Comprehensive and Detailed in Depth Explanation:
Vault’s API provides endpoints for managing its components, including secrets engines, which generate and manage secrets (e.g., AWS, KV, Transit). Managing secrets engines involves enabling, disabling, tuning, or listing them. Let’s evaluate:
Option A: /secret-engines/ is not a valid Vault API endpoint. Vault uses /sys/ for system-level operations, and no endpoint named /secret-engines/ exists in the official API documentation. It is a fabricated path, possibly a misunderstanding of secrets engine management. Incorrect.
Option B: /sys/mounts is the correct endpoint. The /sys/mounts endpoint allows operators to list all mounted secrets engines (GET), enable a new one (POST to /sys/mounts/), or tune existing ones (POST to /sys/mounts//tune). For example, enabling the AWS secrets engine at aws/ uses POST /v1/sys/mounts/aws with a payload specifying the type (aws). This endpoint is the central hub for secrets engine management. Correct.
Option C: /sys/capabilities checks the permissions a token has on specific paths (e.g., which capabilities such as read or write are allowed). It is unrelated to managing secrets engines: it serves policy auditing, not mount operations. Incorrect.
Option D: /sys/kv does not exist. The KV secrets engine, when enabled, lives at a user-defined path (e.g., kv/), not under /sys/. System endpoints under /sys/ handle configuration, not specific secrets engine instances. Incorrect.
Detailed Mechanics:
The /sys/mounts endpoint interacts with Vault’s mount table, a registry of all enabled backends (auth methods and secrets engines). A GET request to /v1/sys/mounts returns a JSON object keyed by mount path, e.g., {"kv/": {"type": "kv", "options": {"version": "2"}}}. A POST request to /v1/sys/mounts/my-mount with {"type": "kv"} mounts a new KV engine. Tuning (e.g., setting TTLs) uses /sys/mounts//tune. This endpoint’s versatility makes it the go-to for secrets engine management.
Real-World Example:
To enable the Transit engine: curl -X POST -H "X-Vault-Token: " -d '{"type":"transit"}' http://127.0.0.1:8200/v1/sys/mounts/transit. To list mounts: curl -X GET -H "X-Vault-Token: " http://127.0.0.1:8200/v1/sys/mounts.
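The three operations above (list, enable, tune) as a small Python helper, added here as an example and not taken from the Vault documentation or the Vault client libraries. It builds the request each operation needs (method, URL, headers, JSON body) so the shape of each call can be checked before a token is ever used, and it reduces a GET /sys/mounts response to a path-to-type map while flagging KV mounts that are not version 2. The address and token are placeholders, and the response sample is constructed in the shape shown in the Detailed Mechanics section; the reserved-path check is a defensive pre-flight assumption, not a documented API contract.

```python
# Added example: build and inspect Vault /sys/mounts API calls without a live server.
# Assumptions (not from the page): VAULT_TOKEN is a placeholder, SAMPLE_LISTING is a
# constructed response, and the reserved-path check is a local pre-flight guard.
import json
from urllib.parse import quote

VAULT_ADDR = "http://127.0.0.1:8200"    # dev-server address used on the page
VAULT_TOKEN = "hvs.PLACEHOLDER_TOKEN"   # placeholder; load a real token from the environment


def _headers(token):
    """Vault authenticates API calls with the X-Vault-Token header."""
    return {"X-Vault-Token": token, "Content-Type": "application/json"}


def _normalize_mount_path(path):
    """Mount paths carry no leading slash; reject obviously reserved prefixes up front."""
    path = path.strip("/")
    if not path:
        raise ValueError("mount path must not be empty")
    if path.split("/")[0] in ("sys", "cubbyhole", "identity"):
        raise ValueError(f"{path!r} is a reserved Vault path and cannot be mounted")
    return path


def list_mounts_request(addr=VAULT_ADDR, token=VAULT_TOKEN):
    """GET /v1/sys/mounts: enumerate the enabled secrets engines."""
    return {"method": "GET", "url": f"{addr}/v1/sys/mounts",
            "headers": _headers(token), "body": None}


def enable_mount_request(path, engine_type, options=None, addr=VAULT_ADDR, token=VAULT_TOKEN):
    """POST /v1/sys/mounts/<path> with {"type": ...}: enable a secrets engine at <path>."""
    path = _normalize_mount_path(path)
    payload = {"type": engine_type}
    if options:
        payload["options"] = options          # e.g. {"version": "2"} for KV v2
    return {"method": "POST", "url": f"{addr}/v1/sys/mounts/{quote(path)}",
            "headers": _headers(token), "body": json.dumps(payload)}


def tune_mount_request(path, default_lease_ttl=None, max_lease_ttl=None,
                       addr=VAULT_ADDR, token=VAULT_TOKEN):
    """POST /v1/sys/mounts/<path>/tune: adjust lease TTLs on an existing mount."""
    path = _normalize_mount_path(path)
    payload = {}
    if default_lease_ttl is not None:
        payload["default_lease_ttl"] = default_lease_ttl
    if max_lease_ttl is not None:
        payload["max_lease_ttl"] = max_lease_ttl
    if not payload:
        raise ValueError("nothing to tune: give default_lease_ttl and/or max_lease_ttl")
    return {"method": "POST", "url": f"{addr}/v1/sys/mounts/{quote(path)}/tune",
            "headers": _headers(token), "body": json.dumps(payload)}


def summarize_mounts(listing):
    """Reduce a GET /sys/mounts body to {mount_path: engine_type} and list KV mounts
    that are not version 2 (no versioning or soft-delete of overwritten secrets)."""
    mounts = listing.get("data", listing)     # newer Vault releases wrap the map in "data"
    summary, unversioned_kv = {}, []
    for mount_path, info in mounts.items():
        if not isinstance(info, dict) or "type" not in info:
            continue                          # skip metadata keys such as request_id
        summary[mount_path] = info["type"]
        options = info.get("options") or {}
        if info["type"] == "kv" and options.get("version") != "2":
            unversioned_kv.append(mount_path)
    return summary, unversioned_kv


# Constructed sample in the shape the page shows, not captured from a real server.
SAMPLE_LISTING = {
    "request_id": "00000000-0000-0000-0000-000000000000",
    "kv/": {"type": "kv", "options": {"version": "2"}},
    "transit/": {"type": "transit", "options": None},
    "legacy/": {"type": "kv", "options": {}},
}

if __name__ == "__main__":
    print(enable_mount_request("transit", "transit"))
    print(tune_mount_request("kv", max_lease_ttl="24h"))
    print(summarize_mounts(SAMPLE_LISTING))
```

Each function returns a plain request description rather than sending it, so an operator can review (or unit-test) the exact path and payload a script will issue against /sys/mounts before granting the script a token with sys/mounts capabilities.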
Overall Explanation from Vault Docs:
“The /sys/mounts endpoint is used to manage secrets engines in Vault… List, enable, or tune mounts via this system endpoint.”