_duration,omitempty"`

	// This configures whether the stored certificate count is published to the metrics consumer. It does not affect if the stored certificate count is maintained, and if maintained, it will be available on the tidy-status endpoint.
	PublishStoredCertificateCountMetrics bool `json:"publish_stored_certificate_count_metrics,omitempty"`

	// The amount of time that must pass from the cross-cluster revocation request being initiated to when it will be slated for removal. Setting this too low may remove valid revocation requests before the owning cluster has a chance to process them, especially if the cluster is offline.
	RevocationQueueSafetyBuffer string `json:"revocation_queue_safety_buffer,omitempty"`

	// The amount of extra time that must have passed beyond certificate expiration before it is removed from the backend storage and/or revocation list. Defaults to 72 hours.
	SafetyBuffer string `json:"safety_buffer,omitempty"`

	// Set to true to enable tidying ACME accounts, orders and authorizations. ACME orders are tidied (deleted) safety_buffer after the certificate associated with them expires, or after the order and relevant authorizations have expired if no certificate was produced. Authorizations are tidied with the corresponding order. When a valid ACME Account is at least acme_account_safety_buffer old, and has no remaining orders associated with it, the account is marked as revoked. After another acme_account_safety_buffer has passed from the revocation or deactivation date, a revoked or deactivated ACME account is deleted.
	TidyAcme bool `json:"tidy_acme,omitempty"`

	// Set to true to enable tidying up the certificate store
	TidyCertStore bool `json:"tidy_cert_store,omitempty"`

	// Set to true to enable tidying up the cross-cluster revoked certificate store. Only runs on the active primary node.
	TidyCrossClusterRevokedCerts bool `json:"tidy_cross_cluster_revoked_certs,omitempty"`

	// Set to true to automatically remove expired issuers past the issuer_safety_buffer. No keys will be removed as part of this operation.
	TidyExpiredIssuers bool `json:"tidy_expired_issuers,omitempty"`

	// Set to true to move the legacy ca_bundle from /config/ca_bundle to /config/ca_bundle.bak. This prevents downgrades to pre-Vault 1.11 versions (as older PKI engines do not know about the new multi-issuer storage layout), but improves the performance on seal wrapped PKI mounts. This will only occur if at least issuer_safety_buffer time has occurred after the initial storage migration. This backup is saved in case of an issue in future migrations. Operators may consider removing it via sys/raw if they desire. The backup will be removed via a DELETE /root call, but note that this removes ALL issuers within the mount (and is thus not desirable in most operational scenarios).
	TidyMoveLegacyCaBundle bool `json:"tidy_move_legacy_ca_bundle,omitempty"`

	// Deprecated; synonym for 'tidy_revoked_certs
	TidyRevocationList bool `json:"tidy_revocation_list,omitempty"`

	// Set to true to remove stale revocation queue entries that haven't been confirmed by any active cluster. Only runs on the active primary node
	TidyRevocationQueue bool `json:"tidy_revocation_queue,omitempty"`

	// Set to true to validate issuer associations on revocation entries. This helps increase the performance of CRL building and OCSP responses.
	TidyRevokedCertIssuerAssociations bool `json:"tidy_revoked_cert_issuer_associations,omitempty"`

	// Set to true to expire all revoked and expired certificates, removing them both from the CRL and from storage. The CRL will be rotated if this causes any values to be removed.
	TidyRevokedCerts bool `json:"tidy_revoked_certs,omitempty"`
}

PkiConfigureAutoTidyRequest struct for PkiConfigureAutoTidyRequest

type PkiConfigureAutoTidyResponse ¶ added in v0.3.0 

type PkiConfigureAutoTidyResponse struct {
	// Safety buffer after creation after which accounts lacking orders are revoked
	AcmeAccountSafetyBuffer int32 `json:"acme_account_safety_buffer,omitempty"`

	// Specifies whether automatic tidy is enabled or not
	Enabled bool `json:"enabled,omitempty"`

	// Specifies the duration between automatic tidy operation
	IntervalDuration int32 `json:"interval_duration,omitempty"`

	// Issuer safety buffer
	IssuerSafetyBuffer int32 `json:"issuer_safety_buffer,omitempty"`

	MaintainStoredCertificateCounts bool `json:"maintain_stored_certificate_counts,omitempty"`

	// Duration to pause between tidying certificates
	PauseDuration string `json:"pause_duration,omitempty"`

	PublishStoredCertificateCountMetrics bool `json:"publish_stored_certificate_count_metrics,omitempty"`

	RevocationQueueSafetyBuffer int32 `json:"revocation_queue_safety_buffer,omitempty"`

	// Safety buffer time duration
	SafetyBuffer int32 `json:"safety_buffer,omitempty"`

	// Tidy Unused Acme Accounts, and Orders
	TidyAcme bool `json:"tidy_acme,omitempty"`

	// Specifies whether to tidy up the certificate store
	TidyCertStore bool `json:"tidy_cert_store,omitempty"`

	// Tidy the cross-cluster revoked certificate store
	TidyCrossClusterRevokedCerts bool `json:"tidy_cross_cluster_revoked_certs,omitempty"`

	// Specifies whether tidy expired issuers
	TidyExpiredIssuers bool `json:"tidy_expired_issuers,omitempty"`

	TidyMoveLegacyCaBundle bool `json:"tidy_move_legacy_ca_bundle,omitempty"`

	TidyRevocationQueue bool `json:"tidy_revocation_queue,omitempty"`

	// Specifies whether to associate revoked certificates with their corresponding issuers
	TidyRevokedCertIssuerAssociations bool `json:"tidy_revoked_cert_issuer_associations,omitempty"`

	// Specifies whether to remove all invalid and expired certificates from storage
	TidyRevokedCerts bool `json:"tidy_revoked_certs,omitempty"`
}

PkiConfigureAutoTidyResponse struct for PkiConfigureAutoTidyResponse

type PkiConfigureCaRequest ¶ added in v0.3.0 

type PkiConfigureCaRequest struct {
	// PEM-format, concatenated unencrypted secret key and certificate.
	PemBundle string `json:"pem_bundle,omitempty"`
}

PkiConfigureCaRequest struct for PkiConfigureCaRequest

type PkiConfigureCaResponse ¶ added in v0.3.0 

type PkiConfigureCaResponse struct {
	// Existing issuers specified as part of the import bundle of this request
	ExistingIssuers []string `json:"existing_issuers,omitempty"`

	// Existing keys specified as part of the import bundle of this request
	ExistingKeys []string `json:"existing_keys,omitempty"`

	// Net-new issuers imported as a part of this request
	ImportedIssuers []string `json:"imported_issuers,omitempty"`

	// Net-new keys imported as a part of this request
	ImportedKeys []string `json:"imported_keys,omitempty"`

	// A mapping of issuer_id to key_id for all issuers included in this request
	Mapping map[string]interface{} `json:"mapping,omitempty"`
}

PkiConfigureCaResponse struct for PkiConfigureCaResponse

type PkiConfigureClusterRequest ¶ added in v0.3.0 

type PkiConfigureClusterRequest struct {
	// Optional URI to this mount's AIA distribution point; may refer to an external non-Vault responder. This is for resolving AIA URLs and providing the {{cluster_aia_path}} template parameter and will not be used for other purposes. As such, unlike path above, this could safely be an insecure transit mechanism (like HTTP without TLS). For example: http://cdn.example.com/pr1/pki
	AiaPath string `json:"aia_path,omitempty"`

	// Canonical URI to this mount on this performance replication cluster's external address. This is for resolving AIA URLs and providing the {{cluster_path}} template parameter but might be used for other purposes in the future. This should only point back to this particular PR replica and should not ever point to another PR cluster. It may point to any node in the PR replica, including standby nodes, and need not always point to the active node. For example: https://pr1.vault.example.com:8200/v1/pki
	Path string `json:"path,omitempty"`
}

PkiConfigureClusterRequest struct for PkiConfigureClusterRequest

type PkiConfigureClusterResponse ¶ added in v0.3.0 

type PkiConfigureClusterResponse struct {
	// Optional URI to this mount's AIA distribution point; may refer to an external non-Vault responder. This is for resolving AIA URLs and providing the {{cluster_aia_path}} template parameter and will not be used for other purposes. As such, unlike path above, this could safely be an insecure transit mechanism (like HTTP without TLS). For example: http://cdn.example.com/pr1/pki
	AiaPath string `json:"aia_path,omitempty"`

	// Canonical URI to this mount on this performance replication cluster's external address. This is for resolving AIA URLs and providing the {{cluster_path}} template parameter but might be used for other purposes in the future. This should only point back to this particular PR replica and should not ever point to another PR cluster. It may point to any node in the PR replica, including standby nodes, and need not always point to the active node. For example: https://pr1.vault.example.com:8200/v1/pki
	Path string `json:"path,omitempty"`
}

PkiConfigureClusterResponse struct for PkiConfigureClusterResponse

type PkiConfigureCrlRequest ¶ added in v0.3.0 

type PkiConfigureCrlRequest struct {
	// If set to true, enables automatic rebuilding of the CRL
	AutoRebuild bool `json:"auto_rebuild,omitempty"`

	// The time before the CRL expires to automatically rebuild it, when enabled. Must be shorter than the CRL expiry. Defaults to 12h.
	AutoRebuildGracePeriod string `json:"auto_rebuild_grace_period,omitempty"`

	// Whether to enable a global, cross-cluster revocation queue. Must be used with auto_rebuild=true.
	CrossClusterRevocation bool `json:"cross_cluster_revocation,omitempty"`

	// The time between delta CRL rebuilds if a new revocation has occurred. Must be shorter than the CRL expiry. Defaults to 15m.
	DeltaRebuildInterval string `json:"delta_rebuild_interval,omitempty"`

	// If set to true, disables generating the CRL entirely.
	Disable bool `json:"disable,omitempty"`

	// Whether to enable delta CRLs between authoritative CRL rebuilds
	EnableDelta bool `json:"enable_delta,omitempty"`

	// The amount of time the generated CRL should be valid; defaults to 72 hours
	Expiry string `json:"expiry,omitempty"`

	// If set to true, ocsp unauthorized responses will be returned.
	OcspDisable bool `json:"ocsp_disable,omitempty"`

	// The amount of time an OCSP response will be valid (controls the NextUpdate field); defaults to 12 hours
	OcspExpiry string `json:"ocsp_expiry,omitempty"`

	// If set to true enables global replication of revocation entries, also enabling unified versions of OCSP and CRLs if their respective features are enabled. disable for CRLs and ocsp_disable for OCSP.
	UnifiedCrl bool `json:"unified_crl,omitempty"`

	// If set to true, existing CRL and OCSP paths will return the unified CRL instead of a response based on cluster-local data
	UnifiedCrlOnExistingPaths bool `json:"unified_crl_on_existing_paths,omitempty"`
}

PkiConfigureCrlRequest struct for PkiConfigureCrlRequest

type PkiConfigureCrlResponse ¶ added in v0.3.0 

type PkiConfigureCrlResponse struct {
	// If set to true, enables automatic rebuilding of the CRL
	AutoRebuild bool `json:"auto_rebuild,omitempty"`

	// The time before the CRL expires to automatically rebuild it, when enabled. Must be shorter than the CRL expiry. Defaults to 12h.
	AutoRebuildGracePeriod string `json:"auto_rebuild_grace_period,omitempty"`

	// Whether to enable a global, cross-cluster revocation queue. Must be used with auto_rebuild=true.
	CrossClusterRevocation bool `json:"cross_cluster_revocation,omitempty"`

	// The time between delta CRL rebuilds if a new revocation has occurred. Must be shorter than the CRL expiry. Defaults to 15m.
	DeltaRebuildInterval string `json:"delta_rebuild_interval,omitempty"`

	// If set to true, disables generating the CRL entirely.
	Disable bool `json:"disable,omitempty"`

	// Whether to enable delta CRLs between authoritative CRL rebuilds
	EnableDelta bool `json:"enable_delta,omitempty"`

	// The amount of time the generated CRL should be valid; defaults to 72 hours
	Expiry string `json:"expiry,omitempty"`

	// If set to true, ocsp unauthorized responses will be returned.
	OcspDisable bool `json:"ocsp_disable,omitempty"`

	// The amount of time an OCSP response will be valid (controls the NextUpdate field); defaults to 12 hours
	OcspExpiry string `json:"ocsp_expiry,omitempty"`

	// If set to true enables global replication of revocation entries, also enabling unified versions of OCSP and CRLs if their respective features are enabled. disable for CRLs and ocsp_disable for OCSP.
	UnifiedCrl bool `json:"unified_crl,omitempty"`

	// If set to true, existing CRL and OCSP paths will return the unified CRL instead of a response based on cluster-local data
	UnifiedCrlOnExistingPaths bool `json:"unified_crl_on_existing_paths,omitempty"`
}

PkiConfigureCrlResponse struct for PkiConfigureCrlResponse

type PkiConfigureIssuersRequest ¶ added in v0.3.0 

type PkiConfigureIssuersRequest struct {
	// Reference (name or identifier) to the default issuer.
	Default string `json:"default,omitempty"`

	// Whether the default issuer should automatically follow the latest generated or imported issuer. Defaults to false.
	DefaultFollowsLatestIssuer bool `json:"default_follows_latest_issuer,omitempty"`
}

PkiConfigureIssuersRequest struct for PkiConfigureIssuersRequest

type PkiConfigureIssuersResponse ¶ added in v0.3.0 

type PkiConfigureIssuersResponse struct {
	// Reference (name or identifier) to the default issuer.
	Default string `json:"default,omitempty"`

	// Whether the default issuer should automatically follow the latest generated or imported issuer. Defaults to false.
	DefaultFollowsLatestIssuer bool `json:"default_follows_latest_issuer,omitempty"`
}

PkiConfigureIssuersResponse struct for PkiConfigureIssuersResponse

type PkiConfigureKeysRequest ¶ added in v0.3.0 

type PkiConfigureKeysRequest struct {
	// Reference (name or identifier) of the default key.
	Default string `json:"default,omitempty"`
}

PkiConfigureKeysRequest struct for PkiConfigureKeysRequest

type PkiConfigureKeysResponse ¶ added in v0.3.0 

type PkiConfigureKeysResponse struct {
	// Reference (name or identifier) to the default issuer.
	Default string `json:"default,omitempty"`
}

PkiConfigureKeysResponse struct for PkiConfigureKeysResponse

type PkiConfigureUrlsRequest ¶ added in v0.3.0 

type PkiConfigureUrlsRequest struct {
	// Comma-separated list of URLs to be used for the CRL distribution points attribute. See also RFC 5280 Section 4.2.1.13.
	CrlDistributionPoints []string `json:"crl_distribution_points,omitempty"`

	// Whether or not to enabling templating of the above AIA fields. When templating is enabled the special values '{{issuer_id}}', '{{cluster_path}}', and '{{cluster_aia_path}}' are available, but the addresses are not checked for URI validity until issuance time. Using '{{cluster_path}}' requires /config/cluster's 'path' member to be set on all PR Secondary clusters and using '{{cluster_aia_path}}' requires /config/cluster's 'aia_path' member to be set on all PR secondary clusters.
	EnableTemplating bool `json:"enable_templating,omitempty"`

	// Comma-separated list of URLs to be used for the issuing certificate attribute. See also RFC 5280 Section 4.2.2.1.
	IssuingCertificates []string `json:"issuing_certificates,omitempty"`

	// Comma-separated list of URLs to be used for the OCSP servers attribute. See also RFC 5280 Section 4.2.2.1.
	OcspServers []string `json:"ocsp_servers,omitempty"`
}

PkiConfigureUrlsRequest struct for PkiConfigureUrlsRequest

type PkiConfigureUrlsResponse ¶ added in v0.3.0 

type PkiConfigureUrlsResponse struct {
	// Comma-separated list of URLs to be used for the CRL distribution points attribute. See also RFC 5280 Section 4.2.1.13.
	CrlDistributionPoints []string `json:"crl_distribution_points,omitempty"`

	// Whether or not to enabling templating of the above AIA fields. When templating is enabled the special values '{{issuer_id}}' and '{{cluster_path}}' are available, but the addresses are not checked for URI validity until issuance time. This requires /config/cluster's path to be set on all PR Secondary clusters.
	EnableTemplating bool `json:"enable_templating,omitempty"`

	// Comma-separated list of URLs to be used for the issuing certificate attribute. See also RFC 5280 Section 4.2.2.1.
	IssuingCertificates []string `json:"issuing_certificates,omitempty"`

	// Comma-separated list of URLs to be used for the OCSP servers attribute. See also RFC 5280 Section 4.2.2.1.
	OcspServers []string `json:"ocsp_servers,omitempty"`
}

PkiConfigureUrlsResponse struct for PkiConfigureUrlsResponse

type PkiCrossSignIntermediateRequest ¶ added in v0.3.0 

type PkiCrossSignIntermediateRequest struct {
	// Whether to add a Basic Constraints extension with CA: true. Only needed as a workaround in some compatibility scenarios with Active Directory Certificate Services.
	AddBasicConstraints bool `json:"add_basic_constraints,omitempty"`

	// The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses.
	AltNames string `json:"alt_names,omitempty"`

	// The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans.
	CommonName string `json:"common_name,omitempty"`

	// If set, Country will be set to this value.
	Country []string `json:"country,omitempty"`

	// If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).
	ExcludeCnFromSans bool `json:"exclude_cn_from_sans,omitempty"`

	// Must be \"internal\", \"exported\" or \"kms\". If set to \"exported\", the generated private key will be returned. This is your *only* chance to retrieve the private key!
	Exported string `json:"exported,omitempty"`

	// Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\", any private key and issuing cert will be appended to the certificate pem. If \"der\", the value will be base64 encoded. Defaults to \"pem\".
	Format string `json:"format,omitempty"`

	// The requested IP SANs, if any, in a comma-delimited list
	IpSans []string `json:"ip_sans,omitempty"`

	// The number of bits to use. Allowed values are 0 (universal default); with rsa key_type: 2048 (default), 3072, or 4096; with ec key_type: 224, 256 (default), 384, or 521; ignored with ed25519.
	KeyBits int32 `json:"key_bits,omitempty"`

	// Provide a name to the generated or existing key, the name must be unique across all keys and not be the reserved value 'default'
	KeyName string `json:"key_name,omitempty"`

	// Reference to a existing key; either \"default\" for the configured default key, an identifier or the name assigned to the key.
	KeyRef string `json:"key_ref,omitempty"`

	// The type of key to use; defaults to RSA. \"rsa\" \"ec\" and \"ed25519\" are the only valid values.
	KeyType string `json:"key_type,omitempty"`

	// If set, Locality will be set to this value.
	Locality []string `json:"locality,omitempty"`

	// The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_name is required. Ignored for other types.
	ManagedKeyId string `json:"managed_key_id,omitempty"`

	// The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_id is required. Ignored for other types.
	ManagedKeyName string `json:"managed_key_name,omitempty"`

	// Set the not after field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ
	NotAfter string `json:"not_after,omitempty"`

	// The duration before now which the certificate needs to be backdated by.
	NotBeforeDuration string `json:"not_before_duration,omitempty"`

	// If set, O (Organization) will be set to this value.
	Organization []string `json:"organization,omitempty"`

	// Requested other SANs, in an array with the format <oid>;UTF8:<utf8 string value> for each entry.
	OtherSans []string `json:"other_sans,omitempty"`

	// If set, OU (OrganizationalUnit) will be set to this value.
	Ou []string `json:"ou,omitempty"`

	// If set, Postal Code will be set to this value.
	PostalCode []string `json:"postal_code,omitempty"`

	// Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".
	PrivateKeyFormat string `json:"private_key_format,omitempty"`

	// If set, Province will be set to this value.
	Province []string `json:"province,omitempty"`

	// The Subject's requested serial number, if any. See RFC 4519 Section 2.31 'serialNumber' for a description of this field. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. This has no impact on the final certificate's Serial Number field.
	SerialNumber string `json:"serial_number,omitempty"`

	// The number of bits to use in the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for SHA-2-512. Defaults to 0 to automatically detect based on key length (SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).
	SignatureBits int32 `json:"signature_bits,omitempty"`

	// If set, Street Address will be set to this value.
	StreetAddress []string `json:"street_address,omitempty"`

	// The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.
	Ttl string `json:"ttl,omitempty"`

	// The requested URI SANs, if any, in a comma-delimited list.
	UriSans []string `json:"uri_sans,omitempty"`
}

PkiCrossSignIntermediateRequest struct for PkiCrossSignIntermediateRequest

type PkiCrossSignIntermediateResponse ¶ added in v0.3.0 

type PkiCrossSignIntermediateResponse struct {
	// Certificate signing request.
	Csr string `json:"csr,omitempty"`

	// Id of the key.
	KeyId string `json:"key_id,omitempty"`

	// Generated private key.
	PrivateKey string `json:"private_key,omitempty"`

	// Specifies the format used for marshaling the private key.
	PrivateKeyType string `json:"private_key_type,omitempty"`
}

PkiCrossSignIntermediateResponse struct for PkiCrossSignIntermediateResponse

type PkiGenerateEabKeyForIssuerAndRoleResponse ¶ added in v0.4.0 

type PkiGenerateEabKeyForIssuerAndRoleResponse struct {
	// The ACME directory to which the key belongs
	AcmeDirectory string `json:"acme_directory,omitempty"`

	// An RFC3339 formatted date time when the EAB token was created
	CreatedOn time.Time `json:"created_on,omitempty"`

	// The EAB key identifier
	Id string `json:"id,omitempty"`

	// The EAB hmac key
	Key string `json:"key,omitempty"`

	// The EAB key type
	KeyType string `json:"key_type,omitempty"`
}

PkiGenerateEabKeyForIssuerAndRoleResponse struct for PkiGenerateEabKeyForIssuerAndRoleResponse

type PkiGenerateEabKeyForIssuerResponse ¶ added in v0.4.0 

type PkiGenerateEabKeyForIssuerResponse struct {
	// The ACME directory to which the key belongs
	AcmeDirectory string `json:"acme_directory,omitempty"`

	// An RFC3339 formatted date time when the EAB token was created
	CreatedOn time.Time `json:"created_on,omitempty"`

	// The EAB key identifier
	Id string `json:"id,omitempty"`

	// The EAB hmac key
	Key string `json:"key,omitempty"`

	// The EAB key type
	KeyType string `json:"key_type,omitempty"`
}

PkiGenerateEabKeyForIssuerResponse struct for PkiGenerateEabKeyForIssuerResponse

type PkiGenerateEabKeyForRoleResponse ¶ added in v0.4.0 

type PkiGenerateEabKeyForRoleResponse struct {
	// The ACME directory to which the key belongs
	AcmeDirectory string `json:"acme_directory,omitempty"`

	// An RFC3339 formatted date time when the EAB token was created
	CreatedOn time.Time `json:"created_on,omitempty"`

	// The EAB key identifier
	Id string `json:"id,omitempty"`

	// The EAB hmac key
	Key string `json:"key,omitempty"`

	// The EAB key type
	KeyType string `json:"key_type,omitempty"`
}

PkiGenerateEabKeyForRoleResponse struct for PkiGenerateEabKeyForRoleResponse

type PkiGenerateEabKeyResponse ¶ added in v0.4.0 

type PkiGenerateEabKeyResponse struct {
	// The ACME directory to which the key belongs
	AcmeDirectory string `json:"acme_directory,omitempty"`

	// An RFC3339 formatted date time when the EAB token was created
	CreatedOn time.Time `json:"created_on,omitempty"`

	// The EAB key identifier
	Id string `json:"id,omitempty"`

	// The EAB hmac key
	Key string `json:"key,omitempty"`

	// The EAB key type
	KeyType string `json:"key_type,omitempty"`
}

PkiGenerateEabKeyResponse struct for PkiGenerateEabKeyResponse

type PkiGenerateExportedKeyRequest ¶ added in v0.3.0 

type PkiGenerateExportedKeyRequest struct {
	// The number of bits to use. Allowed values are 0 (universal default); with rsa key_type: 2048 (default), 3072, or 4096; with ec key_type: 224, 256 (default), 384, or 521; ignored with ed25519.
	KeyBits int32 `json:"key_bits,omitempty"`

	// Optional name to be used for this key
	KeyName string `json:"key_name,omitempty"`

	// The type of key to use; defaults to RSA. \"rsa\" \"ec\" and \"ed25519\" are the only valid values.
	KeyType string `json:"key_type,omitempty"`

	// The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_name is required. Ignored for other types.
	ManagedKeyId string `json:"managed_key_id,omitempty"`

	// The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_id is required. Ignored for other types.
	ManagedKeyName string `json:"managed_key_name,omitempty"`
}

PkiGenerateExportedKeyRequest struct for PkiGenerateExportedKeyRequest

type PkiGenerateExportedKeyResponse ¶ added in v0.3.0 

type PkiGenerateExportedKeyResponse struct {
	// ID assigned to this key.
	KeyId string `json:"key_id,omitempty"`

	// Name assigned to this key.
	KeyName string `json:"key_name,omitempty"`

	// The type of key to use; defaults to RSA. \"rsa\" \"ec\" and \"ed25519\" are the only valid values.
	KeyType string `json:"key_type,omitempty"`

	// The private key string
	PrivateKey string `json:"private_key,omitempty"`
}

PkiGenerateExportedKeyResponse struct for PkiGenerateExportedKeyResponse

type PkiGenerateIntermediateRequest ¶ added in v0.3.0 

type PkiGenerateIntermediateRequest struct {
	// Whether to add a Basic Constraints extension with CA: true. Only needed as a workaround in some compatibility scenarios with Active Directory Certificate Services.
	AddBasicConstraints bool `json:"add_basic_constraints,omitempty"`

	// The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses.
	AltNames string `json:"alt_names,omitempty"`

	// The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans.
	CommonName string `json:"common_name,omitempty"`

	// If set, Country will be set to this value.
	Country []string `json:"country,omitempty"`

	// If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).
	ExcludeCnFromSans bool `json:"exclude_cn_from_sans,omitempty"`

	// Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\", any private key and issuing cert will be appended to the certificate pem. If \"der\", the value will be base64 encoded. Defaults to \"pem\".
	Format string `json:"format,omitempty"`

	// The requested IP SANs, if any, in a comma-delimited list
	IpSans []string `json:"ip_sans,omitempty"`

	// The number of bits to use. Allowed values are 0 (universal default); with rsa key_type: 2048 (default), 3072, or 4096; with ec key_type: 224, 256 (default), 384, or 521; ignored with ed25519.
	KeyBits int32 `json:"key_bits,omitempty"`

	// Provide a name to the generated or existing key, the name must be unique across all keys and not be the reserved value 'default'
	KeyName string `json:"key_name,omitempty"`

	// Reference to a existing key; either \"default\" for the configured default key, an identifier or the name assigned to the key.
	KeyRef string `json:"key_ref,omitempty"`

	// The type of key to use; defaults to RSA. \"rsa\" \"ec\" and \"ed25519\" are the only valid values.
	KeyType string `json:"key_type,omitempty"`

	// If set, Locality will be set to this value.
	Locality []string `json:"locality,omitempty"`

	// The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_name is required. Ignored for other types.
	ManagedKeyId string `json:"managed_key_id,omitempty"`

	// The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_id is required. Ignored for other types.
	ManagedKeyName string `json:"managed_key_name,omitempty"`

	// Set the not after field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ
	NotAfter string `json:"not_after,omitempty"`

	// The duration before now which the certificate needs to be backdated by.
	NotBeforeDuration string `json:"not_before_duration,omitempty"`

	// If set, O (Organization) will be set to this value.
	Organization []string `json:"organization,omitempty"`

	// Requested other SANs, in an array with the format <oid>;UTF8:<utf8 string value> for each entry.
	OtherSans []string `json:"other_sans,omitempty"`

	// If set, OU (OrganizationalUnit) will be set to this value.
	Ou []string `json:"ou,omitempty"`

	// If set, Postal Code will be set to this value.
	PostalCode []string `json:"postal_code,omitempty"`

	// Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".
	PrivateKeyFormat string `json:"private_key_format,omitempty"`

	// If set, Province will be set to this value.
	Province []string `json:"province,omitempty"`

	// The Subject's requested serial number, if any. See RFC 4519 Section 2.31 'serialNumber' for a description of this field. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. This has no impact on the final certificate's Serial Number field.
	SerialNumber string `json:"serial_number,omitempty"`

	// The number of bits to use in the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for SHA-2-512. Defaults to 0 to automatically detect based on key length (SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).
	SignatureBits int32 `json:"signature_bits,omitempty"`

	// If set, Street Address will be set to this value.
	StreetAddress []string `json:"street_address,omitempty"`

	// The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.
	Ttl string `json:"ttl,omitempty"`

	// The requested URI SANs, if any, in a comma-delimited list.
	UriSans []string `json:"uri_sans,omitempty"`
}

PkiGenerateIntermediateRequest struct for PkiGenerateIntermediateRequest

type PkiGenerateIntermediateResponse ¶ added in v0.3.0 

type PkiGenerateIntermediateResponse struct {
	// Certificate signing request.
	Csr string `json:"csr,omitempty"`

	// Id of the key.
	KeyId string `json:"key_id,omitempty"`

	// Generated private key.
	PrivateKey string `json:"private_key,omitempty"`

	// Specifies the format used for marshaling the private key.
	PrivateKeyType string `json:"private_key_type,omitempty"`
}

PkiGenerateIntermediateResponse struct for PkiGenerateIntermediateResponse

type PkiGenerateInternalKeyRequest ¶ added in v0.3.0 

type PkiGenerateInternalKeyRequest struct {
	// The number of bits to use. Allowed values are 0 (universal default); with rsa key_type: 2048 (default), 3072, or 4096; with ec key_type: 224, 256 (default), 384, or 521; ignored with ed25519.
	KeyBits int32 `json:"key_bits,omitempty"`

	// Optional name to be used for this key
	KeyName string `json:"key_name,omitempty"`

	// The type of key to use; defaults to RSA. \"rsa\" \"ec\" and \"ed25519\" are the only valid values.
	KeyType string `json:"key_type,omitempty"`

	// The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_name is required. Ignored for other types.
	ManagedKeyId string `json:"managed_key_id,omitempty"`

	// The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_id is required. Ignored for other types.
	ManagedKeyName string `json:"managed_key_name,omitempty"`
}

PkiGenerateInternalKeyRequest struct for PkiGenerateInternalKeyRequest

type PkiGenerateInternalKeyResponse ¶ added in v0.3.0 

type PkiGenerateInternalKeyResponse struct {
	// ID assigned to this key.
	KeyId string `json:"key_id,omitempty"`

	// Name assigned to this key.
	KeyName string `json:"key_name,omitempty"`

	// The type of key to use; defaults to RSA. \"rsa\" \"ec\" and \"ed25519\" are the only valid values.
	KeyType string `json:"key_type,omitempty"`

	// The private key string
	PrivateKey string `json:"private_key,omitempty"`
}

PkiGenerateInternalKeyResponse struct for PkiGenerateInternalKeyResponse

type PkiGenerateKmsKeyRequest ¶ added in v0.3.0 

type PkiGenerateKmsKeyRequest struct {
	// The number of bits to use. Allowed values are 0 (universal default); with rsa key_type: 2048 (default), 3072, or 4096; with ec key_type: 224, 256 (default), 384, or 521; ignored with ed25519.
	KeyBits int32 `json:"key_bits,omitempty"`

	// Optional name to be used for this key
	KeyName string `json:"key_name,omitempty"`

	// The type of key to use; defaults to RSA. \"rsa\" \"ec\" and \"ed25519\" are the only valid values.
	KeyType string `json:"key_type,omitempty"`

	// The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_name is required. Ignored for other types.
	ManagedKeyId string `json:"managed_key_id,omitempty"`

	// The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_id is required. Ignored for other types.
	ManagedKeyName string `json:"managed_key_name,omitempty"`
}

PkiGenerateKmsKeyRequest struct for PkiGenerateKmsKeyRequest

type PkiGenerateKmsKeyResponse ¶ added in v0.3.0 

type PkiGenerateKmsKeyResponse struct {
	// ID assigned to this key.
	KeyId string `json:"key_id,omitempty"`

	// Name assigned to this key.
	KeyName string `json:"key_name,omitempty"`

	// The type of key to use; defaults to RSA. \"rsa\" \"ec\" and \"ed25519\" are the only valid values.
	KeyType string `json:"key_type,omitempty"`

	// The private key string
	PrivateKey string `json:"private_key,omitempty"`
}

PkiGenerateKmsKeyResponse struct for PkiGenerateKmsKeyResponse

type PkiGenerateRootRequest ¶ added in v0.3.0 

type PkiGenerateRootRequest struct {
	// The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses.
	AltNames string `json:"alt_names,omitempty"`

	// The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans.
	CommonName string `json:"common_name,omitempty"`

	// If set, Country will be set to this value.
	Country []string `json:"country,omitempty"`

	// If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).
	ExcludeCnFromSans bool `json:"exclude_cn_from_sans,omitempty"`

	// Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\", any private key and issuing cert will be appended to the certificate pem. If \"der\", the value will be base64 encoded. Defaults to \"pem\".
	Format string `json:"format,omitempty"`

	// The requested IP SANs, if any, in a comma-delimited list
	IpSans []string `json:"ip_sans,omitempty"`

	// Provide a name to the generated or existing issuer, the name must be unique across all issuers and not be the reserved value 'default'
	IssuerName string `json:"issuer_name,omitempty"`

	// The number of bits to use. Allowed values are 0 (universal default); with rsa key_type: 2048 (default), 3072, or 4096; with ec key_type: 224, 256 (default), 384, or 521; ignored with ed25519.
	KeyBits int32 `json:"key_bits,omitempty"`

	// Provide a name to the generated or existing key, the name must be unique across all keys and not be the reserved value 'default'
	KeyName string `json:"key_name,omitempty"`

	// Reference to a existing key; either \"default\" for the configured default key, an identifier or the name assigned to the key.
	KeyRef string `json:"key_ref,omitempty"`

	// The type of key to use; defaults to RSA. \"rsa\" \"ec\" and \"ed25519\" are the only valid values.
	KeyType string `json:"key_type,omitempty"`

	// If set, Locality will be set to this value.
	Locality []string `json:"locality,omitempty"`

	// The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_name is required. Ignored for other types.
	ManagedKeyId string `json:"managed_key_id,omitempty"`

	// The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_id is required. Ignored for other types.
	ManagedKeyName string `json:"managed_key_name,omitempty"`

	// The maximum allowable path length
	MaxPathLength int32 `json:"max_path_length,omitempty"`

	// Set the not after field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ
	NotAfter string `json:"not_after,omitempty"`

	// The duration before now which the certificate needs to be backdated by.
	NotBeforeDuration string `json:"not_before_duration,omitempty"`

	// If set, O (Organization) will be set to this value.
	Organization []string `json:"organization,omitempty"`

	// Requested other SANs, in an array with the format <oid>;UTF8:<utf8 string value> for each entry.
	OtherSans []string `json:"other_sans,omitempty"`

	// If set, OU (OrganizationalUnit) will be set to this value.
	Ou []string `json:"ou,omitempty"`

	// Domains for which this certificate is allowed to sign or issue child certificates. If set, all DNS names (subject and alt) on child certs must be exact matches or subsets of the given domains (see https://tools.ietf.org/html/rfc5280#section-4.2.1.10).
	PermittedDnsDomains []string `json:"permitted_dns_domains,omitempty"`

	// If set, Postal Code will be set to this value.
	PostalCode []string `json:"postal_code,omitempty"`

	// Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".
	PrivateKeyFormat string `json:"private_key_format,omitempty"`

