diff --git a/website/content/docs/sync/index.mdx b/website/content/docs/sync/index.mdx index 1ea2273d37b6..88b87889fbd0 100644 --- a/website/content/docs/sync/index.mdx +++ b/website/content/docs/sync/index.mdx @@ -88,8 +88,8 @@ association object returned by the endpoint and, upon failure, includes an error ## Name template By default, the name of synced secrets follows this format: `vault//`. The casing and delimiters -may change according to the valid character set of each destination type. This pattern was chosen to prevent accidental -name collisions and to clearly identify where the secret is coming from. +may change as they are normalized according to the valid character set of each destination type. This pattern was chosen to +prevent accidental name collisions and to clearly identify where the secret is coming from. Every destination allows you to customize this name pattern by configuring a `secret_name_template` field to best suit individual use cases. The templates use a subset of the go-template syntax for extra flexibility. @@ -142,6 +142,12 @@ Name templates can be updated. The new template is only effective for new secret not affect the secrets synced with the previous template. It is possible to update an association to force a recreate operation. The secret synced with the old template will be deleted and a new secret using the new template version will be synced. +## Custom tags + +A destination can also have custom tags so that every secret associated to it that is synced will share that same set of tags. +Additionally, a default tag value of `hashicorp:vault` is used to denote any secret that is synced via Vault Enterprise. Similar +to secret names, tag keys and values are normalized according to the valid character set of each destination type. + ## Granularity Vault KV-v2 secrets are multi-value and their data is represented in JSON. Multi-value secrets are useful to bundle closely