{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://catalog.lintel.tools/schemas/schemastore/hashicorp-vault/latest.json", "title": "vault configuration", "description": "A JSON schema for Vault's configuration file.\n", "x-lintel": { "source": "https://www.schemastore.org/vault.json", "sourceSha256": "477708be4c735f7559225876fb237d38c80e80485a3f4012eca4551da773b841", "fileMatch": [ "vault.json", "vault.config.json" ], "parsers": [ "json" ] }, "type": "object", "properties": { "api_addr": { "type": "string", "description": "Specifies the address (full URL) to advertise to other Vault servers in the cluster for client redirection. This can also be provided via the environment variable VAULT_API_ADDR." }, "cache_size": { "type": "string", "description": "Specifies the size of the read cache used by the physical storage subsystem. The value is in number of entries, so the total cache size depends on the size of stored entries.", "default": "131072" }, "cluster_addr": { "type": "string", "description": "Specifies the address to advertise to other Vault servers in the cluster for request forwarding. This can also be provided via the environment variable VAULT_CLUSTER_ADDR." }, "cluster_name": { "type": "string", "description": "Specifies a human-readable identifier for the Vault cluster. If omitted, Vault will generate a value." }, "default_lease_ttl": { "type": "string", "description": "Specifies the default lease duration for tokens and secrets. This is specified using a label suffix like '30s' or '1h'.", "default": "768h" }, "default_max_request_duration": { "type": "string", "description": "Specifies the default maximum request duration allowed before Vault cancels the request.", "default": "90s" }, "detect_deadlocks": { "type": "string", "description": "A comma separated string that specifies the internal mutex locks that should be monitored for potential deadlocks." }, "disable_cache": { "type": "boolean", "description": "Disables all caches within Vault, including the read cache used by the physical storage subsystem.", "default": false }, "disable_clustering": { "type": "boolean", "description": "Specifies whether clustering features such as request forwarding are enabled.", "default": false }, "disable_mlock": { "type": "boolean", "description": "Stops Vault from executing the mlock syscall, which prevents memory from being swapped to disk. This can also be provided via the environment variable VAULT_DISABLE_MLOCK." }, "ha_storage": { "$ref": "#/$defs/storageBackend" }, "introspection_endpoint": { "type": "boolean", "description": "Enables the sys/internal/inspect endpoint which allows users with a root token or sudo privileges to inspect certain subsystems inside Vault.", "default": false }, "listener": { "type": "array", "items": { "type": "object", "oneOf": [ { "title": "tcp listener", "type": "object", "properties": { "tcp": { "type": "object", "properties": { "address": { "type": "string", "description": "Specifies the address to bind to for listening. Can be a go-sockaddr template.", "default": "127.0.0.1:8200" }, "cluster_address": { "type": "string", "description": "Specifies the address to bind to for cluster server-to-server requests. Defaults to one port higher than address.", "default": "127.0.0.1:8201" }, "max_request_duration": { "type": "string", "description": "Maximum request duration before Vault cancels the request.", "default": "90s" }, "max_request_size": { "type": "integer", "description": "Maximum allowed request size in bytes.", "default": 33554432 }, "tls_disable": { "type": "boolean", "description": "Specifies if TLS will be disabled.", "default": false }, "tls_cert_file": { "type": "string", "description": "Path to the PEM-encoded certificate file for TLS." }, "tls_key_file": { "type": "string", "description": "Path to the PEM-encoded private key file for TLS." }, "tls_min_version": { "description": "Minimum supported version of TLS", "default": "tls12", "oneOf": [ { "const": "tls10", "description": "Use TLS 1.0." }, { "const": "tls11", "description": "Use TLS 1.1." }, { "const": "tls12", "description": "Use TLS 1.2." }, { "const": "tls13", "description": "Use TLS 1.3." } ] }, "tls_max_version": { "description": "Maximum supported version of TLS", "default": "tls13", "oneOf": [ { "const": "tls10", "description": "Use TLS 1.0." }, { "const": "tls11", "description": "Use TLS 1.1." }, { "const": "tls12", "description": "Use TLS 1.2." }, { "const": "tls13", "description": "Use TLS 1.3." } ] }, "tls_client_ca_file": { "type": "string", "description": "PEM-encoded Certificate Authority file for client authentication." }, "telemetry": { "type": "object", "properties": { "unauthenticated_metrics_access": { "type": "boolean", "description": "Allows unauthenticated access to the /v1/sys/metrics endpoint.", "default": false } } } }, "required": [ "address" ] } }, "required": [ "tcp" ] }, { "title": "unix socket listener", "type": "object", "properties": { "unix": { "type": "object", "properties": { "address": { "type": "string", "description": "Specifies the path to bind the Unix socket.", "default": "/run/vault.sock" }, "socket_mode": { "type": "string", "description": "Access permissions for the Unix