	// If set, Province will be set to this value.
	Province []string `json:"province,omitempty"`

	// The Subject's requested serial number, if any. See RFC 4519 Section 2.31 'serialNumber' for a description of this field. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. This has no impact on the final certificate's Serial Number field.
	SerialNumber string `json:"serial_number,omitempty"`

	// The number of bits to use in the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for SHA-2-512. Defaults to 0 to automatically detect based on key length (SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).
	SignatureBits int32 `json:"signature_bits,omitempty"`

	// If set, Street Address will be set to this value.
	StreetAddress []string `json:"street_address,omitempty"`

	// The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.
	Ttl string `json:"ttl,omitempty"`

	// The requested URI SANs, if any, in a comma-delimited list.
	UriSans []string `json:"uri_sans,omitempty"`

	// Whether or not to use PSS signatures when using a RSA key-type issuer. Defaults to false.
	UsePss bool `json:"use_pss,omitempty"`
}

PkiGenerateRootRequest struct for PkiGenerateRootRequest

type PkiGenerateRootResponse ¶ added in v0.3.0 

type PkiGenerateRootResponse struct {
	// The generated self-signed CA certificate.
	Certificate string `json:"certificate,omitempty"`

	// The expiration of the given issuer.
	Expiration int64 `json:"expiration,omitempty"`

	// The ID of the issuer
	IssuerId string `json:"issuer_id,omitempty"`

	// The name of the issuer.
	IssuerName string `json:"issuer_name,omitempty"`

	// The issuing certificate authority.
	IssuingCa string `json:"issuing_ca,omitempty"`

	// The ID of the key.
	KeyId string `json:"key_id,omitempty"`

	// The key name if given.
	KeyName string `json:"key_name,omitempty"`

	// The private key if exported was specified.
	PrivateKey string `json:"private_key,omitempty"`

	// The requested Subject's named serial number.
	SerialNumber string `json:"serial_number,omitempty"`
}

PkiGenerateRootResponse struct for PkiGenerateRootResponse

type PkiImportKeyRequest ¶ added in v0.3.0 

type PkiImportKeyRequest struct {
	// Optional name to be used for this key
	KeyName string `json:"key_name,omitempty"`

	// PEM-format, unencrypted secret key
	PemBundle string `json:"pem_bundle,omitempty"`
}

PkiImportKeyRequest struct for PkiImportKeyRequest

type PkiImportKeyResponse ¶ added in v0.3.0 

type PkiImportKeyResponse struct {
	// ID assigned to this key.
	KeyId string `json:"key_id,omitempty"`

	// Name assigned to this key.
	KeyName string `json:"key_name,omitempty"`

	// The type of key to use; defaults to RSA. \"rsa\" \"ec\" and \"ed25519\" are the only valid values.
	KeyType string `json:"key_type,omitempty"`
}

PkiImportKeyResponse struct for PkiImportKeyResponse

type PkiIssueWithRoleRequest ¶ added in v0.3.0 

type PkiIssueWithRoleRequest struct {
	// The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.
	AltNames string `json:"alt_names,omitempty"`

	// The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address.
	CommonName string `json:"common_name,omitempty"`

	// If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).
	ExcludeCnFromSans bool `json:"exclude_cn_from_sans,omitempty"`

	// Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\", any private key and issuing cert will be appended to the certificate pem. If \"der\", the value will be base64 encoded. Defaults to \"pem\".
	Format string `json:"format,omitempty"`

	// The requested IP SANs, if any, in a comma-delimited list
	IpSans []string `json:"ip_sans,omitempty"`

	// Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.
	IssuerRef string `json:"issuer_ref,omitempty"`

	// Set the not after field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ
	NotAfter string `json:"not_after,omitempty"`

	// Requested other SANs, in an array with the format <oid>;UTF8:<utf8 string value> for each entry.
	OtherSans []string `json:"other_sans,omitempty"`

	// Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".
	PrivateKeyFormat string `json:"private_key_format,omitempty"`

	// Whether or not to remove self-signed CA certificates in the output of the ca_chain field.
	RemoveRootsFromChain bool `json:"remove_roots_from_chain,omitempty"`

	// The Subject's requested serial number, if any. See RFC 4519 Section 2.31 'serialNumber' for a description of this field. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. This has no impact on the final certificate's Serial Number field.
	SerialNumber string `json:"serial_number,omitempty"`

	// The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL.
	Ttl string `json:"ttl,omitempty"`

	// The requested URI SANs, if any, in a comma-delimited list.
	UriSans []string `json:"uri_sans,omitempty"`

	// The requested user_ids value to place in the subject, if any, in a comma-delimited list. Restricted by allowed_user_ids. Any values are added with OID 0.9.2342.19200300.100.1.1.
	UserIds []string `json:"user_ids,omitempty"`
}

PkiIssueWithRoleRequest struct for PkiIssueWithRoleRequest

type PkiIssueWithRoleResponse ¶ added in v0.3.0 

type PkiIssueWithRoleResponse struct {
	// Certificate Chain
	CaChain []string `json:"ca_chain,omitempty"`

	// Certificate
	Certificate string `json:"certificate,omitempty"`

	// Time of expiration
	Expiration int64 `json:"expiration,omitempty"`

	// Issuing Certificate Authority
	IssuingCa string `json:"issuing_ca,omitempty"`

	// Private key
	PrivateKey string `json:"private_key,omitempty"`

	// Private key type
	PrivateKeyType string `json:"private_key_type,omitempty"`

	// Serial Number
	SerialNumber string `json:"serial_number,omitempty"`
}

PkiIssueWithRoleResponse struct for PkiIssueWithRoleResponse

type PkiIssuerIssueWithRoleRequest ¶ added in v0.3.0 

type PkiIssuerIssueWithRoleRequest struct {
	// The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.
	AltNames string `json:"alt_names,omitempty"`

	// The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address.
	CommonName string `json:"common_name,omitempty"`

	// If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).
	ExcludeCnFromSans bool `json:"exclude_cn_from_sans,omitempty"`

	// Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\", any private key and issuing cert will be appended to the certificate pem. If \"der\", the value will be base64 encoded. Defaults to \"pem\".
	Format string `json:"format,omitempty"`

	// The requested IP SANs, if any, in a comma-delimited list
	IpSans []string `json:"ip_sans,omitempty"`

	// Set the not after field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ
	NotAfter string `json:"not_after,omitempty"`

	// Requested other SANs, in an array with the format <oid>;UTF8:<utf8 string value> for each entry.
	OtherSans []string `json:"other_sans,omitempty"`

	// Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".
	PrivateKeyFormat string `json:"private_key_format,omitempty"`

	// Whether or not to remove self-signed CA certificates in the output of the ca_chain field.
	RemoveRootsFromChain bool `json:"remove_roots_from_chain,omitempty"`

	// The Subject's requested serial number, if any. See RFC 4519 Section 2.31 'serialNumber' for a description of this field. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. This has no impact on the final certificate's Serial Number field.
	SerialNumber string `json:"serial_number,omitempty"`

	// The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL.
	Ttl string `json:"ttl,omitempty"`

	// The requested URI SANs, if any, in a comma-delimited list.
	UriSans []string `json:"uri_sans,omitempty"`

	// The requested user_ids value to place in the subject, if any, in a comma-delimited list. Restricted by allowed_user_ids. Any values are added with OID 0.9.2342.19200300.100.1.1.
	UserIds []string `json:"user_ids,omitempty"`
}

PkiIssuerIssueWithRoleRequest struct for PkiIssuerIssueWithRoleRequest

type PkiIssuerIssueWithRoleResponse ¶ added in v0.3.0 

type PkiIssuerIssueWithRoleResponse struct {
	// Certificate Chain
	CaChain []string `json:"ca_chain,omitempty"`

	// Certificate
	Certificate string `json:"certificate,omitempty"`

	// Time of expiration
	Expiration int64 `json:"expiration,omitempty"`

	// Issuing Certificate Authority
	IssuingCa string `json:"issuing_ca,omitempty"`

	// Private key
	PrivateKey string `json:"private_key,omitempty"`

	// Private key type
	PrivateKeyType string `json:"private_key_type,omitempty"`

	// Serial Number
	SerialNumber string `json:"serial_number,omitempty"`
}

PkiIssuerIssueWithRoleResponse struct for PkiIssuerIssueWithRoleResponse

type PkiIssuerReadCrlDeltaDerResponse ¶ added in v0.3.0 

type PkiIssuerReadCrlDeltaDerResponse struct {
	Crl string `json:"crl,omitempty"`
}

PkiIssuerReadCrlDeltaDerResponse struct for PkiIssuerReadCrlDeltaDerResponse

type PkiIssuerReadCrlDeltaPemResponse ¶ added in v0.3.0 

type PkiIssuerReadCrlDeltaPemResponse struct {
	Crl string `json:"crl,omitempty"`
}

PkiIssuerReadCrlDeltaPemResponse struct for PkiIssuerReadCrlDeltaPemResponse

type PkiIssuerReadCrlDeltaResponse ¶ added in v0.3.0 

type PkiIssuerReadCrlDeltaResponse struct {
	Crl string `json:"crl,omitempty"`
}

PkiIssuerReadCrlDeltaResponse struct for PkiIssuerReadCrlDeltaResponse

type PkiIssuerReadCrlDerResponse ¶ added in v0.3.0 

type PkiIssuerReadCrlDerResponse struct {
	Crl string `json:"crl,omitempty"`
}

PkiIssuerReadCrlDerResponse struct for PkiIssuerReadCrlDerResponse

type PkiIssuerReadCrlPemResponse ¶ added in v0.3.0 

type PkiIssuerReadCrlPemResponse struct {
	Crl string `json:"crl,omitempty"`
}

PkiIssuerReadCrlPemResponse struct for PkiIssuerReadCrlPemResponse

type PkiIssuerReadCrlResponse ¶ added in v0.3.0 

type PkiIssuerReadCrlResponse struct {
	Crl string `json:"crl,omitempty"`
}

PkiIssuerReadCrlResponse struct for PkiIssuerReadCrlResponse

type PkiIssuerResignCrlsRequest ¶ added in v0.3.0 

type PkiIssuerResignCrlsRequest struct {
	// The sequence number to be written within the CRL Number extension.
	CrlNumber int32 `json:"crl_number,omitempty"`

	// A list of PEM encoded CRLs to combine, originally signed by the requested issuer.
	Crls []string `json:"crls,omitempty"`

	// Using a zero or greater value specifies the base CRL revision number to encode within a Delta CRL indicator extension, otherwise the extension will not be added.
	DeltaCrlBaseNumber int32 `json:"delta_crl_base_number,omitempty"`

	// The format of the combined CRL, can be \"pem\" or \"der\". If \"der\", the value will be base64 encoded. Defaults to \"pem\".
	Format string `json:"format,omitempty"`

	// The amount of time the generated CRL should be valid; defaults to 72 hours.
	NextUpdate string `json:"next_update,omitempty"`
}

PkiIssuerResignCrlsRequest struct for PkiIssuerResignCrlsRequest

type PkiIssuerResignCrlsResponse ¶ added in v0.3.0 

type PkiIssuerResignCrlsResponse struct {
	// CRL
	Crl string `json:"crl,omitempty"`
}

PkiIssuerResignCrlsResponse struct for PkiIssuerResignCrlsResponse

type PkiIssuerSignIntermediateRequest ¶ added in v0.3.0 

type PkiIssuerSignIntermediateRequest struct {
	// The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses.
	AltNames string `json:"alt_names,omitempty"`

	// The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans.
	CommonName string `json:"common_name,omitempty"`

	// If set, Country will be set to this value.
	Country []string `json:"country,omitempty"`

	// PEM-format CSR to be signed.
	Csr string `json:"csr,omitempty"`

	// If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).
	ExcludeCnFromSans bool `json:"exclude_cn_from_sans,omitempty"`

	// Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\", any private key and issuing cert will be appended to the certificate pem. If \"der\", the value will be base64 encoded. Defaults to \"pem\".
	Format string `json:"format,omitempty"`

	// The requested IP SANs, if any, in a comma-delimited list
	IpSans []string `json:"ip_sans,omitempty"`

	// Provide a name to the generated or existing issuer, the name must be unique across all issuers and not be the reserved value 'default'
	IssuerName string `json:"issuer_name,omitempty"`

	// If set, Locality will be set to this value.
	Locality []string `json:"locality,omitempty"`

	// The maximum allowable path length
	MaxPathLength int32 `json:"max_path_length,omitempty"`

	// Set the not after field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ
	NotAfter string `json:"not_after,omitempty"`

	// The duration before now which the certificate needs to be backdated by.
	NotBeforeDuration string `json:"not_before_duration,omitempty"`

	// If set, O (Organization) will be set to this value.
	Organization []string `json:"organization,omitempty"`

	// Requested other SANs, in an array with the format <oid>;UTF8:<utf8 string value> for each entry.
	OtherSans []string `json:"other_sans,omitempty"`

	// If set, OU (OrganizationalUnit) will be set to this value.
	Ou []string `json:"ou,omitempty"`

	// Domains for which this certificate is allowed to sign or issue child certificates. If set, all DNS names (subject and alt) on child certs must be exact matches or subsets of the given domains (see https://tools.ietf.org/html/rfc5280#section-4.2.1.10).
	PermittedDnsDomains []string `json:"permitted_dns_domains,omitempty"`

	// If set, Postal Code will be set to this value.
	PostalCode []string `json:"postal_code,omitempty"`

	// Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".
	PrivateKeyFormat string `json:"private_key_format,omitempty"`

	// If set, Province will be set to this value.
	Province []string `json:"province,omitempty"`

	// The Subject's requested serial number, if any. See RFC 4519 Section 2.31 'serialNumber' for a description of this field. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. This has no impact on the final certificate's Serial Number field.
	SerialNumber string `json:"serial_number,omitempty"`

	// The number of bits to use in the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for SHA-2-512. Defaults to 0 to automatically detect based on key length (SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).
	SignatureBits int32 `json:"signature_bits,omitempty"`

	// Value for the Subject Key Identifier field (RFC 5280 Section 4.2.1.2). This value should ONLY be used when cross-signing to mimic the existing certificate's SKID value; this is necessary to allow certain TLS implementations (such as OpenSSL) which use SKID/AKID matches in chain building to restrict possible valid chains. Specified as a string in hex format. Default is empty, allowing Vault to automatically calculate the SKID according to method one in the above RFC section.
	Skid string `json:"skid,omitempty"`

	// If set, Street Address will be set to this value.
	StreetAddress []string `json:"street_address,omitempty"`

	// The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.
	Ttl string `json:"ttl,omitempty"`

	// The requested URI SANs, if any, in a comma-delimited list.
	UriSans []string `json:"uri_sans,omitempty"`

	// If true, then: 1) Subject information, including names and alternate names, will be preserved from the CSR rather than using values provided in the other parameters to this path; 2) Any key usages requested in the CSR will be added to the basic set of key usages used for CA certs signed by this path; for instance, the non-repudiation flag; 3) Extensions requested in the CSR will be copied into the issued certificate.
	UseCsrValues bool `json:"use_csr_values,omitempty"`

	// Whether or not to use PSS signatures when using a RSA key-type issuer. Defaults to false.
	UsePss bool `json:"use_pss,omitempty"`
}

PkiIssuerSignIntermediateRequest struct for PkiIssuerSignIntermediateRequest

type PkiIssuerSignIntermediateResponse ¶ added in v0.3.0 

type PkiIssuerSignIntermediateResponse struct {
	// CA Chain
	CaChain []string `json:"ca_chain,omitempty"`

	// Certificate
	Certificate string `json:"certificate,omitempty"`

	// Expiration Time
	Expiration int64 `json:"expiration,omitempty"`

	// Issuing CA
	IssuingCa string `json:"issuing_ca,omitempty"`

	// Serial Number
	SerialNumber string `json:"serial_number,omitempty"`
}

PkiIssuerSignIntermediateResponse struct for PkiIssuerSignIntermediateResponse

type PkiIssuerSignRevocationListRequest ¶ added in v0.3.0 

type PkiIssuerSignRevocationListRequest struct {
	// The sequence number to be written within the CRL Number extension.
	CrlNumber int32 `json:"crl_number,omitempty"`

	// Using a zero or greater value specifies the base CRL revision number to encode within a Delta CRL indicator extension, otherwise the extension will not be added.
	DeltaCrlBaseNumber int32 `json:"delta_crl_base_number,omitempty"`

	// A list of maps containing extensions with keys id (string), critical (bool), value (string)
	Extensions []map[string]interface{} `json:"extensions,omitempty"`

	// The format of the combined CRL, can be \"pem\" or \"der\". If \"der\", the value will be base64 encoded. Defaults to \"pem\".
	Format string `json:"format,omitempty"`

	// The amount of time the generated CRL should be valid; defaults to 72 hours.
	NextUpdate string `json:"next_update,omitempty"`

	// A list of maps containing the keys serial_number (string), revocation_time (string), and extensions (map with keys id (string), critical (bool), value (string))
	RevokedCerts []map[string]interface{} `json:"revoked_certs,omitempty"`
}

PkiIssuerSignRevocationListRequest struct for PkiIssuerSignRevocationListRequest

type PkiIssuerSignRevocationListResponse ¶ added in v0.3.0 

type PkiIssuerSignRevocationListResponse struct {
	// CRL
	Crl string `json:"crl,omitempty"`
}

PkiIssuerSignRevocationListResponse struct for PkiIssuerSignRevocationListResponse

type PkiIssuerSignSelfIssuedRequest ¶ added in v0.3.0 

type PkiIssuerSignSelfIssuedRequest struct {
	// PEM-format self-issued certificate to be signed.
	Certificate string `json:"certificate,omitempty"`

	// If true, require the public key algorithm of the signer to match that of the self issued certificate.
	RequireMatchingCertificateAlgorithms bool `json:"require_matching_certificate_algorithms,omitempty"`
}

PkiIssuerSignSelfIssuedRequest struct for PkiIssuerSignSelfIssuedRequest

type PkiIssuerSignSelfIssuedResponse ¶ added in v0.3.0 

type PkiIssuerSignSelfIssuedResponse struct {
	// Certificate
	Certificate string `json:"certificate,omitempty"`

	// Issuing CA
	IssuingCa string `json:"issuing_ca,omitempty"`
}

PkiIssuerSignSelfIssuedResponse struct for PkiIssuerSignSelfIssuedResponse

type PkiIssuerSignVerbatimRequest ¶ added in v0.3.0 

type PkiIssuerSignVerbatimRequest struct {
	// The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.
	AltNames string `json:"alt_names,omitempty"`

	// The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address.
	CommonName string `json:"common_name,omitempty"`

	// PEM-format CSR to be signed. Values will be taken verbatim from the CSR, except for basic constraints.
	Csr string `json:"csr,omitempty"`

	// If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).
	ExcludeCnFromSans bool `json:"exclude_cn_from_sans,omitempty"`

	// A comma-separated string or list of extended key usages. Valid values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage -- simply drop the \"ExtKeyUsage\" part of the name. To remove all key usages from being set, set this value to an empty list.
	ExtKeyUsage []string `json:"ext_key_usage,omitempty"`

	// A comma-separated string or list of extended key usage oids.
	ExtKeyUsageOids []string `json:"ext_key_usage_oids,omitempty"`

	// Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\", any private key and issuing cert will be appended to the certificate pem. If \"der\", the value will be base64 encoded. Defaults to \"pem\".
	Format string `json:"format,omitempty"`

	// The requested IP SANs, if any, in a comma-delimited list
	IpSans []string `json:"ip_sans,omitempty"`

	// A comma-separated string or list of key usages (not extended key usages). Valid values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage -- simply drop the \"KeyUsage\" part of the name. To remove all key usages from being set, set this value to an empty list.
	KeyUsage []string `json:"key_usage,omitempty"`

	// Set the not after field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ
	NotAfter string `json:"not_after,omitempty"`

	// Requested other SANs, in an array with the format <oid>;UTF8:<utf8 string value> for each entry.
	OtherSans []string `json:"other_sans,omitempty"`

	// Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".
	PrivateKeyFormat string `json:"private_key_format,omitempty"`

	// Whether or not to remove self-signed CA certificates in the output of the ca_chain field.
	RemoveRootsFromChain bool `json:"remove_roots_from_chain,omitempty"`

	// The Subject's requested serial number, if any. See RFC 4519 Section 2.31 'serialNumber' for a description of this field. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. This has no impact on the final certificate's Serial Number field.
	SerialNumber string `json:"serial_number,omitempty"`

	// The number of bits to use in the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for SHA-2-512. Defaults to 0 to automatically detect based on key length (SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).
	SignatureBits int32 `json:"signature_bits,omitempty"`

	// The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL.
	Ttl string `json:"ttl,omitempty"`

	// The requested URI SANs, if any, in a comma-delimited list.
	UriSans []string `json:"uri_sans,omitempty"`

	// Whether or not to use PSS signatures when using a RSA key-type issuer. Defaults to false.
	UsePss bool `json:"use_pss,omitempty"`

	// The requested user_ids value to place in the subject, if any, in a comma-delimited list. Restricted by allowed_user_ids. Any values are added with OID 0.9.2342.19200300.100.1.1.
	UserIds []string `json:"user_ids,omitempty"`
}

PkiIssuerSignVerbatimRequest struct for PkiIssuerSignVerbatimRequest

type PkiIssuerSignVerbatimResponse ¶ added in v0.3.0 

type PkiIssuerSignVerbatimResponse struct {
	// Certificate Chain
	CaChain []string `json:"ca_chain,omitempty"`

	// Certificate
	Certificate string `json:"certificate,omitempty"`

	// Time of expiration
	Expiration int64 `json:"expiration,omitempty"`

	// Issuing Certificate Authority
	IssuingCa string `json:"issuing_ca,omitempty"`

	// Serial Number
	SerialNumber string `json:"serial_number,omitempty"`
}

PkiIssuerSignVerbatimResponse struct for PkiIssuerSignVerbatimResponse

type PkiIssuerSignVerbatimWithRoleRequest ¶ added in v0.3.0 

type PkiIssuerSignVerbatimWithRoleRequest struct {
	// The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.
	AltNames string `json:"alt_names,omitempty"`

	// The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address.
	CommonName string `json:"common_name,omitempty"`

	// PEM-format CSR to be signed. Values will be taken verbatim from the CSR, except for basic constraints.
	Csr string `json:"csr,omitempty"`

	// If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).
	ExcludeCnFromSans bool `json:"exclude_cn_from_sans,omitempty"`

	// A comma-separated string or list of extended key usages. Valid values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage -- simply drop the \"ExtKeyUsage\" part of the name. To remove all key usages from being set, set this value to an empty list.
	ExtKeyUsage []string `json:"ext_key_usage,omitempty"`

	// A comma-separated string or list of extended key usage oids.
	ExtKeyUsageOids []string `json:"ext_key_usage_oids,omitempty"`

	// Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\", any private key and issuing cert will be appended to the certificate pem. If \"der\", the value will be base64 encoded. Defaults to \"pem\".
	Format string `json:"format,omitempty"`

	// The requested IP SANs, if any, in a comma-delimited list
	IpSans []string `json:"ip_sans,omitempty"`

	// A comma-separated string or list of key usages (not extended key usages). Valid values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage -- simply drop the \"KeyUsage\" part of the name. To remove all key usages from being set, set this value to an empty list.
	KeyUsage []string `json:"key_usage,omitempty"`

	// Set the not after field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ
	NotAfter string `json:"not_after,omitempty"`

	// Requested other SANs, in an array with the format <oid>;UTF8:<utf8 string value> for each entry.
	OtherSans []string `json:"other_sans,omitempty"`

	// Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".
	PrivateKeyFormat string `json:"private_key_format,omitempty"`

	// Whether or not to remove self-signed CA certificates in the output of the ca_chain field.
	RemoveRootsFromChain bool `json:"remove_roots_from_chain,omitempty"`

	// The Subject's requested serial number, if any. See RFC 4519 Section 2.31 'serialNumber' for a description of this field. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. This has no impact on the final certificate's Serial Number field.
	SerialNumber string `json:"serial_number,omitempty"`

	// The number of bits to use in the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for SHA-2-512. Defaults to 0 to automatically detect based on key length (SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).
	SignatureBits int32 `json:"signature_bits,omitempty"`

	// The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL.
	Ttl string `json:"ttl,omitempty"`

	// The requested URI SANs, if any, in a comma-delimited list.
	UriSans []string `json:"uri_sans,omitempty"`

	// Whether or not to use PSS signatures when using a RSA key-type issuer. Defaults to false.
	UsePss bool `json:"use_pss,omitempty"`

	// The requested user_ids value to place in the subject, if any, in a comma-delimited list. Restricted by allowed_user_ids. Any values are added with OID 0.9.2342.19200300.100.1.1.
	UserIds []string `json:"user_ids,omitempty"`
}

PkiIssuerSignVerbatimWithRoleRequest struct for PkiIssuerSignVerbatimWithRoleRequest

type PkiIssuerSignVerbatimWithRoleResponse ¶ added in v0.3.0 

type PkiIssuerSignVerbatimWithRoleResponse struct {
	// Certificate Chain
	CaChain []string `json:"ca_chain,omitempty"`

	// Certificate
	Certificate string `json:"certificate,omitempty"`

	// Time of expiration
	Expiration int64 `json:"expiration,omitempty"`

	// Issuing Certificate Authority
	IssuingCa string `json:"issuing_ca,omitempty"`

	// Serial Number
	SerialNumber string `json:"serial_number,omitempty"`
}

PkiIssuerSignVerbatimWithRoleResponse struct for PkiIssuerSignVerbatimWithRoleResponse

type PkiIssuerSignWithRoleRequest ¶ added in v0.3.0 

type PkiIssuerSignWithRoleRequest struct {
	// The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.
	AltNames string `json:"alt_names,omitempty"`

	// The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address.
	CommonName string `json:"common_name,omitempty"`

	// PEM-format CSR to be signed.
	Csr string `json:"csr,omitempty"`

	// If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).
	ExcludeCnFromSans bool `json:"exclude_cn_from_sans,omitempty"`

	// Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\", any private key and issuing cert will be appended to the certificate pem. If \"der\", the value will be base64 encoded. Defaults to \"pem\".
	Format string `json:"format,omitempty"`

	// The requested IP SANs, if any, in a comma-delimited list
	IpSans []string `json:"ip_sans,omitempty"`

	// Set the not after field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ
	NotAfter string `json:"not_after,omitempty"`

	// Requested other SANs, in an array with the format <oid>;UTF8:<utf8 string value> for each entry.
	OtherSans []string `json:"other_sans,omitempty"`

	// Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".
	PrivateKeyFormat string `json:"private_key_format,omitempty"`

	// Whether or not to remove self-signed CA certificates in the output of the ca_chain field.
	RemoveRootsFromChain bool `json:"remove_roots_from_chain,omitempty"`

	// The Subject's requested serial number, if any. See RFC 4519 Section 2.31 'serialNumber' for a description of this field. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. This has no impact on the final certificate's Serial Number field.
	SerialNumber string `json:"serial_number,omitempty"`

	// The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL.
	Ttl string `json:"ttl,omitempty"`

	// The requested URI SANs, if any, in a comma-delimited list.
	UriSans []string `json:"uri_sans,omitempty"`

	// The requested user_ids value to place in the subject, if any, in a comma-delimited list. Restricted by allowed_user_ids. Any values are added with OID 0.9.2342.19200300.100.1.1.
	UserIds []string `json:"user_ids,omitempty"`
}

PkiIssuerSignWithRoleRequest struct for PkiIssuerSignWithRoleRequest

type PkiIssuerSignWithRoleResponse ¶ added in v0.3.0 

type PkiIssuerSignWithRoleResponse struct {
	// Certificate Chain
	CaChain []string `json:"ca_chain,omitempty"`

	// Certificate
	Certificate string `json:"certificate,omitempty"`

	// Time of expiration
	Expiration int64 `json:"expiration,omitempty"`

	// Issuing Certificate Authority
	IssuingCa string `json:"issuing_ca,omitempty"`

	// Serial Number
	SerialNumber string `json:"serial_number,omitempty"`
}

PkiIssuerSignWithRoleResponse struct for PkiIssuerSignWithRoleResponse

type PkiIssuersGenerateIntermediateRequest ¶ added in v0.3.0 

type PkiIssuersGenerateIntermediateRequest struct {
	// Whether to add a Basic Constraints extension with CA: true. Only needed as a workaround in some compatibility scenarios with Active Directory Certificate Services.
	AddBasicConstraints bool `json:"add_basic_constraints,omitempty"`

	// The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses.
	AltNames string `json:"alt_names,omitempty"`

	// The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans.
	CommonName string `json:"common_name,omitempty"`

	// If set, Country will be set to this value.
	Country []string `json:"country,omitempty"`

	// If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).
	ExcludeCnFromSans bool `json:"exclude_cn_from_sans,omitempty"`

	// Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\", any private key and issuing cert will be appended to the certificate pem. If \"der\", the value will be base64 encoded. Defaults to \"pem\".
	Format string `json:"format,omitempty"`

	// The requested IP SANs, if any, in a comma-delimited list
	IpSans []string `json:"ip_sans,omitempty"`

	// The number of bits to use. Allowed values are 0 (universal default); with rsa key_type: 2048 (default), 3072, or 4096; with ec key_type: 224, 256 (default), 384, or 521; ignored with ed25519.
	KeyBits int32 `json:"key_bits,omitempty"`

	// Provide a name to the generated or existing key, the name must be unique across all keys and not be the reserved value 'default'
	KeyName string `json:"key_name,omitempty"`

	// Reference to a existing key; either \"default\" for the configured default key, an identifier or the name assigned to the key.
	KeyRef string `json:"key_ref,omitempty"`

	// The type of key to use; defaults to RSA. \"rsa\" \"ec\" and \"ed25519\" are the only valid values.
	KeyType string `json:"key_type,omitempty"`

	// If set, Locality will be set to this value.
	Locality []string `json:"locality,omitempty"`

	// The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_name is required. Ignored for other types.
	ManagedKeyId string `json:"managed_key_id,omitempty"`

	// The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_id is required. Ignored for other types.
	ManagedKeyName string `json:"managed_key_name,omitempty"`

	// Set the not after field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ
	NotAfter string `json:"not_after,omitempty"`

	// The duration before now which the certificate needs to be backdated by.
	NotBeforeDuration string `json:"not_before_duration,omitempty"`

	// If set, O (Organization) will be set to this value.
	Organization []string `json:"organization,omitempty"`

	// Requested other SANs, in an array with the format <oid>;UTF8:<utf8 string value> for each entry.
	OtherSans []string `json:"other_sans,omitempty"`

	// If set, OU (OrganizationalUnit) will be set to this value.
	Ou []string `json:"ou,omitempty"`

	// If set, Postal Code will be set to this value.
	PostalCode []string `json:"postal_code,omitempty"`

	// Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".
	PrivateKeyFormat string `json:"private_key_format,omitempty"`

	// If set, Province will be set to this value.
	Province []string `json:"province,omitempty"`

	// The Subject's requested serial number, if any. See RFC 4519 Section 2.31 'serialNumber' for a description of this field. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. This has no impact on the final certificate's Serial Number field.
	SerialNumber string `json:"serial_number,omitempty"`

	// The number of bits to use in the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for SHA-2-512. Defaults to 0 to automatically detect based on key length (SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).
	SignatureBits int32 `json:"signature_bits,omitempty"`

	// If set, Street Address will be set to this value.
	StreetAddress []string `json:"street_address,omitempty"`

	// The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.
	Ttl string `json:"ttl,omitempty"`

	// The requested URI SANs, if any, in a comma-delimited list.
	UriSans []string `json:"uri_sans,omitempty"`
}

PkiIssuersGenerateIntermediateRequest struct for PkiIssuersGenerateIntermediateRequest

type PkiIssuersGenerateIntermediateResponse ¶ added in v0.3.0 

type PkiIssuersGenerateIntermediateResponse struct {
	// Certificate signing request.
	Csr string `json:"csr,omitempty"`

	// Id of the key.
	KeyId string `json:"key_id,omitempty"`

	// Generated private key.
	PrivateKey string `json:"private_key,omitempty"`

	// Specifies the format used for marshaling the private key.
	PrivateKeyType string `json:"private_key_type,omitempty"`
}

PkiIssuersGenerateIntermediateResponse struct for PkiIssuersGenerateIntermediateResponse

type PkiIssuersGenerateRootRequest ¶ added in v0.3.0 

type PkiIssuersGenerateRootRequest struct {
	// The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses.
	AltNames string `json:"alt_names,omitempty"`

	// The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans.
	CommonName string `json:"common_name,omitempty"`

	// If set, Country will be set to this value.
	Country []string `json:"country,omitempty"`

	// If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).
	ExcludeCnFromSans bool `json:"exclude_cn_from_sans,omitempty"`

	// Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\", any private key and issuing cert will be appended to the certificate pem. If \"der\", the value will be base64 encoded. Defaults to \"pem\".
	Format string `json:"format,omitempty"`

	// The requested IP SANs, if any, in a comma-delimited list
	IpSans []string `json:"ip_sans,omitempty"`

	// Provide a name to the generated or existing issuer, the name must be unique across all issuers and not be the reserved value 'default'
	IssuerName string `json:"issuer_name,omitempty"`

	// The number of bits to use. Allowed values are 0 (universal default); with rsa key_type: 2048 (default), 3072, or 4096; with ec key_type: 224, 256 (default), 384, or 521; ignored with ed25519.
	KeyBits int32 `json:"key_bits,omitempty"`

	// Provide a name to the generated or existing key, the name must be unique across all keys and not be the reserved value 'default'
	KeyName string `json:"key_name,omitempty"`

	// Reference to a existing key; either \"default\" for the configured default key, an identifier or the name assigned to the key.
	KeyRef string `json:"key_ref,omitempty"`

	// The type of key to use; defaults to RSA. \"rsa\" \"ec\" and \"ed25519\" are the only valid values.
	KeyType string `json:"key_type,omitempty"`

	// If set, Locality will be set to this value.
	Locality []string `json:"locality,omitempty"`

	// The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_name is required. Ignored for other types.
	ManagedKeyId string `json:"managed_key_id,omitempty"`

	// The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_id is required. Ignored for other types.
	ManagedKeyName string `json:"managed_key_name,omitempty"`

	// The maximum allowable path length
	MaxPathLength int32 `json:"max_path_length,omitempty"`

	// Set the not after field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ
	NotAfter string `json:"not_after,omitempty"`

	// The duration before now which the certificate needs to be backdated by.
	NotBeforeDuration string `json:"not_before_duration,omitempty"`

	// If set, O (Organization) will be set to this value.
	Organization []string `json:"organization,omitempty"`

	// Requested other SANs, in an array with the format <oid>;UTF8:<utf8 string value> for each entry.
	OtherSans []string `json:"other_sans,omitempty"`

	// If set, OU (OrganizationalUnit) will be set to this value.
	Ou []string `json:"ou,omitempty"`

	// Domains for which this certificate is allowed to sign or issue child certificates. If set, all DNS names (subject and alt) on child certs must be exact matches or subsets of the given domains (see https://tools.ietf.org/html/rfc5280#section-4.2.1.10).
	PermittedDnsDomains []string `json:"permitted_dns_domains,omitempty"`

	// If set, Postal Code will be set to this value.
	PostalCode []string `json:"postal_code,omitempty"`

	// Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".
	PrivateKeyFormat string `json:"private_key_format,omitempty"`

	// If set, Province will be set to this value.
	Province []string `json:"province,omitempty"`

