New Vault OSS Now Includes Multi-factor Authentication! Learn more
  • Overview
    • Automated PKI Infrastructure
    • Data Encryption & Tokenization
    • Database Credential Rotation
    • Dynamic Secrets
    • Identity-based Access
    • Key Management
    • Kubernetes Secrets
    • Secrets Management
  • Enterprise
  • Tutorials
  • Docs
  • API
  • Community
GitHubTry Cloud
Download
    • v1.10.x (latest)
    • v1.9.x
    • v1.8.x
    • v1.7.x
    • v1.6.x
    • v1.5.x
    • v1.4.x
  • Overview
  • Client Libraries
  • Related Tools

    • Overview
    • Active Directory
    • AliCloud
    • AWS
    • Azure
    • Cassandra
    • Consul
    • Cubbyhole
      • Overview
      • Cassandra
      • Couchbase
      • Elasticsearch
      • Influxdb
      • HanaDB
      • MongoDB
      • MongoDB Atlas
      • MSSQL
      • MySQL/MariaDB
      • Oracle
      • PostgreSQL
      • Redshift
      • Snowflake
    • Google Cloud
    • Google Cloud KMS
      • Overview
      • Azure Key Vault
      • AWS KMS
      • GCP Cloud KMS
    • KMIP ENTERPRISE
      • Overview
      • K/V Version 1
      • K/V Version 2
      • Overview
      • Entity
      • Entity Alias
      • Group
      • Group Alias
      • Identity Tokens
      • Lookup
      • OIDC Provider
        • Overview
        • Duo
        • Okta
        • PingID
        • TOTP
        • Login Enforcement
    • MongoDB Atlas
    • Nomad
    • OpenLDAP
    • PKI
    • RabbitMQ
    • SSH
    • Terraform Cloud
    • TOTP
    • Transform ENTERPRISE
    • Transit
    • Overview
    • AliCloud
    • AppRole
    • AWS
    • Azure
    • Cloud Foundry
    • GitHub
    • Google Cloud
    • JWT/OIDC
    • Kerberos
    • Kubernetes
    • LDAP
    • OCI
    • Okta
    • RADIUS
    • TLS Certificates
    • Tokens
    • Username & Password
    • App ID DEPRECATED
    • Overview
    • /sys/audit
    • /sys/audit-hash
    • /sys/auth
    • /sys/capabilities
    • /sys/capabilities-accessor
    • /sys/capabilities-self
    • /sys/config/auditing
    • /sys/config/control-group
    • /sys/config/cors
    • /sys/config/reload
    • /sys/config/state
    • /sys/config/ui
    • /sys/control-group
    • /sys/generate-recovery-token
    • /sys/generate-root
    • /sys/health
    • /sys/host-info
    • /sys/in-flight-req
    • /sys/init
    • /sys/internal/counters
    • /sys/internal/specs/openapi
    • /sys/internal/ui/feature-flags
    • /sys/internal/ui/mounts
    • /sys/internal/ui/namespaces
    • /sys/internal/ui/resultant-acl
    • /sys/key-status
    • /sys/ha-status
    • /sys/leader
    • /sys/leases
    • /sys/license
    • /sys/managed-keys ENT
    • /sys/metrics
      • Overview
      • /sys/mfa/method/duo
      • /sys/mfa/method/okta
      • /sys/mfa/method/pingid
      • /sys/mfa/method/totp
      • /sys/mfa/validate
    • /sys/monitor
    • /sys/mounts
    • /sys/namespaces
    • /sys/plugins/reload/backend
    • /sys/plugins/catalog
    • /sys/policy
    • /sys/policies
    • /sys/policies/password
    • /sys/pprof
    • /sys/quotas/config
    • /sys/quotas/rate-limit
    • /sys/quotas/lease-count
    • /sys/raw
    • /sys/rekey
    • /sys/rekey-recovery-key
    • /sys/remount
      • Overview
      • /sys/replication/performance
      • /sys/replication/dr
    • /sys/rotate
    • /sys/rotate/config
    • /sys/seal
    • /sys/seal-status
    • /sys/sealwrap/rewrap
    • /sys/step-down
      • Overview
      • /sys/storage/raft
      • /sys/storage/raft/autopilot
      • /sys/storage/raft/snapshot-auto
    • /sys/tools
    • /sys/unseal
    • /sys/version-history
    • /sys/wrapping/lookup
    • /sys/wrapping/rewrap
    • /sys/wrapping/unwrap
    • /sys/wrapping/wrap
Type '/' to Search

»Create a login enforcement

This endpoint creates or updates a login enforcement that specifies which MFA methods should be used when logging into Vault. If there are multiple login enforcements, each one needs to be satisfied before a login attempt succeeds.

