Vaultx.Sys.Mounts (Vaultx v0.7.0)
Comprehensive HashiCorp Vault secrets engine mount management.
This module provides enterprise-grade mount management capabilities for Vault secrets engines, supporting all mount operations including creation, configuration, tuning, and removal of secrets engines with comprehensive enterprise features.
Mount Management Features
Core Operations
- List Mounts: Retrieve all mounted secrets engines
- Enable Mount: Create new secrets engine mounts
- Disable Mount: Remove existing secrets engine mounts
- Get Mount: Retrieve specific mount configuration
- Tune Mount: Modify mount configuration parameters
Configuration Management
- TTL Configuration: Default and maximum lease TTL settings
- Caching Control: Force no-cache and performance tuning
- Audit Configuration: HMAC key management for audit devices
- Plugin Management: Plugin version and runtime configuration
- Security Settings: Seal wrap and entropy access control
Enterprise Features
- Namespace Support: Multi-tenant mount management
- Local Mounts: Replication-aware mount configuration
- Managed Keys: Enterprise key management integration
- Delegated Auth: Authentication delegation configuration
API Compliance
Fully implements HashiCorp Vault Mounts API:
Usage Examples
List All Mounts
{:ok, mounts} = Vaultx.Sys.Mounts.list()
mounts["secret/"].type #=> "kv"
mounts["secret/"].config.max_lease_ttl #=> 0
Enable New Secrets Engine
{:ok, _} = Vaultx.Sys.Mounts.enable("my-kv", %{
  type: "kv",
  description: "My KV store",
  config: %{
    default_lease_ttl: "1h",
    max_lease_ttl: "24h"
  },
  options: %{
    version: "2"
  }
})
Get Mount Configuration
{:ok, mount} = Vaultx.Sys.Mounts.get("secret")
mount.type #=> "kv"
mount.config.max_lease_ttl #=> 0
Tune Mount Configuration
{:ok, _} = Vaultx.Sys.Mounts.tune("secret", %{
  default_lease_ttl: 3600,
  max_lease_ttl: 7200,
  description: "Updated description"
})
Disable Secrets Engine
{:ok, _} = Vaultx.Sys.Mounts.disable("my-kv")
Security Considerations
- Mount operations require appropriate Vault policies
- Disabling mounts revokes all associated secrets and leases
- Use force disable only in recovery situations
- Monitor mount changes through audit logs
- Consider replication implications for local mounts
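The considerations above ask operators to watch for mount changes and to think about local mounts. As an added example (not part of Vaultx or of the original page), the module below diffs two snapshots shaped like the result of Vaultx.Sys.Mounts.list/0 and flags a few settings for review. The module name MountReview, its functions, the choice of checks and the sample data are assumptions made for illustration.

```elixir
defmodule MountReview do
  # Added example, not part of Vaultx. Works on maps shaped like the
  # result of Vaultx.Sys.Mounts.list/0 (mount path => mount_info()).

  # Fields whose change between two snapshots should be reviewed. Vault assigns
  # the accessor when a mount is created, so a new value at an unchanged path
  # suggests the engine was disabled and re-enabled.
  @watched [:type, :accessor, :local, :seal_wrap, :external_entropy_access, :running_sha256]

  # Compare a trusted baseline snapshot against the current one.
  def diff(baseline, current) do
    changed =
      for {path, new} <- current,
          {:ok, old} <- [Map.fetch(baseline, path)],
          field <- @watched,
          Map.get(old, field) != Map.get(new, field),
          do: {path, field, Map.get(old, field), Map.get(new, field)}

    %{
      added: Enum.sort(Map.keys(current) -- Map.keys(baseline)),
      removed: Enum.sort(Map.keys(baseline) -- Map.keys(current)),
      changed: Enum.sort(changed)
    }
  end

  # Flag settings in a single snapshot that deserve a closer look.
  def findings(mounts) do
    for {path, m} <- mounts, {flag, true} <- checks(m), do: {path, flag}
  end

  defp checks(m) do
    [
      local_mount: Map.get(m, :local, false),
      external_entropy: Map.get(m, :external_entropy_access, false),
      deprecated: Map.get(m, :deprecation_status, "supported") != "supported"
    ]
  end
end

# Constructed sample snapshots (accessor values are made up).
kv = %{type: "kv", accessor: "kv_aaaa1111", local: false, seal_wrap: false,
       external_entropy_access: false, running_sha256: ""}
baseline = %{"secret/" => kv}
current = %{
  "secret/" => %{kv | accessor: "kv_bbbb2222"},
  "scratch/" => %{kv | accessor: "kv_cccc3333", local: true}
}

IO.inspect(MountReview.diff(baseline, current), label: "diff")
IO.inspect(MountReview.findings(current), label: "findings")
```

In practice the baseline would be a stored copy of an earlier list/0 result, and any entry under added, removed or changed would be matched against the corresponding audit log record.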
Summary
Functions
Disables the secrets engine at the specified path.
Enables a new secrets engine at the specified path.
Gets the configuration of a specific secrets engine.
Lists all mounted secrets engines.
Moves an existing mount to a new path.
Tunes configuration parameters for a mounted secrets engine.
Types
@type mount_config() :: %{
  optional(:default_lease_ttl) => String.t() | non_neg_integer(),
  optional(:max_lease_ttl) => String.t() | non_neg_integer(),
  optional(:force_no_cache) => boolean(),
  optional(:audit_non_hmac_request_keys) => [String.t()],
  optional(:audit_non_hmac_response_keys) => [String.t()],
  optional(:listing_visibility) => String.t(),
  optional(:passthrough_request_headers) => [String.t()],
  optional(:allowed_response_headers) => [String.t()],
  optional(:plugin_version) => String.t(),
  optional(:allowed_managed_keys) => [String.t()],
  optional(:delegated_auth_accessors) => [String.t()],
  optional(:identity_token_key) => String.t()
}
Mount configuration options.
@type mount_enable_opts() :: %{
  :type => String.t(),
  optional(:description) => String.t(),
  optional(:config) => mount_config(),
  optional(:options) => map(),
  optional(:local) => boolean(),
  optional(:seal_wrap) => boolean(),
  optional(:external_entropy_access) => boolean()
}
Mount enable options.
@type mount_info() :: %{
  :accessor => String.t(),
  :config => map(),
  :description => String.t(),
  :external_entropy_access => boolean(),
  :local => boolean(),
  :options => map() | nil,
  :plugin_version => String.t(),
  :running_plugin_version => String.t(),
  :running_sha256 => String.t(),
  :seal_wrap => boolean(),
  :type => String.t(),
  :uuid => String.t(),
  optional(:deprecation_status) => String.t()
}
Mount information structure.
Functions
@spec disable(String.t(), Vaultx.Types.options()) :: {:ok, Vaultx.Types.response()} | {:error, Vaultx.Base.Error.t()}
Disables the secrets engine at the specified path.
Parameters
- path - The mount path to disable
Examples
{:ok, _} = Vaultx.Sys.Mounts.disable("my-kv")
@spec enable(String.t(), mount_enable_opts(), Vaultx.Types.options()) :: {:ok, Vaultx.Types.response()} | {:error, Vaultx.Base.Error.t()}
Enables a new secrets engine at the specified path.
Parameters
- path - The mount path for the secrets engine
- mount_opts - Mount configuration options
Examples
{:ok, _} = Vaultx.Sys.Mounts.enable("my-kv", %{
  type: "kv",
  description: "My KV store",
  options: %{version: "2"}
})
@spec get(String.t(), Vaultx.Types.options()) :: {:ok, mount_info()} | {:error, Vaultx.Base.Error.t()}
Gets the configuration of a specific secrets engine.
Parameters
- path - The mount path to retrieve
Examples
{:ok, mount} = Vaultx.Sys.Mounts.get("secret")
mount.type #=> "kv"
@spec list(Vaultx.Types.options()) :: {:ok, %{required(String.t()) => mount_info()}} | {:error, Vaultx.Base.Error.t()}
Lists all mounted secrets engines.
Returns a map of mount paths to their configuration details.
Examples
{:ok, mounts} = Vaultx.Sys.Mounts.list()
mounts["secret/"].type #=> "kv"
@spec remount(String.t(), String.t(), Vaultx.Types.options()) :: {:ok, Vaultx.Types.response()} | {:error, Vaultx.Base.Error.t()}
Moves an existing mount to a new path.
This operation is also known as "remount" and allows moving a secrets engine from one path to another. All secrets and leases are preserved during the move.
Parameters
- from_path - The current mount path
- to_path - The new mount path
Examples
{:ok, _} = Vaultx.Sys.Mounts.remount("old-path", "new-path")
@spec tune(String.t(), mount_config(), Vaultx.Types.options()) :: {:ok, Vaultx.Types.response()} | {:error, Vaultx.Base.Error.t()}
Tunes configuration parameters for a mounted secrets engine.
Parameters
- path - The mount path to tune
- tune_opts - Tuning configuration options
Examples
{:ok, _} = Vaultx.Sys.Mounts.tune("secret", %{
  default_lease_ttl: 3600,
  max_lease_ttl: 7200,
  description: "Updated description"
})