	// The Subject's requested serial number, if any. See RFC 4519 Section 2.31 'serialNumber' for a description of this field. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. This has no impact on the final certificate's Serial Number field.
	SerialNumber string `json:"serial_number,omitempty"`

	// The number of bits to use in the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for SHA-2-512. Defaults to 0 to automatically detect based on key length (SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).
	SignatureBits int32 `json:"signature_bits,omitempty"`

	// If set, Street Address will be set to this value.
	StreetAddress []string `json:"street_address,omitempty"`

	// The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.
	Ttl string `json:"ttl,omitempty"`

	// The requested URI SANs, if any, in a comma-delimited list.
	UriSans []string `json:"uri_sans,omitempty"`

	// Whether or not to use PSS signatures when using a RSA key-type issuer. Defaults to false.
	UsePss bool `json:"use_pss,omitempty"`
}

PkiIssuersGenerateRootRequest struct for PkiIssuersGenerateRootRequest

type PkiIssuersGenerateRootResponse ¶ added in v0.3.0 

type PkiIssuersGenerateRootResponse struct {
	// The generated self-signed CA certificate.
	Certificate string `json:"certificate,omitempty"`

	// The expiration of the given issuer.
	Expiration int64 `json:"expiration,omitempty"`

	// The ID of the issuer
	IssuerId string `json:"issuer_id,omitempty"`

	// The name of the issuer.
	IssuerName string `json:"issuer_name,omitempty"`

	// The issuing certificate authority.
	IssuingCa string `json:"issuing_ca,omitempty"`

	// The ID of the key.
	KeyId string `json:"key_id,omitempty"`

	// The key name if given.
	KeyName string `json:"key_name,omitempty"`

	// The private key if exported was specified.
	PrivateKey string `json:"private_key,omitempty"`

	// The requested Subject's named serial number.
	SerialNumber string `json:"serial_number,omitempty"`
}

PkiIssuersGenerateRootResponse struct for PkiIssuersGenerateRootResponse

type PkiIssuersImportBundleRequest ¶ added in v0.3.0 

type PkiIssuersImportBundleRequest struct {
	// PEM-format, concatenated unencrypted secret-key (optional) and certificates.
	PemBundle string `json:"pem_bundle,omitempty"`
}

PkiIssuersImportBundleRequest struct for PkiIssuersImportBundleRequest

type PkiIssuersImportBundleResponse ¶ added in v0.3.0 

type PkiIssuersImportBundleResponse struct {
	// Existing issuers specified as part of the import bundle of this request
	ExistingIssuers []string `json:"existing_issuers,omitempty"`

	// Existing keys specified as part of the import bundle of this request
	ExistingKeys []string `json:"existing_keys,omitempty"`

	// Net-new issuers imported as a part of this request
	ImportedIssuers []string `json:"imported_issuers,omitempty"`

	// Net-new keys imported as a part of this request
	ImportedKeys []string `json:"imported_keys,omitempty"`

	// A mapping of issuer_id to key_id for all issuers included in this request
	Mapping map[string]interface{} `json:"mapping,omitempty"`
}

PkiIssuersImportBundleResponse struct for PkiIssuersImportBundleResponse

type PkiIssuersImportCertRequest ¶ added in v0.3.0 

type PkiIssuersImportCertRequest struct {
	// PEM-format, concatenated unencrypted secret-key (optional) and certificates.
	PemBundle string `json:"pem_bundle,omitempty"`
}

PkiIssuersImportCertRequest struct for PkiIssuersImportCertRequest

type PkiIssuersImportCertResponse ¶ added in v0.3.0 

type PkiIssuersImportCertResponse struct {
	// Existing issuers specified as part of the import bundle of this request
	ExistingIssuers []string `json:"existing_issuers,omitempty"`

	// Existing keys specified as part of the import bundle of this request
	ExistingKeys []string `json:"existing_keys,omitempty"`

	// Net-new issuers imported as a part of this request
	ImportedIssuers []string `json:"imported_issuers,omitempty"`

	// Net-new keys imported as a part of this request
	ImportedKeys []string `json:"imported_keys,omitempty"`

	// A mapping of issuer_id to key_id for all issuers included in this request
	Mapping map[string]interface{} `json:"mapping,omitempty"`
}

PkiIssuersImportCertResponse struct for PkiIssuersImportCertResponse

type PkiListEabKeysResponse ¶ added in v0.4.0 

type PkiListEabKeysResponse struct {
	// EAB details keyed by the eab key id
	KeyInfo map[string]interface{} `json:"key_info,omitempty"`

	// A list of unused eab keys
	Keys []string `json:"keys,omitempty"`
}

PkiListEabKeysResponse struct for PkiListEabKeysResponse

type PkiListIssuersResponse ¶ added in v0.3.0 

type PkiListIssuersResponse struct {
	// Key info with issuer name
	KeyInfo map[string]interface{} `json:"key_info,omitempty"`

	// A list of keys
	Keys []string `json:"keys,omitempty"`
}

PkiListIssuersResponse struct for PkiListIssuersResponse

type PkiListKeysResponse ¶ added in v0.3.0 

type PkiListKeysResponse struct {
	// Key info with issuer name
	KeyInfo map[string]interface{} `json:"key_info,omitempty"`

	// A list of keys
	Keys []string `json:"keys,omitempty"`
}

PkiListKeysResponse struct for PkiListKeysResponse

type PkiPatchIssuerResponse ¶ added in v0.3.0 

type PkiPatchIssuerResponse struct {
	// CA Chain
	CaChain []string `json:"ca_chain,omitempty"`

	// Certificate
	Certificate string `json:"certificate,omitempty"`

	// CRL Distribution Points
	CrlDistributionPoints []string `json:"crl_distribution_points,omitempty"`

	// Whether or not templating is enabled for AIA fields
	EnableAiaUrlTemplating bool `json:"enable_aia_url_templating,omitempty"`

	// Issuer Id
	IssuerId string `json:"issuer_id,omitempty"`

	// Issuer Name
	IssuerName string `json:"issuer_name,omitempty"`

	// Issuing Certificates
	IssuingCertificates []string `json:"issuing_certificates,omitempty"`

	// Key Id
	KeyId string `json:"key_id,omitempty"`

	// Leaf Not After Behavior
	LeafNotAfterBehavior string `json:"leaf_not_after_behavior,omitempty"`

	// Manual Chain
	ManualChain []string `json:"manual_chain,omitempty"`

	// OCSP Servers
	OcspServers []string `json:"ocsp_servers,omitempty"`

	// Revocation Signature Alogrithm
	RevocationSignatureAlgorithm string `json:"revocation_signature_algorithm,omitempty"`

	RevocationTime int32 `json:"revocation_time,omitempty"`

	RevocationTimeRfc3339 string `json:"revocation_time_rfc3339,omitempty"`

	// Revoked
	Revoked bool `json:"revoked,omitempty"`

	// Usage
	Usage string `json:"usage,omitempty"`
}

PkiPatchIssuerResponse struct for PkiPatchIssuerResponse

type PkiPatchRoleResponse ¶ added in v0.3.0 

type PkiPatchRoleResponse struct {
	// If set, clients can request certificates for any domain, regardless of allowed_domains restrictions. See the documentation for more information.
	AllowAnyName bool `json:"allow_any_name,omitempty"`

	// If set, clients can request certificates for the base domains themselves, e.g. \"example.com\" of domains listed in allowed_domains. This is a separate option as in some cases this can be considered a security threat. See the documentation for more information.
	AllowBareDomains bool `json:"allow_bare_domains,omitempty"`

	// If set, domains specified in allowed_domains can include shell-style glob patterns, e.g. \"ftp*.example.com\". See the documentation for more information.
	AllowGlobDomains bool `json:"allow_glob_domains,omitempty"`

	// If set, IP Subject Alternative Names are allowed. Any valid IP is accepted and No authorization checking is performed.
	AllowIpSans bool `json:"allow_ip_sans,omitempty"`

	// Whether to allow \"localhost\" and \"localdomain\" as a valid common name in a request, independent of allowed_domains value.
	AllowLocalhost bool `json:"allow_localhost,omitempty"`

	// If set, clients can request certificates for subdomains of domains listed in allowed_domains, including wildcard subdomains. See the documentation for more information.
	AllowSubdomains bool `json:"allow_subdomains,omitempty"`

	// Whether to allow \"localhost\" and \"localdomain\" as a valid common name in a request, independent of allowed_domains value.
	AllowTokenDisplayname bool `json:"allow_token_displayname,omitempty"`

	// If set, allows certificates with wildcards in the common name to be issued, conforming to RFC 6125's Section 6.4.3; e.g., \"*.example.net\" or \"b*z.example.net\". See the documentation for more information.
	AllowWildcardCertificates bool `json:"allow_wildcard_certificates,omitempty"`

	// Specifies the domains this role is allowed to issue certificates for. This is used with the allow_bare_domains, allow_subdomains, and allow_glob_domains to determine matches for the common name, DNS-typed SAN entries, and Email-typed SAN entries of certificates. See the documentation for more information. This parameter accepts a comma-separated string or list of domains.
	AllowedDomains []string `json:"allowed_domains,omitempty"`

	// If set, Allowed domains can be specified using identity template policies. Non-templated domains are also permitted.
	AllowedDomainsTemplate bool `json:"allowed_domains_template,omitempty"`

	// If set, an array of allowed other names to put in SANs. These values support globbing and must be in the format <oid>;<type>:<value>. Currently only \"utf8\" is a valid type. All values, including globbing values, must use this syntax, with the exception being a single \"*\" which allows any OID and any value (but type must still be utf8).
	AllowedOtherSans []string `json:"allowed_other_sans,omitempty"`

	// If set, an array of allowed serial numbers to put in Subject. These values support globbing.
	AllowedSerialNumbers []string `json:"allowed_serial_numbers,omitempty"`

	// If set, an array of allowed URIs for URI Subject Alternative Names. Any valid URI is accepted, these values support globbing.
	AllowedUriSans []string `json:"allowed_uri_sans,omitempty"`

	// If set, Allowed URI SANs can be specified using identity template policies. Non-templated URI SANs are also permitted.
	AllowedUriSansTemplate bool `json:"allowed_uri_sans_template,omitempty"`

	// If set, an array of allowed user-ids to put in user system login name specified here: https://www.rfc-editor.org/rfc/rfc1274#section-9.3.1
	AllowedUserIds []string `json:"allowed_user_ids,omitempty"`

	// Mark Basic Constraints valid when issuing non-CA certificates.
	BasicConstraintsValidForNonCa bool `json:"basic_constraints_valid_for_non_ca,omitempty"`

	// If set, certificates are flagged for client auth use. Defaults to true. See also RFC 5280 Section 4.2.1.12.
	ClientFlag bool `json:"client_flag,omitempty"`

	// List of allowed validations to run against the Common Name field. Values can include 'email' to validate the CN is a email address, 'hostname' to validate the CN is a valid hostname (potentially including wildcards). When multiple validations are specified, these take OR semantics (either email OR hostname are allowed). The special value 'disabled' allows disabling all CN name validations, allowing for arbitrary non-Hostname, non-Email address CNs.
	CnValidations []string `json:"cn_validations,omitempty"`

	// If set, certificates are flagged for code signing use. Defaults to false. See also RFC 5280 Section 4.2.1.12.
	CodeSigningFlag bool `json:"code_signing_flag,omitempty"`

	// If set, Country will be set to this value in certificates issued by this role.
	Country []string `json:"country,omitempty"`

	// If set, certificates are flagged for email protection use. Defaults to false. See also RFC 5280 Section 4.2.1.12.
	EmailProtectionFlag bool `json:"email_protection_flag,omitempty"`

	// If set, only valid host names are allowed for CN and DNS SANs, and the host part of email addresses. Defaults to true.
	EnforceHostnames bool `json:"enforce_hostnames,omitempty"`

	// A comma-separated string or list of extended key usages. Valid values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage -- simply drop the \"ExtKeyUsage\" part of the name. To remove all key usages from being set, set this value to an empty list. See also RFC 5280 Section 4.2.1.12.
	ExtKeyUsage []string `json:"ext_key_usage,omitempty"`

	// A comma-separated string or list of extended key usage oids.
	ExtKeyUsageOids []string `json:"ext_key_usage_oids,omitempty"`

	// If set, certificates issued/signed against this role will have Vault leases attached to them. Defaults to \"false\". Certificates can be added to the CRL by \"vault revoke <lease_id>\" when certificates are associated with leases. It can also be done using the \"pki/revoke\" endpoint. However, when lease generation is disabled, invoking \"pki/revoke\" would be the only way to add the certificates to the CRL. When large number of certificates are generated with long lifetimes, it is recommended that lease generation be disabled, as large amount of leases adversely affect the startup time of Vault.
	GenerateLease bool `json:"generate_lease,omitempty"`

	// Reference to the issuer used to sign requests serviced by this role.
	IssuerRef string `json:"issuer_ref,omitempty"`

	// The number of bits to use. Allowed values are 0 (universal default); with rsa key_type: 2048 (default), 3072, or 4096; with ec key_type: 224, 256 (default), 384, or 521; ignored with ed25519.
	KeyBits int32 `json:"key_bits,omitempty"`

	// The type of key to use; defaults to RSA. \"rsa\" \"ec\", \"ed25519\" and \"any\" are the only valid values.
	KeyType string `json:"key_type,omitempty"`

	// A comma-separated string or list of key usages (not extended key usages). Valid values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage -- simply drop the \"KeyUsage\" part of the name. To remove all key usages from being set, set this value to an empty list. See also RFC 5280 Section 4.2.1.3.
	KeyUsage []string `json:"key_usage,omitempty"`

	// If set, Locality will be set to this value in certificates issued by this role.
	Locality []string `json:"locality,omitempty"`

	// The maximum allowed lease duration. If not set, defaults to the system maximum lease TTL.
	MaxTtl int64 `json:"max_ttl,omitempty"`

	// If set, certificates issued/signed against this role will not be stored in the storage backend. This can improve performance when issuing large numbers of certificates. However, certificates issued in this way cannot be enumerated or revoked, so this option is recommended only for certificates that are non-sensitive, or extremely short-lived. This option implies a value of \"false\" for \"generate_lease\".
	NoStore bool `json:"no_store,omitempty"`

	// Set the not after field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ.
	NotAfter string `json:"not_after,omitempty"`

	// The duration in seconds before now which the certificate needs to be backdated by.
	NotBeforeDuration int64 `json:"not_before_duration,omitempty"`

	// If set, O (Organization) will be set to this value in certificates issued by this role.
	Organization []string `json:"organization,omitempty"`

	// If set, OU (OrganizationalUnit) will be set to this value in certificates issued by this role.
	Ou []string `json:"ou,omitempty"`

	// A comma-separated string or list of policy OIDs, or a JSON list of qualified policy information, which must include an oid, and may include a notice and/or cps url, using the form [{\"oid\"=\"1.3.6.1.4.1.7.8\",\"notice\"=\"I am a user Notice\"}, {\"oid\"=\"1.3.6.1.4.1.44947.1.2.4 \",\"cps\"=\"https://example.com\"}].
	PolicyIdentifiers []string `json:"policy_identifiers,omitempty"`

	// If set, Postal Code will be set to this value in certificates issued by this role.
	PostalCode []string `json:"postal_code,omitempty"`

	// If set, Province will be set to this value in certificates issued by this role.
	Province []string `json:"province,omitempty"`

	// If set to false, makes the 'common_name' field optional while generating a certificate.
	RequireCn bool `json:"require_cn,omitempty"`

	// If set, certificates are flagged for server auth use. Defaults to true. See also RFC 5280 Section 4.2.1.12.
	ServerFlag bool `json:"server_flag,omitempty"`

	// The number of bits to use in the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for SHA-2-512. Defaults to 0 to automatically detect based on key length (SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).
	SignatureBits int32 `json:"signature_bits,omitempty"`

	// If set, Street Address will be set to this value in certificates issued by this role.
	StreetAddress []string `json:"street_address,omitempty"`

	// The lease duration (validity period of the certificate) if no specific lease duration is requested. The lease duration controls the expiration of certificates issued by this backend. Defaults to the system default value or the value of max_ttl, whichever is shorter.
	Ttl int64 `json:"ttl,omitempty"`

	// If set, when used with a signing profile, the common name in the CSR will be used. This does *not* include any requested Subject Alternative Names; use use_csr_sans for that. Defaults to true.
	UseCsrCommonName bool `json:"use_csr_common_name,omitempty"`

	// If set, when used with a signing profile, the SANs in the CSR will be used. This does *not* include the Common Name (cn); use use_csr_common_name for that. Defaults to true.
	UseCsrSans bool `json:"use_csr_sans,omitempty"`

	// Whether or not to use PSS signatures when using a RSA key-type issuer. Defaults to false.
	UsePss bool `json:"use_pss,omitempty"`
}

PkiPatchRoleResponse struct for PkiPatchRoleResponse

type PkiReadAutoTidyConfigurationResponse ¶ added in v0.3.0 

type PkiReadAutoTidyConfigurationResponse struct {
	// Safety buffer after creation after which accounts lacking orders are revoked
	AcmeAccountSafetyBuffer int32 `json:"acme_account_safety_buffer,omitempty"`

	// Specifies whether automatic tidy is enabled or not
	Enabled bool `json:"enabled,omitempty"`

	// Specifies the duration between automatic tidy operation
	IntervalDuration int32 `json:"interval_duration,omitempty"`

	// Issuer safety buffer
	IssuerSafetyBuffer int32 `json:"issuer_safety_buffer,omitempty"`

	MaintainStoredCertificateCounts bool `json:"maintain_stored_certificate_counts,omitempty"`

	// Duration to pause between tidying certificates
	PauseDuration string `json:"pause_duration,omitempty"`

	PublishStoredCertificateCountMetrics bool `json:"publish_stored_certificate_count_metrics,omitempty"`

	RevocationQueueSafetyBuffer int32 `json:"revocation_queue_safety_buffer,omitempty"`

	// Safety buffer time duration
	SafetyBuffer int32 `json:"safety_buffer,omitempty"`

	// Tidy Unused Acme Accounts, and Orders
	TidyAcme bool `json:"tidy_acme,omitempty"`

	// Specifies whether to tidy up the certificate store
	TidyCertStore bool `json:"tidy_cert_store,omitempty"`

	TidyCrossClusterRevokedCerts bool `json:"tidy_cross_cluster_revoked_certs,omitempty"`

	// Specifies whether tidy expired issuers
	TidyExpiredIssuers bool `json:"tidy_expired_issuers,omitempty"`

	TidyMoveLegacyCaBundle bool `json:"tidy_move_legacy_ca_bundle,omitempty"`

	TidyRevocationQueue bool `json:"tidy_revocation_queue,omitempty"`

	// Specifies whether to associate revoked certificates with their corresponding issuers
	TidyRevokedCertIssuerAssociations bool `json:"tidy_revoked_cert_issuer_associations,omitempty"`

	// Specifies whether to remove all invalid and expired certificates from storage
	TidyRevokedCerts bool `json:"tidy_revoked_certs,omitempty"`
}

PkiReadAutoTidyConfigurationResponse struct for PkiReadAutoTidyConfigurationResponse

type PkiReadCaChainPemResponse ¶ added in v0.3.0 

type PkiReadCaChainPemResponse struct {
	// Issuing CA Chain
	CaChain string `json:"ca_chain,omitempty"`

	// Certificate
	Certificate string `json:"certificate,omitempty"`

	// ID of the issuer
	IssuerId string `json:"issuer_id,omitempty"`

	// Revocation time
	RevocationTime int64 `json:"revocation_time,omitempty"`

	// Revocation time RFC 3339 formatted
	RevocationTimeRfc3339 string `json:"revocation_time_rfc3339,omitempty"`
}

PkiReadCaChainPemResponse struct for PkiReadCaChainPemResponse

type PkiReadCaDerResponse ¶ added in v0.3.0 

type PkiReadCaDerResponse struct {
	// Issuing CA Chain
	CaChain string `json:"ca_chain,omitempty"`

	// Certificate
	Certificate string `json:"certificate,omitempty"`

	// ID of the issuer
	IssuerId string `json:"issuer_id,omitempty"`

	// Revocation time
	RevocationTime int64 `json:"revocation_time,omitempty"`

	// Revocation time RFC 3339 formatted
	RevocationTimeRfc3339 string `json:"revocation_time_rfc3339,omitempty"`
}

PkiReadCaDerResponse struct for PkiReadCaDerResponse

type PkiReadCaPemResponse ¶ added in v0.3.0 

type PkiReadCaPemResponse struct {
	// Issuing CA Chain
	CaChain string `json:"ca_chain,omitempty"`

	// Certificate
	Certificate string `json:"certificate,omitempty"`

	// ID of the issuer
	IssuerId string `json:"issuer_id,omitempty"`

	// Revocation time
	RevocationTime int64 `json:"revocation_time,omitempty"`

	// Revocation time RFC 3339 formatted
	RevocationTimeRfc3339 string `json:"revocation_time_rfc3339,omitempty"`
}

PkiReadCaPemResponse struct for PkiReadCaPemResponse

type PkiReadCertCaChainResponse ¶ added in v0.3.0 

type PkiReadCertCaChainResponse struct {
	// Issuing CA Chain
	CaChain string `json:"ca_chain,omitempty"`

	// Certificate
	Certificate string `json:"certificate,omitempty"`

	// ID of the issuer
	IssuerId string `json:"issuer_id,omitempty"`

	// Revocation time
	RevocationTime int64 `json:"revocation_time,omitempty"`

	// Revocation time RFC 3339 formatted
	RevocationTimeRfc3339 string `json:"revocation_time_rfc3339,omitempty"`
}

PkiReadCertCaChainResponse struct for PkiReadCertCaChainResponse

type PkiReadCertCrlResponse ¶ added in v0.3.0 

type PkiReadCertCrlResponse struct {
	// Issuing CA Chain
	CaChain string `json:"ca_chain,omitempty"`

	// Certificate
	Certificate string `json:"certificate,omitempty"`

	// ID of the issuer
	IssuerId string `json:"issuer_id,omitempty"`

	// Revocation time
	RevocationTime int64 `json:"revocation_time,omitempty"`

	// Revocation time RFC 3339 formatted
	RevocationTimeRfc3339 string `json:"revocation_time_rfc3339,omitempty"`
}

PkiReadCertCrlResponse struct for PkiReadCertCrlResponse

type PkiReadCertDeltaCrlResponse ¶ added in v0.3.0 

type PkiReadCertDeltaCrlResponse struct {
	// Issuing CA Chain
	CaChain string `json:"ca_chain,omitempty"`

	// Certificate
	Certificate string `json:"certificate,omitempty"`

	// ID of the issuer
	IssuerId string `json:"issuer_id,omitempty"`

	// Revocation time
	RevocationTime int64 `json:"revocation_time,omitempty"`

	// Revocation time RFC 3339 formatted
	RevocationTimeRfc3339 string `json:"revocation_time_rfc3339,omitempty"`
}

PkiReadCertDeltaCrlResponse struct for PkiReadCertDeltaCrlResponse

type PkiReadCertRawDerResponse ¶ added in v0.3.0 

type PkiReadCertRawDerResponse struct {
	// Issuing CA Chain
	CaChain string `json:"ca_chain,omitempty"`

	// Certificate
	Certificate string `json:"certificate,omitempty"`

	// ID of the issuer
	IssuerId string `json:"issuer_id,omitempty"`

	// Revocation time
	RevocationTime int64 `json:"revocation_time,omitempty"`

	// Revocation time RFC 3339 formatted
	RevocationTimeRfc3339 string `json:"revocation_time_rfc3339,omitempty"`
}

PkiReadCertRawDerResponse struct for PkiReadCertRawDerResponse

type PkiReadCertRawPemResponse ¶ added in v0.3.0 

type PkiReadCertRawPemResponse struct {
	// Issuing CA Chain
	CaChain string `json:"ca_chain,omitempty"`

	// Certificate
	Certificate string `json:"certificate,omitempty"`

	// ID of the issuer
	IssuerId string `json:"issuer_id,omitempty"`

	// Revocation time
	RevocationTime int64 `json:"revocation_time,omitempty"`

	// Revocation time RFC 3339 formatted
	RevocationTimeRfc3339 string `json:"revocation_time_rfc3339,omitempty"`
}

PkiReadCertRawPemResponse struct for PkiReadCertRawPemResponse

type PkiReadCertResponse ¶ added in v0.3.0 

type PkiReadCertResponse struct {
	// Issuing CA Chain
	CaChain string `json:"ca_chain,omitempty"`

	// Certificate
	Certificate string `json:"certificate,omitempty"`

	// ID of the issuer
	IssuerId string `json:"issuer_id,omitempty"`

	// Revocation time
	RevocationTime int64 `json:"revocation_time,omitempty"`

	// Revocation time RFC 3339 formatted
	RevocationTimeRfc3339 string `json:"revocation_time_rfc3339,omitempty"`
}

PkiReadCertResponse struct for PkiReadCertResponse

type PkiReadClusterConfigurationResponse ¶ added in v0.3.0 

type PkiReadClusterConfigurationResponse struct {
	// Optional URI to this mount's AIA distribution point; may refer to an external non-Vault responder. This is for resolving AIA URLs and providing the {{cluster_aia_path}} template parameter and will not be used for other purposes. As such, unlike path above, this could safely be an insecure transit mechanism (like HTTP without TLS). For example: http://cdn.example.com/pr1/pki
	AiaPath string `json:"aia_path,omitempty"`

	// Canonical URI to this mount on this performance replication cluster's external address. This is for resolving AIA URLs and providing the {{cluster_path}} template parameter but might be used for other purposes in the future. This should only point back to this particular PR replica and should not ever point to another PR cluster. It may point to any node in the PR replica, including standby nodes, and need not always point to the active node. For example: https://pr1.vault.example.com:8200/v1/pki
	Path string `json:"path,omitempty"`
}

PkiReadClusterConfigurationResponse struct for PkiReadClusterConfigurationResponse

type PkiReadCrlConfigurationResponse ¶ added in v0.3.0 

type PkiReadCrlConfigurationResponse struct {
	// If set to true, enables automatic rebuilding of the CRL
	AutoRebuild bool `json:"auto_rebuild,omitempty"`

	// The time before the CRL expires to automatically rebuild it, when enabled. Must be shorter than the CRL expiry. Defaults to 12h.
	AutoRebuildGracePeriod string `json:"auto_rebuild_grace_period,omitempty"`

	// Whether to enable a global, cross-cluster revocation queue. Must be used with auto_rebuild=true.
	CrossClusterRevocation bool `json:"cross_cluster_revocation,omitempty"`

	// The time between delta CRL rebuilds if a new revocation has occurred. Must be shorter than the CRL expiry. Defaults to 15m.
	DeltaRebuildInterval string `json:"delta_rebuild_interval,omitempty"`

	// If set to true, disables generating the CRL entirely.
	Disable bool `json:"disable,omitempty"`

	// Whether to enable delta CRLs between authoritative CRL rebuilds
	EnableDelta bool `json:"enable_delta,omitempty"`

	// The amount of time the generated CRL should be valid; defaults to 72 hours
	Expiry string `json:"expiry,omitempty"`

	// If set to true, ocsp unauthorized responses will be returned.
	OcspDisable bool `json:"ocsp_disable,omitempty"`

	// The amount of time an OCSP response will be valid (controls the NextUpdate field); defaults to 12 hours
	OcspExpiry string `json:"ocsp_expiry,omitempty"`

	// If set to true enables global replication of revocation entries, also enabling unified versions of OCSP and CRLs if their respective features are enabled. disable for CRLs and ocsp_disable for OCSP.
	UnifiedCrl bool `json:"unified_crl,omitempty"`

	// If set to true, existing CRL and OCSP paths will return the unified CRL instead of a response based on cluster-local data
	UnifiedCrlOnExistingPaths bool `json:"unified_crl_on_existing_paths,omitempty"`
}

PkiReadCrlConfigurationResponse struct for PkiReadCrlConfigurationResponse

type PkiReadCrlDeltaPemResponse ¶ added in v0.3.0 

type PkiReadCrlDeltaPemResponse struct {
	// Issuing CA Chain
	CaChain string `json:"ca_chain,omitempty"`

	// Certificate
	Certificate string `json:"certificate,omitempty"`

	// ID of the issuer
	IssuerId string `json:"issuer_id,omitempty"`

	// Revocation time
	RevocationTime int64 `json:"revocation_time,omitempty"`

	// Revocation time RFC 3339 formatted
	RevocationTimeRfc3339 string `json:"revocation_time_rfc3339,omitempty"`
}

PkiReadCrlDeltaPemResponse struct for PkiReadCrlDeltaPemResponse

type PkiReadCrlDeltaResponse ¶ added in v0.3.0 

type PkiReadCrlDeltaResponse struct {
	// Issuing CA Chain
	CaChain string `json:"ca_chain,omitempty"`

	// Certificate
	Certificate string `json:"certificate,omitempty"`

	// ID of the issuer
	IssuerId string `json:"issuer_id,omitempty"`

	// Revocation time
	RevocationTime int64 `json:"revocation_time,omitempty"`

	// Revocation time RFC 3339 formatted
	RevocationTimeRfc3339 string `json:"revocation_time_rfc3339,omitempty"`
}

PkiReadCrlDeltaResponse struct for PkiReadCrlDeltaResponse

type PkiReadCrlDerResponse ¶ added in v0.3.0 

type PkiReadCrlDerResponse struct {
	// Issuing CA Chain
	CaChain string `json:"ca_chain,omitempty"`

	// Certificate
	Certificate string `json:"certificate,omitempty"`

	// ID of the issuer
	IssuerId string `json:"issuer_id,omitempty"`

	// Revocation time
	RevocationTime int64 `json:"revocation_time,omitempty"`

	// Revocation time RFC 3339 formatted
	RevocationTimeRfc3339 string `json:"revocation_time_rfc3339,omitempty"`
}

PkiReadCrlDerResponse struct for PkiReadCrlDerResponse

type PkiReadCrlPemResponse ¶ added in v0.3.0 

type PkiReadCrlPemResponse struct {
	// Issuing CA Chain
	CaChain string `json:"ca_chain,omitempty"`

	// Certificate
	Certificate string `json:"certificate,omitempty"`

	// ID of the issuer
	IssuerId string `json:"issuer_id,omitempty"`

	// Revocation time
	RevocationTime int64 `json:"revocation_time,omitempty"`

	// Revocation time RFC 3339 formatted
	RevocationTimeRfc3339 string `json:"revocation_time_rfc3339,omitempty"`
}

PkiReadCrlPemResponse struct for PkiReadCrlPemResponse

type PkiReadIssuerDerResponse ¶ added in v0.3.0 

type PkiReadIssuerDerResponse struct {
	// CA Chain
	CaChain []string `json:"ca_chain,omitempty"`

	// Certificate
	Certificate string `json:"certificate,omitempty"`

	// Issuer Id
	IssuerId string `json:"issuer_id,omitempty"`

	// Issuer Name
	IssuerName string `json:"issuer_name,omitempty"`
}

PkiReadIssuerDerResponse struct for PkiReadIssuerDerResponse

type PkiReadIssuerJsonResponse ¶ added in v0.3.0 

type PkiReadIssuerJsonResponse struct {
	// CA Chain
	CaChain []string `json:"ca_chain,omitempty"`

	// Certificate
	Certificate string `json:"certificate,omitempty"`

	// Issuer Id
	IssuerId string `json:"issuer_id,omitempty"`

	// Issuer Name
	IssuerName string `json:"issuer_name,omitempty"`
}

PkiReadIssuerJsonResponse struct for PkiReadIssuerJsonResponse

type PkiReadIssuerPemResponse ¶ added in v0.3.0 

type PkiReadIssuerPemResponse struct {
	// CA Chain
	CaChain []string `json:"ca_chain,omitempty"`

	// Certificate
	Certificate string `json:"certificate,omitempty"`

	// Issuer Id
	IssuerId string `json:"issuer_id,omitempty"`

	// Issuer Name
	IssuerName string `json:"issuer_name,omitempty"`
}

PkiReadIssuerPemResponse struct for PkiReadIssuerPemResponse

type PkiReadIssuerResponse ¶ added in v0.3.0 

type PkiReadIssuerResponse struct {
	// CA Chain
	CaChain []string `json:"ca_chain,omitempty"`

	// Certificate
	Certificate string `json:"certificate,omitempty"`

	// CRL Distribution Points
	CrlDistributionPoints []string `json:"crl_distribution_points,omitempty"`

	// Whether or not templating is enabled for AIA fields
	EnableAiaUrlTemplating bool `json:"enable_aia_url_templating,omitempty"`

	// Issuer Id
	IssuerId string `json:"issuer_id,omitempty"`

	// Issuer Name
	IssuerName string `json:"issuer_name,omitempty"`

	// Issuing Certificates
	IssuingCertificates []string `json:"issuing_certificates,omitempty"`

	// Key Id
	KeyId string `json:"key_id,omitempty"`

	// Leaf Not After Behavior
	LeafNotAfterBehavior string `json:"leaf_not_after_behavior,omitempty"`

	// Manual Chain
	ManualChain []string `json:"manual_chain,omitempty"`

	// OCSP Servers
	OcspServers []string `json:"ocsp_servers,omitempty"`

	// Revocation Signature Alogrithm
	RevocationSignatureAlgorithm string `json:"revocation_signature_algorithm,omitempty"`

	RevocationTime int32 `json:"revocation_time,omitempty"`

	RevocationTimeRfc3339 string `json:"revocation_time_rfc3339,omitempty"`

	// Revoked
	Revoked bool `json:"revoked,omitempty"`

	// Usage
	Usage string `json:"usage,omitempty"`
}

PkiReadIssuerResponse struct for PkiReadIssuerResponse

type PkiReadIssuersConfigurationResponse ¶ added in v0.3.0 

type PkiReadIssuersConfigurationResponse struct {
	// Reference (name or identifier) to the default issuer.
	Default string `json:"default,omitempty"`

	// Whether the default issuer should automatically follow the latest generated or imported issuer. Defaults to false.
	DefaultFollowsLatestIssuer bool `json:"default_follows_latest_issuer,omitempty"`
}

PkiReadIssuersConfigurationResponse struct for PkiReadIssuersConfigurationResponse

type PkiReadKeyResponse ¶ added in v0.3.0 

type PkiReadKeyResponse struct {
	// Key Id
	KeyId string `json:"key_id,omitempty"`

	// Key Name
	KeyName string `json:"key_name,omitempty"`

	// Key Type
	KeyType string `json:"key_type,omitempty"`

	// Managed Key Id
	ManagedKeyId string `json:"managed_key_id,omitempty"`

	// Managed Key Name
	ManagedKeyName string `json:"managed_key_name,omitempty"`

	// RFC 5280 Subject Key Identifier of the public counterpart
	SubjectKeyId string `json:"subject_key_id,omitempty"`
}

PkiReadKeyResponse struct for PkiReadKeyResponse

type PkiReadKeysConfigurationResponse ¶ added in v0.3.0 

type PkiReadKeysConfigurationResponse struct {
	// Reference (name or identifier) to the default issuer.
	Default string `json:"default,omitempty"`
}

PkiReadKeysConfigurationResponse struct for PkiReadKeysConfigurationResponse

type PkiReadRoleResponse ¶ added in v0.3.0 

type PkiReadRoleResponse struct {
	// If set, clients can request certificates for any domain, regardless of allowed_domains restrictions. See the documentation for more information.
	AllowAnyName bool `json:"allow_any_name,omitempty"`

