Difficulty: beginner
Estimated Time: 8 minutes

Vault 1.5 introduced resource quotas to protect the stability of your Vault environment, and its network and storage resources, from runaway application behavior and distributed denial of service (DDoS) attacks.

Vault operators can control how applications request resources from Vault and from Vault's storage and network infrastructure by setting the following:

  • Rate Limit Quotas: Limit the maximum number of requests per second (RPS) to a system or mount to protect network bandwidth
  • Lease Count Quotas (Vault Enterprise only): Cap the number of leases generated in a system or mount to protect system stability and storage performance at scale

Important Note: Without a valid license, a Vault Enterprise server will be sealed after 30 minutes. In other words, you have 30 free minutes to explore the Enterprise features. To explore Vault Enterprise further, you can sign up for a free 30-day trial.

In this tutorial, you learned the basic commands to set resource quotas to protect your Vault environment. To leverage this feature, you need Vault 1.5 or later.

Rate limit quotas allow Vault operators to set inbound request rate limits, either at the root level or on a specific path. This is available in both Vault OSS and Vault Enterprise.

Lease count quotas require Vault Enterprise Platform and allow operators to set the maximum number of tokens and leases to be persisted at any given time. This can prevent Vault from exhausting the resources of the storage backend.

You also learned that audit logging can be enabled to trace the number of requests that were rejected due to the rate limit quota.

Resource Quotas

Configure rate limit resource quotas

Rate limit quotas are available in all Vault versions, while lease count quotas require Vault Enterprise Platform.

Important Note: Without a valid license, a Vault Enterprise server will be sealed after 30 minutes. To explore Vault Enterprise further, you can sign up for a free 30-day trial.


Let's begin! First, log in with the root token.

vault login root


By default, requests rejected due to rate limit quota violations are not written to the audit log. If you want to log the rejected requests for traceability, you must set enable_rate_limit_audit_logging to true. Requests rejected due to reaching a lease count quota are always logged, so you do not need to set any parameter for them.

Enable the file audit device.

vault audit enable file file_path="/var/log/vault-audit.log"

You can set the target file_path to your desired location.

To enable the audit logging for rate limit quotas, execute the following command.

vault write sys/quotas/config enable_rate_limit_audit_logging=true

Read the quota configuration to verify.

vault read sys/quotas/config
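
Once rate limit audit logging is enabled, the rejected requests can be summarized straight from the audit file. The script below is an added example, not part of the original tutorial or of Vault itself. It assumes the file audit device writes one JSON object per line and that a rejected request is a "request" entry whose "error" field contains the text "rate limit quota exceeded". The sample lines, addresses and paths are constructed, and the function names are hypothetical.

```python
import json
from collections import Counter

# Assumption: rejected requests carry this text in the entry's "error" field.
QUOTA_ERROR = "rate limit quota exceeded"

# Constructed sample lines in the shape of a JSON file audit log (one object
# per line); the last line simulates a partially written entry.
SAMPLE_LOG = r"""
{"time":"2020-08-01T10:00:00Z","type":"request","request":{"path":"secret/data/app","remote_address":"192.0.2.10"}}
{"time":"2020-08-01T10:00:00Z","type":"response","request":{"path":"secret/data/app","remote_address":"192.0.2.10"}}
{"time":"2020-08-01T10:00:01Z","type":"request","request":{"path":"secret/data/app","remote_address":"192.0.2.10"},"error":"request path \"secret/data/app\": rate limit quota exceeded"}
{"time":"2020-08-01T10:00:01Z","type":"request","request":{"path":"secret/data/app","remote_address":"192.0.2.10"},"error":"request path \"secret/data/app\": rate limit quota exceeded"}
{"time":"2020-08-01T10:00:02Z","type":"request","request":{"path":"secret/data/db","remote_address":"192.0.2.10"},"error":"request path \"secret/data/db\": rate limit quota exceeded"}
{"time":"2020-08-01T10:00:02Z","type":"request","request":{"path":"secret/data/app","remote_address":"192.0.2.20"},"error":"request path \"secret/data/app\": rate limit quota exceeded"}
{"time":"2020-08-01T10:00:03Z","type":"request","request":{"path":"secret/data/app","remote_address":"192.0.2.20"},"error":"permission denied"}
{"time":"2020-08-01T10:00:03Z","type":"requ
""".strip()

def rejected_by_quota(lines):
    """Count rate limit rejections per (remote_address, path)."""
    counts = Counter()
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip empty, truncated or partially written lines
        if not isinstance(entry, dict) or entry.get("type") != "request":
            continue
        if QUOTA_ERROR not in (entry.get("error") or ""):
            continue  # successful requests and other errors are ignored
        req = entry.get("request") or {}
        counts[(req.get("remote_address", "?"), req.get("path", "?"))] += 1
    return counts

def noisy_clients(counts, threshold):
    """Return the addresses whose total rejections reach the threshold."""
    per_client = Counter()
    for (addr, _path), n in counts.items():
        per_client[addr] += n
    return sorted(a for a, n in per_client.items() if n >= threshold)

if __name__ == "__main__":
    counts = rejected_by_quota(SAMPLE_LOG.splitlines())
    for (addr, path), n in counts.most_common():
        print(f"{n:4d}  {addr:15s}  {path}")
    print("clients at or over threshold:", noisy_clients(counts, 3))
```

To run it against a real log, pass an open handle on the file_path you configured for the audit device to rejected_by_quota() in place of the sample lines.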