/sys/quotas/rate-limit
The /sys/quotas/rate-limit
endpoint is used to create, edit and delete rate limit quotas.
Create or update a rate limit quota
This endpoint is used to create a rate limit quota with an identifier, name
.
A rate limit quota must include a rate
value with an optional path
that can
either be a namespace or mount, and can optionally include a path suffix following
the mount to restrict more specific API paths.
Method | Path |
---|---|
POST | /sys/quotas/rate-limit/:name |
Parameters
name
(string: "")
- The name of the quota.path
(string: "")
- Path of the mount or namespace to apply the quota. A blank path configures a global rate limit quota. For examplenamespace1/
adds a quota to a full namespace,namespace1/auth/userpass
adds a quota touserpass
innamespace1
, andnamespace1/kv-v2/data/foo/bar
adds a quota to a specific secret on a K/V v2 mount innamespace1
. A trailing glob (*
) can also be added as part of the path after the mount to match paths that share the same prefix prior to the glob.namespace1/kv-v2/data/foo/*
would match bothnamespace1/kv-v2/data/foo/bar
andnamespace1/kv-v2/data/foo/baz
. Updating this field on an existing quota can have "moving" effects. For example, updatingnamespace1
tonamespace1/auth/userpass
moves this quota from being a namespace quota to a namespace specific mount quota. Non-global quotas are not inherited by child namespaces. Note, namespaces are supported in Enterprise only.rate
(float: 0.0)
- The maximum number of requests in a given interval to be allowed by the quota rule. Therate
must be positive.interval
(string: "")
- The duration to enforce rate limiting for (default"1s"
).block_interval
(string: "")
- If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 'block_interval' has elapsed.role
(string: "")
- If set on a quota wherepath
is set to an auth mount with a concept of roles (such as/auth/approle/
), this will make the quota restrict login requests to that mount that are made with the specified role. The request will fail if the auth mount does not have a concept of roles, orpath
is not an auth mount.
Sample payload
{ "path": "", "rate": 897.3, "interval": "2m", "block_interval": "5m"}
Sample request
$ curl \ --request POST \ --header "X-Vault-Token: ..." \ --data @payload.json \ http://127.0.0.1:8200/v1/sys/quotas/rate-limit/global-rate-limiter
Delete a rate limit quota
A rate limit quota can be deleted by name
.
Method | Path |
---|---|
DELETE | /sys/quotas/rate-limit/:name |
Sample request
$ curl \ --request DELETE \ --header "X-Vault-Token: ..." \ http://127.0.0.1:8200/v1/sys/quotas/rate-limit/global-rate-limiter
Get a rate limit quota
A rate limit quota can be retrieved by name
.
Method | Path |
---|---|
GET | /sys/quotas/rate-limit/:name |
Sample request
$ curl \ --request GET \ --header "X-Vault-Token: ..." \ http://127.0.0.1:8200/v1/sys/quotas/rate-limit/global-rate-limiter
Sample response
{ "request_id": "d0870811-455d-3dfd-459f-aee016e6fb68", "lease_id": "", "lease_duration": 0, "renewable": false, "data": { "block_interval": 300, "interval": 2, "name": "global-rate-limiter", "path": "", "rate": 897.3, "role": "", "type": "rate-limit" }, "warnings": null}
List rate limit quotas
This endpoint returns a list of all the rate limit quotas.
Method | Path |
---|---|
LIST | /sys/quotas/rate-limit |
Sample request
$ curl \ --request LIST \ --header "X-Vault-Token: ..." \ http://127.0.0.1:8200/v1/sys/quotas/rate-limit
Sample response
{ "auth": null, "data": { "keys": ["global-rate-limiter", "kv-rate-limiter"] }, "lease_duration": 0, "lease_id": "", "renewable": false, "request_id": "ab633ee1-a692-ba03-083b-f1bd91c51c28", "warnings": null, "wrap_info": null}