	// If set, clients can request certificates for the base domains themselves, e.g. \"example.com\" of domains listed in allowed_domains. This is a separate option as in some cases this can be considered a security threat. See the documentation for more information.
	AllowBareDomains bool `json:"allow_bare_domains,omitempty"`

	// If set, domains specified in allowed_domains can include shell-style glob patterns, e.g. \"ftp*.example.com\". See the documentation for more information.
	AllowGlobDomains bool `json:"allow_glob_domains,omitempty"`

	// If set, IP Subject Alternative Names are allowed. Any valid IP is accepted and No authorization checking is performed.
	AllowIpSans bool `json:"allow_ip_sans,omitempty"`

	// Whether to allow \"localhost\" and \"localdomain\" as a valid common name in a request, independent of allowed_domains value.
	AllowLocalhost bool `json:"allow_localhost,omitempty"`

	// If set, clients can request certificates for subdomains of domains listed in allowed_domains, including wildcard subdomains. See the documentation for more information.
	AllowSubdomains bool `json:"allow_subdomains,omitempty"`

	// Whether to allow \"localhost\" and \"localdomain\" as a valid common name in a request, independent of allowed_domains value.
	AllowTokenDisplayname bool `json:"allow_token_displayname,omitempty"`

	// If set, allows certificates with wildcards in the common name to be issued, conforming to RFC 6125's Section 6.4.3; e.g., \"*.example.net\" or \"b*z.example.net\". See the documentation for more information.
	AllowWildcardCertificates bool `json:"allow_wildcard_certificates,omitempty"`

	// Specifies the domains this role is allowed to issue certificates for. This is used with the allow_bare_domains, allow_subdomains, and allow_glob_domains to determine matches for the common name, DNS-typed SAN entries, and Email-typed SAN entries of certificates. See the documentation for more information. This parameter accepts a comma-separated string or list of domains.
	AllowedDomains []string `json:"allowed_domains,omitempty"`

	// If set, Allowed domains can be specified using identity template policies. Non-templated domains are also permitted.
	AllowedDomainsTemplate bool `json:"allowed_domains_template,omitempty"`

	// If set, an array of allowed other names to put in SANs. These values support globbing and must be in the format <oid>;<type>:<value>. Currently only \"utf8\" is a valid type. All values, including globbing values, must use this syntax, with the exception being a single \"*\" which allows any OID and any value (but type must still be utf8).
	AllowedOtherSans []string `json:"allowed_other_sans,omitempty"`

	// If set, an array of allowed serial numbers to put in Subject. These values support globbing.
	AllowedSerialNumbers []string `json:"allowed_serial_numbers,omitempty"`

	// If set, an array of allowed URIs for URI Subject Alternative Names. Any valid URI is accepted, these values support globbing.
	AllowedUriSans []string `json:"allowed_uri_sans,omitempty"`

	// If set, Allowed URI SANs can be specified using identity template policies. Non-templated URI SANs are also permitted.
	AllowedUriSansTemplate bool `json:"allowed_uri_sans_template,omitempty"`

	// If set, an array of allowed user-ids to put in user system login name specified here: https://www.rfc-editor.org/rfc/rfc1274#section-9.3.1
	AllowedUserIds []string `json:"allowed_user_ids,omitempty"`

	// Mark Basic Constraints valid when issuing non-CA certificates.
	BasicConstraintsValidForNonCa bool `json:"basic_constraints_valid_for_non_ca,omitempty"`

	// If set, certificates are flagged for client auth use. Defaults to true. See also RFC 5280 Section 4.2.1.12.
	ClientFlag bool `json:"client_flag,omitempty"`

	// List of allowed validations to run against the Common Name field. Values can include 'email' to validate the CN is a email address, 'hostname' to validate the CN is a valid hostname (potentially including wildcards). When multiple validations are specified, these take OR semantics (either email OR hostname are allowed). The special value 'disabled' allows disabling all CN name validations, allowing for arbitrary non-Hostname, non-Email address CNs.
	CnValidations []string `json:"cn_validations,omitempty"`

	// If set, certificates are flagged for code signing use. Defaults to false. See also RFC 5280 Section 4.2.1.12.
	CodeSigningFlag bool `json:"code_signing_flag,omitempty"`

	// If set, Country will be set to this value in certificates issued by this role.
	Country []string `json:"country,omitempty"`

	// If set, certificates are flagged for email protection use. Defaults to false. See also RFC 5280 Section 4.2.1.12.
	EmailProtectionFlag bool `json:"email_protection_flag,omitempty"`

	// If set, only valid host names are allowed for CN and DNS SANs, and the host part of email addresses. Defaults to true.
	EnforceHostnames bool `json:"enforce_hostnames,omitempty"`

	// A comma-separated string or list of extended key usages. Valid values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage -- simply drop the \"ExtKeyUsage\" part of the name. To remove all key usages from being set, set this value to an empty list. See also RFC 5280 Section 4.2.1.12.
	ExtKeyUsage []string `json:"ext_key_usage,omitempty"`

	// A comma-separated string or list of extended key usage oids.
	ExtKeyUsageOids []string `json:"ext_key_usage_oids,omitempty"`

	// If set, certificates issued/signed against this role will have Vault leases attached to them. Defaults to \"false\". Certificates can be added to the CRL by \"vault revoke <lease_id>\" when certificates are associated with leases. It can also be done using the \"pki/revoke\" endpoint. However, when lease generation is disabled, invoking \"pki/revoke\" would be the only way to add the certificates to the CRL. When large number of certificates are generated with long lifetimes, it is recommended that lease generation be disabled, as large amount of leases adversely affect the startup time of Vault.
	GenerateLease bool `json:"generate_lease,omitempty"`

	// Reference to the issuer used to sign requests serviced by this role.
	IssuerRef string `json:"issuer_ref,omitempty"`

	// The number of bits to use. Allowed values are 0 (universal default); with rsa key_type: 2048 (default), 3072, or 4096; with ec key_type: 224, 256 (default), 384, or 521; ignored with ed25519.
	KeyBits int32 `json:"key_bits,omitempty"`

	// The type of key to use; defaults to RSA. \"rsa\" \"ec\", \"ed25519\" and \"any\" are the only valid values.
	KeyType string `json:"key_type,omitempty"`

	// A comma-separated string or list of key usages (not extended key usages). Valid values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage -- simply drop the \"KeyUsage\" part of the name. To remove all key usages from being set, set this value to an empty list. See also RFC 5280 Section 4.2.1.3.
	KeyUsage []string `json:"key_usage,omitempty"`

	// If set, Locality will be set to this value in certificates issued by this role.
	Locality []string `json:"locality,omitempty"`

	// The maximum allowed lease duration. If not set, defaults to the system maximum lease TTL.
	MaxTtl int64 `json:"max_ttl,omitempty"`

	// If set, certificates issued/signed against this role will not be stored in the storage backend. This can improve performance when issuing large numbers of certificates. However, certificates issued in this way cannot be enumerated or revoked, so this option is recommended only for certificates that are non-sensitive, or extremely short-lived. This option implies a value of \"false\" for \"generate_lease\".
	NoStore bool `json:"no_store,omitempty"`

	// Set the not after field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ.
	NotAfter string `json:"not_after,omitempty"`

	// The duration in seconds before now which the certificate needs to be backdated by.
	NotBeforeDuration int64 `json:"not_before_duration,omitempty"`

	// If set, O (Organization) will be set to this value in certificates issued by this role.
	Organization []string `json:"organization,omitempty"`

	// If set, OU (OrganizationalUnit) will be set to this value in certificates issued by this role.
	Ou []string `json:"ou,omitempty"`

	// A comma-separated string or list of policy OIDs, or a JSON list of qualified policy information, which must include an oid, and may include a notice and/or cps url, using the form [{\"oid\"=\"1.3.6.1.4.1.7.8\",\"notice\"=\"I am a user Notice\"}, {\"oid\"=\"1.3.6.1.4.1.44947.1.2.4 \",\"cps\"=\"https://example.com\"}].
	PolicyIdentifiers []string `json:"policy_identifiers,omitempty"`

	// If set, Postal Code will be set to this value in certificates issued by this role.
	PostalCode []string `json:"postal_code,omitempty"`

	// If set, Province will be set to this value in certificates issued by this role.
	Province []string `json:"province,omitempty"`

	// If set to false, makes the 'common_name' field optional while generating a certificate.
	RequireCn bool `json:"require_cn,omitempty"`

	// If set, certificates are flagged for server auth use. Defaults to true. See also RFC 5280 Section 4.2.1.12.
	ServerFlag bool `json:"server_flag,omitempty"`

	// The number of bits to use in the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for SHA-2-512. Defaults to 0 to automatically detect based on key length (SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).
	SignatureBits int32 `json:"signature_bits,omitempty"`

	// If set, Street Address will be set to this value in certificates issued by this role.
	StreetAddress []string `json:"street_address,omitempty"`

	// The lease duration (validity period of the certificate) if no specific lease duration is requested. The lease duration controls the expiration of certificates issued by this backend. Defaults to the system default value or the value of max_ttl, whichever is shorter.
	Ttl int64 `json:"ttl,omitempty"`

	// If set, when used with a signing profile, the common name in the CSR will be used. This does *not* include any requested Subject Alternative Names; use use_csr_sans for that. Defaults to true.
	UseCsrCommonName bool `json:"use_csr_common_name,omitempty"`

	// If set, when used with a signing profile, the SANs in the CSR will be used. This does *not* include the Common Name (cn); use use_csr_common_name for that. Defaults to true.
	UseCsrSans bool `json:"use_csr_sans,omitempty"`

	// Whether or not to use PSS signatures when using a RSA key-type issuer. Defaults to false.
	UsePss bool `json:"use_pss,omitempty"`
}

PkiReadRoleResponse struct for PkiReadRoleResponse

type PkiReadUrlsConfigurationResponse ¶ added in v0.3.0 

type PkiReadUrlsConfigurationResponse struct {
	// Comma-separated list of URLs to be used for the CRL distribution points attribute. See also RFC 5280 Section 4.2.1.13.
	CrlDistributionPoints []string `json:"crl_distribution_points,omitempty"`

	// Whether or not to enable templating of the above AIA fields. When templating is enabled the special values '{{issuer_id}}' and '{{cluster_path}}' are available, but the addresses are not checked for URI validity until issuance time. This requires /config/cluster's path to be set on all PR Secondary clusters.
	EnableTemplating bool `json:"enable_templating,omitempty"`

	// Comma-separated list of URLs to be used for the issuing certificate attribute. See also RFC 5280 Section 4.2.2.1.
	IssuingCertificates []string `json:"issuing_certificates,omitempty"`

	// Comma-separated list of URLs to be used for the OCSP servers attribute. See also RFC 5280 Section 4.2.2.1.
	OcspServers []string `json:"ocsp_servers,omitempty"`
}

PkiReadUrlsConfigurationResponse struct for PkiReadUrlsConfigurationResponse

type PkiReplaceRootRequest ¶ added in v0.3.0 

type PkiReplaceRootRequest struct {
	// Reference (name or identifier) to the default issuer.
	Default string `json:"default,omitempty"`
}

PkiReplaceRootRequest struct for PkiReplaceRootRequest

type PkiReplaceRootResponse ¶ added in v0.3.0 

type PkiReplaceRootResponse struct {
	// Reference (name or identifier) to the default issuer.
	Default string `json:"default,omitempty"`

	// Whether the default issuer should automatically follow the latest generated or imported issuer. Defaults to false.
	DefaultFollowsLatestIssuer bool `json:"default_follows_latest_issuer,omitempty"`
}

PkiReplaceRootResponse struct for PkiReplaceRootResponse

type PkiRevokeIssuerResponse ¶ added in v0.3.0 

type PkiRevokeIssuerResponse struct {
	// Certificate Authority Chain
	CaChain []string `json:"ca_chain,omitempty"`

	// Certificate
	Certificate string `json:"certificate,omitempty"`

	// Specifies the URL values for the CRL Distribution Points field
	CrlDistributionPoints []string `json:"crl_distribution_points,omitempty"`

	// ID of the issuer
	IssuerId string `json:"issuer_id,omitempty"`

	// Name of the issuer
	IssuerName string `json:"issuer_name,omitempty"`

	// Specifies the URL values for the Issuing Certificate field
	IssuingCertificates []string `json:"issuing_certificates,omitempty"`

	// ID of the Key
	KeyId string `json:"key_id,omitempty"`

	LeafNotAfterBehavior string `json:"leaf_not_after_behavior,omitempty"`

	// Manual Chain
	ManualChain []string `json:"manual_chain,omitempty"`

	// Specifies the URL values for the OCSP Servers field
	OcspServers []string `json:"ocsp_servers,omitempty"`

	// Which signature algorithm to use when building CRLs
	RevocationSignatureAlgorithm string `json:"revocation_signature_algorithm,omitempty"`

	// Time of revocation
	RevocationTime int64 `json:"revocation_time,omitempty"`

	// RFC formatted time of revocation
	RevocationTimeRfc3339 time.Time `json:"revocation_time_rfc3339,omitempty"`

	// Whether the issuer was revoked
	Revoked bool `json:"revoked,omitempty"`

	// Allowed usage
	Usage string `json:"usage,omitempty"`
}

PkiRevokeIssuerResponse struct for PkiRevokeIssuerResponse

type PkiRevokeRequest ¶ added in v0.3.0 

type PkiRevokeRequest struct {
	// Certificate to revoke in PEM format; must be signed by an issuer in this mount.
	Certificate string `json:"certificate,omitempty"`

	// Certificate serial number, in colon- or hyphen-separated octal
	SerialNumber string `json:"serial_number,omitempty"`
}

PkiRevokeRequest struct for PkiRevokeRequest

type PkiRevokeResponse ¶ added in v0.3.0 

type PkiRevokeResponse struct {
	// Revocation Time
	RevocationTime int64 `json:"revocation_time,omitempty"`

	// Revocation Time
	RevocationTimeRfc3339 time.Time `json:"revocation_time_rfc3339,omitempty"`

	// Revocation State
	State string `json:"state,omitempty"`
}

PkiRevokeResponse struct for PkiRevokeResponse

type PkiRevokeWithKeyRequest ¶ added in v0.3.0 

type PkiRevokeWithKeyRequest struct {
	// Certificate to revoke in PEM format; must be signed by an issuer in this mount.
	Certificate string `json:"certificate,omitempty"`

	// Key to use to verify revocation permission; must be in PEM format.
	PrivateKey string `json:"private_key,omitempty"`

	// Certificate serial number, in colon- or hyphen-separated octal
	SerialNumber string `json:"serial_number,omitempty"`
}

PkiRevokeWithKeyRequest struct for PkiRevokeWithKeyRequest

type PkiRevokeWithKeyResponse ¶ added in v0.3.0 

type PkiRevokeWithKeyResponse struct {
	// Revocation Time
	RevocationTime int64 `json:"revocation_time,omitempty"`

	// Revocation Time
	RevocationTimeRfc3339 time.Time `json:"revocation_time_rfc3339,omitempty"`

	// Revocation State
	State string `json:"state,omitempty"`
}

PkiRevokeWithKeyResponse struct for PkiRevokeWithKeyResponse

type PkiRootSignIntermediateRequest ¶ added in v0.3.0 

type PkiRootSignIntermediateRequest struct {
	// The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses.
	AltNames string `json:"alt_names,omitempty"`

	// The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans.
	CommonName string `json:"common_name,omitempty"`

	// If set, Country will be set to this value.
	Country []string `json:"country,omitempty"`

	// PEM-format CSR to be signed.
	Csr string `json:"csr,omitempty"`

	// If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).
	ExcludeCnFromSans bool `json:"exclude_cn_from_sans,omitempty"`

	// Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\", any private key and issuing cert will be appended to the certificate pem. If \"der\", the value will be base64 encoded. Defaults to \"pem\".
	Format string `json:"format,omitempty"`

	// The requested IP SANs, if any, in a comma-delimited list
	IpSans []string `json:"ip_sans,omitempty"`

	// Provide a name to the generated or existing issuer, the name must be unique across all issuers and not be the reserved value 'default'
	IssuerName string `json:"issuer_name,omitempty"`

	// Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.
	IssuerRef string `json:"issuer_ref,omitempty"`

	// If set, Locality will be set to this value.
	Locality []string `json:"locality,omitempty"`

	// The maximum allowable path length
	MaxPathLength int32 `json:"max_path_length,omitempty"`

	// Set the not after field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ
	NotAfter string `json:"not_after,omitempty"`

	// The duration before now which the certificate needs to be backdated by.
	NotBeforeDuration string `json:"not_before_duration,omitempty"`

	// If set, O (Organization) will be set to this value.
	Organization []string `json:"organization,omitempty"`

	// Requested other SANs, in an array with the format <oid>;UTF8:<utf8 string value> for each entry.
	OtherSans []string `json:"other_sans,omitempty"`

	// If set, OU (OrganizationalUnit) will be set to this value.
	Ou []string `json:"ou,omitempty"`

	// Domains for which this certificate is allowed to sign or issue child certificates. If set, all DNS names (subject and alt) on child certs must be exact matches or subsets of the given domains (see https://tools.ietf.org/html/rfc5280#section-4.2.1.10).
	PermittedDnsDomains []string `json:"permitted_dns_domains,omitempty"`

	// If set, Postal Code will be set to this value.
	PostalCode []string `json:"postal_code,omitempty"`

	// Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".
	PrivateKeyFormat string `json:"private_key_format,omitempty"`

	// If set, Province will be set to this value.
	Province []string `json:"province,omitempty"`

	// The Subject's requested serial number, if any. See RFC 4519 Section 2.31 'serialNumber' for a description of this field. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. This has no impact on the final certificate's Serial Number field.
	SerialNumber string `json:"serial_number,omitempty"`

	// The number of bits to use in the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for SHA-2-512. Defaults to 0 to automatically detect based on key length (SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).
	SignatureBits int32 `json:"signature_bits,omitempty"`

	// Value for the Subject Key Identifier field (RFC 5280 Section 4.2.1.2). This value should ONLY be used when cross-signing to mimic the existing certificate's SKID value; this is necessary to allow certain TLS implementations (such as OpenSSL) which use SKID/AKID matches in chain building to restrict possible valid chains. Specified as a string in hex format. Default is empty, allowing Vault to automatically calculate the SKID according to method one in the above RFC section.
	Skid string `json:"skid,omitempty"`

	// If set, Street Address will be set to this value.
	StreetAddress []string `json:"street_address,omitempty"`

	// The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.
	Ttl string `json:"ttl,omitempty"`

	// The requested URI SANs, if any, in a comma-delimited list.
	UriSans []string `json:"uri_sans,omitempty"`

	// If true, then: 1) Subject information, including names and alternate names, will be preserved from the CSR rather than using values provided in the other parameters to this path; 2) Any key usages requested in the CSR will be added to the basic set of key usages used for CA certs signed by this path; for instance, the non-repudiation flag; 3) Extensions requested in the CSR will be copied into the issued certificate.
	UseCsrValues bool `json:"use_csr_values,omitempty"`

	// Whether or not to use PSS signatures when using a RSA key-type issuer. Defaults to false.
	UsePss bool `json:"use_pss,omitempty"`
}

PkiRootSignIntermediateRequest struct for PkiRootSignIntermediateRequest

type PkiRootSignIntermediateResponse ¶ added in v0.3.0 

type PkiRootSignIntermediateResponse struct {
	// CA Chain
	CaChain []string `json:"ca_chain,omitempty"`

	// Certificate
	Certificate string `json:"certificate,omitempty"`

	// Expiration Time
	Expiration int64 `json:"expiration,omitempty"`

	// Issuing CA
	IssuingCa string `json:"issuing_ca,omitempty"`

	// Serial Number
	SerialNumber string `json:"serial_number,omitempty"`
}

PkiRootSignIntermediateResponse struct for PkiRootSignIntermediateResponse

type PkiRootSignSelfIssuedRequest ¶ added in v0.3.0 

type PkiRootSignSelfIssuedRequest struct {
	// PEM-format self-issued certificate to be signed.
	Certificate string `json:"certificate,omitempty"`

	// Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.
	IssuerRef string `json:"issuer_ref,omitempty"`

	// If true, require the public key algorithm of the signer to match that of the self issued certificate.
	RequireMatchingCertificateAlgorithms bool `json:"require_matching_certificate_algorithms,omitempty"`
}

PkiRootSignSelfIssuedRequest struct for PkiRootSignSelfIssuedRequest

type PkiRootSignSelfIssuedResponse ¶ added in v0.3.0 

type PkiRootSignSelfIssuedResponse struct {
	// Certificate
	Certificate string `json:"certificate,omitempty"`

	// Issuing CA
	IssuingCa string `json:"issuing_ca,omitempty"`
}

PkiRootSignSelfIssuedResponse struct for PkiRootSignSelfIssuedResponse

type PkiRotateCrlResponse ¶ added in v0.3.0 

type PkiRotateCrlResponse struct {
	// Whether rotation was successful
	Success bool `json:"success,omitempty"`
}

PkiRotateCrlResponse struct for PkiRotateCrlResponse

type PkiRotateDeltaCrlResponse ¶ added in v0.3.0 

type PkiRotateDeltaCrlResponse struct {
	// Whether rotation was successful
	Success bool `json:"success,omitempty"`
}

PkiRotateDeltaCrlResponse struct for PkiRotateDeltaCrlResponse

type PkiRotateRootRequest ¶ added in v0.4.0 

type PkiRotateRootRequest struct {
	// The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses.
	AltNames string `json:"alt_names,omitempty"`

	// The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans.
	CommonName string `json:"common_name,omitempty"`

	// If set, Country will be set to this value.
	Country []string `json:"country,omitempty"`

	// If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).
	ExcludeCnFromSans bool `json:"exclude_cn_from_sans,omitempty"`

	// Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\", any private key and issuing cert will be appended to the certificate pem. If \"der\", the value will be base64 encoded. Defaults to \"pem\".
	Format string `json:"format,omitempty"`

	// The requested IP SANs, if any, in a comma-delimited list
	IpSans []string `json:"ip_sans,omitempty"`

	// Provide a name to the generated or existing issuer, the name must be unique across all issuers and not be the reserved value 'default'
	IssuerName string `json:"issuer_name,omitempty"`

	// The number of bits to use. Allowed values are 0 (universal default); with rsa key_type: 2048 (default), 3072, or 4096; with ec key_type: 224, 256 (default), 384, or 521; ignored with ed25519.
	KeyBits int32 `json:"key_bits,omitempty"`

	// Provide a name to the generated or existing key, the name must be unique across all keys and not be the reserved value 'default'
	KeyName string `json:"key_name,omitempty"`

	// Reference to a existing key; either \"default\" for the configured default key, an identifier or the name assigned to the key.
	KeyRef string `json:"key_ref,omitempty"`

	// The type of key to use; defaults to RSA. \"rsa\" \"ec\" and \"ed25519\" are the only valid values.
	KeyType string `json:"key_type,omitempty"`

	// If set, Locality will be set to this value.
	Locality []string `json:"locality,omitempty"`

	// The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_name is required. Ignored for other types.
	ManagedKeyId string `json:"managed_key_id,omitempty"`

	// The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_id is required. Ignored for other types.
	ManagedKeyName string `json:"managed_key_name,omitempty"`

	// The maximum allowable path length
	MaxPathLength int32 `json:"max_path_length,omitempty"`

	// Set the not after field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ
	NotAfter string `json:"not_after,omitempty"`

	// The duration before now which the certificate needs to be backdated by.
	NotBeforeDuration string `json:"not_before_duration,omitempty"`

	// If set, O (Organization) will be set to this value.
	Organization []string `json:"organization,omitempty"`

	// Requested other SANs, in an array with the format <oid>;UTF8:<utf8 string value> for each entry.
	OtherSans []string `json:"other_sans,omitempty"`

	// If set, OU (OrganizationalUnit) will be set to this value.
	Ou []string `json:"ou,omitempty"`

	// Domains for which this certificate is allowed to sign or issue child certificates. If set, all DNS names (subject and alt) on child certs must be exact matches or subsets of the given domains (see https://tools.ietf.org/html/rfc5280#section-4.2.1.10).
	PermittedDnsDomains []string `json:"permitted_dns_domains,omitempty"`

	// If set, Postal Code will be set to this value.
	PostalCode []string `json:"postal_code,omitempty"`

	// Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".
	PrivateKeyFormat string `json:"private_key_format,omitempty"`

	// If set, Province will be set to this value.
	Province []string `json:"province,omitempty"`

	// The Subject's requested serial number, if any. See RFC 4519 Section 2.31 'serialNumber' for a description of this field. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. This has no impact on the final certificate's Serial Number field.
	SerialNumber string `json:"serial_number,omitempty"`

	// The number of bits to use in the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for SHA-2-512. Defaults to 0 to automatically detect based on key length (SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).
	SignatureBits int32 `json:"signature_bits,omitempty"`

	// If set, Street Address will be set to this value.
	StreetAddress []string `json:"street_address,omitempty"`

	// The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.
	Ttl string `json:"ttl,omitempty"`

	// The requested URI SANs, if any, in a comma-delimited list.
	UriSans []string `json:"uri_sans,omitempty"`

	// Whether or not to use PSS signatures when using a RSA key-type issuer. Defaults to false.
	UsePss bool `json:"use_pss,omitempty"`
}

PkiRotateRootRequest struct for PkiRotateRootRequest

type PkiRotateRootResponse ¶ added in v0.4.0 

type PkiRotateRootResponse struct {
	// The generated self-signed CA certificate.
	Certificate string `json:"certificate,omitempty"`

	// The expiration of the given issuer.
	Expiration int64 `json:"expiration,omitempty"`

	// The ID of the issuer
	IssuerId string `json:"issuer_id,omitempty"`

	// The name of the issuer.
	IssuerName string `json:"issuer_name,omitempty"`

	// The issuing certificate authority.
	IssuingCa string `json:"issuing_ca,omitempty"`

	// The ID of the key.
	KeyId string `json:"key_id,omitempty"`

	// The key name if given.
	KeyName string `json:"key_name,omitempty"`

	// The private key if exported was specified.
	PrivateKey string `json:"private_key,omitempty"`

	// The requested Subject's named serial number.
	SerialNumber string `json:"serial_number,omitempty"`
}

PkiRotateRootResponse struct for PkiRotateRootResponse

type PkiSetSignedIntermediateRequest ¶ added in v0.3.0 

type PkiSetSignedIntermediateRequest struct {
	// PEM-format certificate. This must be a CA certificate with a public key matching the previously-generated key from the generation endpoint. Additional parent CAs may be optionally appended to the bundle.
	Certificate string `json:"certificate,omitempty"`
}

PkiSetSignedIntermediateRequest struct for PkiSetSignedIntermediateRequest

type PkiSetSignedIntermediateResponse ¶ added in v0.3.0 

type PkiSetSignedIntermediateResponse struct {
	// Existing issuers specified as part of the import bundle of this request
	ExistingIssuers []string `json:"existing_issuers,omitempty"`

	// Existing keys specified as part of the import bundle of this request
	ExistingKeys []string `json:"existing_keys,omitempty"`

	// Net-new issuers imported as a part of this request
	ImportedIssuers []string `json:"imported_issuers,omitempty"`

	// Net-new keys imported as a part of this request
	ImportedKeys []string `json:"imported_keys,omitempty"`

	// A mapping of issuer_id to key_id for all issuers included in this request
	Mapping map[string]interface{} `json:"mapping,omitempty"`
}

PkiSetSignedIntermediateResponse struct for PkiSetSignedIntermediateResponse

type PkiSignVerbatimRequest ¶ added in v0.3.0 

type PkiSignVerbatimRequest struct {
	// The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.
	AltNames string `json:"alt_names,omitempty"`

	// The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address.
	CommonName string `json:"common_name,omitempty"`

	// PEM-format CSR to be signed. Values will be taken verbatim from the CSR, except for basic constraints.
	Csr string `json:"csr,omitempty"`

	// If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).
	ExcludeCnFromSans bool `json:"exclude_cn_from_sans,omitempty"`

	// A comma-separated string or list of extended key usages. Valid values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage -- simply drop the \"ExtKeyUsage\" part of the name. To remove all key usages from being set, set this value to an empty list.
	ExtKeyUsage []string `json:"ext_key_usage,omitempty"`

	// A comma-separated string or list of extended key usage oids.
	ExtKeyUsageOids []string `json:"ext_key_usage_oids,omitempty"`

	// Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\", any private key and issuing cert will be appended to the certificate pem. If \"der\", the value will be base64 encoded. Defaults to \"pem\".
	Format string `json:"format,omitempty"`

	// The requested IP SANs, if any, in a comma-delimited list
	IpSans []string `json:"ip_sans,omitempty"`

	// Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.
	IssuerRef string `json:"issuer_ref,omitempty"`

	// A comma-separated string or list of key usages (not extended key usages). Valid values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage -- simply drop the \"KeyUsage\" part of the name. To remove all key usages from being set, set this value to an empty list.
	KeyUsage []string `json:"key_usage,omitempty"`

	// Set the not after field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ
	NotAfter string `json:"not_after,omitempty"`

	// Requested other SANs, in an array with the format <oid>;UTF8:<utf8 string value> for each entry.
	OtherSans []string `json:"other_sans,omitempty"`

	// Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".
	PrivateKeyFormat string `json:"private_key_format,omitempty"`

	// Whether or not to remove self-signed CA certificates in the output of the ca_chain field.
	RemoveRootsFromChain bool `json:"remove_roots_from_chain,omitempty"`

	// The Subject's requested serial number, if any. See RFC 4519 Section 2.31 'serialNumber' for a description of this field. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. This has no impact on the final certificate's Serial Number field.
	SerialNumber string `json:"serial_number,omitempty"`

	// The number of bits to use in the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for SHA-2-512. Defaults to 0 to automatically detect based on key length (SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).
	SignatureBits int32 `json:"signature_bits,omitempty"`

	// The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL.
	Ttl string `json:"ttl,omitempty"`

	// The requested URI SANs, if any, in a comma-delimited list.
	UriSans []string `json:"uri_sans,omitempty"`

	// Whether or not to use PSS signatures when using a RSA key-type issuer. Defaults to false.
	UsePss bool `json:"use_pss,omitempty"`

	// The requested user_ids value to place in the subject, if any, in a comma-delimited list. Restricted by allowed_user_ids. Any values are added with OID 0.9.2342.19200300.100.1.1.
	UserIds []string `json:"user_ids,omitempty"`
}

PkiSignVerbatimRequest struct for PkiSignVerbatimRequest

type PkiSignVerbatimResponse ¶ added in v0.3.0 

type PkiSignVerbatimResponse struct {
	// Certificate Chain
	CaChain []string `json:"ca_chain,omitempty"`

	// Certificate
	Certificate string `json:"certificate,omitempty"`

	// Time of expiration
	Expiration int64 `json:"expiration,omitempty"`

	// Issuing Certificate Authority
	IssuingCa string `json:"issuing_ca,omitempty"`

	// Serial Number
	SerialNumber string `json:"serial_number,omitempty"`
}

PkiSignVerbatimResponse struct for PkiSignVerbatimResponse

type PkiSignVerbatimWithRoleRequest ¶ added in v0.3.0 

type PkiSignVerbatimWithRoleRequest struct {
	// The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.
	AltNames string `json:"alt_names,omitempty"`

	// The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address.
	CommonName string `json:"common_name,omitempty"`

	// PEM-format CSR to be signed. Values will be taken verbatim from the CSR, except for basic constraints.
	Csr string `json:"csr,omitempty"`

	// If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).
	ExcludeCnFromSans bool `json:"exclude_cn_from_sans,omitempty"`

	// A comma-separated string or list of extended key usages. Valid values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage -- simply drop the \"ExtKeyUsage\" part of the name. To remove all key usages from being set, set this value to an empty list.
	ExtKeyUsage []string `json:"ext_key_usage,omitempty"`

	// A comma-separated string or list of extended key usage oids.
	ExtKeyUsageOids []string `json:"ext_key_usage_oids,omitempty"`

	// Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\", any private key and issuing cert will be appended to the certificate pem. If \"der\", the value will be base64 encoded. Defaults to \"pem\".
	Format string `json:"format,omitempty"`

	// The requested IP SANs, if any, in a comma-delimited list
	IpSans []string `json:"ip_sans,omitempty"`

	// Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.
	IssuerRef string `json:"issuer_ref,omitempty"`

	// A comma-separated string or list of key usages (not extended key usages). Valid values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage -- simply drop the \"KeyUsage\" part of the name. To remove all key usages from being set, set this value to an empty list.
	KeyUsage []string `json:"key_usage,omitempty"`

	// Set the not after field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ
	NotAfter string `json:"not_after,omitempty"`

	// Requested other SANs, in an array with the format <oid>;UTF8:<utf8 string value> for each entry.
	OtherSans []string `json:"other_sans,omitempty"`

	// Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".
	PrivateKeyFormat string `json:"private_key_format,omitempty"`

	// Whether or not to remove self-signed CA certificates in the output of the ca_chain field.
	RemoveRootsFromChain bool `json:"remove_roots_from_chain,omitempty"`

	// The Subject's requested serial number, if any. See RFC 4519 Section 2.31 'serialNumber' for a description of this field. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. This has no impact on the final certificate's Serial Number field.
	SerialNumber string `json:"serial_number,omitempty"`

	// The number of bits to use in the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for SHA-2-512. Defaults to 0 to automatically detect based on key length (SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).
	SignatureBits int32 `json:"signature_bits,omitempty"`

	// The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL.
	Ttl string `json:"ttl,omitempty"`

	// The requested URI SANs, if any, in a comma-delimited list.
	UriSans []string `json:"uri_sans,omitempty"`

	// Whether or not to use PSS signatures when using a RSA key-type issuer. Defaults to false.
	UsePss bool `json:"use_pss,omitempty"`

	// The requested user_ids value to place in the subject, if any, in a comma-delimited list. Restricted by allowed_user_ids. Any values are added with OID 0.9.2342.19200300.100.1.1.
	UserIds []string `json:"user_ids,omitempty"`
}

PkiSignVerbatimWithRoleRequest struct for PkiSignVerbatimWithRoleRequest

type PkiSignVerbatimWithRoleResponse ¶ added in v0.3.0 

type PkiSignVerbatimWithRoleResponse struct {
	// Certificate Chain
	CaChain []string `json:"ca_chain,omitempty"`

	// Certificate
	Certificate string `json:"certificate,omitempty"`

	// Time of expiration
	Expiration int64 `json:"expiration,omitempty"`

	// Issuing Certificate Authority
	IssuingCa string `json:"issuing_ca,omitempty"`

	// Serial Number
	SerialNumber string `json:"serial_number,omitempty"`
}

PkiSignVerbatimWithRoleResponse struct for PkiSignVerbatimWithRoleResponse

type PkiSignWithRoleRequest ¶ added in v0.3.0 

type PkiSignWithRoleRequest struct {
	// The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.
	AltNames string `json:"alt_names,omitempty"`

	// The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address.
	CommonName string `json:"common_name,omitempty"`

	// PEM-format CSR to be signed.
	Csr string `json:"csr,omitempty"`

	// If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).
	ExcludeCnFromSans bool `json:"exclude_cn_from_sans,omitempty"`

	// Format for returned data. Can be \"pem\", \"der\", or \"pem_bundle\". If \"pem_bundle\", any private key and issuing cert will be appended to the certificate pem. If \"der\", the value will be base64 encoded. Defaults to \"pem\".
	Format string `json:"format,omitempty"`

	// The requested IP SANs, if any, in a comma-delimited list
	IpSans []string `json:"ip_sans,omitempty"`

	// Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.
	IssuerRef string `json:"issuer_ref,omitempty"`

	// Set the not after field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ
	NotAfter string `json:"not_after,omitempty"`

