add example for secret tuning (hashicorp#12503)

jartek · Sep 11, 2021 · 2663fa2 · 2663fa2
1 parent 4bb3626
commit 2663fa2
Showing 1 changed file with 29 additions and 7 deletions.
diff --git a/website/content/docs/commands/secrets/tune.mdx b/website/content/docs/commands/secrets/tune.mdx
@@ -2,29 +2,51 @@
 layout: docs
 page_title: secrets tune - Command
 description: |-
-  The "secrets tune" command tunes the configuration options for the secrets
-  engine at the given PATH. The argument corresponds to the PATH where the
-  secrets engine is enabled, not the TYPE!
+  The "secrets tune" command tunes the configuration options for the secrets engine at the given PATH. 
 ---
 
 # secrets tune
 
 The `secrets tune` command tunes the configuration options for the secrets
 engine at the given PATH. The argument corresponds to the PATH where the secrets
-engine is enabled, not the TYPE!
+engine is enabled, not the type.
 
 ## Examples
 
-Tune the default lease for the PKI secrets engine:
+Before tuning the secret mount, view the current configuration of the
+mount enabled at "pki/":
 
 ```shell-session
-$ vault secrets tune -default-lease-ttl=72h pki/
+$ vault read sys/mounts/pki/tune
+Key                             Value
+---                             -----
+default_lease_ttl               12h
+description                     Example PKI mount
+force_no_cache                  false
+max_lease_ttl                   24h
+```
+
+Tune the default lease, exclude `common_name` and `serial_number` from being HMAC'd in the audit log for the PKI secrets engine:
+
+```shell-session
+$ vault secrets tune -default-lease-ttl=18h -audit-non-hmac-request-keys=common_name -audit-non-hmac-response-keys=serial_number pki/
+Success! Tuned the secrets engine at: pki/
+
+$ vault read sys/mounts/pki/tune
+Key                             Value
+---                             -----
+audit_non_hmac_request_keys     [common_name]
+audit_non_hmac_response_keys    [serial_number]
+default_lease_ttl               18h
+description                     Example PKI mount
+force_no_cache                  false
+max_lease_ttl                   24h
 ```
 
 Specify multiple audit non-hmac request keys:
 
 ```shell-session
-$ vault secrets tune -audit-non-hmac-request-keys=value1 -audit-non-hmac-request-keys=value2 pki/
+$ vault secrets tune -audit-non-hmac-request-keys=common_name -audit-non-hmac-request-keys=ttl pki/
 ```
 
 ## Usage