HashiConf 2025 Don't miss the live stream of HashiConf Day 2 happening now View live stream
Vault
Vault Home

Delete static LDAP roles

Vault does not rotate passwords when you delete a static role. We recommend manually rotating the mapped credentials before deleting the role or revoking access to the static role.

Assumptions

  • You have set up an ldap plugin.
  • You have permission to update roles in Vault.
  • You have permission to make POST calls to the ldap plugin.

  1. Even for delete requests, the plugin expects all required parameters. You can use the existing configuration file (if you created one) or create a minimal version for the delete request.

    {
  "role_name":       "<vault_role_name>",
  "username":        "<existing_ldap_username>"
  "rotation_period": "<credential_rotation_frequency>"
}

    For example:

    {
  "role_name":       "hashicorp",
  "username":        "vault"
  "rotation_period": "24h"
}

  2. Update the role.

    Use vault write with the /{mount_path}/static-role path and your static role configuration, ldap-role.json, to create a new static role:

    $ vault write <mount_path>/static-role @ldap-role.json

    For example:

    $ vault write devcreds/static-role @ldap-role.json

  3. Confirm the role deletion by requesting credentials from the plugin:

    Use vault read with the /{mount_path}/static-cred/{role_name} path to fetch the credential information for the given role:

    $ vault read <mount_path>/static-role/<role_name>

    For example:

    $ vault read devcreds/static-role/hashicorp
Edit this page on GitHub