Check in a service account

Return a service account previously checked out from a previously configured LDAP library.

Assumptions

You have set up an ldap plugin.
You have created an LDAP account library.

Returing a service account to the library tells Vault to rotate the associated password.

Use vault write with the service account name and {mount_path}/library/{set_name}/check-out path to request a service account:

$ vault write <mount_path>/library/<set_name>/check-in \
  service_account_names=[<account_list>]

For example:

$ vault write -f devcreds/library/accounting-team/check-in \
  service_account_names=["fizz@example.com"]

Tip

If the caller only has one account checked out, you can omit the account list and use the -f flag to call the endpoint without explicit parameters.

Make a POST call to {mount_path}/library/{set_name}/check-out to request a service account:

$ curl                                                \
  --request POST                                      \
  --header    "X-Vault-Token: ${VAULT_TOKEN}"         \
  --namespace "X-Vault-Namespace: ${VAULT_NAMESPACE}" \
  ${VAULT_ADDR}/v1/<mount_path>/library/<set_name>/checkout

For example:

$ curl                                                \
  --request POST                                      \
  --header    "X-Vault-Token: ${VAULT_TOKEN}"         \
  --namespace "X-Vault-Namespace: ${VAULT_NAMESPACE}" \
  ${VAULT_ADDR}/v1/devcreds/library/accounting-team/checkout

Tip

If the caller only has one account checked out, you can omit the account list and make an empty POST call to the endpoint.