	// Requested other SANs, in an array with the format <oid>;UTF8:<utf8 string value> for each entry.
	OtherSans []string `json:"other_sans,omitempty"`

	// Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".
	PrivateKeyFormat string `json:"private_key_format,omitempty"`

	// Whether or not to remove self-signed CA certificates in the output of the ca_chain field.
	RemoveRootsFromChain bool `json:"remove_roots_from_chain,omitempty"`

	// The Subject's requested serial number, if any. See RFC 4519 Section 2.31 'serialNumber' for a description of this field. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. This has no impact on the final certificate's Serial Number field.
	SerialNumber string `json:"serial_number,omitempty"`

	// The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL.
	Ttl string `json:"ttl,omitempty"`

	// The requested URI SANs, if any, in a comma-delimited list.
	UriSans []string `json:"uri_sans,omitempty"`

	// The requested user_ids value to place in the subject, if any, in a comma-delimited list. Restricted by allowed_user_ids. Any values are added with OID 0.9.2342.19200300.100.1.1.
	UserIds []string `json:"user_ids,omitempty"`
}

PkiSignWithRoleRequest struct for PkiSignWithRoleRequest

type PkiSignWithRoleResponse ¶ added in v0.3.0 

type PkiSignWithRoleResponse struct {
	// Certificate Chain
	CaChain []string `json:"ca_chain,omitempty"`

	// Certificate
	Certificate string `json:"certificate,omitempty"`

	// Time of expiration
	Expiration int64 `json:"expiration,omitempty"`

	// Issuing Certificate Authority
	IssuingCa string `json:"issuing_ca,omitempty"`

	// Serial Number
	SerialNumber string `json:"serial_number,omitempty"`
}

PkiSignWithRoleResponse struct for PkiSignWithRoleResponse

type PkiTidyCancelResponse ¶ added in v0.3.0 

type PkiTidyCancelResponse struct {
	// The number of revoked acme accounts removed
	AcmeAccountDeletedCount int32 `json:"acme_account_deleted_count,omitempty"`

	// The number of unused acme accounts revoked
	AcmeAccountRevokedCount int32 `json:"acme_account_revoked_count,omitempty"`

	// Safety buffer after creation after which accounts lacking orders are revoked
	AcmeAccountSafetyBuffer int32 `json:"acme_account_safety_buffer,omitempty"`

	// The number of expired, unused acme orders removed
	AcmeOrdersDeletedCount int32 `json:"acme_orders_deleted_count,omitempty"`

	// The number of certificate storage entries deleted
	CertStoreDeletedCount int32 `json:"cert_store_deleted_count,omitempty"`

	CrossRevokedCertDeletedCount int32 `json:"cross_revoked_cert_deleted_count,omitempty"`

	// The number of revoked certificate entries deleted
	CurrentCertStoreCount int32 `json:"current_cert_store_count,omitempty"`

	// The number of revoked certificate entries deleted
	CurrentRevokedCertCount int32 `json:"current_revoked_cert_count,omitempty"`

	// The error message
	Error string `json:"error,omitempty"`

	InternalBackendUuid string `json:"internal_backend_uuid,omitempty"`

	// Issuer safety buffer
	IssuerSafetyBuffer int32 `json:"issuer_safety_buffer,omitempty"`

	// Time the last auto-tidy operation finished
	LastAutoTidyFinished string `json:"last_auto_tidy_finished,omitempty"`

	// Message of the operation
	Message string `json:"message,omitempty"`

	MissingIssuerCertCount int32 `json:"missing_issuer_cert_count,omitempty"`

	// Duration to pause between tidying certificates
	PauseDuration string `json:"pause_duration,omitempty"`

	RevocationQueueDeletedCount int32 `json:"revocation_queue_deleted_count,omitempty"`

	// Revocation queue safety buffer
	RevocationQueueSafetyBuffer int32 `json:"revocation_queue_safety_buffer,omitempty"`

	// The number of revoked certificate entries deleted
	RevokedCertDeletedCount int32 `json:"revoked_cert_deleted_count,omitempty"`

	// Safety buffer time duration
	SafetyBuffer int32 `json:"safety_buffer,omitempty"`

	// One of Inactive, Running, Finished, or Error
	State string `json:"state,omitempty"`

	// Tidy Unused Acme Accounts, and Orders
	TidyAcme bool `json:"tidy_acme,omitempty"`

	// Tidy certificate store
	TidyCertStore bool `json:"tidy_cert_store,omitempty"`

	// Tidy the cross-cluster revoked certificate store
	TidyCrossClusterRevokedCerts bool `json:"tidy_cross_cluster_revoked_certs,omitempty"`

	// Tidy expired issuers
	TidyExpiredIssuers bool `json:"tidy_expired_issuers,omitempty"`

	TidyMoveLegacyCaBundle bool `json:"tidy_move_legacy_ca_bundle,omitempty"`

	TidyRevocationQueue bool `json:"tidy_revocation_queue,omitempty"`

	// Tidy revoked certificate issuer associations
	TidyRevokedCertIssuerAssociations bool `json:"tidy_revoked_cert_issuer_associations,omitempty"`

	// Tidy revoked certificates
	TidyRevokedCerts bool `json:"tidy_revoked_certs,omitempty"`

	// Time the operation finished
	TimeFinished string `json:"time_finished,omitempty"`

	// Time the operation started
	TimeStarted string `json:"time_started,omitempty"`

	// Total number of acme accounts iterated over
	TotalAcmeAccountCount int32 `json:"total_acme_account_count,omitempty"`
}

PkiTidyCancelResponse struct for PkiTidyCancelResponse

type PkiTidyRequest ¶ added in v0.3.0 

type PkiTidyRequest struct {
	// The amount of time that must pass after creation that an account with no orders is marked revoked, and the amount of time after being marked revoked or deactivated.
	AcmeAccountSafetyBuffer string `json:"acme_account_safety_buffer,omitempty"`

	// The amount of extra time that must have passed beyond issuer's expiration before it is removed from the backend storage. Defaults to 8760 hours (1 year).
	IssuerSafetyBuffer string `json:"issuer_safety_buffer,omitempty"`

	// The amount of time to wait between processing certificates. This allows operators to change the execution profile of tidy to take consume less resources by slowing down how long it takes to run. Note that the entire list of certificates will be stored in memory during the entire tidy operation, but resources to read/process/update existing entries will be spread out over a greater period of time. By default this is zero seconds.
	PauseDuration string `json:"pause_duration,omitempty"`

	// The amount of time that must pass from the cross-cluster revocation request being initiated to when it will be slated for removal. Setting this too low may remove valid revocation requests before the owning cluster has a chance to process them, especially if the cluster is offline.
	RevocationQueueSafetyBuffer string `json:"revocation_queue_safety_buffer,omitempty"`

	// The amount of extra time that must have passed beyond certificate expiration before it is removed from the backend storage and/or revocation list. Defaults to 72 hours.
	SafetyBuffer string `json:"safety_buffer,omitempty"`

	// Set to true to enable tidying ACME accounts, orders and authorizations. ACME orders are tidied (deleted) safety_buffer after the certificate associated with them expires, or after the order and relevant authorizations have expired if no certificate was produced. Authorizations are tidied with the corresponding order. When a valid ACME Account is at least acme_account_safety_buffer old, and has no remaining orders associated with it, the account is marked as revoked. After another acme_account_safety_buffer has passed from the revocation or deactivation date, a revoked or deactivated ACME account is deleted.
	TidyAcme bool `json:"tidy_acme,omitempty"`

	// Set to true to enable tidying up the certificate store
	TidyCertStore bool `json:"tidy_cert_store,omitempty"`

	// Set to true to enable tidying up the cross-cluster revoked certificate store. Only runs on the active primary node.
	TidyCrossClusterRevokedCerts bool `json:"tidy_cross_cluster_revoked_certs,omitempty"`

	// Set to true to automatically remove expired issuers past the issuer_safety_buffer. No keys will be removed as part of this operation.
	TidyExpiredIssuers bool `json:"tidy_expired_issuers,omitempty"`

	// Set to true to move the legacy ca_bundle from /config/ca_bundle to /config/ca_bundle.bak. This prevents downgrades to pre-Vault 1.11 versions (as older PKI engines do not know about the new multi-issuer storage layout), but improves the performance on seal wrapped PKI mounts. This will only occur if at least issuer_safety_buffer time has occurred after the initial storage migration. This backup is saved in case of an issue in future migrations. Operators may consider removing it via sys/raw if they desire. The backup will be removed via a DELETE /root call, but note that this removes ALL issuers within the mount (and is thus not desirable in most operational scenarios).
	TidyMoveLegacyCaBundle bool `json:"tidy_move_legacy_ca_bundle,omitempty"`

	// Deprecated; synonym for 'tidy_revoked_certs
	TidyRevocationList bool `json:"tidy_revocation_list,omitempty"`

	// Set to true to remove stale revocation queue entries that haven't been confirmed by any active cluster. Only runs on the active primary node
	TidyRevocationQueue bool `json:"tidy_revocation_queue,omitempty"`

	// Set to true to validate issuer associations on revocation entries. This helps increase the performance of CRL building and OCSP responses.
	TidyRevokedCertIssuerAssociations bool `json:"tidy_revoked_cert_issuer_associations,omitempty"`

	// Set to true to expire all revoked and expired certificates, removing them both from the CRL and from storage. The CRL will be rotated if this causes any values to be removed.
	TidyRevokedCerts bool `json:"tidy_revoked_certs,omitempty"`
}

PkiTidyRequest struct for PkiTidyRequest

type PkiTidyStatusResponse ¶ added in v0.3.0 

type PkiTidyStatusResponse struct {
	// The number of revoked acme accounts removed
	AcmeAccountDeletedCount int32 `json:"acme_account_deleted_count,omitempty"`

	// The number of unused acme accounts revoked
	AcmeAccountRevokedCount int32 `json:"acme_account_revoked_count,omitempty"`

	// Safety buffer after creation after which accounts lacking orders are revoked
	AcmeAccountSafetyBuffer int32 `json:"acme_account_safety_buffer,omitempty"`

	// The number of expired, unused acme orders removed
	AcmeOrdersDeletedCount int32 `json:"acme_orders_deleted_count,omitempty"`

	// The number of certificate storage entries deleted
	CertStoreDeletedCount int32 `json:"cert_store_deleted_count,omitempty"`

	CrossRevokedCertDeletedCount int32 `json:"cross_revoked_cert_deleted_count,omitempty"`

	// The number of revoked certificate entries deleted
	CurrentCertStoreCount int32 `json:"current_cert_store_count,omitempty"`

	// The number of revoked certificate entries deleted
	CurrentRevokedCertCount int32 `json:"current_revoked_cert_count,omitempty"`

	// The error message
	Error string `json:"error,omitempty"`

	InternalBackendUuid string `json:"internal_backend_uuid,omitempty"`

	// Issuer safety buffer
	IssuerSafetyBuffer int32 `json:"issuer_safety_buffer,omitempty"`

	// Time the last auto-tidy operation finished
	LastAutoTidyFinished string `json:"last_auto_tidy_finished,omitempty"`

	// Message of the operation
	Message string `json:"message,omitempty"`

	MissingIssuerCertCount int32 `json:"missing_issuer_cert_count,omitempty"`

	// Duration to pause between tidying certificates
	PauseDuration string `json:"pause_duration,omitempty"`

	RevocationQueueDeletedCount int32 `json:"revocation_queue_deleted_count,omitempty"`

	// Revocation queue safety buffer
	RevocationQueueSafetyBuffer int32 `json:"revocation_queue_safety_buffer,omitempty"`

	// The number of revoked certificate entries deleted
	RevokedCertDeletedCount int32 `json:"revoked_cert_deleted_count,omitempty"`

	// Safety buffer time duration
	SafetyBuffer int32 `json:"safety_buffer,omitempty"`

	// One of Inactive, Running, Finished, or Error
	State string `json:"state,omitempty"`

	// Tidy Unused Acme Accounts, and Orders
	TidyAcme bool `json:"tidy_acme,omitempty"`

	// Tidy certificate store
	TidyCertStore bool `json:"tidy_cert_store,omitempty"`

	// Tidy the cross-cluster revoked certificate store
	TidyCrossClusterRevokedCerts bool `json:"tidy_cross_cluster_revoked_certs,omitempty"`

	// Tidy expired issuers
	TidyExpiredIssuers bool `json:"tidy_expired_issuers,omitempty"`

	TidyMoveLegacyCaBundle bool `json:"tidy_move_legacy_ca_bundle,omitempty"`

	TidyRevocationQueue bool `json:"tidy_revocation_queue,omitempty"`

	// Tidy revoked certificate issuer associations
	TidyRevokedCertIssuerAssociations bool `json:"tidy_revoked_cert_issuer_associations,omitempty"`

	// Tidy revoked certificates
	TidyRevokedCerts bool `json:"tidy_revoked_certs,omitempty"`

	// Time the operation finished
	TimeFinished string `json:"time_finished,omitempty"`

	// Time the operation started
	TimeStarted string `json:"time_started,omitempty"`

	// Total number of acme accounts iterated over
	TotalAcmeAccountCount int32 `json:"total_acme_account_count,omitempty"`
}

PkiTidyStatusResponse struct for PkiTidyStatusResponse

type PkiWriteAcmeAccountKidRequest ¶ added in v0.4.0 

type PkiWriteAcmeAccountKidRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteAcmeAccountKidRequest struct for PkiWriteAcmeAccountKidRequest

type PkiWriteAcmeAuthorizationAuthIdRequest ¶ added in v0.4.0 

type PkiWriteAcmeAuthorizationAuthIdRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteAcmeAuthorizationAuthIdRequest struct for PkiWriteAcmeAuthorizationAuthIdRequest

type PkiWriteAcmeChallengeAuthIdChallengeTypeRequest ¶ added in v0.4.0 

type PkiWriteAcmeChallengeAuthIdChallengeTypeRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteAcmeChallengeAuthIdChallengeTypeRequest struct for PkiWriteAcmeChallengeAuthIdChallengeTypeRequest

type PkiWriteAcmeNewAccountRequest ¶ added in v0.4.0 

type PkiWriteAcmeNewAccountRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteAcmeNewAccountRequest struct for PkiWriteAcmeNewAccountRequest

type PkiWriteAcmeNewOrderRequest ¶ added in v0.4.0 

type PkiWriteAcmeNewOrderRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteAcmeNewOrderRequest struct for PkiWriteAcmeNewOrderRequest

type PkiWriteAcmeOrderOrderIdCertRequest ¶ added in v0.4.0 

type PkiWriteAcmeOrderOrderIdCertRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteAcmeOrderOrderIdCertRequest struct for PkiWriteAcmeOrderOrderIdCertRequest

type PkiWriteAcmeOrderOrderIdFinalizeRequest ¶ added in v0.4.0 

type PkiWriteAcmeOrderOrderIdFinalizeRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteAcmeOrderOrderIdFinalizeRequest struct for PkiWriteAcmeOrderOrderIdFinalizeRequest

type PkiWriteAcmeOrderOrderIdRequest ¶ added in v0.4.0 

type PkiWriteAcmeOrderOrderIdRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteAcmeOrderOrderIdRequest struct for PkiWriteAcmeOrderOrderIdRequest

type PkiWriteAcmeOrdersRequest ¶ added in v0.4.0 

type PkiWriteAcmeOrdersRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteAcmeOrdersRequest struct for PkiWriteAcmeOrdersRequest

type PkiWriteAcmeRevokeCertRequest ¶ added in v0.4.0 

type PkiWriteAcmeRevokeCertRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteAcmeRevokeCertRequest struct for PkiWriteAcmeRevokeCertRequest

type PkiWriteIssuerIssuerRefAcmeAccountKidRequest ¶ added in v0.4.0 

type PkiWriteIssuerIssuerRefAcmeAccountKidRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteIssuerIssuerRefAcmeAccountKidRequest struct for PkiWriteIssuerIssuerRefAcmeAccountKidRequest

type PkiWriteIssuerIssuerRefAcmeAuthorizationAuthIdRequest ¶ added in v0.4.0 

type PkiWriteIssuerIssuerRefAcmeAuthorizationAuthIdRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteIssuerIssuerRefAcmeAuthorizationAuthIdRequest struct for PkiWriteIssuerIssuerRefAcmeAuthorizationAuthIdRequest

type PkiWriteIssuerIssuerRefAcmeChallengeAuthIdChallengeTypeRequest ¶ added in v0.4.0 

type PkiWriteIssuerIssuerRefAcmeChallengeAuthIdChallengeTypeRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteIssuerIssuerRefAcmeChallengeAuthIdChallengeTypeRequest struct for PkiWriteIssuerIssuerRefAcmeChallengeAuthIdChallengeTypeRequest

type PkiWriteIssuerIssuerRefAcmeNewAccountRequest ¶ added in v0.4.0 

type PkiWriteIssuerIssuerRefAcmeNewAccountRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteIssuerIssuerRefAcmeNewAccountRequest struct for PkiWriteIssuerIssuerRefAcmeNewAccountRequest

type PkiWriteIssuerIssuerRefAcmeNewOrderRequest ¶ added in v0.4.0 

type PkiWriteIssuerIssuerRefAcmeNewOrderRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteIssuerIssuerRefAcmeNewOrderRequest struct for PkiWriteIssuerIssuerRefAcmeNewOrderRequest

type PkiWriteIssuerIssuerRefAcmeOrderOrderIdCertRequest ¶ added in v0.4.0 

type PkiWriteIssuerIssuerRefAcmeOrderOrderIdCertRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteIssuerIssuerRefAcmeOrderOrderIdCertRequest struct for PkiWriteIssuerIssuerRefAcmeOrderOrderIdCertRequest

type PkiWriteIssuerIssuerRefAcmeOrderOrderIdFinalizeRequest ¶ added in v0.4.0 

type PkiWriteIssuerIssuerRefAcmeOrderOrderIdFinalizeRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteIssuerIssuerRefAcmeOrderOrderIdFinalizeRequest struct for PkiWriteIssuerIssuerRefAcmeOrderOrderIdFinalizeRequest

type PkiWriteIssuerIssuerRefAcmeOrderOrderIdRequest ¶ added in v0.4.0 

type PkiWriteIssuerIssuerRefAcmeOrderOrderIdRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteIssuerIssuerRefAcmeOrderOrderIdRequest struct for PkiWriteIssuerIssuerRefAcmeOrderOrderIdRequest

type PkiWriteIssuerIssuerRefAcmeOrdersRequest ¶ added in v0.4.0 

type PkiWriteIssuerIssuerRefAcmeOrdersRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteIssuerIssuerRefAcmeOrdersRequest struct for PkiWriteIssuerIssuerRefAcmeOrdersRequest

type PkiWriteIssuerIssuerRefAcmeRevokeCertRequest ¶ added in v0.4.0 

type PkiWriteIssuerIssuerRefAcmeRevokeCertRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteIssuerIssuerRefAcmeRevokeCertRequest struct for PkiWriteIssuerIssuerRefAcmeRevokeCertRequest

type PkiWriteIssuerIssuerRefRolesRoleAcmeAccountKidRequest ¶ added in v0.4.0 

type PkiWriteIssuerIssuerRefRolesRoleAcmeAccountKidRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteIssuerIssuerRefRolesRoleAcmeAccountKidRequest struct for PkiWriteIssuerIssuerRefRolesRoleAcmeAccountKidRequest

type PkiWriteIssuerIssuerRefRolesRoleAcmeAuthorizationAuthIdRequest ¶ added in v0.4.0 

type PkiWriteIssuerIssuerRefRolesRoleAcmeAuthorizationAuthIdRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteIssuerIssuerRefRolesRoleAcmeAuthorizationAuthIdRequest struct for PkiWriteIssuerIssuerRefRolesRoleAcmeAuthorizationAuthIdRequest

type PkiWriteIssuerIssuerRefRolesRoleAcmeChallengeAuthIdChallengeTypeRequest ¶ added in v0.4.0 

type PkiWriteIssuerIssuerRefRolesRoleAcmeChallengeAuthIdChallengeTypeRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteIssuerIssuerRefRolesRoleAcmeChallengeAuthIdChallengeTypeRequest struct for PkiWriteIssuerIssuerRefRolesRoleAcmeChallengeAuthIdChallengeTypeRequest

type PkiWriteIssuerIssuerRefRolesRoleAcmeNewAccountRequest ¶ added in v0.4.0 

type PkiWriteIssuerIssuerRefRolesRoleAcmeNewAccountRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteIssuerIssuerRefRolesRoleAcmeNewAccountRequest struct for PkiWriteIssuerIssuerRefRolesRoleAcmeNewAccountRequest

type PkiWriteIssuerIssuerRefRolesRoleAcmeNewOrderRequest ¶ added in v0.4.0 

type PkiWriteIssuerIssuerRefRolesRoleAcmeNewOrderRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteIssuerIssuerRefRolesRoleAcmeNewOrderRequest struct for PkiWriteIssuerIssuerRefRolesRoleAcmeNewOrderRequest

type PkiWriteIssuerIssuerRefRolesRoleAcmeOrderOrderIdCertRequest ¶ added in v0.4.0 

type PkiWriteIssuerIssuerRefRolesRoleAcmeOrderOrderIdCertRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteIssuerIssuerRefRolesRoleAcmeOrderOrderIdCertRequest struct for PkiWriteIssuerIssuerRefRolesRoleAcmeOrderOrderIdCertRequest

type PkiWriteIssuerIssuerRefRolesRoleAcmeOrderOrderIdFinalizeRequest ¶ added in v0.4.0 

type PkiWriteIssuerIssuerRefRolesRoleAcmeOrderOrderIdFinalizeRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteIssuerIssuerRefRolesRoleAcmeOrderOrderIdFinalizeRequest struct for PkiWriteIssuerIssuerRefRolesRoleAcmeOrderOrderIdFinalizeRequest

type PkiWriteIssuerIssuerRefRolesRoleAcmeOrderOrderIdRequest ¶ added in v0.4.0 

type PkiWriteIssuerIssuerRefRolesRoleAcmeOrderOrderIdRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteIssuerIssuerRefRolesRoleAcmeOrderOrderIdRequest struct for PkiWriteIssuerIssuerRefRolesRoleAcmeOrderOrderIdRequest

type PkiWriteIssuerIssuerRefRolesRoleAcmeOrdersRequest ¶ added in v0.4.0 

type PkiWriteIssuerIssuerRefRolesRoleAcmeOrdersRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteIssuerIssuerRefRolesRoleAcmeOrdersRequest struct for PkiWriteIssuerIssuerRefRolesRoleAcmeOrdersRequest

type PkiWriteIssuerIssuerRefRolesRoleAcmeRevokeCertRequest ¶ added in v0.4.0 

type PkiWriteIssuerIssuerRefRolesRoleAcmeRevokeCertRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteIssuerIssuerRefRolesRoleAcmeRevokeCertRequest struct for PkiWriteIssuerIssuerRefRolesRoleAcmeRevokeCertRequest

type PkiWriteIssuerRequest ¶ added in v0.3.0 

type PkiWriteIssuerRequest struct {
	// Comma-separated list of URLs to be used for the CRL distribution points attribute. See also RFC 5280 Section 4.2.1.13.
	CrlDistributionPoints []string `json:"crl_distribution_points,omitempty"`

	// Whether or not to enabling templating of the above AIA fields. When templating is enabled the special values '{{issuer_id}}', '{{cluster_path}}', '{{cluster_aia_path}}' are available, but the addresses are not checked for URL validity until issuance time. Using '{{cluster_path}}' requires /config/cluster's 'path' member to be set on all PR Secondary clusters and using '{{cluster_aia_path}}' requires /config/cluster's 'aia_path' member to be set on all PR secondary clusters.
	EnableAiaUrlTemplating bool `json:"enable_aia_url_templating,omitempty"`

	// Provide a name to the generated or existing issuer, the name must be unique across all issuers and not be the reserved value 'default'
	IssuerName string `json:"issuer_name,omitempty"`

	// Comma-separated list of URLs to be used for the issuing certificate attribute. See also RFC 5280 Section 4.2.2.1.
	IssuingCertificates []string `json:"issuing_certificates,omitempty"`

	// Behavior of leaf's NotAfter fields: \"err\" to error if the computed NotAfter date exceeds that of this issuer; \"truncate\" to silently truncate to that of this issuer; or \"permit\" to allow this issuance to succeed (with NotAfter exceeding that of an issuer). Note that not all values will results in certificates that can be validated through the entire validity period. It is suggested to use \"truncate\" for intermediate CAs and \"permit\" only for root CAs.
	LeafNotAfterBehavior string `json:"leaf_not_after_behavior,omitempty"`

	// Chain of issuer references to use to build this issuer's computed CAChain field, when non-empty.
	ManualChain []string `json:"manual_chain,omitempty"`

	// Comma-separated list of URLs to be used for the OCSP servers attribute. See also RFC 5280 Section 4.2.2.1.
	OcspServers []string `json:"ocsp_servers,omitempty"`

	// Which x509.SignatureAlgorithm name to use for signing CRLs. This parameter allows differentiation between PKCS#1v1.5 and PSS keys and choice of signature hash algorithm. The default (empty string) value is for Go to select the signature algorithm. This can fail if the underlying key does not support the requested signature algorithm, which may not be known at modification time (such as with PKCS#11 managed RSA keys).
	RevocationSignatureAlgorithm string `json:"revocation_signature_algorithm,omitempty"`

	// Comma-separated list (or string slice) of usages for this issuer; valid values are \"read-only\", \"issuing-certificates\", \"crl-signing\", and \"ocsp-signing\". Multiple values may be specified. Read-only is implicit and always set.
	Usage []string `json:"usage,omitempty"`
}

PkiWriteIssuerRequest struct for PkiWriteIssuerRequest

type PkiWriteIssuerResponse ¶ added in v0.3.0 

type PkiWriteIssuerResponse struct {
	// CA Chain
	CaChain []string `json:"ca_chain,omitempty"`

	// Certificate
	Certificate string `json:"certificate,omitempty"`

	// CRL Distribution Points
	CrlDistributionPoints []string `json:"crl_distribution_points,omitempty"`

	// Whether or not templating is enabled for AIA fields
	EnableAiaUrlTemplating bool `json:"enable_aia_url_templating,omitempty"`

	// Issuer Id
	IssuerId string `json:"issuer_id,omitempty"`

	// Issuer Name
	IssuerName string `json:"issuer_name,omitempty"`

	// Issuing Certificates
	IssuingCertificates []string `json:"issuing_certificates,omitempty"`

	// Key Id
	KeyId string `json:"key_id,omitempty"`

	// Leaf Not After Behavior
	LeafNotAfterBehavior string `json:"leaf_not_after_behavior,omitempty"`

	// Manual Chain
	ManualChain []string `json:"manual_chain,omitempty"`

	// OCSP Servers
	OcspServers []string `json:"ocsp_servers,omitempty"`

	// Revocation Signature Alogrithm
	RevocationSignatureAlgorithm string `json:"revocation_signature_algorithm,omitempty"`

	RevocationTime int32 `json:"revocation_time,omitempty"`

	RevocationTimeRfc3339 string `json:"revocation_time_rfc3339,omitempty"`

	// Revoked
	Revoked bool `json:"revoked,omitempty"`

	// Usage
	Usage string `json:"usage,omitempty"`
}

PkiWriteIssuerResponse struct for PkiWriteIssuerResponse

type PkiWriteKeyRequest ¶ added in v0.3.0 

type PkiWriteKeyRequest struct {
	// Human-readable name for this key.
	KeyName string `json:"key_name,omitempty"`
}

PkiWriteKeyRequest struct for PkiWriteKeyRequest

type PkiWriteKeyResponse ¶ added in v0.3.0 

type PkiWriteKeyResponse struct {
	// Key Id
	KeyId string `json:"key_id,omitempty"`

	// Key Name
	KeyName string `json:"key_name,omitempty"`

	// Key Type
	KeyType string `json:"key_type,omitempty"`
}

PkiWriteKeyResponse struct for PkiWriteKeyResponse

type PkiWriteRoleRequest ¶ added in v0.3.0 

type PkiWriteRoleRequest struct {
	// If set, clients can request certificates for any domain, regardless of allowed_domains restrictions. See the documentation for more information.
	AllowAnyName bool `json:"allow_any_name,omitempty"`

	// If set, clients can request certificates for the base domains themselves, e.g. \"example.com\" of domains listed in allowed_domains. This is a separate option as in some cases this can be considered a security threat. See the documentation for more information.
	AllowBareDomains bool `json:"allow_bare_domains,omitempty"`

	// If set, domains specified in allowed_domains can include shell-style glob patterns, e.g. \"ftp*.example.com\". See the documentation for more information.
	AllowGlobDomains bool `json:"allow_glob_domains,omitempty"`

	// If set, IP Subject Alternative Names are allowed. Any valid IP is accepted and No authorization checking is performed.
	AllowIpSans bool `json:"allow_ip_sans,omitempty"`

	// Whether to allow \"localhost\" and \"localdomain\" as a valid common name in a request, independent of allowed_domains value.
	AllowLocalhost bool `json:"allow_localhost,omitempty"`

	// If set, clients can request certificates for subdomains of domains listed in allowed_domains, including wildcard subdomains. See the documentation for more information.
	AllowSubdomains bool `json:"allow_subdomains,omitempty"`

	// If set, allows certificates with wildcards in the common name to be issued, conforming to RFC 6125's Section 6.4.3; e.g., \"*.example.net\" or \"b*z.example.net\". See the documentation for more information.
	AllowWildcardCertificates bool `json:"allow_wildcard_certificates,omitempty"`

	// Specifies the domains this role is allowed to issue certificates for. This is used with the allow_bare_domains, allow_subdomains, and allow_glob_domains to determine matches for the common name, DNS-typed SAN entries, and Email-typed SAN entries of certificates. See the documentation for more information. This parameter accepts a comma-separated string or list of domains.
	AllowedDomains []string `json:"allowed_domains,omitempty"`

	// If set, Allowed domains can be specified using identity template policies. Non-templated domains are also permitted.
	AllowedDomainsTemplate bool `json:"allowed_domains_template,omitempty"`

	// If set, an array of allowed other names to put in SANs. These values support globbing and must be in the format <oid>;<type>:<value>. Currently only \"utf8\" is a valid type. All values, including globbing values, must use this syntax, with the exception being a single \"*\" which allows any OID and any value (but type must still be utf8).
	AllowedOtherSans []string `json:"allowed_other_sans,omitempty"`

	// If set, an array of allowed serial numbers to put in Subject. These values support globbing.
	AllowedSerialNumbers []string `json:"allowed_serial_numbers,omitempty"`

	// If set, an array of allowed URIs for URI Subject Alternative Names. Any valid URI is accepted, these values support globbing.
	AllowedUriSans []string `json:"allowed_uri_sans,omitempty"`

	// If set, Allowed URI SANs can be specified using identity template policies. Non-templated URI SANs are also permitted.
	AllowedUriSansTemplate bool `json:"allowed_uri_sans_template,omitempty"`

	// If set, an array of allowed user-ids to put in user system login name specified here: https://www.rfc-editor.org/rfc/rfc1274#section-9.3.1
	AllowedUserIds []string `json:"allowed_user_ids,omitempty"`

	// Backend Type
	Backend string `json:"backend,omitempty"`

	// Mark Basic Constraints valid when issuing non-CA certificates.
	BasicConstraintsValidForNonCa bool `json:"basic_constraints_valid_for_non_ca,omitempty"`

	// If set, certificates are flagged for client auth use. Defaults to true. See also RFC 5280 Section 4.2.1.12.
	ClientFlag bool `json:"client_flag,omitempty"`

	// List of allowed validations to run against the Common Name field. Values can include 'email' to validate the CN is a email address, 'hostname' to validate the CN is a valid hostname (potentially including wildcards). When multiple validations are specified, these take OR semantics (either email OR hostname are allowed). The special value 'disabled' allows disabling all CN name validations, allowing for arbitrary non-Hostname, non-Email address CNs.
	CnValidations []string `json:"cn_validations,omitempty"`

	// If set, certificates are flagged for code signing use. Defaults to false. See also RFC 5280 Section 4.2.1.12.
	CodeSigningFlag bool `json:"code_signing_flag,omitempty"`

	// If set, Country will be set to this value in certificates issued by this role.
	Country []string `json:"country,omitempty"`

	// If set, certificates are flagged for email protection use. Defaults to false. See also RFC 5280 Section 4.2.1.12.
	EmailProtectionFlag bool `json:"email_protection_flag,omitempty"`

	// If set, only valid host names are allowed for CN and DNS SANs, and the host part of email addresses. Defaults to true.
	EnforceHostnames bool `json:"enforce_hostnames,omitempty"`

	// A comma-separated string or list of extended key usages. Valid values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage -- simply drop the \"ExtKeyUsage\" part of the name. To remove all key usages from being set, set this value to an empty list. See also RFC 5280 Section 4.2.1.12.
	ExtKeyUsage []string `json:"ext_key_usage,omitempty"`

	// A comma-separated string or list of extended key usage oids.
	ExtKeyUsageOids []string `json:"ext_key_usage_oids,omitempty"`

	// If set, certificates issued/signed against this role will have Vault leases attached to them. Defaults to \"false\". Certificates can be added to the CRL by \"vault revoke <lease_id>\" when certificates are associated with leases. It can also be done using the \"pki/revoke\" endpoint. However, when lease generation is disabled, invoking \"pki/revoke\" would be the only way to add the certificates to the CRL. When large number of certificates are generated with long lifetimes, it is recommended that lease generation be disabled, as large amount of leases adversely affect the startup time of Vault.
	GenerateLease bool `json:"generate_lease,omitempty"`

	// Reference to the issuer used to sign requests serviced by this role.
	IssuerRef string `json:"issuer_ref,omitempty"`

	// The number of bits to use. Allowed values are 0 (universal default); with rsa key_type: 2048 (default), 3072, or 4096; with ec key_type: 224, 256 (default), 384, or 521; ignored with ed25519.
	KeyBits int32 `json:"key_bits,omitempty"`

	// The type of key to use; defaults to RSA. \"rsa\" \"ec\", \"ed25519\" and \"any\" are the only valid values.
	KeyType string `json:"key_type,omitempty"`

	// A comma-separated string or list of key usages (not extended key usages). Valid values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage -- simply drop the \"KeyUsage\" part of the name. To remove all key usages from being set, set this value to an empty list. See also RFC 5280 Section 4.2.1.3.
	KeyUsage []string `json:"key_usage,omitempty"`

	// If set, Locality will be set to this value in certificates issued by this role.
	Locality []string `json:"locality,omitempty"`

	// The maximum allowed lease duration. If not set, defaults to the system maximum lease TTL.
	MaxTtl string `json:"max_ttl,omitempty"`

	// If set, certificates issued/signed against this role will not be stored in the storage backend. This can improve performance when issuing large numbers of certificates. However, certificates issued in this way cannot be enumerated or revoked, so this option is recommended only for certificates that are non-sensitive, or extremely short-lived. This option implies a value of \"false\" for \"generate_lease\".
	NoStore bool `json:"no_store,omitempty"`

	// Set the not after field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ.
	NotAfter string `json:"not_after,omitempty"`

	// The duration before now which the certificate needs to be backdated by.
	NotBeforeDuration string `json:"not_before_duration,omitempty"`

	// If set, O (Organization) will be set to this value in certificates issued by this role.
	Organization []string `json:"organization,omitempty"`

	// If set, OU (OrganizationalUnit) will be set to this value in certificates issued by this role.
	Ou []string `json:"ou,omitempty"`

