Vault
/sys/quotas/rate-limit
Restricted endpoint
The API path can only be called from the root or administrative namespace.The /sys/quotas/rate-limit
endpoint is used to create, edit and delete rate limit quotas.
Create or update a rate limit quota
This endpoint is used to create a rate limit quota with an identifier, name
.
A rate limit quota must include a rate
value with an optional path
that can
either be a namespace or mount, and can optionally include a path suffix following
the mount to restrict more specific API paths.
Method | Path |
---|---|
POST | /sys/quotas/rate-limit/:name |
Parameters
name
(string: "")
- The name of the quota.path
(string: "")
- Path of the mount or namespace to apply the quota. A blank path configures a global rate limit quota. For examplenamespace1/
adds a quota to a full namespace,namespace1/auth/userpass
adds a quota touserpass
innamespace1
, andnamespace1/kv-v2/data/foo/bar
adds a quota to a specific secret on a KV v2 mount innamespace1
. A trailing glob (*
) can also be added as part of the path after the mount to match paths that share the same prefix prior to the glob.namespace1/kv-v2/data/foo/*
would match bothnamespace1/kv-v2/data/foo/bar
andnamespace1/kv-v2/data/foo/baz
. Updating this field on an existing quota can have "moving" effects. For example, updatingnamespace1
tonamespace1/auth/userpass
moves this quota from being a namespace quota to a namespace specific mount quota. Non-global quotas are not inherited by child namespaces. Quotas cannot be created or modified in parent or sibling namespaces. Note, namespaces are supported in Enterprise only.rate
(float: 0.0)
- The maximum number of requests in a given interval to be allowed by the quota rule. Therate
must be positive.interval
(string: "")
- The duration to enforce rate limiting for (default"1s"
).block_interval
(string: "")
- If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 'block_interval' has elapsed.role
(string: "")
- If set on a quota wherepath
is set to an auth mount with a concept of roles (such as/auth/approle/
), this will make the quota restrict login requests to that mount that are made with the specified role. The request will fail if the auth mount does not have a concept of roles, orpath
is not an auth mount.inheritable
(bool: false)
- If set totrue
on a quota wherepath
is set to a namespace, the same quota will be cumulatively applied to all child namespace. Theinheritable
parameter cannot be set totrue
if thepath
does not specify a namespace. Only quotas associated with the root namespace quotas are inheritable by default.
Sample payload
{
"path": "",
"rate": 897.3,
"interval": "2m",
"block_interval": "5m"
}
Sample request
$ curl \
--request POST \
--header "X-Vault-Token: ..." \
--data @payload.json \
http://127.0.0.1:8200/v1/sys/quotas/rate-limit/global-rate-limiter
Delete a rate limit quota
A rate limit quota can be deleted by name
.
Quotas that exist in a parent or a sibling namespace cannot be deleted.
Method | Path |
---|---|
DELETE | /sys/quotas/rate-limit/:name |
Sample request
$ curl \
--request DELETE \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/sys/quotas/rate-limit/global-rate-limiter
Get a rate limit quota
A rate limit quota can be retrieved by name
.
A quota can be read from any namespace. This behavior differs
from modifying and deleting quotas which is not allowed within parent
or sibling namespaces.
Method | Path |
---|---|
GET | /sys/quotas/rate-limit/:name |
Sample request
$ curl \
--request GET \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/sys/quotas/rate-limit/global-rate-limiter
Sample response
{
"request_id": "d0870811-455d-3dfd-459f-aee016e6fb68",
"lease_id": "",
"lease_duration": 0,
"renewable": false,
"data": {
"block_interval": 300,
"interval": 2,
"name": "global-rate-limiter",
"path": "",
"rate": 897.3,
"role": "",
"type": "rate-limit"
},
"warnings": null
}
List rate limit quotas
This endpoint returns a list of all the rate limit quotas across all namespaces. Note that this level of access differs from creating, updating, and deleting quotas which restricts access to parent and sibling namespaces.
Method | Path |
---|---|
LIST | /sys/quotas/rate-limit |
Sample request
$ curl \
--request LIST \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/sys/quotas/rate-limit
Sample response
{
"auth": null,
"data": {
"keys": ["global-rate-limiter", "kv-rate-limiter"]
},
"lease_duration": 0,
"lease_id": "",
"renewable": false,
"request_id": "ab633ee1-a692-ba03-083b-f1bd91c51c28",
"warnings": null,
"wrap_info": null
}