socket." }, "socket_user": { "type": "string", "description": "User owner of the Unix socket." }, "socket_group": { "type": "string", "description": "Group owner of the Unix socket." } }, "required": [ "address" ] } }, "required": [ "unix" ] } ] } }, "log_level": { "description": "Specifies the log verbosity level", "default": "info", "oneOf": [ { "const": "trace", "description": "Show trace-level logs." }, { "const": "debug", "description": "Show debug-level logs." }, { "const": "info", "description": "Show info-level logs." }, { "const": "warn", "description": "Show warning-level logs." }, { "const": "error", "description": "Show error-level logs." } ] }, "max_lease_ttl": { "type": "string", "description": "Specifies the maximum possible lease duration for tokens and secrets.", "default": "768h" }, "pid_file": { "type": "string", "description": "Path to the file in which the Vault server's Process ID (PID) should be stored." }, "plugin_directory": { "type": "string", "description": "A directory from which plugins are allowed to be loaded." }, "raw_storage_endpoint": { "type": "boolean", "description": "Enables the sys/raw endpoint which allows the decryption/encryption of raw data into and out of the security barrier.", "default": false }, "seal": { "type": "array", "items": { "type": "object", "oneOf": [ { "title": "aws kms seal", "type": "object", "properties": { "awskms": { "type": "object", "properties": { "region": { "type": "string", "description": "The AWS region." }, "kms_key_id": { "type": "string", "description": "The KMS key ID to use." } } } } }, { "title": "azure key vault seal", "type": "object", "properties": { "azurekeyvault": { "type": "object", "properties": { "tenant_id": { "type": "string", "description": "The Azure tenant ID." }, "client_id": { "type": "string", "description": "The Azure client ID." }, "client_secret": { "type": "string", "description": "The Azure client secret." }, "vault_name": { "type": "string", "description": "The Key Vault name." }, "key_name": { "type": "string", "description": "The key name to use." } } } } }, { "title": "gcp ckms seal", "type": "object", "properties": { "gcpckms": { "type": "object", "properties": { "project": { "type": "string", "description": "The GCP project ID." }, "region": { "type": "string", "description": "The GCP region." }, "key_ring": { "type": "string", "description": "The KMS key ring." }, "crypto_key": { "type": "string", "description": "The KMS crypto key." } } } } }, { "title": "pkcs11 seal", "type": "object", "properties": { "pkcs11": { "type": "object", "properties": { "lib": { "type": "string", "description": "The path to the PKCS#11 library." }, "slot": { "type": "string", "description": "The slot number to use." }, "pin": { "type": "string", "description": "The user PIN." } }, "required": [ "lib", "slot", "pin" ] } } } ] } }, "storage": { "$ref": "#/$defs/storageBackend" }, "telemetry": { "type": "object", "properties": { "prometheus_retention_time": { "type": "string", "description": "Specifies the retention time for Prometheus metrics.", "default": "0" }, "disable_hostname": { "type": "boolean", "description": "If true, the hostname will not be prefixed to metrics.", "default": false }, "dogstatsd_addr": { "type": "string", "description": "The address of a DogStatsD agent." } } }, "ui": { "type": "boolean", "description": "Enables the built-in web UI.", "default": false } }, "required": [ "storage", "listener", "disable_mlock" ], "$defs": { "storageBackend": { "type": "object", "oneOf": [ { "title": "in-memory storage", "type": "object", "properties": { "inmemory": { "type": "object", "description": "The In-Memory storage backend is used for storing all Vault data in-memory on the Vault node. It requires no other configuration." } }, "required": [ "inmemory" ] }, { "title": "file storage backend", "type": "object", "properties": { "file": { "type": "object", "properties": { "path": { "type": "string", "description": "The absolute path on disk to the directory where the data will be stored. If the directory does not exist, Vault will create it." } }, "required": [ "path" ] } }, "required": [ "file" ] }, { "title": "raft storage backend", "type": "object", "properties": { "raft": { "type": "object", "properties": { "path": { "type": "string", "description": "The file system path where all the Vault data gets stored. This value can be overridden by setting the VAULT_RAFT_PATH environment variable." }, "node_id": { "type": "string", "description": "The identifier for the node in the Raft cluster. You can override node_id with the VAULT_RAFT_NODE_ID environment variable. When VAULT_RAFT_NODE_ID is unset, Vault assigns a random GUID during initialization and writes the value to data/node-id in the directory specified by the path parameter." }, "performance_multiplier": { "type": "integer", "description": "An integer multiplier used by servers to scale key Raft timing parameters. 