MethodPath
POST/identity/mfa/login-enforcement/:name

»Parameters

  • name (string: <required>) - Name for this login enforcement configuration.

  • mfa_method_ids ([]string: <required>) - Array of MFA method UUIDs to use. These will be ORed together, meaning if several IDs are specified, any one of them is sufficient to login.

  • auth_method_accessors ([]string: []) - Array of auth mount accessor IDs. If present, only auth methods corresponding to the given accessors are checked during login.

  • auth_method_types ([]string: []) - Array of auth method types. If present, only auth methods corresponding to the given types are checked during login.

  • identity_group_ids ([]string: []) - Array of identity group IDs. If present, only entities belonging to one of the given groups are checked during login. Note that these IDs can be from the current namespace or a child namespace.

  • identity_entity_ids ([]string: []) - Array of identity entity IDs. If present, only entities with the given IDs are checked during login. Note that these IDs can be from the current namespace or a child namespace.

Note that while none of auth_method_accessors, auth_method_types, identity_group_ids, or identity_entity_ids is individually required, at least one of those four fields must be present to create a login enforcement.

»Sample Payload

{
  "mfa_method_ids": ["134f7ce9-feae-4c6c-9ed7-ab3e413dbfce"],
  "auth_method_accessors": ["auth_userpass_337fdb6a"]
}
{
  "mfa_method_ids": ["134f7ce9-feae-4c6c-9ed7-ab3e413dbfce"],
  "auth_method_accessors": ["auth_userpass_337fdb6a"]
}

»Sample Request

$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/identity/mfa/login-enforcement/foo
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/identity/mfa/login-enforcement/foo

»Read Login Enforcement

This endpoint reads the login enforcement configuration for a given name.

MethodPath
GET/identity/mfa/login-enforcement/:name

»Parameters

  • name (string: <required>) – Name of the login enforcement.

»Sample Request

$ curl \
    --header "X-Vault-Token: ..." \
    --request GET \
    http://127.0.0.1:8200/v1/identity/mfa/login-enforcement/foo

$ curl \
    --header "X-Vault-Token: ..." \
    --request GET \
    http://127.0.0.1:8200/v1/identity/mfa/login-enforcement/foo

»Sample Response

{
  "data": {
    "auth_method_accessors": [
      "auth_userpass_337fdb6a"
    ],
    "auth_method_types": [],
    "id": "24167a6c-759a-c596-6d48-391c89c4befc",
    "identity_entity_ids": [],
    "identity_group_ids": [],
    "mfa_method_ids": [
      "c1372abf-bf64-1f26-c2a4-cbcfa135b775"
    ],
    "name": "foo",
    "namespace_id": "root"
  }
}
{
  "data": {
    "auth_method_accessors": [
      "auth_userpass_337fdb6a"
    ],
    "auth_method_types": [],
    "id": "24167a6c-759a-c596-6d48-391c89c4befc",
    "identity_entity_ids": [],
    "identity_group_ids": [],
    "mfa_method_ids": [
      "c1372abf-bf64-1f26-c2a4-cbcfa135b775"
    ],
    "name": "foo",
    "namespace_id": "root"
  }
}

»Delete Login Enforcement

This endpoint deletes a login enforcement configuration by the given name.

MethodPath
DELETE/identity/mfa/login-enforcement/:name

»Parameters

  • name (string: <required>) - Name of the login enforcement.

»Sample Request

$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/identity/mfa/login-enforcement/foo

$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/identity/mfa/login-enforcement/foo

»List Login Enforcements

This endpoint lists login enforcements that are visible in the current namespace or in parent namespaces.

MethodPath
LIST/identity/mfa/login-enforcement

»Sample Request

$ curl \
    --header "X-Vault-Token: ..." \
    --request LIST \
    http://127.0.0.1:8200/v1/identity/mfa/login-enforcement

$ curl \
    --header "X-Vault-Token: ..." \
    --request LIST \
    http://127.0.0.1:8200/v1/identity/mfa/login-enforcement

»Sample Response

{
  "data": {
    "keys": [
      "foo"
    ]
  }
}
{
  "data": {
    "keys": [
      "foo"
    ]
  }
}
github logoEdit this page
DocsAPILearnCommunityPrivacySecurityPress KitConsent Manager