»Properties

Vault injects a rich set of data into the running Sentinel environment, allowing for very fine-grained controls. The available properties are enumerated on this page.

The following properties are available for use in Sentinel policies.

»Namespace Properties

The namespace (Sentinel) namespace gives access to information about the namespace in which the request is running. (This may or may not match the client's chosen namespace, if a request reaches into a child namespace).

| Name | Type | Description |
|------|------|-------------|
| id | string | The namespace ID |
| path | string | The root path of the namespace |

»Request Properties

The following properties are available in the request namespace.

| Name | Type | Description |
|------|------|-------------|
| connection.remote_addr | string | TCP/IP source address of the client |
| data | map (string -> any) | Raw request data |
| operation | string | Operation type, e.g. "read" or "update" |
| path | string | Path, with any leading / trimmed |
| policy_override | bool | true if a soft-mandatory policy override was requested |
| unauthenticated | bool | true if the requested path is an unauthenticated path |
| wrapping.ttl | duration | The requested response-wrapping TTL in nanoseconds, suitable for use with the time import |
| wrapping.ttl_seconds | int | The requested response-wrapping TTL in seconds |

»Replication Properties

The following properties exist at the replication.mode namespace.

| Name | Type | Description |
|------|------|-------------|
| dr | string | The state of DR replication. Valid values are "disabled", "bootstrapping", "primary", and "secondary" |
| replication | string | The state of performance replication. Valid values are "disabled", "bootstrapping", "primary", and "secondary" |

»Token Properties

The following properties, if available, are in the token namespace. The namespace will not exist if there is no token information attached to a request, e.g. when logging in.

| Name | Type | Description |
|------|------|-------------|
| creation_time | string | The timestamp of the token's creation, in RFC3339 format |
| creation_time_unix | int | The timestamp of the token's creation, in seconds since Unix epoch UTC |
| creation_ttl | duration | The TTL the token was first created with in nanoseconds, suitable for use with the time import |
| creation_ttl_seconds | int | The TTL the token was first created with in seconds |
| display_name | string | The display name set on the token, if any |
| entity_id | string | The Identity entity ID attached to the token, if any |
| explicit_max_ttl | duration | If the token has an explicit max TTL, the duration of the explicit max TTL in nanoseconds, suitable for use with the time import |
| explicit_max_ttl_seconds | int | If the token has an explicit max TTL, the duration of the explicit max TTL in seconds |
| metadata | map (string -> string) | Metadata set on the token |
| num_uses | int | The number of uses remaining on a use-count-limited token; 0 if the token has no use-count limit |
| path | string | The request path that resulted in creation of this token |
| period | duration | If the token has a period, the duration of the period in nanoseconds, suitable for use with the time import |
| period_seconds | int | If the token has a period, the duration of the period in seconds |
| policies | list (string) | Policies directly attached to the token |
| role | string | If created via a token role, the role that created the token |
| type | string | The type of token, currently will be either batch or service |

»Token Namespace Properties

The following properties, if available, are in the token.namespace namespace. The (Sentinel) namespace will not exist if there is no token information attached to a request, e.g. when logging in.

| Name | Type | Description |
|------|------|-------------|
| id | string | The namespace ID |
| path | string | The root path of the namespace |

»Identity Properties

The following properties, if available, are in the identity namespace. The namespace may not exist if there is no token information attached to the request; however, at login time the user's request data will be used to attempt to find any existing Identity information, or create some information to pass to MFA functions.

»Entity Properties

These exist at the identity.entity namespace.

| Name | Type | Description |
|------|------|-------------|
| creation_time | string | The entity's creation time in RFC3339 format |
| id | string | The entity's ID |
| last_update_time | string | The entity's last update (modify) time in RFC3339 format |
| metadata | map (string -> string) | Metadata associated with the entity |
| name | string | The entity's name |
| merged_entity_ids | list (string) | A list of IDs of entities that have been merged into this one |
| aliases | list (alias) | List of aliases associated with this entity |
| policies | list (string) | List of the policies set on this entity |

»Alias Properties

These can be retrieved from identity.entity.aliases.

| Name | Type | Description |
|------|------|-------------|
| creation_time | string | The alias's creation time in RFC3339 format |
| id | string | The alias's ID |
| last_update_time | string | The alias's last update (modify) time in RFC3339 format |
| metadata | map (string -> string) | Metadata associated with the alias |
| custom_metadata | map (string -> string) | Custom metadata associated with the alias |
| merged_from_entity_ids | list (string) | If this alias was attached to the current entity via one or more merges, the original entity/entities will be in this list |
| mount_accessor | string | The immutable accessor of the mount that created this alias |
| mount_path | string | The path of the mount that created this alias; unlike the accessor, there is no guarantee that the current path represents the original mount |
| mount_type | string | The type of the mount that created this alias |
| name | string | The alias's name |

»Groups Properties

These exist at the identity.groups namespace.

| Name | Type | Description |
|------|------|-------------|
| by_id | map (string -> group) | A map of group ID to group information |
| by_name | map (string -> group) | A map of group name to group information; unlike the group ID, there is no guarantee that the current name will always represent the same group |

»Group Properties

These can be retrieved from the identity.groups maps.

| Name | Type | Description |
|------|------|-------------|
| creation_time | string | The group's creation time in RFC3339 format |
| id | string | The group's ID |
| last_update_time | string | The group's last update (modify) time in RFC3339 format |
| metadata | map (string -> string) | Metadata associated with the group |
| name | string | The group's name |
| member_entity_ids | list (string) | A list of IDs of entities that are directly assigned to this group |
| parent_group_ids | list (string) | A list of IDs of groups that are parents of this group |
| policies | list (string) | List of the policies set on this group |

»MFA Properties

These properties exist at the mfa namespace.

| Name | Type | Description |
|------|------|-------------|
| methods | map (string -> method) | A map of method name to method properties |

»MFA Method Properties

These properties can be accessed via the mfa.methods selector.

| Name | Type | Description |
|------|------|-------------|
| valid | bool | Whether the method has successfully been validated; if validation has not been attempted, this will trigger the validation attempt. The result of the validation attempt will be used for this method for all policies for the given request. |

»Control Group Properties

These properties exist at the controlgroup namespace.

| Name | Type | Description |
|------|------|-------------|
| time, request_time | string | The original request time in RFC3339 format |
| authorizations | list (authorization) | List of control group authorizations |

»Control Group Authorization

These properties can be accessed via the controlgroup.authorizations selector.

| Name | Type | Description |
|------|------|-------------|
| time | string | The authorization time in RFC3339 format |
| entity | identity.entity | The identity entity for the authorizer. |
| groups | identity.groups | The map of identity groups associated with the authorizer. |
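
The following policy is an added example, not taken from the Vault documentation, showing how properties from the request, token and identity.entity namespaces listed on this page combine in a single Sentinel policy. The path prefix `secret/data/prod/`, the TTL limits and the `ldap` mount type are assumptions chosen for illustration.

```sentinel
# Added example; the path prefix, TTL limits and mount type are assumptions.
import "strings"

# Only evaluate the checks for authenticated reads under the assumed prefix.
# The token namespace does not exist when no token is attached (e.g. login),
# so unauthenticated paths are excluded up front.
precond = rule {
    not request.unauthenticated and
    request.operation is "read" and
    strings.has_prefix(request.path, "secret/data/prod/")
}

# Require a service token with an explicit max TTL of at most 8 hours.
# An undefined value is treated as 0, which fails the check below.
token_ttl = token.explicit_max_ttl_seconds else 0
bounded_token = rule {
    token.type is "service" and
    token_ttl > 0 and
    token_ttl <= 28800
}

# If response wrapping was requested, the wrapping TTL must be 5 minutes
# or less. An undefined value is treated as 0 (no wrapping requested).
wrap_ttl = request.wrapping.ttl_seconds else 0
short_wrap = rule {
    wrap_ttl <= 300
}

# At least one alias on the caller's entity must come from an LDAP mount.
# mount_type is used here for readability; mount_accessor is the immutable
# identifier if a specific mount has to be pinned.
ldap_backed = rule {
    any identity.entity.aliases as alias {
        alias.mount_type is "ldap"
    }
}

main = rule when precond {
    bounded_token and short_wrap and ldap_backed
}
```

Requests that do not match `precond` pass this policy unchanged, so it only tightens access to the assumed path and leaves other paths to whatever other policies apply.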