From 48358978d388878eefcdeebfaeff79062f06a7f3 Mon Sep 17 00:00:00 2001 From: Mia Epner Date: Fri, 29 Aug 2025 12:50:09 +0200 Subject: [PATCH 1/2] update docs for database recovers --- .../api-docs/secret/databases/index.mdx | 46 +++++++++++++++++++ .../snapshots/restore-secret-support.mdx | 10 ++-- 2 files changed, 52 insertions(+), 4 deletions(-) diff --git a/content/vault/v1.21.x (rc)/content/api-docs/secret/databases/index.mdx b/content/vault/v1.21.x (rc)/content/api-docs/secret/databases/index.mdx index 3e3800c233..965fc03e87 100644 --- a/content/vault/v1.21.x (rc)/content/api-docs/secret/databases/index.mdx +++ b/content/vault/v1.21.x (rc)/content/api-docs/secret/databases/index.mdx @@ -643,6 +643,7 @@ This endpoint queries the static role definition. - `name` `(string: )` – Specifies the name of the static role to read. This is specified as part of the URL. +- `read_snapshot_id` `(string: )` - Query parameter specifying the ID of a snapshot previously loaded into Vault that contains secrets at the provided path. ### Sample request @@ -652,6 +653,14 @@ $ curl \ http://127.0.0.1:8200/v1/database/static-roles/my-static-role ``` +To read the role from a loaded snapshot with ID 2403d301-94f2-46a1-a39d-02be83e2831a: + +```shell-session +$ curl \ + --header "X-Vault-Token: ..." \ + http://127.0.0.1:8200/v1/database/static-roles/my-static-role?read_snapshot_id=2403d301-94f2-46a1-a39d-02be83e2831a +``` + ### Sample response with rotation period ```json @@ -696,6 +705,10 @@ returned, not any values. | :----- | :----------------------- | | `LIST` | `/database/static-roles` | +### Parameters + +- `read_snapshot_id` `(string: )` - Query parameter specifying the ID of a snapshot previously loaded into Vault that contains secrets at the provided path. + ### Sample request ```shell-session 
@@ -704,7 +717,13 @@ $ curl \ --request LIST \ http://127.0.0.1:8200/v1/database/static-roles ``` +To list the roles from a loaded snapshot with ID 2403d301-94f2-46a1-a39d-02be83e2831a: +$ curl \ + --header "X-Vault-Token: ..." \ + --request LIST \ + https://127.0.0.1:8200/v1/database/static-roles?read_snapshot_id=2403d301-94f2-46a1-a39d-02be83e2831a +``` ### Sample response ```json @@ -716,6 +735,33 @@ $ curl \ } ``` +## Recover static role + +[Recover](/vault/docs/concepts/integrated-storage/snapshot-recover) a role at the specified location from the given loaded snapshot. + +~> The static role can only be recovered if the role doesn't already exist in the live cluster. A static role cannot be updated via a recover operation. + +| Method | Path | +|:-------|:-------------------------------| +| `POST` | `/database/static-roles/:name` | + +### Query parameters + +- `name` `(string: )` – Specifies the name of the static role to read. +This is specified as part of the URL. +- `recover_snapshot_id` `(string: )` - The ID of a snapshot previously loaded into Vault that contains the role at the provided path. +- `recover_source_path` `(string: )` - The source path in the snapshot to recover from. If not provided, defaults to the request path. + +### Sample request + +```shell-session +$ curl \ + --header "X-Vault-Token: ..." \ + --request POST \ + --get --data-urlencode "recover_source_path=database/static-roles/my-old-role" \ + https://127.0.0.1:8200/v1/database/static-roles/my-role?recover_snapshot_id=2403d301-94f2-46a1-a39d-02be83e2831a +``` + ## Delete static role This endpoint deletes the static role definition. The user, having been defined externally, diff --git a/content/vault/v1.21.x (rc)/content/partials/sysadmin/snapshots/restore-secret-support.mdx b/content/vault/v1.21.x (rc)/content/partials/sysadmin/snapshots/restore-secret-support.mdx index 3197cff564..a15afddbb4 100644 
--- a/content/vault/v1.21.x (rc)/content/partials/sysadmin/snapshots/restore-secret-support.mdx +++ b/content/vault/v1.21.x (rc)/content/partials/sysadmin/snapshots/restore-secret-support.mdx @@ -1,4 +1,6 @@ -Plugin | Path | Supported snapshot operations | Vault version ---------- | --------------- | ----------------------------- | -------------- -cubbyhole | `/:secret_name` | `recover`, `read`, `list` | 1.20.0 -kv (v1) | `/:secret_name` | `recover`, `read`, `list` | 1.20.0 \ No newline at end of file +| Plugin | Path | Supported snapshot operations | Vault version | +|-----------|----------------------------|-------------------------------|---------------| +| cubbyhole | `/:secret_name` | `recover`, `read`, `list` | 1.20.0 | +| kv (v1) | `/:secret_name` | `recover`, `read`, `list` | 1.20.0 | +| databases | `/static-roles/:role_name` | `recover`, `read`, `list` | 1.20.4 | +| databases | `/static-creds/:role_name` | `read` | 1.20.4 | \ No newline at end of file From 6416720b5d23ef0a5a98fa832250550aa1c6347a Mon Sep 17 00:00:00 2001 From: Mia Epner Date: Fri, 29 Aug 2025 12:53:23 +0200 Subject: [PATCH 2/2] add static cred read --- .../content/api-docs/secret/databases/index.mdx | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/content/vault/v1.21.x (rc)/content/api-docs/secret/databases/index.mdx b/content/vault/v1.21.x (rc)/content/api-docs/secret/databases/index.mdx index 965fc03e87..3620ded4fd 100644 --- a/content/vault/v1.21.x (rc)/content/api-docs/secret/databases/index.mdx +++ b/content/vault/v1.21.x (rc)/content/api-docs/secret/databases/index.mdx 
@@ -643,7 +643,7 @@ This endpoint queries the static role definition. - `name` `(string: )` – Specifies the name of the static role to read. This is specified as part of the URL. -- `read_snapshot_id` `(string: )` - Query parameter specifying the ID of a snapshot previously loaded into Vault that contains secrets at the provided path. +- `read_snapshot_id` `(string: )` - Query parameter specifying the ID of a snapshot previously loaded into Vault that contains the role at the provided path. ### Sample request @@ -658,7 +658,7 @@ To read the role from a loaded snapshot with ID 2403d301-94f2-46a1-a39d-02be83e2 ```shell-session $ curl \ --header "X-Vault-Token: ..." \ - http://127.0.0.1:8200/v1/database/static-roles/my-static-role?read_snapshot_id=2403d301-94f2-46a1-a39d-02be83e2831a + http://127.0.0.1:8200/v1/database/static-roles/my-static-role?read_s ``` ### Sample response with rotation period @@ -707,7 +707,7 @@ returned, not any values. ### Parameters -- `read_snapshot_id` `(string: )` - Query parameter specifying the ID of a snapshot previously loaded into Vault that contains secrets at the provided path. +- `read_snapshot_id` `(string: )` - Query parameter specifying the ID of a snapshot previously loaded into Vault that contains the roles at the provided path. ### Sample request @@ -797,6 +797,7 @@ This endpoint returns the current credentials based on the named static role. - `name` `(string: )` – Specifies the name of the static role to get credentials for. This is specified as part of the URL. +- `read_snapshot_id` `(string: )` - Query parameter specifying the ID of a snapshot previously loaded into Vault that contains credentials at the provided path. ### Sample request 
@@ -806,6 +807,14 @@ $ curl \ http://127.0.0.1:8200/v1/database/static-creds/my-static-role ``` +To read the credentials from a loaded snapshot with ID 2403d301-94f2-46a1-a39d-02be83e2831a: + +```shell-session +$ curl \ + --header "X-Vault-Token: ..." \ + http://127.0.0.1:8200/v1/database/static-creds/my-static-role?read_snapshot_id=2403d301-94f2-46a1-a39d-02be83e2831a +``` + ### Sample response with rotation period ```json
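Review bot: in PATCH 1/2, hunk `@@ -704,7 +717,13 @@` of api-docs/secret/databases/index.mdx, the added list example is missing its opening fence. The sentence "To list the roles from a loaded snapshot ..." is followed directly by `$ curl \` and only a closing fence is added, so that fence opens a new block and swallows the `### Sample response` heading that follows. Add a blank line after the preceding closing fence and a `shell-session` opening fence before `$ curl \`, as the read example in the previous hunk does. The URL here also uses `https://127.0.0.1:8200` while the existing samples in this file use `http://`; pick one.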
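Review bot: in PATCH 1/2, hunk `@@ -716,6 +735,33 @@` (the new "Recover static role" section), `name` is listed under `### Query parameters` although its own description says it is part of the URL, and that description still reads "the static role to read", apparently copied from the read endpoint. Suggest renaming the heading to `### Parameters` (or splitting path and query parameters) and changing the text to "the static role to recover". The sample request also passes `recover_source_path` through `--get --data-urlencode` and `recover_snapshot_id` in the URL string; passing both the same way would be easier to follow.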
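Review bot: in PATCH 1/2, hunk `@@ -1,4 +1,6 @@` of restore-secret-support.mdx, the new `databases` rows name the path parameter `:role_name`, while the API page changed in the same patch documents the path as `/database/static-roles/:name`. Use the same placeholder in both places so readers can match the table to the endpoint docs. The file also still ends with "No newline at end of file"; add the trailing newline while the table is being rewritten.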
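Review bot: in PATCH 2/2, hunk `@@ -658,7 +658,7 @@`, the sample URL is cut off at `?read_s`. The line replaces the complete `?read_snapshot_id=2403d301-94f2-46a1-a39d-02be83e2831a` query string added in PATCH 1/2, which looks like an accidental truncation, and the request as written no longer matches the sentence above it ("To read the role from a loaded snapshot with ID ..."). Restore the full parameter, or drop this hunk if no change to the sample was intended.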
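Review bot: in PATCH 2/2, hunk `@@ -806,6 +807,14 @@`, the added static-creds sample passes a URL containing `?read_snapshot_id=...` to curl unquoted. `?` is a glob character, and shells such as zsh reject the command when the pattern matches no file, so a reader pasting the sample can get an error before curl runs. Wrap the URL in double quotes here and in the other snapshot samples added by this series.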