vhsm secrets tune
The vhsm secrets tune command modifies the configuration settings for a secrets engine at a specified path. This does not modify the secrets engine type but updates its configuration parameters.
Before tuning, check the current configuration using: vhsm read sys/mounts/<path>/tune
Usage
Examples
Example 1: View current configuration for "pki/"
Output
Example 2: Tune default lease TTL and exclude fields from HMAC in audit logs
Output
Example 3: Verify configuration after tuning
Output
Example 4: Specify multiple non-HMAC audit request keys
Available Options
-allowed-response-headers=<string>
Response header values the secrets engine can set. Multiple keys can be provided by using this option multiple times.
-audit-non-hmac-request-keys=<string>
Request data keys excluded from HMAC in audit logs. Use multiple times for multiple keys.
-audit-non-hmac-response-keys=<string>
Response data keys excluded from HMAC in audit logs. Use multiple times for multiple keys.
-default-lease-ttl=<duration>
Default lease TTL for this secrets engine. Uses duration format (e.g., 30m, 12h).
-description=<string>
Updates the human-readable description of the mount.
-listing-visibility=<string>
Controls mount visibility in the UI. Options: "unauth", "hidden". Empty value keeps the current setting.
-max-lease-ttl=<duration>
Maximum lease TTL for the secrets engine. Can override global vHSM settings.
-passthrough-request-headers=<string>
Headers forwarded to the secrets engine. Multiple keys can be specified separately.
-allowed-managed-keys=<string>
Specifies which managed key(s) the mount can access. Use a comma-separated list or multiple instances of the flag.
-plugin-version=<string>
Sets the plugin version for the mount. The mount must be reloaded for changes to take effect.
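The options above can be checked before a change is applied. The following is an added example, not part of the vHSM documentation or tooling: it reviews a planned vhsm secrets tune argument list for non-HMAC audit keys whose names suggest secret material, a default lease TTL larger than the maximum, and listing-visibility values other than those listed above. The function names, the sensitive-name pattern and the single-unit duration parsing (s, m, h) are assumptions made for this example.

```python
import re

# Assumption: name fragments that suggest a field carries secret material.
SENSITIVE = re.compile(r"pass(word|wd)?|secret|token|private_key|credential", re.I)
UNITS = {"s": 1, "m": 60, "h": 3600}
VISIBILITY = {"unauth", "hidden", ""}  # values listed on this page


def to_seconds(value):
    """Convert a single-unit duration such as 30m or 12h to seconds."""
    m = re.fullmatch(r"(\d+)([smh])", value)
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2)]


def parse_flags(argv):
    """Collect -name=value flags; repeated flags accumulate in a list."""
    flags = {}
    for arg in argv:
        if not arg.startswith("-") or "=" not in arg:
            continue  # path argument or other non-flag token
        name, value = arg.lstrip("-").split("=", 1)
        flags.setdefault(name, []).append(value)
    return flags


def review_tune(argv):
    """Return a list of findings for a planned `vhsm secrets tune` call."""
    flags, findings = parse_flags(argv), []
    for side in ("request", "response"):
        for key in flags.get(f"audit-non-hmac-{side}-keys", []):
            if SENSITIVE.search(key):
                findings.append(f"{side} key '{key}' would be logged without HMAC")
    default, maximum = flags.get("default-lease-ttl"), flags.get("max-lease-ttl")
    if default and maximum and to_seconds(default[-1]) > to_seconds(maximum[-1]):
        findings.append("default-lease-ttl exceeds max-lease-ttl")
    for vis in flags.get("listing-visibility", []):
        if vis not in VISIBILITY:
            findings.append(f"listing-visibility '{vis}' is not a documented value")
    return findings


# Constructed sample invocation (not one of the page's own examples).
SAMPLE = ["-default-lease-ttl=12h", "-max-lease-ttl=30m",
          "-audit-non-hmac-request-keys=common_name",
          "-audit-non-hmac-request-keys=private_key",
          "-listing-visibility=public", "pki/"]

if __name__ == "__main__":
    for finding in review_tune(SAMPLE):
        print("FINDING:", finding)
```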