Docs Menu
Docs Home
/ /

Update One Key Vault Configuration

Updates one key vault configuration. Ops Manager merges the fields that you send with the stored configuration and leaves the fields that you omit unchanged.

Requires that the API Key calling this endpoint have the Global Owner role.

Base URL: https://{OPSMANAGER-HOST}:{PORT}/api/public/v1.0/admin

PATCH /keyVault/{KEY-VAULT-ID}
Name
Type
Description

KEY-VAULT-ID

string

Unique identifier of the key vault configuration to update.

The following query parameters are optional:

Name
Type
Necessity
Description
Default

pretty

boolean

Optional

Flag indicating whether the response body is in a prettyprint format.

false

envelope

boolean

Optional

Flag that indicates whether to wrap the response in an envelope.

Some API clients cannot access the HTTP response headers or status code. To remediate this, set envelope=true in the query.

For endpoints that return one result, the response body includes:

  • status: HTTP response code

  • content: Expected response body

false

Name
Type
Necessity
Description

friendlyName

string

Optional

Human-readable label that identifies this key vault configuration. Ops Manager displays this value in the Key Vault list and in the Vault Name field.

type

string

Optional

Key vault provider type. Ops Manager accepts only HASHI_CORP, which represents HashiCorp Vault.

url

string

Optional

Address of the HashiCorp Vault server that Ops Manager connects to, such as https://localhost:8200/.

auth

object

Optional

Authentication details that Ops Manager uses to connect to HashiCorp Vault.

auth.mechanism

string

Conditional

Authentication method that Ops Manager uses to connect to HashiCorp Vault. Required when you update the auth object. Ops Manager accepts the following values:

  • TOKEN

  • JWT

auth.secret

string

Optional

Credential that Ops Manager uses to authenticate to HashiCorp Vault.

When auth.mechanism is TOKEN, set this value to the Vault token. When auth.mechanism is JWT, set this value to the PEM-formatted RSA private key that signs the JWT.

To keep the stored credential, omit this field or send the redacted value that Ops Manager returns. Ops Manager encrypts this value at rest and redacts it in API responses.

auth.jwtClaims

object

Conditional

Claims that Ops Manager sends when it requests a JWT login from HashiCorp Vault. Required when auth.mechanism is JWT. Include the user and role claims.

customCertificates

array

Optional

List of custom Certificate Authority certificates that Ops Manager uses for TLS verification when it connects to the HashiCorp Vault server.

customCertificates[n].filename

string

Conditional

Name that identifies the Certificate Authority PEM file. Required for each entry in customCertificates.

customCertificates[n].certString

string

Conditional

Contents of the Certificate Authority PEM file. Required for each entry in customCertificates. To keep a stored certificate, send the redacted value that Ops Manager returns. Ops Manager redacts this value in API responses.

Name
Type
Description

id

string

Unique identifier that Ops Manager generates for this key vault configuration. Use this value as the vaultId when you configure an S3-compatible storage snapshot store to use this key vault.

friendlyName

string

Human-readable label that identifies this key vault configuration.

type

string

Key vault provider type. Ops Manager returns HASHI_CORP, which represents HashiCorp Vault.

url

string

Address of the HashiCorp Vault server that Ops Manager connects to.

auth

object

Authentication details that Ops Manager uses to connect to HashiCorp Vault.

auth.mechanism

string

Authentication method that Ops Manager uses to connect to HashiCorp Vault. Ops Manager returns one of the following values:

  • TOKEN

  • JWT

auth.secret

string

Credential that Ops Manager uses to authenticate to HashiCorp Vault. Ops Manager encrypts this value at rest and returns [REDACTED] instead of the stored value.

auth.jwtClaims

object

Claims that Ops Manager sends when it requests a JWT login from HashiCorp Vault. Ops Manager returns this object only when auth.mechanism is JWT.

customCertificates

array

List of custom Certificate Authority certificates that Ops Manager uses for TLS verification when it connects to the HashiCorp Vault server.

customCertificates[n].filename

string

Name that identifies the Certificate Authority PEM file.

customCertificates[n].certString

string

Contents of the Certificate Authority PEM file. Ops Manager returns [REDACTED] instead of the stored value.

links

object array

One or more links to sub-resources or related resources. All links arrays in responses include at least one link called self. The relationships between URLs are explained in the Web Linking Specification.

curl --user '{PUBLIC-KEY}:{PRIVATE-KEY}' --digest \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--include \
--request PATCH 'https://<OpsManagerHost>:<Port>/api/public/v1.0/admin/keyVault/{KEY-VAULT-ID}?pretty=true' \
--data '{
"url": "https://vault.example.com:8200/"
}'
HTTP/1.1 401 Unauthorized
Content-Type: application/json;charset=ISO-8859-1
Date: {dateInUnixFormat}
WWW-Authenticate: Digest realm="MMS Public API", domain="", nonce="{nonce}", algorithm=MD5, op="auth", stale=false
Content-Length: {requestLengthInBytes}
Connection: keep-alive
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Type: application/json
Strict-Transport-Security: max-age=300
Date: {dateInUnixFormat}
Connection: keep-alive
Content-Length: {requestLengthInBytes}
X-MongoDB-Service-Version: gitHash={gitHash}; versionString={ApplicationVersion}
{
"id": "{KEY-VAULT-ID}",
"friendlyName": "myVault",
"type": "HASHI_CORP",
"url": "https://vault.example.com:8200/",
"auth": {
"mechanism": "TOKEN",
"secret": "[REDACTED]"
},
"links": [
{
"href": "https://<OpsManagerHost>:<Port>/api/public/v1.0/admin/keyVault/{KEY-VAULT-ID}",
"rel": "self"
}
]
}

Back

Create

On this page