Vault
/sys/namespaces
Enterprise
Appropriate Vault Enterprise license required
The /sys/namespaces endpoint is used manage namespaces in Vault.
List namespaces
This endpoints lists all the namespaces.
| Method | Path |
|---|---|
LIST | /sys/namespaces |
Sample request
$ curl \
--header "X-Vault-Token: ..." \
-X LIST \
http://127.0.0.1:8200/v1/sys/namespaces
Sample response
{
"data": {
"key_info": {
"bar/": {
"custom_metadata": {},
"id": "HWmNL",
"path": "bar/"
},
"foo/": {
"custom_metadata": {},
"id": "5q39x",
"path": "foo/"
}
},
"keys": [
"bar/",
"foo/"
]
}
}
Create namespace
This endpoint creates a namespace at the given path.
| Method | Path |
|---|---|
POST | /sys/namespaces/:path |
Parameters
path(string: <required>)– Specifies the path where the namespace will be created.custom_metadata(map<string|string>: nil)- A map of arbitrary string to string valued user-provided metadata meant to describe the namespace.
Sample payload
{
"custom_metadata": {
"foo": "abc",
"bar": "123"
}
}
Sample request
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/sys/namespaces/ns1
Patch namespace
This endpoint patches an existing namespace at the specified path.
| Method | Path |
|---|---|
PATCH | /sys/namespaces/:path |
Parameters
path(string: <required>)– Specifies the path of the existing namespace.custom_metadata(map<string|string>: nil)- A map of arbitrary string to string valued user-provided metadata meant to describe the namespace.
Sample payload
{
"custom_metadata": {
"foo": "abc",
"bar": "123"
}
}
Sample request
$ curl \
--header "X-Vault-Token: ..." \
--header "Content-Type: application/merge-patch+json"
--request PATCH \
--data @payload.json \
http://127.0.0.1:8200/v1/sys/namespaces/ns1
Delete namespace
This endpoint deletes a namespace at the specified path.
| Method | Path |
|---|---|
DELETE | /sys/namespaces/:path |
Sample request
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
http://127.0.0.1:8200/v1/sys/namespaces/ns1
Read namespace information
This endpoint gets the metadata for the given namespace path.
| Method | Path |
|---|---|
GET | /sys/namespaces/:path |
Sample request
$ curl \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/sys/namespaces/ns1
Sample response
{
"id": "gsudj",
"path": "ns1/",
"custom_metadata": {
"foo": "abc",
"bar": "123"
}
}
Lock namespace
This endpoint locks the API for the current namespace path or optional subpath. The behavior when interacting with Vault from a locked namespace is described in API Locked Response.
| Method | Path |
|---|---|
POST | /sys/namespaces/api-lock/lock/:subpath |
Sample request - current namespace
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
http://127.0.0.1:8200/v1/sys/namespaces/api-lock/lock
Sample response - current namespace
{
"unlock_key": "<unlock key for current/ns/path>"
}
Sample request - X-Vault-Namespace
$ curl \
--header "X-Vault-Token: ..." \
--header "X-Vault-Namespace: some/path
--request POST \
http://127.0.0.1:8200/v1/sys/namespaces/api-lock/lock
Sample response - X-Vault-Namespace
{
"unlock_key": "<unlock key for some/path>"
}
Sample request - descendant of current namespace
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
http://127.0.0.1:8200/v1/sys/namespaces/api-lock/lock/some/descendant/subpath
Sample response - descendant of current namespace
{
"unlock_key": "<unlock key for current/ns/path/some/descendant/subpath>"
}
Unlock namespace
This endpoint unlocks the api for the current namespace path or optional subpath.
| Method | Path |
|---|---|
POST | /sys/namespaces/api-lock/unlock/:subpath |
Sample payload - current namespace Non-Root
{
"unlock_key": "<unlock key for current/ns/path>"
}
Sample request - current namespace Non-Root
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/sys/namespaces/api-lock/unlock
Sample request - current namespace root
$ curl \
--header "X-Vault-Token: <some root token>" \
--request POST \
http://127.0.0.1:8200/v1/sys/namespaces/api-lock/unlock
Sample payload - descendant namespace Non-Root
{
"unlock_key": "<unlock key for current/ns/path/some/descendant/subpath>"
}
Sample request - descendant namespace Non-Root
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/sys/namespaces/api-lock/unlock/some/descendant/path