	// A comma-separated string or list of policy OIDs, or a JSON list of qualified policy information, which must include an oid, and may include a notice and/or cps url, using the form [{\"oid\"=\"1.3.6.1.4.1.7.8\",\"notice\"=\"I am a user Notice\"}, {\"oid\"=\"1.3.6.1.4.1.44947.1.2.4 \",\"cps\"=\"https://example.com\"}].
	PolicyIdentifiers []string `json:"policy_identifiers,omitempty"`

	// If set, Postal Code will be set to this value in certificates issued by this role.
	PostalCode []string `json:"postal_code,omitempty"`

	// If set, Province will be set to this value in certificates issued by this role.
	Province []string `json:"province,omitempty"`

	// If set to false, makes the 'common_name' field optional while generating a certificate.
	RequireCn bool `json:"require_cn,omitempty"`

	// If set, certificates are flagged for server auth use. Defaults to true. See also RFC 5280 Section 4.2.1.12.
	ServerFlag bool `json:"server_flag,omitempty"`

	// The number of bits to use in the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for SHA-2-512. Defaults to 0 to automatically detect based on key length (SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).
	SignatureBits int32 `json:"signature_bits,omitempty"`

	// If set, Street Address will be set to this value in certificates issued by this role.
	StreetAddress []string `json:"street_address,omitempty"`

	// The lease duration (validity period of the certificate) if no specific lease duration is requested. The lease duration controls the expiration of certificates issued by this backend. Defaults to the system default value or the value of max_ttl, whichever is shorter.
	Ttl string `json:"ttl,omitempty"`

	// If set, when used with a signing profile, the common name in the CSR will be used. This does *not* include any requested Subject Alternative Names; use use_csr_sans for that. Defaults to true.
	UseCsrCommonName bool `json:"use_csr_common_name,omitempty"`

	// If set, when used with a signing profile, the SANs in the CSR will be used. This does *not* include the Common Name (cn); use use_csr_common_name for that. Defaults to true.
	UseCsrSans bool `json:"use_csr_sans,omitempty"`

	// Whether or not to use PSS signatures when using a RSA key-type issuer. Defaults to false.
	UsePss bool `json:"use_pss,omitempty"`
}

PkiWriteRoleRequest struct for PkiWriteRoleRequest

type PkiWriteRoleResponse ¶ added in v0.3.0 

type PkiWriteRoleResponse struct {
	// If set, clients can request certificates for any domain, regardless of allowed_domains restrictions. See the documentation for more information.
	AllowAnyName bool `json:"allow_any_name,omitempty"`

	// If set, clients can request certificates for the base domains themselves, e.g. \"example.com\" of domains listed in allowed_domains. This is a separate option as in some cases this can be considered a security threat. See the documentation for more information.
	AllowBareDomains bool `json:"allow_bare_domains,omitempty"`

	// If set, domains specified in allowed_domains can include shell-style glob patterns, e.g. \"ftp*.example.com\". See the documentation for more information.
	AllowGlobDomains bool `json:"allow_glob_domains,omitempty"`

	// If set, IP Subject Alternative Names are allowed. Any valid IP is accepted and No authorization checking is performed.
	AllowIpSans bool `json:"allow_ip_sans,omitempty"`

	// Whether to allow \"localhost\" and \"localdomain\" as a valid common name in a request, independent of allowed_domains value.
	AllowLocalhost bool `json:"allow_localhost,omitempty"`

	// If set, clients can request certificates for subdomains of domains listed in allowed_domains, including wildcard subdomains. See the documentation for more information.
	AllowSubdomains bool `json:"allow_subdomains,omitempty"`

	// Whether to allow \"localhost\" and \"localdomain\" as a valid common name in a request, independent of allowed_domains value.
	AllowTokenDisplayname bool `json:"allow_token_displayname,omitempty"`

	// If set, allows certificates with wildcards in the common name to be issued, conforming to RFC 6125's Section 6.4.3; e.g., \"*.example.net\" or \"b*z.example.net\". See the documentation for more information.
	AllowWildcardCertificates bool `json:"allow_wildcard_certificates,omitempty"`

	// Specifies the domains this role is allowed to issue certificates for. This is used with the allow_bare_domains, allow_subdomains, and allow_glob_domains to determine matches for the common name, DNS-typed SAN entries, and Email-typed SAN entries of certificates. See the documentation for more information. This parameter accepts a comma-separated string or list of domains.
	AllowedDomains []string `json:"allowed_domains,omitempty"`

	// If set, Allowed domains can be specified using identity template policies. Non-templated domains are also permitted.
	AllowedDomainsTemplate bool `json:"allowed_domains_template,omitempty"`

	// If set, an array of allowed other names to put in SANs. These values support globbing and must be in the format <oid>;<type>:<value>. Currently only \"utf8\" is a valid type. All values, including globbing values, must use this syntax, with the exception being a single \"*\" which allows any OID and any value (but type must still be utf8).
	AllowedOtherSans []string `json:"allowed_other_sans,omitempty"`

	// If set, an array of allowed serial numbers to put in Subject. These values support globbing.
	AllowedSerialNumbers []string `json:"allowed_serial_numbers,omitempty"`

	// If set, an array of allowed URIs for URI Subject Alternative Names. Any valid URI is accepted, these values support globbing.
	AllowedUriSans []string `json:"allowed_uri_sans,omitempty"`

	// If set, Allowed URI SANs can be specified using identity template policies. Non-templated URI SANs are also permitted.
	AllowedUriSansTemplate bool `json:"allowed_uri_sans_template,omitempty"`

	// If set, an array of allowed user-ids to put in user system login name specified here: https://www.rfc-editor.org/rfc/rfc1274#section-9.3.1
	AllowedUserIds []string `json:"allowed_user_ids,omitempty"`

	// Mark Basic Constraints valid when issuing non-CA certificates.
	BasicConstraintsValidForNonCa bool `json:"basic_constraints_valid_for_non_ca,omitempty"`

	// If set, certificates are flagged for client auth use. Defaults to true. See also RFC 5280 Section 4.2.1.12.
	ClientFlag bool `json:"client_flag,omitempty"`

	// List of allowed validations to run against the Common Name field. Values can include 'email' to validate the CN is a email address, 'hostname' to validate the CN is a valid hostname (potentially including wildcards). When multiple validations are specified, these take OR semantics (either email OR hostname are allowed). The special value 'disabled' allows disabling all CN name validations, allowing for arbitrary non-Hostname, non-Email address CNs.
	CnValidations []string `json:"cn_validations,omitempty"`

	// If set, certificates are flagged for code signing use. Defaults to false. See also RFC 5280 Section 4.2.1.12.
	CodeSigningFlag bool `json:"code_signing_flag,omitempty"`

	// If set, Country will be set to this value in certificates issued by this role.
	Country []string `json:"country,omitempty"`

	// If set, certificates are flagged for email protection use. Defaults to false. See also RFC 5280 Section 4.2.1.12.
	EmailProtectionFlag bool `json:"email_protection_flag,omitempty"`

	// If set, only valid host names are allowed for CN and DNS SANs, and the host part of email addresses. Defaults to true.
	EnforceHostnames bool `json:"enforce_hostnames,omitempty"`

	// A comma-separated string or list of extended key usages. Valid values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage -- simply drop the \"ExtKeyUsage\" part of the name. To remove all key usages from being set, set this value to an empty list. See also RFC 5280 Section 4.2.1.12.
	ExtKeyUsage []string `json:"ext_key_usage,omitempty"`

	// A comma-separated string or list of extended key usage oids.
	ExtKeyUsageOids []string `json:"ext_key_usage_oids,omitempty"`

	// If set, certificates issued/signed against this role will have Vault leases attached to them. Defaults to \"false\". Certificates can be added to the CRL by \"vault revoke <lease_id>\" when certificates are associated with leases. It can also be done using the \"pki/revoke\" endpoint. However, when lease generation is disabled, invoking \"pki/revoke\" would be the only way to add the certificates to the CRL. When large number of certificates are generated with long lifetimes, it is recommended that lease generation be disabled, as large amount of leases adversely affect the startup time of Vault.
	GenerateLease bool `json:"generate_lease,omitempty"`

	// Reference to the issuer used to sign requests serviced by this role.
	IssuerRef string `json:"issuer_ref,omitempty"`

	// The number of bits to use. Allowed values are 0 (universal default); with rsa key_type: 2048 (default), 3072, or 4096; with ec key_type: 224, 256 (default), 384, or 521; ignored with ed25519.
	KeyBits int32 `json:"key_bits,omitempty"`

	// The type of key to use; defaults to RSA. \"rsa\" \"ec\", \"ed25519\" and \"any\" are the only valid values.
	KeyType string `json:"key_type,omitempty"`

	// A comma-separated string or list of key usages (not extended key usages). Valid values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage -- simply drop the \"KeyUsage\" part of the name. To remove all key usages from being set, set this value to an empty list. See also RFC 5280 Section 4.2.1.3.
	KeyUsage []string `json:"key_usage,omitempty"`

	// If set, Locality will be set to this value in certificates issued by this role.
	Locality []string `json:"locality,omitempty"`

	// The maximum allowed lease duration. If not set, defaults to the system maximum lease TTL.
	MaxTtl int64 `json:"max_ttl,omitempty"`

	// If set, certificates issued/signed against this role will not be stored in the storage backend. This can improve performance when issuing large numbers of certificates. However, certificates issued in this way cannot be enumerated or revoked, so this option is recommended only for certificates that are non-sensitive, or extremely short-lived. This option implies a value of \"false\" for \"generate_lease\".
	NoStore bool `json:"no_store,omitempty"`

	// Set the not after field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ.
	NotAfter string `json:"not_after,omitempty"`

	// The duration in seconds before now which the certificate needs to be backdated by.
	NotBeforeDuration int64 `json:"not_before_duration,omitempty"`

	// If set, O (Organization) will be set to this value in certificates issued by this role.
	Organization []string `json:"organization,omitempty"`

	// If set, OU (OrganizationalUnit) will be set to this value in certificates issued by this role.
	Ou []string `json:"ou,omitempty"`

	// A comma-separated string or list of policy OIDs, or a JSON list of qualified policy information, which must include an oid, and may include a notice and/or cps url, using the form [{\"oid\"=\"1.3.6.1.4.1.7.8\",\"notice\"=\"I am a user Notice\"}, {\"oid\"=\"1.3.6.1.4.1.44947.1.2.4 \",\"cps\"=\"https://example.com\"}].
	PolicyIdentifiers []string `json:"policy_identifiers,omitempty"`

	// If set, Postal Code will be set to this value in certificates issued by this role.
	PostalCode []string `json:"postal_code,omitempty"`

	// If set, Province will be set to this value in certificates issued by this role.
	Province []string `json:"province,omitempty"`

	// If set to false, makes the 'common_name' field optional while generating a certificate.
	RequireCn bool `json:"require_cn,omitempty"`

	// If set, certificates are flagged for server auth use. Defaults to true. See also RFC 5280 Section 4.2.1.12.
	ServerFlag bool `json:"server_flag,omitempty"`

	// The number of bits to use in the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for SHA-2-512. Defaults to 0 to automatically detect based on key length (SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).
	SignatureBits int32 `json:"signature_bits,omitempty"`

	// If set, Street Address will be set to this value in certificates issued by this role.
	StreetAddress []string `json:"street_address,omitempty"`

	// The lease duration (validity period of the certificate) if no specific lease duration is requested. The lease duration controls the expiration of certificates issued by this backend. Defaults to the system default value or the value of max_ttl, whichever is shorter.
	Ttl int64 `json:"ttl,omitempty"`

	// If set, when used with a signing profile, the common name in the CSR will be used. This does *not* include any requested Subject Alternative Names; use use_csr_sans for that. Defaults to true.
	UseCsrCommonName bool `json:"use_csr_common_name,omitempty"`

	// If set, when used with a signing profile, the SANs in the CSR will be used. This does *not* include the Common Name (cn); use use_csr_common_name for that. Defaults to true.
	UseCsrSans bool `json:"use_csr_sans,omitempty"`

	// Whether or not to use PSS signatures when using a RSA key-type issuer. Defaults to false.
	UsePss bool `json:"use_pss,omitempty"`
}

PkiWriteRoleResponse struct for PkiWriteRoleResponse

type PkiWriteRolesRoleAcmeAccountKidRequest ¶ added in v0.4.0 

type PkiWriteRolesRoleAcmeAccountKidRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteRolesRoleAcmeAccountKidRequest struct for PkiWriteRolesRoleAcmeAccountKidRequest

type PkiWriteRolesRoleAcmeAuthorizationAuthIdRequest ¶ added in v0.4.0 

type PkiWriteRolesRoleAcmeAuthorizationAuthIdRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteRolesRoleAcmeAuthorizationAuthIdRequest struct for PkiWriteRolesRoleAcmeAuthorizationAuthIdRequest

type PkiWriteRolesRoleAcmeChallengeAuthIdChallengeTypeRequest ¶ added in v0.4.0 

type PkiWriteRolesRoleAcmeChallengeAuthIdChallengeTypeRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteRolesRoleAcmeChallengeAuthIdChallengeTypeRequest struct for PkiWriteRolesRoleAcmeChallengeAuthIdChallengeTypeRequest

type PkiWriteRolesRoleAcmeNewAccountRequest ¶ added in v0.4.0 

type PkiWriteRolesRoleAcmeNewAccountRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteRolesRoleAcmeNewAccountRequest struct for PkiWriteRolesRoleAcmeNewAccountRequest

type PkiWriteRolesRoleAcmeNewOrderRequest ¶ added in v0.4.0 

type PkiWriteRolesRoleAcmeNewOrderRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteRolesRoleAcmeNewOrderRequest struct for PkiWriteRolesRoleAcmeNewOrderRequest

type PkiWriteRolesRoleAcmeOrderOrderIdCertRequest ¶ added in v0.4.0 

type PkiWriteRolesRoleAcmeOrderOrderIdCertRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteRolesRoleAcmeOrderOrderIdCertRequest struct for PkiWriteRolesRoleAcmeOrderOrderIdCertRequest

type PkiWriteRolesRoleAcmeOrderOrderIdFinalizeRequest ¶ added in v0.4.0 

type PkiWriteRolesRoleAcmeOrderOrderIdFinalizeRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteRolesRoleAcmeOrderOrderIdFinalizeRequest struct for PkiWriteRolesRoleAcmeOrderOrderIdFinalizeRequest

type PkiWriteRolesRoleAcmeOrderOrderIdRequest ¶ added in v0.4.0 

type PkiWriteRolesRoleAcmeOrderOrderIdRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteRolesRoleAcmeOrderOrderIdRequest struct for PkiWriteRolesRoleAcmeOrderOrderIdRequest

type PkiWriteRolesRoleAcmeOrdersRequest ¶ added in v0.4.0 

type PkiWriteRolesRoleAcmeOrdersRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteRolesRoleAcmeOrdersRequest struct for PkiWriteRolesRoleAcmeOrdersRequest

type PkiWriteRolesRoleAcmeRevokeCertRequest ¶ added in v0.4.0 

type PkiWriteRolesRoleAcmeRevokeCertRequest struct {
	// ACME request 'payload' value
	Payload string `json:"payload,omitempty"`

	// ACME request 'protected' value
	Protected string `json:"protected,omitempty"`

	// ACME request 'signature' value
	Signature string `json:"signature,omitempty"`
}

PkiWriteRolesRoleAcmeRevokeCertRequest struct for PkiWriteRolesRoleAcmeRevokeCertRequest

type PluginsCatalogListPluginsResponse ¶ added in v0.3.0 

type PluginsCatalogListPluginsResponse struct {
	Detailed map[string]interface{} `json:"detailed,omitempty"`
}

PluginsCatalogListPluginsResponse struct for PluginsCatalogListPluginsResponse

type PluginsCatalogListPluginsWithTypeResponse ¶ added in v0.3.0 

type PluginsCatalogListPluginsWithTypeResponse struct {
	// List of plugin names in the catalog
	Keys []string `json:"keys,omitempty"`
}

PluginsCatalogListPluginsWithTypeResponse struct for PluginsCatalogListPluginsWithTypeResponse

type PluginsCatalogReadPluginConfigurationResponse ¶ added in v0.3.0 

type PluginsCatalogReadPluginConfigurationResponse struct {
	// The args passed to plugin command.
	Args []string `json:"args,omitempty"`

	Builtin bool `json:"builtin,omitempty"`

	// The command used to start the plugin. The executable defined in this command must exist in vault's plugin directory.
	Command string `json:"command,omitempty"`

	DeprecationStatus string `json:"deprecation_status,omitempty"`

	// The name of the plugin
	Name string `json:"name,omitempty"`

	// The name of the OCI image to be run, without the tag or SHA256. Must already be present on the machine.
	OciImage string `json:"oci_image,omitempty"`

	// The SHA256 sum of the executable or container to be run. This should be HEX encoded.
	Sha256 string `json:"sha256,omitempty"`

	// The semantic version of the plugin to use, or image tag if oci_image is provided.
	Version string `json:"version,omitempty"`
}

PluginsCatalogReadPluginConfigurationResponse struct for PluginsCatalogReadPluginConfigurationResponse

type PluginsCatalogReadPluginConfigurationWithTypeResponse ¶ added in v0.3.0 

type PluginsCatalogReadPluginConfigurationWithTypeResponse struct {
	// The args passed to plugin command.
	Args []string `json:"args,omitempty"`

	Builtin bool `json:"builtin,omitempty"`

	// The command used to start the plugin. The executable defined in this command must exist in vault's plugin directory.
	Command string `json:"command,omitempty"`

	DeprecationStatus string `json:"deprecation_status,omitempty"`

	// The name of the plugin
	Name string `json:"name,omitempty"`

	// The name of the OCI image to be run, without the tag or SHA256. Must already be present on the machine.
	OciImage string `json:"oci_image,omitempty"`

	// The SHA256 sum of the executable or container to be run. This should be HEX encoded.
	Sha256 string `json:"sha256,omitempty"`

	// The semantic version of the plugin to use, or image tag if oci_image is provided.
	Version string `json:"version,omitempty"`
}

PluginsCatalogReadPluginConfigurationWithTypeResponse struct for PluginsCatalogReadPluginConfigurationWithTypeResponse

type PluginsCatalogRegisterPluginRequest ¶ added in v0.3.0 

type PluginsCatalogRegisterPluginRequest struct {
	// The args passed to plugin command.
	Args []string `json:"args,omitempty"`

	// The command used to start the plugin. The executable defined in this command must exist in vault's plugin directory.
	Command string `json:"command,omitempty"`

	// The environment variables passed to plugin command. Each entry is of the form \"key=value\".
	Env []string `json:"env,omitempty"`

	// The name of the OCI image to be run, without the tag or SHA256. Must already be present on the machine.
	OciImage string `json:"oci_image,omitempty"`

	// The SHA256 sum of the executable or container to be run. This should be HEX encoded.
	Sha256 string `json:"sha256,omitempty"`

	// The semantic version of the plugin to use, or image tag if oci_image is provided.
	Version string `json:"version,omitempty"`
}

PluginsCatalogRegisterPluginRequest struct for PluginsCatalogRegisterPluginRequest

type PluginsCatalogRegisterPluginWithTypeRequest ¶ added in v0.3.0 

type PluginsCatalogRegisterPluginWithTypeRequest struct {
	// The args passed to plugin command.
	Args []string `json:"args,omitempty"`

	// The command used to start the plugin. The executable defined in this command must exist in vault's plugin directory.
	Command string `json:"command,omitempty"`

	// The environment variables passed to plugin command. Each entry is of the form \"key=value\".
	Env []string `json:"env,omitempty"`

	// The name of the OCI image to be run, without the tag or SHA256. Must already be present on the machine.
	OciImage string `json:"oci_image,omitempty"`

	// The SHA256 sum of the executable or container to be run. This should be HEX encoded.
	Sha256 string `json:"sha256,omitempty"`

	// The semantic version of the plugin to use, or image tag if oci_image is provided.
	Version string `json:"version,omitempty"`
}

PluginsCatalogRegisterPluginWithTypeRequest struct for PluginsCatalogRegisterPluginWithTypeRequest

type PluginsReloadBackendsRequest ¶ added in v0.3.0 

type PluginsReloadBackendsRequest struct {
	// The mount paths of the plugin backends to reload.
	Mounts []string `json:"mounts,omitempty"`

	// The name of the plugin to reload, as registered in the plugin catalog.
	Plugin string `json:"plugin,omitempty"`

	Scope string `json:"scope,omitempty"`
}

PluginsReloadBackendsRequest struct for PluginsReloadBackendsRequest

type PluginsReloadBackendsResponse ¶ added in v0.3.0 

type PluginsReloadBackendsResponse struct {
	ReloadId string `json:"reload_id,omitempty"`
}

PluginsReloadBackendsResponse struct for PluginsReloadBackendsResponse

type PluginsRuntimesCatalogListPluginsRuntimesResponse ¶ added in v0.4.0 

type PluginsRuntimesCatalogListPluginsRuntimesResponse struct {
	// List of all plugin runtimes in the catalog
	Runtimes []map[string]interface{} `json:"runtimes,omitempty"`
}

PluginsRuntimesCatalogListPluginsRuntimesResponse struct for PluginsRuntimesCatalogListPluginsRuntimesResponse

type PluginsRuntimesCatalogReadPluginRuntimeConfigurationResponse ¶ added in v0.4.0 

type PluginsRuntimesCatalogReadPluginRuntimeConfigurationResponse struct {
	// Optional parent cgroup for the container
	CgroupParent string `json:"cgroup_parent,omitempty"`

	// The limit of runtime CPU in nanos
	CpuNanos int64 `json:"cpu_nanos,omitempty"`

	// The limit of runtime memory in bytes
	MemoryBytes int64 `json:"memory_bytes,omitempty"`

	// The name of the plugin runtime
	Name string `json:"name,omitempty"`

	// The OCI-compatible runtime (default \"runsc\")
	OciRuntime string `json:"oci_runtime,omitempty"`

	// The type of the plugin runtime
	Type string `json:"type,omitempty"`
}

PluginsRuntimesCatalogReadPluginRuntimeConfigurationResponse struct for PluginsRuntimesCatalogReadPluginRuntimeConfigurationResponse

type PluginsRuntimesCatalogRegisterPluginRuntimeRequest ¶ added in v0.4.0 

type PluginsRuntimesCatalogRegisterPluginRuntimeRequest struct {
	// Optional parent cgroup for the container
	CgroupParent string `json:"cgroup_parent,omitempty"`

	// The limit of runtime CPU in nanos
	CpuNanos int64 `json:"cpu_nanos,omitempty"`

	// The limit of runtime memory in bytes
	MemoryBytes int64 `json:"memory_bytes,omitempty"`

	// The OCI-compatible runtime (default \"runsc\")
	OciRuntime string `json:"oci_runtime,omitempty"`
}

PluginsRuntimesCatalogRegisterPluginRuntimeRequest struct for PluginsRuntimesCatalogRegisterPluginRuntimeRequest

type PoliciesGeneratePasswordFromPasswordPolicyResponse ¶ added in v0.3.0 

type PoliciesGeneratePasswordFromPasswordPolicyResponse struct {
	Password string `json:"password,omitempty"`
}

PoliciesGeneratePasswordFromPasswordPolicyResponse struct for PoliciesGeneratePasswordFromPasswordPolicyResponse

type PoliciesListAclPoliciesResponse ¶ added in v0.3.0 

type PoliciesListAclPoliciesResponse struct {
	Keys []string `json:"keys,omitempty"`

	Policies []string `json:"policies,omitempty"`
}

PoliciesListAclPoliciesResponse struct for PoliciesListAclPoliciesResponse

type PoliciesReadAclPolicyResponse ¶ added in v0.3.0 

type PoliciesReadAclPolicyResponse struct {
	Name string `json:"name,omitempty"`

	Policy string `json:"policy,omitempty"`

	Rules string `json:"rules,omitempty"`
}

PoliciesReadAclPolicyResponse struct for PoliciesReadAclPolicyResponse

type PoliciesReadPasswordPolicyResponse ¶ added in v0.3.0 

type PoliciesReadPasswordPolicyResponse struct {
	Policy string `json:"policy,omitempty"`
}

PoliciesReadPasswordPolicyResponse struct for PoliciesReadPasswordPolicyResponse

type PoliciesWriteAclPolicyRequest ¶ added in v0.3.0 

type PoliciesWriteAclPolicyRequest struct {
	// The rules of the policy.
	Policy string `json:"policy,omitempty"`
}

PoliciesWriteAclPolicyRequest struct for PoliciesWriteAclPolicyRequest

type PoliciesWritePasswordPolicyRequest ¶ added in v0.3.0 

type PoliciesWritePasswordPolicyRequest struct {
	// The password policy
	Policy string `json:"policy,omitempty"`
}

PoliciesWritePasswordPolicyRequest struct for PoliciesWritePasswordPolicyRequest

type QueryTokenAccessorCapabilitiesRequest ¶ added in v0.3.0 

type QueryTokenAccessorCapabilitiesRequest struct {
	// Accessor of the token for which capabilities are being queried.
	Accessor string `json:"accessor,omitempty"`

	// Use 'paths' instead.
	// Deprecated
	Path []string `json:"path,omitempty"`

	// Paths on which capabilities are being queried.
	Paths []string `json:"paths,omitempty"`
}

QueryTokenAccessorCapabilitiesRequest struct for QueryTokenAccessorCapabilitiesRequest

type QueryTokenCapabilitiesRequest ¶ added in v0.3.0 

type QueryTokenCapabilitiesRequest struct {
	// Use 'paths' instead.
	// Deprecated
	Path []string `json:"path,omitempty"`

	// Paths on which capabilities are being queried.
	Paths []string `json:"paths,omitempty"`

	// Token for which capabilities are being queried.
	Token string `json:"token,omitempty"`
}

QueryTokenCapabilitiesRequest struct for QueryTokenCapabilitiesRequest

type QueryTokenSelfCapabilitiesRequest ¶ added in v0.3.0 

type QueryTokenSelfCapabilitiesRequest struct {
	// Use 'paths' instead.
	// Deprecated
	Path []string `json:"path,omitempty"`

	// Paths on which capabilities are being queried.
	Paths []string `json:"paths,omitempty"`

	// Token for which capabilities are being queried.
	Token string `json:"token,omitempty"`
}

QueryTokenSelfCapabilitiesRequest struct for QueryTokenSelfCapabilitiesRequest

type RabbitMqConfigureConnectionRequest ¶ added in v0.3.0 

type RabbitMqConfigureConnectionRequest struct {
	// RabbitMQ Management URI
	ConnectionUri string `json:"connection_uri,omitempty"`

	// Password of the provided RabbitMQ management user
	Password string `json:"password,omitempty"`

	// Name of the password policy to use to generate passwords for dynamic credentials.
	PasswordPolicy string `json:"password_policy,omitempty"`

	// Username of a RabbitMQ management administrator
	Username string `json:"username,omitempty"`

	// Template describing how dynamic usernames are generated.
	UsernameTemplate string `json:"username_template,omitempty"`

	// If set, connection_uri is verified by actually connecting to the RabbitMQ management API
	VerifyConnection bool `json:"verify_connection,omitempty"`
}

RabbitMqConfigureConnectionRequest struct for RabbitMqConfigureConnectionRequest

type RabbitMqConfigureLeaseRequest ¶ added in v0.3.0 

type RabbitMqConfigureLeaseRequest struct {
	// Duration after which the issued credentials should not be allowed to be renewed
	MaxTtl string `json:"max_ttl,omitempty"`

	// Duration before which the issued credentials needs renewal
	Ttl string `json:"ttl,omitempty"`
}

RabbitMqConfigureLeaseRequest struct for RabbitMqConfigureLeaseRequest

type RabbitMqWriteRoleRequest ¶ added in v0.3.0 

type RabbitMqWriteRoleRequest struct {
	// Comma-separated list of tags for this role.
	Tags string `json:"tags,omitempty"`

	// A nested map of virtual hosts and exchanges to topic permissions.
	VhostTopics string `json:"vhost_topics,omitempty"`

	// A map of virtual hosts to permissions.
	Vhosts string `json:"vhosts,omitempty"`
}

RabbitMqWriteRoleRequest struct for RabbitMqWriteRoleRequest

type RadiusConfigureRequest ¶ added in v0.3.0 

type RadiusConfigureRequest struct {
	// Number of seconds before connect times out (default: 10)
	DialTimeout string `json:"dial_timeout,omitempty"`

	// RADIUS server host
	Host string `json:"host,omitempty"`

	// RADIUS NAS Identifier field (optional)
	NasIdentifier string `json:"nas_identifier,omitempty"`

	// RADIUS NAS port field (default: 10)
	NasPort int32 `json:"nas_port,omitempty"`

	// RADIUS server port (default: 1812)
	Port int32 `json:"port,omitempty"`

	// Number of seconds before response times out (default: 10)
	ReadTimeout string `json:"read_timeout,omitempty"`

	// Secret shared with the RADIUS server
	Secret string `json:"secret,omitempty"`

	// Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.
	TokenBoundCidrs []string `json:"token_bound_cidrs,omitempty"`

	// If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.
	TokenExplicitMaxTtl string `json:"token_explicit_max_ttl,omitempty"`

	// The maximum lifetime of the generated token
	TokenMaxTtl string `json:"token_max_ttl,omitempty"`

	// If true, the 'default' policy will not automatically be added to generated tokens
	TokenNoDefaultPolicy bool `json:"token_no_default_policy,omitempty"`

	// The maximum number of times a token may be used, a value of zero means unlimited
	TokenNumUses int32 `json:"token_num_uses,omitempty"`

	// If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").
	TokenPeriod string `json:"token_period,omitempty"`

	// Comma-separated list of policies. This will apply to all tokens generated by this auth method, in addition to any configured for specific users.
	TokenPolicies []string `json:"token_policies,omitempty"`

	// The initial ttl of the token to generate
	TokenTtl string `json:"token_ttl,omitempty"`

	// The type of token to generate, service or batch
	TokenType string `json:"token_type,omitempty"`

	// Comma-separated list of policies to grant upon successful RADIUS authentication of an unregistered user (default: empty)
	UnregisteredUserPolicies string `json:"unregistered_user_policies,omitempty"`
}

RadiusConfigureRequest struct for RadiusConfigureRequest

type RadiusLoginRequest ¶ 

type RadiusLoginRequest struct {
	// Password for this user.
	Password string `json:"password,omitempty"`

	// Username to be used for login. (POST request body)
	Username string `json:"username,omitempty"`
}

RadiusLoginRequest struct for RadiusLoginRequest

type RadiusLoginWithUsernameRequest ¶ 

type RadiusLoginWithUsernameRequest struct {
	// Password for this user.
	Password string `json:"password,omitempty"`

	// Username to be used for login. (POST request body)
	Username string `json:"username,omitempty"`
}

RadiusLoginWithUsernameRequest struct for RadiusLoginWithUsernameRequest

type RadiusWriteUserRequest ¶ 

type RadiusWriteUserRequest struct {
	// Comma-separated list of policies associated to the user.
	Policies []string `json:"policies,omitempty"`
}

RadiusWriteUserRequest struct for RadiusWriteUserRequest

type RateLimitQuotasConfigureRequest ¶ added in v0.3.0 

type RateLimitQuotasConfigureRequest struct {
	// If set, starts audit logging of requests that get rejected due to rate limit quota rule violations.
	EnableRateLimitAuditLogging bool `json:"enable_rate_limit_audit_logging,omitempty"`

	// If set, additional rate limit quota HTTP headers will be added to responses.
	EnableRateLimitResponseHeaders bool `json:"enable_rate_limit_response_headers,omitempty"`

	// Specifies the list of exempt paths from all rate limit quotas. If empty no paths will be exempt.
	RateLimitExemptPaths []string `json:"rate_limit_exempt_paths,omitempty"`
}

RateLimitQuotasConfigureRequest struct for RateLimitQuotasConfigureRequest

type RateLimitQuotasReadConfigurationResponse ¶ added in v0.3.0 

type RateLimitQuotasReadConfigurationResponse struct {
	EnableRateLimitAuditLogging bool `json:"enable_rate_limit_audit_logging,omitempty"`

	EnableRateLimitResponseHeaders bool `json:"enable_rate_limit_response_headers,omitempty"`

	RateLimitExemptPaths []string `json:"rate_limit_exempt_paths,omitempty"`
}

RateLimitQuotasReadConfigurationResponse struct for RateLimitQuotasReadConfigurationResponse

type RateLimitQuotasReadResponse ¶ added in v0.3.0 

type RateLimitQuotasReadResponse struct {
	BlockInterval int32 `json:"block_interval,omitempty"`

	Inheritable bool `json:"inheritable,omitempty"`

	Interval int32 `json:"interval,omitempty"`

	Name string `json:"name,omitempty"`

	Path string `json:"path,omitempty"`

	Rate float32 `json:"rate,omitempty"`

	Role string `json:"role,omitempty"`

	Type string `json:"type,omitempty"`
}

RateLimitQuotasReadResponse struct for RateLimitQuotasReadResponse

type RateLimitQuotasWriteRequest ¶ added in v0.3.0 

type RateLimitQuotasWriteRequest struct {
	// If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 'block_interval' has elapsed.
	BlockInterval string `json:"block_interval,omitempty"`

	// Whether all child namespaces can inherit this namespace quota.
	Inheritable bool `json:"inheritable,omitempty"`

	// The duration to enforce rate limiting for (default '1s').
	Interval string `json:"interval,omitempty"`

	// Path of the mount or namespace to apply the quota. A blank path configures a global quota. For example namespace1/ adds a quota to a full namespace, namespace1/auth/userpass adds a quota to userpass in namespace1.
	Path string `json:"path,omitempty"`

	// The maximum number of requests in a given interval to be allowed by the quota rule. The 'rate' must be positive.
	Rate float32 `json:"rate,omitempty"`

	// Login role to apply this quota to. Note that when set, path must be configured to a valid auth method with a concept of roles.
	Role string `json:"role,omitempty"`

	// Type of the quota rule.
	Type string `json:"type,omitempty"`
}

RateLimitQuotasWriteRequest struct for RateLimitQuotasWriteRequest

type RawReadResponse ¶ added in v0.4.0 

type RawReadResponse struct {
	Value string `json:"value,omitempty"`
}

RawReadResponse struct for RawReadResponse

type RawWriteRequest ¶ added in v0.4.0 

type RawWriteRequest struct {
	Compressed bool `json:"compressed,omitempty"`

	CompressionType string `json:"compression_type,omitempty"`

	Encoding string `json:"encoding,omitempty"`

	Value string `json:"value,omitempty"`
}

RawWriteRequest struct for RawWriteRequest

type ReadWrappingPropertiesRequest ¶ added in v0.3.0 

type ReadWrappingPropertiesRequest struct {
	Token string `json:"token,omitempty"`
}

ReadWrappingPropertiesRequest struct for ReadWrappingPropertiesRequest

type ReadWrappingPropertiesResponse ¶ added in v0.3.0 

type ReadWrappingPropertiesResponse struct {
	CreationPath string `json:"creation_path,omitempty"`

	CreationTime time.Time `json:"creation_time,omitempty"`

	CreationTtl string `json:"creation_ttl,omitempty"`
}

ReadWrappingPropertiesResponse struct for ReadWrappingPropertiesResponse

type RekeyAttemptInitializeRequest ¶ added in v0.3.0 

type RekeyAttemptInitializeRequest struct {
	// Specifies if using PGP-encrypted keys, whether Vault should also store a plaintext backup of the PGP-encrypted keys.
	Backup bool `json:"backup,omitempty"`

