hashicorp · beagins · Sep 26, 2025 · Sep 24, 2025 · Sep 24, 2025 · Sep 25, 2025
@@ -26,6 +26,9 @@ force_no_cache                  false
 max_lease_ttl                   24h
 ```
 
+<Tabs>
+<Tab heading="CLI" group="cli">
+
 Tune the default lease, exclude `common_name` and `serial_number` from being HMAC'd in the audit log for the PKI secrets engine:
 
 ```shell-session
@@ -49,6 +52,17 @@ Specify multiple audit non-hmac request keys:
 $ vault secrets tune -audit-non-hmac-request-keys=common_name -audit-non-hmac-request-keys=ttl pki/
 ```
 
+</Tab>
+
+<Tab heading="GUI" group="gui">
+
+@include 'alerts/secret-engine-tune-gui-support.mdx'
+
+@include 'plugins/tune-keymgmt-steps.mdx'
+
+</Tab>
+</Tabs>
+
 ## Usage
 
 The following flags are available in addition to the [standard set of

@@ -14,12 +14,13 @@ of unauthorized attacks caused by leaked credentials or tokens. If you do not
 explicitly specify the time-to-live (TTL), Vault generates leases with TTL of 32
 days by default.
 
+
 For example, you enabled AppRole auth method at `approle`, and create a role
 named `read-only` with max lease TTL of **120 days**. 
 
-```shell-session 
+```shell-session
 $ vault write auth/approle/role/read-only token_policies="read-only" \
-    token_ttl=90d token_max_ttl=120d
+  token_ttl=90d token_max_ttl=120d
 ```
 
 The command returns a warning about the TTL exceeding the mount's max TTL value.
@@ -158,6 +159,9 @@ username           v-token-tester-6BtY903qOZBpzYa4yQs8-1724715513
 To set the desired TTL on the role, tune the max lease TTL on the `mongodb`
 mount.
 
+<Tabs>
+<Tab heading="CLI" group="cli">
+
 ```shell-session
 $ vault secrets tune -max-lease-ttl=120d mongodb
 ```
@@ -185,6 +189,16 @@ The following command lists all available parameters that you can tune.
 $ vault secrets tune -h
 ```
 
+</Tab>
+<Tab heading="GUI" group="gui">
+
+@include 'alerts/secret-engine-tune-gui-support.mdx'
+
+@include 'plugins/tune-keymgmt-steps.mdx'
+
+</Tab>
+</Tabs>
+
 When you introduce Vault into your existing system, the existing applications
 may not be able to handle short-lived leases. You can tune the default TTLs
 on each mount. 

@@ -0,0 +1,8 @@
+<Note title="Vault GUI plugin tuning support">
+
+Vault supports configuration updates (tune) on mounted plugins for the
+following:
+
+- `keymgmt`
+
+</Note>
@@ -0,0 +1,16 @@
+To tune a `keymgmt` mount:
+
+1. Navigate to **Secrets Engines** in the Vault GUI.
+
+1. Select a mounted `keymgmt` secrets engine.
+
+1. Click **Manage** in the top navigation bar and select **Configure**.
+
+1. Adjust the settings you want to tune:
+   - **Time-to-live (TTL)** - The default length of time a token or lease is valid for.
+   - **Maximum Time-to-live (TTL)** - The maximum allowed lifetime of tokens and leases.
+   - **Description** - A human-friendly description of the secrets engine mount.
+
+1. Click **Save changes**.
+
+![Tune Keymgmt Secret Engine](/img/ui-tune-keymgmt.png)