Vault
/sys/quotas/rate-limit
Restricted endpoint
The API path can only be called from the root namespace.The /sys/quotas/rate-limit endpoint is used to create, edit and delete rate limit quotas.
Create or update a rate limit quota
This endpoint is used to create a rate limit quota with an identifier, name.
A rate limit quota must include a rate value with an optional path that can
either be a namespace or mount, and can optionally include a path suffix following
the mount to restrict more specific API paths.
| Method | Path |
|---|---|
POST | /sys/quotas/rate-limit/:name |
Parameters
name(string: "")- The name of the quota.path(string: "")- Path of the mount or namespace to apply the quota. A blank path configures a global rate limit quota. For examplenamespace1/adds a quota to a full namespace,namespace1/auth/userpassadds a quota touserpassinnamespace1, andnamespace1/kv-v2/data/foo/baradds a quota to a specific secret on a K/V v2 mount innamespace1. A trailing glob (*) can also be added as part of the path after the mount to match paths that share the same prefix prior to the glob.namespace1/kv-v2/data/foo/*would match bothnamespace1/kv-v2/data/foo/barandnamespace1/kv-v2/data/foo/baz. Updating this field on an existing quota can have "moving" effects. For example, updatingnamespace1tonamespace1/auth/userpassmoves this quota from being a namespace quota to a namespace specific mount quota. Non-global quotas are not inherited by child namespaces. Note, namespaces are supported in Enterprise only.rate(float: 0.0)- The maximum number of requests in a given interval to be allowed by the quota rule. Theratemust be positive.interval(string: "")- The duration to enforce rate limiting for (default"1s").block_interval(string: "")- If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 'block_interval' has elapsed.role(string: "")- If set on a quota wherepathis set to an auth mount with a concept of roles (such as/auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. The request will fail if the auth mount does not have a concept of roles, orpathis not an auth mount.
Sample payload
{
"path": "",
"rate": 897.3,
"interval": "2m",
"block_interval": "5m"
}
Sample request
$ curl \
--request POST \
--header "X-Vault-Token: ..." \
--data @payload.json \
http://127.0.0.1:8200/v1/sys/quotas/rate-limit/global-rate-limiter
Delete a rate limit quota
A rate limit quota can be deleted by name.
| Method | Path |
|---|---|
DELETE | /sys/quotas/rate-limit/:name |
Sample request
$ curl \
--request DELETE \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/sys/quotas/rate-limit/global-rate-limiter
Get a rate limit quota
A rate limit quota can be retrieved by name.
| Method | Path |
|---|---|
GET | /sys/quotas/rate-limit/:name |
Sample request
$ curl \
--request GET \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/sys/quotas/rate-limit/global-rate-limiter
Sample response
{
"request_id": "d0870811-455d-3dfd-459f-aee016e6fb68",
"lease_id": "",
"lease_duration": 0,
"renewable": false,
"data": {
"block_interval": 300,
"interval": 2,
"name": "global-rate-limiter",
"path": "",
"rate": 897.3,
"role": "",
"type": "rate-limit"
},
"warnings": null
}
List rate limit quotas
This endpoint returns a list of all the rate limit quotas.
| Method | Path |
|---|---|
LIST | /sys/quotas/rate-limit |
Sample request
$ curl \
--request LIST \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/sys/quotas/rate-limit
Sample response
{
"auth": null,
"data": {
"keys": ["global-rate-limiter", "kv-rate-limiter"]
},
"lease_duration": 0,
"lease_id": "",
"renewable": false,
"request_id": "ab633ee1-a692-ba03-083b-f1bd91c51c28",
"warnings": null,
"wrap_info": null
}