	// Specifies an array of PGP public keys used to encrypt the output unseal keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as secret_shares.
	PgpKeys []string `json:"pgp_keys,omitempty"`

	// Turns on verification functionality
	RequireVerification bool `json:"require_verification,omitempty"`

	// Specifies the number of shares to split the unseal key into.
	SecretShares int32 `json:"secret_shares,omitempty"`

	// Specifies the number of shares required to reconstruct the unseal key. This must be less than or equal secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as secret_shares.
	SecretThreshold int32 `json:"secret_threshold,omitempty"`
}

RekeyAttemptInitializeRequest struct for RekeyAttemptInitializeRequest

type RekeyAttemptInitializeResponse ¶ added in v0.3.0 

type RekeyAttemptInitializeResponse struct {
	Backup bool `json:"backup,omitempty"`

	N int32 `json:"n,omitempty"`

	Nounce string `json:"nounce,omitempty"`

	PgpFingerprints []string `json:"pgp_fingerprints,omitempty"`

	Progress int32 `json:"progress,omitempty"`

	Required int32 `json:"required,omitempty"`

	Started string `json:"started,omitempty"`

	T int32 `json:"t,omitempty"`

	VerificationNonce string `json:"verification_nonce,omitempty"`

	VerificationRequired bool `json:"verification_required,omitempty"`
}

RekeyAttemptInitializeResponse struct for RekeyAttemptInitializeResponse

type RekeyAttemptReadProgressResponse ¶ added in v0.3.0 

type RekeyAttemptReadProgressResponse struct {
	Backup bool `json:"backup,omitempty"`

	N int32 `json:"n,omitempty"`

	Nounce string `json:"nounce,omitempty"`

	PgpFingerprints []string `json:"pgp_fingerprints,omitempty"`

	Progress int32 `json:"progress,omitempty"`

	Required int32 `json:"required,omitempty"`

	Started string `json:"started,omitempty"`

	T int32 `json:"t,omitempty"`

	VerificationNonce string `json:"verification_nonce,omitempty"`

	VerificationRequired bool `json:"verification_required,omitempty"`
}

RekeyAttemptReadProgressResponse struct for RekeyAttemptReadProgressResponse

type RekeyAttemptUpdateRequest ¶ added in v0.3.0 

type RekeyAttemptUpdateRequest struct {
	// Specifies a single unseal key share.
	Key string `json:"key,omitempty"`

	// Specifies the nonce of the rekey attempt.
	Nonce string `json:"nonce,omitempty"`
}

RekeyAttemptUpdateRequest struct for RekeyAttemptUpdateRequest

type RekeyAttemptUpdateResponse ¶ added in v0.3.0 

type RekeyAttemptUpdateResponse struct {
	Backup bool `json:"backup,omitempty"`

	Complete bool `json:"complete,omitempty"`

	Keys []string `json:"keys,omitempty"`

	KeysBase64 []string `json:"keys_base64,omitempty"`

	N int32 `json:"n,omitempty"`

	Nounce string `json:"nounce,omitempty"`

	PgpFingerprints []string `json:"pgp_fingerprints,omitempty"`

	Progress int32 `json:"progress,omitempty"`

	Required int32 `json:"required,omitempty"`

	Started string `json:"started,omitempty"`

	T int32 `json:"t,omitempty"`

	VerificationNonce string `json:"verification_nonce,omitempty"`

	VerificationRequired bool `json:"verification_required,omitempty"`
}

RekeyAttemptUpdateResponse struct for RekeyAttemptUpdateResponse

type RekeyReadBackupKeyResponse ¶ added in v0.3.0 

type RekeyReadBackupKeyResponse struct {
	Keys map[string]interface{} `json:"keys,omitempty"`

	KeysBase64 map[string]interface{} `json:"keys_base64,omitempty"`

	Nonce string `json:"nonce,omitempty"`
}

RekeyReadBackupKeyResponse struct for RekeyReadBackupKeyResponse

type RekeyReadBackupRecoveryKeyResponse ¶ added in v0.3.0 

type RekeyReadBackupRecoveryKeyResponse struct {
	Keys map[string]interface{} `json:"keys,omitempty"`

	KeysBase64 map[string]interface{} `json:"keys_base64,omitempty"`

	Nonce string `json:"nonce,omitempty"`
}

RekeyReadBackupRecoveryKeyResponse struct for RekeyReadBackupRecoveryKeyResponse

type RekeyVerificationCancelResponse ¶ added in v0.3.0 

type RekeyVerificationCancelResponse struct {
	N int32 `json:"n,omitempty"`

	Nounce string `json:"nounce,omitempty"`

	Progress int32 `json:"progress,omitempty"`

	Started string `json:"started,omitempty"`

	T int32 `json:"t,omitempty"`
}

RekeyVerificationCancelResponse struct for RekeyVerificationCancelResponse

type RekeyVerificationReadProgressResponse ¶ added in v0.3.0 

type RekeyVerificationReadProgressResponse struct {
	N int32 `json:"n,omitempty"`

	Nounce string `json:"nounce,omitempty"`

	Progress int32 `json:"progress,omitempty"`

	Started string `json:"started,omitempty"`

	T int32 `json:"t,omitempty"`
}

RekeyVerificationReadProgressResponse struct for RekeyVerificationReadProgressResponse

type RekeyVerificationUpdateRequest ¶ added in v0.3.0 

type RekeyVerificationUpdateRequest struct {
	// Specifies a single unseal share key from the new set of shares.
	Key string `json:"key,omitempty"`

	// Specifies the nonce of the rekey verification operation.
	Nonce string `json:"nonce,omitempty"`
}

RekeyVerificationUpdateRequest struct for RekeyVerificationUpdateRequest

type RekeyVerificationUpdateResponse ¶ added in v0.3.0 

type RekeyVerificationUpdateResponse struct {
	Complete bool `json:"complete,omitempty"`

	Nounce string `json:"nounce,omitempty"`
}

RekeyVerificationUpdateResponse struct for RekeyVerificationUpdateResponse

type RemountRequest ¶ 

type RemountRequest struct {
	// The previous mount point.
	From string `json:"from,omitempty"`

	// The new mount point.
	To string `json:"to,omitempty"`
}

RemountRequest struct for RemountRequest

type RemountResponse ¶ added in v0.3.0 

type RemountResponse struct {
	MigrationId string `json:"migration_id,omitempty"`
}

RemountResponse struct for RemountResponse

type RemountStatusResponse ¶ added in v0.3.0 

type RemountStatusResponse struct {
	MigrationId string `json:"migration_id,omitempty"`

	MigrationInfo map[string]interface{} `json:"migration_info,omitempty"`
}

RemountStatusResponse struct for RemountStatusResponse

type RewrapRequest ¶ added in v0.3.0 

type RewrapRequest struct {
	Token string `json:"token,omitempty"`
}

RewrapRequest struct for RewrapRequest

type RootTokenGenerationInitializeRequest ¶ added in v0.3.0 

type RootTokenGenerationInitializeRequest struct {
	// Specifies a base64-encoded PGP public key.
	PgpKey string `json:"pgp_key,omitempty"`
}

RootTokenGenerationInitializeRequest struct for RootTokenGenerationInitializeRequest

type RootTokenGenerationInitializeResponse ¶ added in v0.3.0 

type RootTokenGenerationInitializeResponse struct {
	Complete bool `json:"complete,omitempty"`

	EncodedRootToken string `json:"encoded_root_token,omitempty"`

	EncodedToken string `json:"encoded_token,omitempty"`

	Nonce string `json:"nonce,omitempty"`

	Otp string `json:"otp,omitempty"`

	OtpLength int32 `json:"otp_length,omitempty"`

	PgpFingerprint string `json:"pgp_fingerprint,omitempty"`

	Progress int32 `json:"progress,omitempty"`

	Required int32 `json:"required,omitempty"`

	Started bool `json:"started,omitempty"`
}

RootTokenGenerationInitializeResponse struct for RootTokenGenerationInitializeResponse

type RootTokenGenerationReadProgressResponse ¶ added in v0.3.0 

type RootTokenGenerationReadProgressResponse struct {
	Complete bool `json:"complete,omitempty"`

	EncodedRootToken string `json:"encoded_root_token,omitempty"`

	EncodedToken string `json:"encoded_token,omitempty"`

	Nonce string `json:"nonce,omitempty"`

	Otp string `json:"otp,omitempty"`

	OtpLength int32 `json:"otp_length,omitempty"`

	PgpFingerprint string `json:"pgp_fingerprint,omitempty"`

	Progress int32 `json:"progress,omitempty"`

	Required int32 `json:"required,omitempty"`

	Started bool `json:"started,omitempty"`
}

RootTokenGenerationReadProgressResponse struct for RootTokenGenerationReadProgressResponse

type RootTokenGenerationUpdateRequest ¶ added in v0.3.0 

type RootTokenGenerationUpdateRequest struct {
	// Specifies a single unseal key share.
	Key string `json:"key,omitempty"`

	// Specifies the nonce of the attempt.
	Nonce string `json:"nonce,omitempty"`
}

RootTokenGenerationUpdateRequest struct for RootTokenGenerationUpdateRequest

type RootTokenGenerationUpdateResponse ¶ added in v0.3.0 

type RootTokenGenerationUpdateResponse struct {
	Complete bool `json:"complete,omitempty"`

	EncodedRootToken string `json:"encoded_root_token,omitempty"`

	EncodedToken string `json:"encoded_token,omitempty"`

	Nonce string `json:"nonce,omitempty"`

	Otp string `json:"otp,omitempty"`

	OtpLength int32 `json:"otp_length,omitempty"`

	PgpFingerprint string `json:"pgp_fingerprint,omitempty"`

	Progress int32 `json:"progress,omitempty"`

	Required int32 `json:"required,omitempty"`

	Started bool `json:"started,omitempty"`
}

RootTokenGenerationUpdateResponse struct for RootTokenGenerationUpdateResponse

type SealStatusResponse ¶ added in v0.3.0 

type SealStatusResponse struct {
	BuildDate string `json:"build_date,omitempty"`

	ClusterId string `json:"cluster_id,omitempty"`

	ClusterName string `json:"cluster_name,omitempty"`

	HcpLinkResourceID string `json:"hcp_link_resource_ID,omitempty"`

	HcpLinkStatus string `json:"hcp_link_status,omitempty"`

	Initialized bool `json:"initialized,omitempty"`

	Migration bool `json:"migration,omitempty"`

	N int32 `json:"n,omitempty"`

	Nonce string `json:"nonce,omitempty"`

	Progress int32 `json:"progress,omitempty"`

	RecoverySeal bool `json:"recovery_seal,omitempty"`

	Sealed bool `json:"sealed,omitempty"`

	StorageType string `json:"storage_type,omitempty"`

	T int32 `json:"t,omitempty"`

	Type string `json:"type,omitempty"`

	Version string `json:"version,omitempty"`
}

SealStatusResponse struct for SealStatusResponse

type SshConfigureCaRequest ¶ added in v0.3.0 

type SshConfigureCaRequest struct {
	// Generate SSH key pair internally rather than use the private_key and public_key fields.
	GenerateSigningKey bool `json:"generate_signing_key,omitempty"`

	// Specifies the desired key bits when generating variable-length keys (such as when key_type=\"ssh-rsa\") or which NIST P-curve to use when key_type=\"ec\" (256, 384, or 521).
	KeyBits int32 `json:"key_bits,omitempty"`

	// Specifies the desired key type when generating; could be a OpenSSH key type identifier (ssh-rsa, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, or ssh-ed25519) or an algorithm (rsa, ec, ed25519).
	KeyType string `json:"key_type,omitempty"`

	// Private half of the SSH key that will be used to sign certificates.
	PrivateKey string `json:"private_key,omitempty"`

	// Public half of the SSH key that will be used to sign certificates.
	PublicKey string `json:"public_key,omitempty"`
}

SshConfigureCaRequest struct for SshConfigureCaRequest

type SshConfigureZeroAddressRequest ¶ added in v0.3.0 

type SshConfigureZeroAddressRequest struct {
	// [Required] Comma separated list of role names which allows credentials to be requested for any IP address. CIDR blocks previously registered under these roles will be ignored.
	Roles []string `json:"roles,omitempty"`
}

SshConfigureZeroAddressRequest struct for SshConfigureZeroAddressRequest

type SshGenerateCredentialsRequest ¶ added in v0.3.0 

type SshGenerateCredentialsRequest struct {
	// [Required] IP of the remote host
	Ip string `json:"ip,omitempty"`

	// [Optional] Username in remote host
	Username string `json:"username,omitempty"`
}

SshGenerateCredentialsRequest struct for SshGenerateCredentialsRequest

type SshIssueCertificateRequest ¶ added in v0.3.0 

type SshIssueCertificateRequest struct {
	// Type of certificate to be created; either \"user\" or \"host\".
	CertType string `json:"cert_type,omitempty"`

	// Critical options that the certificate should be signed for.
	CriticalOptions map[string]interface{} `json:"critical_options,omitempty"`

	// Extensions that the certificate should be signed for.
	Extensions map[string]interface{} `json:"extensions,omitempty"`

	// Specifies the number of bits to use for the generated keys.
	KeyBits int32 `json:"key_bits,omitempty"`

	// Key id that the created certificate should have. If not specified, the display name of the token will be used.
	KeyId string `json:"key_id,omitempty"`

	// Specifies the desired key type; must be `rsa`, `ed25519` or `ec`
	KeyType string `json:"key_type,omitempty"`

	// The requested Time To Live for the SSH certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be later than the role max TTL.
	Ttl string `json:"ttl,omitempty"`

	// Valid principals, either usernames or hostnames, that the certificate should be signed for.
	ValidPrincipals string `json:"valid_principals,omitempty"`
}

SshIssueCertificateRequest struct for SshIssueCertificateRequest

type SshListRolesByIpRequest ¶ added in v0.3.0 

type SshListRolesByIpRequest struct {
	// [Required] IP address of remote host
	Ip string `json:"ip,omitempty"`
}

SshListRolesByIpRequest struct for SshListRolesByIpRequest

type SshSignCertificateRequest ¶ added in v0.3.0 

type SshSignCertificateRequest struct {
	// Type of certificate to be created; either \"user\" or \"host\".
	CertType string `json:"cert_type,omitempty"`

	// Critical options that the certificate should be signed for.
	CriticalOptions map[string]interface{} `json:"critical_options,omitempty"`

	// Extensions that the certificate should be signed for.
	Extensions map[string]interface{} `json:"extensions,omitempty"`

	// Key id that the created certificate should have. If not specified, the display name of the token will be used.
	KeyId string `json:"key_id,omitempty"`

	// SSH public key that should be signed.
	PublicKey string `json:"public_key,omitempty"`

	// The requested Time To Live for the SSH certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be later than the role max TTL.
	Ttl string `json:"ttl,omitempty"`

	// Valid principals, either usernames or hostnames, that the certificate should be signed for.
	ValidPrincipals string `json:"valid_principals,omitempty"`
}

SshSignCertificateRequest struct for SshSignCertificateRequest

type SshVerifyOtpRequest ¶ added in v0.3.0 

type SshVerifyOtpRequest struct {
	// [Required] One-Time-Key that needs to be validated
	Otp string `json:"otp,omitempty"`
}

SshVerifyOtpRequest struct for SshVerifyOtpRequest

type SshWriteRoleRequest ¶ added in v0.3.0 

type SshWriteRoleRequest struct {
	// [Not applicable for OTP type] [Optional for CA type] When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512, default, or the empty string.
	AlgorithmSigner string `json:"algorithm_signer,omitempty"`

	// [Not applicable for OTP type] [Optional for CA type] If set, host certificates that are requested are allowed to use the base domains listed in \"allowed_domains\", e.g. \"example.com\". This is a separate option as in some cases this can be considered a security threat.
	AllowBareDomains bool `json:"allow_bare_domains,omitempty"`

	// [Not applicable for OTP type] [Optional for CA type] If set, certificates are allowed to be signed for use as a 'host'.
	AllowHostCertificates bool `json:"allow_host_certificates,omitempty"`

	// [Not applicable for OTP type] [Optional for CA type] If set, host certificates that are requested are allowed to use subdomains of those listed in \"allowed_domains\".
	AllowSubdomains bool `json:"allow_subdomains,omitempty"`

	// [Not applicable for OTP type] [Optional for CA type] If set, certificates are allowed to be signed for use as a 'user'.
	AllowUserCertificates bool `json:"allow_user_certificates,omitempty"`

	// [Not applicable for OTP type] [Optional for CA type] If true, users can override the key ID for a signed certificate with the \"key_id\" field. When false, the key ID will always be the token display name. The key ID is logged by the SSH server and can be useful for auditing.
	AllowUserKeyIds bool `json:"allow_user_key_ids,omitempty"`

	// [Not applicable for OTP type] [Optional for CA type] A comma-separated list of critical options that certificates can have when signed. To allow any critical options, set this to an empty string.
	AllowedCriticalOptions string `json:"allowed_critical_options,omitempty"`

	// [Not applicable for OTP type] [Optional for CA type] If this option is not specified, client can request for a signed certificate for any valid host. If only certain domains are allowed, then this list enforces it.
	AllowedDomains string `json:"allowed_domains,omitempty"`

	// [Not applicable for OTP type] [Optional for CA type] If set, Allowed domains can be specified using identity template policies. Non-templated domains are also permitted.
	AllowedDomainsTemplate bool `json:"allowed_domains_template,omitempty"`

	// [Not applicable for OTP type] [Optional for CA type] A comma-separated list of extensions that certificates can have when signed. An empty list means that no extension overrides are allowed by an end-user; explicitly specify '*' to allow any extensions to be set.
	AllowedExtensions string `json:"allowed_extensions,omitempty"`

	// [Not applicable for OTP type] [Optional for CA type] If set, allows the enforcement of key types and minimum key sizes to be signed.
	AllowedUserKeyLengths map[string]interface{} `json:"allowed_user_key_lengths,omitempty"`

	// [Optional for all types] [Works differently for CA type] If this option is not specified, or is '*', client can request a credential for any valid user at the remote host, including the admin user. If only certain usernames are to be allowed, then this list enforces it. If this field is set, then credentials can only be created for default_user and usernames present in this list. Setting this option will enable all the users with access to this role to fetch credentials for all other usernames in this list. Use with caution. N.B.: with the CA type, an empty list means that no users are allowed; explicitly specify '*' to allow any user.
	AllowedUsers string `json:"allowed_users,omitempty"`

	// [Not applicable for OTP type] [Optional for CA type] If set, Allowed users can be specified using identity template policies. Non-templated users are also permitted.
	AllowedUsersTemplate bool `json:"allowed_users_template,omitempty"`

	// [Optional for OTP type] [Not applicable for CA type] Comma separated list of CIDR blocks for which the role is applicable for. CIDR blocks can belong to more than one role.
	CidrList string `json:"cidr_list,omitempty"`

	// [Not applicable for OTP type] [Optional for CA type] Critical options certificates should have if none are provided when signing. This field takes in key value pairs in JSON format. Note that these are not restricted by \"allowed_critical_options\". Defaults to none.
	DefaultCriticalOptions map[string]interface{} `json:"default_critical_options,omitempty"`

	// [Not applicable for OTP type] [Optional for CA type] Extensions certificates should have if none are provided when signing. This field takes in key value pairs in JSON format. Note that these are not restricted by \"allowed_extensions\". Defaults to none.
	DefaultExtensions map[string]interface{} `json:"default_extensions,omitempty"`

	// [Not applicable for OTP type] [Optional for CA type] If set, Default extension values can be specified using identity template policies. Non-templated extension values are also permitted.
	DefaultExtensionsTemplate bool `json:"default_extensions_template,omitempty"`

	// [Required for OTP type] [Optional for CA type] Default username for which a credential will be generated. When the endpoint 'creds/' is used without a username, this value will be used as default username.
	DefaultUser string `json:"default_user,omitempty"`

	// [Not applicable for OTP type] [Optional for CA type] If set, Default user can be specified using identity template policies. Non-templated users are also permitted.
	DefaultUserTemplate bool `json:"default_user_template,omitempty"`

	// [Optional for OTP type] [Not applicable for CA type] Comma separated list of CIDR blocks. IP addresses belonging to these blocks are not accepted by the role. This is particularly useful when big CIDR blocks are being used by the role and certain parts of it needs to be kept out.
	ExcludeCidrList string `json:"exclude_cidr_list,omitempty"`

	// [Not applicable for OTP type] [Optional for CA type] When supplied, this value specifies a custom format for the key id of a signed certificate. The following variables are available for use: '{{token_display_name}}' - The display name of the token used to make the request. '{{role_name}}' - The name of the role signing the request. '{{public_key_hash}}' - A SHA256 checksum of the public key that is being signed.
	KeyIdFormat string `json:"key_id_format,omitempty"`

	// [Required for all types] Type of key used to login to hosts. It can be either 'otp' or 'ca'. 'otp' type requires agent to be installed in remote hosts.
	KeyType string `json:"key_type,omitempty"`

	// [Not applicable for OTP type] [Optional for CA type] The maximum allowed lease duration
	MaxTtl string `json:"max_ttl,omitempty"`

	// [Not applicable for OTP type] [Optional for CA type] The duration that the SSH certificate should be backdated by at issuance.
	NotBeforeDuration string `json:"not_before_duration,omitempty"`

	// [Optional for OTP type] [Not applicable for CA type] Port number for SSH connection. Default is '22'. Port number does not play any role in creation of OTP. For 'otp' type, this is just a way to inform client about the port number to use. Port number will be returned to client by Vault server along with OTP.
	Port int32 `json:"port,omitempty"`

	// [Not applicable for OTP type] [Optional for CA type] The lease duration if no specific lease duration is requested. The lease duration controls the expiration of certificates issued by this backend. Defaults to the value of max_ttl.
	Ttl string `json:"ttl,omitempty"`
}

SshWriteRoleRequest struct for SshWriteRoleRequest

type StandardListResponse ¶ added in v0.4.0 

type StandardListResponse struct {
	Keys []string `json:"keys,omitempty"`
}

StandardListResponse struct for StandardListResponse

type TerraformCloudConfigureRequest ¶ added in v0.3.0 

type TerraformCloudConfigureRequest struct {
	// The address to access Terraform Cloud or Enterprise. Default is \"https://app.terraform.io\".
	Address string `json:"address,omitempty"`

	// The base path for the Terraform Cloud or Enterprise API. Default is \"/api/v2/\".
	BasePath string `json:"base_path,omitempty"`

	// The token to access Terraform Cloud
	Token string `json:"token"`
}

TerraformCloudConfigureRequest struct for TerraformCloudConfigureRequest

type TerraformCloudWriteRoleRequest ¶ added in v0.3.0 

type TerraformCloudWriteRoleRequest struct {
	// Maximum time for role. If not set or set to 0, will use system default.
	MaxTtl string `json:"max_ttl,omitempty"`

	// Name of the Terraform Cloud or Enterprise organization
	Organization string `json:"organization,omitempty"`

	// ID of the Terraform Cloud or Enterprise team under organization (e.g., settings/teams/team-xxxxxxxxxxxxx)
	TeamId string `json:"team_id,omitempty"`

	// Default lease for generated credentials. If not set or set to 0, will use system default.
	Ttl string `json:"ttl,omitempty"`

	// ID of the Terraform Cloud or Enterprise user (e.g., user-xxxxxxxxxxxxxxxx)
	UserId string `json:"user_id,omitempty"`
}

TerraformCloudWriteRoleRequest struct for TerraformCloudWriteRoleRequest

type TokenCreateAgainstRoleRequest ¶ added in v0.3.0 

type TokenCreateAgainstRoleRequest struct {
	// Name to associate with this token
	DisplayName string `json:"display_name,omitempty"`

	// Name of the entity alias to associate with this token
	EntityAlias string `json:"entity_alias,omitempty"`

	// Explicit Max TTL of this token
	ExplicitMaxTtl string `json:"explicit_max_ttl,omitempty"`

	// Value for the token
	Id string `json:"id,omitempty"`

	// Use 'ttl' instead
	// Deprecated
	Lease string `json:"lease,omitempty"`

	// Arbitrary key=value metadata to associate with the token
	Meta map[string]interface{} `json:"meta,omitempty"`

	// Do not include default policy for this token
	NoDefaultPolicy bool `json:"no_default_policy,omitempty"`

	// Create the token with no parent
	NoParent bool `json:"no_parent,omitempty"`

	// Max number of uses for this token
	NumUses int32 `json:"num_uses,omitempty"`

	// Renew period
	Period string `json:"period,omitempty"`

	// List of policies for the token
	Policies []string `json:"policies,omitempty"`

	// Allow token to be renewed past its initial TTL up to system/mount maximum TTL
	Renewable bool `json:"renewable,omitempty"`

	// Time to live for this token
	Ttl string `json:"ttl,omitempty"`

	// Token type
	Type string `json:"type,omitempty"`
}

TokenCreateAgainstRoleRequest struct for TokenCreateAgainstRoleRequest

type TokenCreateOrphanRequest ¶ added in v0.3.0 

type TokenCreateOrphanRequest struct {
	// Name to associate with this token
	DisplayName string `json:"display_name,omitempty"`

	// Name of the entity alias to associate with this token
	EntityAlias string `json:"entity_alias,omitempty"`

	// Explicit Max TTL of this token
	ExplicitMaxTtl string `json:"explicit_max_ttl,omitempty"`

	// Value for the token
	Id string `json:"id,omitempty"`

	// Use 'ttl' instead
	// Deprecated
	Lease string `json:"lease,omitempty"`

	// Arbitrary key=value metadata to associate with the token
	Meta map[string]interface{} `json:"meta,omitempty"`

	// Do not include default policy for this token
	NoDefaultPolicy bool `json:"no_default_policy,omitempty"`

	// Create the token with no parent
	NoParent bool `json:"no_parent,omitempty"`

	// Max number of uses for this token
	NumUses int32 `json:"num_uses,omitempty"`

	// Renew period
	Period string `json:"period,omitempty"`

	// List of policies for the token
	Policies []string `json:"policies,omitempty"`

	// Allow token to be renewed past its initial TTL up to system/mount maximum TTL
	Renewable bool `json:"renewable,omitempty"`

	// Time to live for this token
	Ttl string `json:"ttl,omitempty"`

	// Token type
	Type string `json:"type,omitempty"`
}

TokenCreateOrphanRequest struct for TokenCreateOrphanRequest

type TokenCreateRequest ¶ added in v0.3.0 

type TokenCreateRequest struct {
	// Name to associate with this token
	DisplayName string `json:"display_name,omitempty"`

	// Name of the entity alias to associate with this token
	EntityAlias string `json:"entity_alias,omitempty"`

	// Explicit Max TTL of this token
	ExplicitMaxTtl string `json:"explicit_max_ttl,omitempty"`

	// Value for the token
	Id string `json:"id,omitempty"`

	// Use 'ttl' instead
	// Deprecated
	Lease string `json:"lease,omitempty"`

	// Arbitrary key=value metadata to associate with the token
	Meta map[string]interface{} `json:"meta,omitempty"`

	// Do not include default policy for this token
	NoDefaultPolicy bool `json:"no_default_policy,omitempty"`

	// Create the token with no parent
	NoParent bool `json:"no_parent,omitempty"`

	// Max number of uses for this token
	NumUses int32 `json:"num_uses,omitempty"`

	// Renew period
	Period string `json:"period,omitempty"`

	// List of policies for the token
	Policies []string `json:"policies,omitempty"`

	// Allow token to be renewed past its initial TTL up to system/mount maximum TTL
	Renewable bool `json:"renewable,omitempty"`

	// Time to live for this token
	Ttl string `json:"ttl,omitempty"`

	// Token type
	Type string `json:"type,omitempty"`
}

TokenCreateRequest struct for TokenCreateRequest

type TokenLookUpAccessorRequest ¶ added in v0.3.0 

type TokenLookUpAccessorRequest struct {
	// Accessor of the token to look up (request body)
	Accessor string `json:"accessor,omitempty"`
}

TokenLookUpAccessorRequest struct for TokenLookUpAccessorRequest

type TokenLookUpRequest ¶ added in v0.3.0 

type TokenLookUpRequest struct {
	// Token to lookup
	Token string `json:"token,omitempty"`
}

TokenLookUpRequest struct for TokenLookUpRequest

type TokenRenewAccessorRequest ¶ 

type TokenRenewAccessorRequest struct {
	// Accessor of the token to renew (request body)
	Accessor string `json:"accessor,omitempty"`

	// The desired increment in seconds to the token expiration
	Increment string `json:"increment,omitempty"`
}

TokenRenewAccessorRequest struct for TokenRenewAccessorRequest

type TokenRenewRequest ¶ 

type TokenRenewRequest struct {
	// The desired increment in seconds to the token expiration
	Increment string `json:"increment,omitempty"`

	// Token to renew (request body)
	Token string `json:"token,omitempty"`
}

TokenRenewRequest struct for TokenRenewRequest

type TokenRenewSelfRequest ¶ 

type TokenRenewSelfRequest struct {
	// The desired increment in seconds to the token expiration
	Increment string `json:"increment,omitempty"`

	// Token to renew (unused, does not need to be set)
	Token string `json:"token,omitempty"`
}

TokenRenewSelfRequest struct for TokenRenewSelfRequest

type TokenRevokeAccessorRequest ¶ 

type TokenRevokeAccessorRequest struct {
	// Accessor of the token (request body)
	Accessor string `json:"accessor,omitempty"`
}

TokenRevokeAccessorRequest struct for TokenRevokeAccessorRequest

type TokenRevokeOrphanRequest ¶ 

type TokenRevokeOrphanRequest struct {
	// Token to revoke (request body)
	Token string `json:"token,omitempty"`
}

TokenRevokeOrphanRequest struct for TokenRevokeOrphanRequest

type TokenRevokeRequest ¶ 

type TokenRevokeRequest struct {
	// Token to revoke (request body)
	Token string `json:"token,omitempty"`
}

TokenRevokeRequest struct for TokenRevokeRequest

type TokenWriteRoleRequest ¶ 

type TokenWriteRoleRequest struct {
	// String or JSON list of allowed entity aliases. If set, specifies the entity aliases which are allowed to be used during token generation. This field supports globbing.
	AllowedEntityAliases []string `json:"allowed_entity_aliases,omitempty"`

	// If set, tokens can be created with any subset of the policies in this list, rather than the normal semantics of tokens being a subset of the calling token's policies. The parameter is a comma-delimited string of policy names.
	AllowedPolicies []string `json:"allowed_policies,omitempty"`

	// If set, tokens can be created with any subset of glob matched policies in this list, rather than the normal semantics of tokens being a subset of the calling token's policies. The parameter is a comma-delimited string of policy name globs.
	AllowedPoliciesGlob []string `json:"allowed_policies_glob,omitempty"`

	// Use 'token_bound_cidrs' instead.
	// Deprecated
	BoundCidrs []string `json:"bound_cidrs,omitempty"`

	// If set, successful token creation via this role will require that no policies in the given list are requested. The parameter is a comma-delimited string of policy names.
	DisallowedPolicies []string `json:"disallowed_policies,omitempty"`

	// If set, successful token creation via this role will require that no requested policies glob match any of policies in this list. The parameter is a comma-delimited string of policy name globs.
	DisallowedPoliciesGlob []string `json:"disallowed_policies_glob,omitempty"`

	// Use 'token_explicit_max_ttl' instead.
	// Deprecated
	ExplicitMaxTtl string `json:"explicit_max_ttl,omitempty"`

	// If true, tokens created via this role will be orphan tokens (have no parent)
	Orphan bool `json:"orphan,omitempty"`

	// If set, tokens created via this role will contain the given suffix as a part of their path. This can be used to assist use of the 'revoke-prefix' endpoint later on. The given suffix must match the regular expression.\\w[\\w-.]+\\w
	PathSuffix string `json:"path_suffix,omitempty"`

	// Use 'token_period' instead.
	// Deprecated
	Period string `json:"period,omitempty"`

	// Tokens created via this role will be renewable or not according to this value. Defaults to \"true\".
	Renewable bool `json:"renewable,omitempty"`

	// Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.
	TokenBoundCidrs []string `json:"token_bound_cidrs,omitempty"`

	// If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.
	TokenExplicitMaxTtl string `json:"token_explicit_max_ttl,omitempty"`

	// If true, the 'default' policy will not automatically be added to generated tokens
	TokenNoDefaultPolicy bool `json:"token_no_default_policy,omitempty"`

	// The maximum number of times a token may be used, a value of zero means unlimited
	TokenNumUses int32 `json:"token_num_uses,omitempty"`

	// If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").
	TokenPeriod string `json:"token_period,omitempty"`

	// The type of token to generate, service or batch
	TokenType string `json:"token_type,omitempty"`
}

TokenWriteRoleRequest struct for TokenWriteRoleRequest

type TotpCreateKeyRequest ¶ added in v0.3.0 

type TotpCreateKeyRequest struct {
	// The name of the account associated with the key. Required if generate is true.
	AccountName string `json:"account_name,omitempty"`

	// The hashing algorithm used to generate the TOTP token. Options include SHA1, SHA256 and SHA512.
	Algorithm string `json:"algorithm,omitempty"`

	// The number of digits in the generated TOTP token. This value can either be 6 or 8.
	Digits int32 `json:"digits,omitempty"`

	// Determines if a QR code and url are returned upon generating a key. Only used if generate is true.
	Exported bool `json:"exported,omitempty"`

	// Determines if a key should be generated by Vault or if a key is being passed from another service.
	Generate bool `json:"generate,omitempty"`

	// The name of the key's issuing organization. Required if generate is true.
	Issuer string `json:"issuer,omitempty"`

	// The shared master key used to generate a TOTP token. Only used if generate is false.
	Key string `json:"key,omitempty"`

	// Determines the size in bytes of the generated key. Only used if generate is true.
	KeySize int32 `json:"key_size,omitempty"`

	// The length of time used to generate a counter for the TOTP token calculation.
	Period string `json:"period,omitempty"`

	// The pixel size of the generated square QR code. Only used if generate is true and exported is true. If this value is 0, a QR code will not be returned.
	QrSize int32 `json:"qr_size,omitempty"`

	// The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. Only used if generate is true.
	Skew int32 `json:"skew,omitempty"`

	// A TOTP url string containing all of the parameters for key setup. Only used if generate is false.
	Url string `json:"url,omitempty"`
}

TotpCreateKeyRequest struct for TotpCreateKeyRequest

type TotpValidateCodeRequest ¶ added in v0.3.0 

type TotpValidateCodeRequest struct {
	// TOTP code to be validated.
	Code string `json:"code,omitempty"`
}

TotpValidateCodeRequest struct for TotpValidateCodeRequest

type TransitConfigureCacheRequest ¶ added in v0.3.0 

type TransitConfigureCacheRequest struct {
	// Size of cache, use 0 for an unlimited cache size, defaults to 0
	Size int32 `json:"size,omitempty"`
}

TransitConfigureCacheRequest struct for TransitConfigureCacheRequest

type TransitConfigureKeyRequest ¶ added in v0.3.0 

type TransitConfigureKeyRequest struct {
	// Enables taking a backup of the named key in plaintext format. Once set, this cannot be disabled.
	AllowPlaintextBackup bool `json:"allow_plaintext_backup,omitempty"`

	// Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
	AutoRotatePeriod string `json:"auto_rotate_period,omitempty"`

	// Whether to allow deletion of the key
	DeletionAllowed bool `json:"deletion_allowed,omitempty"`

	// Enables export of the key. Once set, this cannot be disabled.
	Exportable bool `json:"exportable,omitempty"`

