vhsm secrets disable

Learn to disable a secrets engine at a specified path.

This command disables a secrets engine at a specified PATH. The argument corresponds to the enabled PATH of the engine, not the TYPE.

Disabling a secrets engine results in:

  • Immediate revocation of all secrets created by the engine.

  • Removal of vHSM data associated with the engine.

Note: If the secrets engine has a large number of secrets, the revocation process can cause high system load.

Usage

vhsm secrets disable <path>

Example

Disable the secrets engine enabled at aws/

vhsm secrets disable aws/

Force Disable

If revocation errors occur, the secrets engine may not be disabled. Possible solutions:

  1. Identify the issue and attempt to disable the engine after fixing it.

  2. Increase the timeout if the failure is due to timeout errors.

  3. Force disable in extreme cases:

    • Perform a prefix force revoke on the mount prefix.

    • Run vhsm secrets disable <path> after the revoke completes.

    • This may lead to dangling credentials if secrets are not manually removed from the backing service.
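The force-disable sequence above, written out as a small POSIX shell wrapper. This is an added example, not part of the vhsm documentation or CLI: the only command taken from this page is vhsm secrets disable <path>; the prefix force-revoke is assumed to be exposed Vault-style as vhsm lease revoke -force -prefix <path>, so check that against your vhsm build before relying on it. The wrapper only escalates to the force path after a normal disable has failed, and finishes by reminding the operator that any credentials the engine issued must still be cleaned up in the backing service.

```shell
#!/bin/sh
# Added example (not vhsm's own tooling). Assumes:
#   - `vhsm secrets disable <path>` as documented on this page
#   - a prefix force-revoke exposed as `vhsm lease revoke -force -prefix <path>`
#     (Vault-style flags; an assumption, verify with `vhsm lease revoke -help`)
set -u

VHSM="${VHSM:-vhsm}"

# disable_engine PATH
# Plain disable; returns the CLI's exit status so callers can tell success from failure.
disable_engine() {
  path="$1"
  "$VHSM" secrets disable "$path"
}

# force_disable_engine PATH
# 1. try a normal disable and stop there if it succeeds
# 2. otherwise force-revoke every lease under the mount prefix (assumed command)
# 3. retry the disable once the revoke has completed
force_disable_engine() {
  path="$1"
  if disable_engine "$path"; then
    echo "disabled $path cleanly"
    return 0
  fi
  echo "normal disable of $path failed; forcing prefix revoke" >&2
  "$VHSM" lease revoke -force -prefix "$path" || return 1
  disable_engine "$path" || return 1
  # A force revoke drops leases from vHSM state without contacting the backend,
  # so credentials it issued may still be live there (dangling credentials).
  echo "WARNING: $path was force-disabled; remove its credentials from the backing service by hand" >&2
  return 0
}

# Usage: ./force_disable.sh aws/
if [ "${1:-}" != "" ]; then
  force_disable_engine "$1"
fi
```

Run it as ./force_disable.sh aws/ with VHSM pointing at the vhsm binary if it is not on PATH. Because the force path is taken only after the plain disable fails, the script is safe to use as the default way of disabling an engine; it just never silently skips the revoke step.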
