From f3a8ab433b56a0f000a4b35755588ddc9981d20e Mon Sep 17 00:00:00 2001 From: Dwight Hodge Date: Sun, 1 Sep 2024 23:05:13 -0400 Subject: [PATCH 1/4] KMS and expiring tokens --- .../create-kms-config/hashicorp-kms.md | 26 ++++++++++++++----- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/docs/content/preview/yugabyte-platform/security/create-kms-config/hashicorp-kms.md b/docs/content/preview/yugabyte-platform/security/create-kms-config/hashicorp-kms.md index aec1b632a53d..8de48eba7d12 100644 --- a/docs/content/preview/yugabyte-platform/security/create-kms-config/hashicorp-kms.md +++ b/docs/content/preview/yugabyte-platform/security/create-kms-config/hashicorp-kms.md 
@@ -188,19 +188,31 @@ You can create a new KMS configuration that uses HashiCorp Vault as follows: 1. Optionally, to confirm that the information is correct, click **Show details**. Note that sensitive configuration values are displayed partially masked. -## Modify a KMS configuration +## Replace an expiring token -You can modify an existing KMS configuration as follows: +If a KMS configuration uses a token for authentication, and that token cannot be infinitely renewed, you should replace the token before it expires (that is, reaches its TTL). You can also create a new policy. -1. Navigate to **Integrations > Security > Encryption At Rest** to open a list of existing configurations. +To replace a token, you create a new token for the existing policy in Vault, and add it to your KMS configuration in YugabyteDB Anywhere as follows: + +1. In Hashicorp Vault, create a token for your existing policy. For example: + + ```shell + vault token create -no-default-policy -policy=trx + ``` + + If you want to change the policy, see the steps in [Configure Hashicorp Vault](#configure-hashicorp-vault). + +1. In YugabyteDB Anywhere, navigate to **Integrations > Security > Encryption At Rest** to open a list of existing configurations. + +1. Find the KMS configuration you want to modify and click its corresponding **Actions > Edit Configuration**. -1. Find the configuration you want to modify and click its corresponding **Actions > Edit Configuration**. +1. Set **Authentication Type** to **Token** and enter the token you obtained from the vault. -1. Provide new values for the **Vault Address** and **Secret Token** fields. + If you changed the policy, set **Authentication Type** to **AppRole** and enter the credentials as appropriate. 1. Click **Save**. -1. Optionally, to confirm that the information is correct, click **Show details** or **Actions > Details**. +To confirm that the information is correct, click **Show details** or **Actions > Details**. ## Delete a KMS configuration 
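Review bot: the token example in the new "Replace an expiring token" section, `vault token create -no-default-policy -policy=trx`, sets no `-ttl` or `-period`, so the replacement token gets Vault's default TTL, which is exactly the situation this section exists to avoid; the "Configure Hashicorp Vault" section it links to tells the reader to set a TTL or period greater than 12 hours so YugabyteDB Anywhere can renew it, so the example should carry that flag as well, for example `vault token create -no-default-policy -policy=trx -period=24h`, with a sentence saying to pick the same TTL or period used when the policy was first configured. Two smaller points in the same hunk: "If you changed the policy, set **Authentication Type** to **AppRole**" conflates changing a policy with changing the auth method (a new policy can still be used with a token), and "enter the credentials as appropriate" should name the fields the reader has to fill in. Also, dropping the old "Modify a KMS configuration" steps removes the only place that told the reader how to change the **Vault Address**; if that is still editable from **Actions > Edit Configuration**, keep one sentence for it. Minor: "Hashicorp" and "the vault" in the added lines should be "HashiCorp" and "Vault" to match the rest of the page.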
@@ -208,4 +220,4 @@ You can modify an existing KMS configuration as follows: Without a KMS configuration, you would longer be able to decrypt universe keys that were encrypted using the master key in the KMS configuration. Even after a key is rotated out of service, it may still be needed to decrypt data in backups and snapshots that were created while it was active. For this reason, you can only delete a KMS configuration if it has never been used by any universes. {{}} -To delete a KMS configuration, click its corresponding **Actions > Delete Configuration**. +To delete a KMS configuration, navigate to **Integrations > Security > Encryption At Rest** to open a list of existing configurations and click its corresponding **Actions > Delete Configuration**. From 642116c14e1924c06b2681f0b6ad3917515ee512 Mon Sep 17 00:00:00 2001 From: Dwight Hodge Date: Fri, 6 Sep 2024 01:03:40 -0400 Subject: [PATCH 2/4] review comment --- .../security/create-kms-config/hashicorp-kms.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/preview/yugabyte-platform/security/create-kms-config/hashicorp-kms.md b/docs/content/preview/yugabyte-platform/security/create-kms-config/hashicorp-kms.md index 8de48eba7d12..85c866f1c456 100644 --- a/docs/content/preview/yugabyte-platform/security/create-kms-config/hashicorp-kms.md +++ b/docs/content/preview/yugabyte-platform/security/create-kms-config/hashicorp-kms.md 
@@ -190,7 +190,7 @@ You can create a new KMS configuration that uses HashiCorp Vault as follows: ## Replace an expiring token -If a KMS configuration uses a token for authentication, and that token cannot be infinitely renewed, you should replace the token before it expires (that is, reaches its TTL). You can also create a new policy. +If a KMS configuration uses a token for authentication, and that token cannot be infinitely renewed, you should replace the token before it expires (that is, reaches its TTL). You can also create a new policy, or switch to using an AppRole. To replace a token, you create a new token for the existing policy in Vault, and add it to your KMS configuration in YugabyteDB Anywhere as follows: @@ -208,7 +208,7 @@ To replace a token, you create a new token for the existing policy in Vault, and 1. Set **Authentication Type** to **Token** and enter the token you obtained from the vault. - If you changed the policy, set **Authentication Type** to **AppRole** and enter the credentials as appropriate. + To switch to using an AppRole, set **Authentication Type** to **AppRole** and enter the credentials as appropriate. 1. Click **Save**. From f5d15ffd7beed3e0e8312a7f70e3cfd95a498a05 Mon Sep 17 00:00:00 2001 From: Dwight Hodge Date: Fri, 6 Sep 2024 12:48:18 -0400 Subject: [PATCH 3/4] backport --- .../create-kms-config/hashicorp-kms.md | 28 ++++++++++++----- .../create-kms-config/hashicorp-kms.md | 30 +++++++++++++------ 2 files changed, 41 insertions(+), 17 deletions(-) diff --git a/docs/content/stable/yugabyte-platform/security/create-kms-config/hashicorp-kms.md b/docs/content/stable/yugabyte-platform/security/create-kms-config/hashicorp-kms.md index ba6d89c02179..7f2a49828cad 100644 --- a/docs/content/stable/yugabyte-platform/security/create-kms-config/hashicorp-kms.md +++ b/docs/content/stable/yugabyte-platform/security/create-kms-config/hashicorp-kms.md 
@@ -125,7 +125,7 @@ You need to configure HashiCorp Vault in order to use it with YugabyteDB Anywher - `period` — If specified, the token can be infinitely renewed. - YBA automatically tries to renew the token every 12 hours after it has passed 70% of its expiry window; as a result, you should set the TTL or period to be greater than 12 hours. + YugabyteDB Anywhere automatically tries to renew the token every 12 hours after it has passed 70% of its expiry window; as a result, you should set the TTL or period to be greater than 12 hours. For more information, refer to [Tokens](https://developer.hashicorp.com/vault/tutorials/tokens/tokens) in the Hashicorp documentation. 
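Review bot: while this hunk only expands "YBA", the sentence it touches does not quite support its own conclusion: if renewal is attempted every 12 hours once the token is past 70% of its lifetime, the remaining 30% must itself be longer than 12 hours for an attempt to be guaranteed to land inside it, which implies a TTL of more than 40 hours rather than "greater than 12 hours". Either the renewal behaviour is described imprecisely (for example, the check runs every 12 hours and renews whenever the token is past 70%, in which case the token must outlive one check interval after the 70% mark) or the recommended minimum is too low; please confirm the actual behaviour and state the minimum that follows from it, since a token that expires between checks silently breaks encryption at rest for every universe using the configuration. The same sentence is duplicated into the v2.20 copy later in this patch, so the fix should go to all three copies.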
@@ -188,19 +188,31 @@ You can create a new KMS configuration that uses HashiCorp Vault as follows: 1. Optionally, to confirm that the information is correct, click **Show details**. Note that sensitive configuration values are displayed partially masked. -## Modify a KMS configuration +## Replace an expiring token -You can modify an existing KMS configuration as follows: +If a KMS configuration uses a token for authentication, and that token cannot be infinitely renewed, you should replace the token before it expires (that is, reaches its TTL). You can also create a new policy, or switch to using an AppRole. -1. Navigate to **Integrations > Security > Encryption At Rest** to open a list of existing configurations. +To replace a token, you create a new token for the existing policy in Vault, and add it to your KMS configuration in YugabyteDB Anywhere as follows: + +1. In Hashicorp Vault, create a token for your existing policy. For example: + + ```shell + vault token create -no-default-policy -policy=trx + ``` + + If you want to change the policy, see the steps in [Configure Hashicorp Vault](#configure-hashicorp-vault). + +1. In YugabyteDB Anywhere, navigate to **Integrations > Security > Encryption At Rest** to open a list of existing configurations. + +1. Find the KMS configuration you want to modify and click its corresponding **Actions > Edit Configuration**. -1. Find the configuration you want to modify and click its corresponding **Actions > Edit Configuration**. +1. Set **Authentication Type** to **Token** and enter the token you obtained from the vault. -1. Provide new values for the **Vault Address** and **Secret Token** fields. + To switch to using an AppRole, set **Authentication Type** to **AppRole** and enter the credentials as appropriate. 1. Click **Save**. -1. Optionally, to confirm that the information is correct, click **Show details** or **Actions > Details**. 
+To confirm that the information is correct, click **Show details** or **Actions > Details**. ## Delete a KMS configuration @@ -208,4 +220,4 @@ You can modify an existing KMS configuration as follows: Without a KMS configuration, you would longer be able to decrypt universe keys that were encrypted using the master key in the KMS configuration. Even after a key is rotated out of service, it may still be needed to decrypt data in backups and snapshots that were created while it was active. For this reason, you can only delete a KMS configuration if it has never been used by any universes. {{}} -To delete a KMS configuration, click its corresponding **Actions > Delete Configuration**. +To delete a KMS configuration, navigate to **Integrations > Security > Encryption At Rest** to open a list of existing configurations and click its corresponding **Actions > Delete Configuration**. diff --git a/docs/content/v2.20/yugabyte-platform/security/create-kms-config/hashicorp-kms.md b/docs/content/v2.20/yugabyte-platform/security/create-kms-config/hashicorp-kms.md index c9f707af3535..f662cf5720c6 100644 --- a/docs/content/v2.20/yugabyte-platform/security/create-kms-config/hashicorp-kms.md +++ b/docs/content/v2.20/yugabyte-platform/security/create-kms-config/hashicorp-kms.md @@ -125,7 +125,7 @@ You need to configure HashiCorp Vault in order to use it with YugabyteDB Anywher - `period` — If specified, the token can be infinitely renewed. - YBA automatically tries to renew the token every 12 hours after it has passed 70% of its expiry window; as a result, you should set the TTL or period to be greater than 12 hours. + YugabyteDB Anywhere automatically tries to renew the token every 12 hours after it has passed 70% of its expiry window; as a result, you should set the TTL or period to be greater than 12 hours. For more information, refer to [Tokens](https://developer.hashicorp.com/vault/tutorials/tokens/tokens) in the Hashicorp documentation. 
@@ -188,24 +188,36 @@ You can create a new KMS configuration that uses HashiCorp Vault as follows: 1. Optionally, to confirm that the information is correct, click **Show details**. Note that sensitive configuration values are displayed partially masked. -## Modify a KMS configuration +## Replace an expiring token -You can modify an existing KMS configuration as follows: +If a KMS configuration uses a token for authentication, and that token cannot be infinitely renewed, you should replace the token before it expires (that is, reaches its TTL). You can also create a new policy, or switch to using an AppRole. -1. Navigate to **Configs > Security > Encryption At Rest** to open a list of existing configurations. +To replace a token, you create a new token for the existing policy in Vault, and add it to your KMS configuration in YugabyteDB Anywhere as follows: + +1. In Hashicorp Vault, create a token for your existing policy. For example: + + ```shell + vault token create -no-default-policy -policy=trx + ``` + + If you want to change the policy, see the steps in [Configure Hashicorp Vault](#configure-hashicorp-vault). + +1. In YugabyteDB Anywhere, navigate to **Configs > Security > Encryption At Rest** to open a list of existing configurations. + +1. Find the KMS configuration you want to modify and click its corresponding **Actions > Edit Configuration**. -1. Find the configuration you want to modify and click its corresponding **Actions > Edit Configuration**. +1. Set **Authentication Type** to **Token** and enter the token you obtained from the vault. -1. Provide new values for the **Vault Address** and **Secret Token** fields. + To switch to using an AppRole, set **Authentication Type** to **AppRole** and enter the credentials as appropriate. 1. Click **Save**. -1. Optionally, to confirm that the information is correct, click **Show details** or **Actions > Details**. +To confirm that the information is correct, click **Show details** or **Actions > Details**. 
## Delete a KMS configuration {{}} -You can only delete a KMS configuration if it has never been used by any universes. +Without a KMS configuration, you would longer be able to decrypt universe keys that were encrypted using the master key in the KMS configuration. Even after a key is rotated out of service, it may still be needed to decrypt data in backups and snapshots that were created while it was active. For this reason, you can only delete a KMS configuration if it has never been used by any universes. {{}} -To delete a KMS configuration, click its corresponding **Actions > Delete Configuration**. +To delete a KMS configuration, navigate to **Configs > Security > Encryption At Rest** to open a list of existing configurations and click its corresponding **Actions > Delete Configuration**. From 87e1f0b625b1e930fa7db798c74b3615603605b5 Mon Sep 17 00:00:00 2001 From: Dwight Hodge Date: Fri, 6 Sep 2024 14:19:31 -0400 Subject: [PATCH 4/4] DOC-465 --- .../yugabyte-platform/security/authorization-platform.md | 2 ++ .../stable/yugabyte-platform/security/authorization-platform.md | 2 ++ .../v2.20/yugabyte-platform/security/authorization-platform.md | 2 ++ 3 files changed, 6 insertions(+) diff --git a/docs/content/preview/yugabyte-platform/security/authorization-platform.md b/docs/content/preview/yugabyte-platform/security/authorization-platform.md index 84c0c7432b10..f087a1ef1ab7 100644 --- a/docs/content/preview/yugabyte-platform/security/authorization-platform.md +++ b/docs/content/preview/yugabyte-platform/security/authorization-platform.md 
@@ -33,6 +33,8 @@ Enter the password to use for the default database admin superuser (`yugabyte` f You can also enable and disable the endpoints and authorization after deployment. Navigate to your universe, click **Actions**, and choose **Edit YSQL Configuration** or **Edit YCQL Configuration**. +Note that for universes deployed using YugabyteDB Anywhere, you can't exclusively [enable authentication using flags](../../../secure/enable-authentication/authentication-ysql/). You must enable and disable authentication using the YugabyteDB Anywhere UI. + ## Default roles and users The YugabyteDB database on your universe includes a set of default users and roles in YSQL and YCQL. diff --git a/docs/content/stable/yugabyte-platform/security/authorization-platform.md b/docs/content/stable/yugabyte-platform/security/authorization-platform.md index e5e9f14a3c45..97d81146a0e1 100644 --- a/docs/content/stable/yugabyte-platform/security/authorization-platform.md +++ b/docs/content/stable/yugabyte-platform/security/authorization-platform.md @@ -33,6 +33,8 @@ Enter the password to use for the default database admin superuser (`yugabyte` f You can also enable and disable the endpoints and authorization after deployment. Navigate to your universe, click **Actions**, and choose **Edit YSQL Configuration** or **Edit YCQL Configuration**. +Note that for universes deployed using YugabyteDB Anywhere, you can't exclusively [enable authentication using flags](../../../secure/enable-authentication/authentication-ysql/). You must enable and disable authentication using the YugabyteDB Anywhere UI. + ## Default roles and users The YugabyteDB database on your universe includes a set of default users and roles in YSQL and YCQL. diff --git a/docs/content/v2.20/yugabyte-platform/security/authorization-platform.md b/docs/content/v2.20/yugabyte-platform/security/authorization-platform.md index 9f91d127139f..3d49c26078d6 100644 
--- a/docs/content/v2.20/yugabyte-platform/security/authorization-platform.md +++ b/docs/content/v2.20/yugabyte-platform/security/authorization-platform.md @@ -33,6 +33,8 @@ Enter the password to use for the default database admin superuser (`yugabyte` f You can also enable and disable the endpoints and authentication after deployment. Navigate to your universe, click **Actions**, and choose **Edit YSQL Configuration** or **Edit YCQL Configuration**. +Note that for universes deployed using YugabyteDB Anywhere, you can't exclusively [enable authentication using flags](../../../secure/enable-authentication/authentication-ysql/). You must enable and disable authentication using the YugabyteDB Anywhere UI. + ## Default roles and users The YugabyteDB database on your universe includes a set of default users and roles in YSQL and YCQL.
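Review bot: the v2.20 "Delete a KMS configuration" hunk in the third patch adds the line `+Without a KMS configuration, you would longer be able to decrypt universe keys ...`, which is missing a word; it should read "you would no longer be able". The same typo appears as unchanged context in the preview and stable copies of the file, so it is worth fixing in all three while this patch is touching the section.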
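Review bot: in the three `authorization-platform.md` hunks, "you can't exclusively [enable authentication using flags]" is ambiguous about what actually happens: it does not say whether flags set outside YugabyteDB Anywhere are ignored, are overwritten the next time the universe configuration is edited from the UI, or simply are not supported, and the reader needs to know which, because a flag-only change that is later reverted leaves the database open without warning. Suggest stating the behaviour directly, for example "Flags set outside the UI are overwritten by YugabyteDB Anywhere; enable and disable authentication only from the UI", and dropping "exclusively". Two smaller points: the link target is the YSQL-only page while the paragraph covers both YSQL and YCQL, and the unchanged sentence just above the insertion reads "endpoints and authorization" in preview and stable but "endpoints and authentication" in v2.20, so the three copies should be aligned while this note is being added.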