	// If set, the minimum version of the key allowed to be decrypted. For signing keys, the minimum version allowed to be used for verification.
	MinDecryptionVersion int32 `json:"min_decryption_version,omitempty"`

	// If set, the minimum version of the key allowed to be used for encryption; or for signing keys, to be used for signing. If set to zero, only the latest version of the key is allowed.
	MinEncryptionVersion int32 `json:"min_encryption_version,omitempty"`
}

TransitConfigureKeyRequest struct for TransitConfigureKeyRequest

type TransitConfigureKeysRequest ¶ added in v0.3.0 

type TransitConfigureKeysRequest struct {
	// Whether to allow automatic upserting (creation) of keys on the encrypt endpoint.
	DisableUpsert bool `json:"disable_upsert,omitempty"`
}

TransitConfigureKeysRequest struct for TransitConfigureKeysRequest

type TransitCreateKeyRequest ¶ added in v0.3.0 

type TransitCreateKeyRequest struct {
	// Enables taking a backup of the named key in plaintext format. Once set, this cannot be disabled.
	AllowPlaintextBackup bool `json:"allow_plaintext_backup,omitempty"`

	// Amount of time the key should live before being automatically rotated. A value of 0 (default) disables automatic rotation for the key.
	AutoRotatePeriod string `json:"auto_rotate_period,omitempty"`

	// Base64 encoded context for key derivation. When reading a key with key derivation enabled, if the key type supports public keys, this will return the public key for the given context.
	Context string `json:"context,omitempty"`

	// Whether to support convergent encryption. This is only supported when using a key with key derivation enabled and will require all requests to carry both a context and 96-bit (12-byte) nonce. The given nonce will be used in place of a randomly generated nonce. As a result, when the same context and nonce are supplied, the same ciphertext is generated. It is *very important* when using this mode that you ensure that all nonces are unique for a given context. Failing to do so will severely impact the ciphertext's security.
	ConvergentEncryption bool `json:"convergent_encryption,omitempty"`

	// Enables key derivation mode. This allows for per-transaction unique keys for encryption operations.
	Derived bool `json:"derived,omitempty"`

	// Enables keys to be exportable. This allows for all the valid keys in the key ring to be exported.
	Exportable bool `json:"exportable,omitempty"`

	// The key size in bytes for the algorithm. Only applies to HMAC and must be no fewer than 32 bytes and no more than 512
	KeySize int32 `json:"key_size,omitempty"`

	// The UUID of the managed key to use for this transit key
	ManagedKeyId string `json:"managed_key_id,omitempty"`

	// The name of the managed key to use for this transit key
	ManagedKeyName string `json:"managed_key_name,omitempty"`

	// The type of key to create. Currently, \"aes128-gcm96\" (symmetric), \"aes256-gcm96\" (symmetric), \"ecdsa-p256\" (asymmetric), \"ecdsa-p384\" (asymmetric), \"ecdsa-p521\" (asymmetric), \"ed25519\" (asymmetric), \"rsa-2048\" (asymmetric), \"rsa-3072\" (asymmetric), \"rsa-4096\" (asymmetric) are supported. Defaults to \"aes256-gcm96\".
	Type string `json:"type,omitempty"`
}

TransitCreateKeyRequest struct for TransitCreateKeyRequest

type TransitDecryptRequest ¶ 

type TransitDecryptRequest struct {
	// When using an AEAD cipher mode, such as AES-GCM, this parameter allows passing associated data (AD/AAD) into the encryption function; this data must be passed on subsequent decryption requests but can be transited in plaintext. On successful decryption, both the ciphertext and the associated data are attested not to have been tampered with.
	AssociatedData string `json:"associated_data,omitempty"`

	// Specifies a list of items to be decrypted in a single batch. When this parameter is set, if the parameters 'ciphertext', 'context' and 'nonce' are also set, they will be ignored. Any batch output will preserve the order of the batch input.
	BatchInput []map[string]interface{} `json:"batch_input,omitempty"`

	// The ciphertext to decrypt, provided as returned by encrypt.
	Ciphertext string `json:"ciphertext,omitempty"`

	// Base64 encoded context for key derivation. Required if key derivation is enabled.
	Context string `json:"context,omitempty"`

	// Base64 encoded nonce value used during encryption. Must be provided if convergent encryption is enabled for this key and the key was generated with Vault 0.6.1. Not required for keys created in 0.6.2+.
	Nonce string `json:"nonce,omitempty"`

	// Ordinarily, if a batch item fails to decrypt due to a bad input, but other batch items succeed, the HTTP response code is 400 (Bad Request). Some applications may want to treat partial failures differently. Providing the parameter returns the given response code integer instead of a 400 in this case. If all values fail HTTP 400 is still returned.
	PartialFailureResponseCode int32 `json:"partial_failure_response_code,omitempty"`
}

TransitDecryptRequest struct for TransitDecryptRequest

type TransitEncryptRequest ¶ 

type TransitEncryptRequest struct {
	// When using an AEAD cipher mode, such as AES-GCM, this parameter allows passing associated data (AD/AAD) into the encryption function; this data must be passed on subsequent decryption requests but can be transited in plaintext. On successful decryption, both the ciphertext and the associated data are attested not to have been tampered with.
	AssociatedData string `json:"associated_data,omitempty"`

	// Specifies a list of items to be encrypted in a single batch. When this parameter is set, if the parameters 'plaintext', 'context' and 'nonce' are also set, they will be ignored. Any batch output will preserve the order of the batch input.
	BatchInput []map[string]interface{} `json:"batch_input,omitempty"`

	// Base64 encoded context for key derivation. Required if key derivation is enabled
	Context string `json:"context,omitempty"`

	// This parameter will only be used when a key is expected to be created. Whether to support convergent encryption. This is only supported when using a key with key derivation enabled and will require all requests to carry both a context and 96-bit (12-byte) nonce. The given nonce will be used in place of a randomly generated nonce. As a result, when the same context and nonce are supplied, the same ciphertext is generated. It is *very important* when using this mode that you ensure that all nonces are unique for a given context. Failing to do so will severely impact the ciphertext's security.
	ConvergentEncryption bool `json:"convergent_encryption,omitempty"`

	// The version of the key to use for encryption. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.
	KeyVersion int32 `json:"key_version,omitempty"`

	// Base64 encoded nonce value. Must be provided if convergent encryption is enabled for this key and the key was generated with Vault 0.6.1. Not required for keys created in 0.6.2+. The value must be exactly 96 bits (12 bytes) long and the user must ensure that for any given context (and thus, any given encryption key) this nonce value is **never reused**.
	Nonce string `json:"nonce,omitempty"`

	// Ordinarily, if a batch item fails to encrypt due to a bad input, but other batch items succeed, the HTTP response code is 400 (Bad Request). Some applications may want to treat partial failures differently. Providing the parameter returns the given response code integer instead of a 400 in this case. If all values fail HTTP 400 is still returned.
	PartialFailureResponseCode int32 `json:"partial_failure_response_code,omitempty"`

	// Base64 encoded plaintext value to be encrypted
	Plaintext string `json:"plaintext,omitempty"`

	// This parameter is required when encryption key is expected to be created. When performing an upsert operation, the type of key to create. Currently, \"aes128-gcm96\" (symmetric) and \"aes256-gcm96\" (symmetric) are the only types supported. Defaults to \"aes256-gcm96\".
	Type string `json:"type,omitempty"`
}

TransitEncryptRequest struct for TransitEncryptRequest

type TransitGenerateCsrForKeyRequest ¶ added in v0.4.0 

type TransitGenerateCsrForKeyRequest struct {
	// PEM encoded CSR template. The information attributes will be used as a basis for the CSR with the key in transit. If not set, an empty CSR is returned.
	Csr string `json:"csr,omitempty"`

	// Optional version of key, 'latest' if not set
	Version int32 `json:"version,omitempty"`
}

TransitGenerateCsrForKeyRequest struct for TransitGenerateCsrForKeyRequest

type TransitGenerateDataKeyRequest ¶ 

type TransitGenerateDataKeyRequest struct {
	// Number of bits for the key; currently 128, 256, and 512 bits are supported. Defaults to 256.
	Bits int32 `json:"bits,omitempty"`

	// Context for key derivation. Required for derived keys.
	Context string `json:"context,omitempty"`

	// The version of the Vault key to use for encryption of the data key. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.
	KeyVersion int32 `json:"key_version,omitempty"`

	// Nonce for when convergent encryption v1 is used (only in Vault 0.6.1)
	Nonce string `json:"nonce,omitempty"`
}

TransitGenerateDataKeyRequest struct for TransitGenerateDataKeyRequest

type TransitGenerateHmacRequest ¶ added in v0.3.0 

type TransitGenerateHmacRequest struct {
	// Algorithm to use (POST body parameter). Valid values are: * sha2-224 * sha2-256 * sha2-384 * sha2-512 * sha3-224 * sha3-256 * sha3-384 * sha3-512 Defaults to \"sha2-256\".
	Algorithm string `json:"algorithm,omitempty"`

	// Specifies a list of items to be processed in a single batch. When this parameter is set, if the parameter 'input' is also set, it will be ignored. Any batch output will preserve the order of the batch input.
	BatchInput []map[string]interface{} `json:"batch_input,omitempty"`

	// The base64-encoded input data
	Input string `json:"input,omitempty"`

	// The version of the key to use for generating the HMAC. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.
	KeyVersion int32 `json:"key_version,omitempty"`
}

TransitGenerateHmacRequest struct for TransitGenerateHmacRequest

type TransitGenerateHmacWithAlgorithmRequest ¶ added in v0.3.0 

type TransitGenerateHmacWithAlgorithmRequest struct {
	// Algorithm to use (POST body parameter). Valid values are: * sha2-224 * sha2-256 * sha2-384 * sha2-512 * sha3-224 * sha3-256 * sha3-384 * sha3-512 Defaults to \"sha2-256\".
	Algorithm string `json:"algorithm,omitempty"`

	// Specifies a list of items to be processed in a single batch. When this parameter is set, if the parameter 'input' is also set, it will be ignored. Any batch output will preserve the order of the batch input.
	BatchInput []map[string]interface{} `json:"batch_input,omitempty"`

	// The base64-encoded input data
	Input string `json:"input,omitempty"`

	// The version of the key to use for generating the HMAC. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.
	KeyVersion int32 `json:"key_version,omitempty"`
}

TransitGenerateHmacWithAlgorithmRequest struct for TransitGenerateHmacWithAlgorithmRequest

type TransitGenerateRandomRequest ¶ 

type TransitGenerateRandomRequest struct {
	// The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).
	Bytes int32 `json:"bytes,omitempty"`

	// Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"base64\".
	Format string `json:"format,omitempty"`
}

TransitGenerateRandomRequest struct for TransitGenerateRandomRequest

type TransitGenerateRandomWithBytesRequest ¶ added in v0.3.0 

type TransitGenerateRandomWithBytesRequest struct {
	// The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).
	Bytes int32 `json:"bytes,omitempty"`

	// Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"base64\".
	Format string `json:"format,omitempty"`
}

TransitGenerateRandomWithBytesRequest struct for TransitGenerateRandomWithBytesRequest

type TransitGenerateRandomWithSourceAndBytesRequest ¶ added in v0.3.0 

type TransitGenerateRandomWithSourceAndBytesRequest struct {
	// The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).
	Bytes int32 `json:"bytes,omitempty"`

	// Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"base64\".
	Format string `json:"format,omitempty"`
}

TransitGenerateRandomWithSourceAndBytesRequest struct for TransitGenerateRandomWithSourceAndBytesRequest

type TransitGenerateRandomWithSourceRequest ¶ added in v0.3.0 

type TransitGenerateRandomWithSourceRequest struct {
	// The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).
	Bytes int32 `json:"bytes,omitempty"`

	// Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"base64\".
	Format string `json:"format,omitempty"`
}

TransitGenerateRandomWithSourceRequest struct for TransitGenerateRandomWithSourceRequest

type TransitHashRequest ¶ 

type TransitHashRequest struct {
	// Algorithm to use (POST body parameter). Valid values are: * sha2-224 * sha2-256 * sha2-384 * sha2-512 * sha3-224 * sha3-256 * sha3-384 * sha3-512 Defaults to \"sha2-256\".
	Algorithm string `json:"algorithm,omitempty"`

	// Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"hex\".
	Format string `json:"format,omitempty"`

	// The base64-encoded input data
	Input string `json:"input,omitempty"`
}

TransitHashRequest struct for TransitHashRequest

type TransitHashWithAlgorithmRequest ¶ 

type TransitHashWithAlgorithmRequest struct {
	// Algorithm to use (POST body parameter). Valid values are: * sha2-224 * sha2-256 * sha2-384 * sha2-512 * sha3-224 * sha3-256 * sha3-384 * sha3-512 Defaults to \"sha2-256\".
	Algorithm string `json:"algorithm,omitempty"`

	// Encoding format to use. Can be \"hex\" or \"base64\". Defaults to \"hex\".
	Format string `json:"format,omitempty"`

	// The base64-encoded input data
	Input string `json:"input,omitempty"`
}

TransitHashWithAlgorithmRequest struct for TransitHashWithAlgorithmRequest

type TransitImportKeyRequest ¶ 

type TransitImportKeyRequest struct {
	// Enables taking a backup of the named key in plaintext format. Once set, this cannot be disabled.
	AllowPlaintextBackup bool `json:"allow_plaintext_backup,omitempty"`

	// True if the imported key may be rotated within Vault; false otherwise.
	AllowRotation bool `json:"allow_rotation,omitempty"`

	// Amount of time the key should live before being automatically rotated. A value of 0 (default) disables automatic rotation for the key.
	AutoRotatePeriod string `json:"auto_rotate_period,omitempty"`

	// The base64-encoded ciphertext of the keys. The AES key should be encrypted using OAEP with the wrapping key and then concatenated with the import key, wrapped by the AES key.
	Ciphertext string `json:"ciphertext,omitempty"`

	// Base64 encoded context for key derivation. When reading a key with key derivation enabled, if the key type supports public keys, this will return the public key for the given context.
	Context string `json:"context,omitempty"`

	// Enables key derivation mode. This allows for per-transaction unique keys for encryption operations.
	Derived bool `json:"derived,omitempty"`

	// Enables keys to be exportable. This allows for all the valid keys in the key ring to be exported.
	Exportable bool `json:"exportable,omitempty"`

	// The hash function used as a random oracle in the OAEP wrapping of the user-generated, ephemeral AES key. Can be one of \"SHA1\", \"SHA224\", \"SHA256\" (default), \"SHA384\", or \"SHA512\"
	HashFunction string `json:"hash_function,omitempty"`

	// The plaintext PEM public key to be imported. If \"ciphertext\" is set, this field is ignored.
	PublicKey string `json:"public_key,omitempty"`

	// The type of key being imported. Currently, \"aes128-gcm96\" (symmetric), \"aes256-gcm96\" (symmetric), \"ecdsa-p256\" (asymmetric), \"ecdsa-p384\" (asymmetric), \"ecdsa-p521\" (asymmetric), \"ed25519\" (asymmetric), \"rsa-2048\" (asymmetric), \"rsa-3072\" (asymmetric), \"rsa-4096\" (asymmetric) are supported. Defaults to \"aes256-gcm96\".
	Type string `json:"type,omitempty"`
}

TransitImportKeyRequest struct for TransitImportKeyRequest

type TransitImportKeyVersionRequest ¶ 

type TransitImportKeyVersionRequest struct {
	// The base64-encoded ciphertext of the keys. The AES key should be encrypted using OAEP with the wrapping key and then concatenated with the import key, wrapped by the AES key.
	Ciphertext string `json:"ciphertext,omitempty"`

	// The hash function used as a random oracle in the OAEP wrapping of the user-generated, ephemeral AES key. Can be one of \"SHA1\", \"SHA224\", \"SHA256\" (default), \"SHA384\", or \"SHA512\"
	HashFunction string `json:"hash_function,omitempty"`

	// The plaintext public key to be imported. If \"ciphertext\" is set, this field is ignored.
	PublicKey string `json:"public_key,omitempty"`

	// Key version to be updated, if left empty, a new version will be created unless a private key is specified and the 'Latest' key is missing a private key.
	Version int32 `json:"version,omitempty"`
}

TransitImportKeyVersionRequest struct for TransitImportKeyVersionRequest

type TransitRestoreAndRenameKeyRequest ¶ added in v0.3.0 

type TransitRestoreAndRenameKeyRequest struct {
	// Backed up key data to be restored. This should be the output from the 'backup/' endpoint.
	Backup string `json:"backup,omitempty"`

	// If set and a key by the given name exists, force the restore operation and override the key.
	Force bool `json:"force,omitempty"`
}

TransitRestoreAndRenameKeyRequest struct for TransitRestoreAndRenameKeyRequest

type TransitRestoreKeyRequest ¶ 

type TransitRestoreKeyRequest struct {
	// Backed up key data to be restored. This should be the output from the 'backup/' endpoint.
	Backup string `json:"backup,omitempty"`

	// If set and a key by the given name exists, force the restore operation and override the key.
	Force bool `json:"force,omitempty"`
}

TransitRestoreKeyRequest struct for TransitRestoreKeyRequest

type TransitRewrapRequest ¶ 

type TransitRewrapRequest struct {
	// Specifies a list of items to be re-encrypted in a single batch. When this parameter is set, if the parameters 'ciphertext', 'context' and 'nonce' are also set, they will be ignored. Any batch output will preserve the order of the batch input.
	BatchInput []map[string]interface{} `json:"batch_input,omitempty"`

	// Ciphertext value to rewrap
	Ciphertext string `json:"ciphertext,omitempty"`

	// Base64 encoded context for key derivation. Required for derived keys.
	Context string `json:"context,omitempty"`

	// The version of the key to use for encryption. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.
	KeyVersion int32 `json:"key_version,omitempty"`

	// Nonce for when convergent encryption is used
	Nonce string `json:"nonce,omitempty"`
}

TransitRewrapRequest struct for TransitRewrapRequest

type TransitRotateKeyRequest ¶ added in v0.3.0 

type TransitRotateKeyRequest struct {
	// The UUID of the managed key to use for the new version of this transit key
	ManagedKeyId string `json:"managed_key_id,omitempty"`

	// The name of the managed key to use for the new version of this transit key
	ManagedKeyName string `json:"managed_key_name,omitempty"`
}

TransitRotateKeyRequest struct for TransitRotateKeyRequest

type TransitSetCertificateForKeyRequest ¶ added in v0.4.0 

type TransitSetCertificateForKeyRequest struct {
	// PEM encoded certificate chain. It should be composed by one or more concatenated PEM blocks and ordered starting from the end-entity certificate.
	CertificateChain string `json:"certificate_chain"`

	// Optional version of key, 'latest' if not set
	Version int32 `json:"version,omitempty"`
}

TransitSetCertificateForKeyRequest struct for TransitSetCertificateForKeyRequest

type TransitSignRequest ¶ 

type TransitSignRequest struct {
	// Deprecated: use \"hash_algorithm\" instead.
	Algorithm string `json:"algorithm,omitempty"`

	// Specifies a list of items for processing. When this parameter is set, any supplied 'input' or 'context' parameters will be ignored. Responses are returned in the 'batch_results' array component of the 'data' element of the response. Any batch output will preserve the order of the batch input
	BatchInput []map[string]interface{} `json:"batch_input,omitempty"`

	// Base64 encoded context for key derivation. Required if key derivation is enabled; currently only available with ed25519 keys.
	Context string `json:"context,omitempty"`

	// Hash algorithm to use (POST body parameter). Valid values are: * sha1 * sha2-224 * sha2-256 * sha2-384 * sha2-512 * sha3-224 * sha3-256 * sha3-384 * sha3-512 * none Defaults to \"sha2-256\". Not valid for all key types, including ed25519. Using none requires setting prehashed=true and signature_algorithm=pkcs1v15, yielding a PKCSv1_5_NoOID instead of the usual PKCSv1_5_DERnull signature.
	HashAlgorithm string `json:"hash_algorithm,omitempty"`

	// The base64-encoded input data
	Input string `json:"input,omitempty"`

	// The version of the key to use for signing. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.
	KeyVersion int32 `json:"key_version,omitempty"`

	// The method by which to marshal the signature. The default is 'asn1' which is used by openssl and X.509. It can also be set to 'jws' which is used for JWT signatures; setting it to this will also cause the encoding of the signature to be url-safe base64 instead of using standard base64 encoding. Currently only valid for ECDSA P-256 key types\".
	MarshalingAlgorithm string `json:"marshaling_algorithm,omitempty"`

	// Set to 'true' when the input is already hashed. If the key type is 'rsa-2048', 'rsa-3072' or 'rsa-4096', then the algorithm used to hash the input should be indicated by the 'algorithm' parameter.
	Prehashed bool `json:"prehashed,omitempty"`

	// The salt length used to sign. Currently only applies to the RSA PSS signature scheme. Options are 'auto' (the default used by Golang, causing the salt to be as large as possible when signing), 'hash' (causes the salt length to equal the length of the hash used in the signature), or an integer between the minimum and the maximum permissible salt lengths for the given RSA key size. Defaults to 'auto'.
	SaltLength string `json:"salt_length,omitempty"`

	// The signature algorithm to use for signing. Currently only applies to RSA key types. Options are 'pss' or 'pkcs1v15'. Defaults to 'pss'
	SignatureAlgorithm string `json:"signature_algorithm,omitempty"`
}

TransitSignRequest struct for TransitSignRequest

type TransitSignWithAlgorithmRequest ¶ 

type TransitSignWithAlgorithmRequest struct {
	// Deprecated: use \"hash_algorithm\" instead.
	Algorithm string `json:"algorithm,omitempty"`

	// Specifies a list of items for processing. When this parameter is set, any supplied 'input' or 'context' parameters will be ignored. Responses are returned in the 'batch_results' array component of the 'data' element of the response. Any batch output will preserve the order of the batch input
	BatchInput []map[string]interface{} `json:"batch_input,omitempty"`

	// Base64 encoded context for key derivation. Required if key derivation is enabled; currently only available with ed25519 keys.
	Context string `json:"context,omitempty"`

	// Hash algorithm to use (POST body parameter). Valid values are: * sha1 * sha2-224 * sha2-256 * sha2-384 * sha2-512 * sha3-224 * sha3-256 * sha3-384 * sha3-512 * none Defaults to \"sha2-256\". Not valid for all key types, including ed25519. Using none requires setting prehashed=true and signature_algorithm=pkcs1v15, yielding a PKCSv1_5_NoOID instead of the usual PKCSv1_5_DERnull signature.
	HashAlgorithm string `json:"hash_algorithm,omitempty"`

	// The base64-encoded input data
	Input string `json:"input,omitempty"`

	// The version of the key to use for signing. Must be 0 (for latest) or a value greater than or equal to the min_encryption_version configured on the key.
	KeyVersion int32 `json:"key_version,omitempty"`

	// The method by which to marshal the signature. The default is 'asn1' which is used by openssl and X.509. It can also be set to 'jws' which is used for JWT signatures; setting it to this will also cause the encoding of the signature to be url-safe base64 instead of using standard base64 encoding. Currently only valid for ECDSA P-256 key types\".
	MarshalingAlgorithm string `json:"marshaling_algorithm,omitempty"`

	// Set to 'true' when the input is already hashed. If the key type is 'rsa-2048', 'rsa-3072' or 'rsa-4096', then the algorithm used to hash the input should be indicated by the 'algorithm' parameter.
	Prehashed bool `json:"prehashed,omitempty"`

	// The salt length used to sign. Currently only applies to the RSA PSS signature scheme. Options are 'auto' (the default used by Golang, causing the salt to be as large as possible when signing), 'hash' (causes the salt length to equal the length of the hash used in the signature), or an integer between the minimum and the maximum permissible salt lengths for the given RSA key size. Defaults to 'auto'.
	SaltLength string `json:"salt_length,omitempty"`

	// The signature algorithm to use for signing. Currently only applies to RSA key types. Options are 'pss' or 'pkcs1v15'. Defaults to 'pss'
	SignatureAlgorithm string `json:"signature_algorithm,omitempty"`
}

TransitSignWithAlgorithmRequest struct for TransitSignWithAlgorithmRequest

type TransitTrimKeyRequest ¶ 

type TransitTrimKeyRequest struct {
	// The minimum available version for the key ring. All versions before this version will be permanently deleted. This value can at most be equal to the lesser of 'min_decryption_version' and 'min_encryption_version'. This is not allowed to be set when either 'min_encryption_version' or 'min_decryption_version' is set to zero.
	MinAvailableVersion int32 `json:"min_available_version,omitempty"`
}

TransitTrimKeyRequest struct for TransitTrimKeyRequest

type TransitVerifyRequest ¶ 

type TransitVerifyRequest struct {
	// Deprecated: use \"hash_algorithm\" instead.
	Algorithm string `json:"algorithm,omitempty"`

	// Specifies a list of items for processing. When this parameter is set, any supplied 'input', 'hmac' or 'signature' parameters will be ignored. Responses are returned in the 'batch_results' array component of the 'data' element of the response. Any batch output will preserve the order of the batch input
	BatchInput []map[string]interface{} `json:"batch_input,omitempty"`

	// Base64 encoded context for key derivation. Required if key derivation is enabled; currently only available with ed25519 keys.
	Context string `json:"context,omitempty"`

	// Hash algorithm to use (POST body parameter). Valid values are: * sha1 * sha2-224 * sha2-256 * sha2-384 * sha2-512 * sha3-224 * sha3-256 * sha3-384 * sha3-512 * none Defaults to \"sha2-256\". Not valid for all key types. See note about none on signing path.
	HashAlgorithm string `json:"hash_algorithm,omitempty"`

	// The HMAC, including vault header/key version
	Hmac string `json:"hmac,omitempty"`

	// The base64-encoded input data to verify
	Input string `json:"input,omitempty"`

	// The method by which to unmarshal the signature when verifying. The default is 'asn1' which is used by openssl and X.509; can also be set to 'jws' which is used for JWT signatures in which case the signature is also expected to be url-safe base64 encoding instead of standard base64 encoding. Currently only valid for ECDSA P-256 key types\".
	MarshalingAlgorithm string `json:"marshaling_algorithm,omitempty"`

	// Set to 'true' when the input is already hashed. If the key type is 'rsa-2048', 'rsa-3072' or 'rsa-4096', then the algorithm used to hash the input should be indicated by the 'algorithm' parameter.
	Prehashed bool `json:"prehashed,omitempty"`

	// The salt length used to sign. Currently only applies to the RSA PSS signature scheme. Options are 'auto' (the default used by Golang, causing the salt to be as large as possible when signing), 'hash' (causes the salt length to equal the length of the hash used in the signature), or an integer between the minimum and the maximum permissible salt lengths for the given RSA key size. Defaults to 'auto'.
	SaltLength string `json:"salt_length,omitempty"`

	// The signature, including vault header/key version
	Signature string `json:"signature,omitempty"`

	// The signature algorithm to use for signature verification. Currently only applies to RSA key types. Options are 'pss' or 'pkcs1v15'. Defaults to 'pss'
	SignatureAlgorithm string `json:"signature_algorithm,omitempty"`
}

TransitVerifyRequest struct for TransitVerifyRequest

type TransitVerifyWithAlgorithmRequest ¶ 

type TransitVerifyWithAlgorithmRequest struct {
	// Deprecated: use \"hash_algorithm\" instead.
	Algorithm string `json:"algorithm,omitempty"`

	// Specifies a list of items for processing. When this parameter is set, any supplied 'input', 'hmac' or 'signature' parameters will be ignored. Responses are returned in the 'batch_results' array component of the 'data' element of the response. Any batch output will preserve the order of the batch input
	BatchInput []map[string]interface{} `json:"batch_input,omitempty"`

	// Base64 encoded context for key derivation. Required if key derivation is enabled; currently only available with ed25519 keys.
	Context string `json:"context,omitempty"`

	// Hash algorithm to use (POST body parameter). Valid values are: * sha1 * sha2-224 * sha2-256 * sha2-384 * sha2-512 * sha3-224 * sha3-256 * sha3-384 * sha3-512 * none Defaults to \"sha2-256\". Not valid for all key types. See note about none on signing path.
	HashAlgorithm string `json:"hash_algorithm,omitempty"`

	// The HMAC, including vault header/key version
	Hmac string `json:"hmac,omitempty"`

	// The base64-encoded input data to verify
	Input string `json:"input,omitempty"`

	// The method by which to unmarshal the signature when verifying. The default is 'asn1' which is used by openssl and X.509; can also be set to 'jws' which is used for JWT signatures in which case the signature is also expected to be url-safe base64 encoding instead of standard base64 encoding. Currently only valid for ECDSA P-256 key types\".
	MarshalingAlgorithm string `json:"marshaling_algorithm,omitempty"`

	// Set to 'true' when the input is already hashed. If the key type is 'rsa-2048', 'rsa-3072' or 'rsa-4096', then the algorithm used to hash the input should be indicated by the 'algorithm' parameter.
	Prehashed bool `json:"prehashed,omitempty"`

	// The salt length used to sign. Currently only applies to the RSA PSS signature scheme. Options are 'auto' (the default used by Golang, causing the salt to be as large as possible when signing), 'hash' (causes the salt length to equal the length of the hash used in the signature), or an integer between the minimum and the maximum permissible salt lengths for the given RSA key size. Defaults to 'auto'.
	SaltLength string `json:"salt_length,omitempty"`

	// The signature, including vault header/key version
	Signature string `json:"signature,omitempty"`

	// The signature algorithm to use for signature verification. Currently only applies to RSA key types. Options are 'pss' or 'pkcs1v15'. Defaults to 'pss'
	SignatureAlgorithm string `json:"signature_algorithm,omitempty"`
}

TransitVerifyWithAlgorithmRequest struct for TransitVerifyWithAlgorithmRequest

type UiHeadersConfigureRequest ¶ added in v0.3.0 

type UiHeadersConfigureRequest struct {
	// Returns multiple values if true
	Multivalue bool `json:"multivalue,omitempty"`

	// The values to set the header.
	Values []string `json:"values,omitempty"`
}

UiHeadersConfigureRequest struct for UiHeadersConfigureRequest

type UiHeadersListResponse ¶ added in v0.3.0 

type UiHeadersListResponse struct {
	// Lists of configured UI headers. Omitted if list is empty
	Keys []string `json:"keys,omitempty"`
}

UiHeadersListResponse struct for UiHeadersListResponse

type UiHeadersReadConfigurationResponse ¶ added in v0.3.0 

type UiHeadersReadConfigurationResponse struct {
	// returns the first header value when `multivalue` request parameter is false
	Value string `json:"value,omitempty"`

	// returns all header values when `multivalue` request parameter is true
	Values []string `json:"values,omitempty"`
}

UiHeadersReadConfigurationResponse struct for UiHeadersReadConfigurationResponse

type UnsealRequest ¶ 

type UnsealRequest struct {
	// Specifies a single unseal key share. This is required unless reset is true.
	Key string `json:"key,omitempty"`

	// Specifies if previously-provided unseal keys are discarded and the unseal process is reset.
	Reset bool `json:"reset,omitempty"`
}

UnsealRequest struct for UnsealRequest

type UnsealResponse ¶ added in v0.3.0 

type UnsealResponse struct {
	BuildDate string `json:"build_date,omitempty"`

	ClusterId string `json:"cluster_id,omitempty"`

	ClusterName string `json:"cluster_name,omitempty"`

	HcpLinkResourceID string `json:"hcp_link_resource_ID,omitempty"`

	HcpLinkStatus string `json:"hcp_link_status,omitempty"`

	Initialized bool `json:"initialized,omitempty"`

	Migration bool `json:"migration,omitempty"`

	N int32 `json:"n,omitempty"`

	Nonce string `json:"nonce,omitempty"`

	Progress int32 `json:"progress,omitempty"`

	RecoverySeal bool `json:"recovery_seal,omitempty"`

	Sealed bool `json:"sealed,omitempty"`

	StorageType string `json:"storage_type,omitempty"`

	T int32 `json:"t,omitempty"`

	Type string `json:"type,omitempty"`

	Version string `json:"version,omitempty"`
}

UnsealResponse struct for UnsealResponse

type UnwrapRequest ¶ added in v0.3.0 

type UnwrapRequest struct {
	Token string `json:"token,omitempty"`
}

UnwrapRequest struct for UnwrapRequest

type UserpassLoginRequest ¶ 

type UserpassLoginRequest struct {
	// Password for this user.
	Password string `json:"password,omitempty"`
}

UserpassLoginRequest struct for UserpassLoginRequest

type UserpassResetPasswordRequest ¶ added in v0.3.0 

type UserpassResetPasswordRequest struct {
	// Password for this user.
	Password string `json:"password,omitempty"`
}

UserpassResetPasswordRequest struct for UserpassResetPasswordRequest

type UserpassUpdatePoliciesRequest ¶ added in v0.3.0 

type UserpassUpdatePoliciesRequest struct {
	// Use \"token_policies\" instead. If this and \"token_policies\" are both specified, only \"token_policies\" will be used.
	// Deprecated
	Policies []string `json:"policies,omitempty"`

	// Comma-separated list of policies
	TokenPolicies []string `json:"token_policies,omitempty"`
}

UserpassUpdatePoliciesRequest struct for UserpassUpdatePoliciesRequest

type UserpassWriteUserRequest ¶ 

type UserpassWriteUserRequest struct {
	// Use \"token_bound_cidrs\" instead. If this and \"token_bound_cidrs\" are both specified, only \"token_bound_cidrs\" will be used.
	// Deprecated
	BoundCidrs []string `json:"bound_cidrs,omitempty"`

	// Use \"token_max_ttl\" instead. If this and \"token_max_ttl\" are both specified, only \"token_max_ttl\" will be used.
	// Deprecated
	MaxTtl string `json:"max_ttl,omitempty"`

	// Password for this user.
	Password string `json:"password,omitempty"`

	// Use \"token_policies\" instead. If this and \"token_policies\" are both specified, only \"token_policies\" will be used.
	// Deprecated
	Policies []string `json:"policies,omitempty"`

	// Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.
	TokenBoundCidrs []string `json:"token_bound_cidrs,omitempty"`

	// If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.
	TokenExplicitMaxTtl string `json:"token_explicit_max_ttl,omitempty"`

	// The maximum lifetime of the generated token
	TokenMaxTtl string `json:"token_max_ttl,omitempty"`

	// If true, the 'default' policy will not automatically be added to generated tokens
	TokenNoDefaultPolicy bool `json:"token_no_default_policy,omitempty"`

	// The maximum number of times a token may be used, a value of zero means unlimited
	TokenNumUses int32 `json:"token_num_uses,omitempty"`

	// If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").
	TokenPeriod string `json:"token_period,omitempty"`

	// Comma-separated list of policies
	TokenPolicies []string `json:"token_policies,omitempty"`

	// The initial ttl of the token to generate
	TokenTtl string `json:"token_ttl,omitempty"`

	// The type of token to generate, service or batch
	TokenType string `json:"token_type,omitempty"`

	// Use \"token_ttl\" instead. If this and \"token_ttl\" are both specified, only \"token_ttl\" will be used.
	// Deprecated
	Ttl string `json:"ttl,omitempty"`
}

UserpassWriteUserRequest struct for UserpassWriteUserRequest

type VersionHistoryResponse ¶ added in v0.3.0 

type VersionHistoryResponse struct {
	KeyInfo map[string]interface{} `json:"key_info,omitempty"`

	Keys []string `json:"keys,omitempty"`
}

VersionHistoryResponse struct for VersionHistoryResponse

Source Files ¶

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.