Vault - Transit - Documentation.

[diesalbla]

Is your feature request related to a problem? Please describe.

This issue is related to some unclear language in the documentation of the transit secrets engine: the encrypt data section describes the differences in behaviour between the update or the create policies, but it does not state which policies are required to use the endpoint. The same happens for the decrypt data section.

Describe the solution you'd like
The solution would be to edit the documentation to :

• State clearly what policies are required to use the encrypt-data and decrypt-data endpoints.
• If this is a case of a general policy rule, hypothetically that all POST or PUT endpoints require either the create or update policies, to refer to that rule.

Describe alternatives you've considered

None. It is a request for changing the text.

Explain any additional use-cases

Other sections may benefit for such explicit statements, but I have none in mind.

Additional context

This is submitted as issue, not as a question on the forum, because this is requesting a change to the documentation, not clarifications or guidance for a specific doubt.

[aphorise]

I think the current documentation calls this out:

This endpoint encrypts the provided plaintext using the named key. This path supports the create and update policy capabilities as follows: if the user has the create capability for this endpoint in their policies, and the key does not exist, it will be upserted with default values (whether the key requires derivation depends on whether the context parameter is empty or not). If the user only has update capability and the key does not exist, an error will be returned.

Hey @diesalbla do you agree & ok to close?

[diesalbla]

@aphorise Yeah, thanks!