Creates one key vault configuration that Ops Manager uses to read credentials from HashiCorp Vault.
Required Roles
Requires that the API Key calling this endpoint have the
Global Owner role.
Base URL: https://{OPSMANAGER-HOST}:{PORT}/api/public/v1.0/admin
Resource
POST /keyVault
Request Path Parameters
This endpoint doesn't use HTTP request path parameters.
Request Query Parameters
The following query parameters are optional:
Name | Type | Necessity | Description | Default |
|---|---|---|---|---|
pretty | boolean | Optional | Flag indicating whether the response body is in a prettyprint format. |
|
envelope | boolean | Optional | Flag that indicates whether to wrap the response in an envelope. Some API clients cannot access the HTTP response headers or status code. To remediate this, set envelope=true in the query. For endpoints that return one result, the response body includes:
|
|
Request Body Parameters
Name | Type | Necessity | Description |
|---|---|---|---|
friendlyName | string | Required | Human-readable label that identifies this key vault configuration. Ops Manager displays this value in the Key Vault list and in the Vault Name field. |
type | string | Required | Key vault provider type. Ops Manager accepts only |
url | string | Required | Address of the HashiCorp Vault server that Ops Manager connects
to, such as |
auth | object | Required | Authentication details that Ops Manager uses to connect to HashiCorp Vault. |
auth.mechanism | string | Required | Authentication method that Ops Manager uses to connect to HashiCorp Vault. Ops Manager accepts the following values:
|
auth.secret | string | Required | Credential that Ops Manager uses to authenticate to HashiCorp Vault. When Ops Manager encrypts this value at rest and redacts it in API responses. |
auth.jwtClaims | object | Conditional | Claims that Ops Manager sends when it requests a JWT login from
HashiCorp Vault. Required when |
customCertificates | array | Optional | List of custom Certificate Authority certificates that Ops Manager uses for TLS verification when it connects to the HashiCorp Vault server. |
customCertificates[n].filename | string | Conditional | Name that identifies the Certificate Authority PEM file. Required for
each entry in |
customCertificates[n].certString | string | Conditional | Contents of the Certificate Authority PEM file. Required for each entry
in |
Response
Name | Type | Description |
|---|---|---|
id | string | Unique identifier that Ops Manager generates for this key vault
configuration. Use this value as the |
friendlyName | string | Human-readable label that identifies this key vault configuration. |
type | string | Key vault provider type. Ops Manager returns |
url | string | Address of the HashiCorp Vault server that Ops Manager connects to. |
auth | object | Authentication details that Ops Manager uses to connect to HashiCorp Vault. |
auth.mechanism | string | Authentication method that Ops Manager uses to connect to HashiCorp Vault. Ops Manager returns one of the following values:
|
auth.secret | string | Credential that Ops Manager uses to authenticate to HashiCorp
Vault. Ops Manager encrypts this value at rest and returns
|
auth.jwtClaims | object | Claims that Ops Manager sends when it requests a JWT login from
HashiCorp Vault. Ops Manager returns this object only when
|
customCertificates | array | List of custom Certificate Authority certificates that Ops Manager uses for TLS verification when it connects to the HashiCorp Vault server. |
customCertificates[n].filename | string | Name that identifies the Certificate Authority PEM file. |
customCertificates[n].certString | string | Contents of the Certificate Authority PEM file. Ops Manager returns
|
links | object array | One or more links to sub-resources or related resources. All
|
Example Request
curl --user '{PUBLIC-KEY}:{PRIVATE-KEY}' --digest \ --header 'Accept: application/json' \ --header 'Content-Type: application/json' \ --include \ --request POST 'https://<OpsManagerHost>:<Port>/api/public/v1.0/admin/keyVault?pretty=true' \ --data '{ "friendlyName": "myVault", "type": "HASHI_CORP", "url": "https://localhost:8200/", "auth": { "mechanism": "TOKEN", "secret": "<vault-token>" } }'
curl --user '{PUBLIC-KEY}:{PRIVATE-KEY}' --digest \ --header 'Accept: application/json' \ --header 'Content-Type: application/json' \ --include \ --request POST 'https://<OpsManagerHost>:<Port>/api/public/v1.0/admin/keyVault?pretty=true' \ --data '{ "friendlyName": "myVault", "type": "HASHI_CORP", "url": "https://localhost:8200/", "auth": { "mechanism": "JWT", "secret": "-----BEGIN PRIVATE KEY-----\n<private-key>\n-----END PRIVATE KEY-----", "jwtClaims": { "user": "ops-manager", "role": "ops-manager-role" } } }'
Example Response
Response Header
401 Unauthorized Content-Type: application/json;charset=ISO-8859-1 Date: {dateInUnixFormat} WWW-Authenticate: Digest realm="MMS Public API", domain="", nonce="{nonce}", algorithm=MD5, op="auth", stale=false Content-Length: {requestLengthInBytes} Connection: keep-alive
200 OK Vary: Accept-Encoding Content-Type: application/json Strict-Transport-Security: max-age=300 Date: {dateInUnixFormat} Connection: keep-alive Content-Length: {requestLengthInBytes} X-MongoDB-Service-Version: gitHash={gitHash}; versionString={ApplicationVersion}
Response Body
{ "id": "{KEY-VAULT-ID}", "friendlyName": "myVault", "type": "HASHI_CORP", "url": "https://localhost:8200/", "auth": { "mechanism": "TOKEN", "secret": "[REDACTED]" }, "links": [ { "href": "https://<OpsManagerHost>:<Port>/api/public/v1.0/admin/keyVault/{KEY-VAULT-ID}", "rel": "self" } ] }