1 = 1-2s delay, 3 = 3-6s delay. Default is 5. Max 10.", "default": 5 }, "trailing_logs": { "type": "integer", "description": "This controls how many log entries are left in the log store on disk after a snapshot is made. Default is 10000.", "default": 10000 }, "snapshot_threshold": { "type": "integer", "description": "This controls the minimum number of Raft commit entries between snapshots that are saved to disk. Default is 8192.", "default": 8192 }, "snapshot_interval": { "type": "string", "description": "The snapshot interval controls how often Raft checks whether a snapshot operation is required. Default is '120s'", "default": "120s" }, "max_entry_size": { "type": "integer", "description": "This configures the maximum number of bytes for a Raft entry. Default is 1048576.", "default": 1048576 } }, "required": [ "path" ] } }, "required": [ "raft" ] }, { "title": "consul storage backend", "type": "object", "properties": { "consul": { "type": "object", "properties": { "address": { "type": "string", "description": "Specifies the address of the Consul agent to communicate with. Default is '127.0.0.1:8500'", "default": "127.0.0.1:8500" }, "path": { "type": "string", "description": "Specifies the path in Consul's key-value store where Vault data will be stored. Default is 'vault/'", "default": "vault/" }, "check_timeout": { "type": "string", "description": "Specifies the check interval used to send health check information back to Consul. Default is '5s'", "default": "5s" }, "consistency_mode": { "description": "Specifies the Consul consistency mode", "default": "default", "oneOf": [ { "const": "default", "description": "Use Consul's default consistency mode." }, { "const": "strong", "description": "Use Consul's strong consistency mode." } ] }, "disable_registration": { "type": "boolean", "description": "Specifies whether Vault should register itself with Consul. Default is false", "default": false }, "max_parallel": { "type": "string", "description": "Specifies the maximum number of concurrent requests to Consul. Default is '128'", "default": "128" }, "scheme": { "description": "Specifies the scheme to use when communicating with Consul", "default": "http", "oneOf": [ { "const": "http", "description": "Use the HTTP scheme." }, { "const": "https", "description": "Use the HTTPS scheme." } ] }, "service": { "type": "string", "description": "Specifies the name of the service to register in Consul. Default is 'vault'", "default": "vault" }, "service_tags": { "type": "string", "description": "A comma-separated list of tags to attach to the service registration in Consul." }, "service_address": { "type": "string", "description": "Specifies a service-specific address to set on the service registration in Consul." }, "token": { "type": "string", "description": "Specifies the Consul ACL token with permission to read and write from the path in Consul's key-value store." }, "session_ttl": { "type": "string", "description": "Specifies the minimum allowed session TTL. Default is '15s'", "default": "15s" }, "lock_wait_time": { "type": "string", "description": "Specifies the wait time before a lock acquisition is made. Default is '15s'", "default": "15s" }, "tls_ca_file": { "type": "string", "description": "Specifies the path to the CA certificate used for Consul communication." }, "tls_cert_file": { "type": "string", "description": "Specifies the path to the certificate for Consul communication." }, "tls_key_file": { "type": "string", "description": "Specifies the path to the private key for Consul communication." }, "tls_min_version": { "description": "Specifies the minimum TLS version to use", "default": "tls12", "oneOf": [ { "const": "tls10", "description": "Use TLS 1.0." }, { "const": "tls11", "description": "Use TLS 1.1." }, { "const": "tls12", "description": "Use TLS 1.2." }, { "const": "tls13", "description": "Use TLS 1.3." } ] }, "tls_skip_verify": { "type": "boolean", "description": "Disable verification of TLS certificates. Default is false.", "default": false } } } }, "required": [ "consul" ] }, { "title": "s3 storage backend", "type": "object", "properties": { "s3": { "type": "object", "properties": { "bucket": { "type": "string", "description": "Specifies the name of the S3 bucket." }, "endpoint": { "type": "string", "description": "Specifies an alternative, AWS compatible, S3 endpoint." }, "region": { "type": "string", "description": "Specifies the AWS region. Default is 'us-east-1'.", "default": "us-east-1" }, "access_key": { "type": "string", "description": "Specifies the AWS access key." }, "secret_key": { "type": "string", "description": "Specifies the AWS secret key." }, "session_token": { "type": "string", "description": "Specifies the AWS session token." }, "max_parallel": { "type": "string", "description": "Specifies the maximum number of concurrent requests to S3. Default is '128'", "default": "128" }, "s3_force_path_style": { "type": "boolean", "description": "Specifies whether to use host bucket style domains with the configured endpoint. Default is false.", "default": false }, "disable_ssl": { "type": "boolean", "description": "Specifies if SSL should be used for the endpoint connection. Default is false.", "default": false }, "kms_key_id": { "type": "string", "description": "Specifies the ID or Alias of the KMS key used to encrypt data in the S3 backend." }, "path": { "type": "string", "description": "Specifies the path in the S3 Bucket where Vault data will be stored." } }, "required": [ "bucket" ] } }, "required": [ "s3" ] } ] } } }