Vault
/sys/policies/rotation/
Enterprise
Appropriate Vault Enterprise license required
Use the /sys/policies/rotation/ endpoints to manage
rotation policies in Vault. Not all plugins use rotation
policies. Check the plugin documentation to determine compatibility with rotation policies.
See the automated credential rotation documentation for more general information on how Vault uses rotation policies to manage automated credential rotation.
Create/Update rotation policy
Add or update a rotation policy. You may not see policy updates reflected immediately on all associated rotation entries. Refer to the rotation policy usage docs for more details.
| Method | Path |
|---|---|
| POST | /sys/policies/rotation/:name |
Path parameters
name (string: <required>) – Specifies the name of the rotation policy to create.
Request parameters
max_retries_per_cycle (int: <required>) - The maximum number of times Vault Enterprise should apply backoff for rotation entries after a rotation failure.
max_retry_cycles (int: <required>) - The maximum number of times Vault Enterprise should requeue rotation entries after reaching the max_retries_per_cycle limit. Vault Enterprise requeues rotation entries to their next scheduled rotation.
Sample payload
{
  "max_retry_cycles": 3,
  "max_retries_per_cycle": 3
}
Sample request
$ vault write sys/policies/rotation/my-policy \
    max_retry_cycles=3 \
    max_retries_per_cycle=3
Read rotation policy
Retrieve information about the named rotation policy.
| Method | Path |
|---|---|
| GET | /sys/policies/rotation/:name |
Path parameters
name (string: <required>) – Specifies the name of the rotation policy to retrieve.
Sample request
$ curl \
    --header "X-Vault-Token: ${VAULT_TOKEN}" \
    ${VAULT_ADDR}/v1/sys/policies/rotation/my-policy
Sample response
{
  "max_retries_per_cycle": 3,
  "max_retry_cycles": 3
}
Delete rotation policy
Delete the named rotation policy. Be aware that Vault deletes the policy without confirming whether a plugin currently uses it. Revert plugins to their default behavior or move them to a different policy before deleting the target policy.
| Method | Path |
|---|---|
| DELETE | /sys/policies/rotation/:name |
Path parameters
name (string: <required>) – Specifies the name of the rotation policy to delete.
Sample request
$ curl \
    --header "X-Vault-Token: ${VAULT_TOKEN}" \
    --request DELETE \
    ${VAULT_ADDR}/v1/sys/policies/rotation/my-policy