Docs Menu
Docs Home
/ /

Create One Key Vault Configuration

Creates one key vault configuration that Ops Manager uses to read credentials from HashiCorp Vault.

Requires that the API Key calling this endpoint have the Global Owner role.

Base URL: https://{OPSMANAGER-HOST}:{PORT}/api/public/v1.0/admin

POST /keyVault

This endpoint doesn't use HTTP request path parameters.

The following query parameters are optional:

Name
Type
Necessity
Description
Default

pretty

boolean

Optional

Flag indicating whether the response body is in a prettyprint format.

false

envelope

boolean

Optional

Flag that indicates whether to wrap the response in an envelope.

Some API clients cannot access the HTTP response headers or status code. To remediate this, set envelope=true in the query.

For endpoints that return one result, the response body includes:

  • status: HTTP response code

  • content: Expected response body

false

Name
Type
Necessity
Description

friendlyName

string

Required

Human-readable label that identifies this key vault configuration. Ops Manager displays this value in the Key Vault list and in the Vault Name field.

type

string

Required

Key vault provider type. Ops Manager accepts only HASHI_CORP, which represents HashiCorp Vault.

url

string

Required

Address of the HashiCorp Vault server that Ops Manager connects to, such as https://localhost:8200/.

auth

object

Required

Authentication details that Ops Manager uses to connect to HashiCorp Vault.

auth.mechanism

string

Required

Authentication method that Ops Manager uses to connect to HashiCorp Vault. Ops Manager accepts the following values:

  • TOKEN

  • JWT

auth.secret

string

Required

Credential that Ops Manager uses to authenticate to HashiCorp Vault.

When auth.mechanism is TOKEN, set this value to the Vault token. When auth.mechanism is JWT, set this value to the PEM-formatted RSA private key that signs the JWT.

Ops Manager encrypts this value at rest and redacts it in API responses.

auth.jwtClaims

object

Conditional

Claims that Ops Manager sends when it requests a JWT login from HashiCorp Vault. Required when auth.mechanism is JWT. Include the user and role claims.

customCertificates

array

Optional

List of custom Certificate Authority certificates that Ops Manager uses for TLS verification when it connects to the HashiCorp Vault server.

customCertificates[n].filename

string

Conditional

Name that identifies the Certificate Authority PEM file. Required for each entry in customCertificates.

customCertificates[n].certString

string

Conditional

Contents of the Certificate Authority PEM file. Required for each entry in customCertificates. Ops Manager redacts this value in API responses.

Name
Type
Description

id

string

Unique identifier that Ops Manager generates for this key vault configuration. Use this value as the vaultId when you configure an S3-compatible storage snapshot store to use this key vault.

friendlyName

string

Human-readable label that identifies this key vault configuration.

type

string

Key vault provider type. Ops Manager returns HASHI_CORP, which represents HashiCorp Vault.

url

string

Address of the HashiCorp Vault server that Ops Manager connects to.

auth

object

Authentication details that Ops Manager uses to connect to HashiCorp Vault.

auth.mechanism

string

Authentication method that Ops Manager uses to connect to HashiCorp Vault. Ops Manager returns one of the following values:

  • TOKEN

  • JWT

auth.secret

string

Credential that Ops Manager uses to authenticate to HashiCorp Vault. Ops Manager encrypts this value at rest and returns [REDACTED] instead of the stored value.

auth.jwtClaims

object

Claims that Ops Manager sends when it requests a JWT login from HashiCorp Vault. Ops Manager returns this object only when auth.mechanism is JWT.

customCertificates

array

List of custom Certificate Authority certificates that Ops Manager uses for TLS verification when it connects to the HashiCorp Vault server.

customCertificates[n].filename

string

Name that identifies the Certificate Authority PEM file.

customCertificates[n].certString

string

Contents of the Certificate Authority PEM file. Ops Manager returns [REDACTED] instead of the stored value.

links

object array

One or more links to sub-resources or related resources. All links arrays in responses include at least one link called self. The relationships between URLs are explained in the Web Linking Specification.

curl --user '{PUBLIC-KEY}:{PRIVATE-KEY}' --digest \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--include \
--request POST 'https://<OpsManagerHost>:<Port>/api/public/v1.0/admin/keyVault?pretty=true' \
--data '{
"friendlyName": "myVault",
"type": "HASHI_CORP",
"url": "https://localhost:8200/",
"auth": {
"mechanism": "TOKEN",
"secret": "<vault-token>"
}
}'
curl --user '{PUBLIC-KEY}:{PRIVATE-KEY}' --digest \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--include \
--request POST 'https://<OpsManagerHost>:<Port>/api/public/v1.0/admin/keyVault?pretty=true' \
--data '{
"friendlyName": "myVault",
"type": "HASHI_CORP",
"url": "https://localhost:8200/",
"auth": {
"mechanism": "JWT",
"secret": "-----BEGIN PRIVATE KEY-----\n<private-key>\n-----END PRIVATE KEY-----",
"jwtClaims": {
"user": "ops-manager",
"role": "ops-manager-role"
}
}
}'
HTTP/1.1 401 Unauthorized
Content-Type: application/json;charset=ISO-8859-1
Date: {dateInUnixFormat}
WWW-Authenticate: Digest realm="MMS Public API", domain="", nonce="{nonce}", algorithm=MD5, op="auth", stale=false
Content-Length: {requestLengthInBytes}
Connection: keep-alive
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Type: application/json
Strict-Transport-Security: max-age=300
Date: {dateInUnixFormat}
Connection: keep-alive
Content-Length: {requestLengthInBytes}
X-MongoDB-Service-Version: gitHash={gitHash}; versionString={ApplicationVersion}
{
"id": "{KEY-VAULT-ID}",
"friendlyName": "myVault",
"type": "HASHI_CORP",
"url": "https://localhost:8200/",
"auth": {
"mechanism": "TOKEN",
"secret": "[REDACTED]"
},
"links": [
{
"href": "https://<OpsManagerHost>:<Port>/api/public/v1.0/admin/keyVault/{KEY-VAULT-ID}",
"rel": "self"
}
]
}

Back

Get All

On this page