vault
Securely access secrets and protect sensitive data
TLDR
Connect to a Vault server and initialize a new encrypted data store; the unseal key shares and the initial root token are printed only once
Unseal (unlock) the vault by providing one of the key shares; repeat until the configured threshold of shares has been entered
Authenticate the CLI client against the Vault server using an authentication token
Store a new secret in the vault, using the Key/Value secrets engine mounted at the path "secret"
Read a value from the vault, using the Key/Value secrets engine mounted at the path "secret"
Read a specific field from the value, so that only the field actually needed is printed
Seal (lock) the Vault server by removing the encryption key of the data store from memory; no request other than unseal is served until the threshold of shares is presented again
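The steps above as one script, added here as an example (it is not code from the tldr page or from HashiCorp). Commands are printed instead of executed unless DRY_RUN=0, so the sequence can be read and checked offline; for a live run it assumes VAULT_ADDR points at a freshly started, uninitialised Vault with persistent storage (a `vault server -dev` instance is already initialised and unsealed, so the init and unseal steps do not apply there). The mount name "secret", the path "myapp/db" and the placeholder share and token values are assumptions for the illustration.

```shell
#!/bin/sh
# Added example: the tldr sequence (init, unseal, login, kv put/get, seal).
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it against
# $VAULT_ADDR. Mount "secret" and path "myapp/db" are assumed values.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: initialise the storage backend. -format=json makes the unseal key
# shares and the initial root token machine-readable. This output is shown
# exactly once: capture it into a root-only file (umask 077; init_vault >
# init.json) and hand the shares to separate custodians. Never keep all
# shares on the same host as the server.
init_vault() {
  run vault operator init -key-shares=5 -key-threshold=3 -format=json
}

# Step 2: unseal. Each call supplies one share; the threshold number of calls
# (here 3) is needed before the master key is reconstructed in memory.
# In a live session, omit the argument to be prompted for the share instead
# of passing it on argv.
unseal_with_shares() {
  threshold="$1"; shift
  n=0
  for share in "$@"; do
    [ "$n" -lt "$threshold" ] || break
    run vault operator unseal "$share"
    n=$((n + 1))
  done
  run vault status   # reports "Sealed false" once the threshold is reached
}

# Step 3: authenticate. The token is read from stdin ("-") rather than given
# as an argument, so it does not land in shell history or `ps` output.
login_with_token() {
  printf '%s\n' "$1" | run vault login -no-print -
}

# Step 4: write a secret. On a KV v2 mount, `kv put` replaces every field at
# the path with exactly the fields given (use `kv patch` for one field).
# Real values belong in a 0600 file (password=@/path), not on the command line.
store_secret() {
  path="$1"; shift
  run vault kv put "secret/$path" "$@"
}

# Step 5: read the whole secret, or a single field so a deployment script
# does not print fields it did not need.
read_secret() { run vault kv get "secret/$1"; }
read_field()  { run vault kv get -field="$2" "secret/$1"; }

# Step 6: seal. The master key is dropped from memory; every request except
# unseal is refused until the threshold of shares is presented again.
seal_vault() { run vault operator seal; }

# Demonstration with placeholder values (only meaningful in dry-run mode;
# real shares and the root token come from the init output).
if [ "$DRY_RUN" = 1 ]; then
  init_vault
  unseal_with_shares 3 SHARE_1 SHARE_2 SHARE_3 SHARE_4 SHARE_5
  login_with_token "ROOT_TOKEN_FROM_INIT"
  store_secret myapp/db username=app password=CHANGE_ME
  read_secret myapp/db
  read_field myapp/db password
  seal_vault
fi
```

With DRY_RUN=0 the functions can be called one at a time with the real values; the root token used in step 3 should be revoked (`vault token revoke`) once a regular auth method and policies exist.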
SYNOPSIS
vault command [ options ] [ args ]
PARAMETERS
auth
Manage authentication methods (enable, disable, list, tune). Interactive authentication itself is done with `vault login`, which stores the resulting token for later commands.
kv
Interact with the Key/Value secrets engine.
read
Read data from any path in Vault (generic API read). For Key/Value data prefer `vault kv get`, which understands the v1/v2 path layout.
write
Write a secret to Vault.
delete
Delete a secret from Vault.
secrets
Manage secret engines.
policy
Manage Vault policies.
token
Manage Vault tokens.
namespace
Manage Vault namespaces.
-address
Address of the Vault server (same as the VAULT_ADDR environment variable). Use an https:// address outside of local development.
-namespace
Vault namespace to operate in (a Vault Enterprise / HCP Vault feature; same as VAULT_NAMESPACE). If not specified, commands run in the root namespace.
VAULT_TOKEN
Environment variable holding the token the CLI uses for authentication; there is no global -token flag. If it is unset, the CLI uses the token saved by the token helper (`~/.vault-token` by default) at the last `vault login`.
-ca-cert
Path to a PEM-encoded CA cert file to use to verify the Vault server TLS certificate (same as VAULT_CACERT). Prefer this over -tls-skip-verify, which disables certificate checking and belongs only in local testing.
DESCRIPTION
The `vault` command-line interface (CLI) is the primary tool for interacting with HashiCorp Vault, a secrets management server. Vault stores and manages sensitive material such as passwords, API keys, certificates and encryption keys in one place, encrypted at rest and reachable only through authenticated, policy-controlled and audited requests. The CLI wraps Vault's HTTP API: every CLI command maps to an API call (`-output-curl-string` prints the equivalent curl invocation), so anything done at the prompt can also be scripted or done from application code. Common uses include retrieving application secrets during deployment, storing database credentials, issuing short-lived dynamic credentials and certificates, and managing SSH access. Compared with keeping secrets in configuration files or environment variables, this adds encryption, fine-grained access control, leases with expiry, and an audit log of who read what.
The `vault` CLI is also used to configure Vault itself (authentication methods, policies, secret engines, namespaces, tokens and leases) and for operator tasks such as initialising, unsealing and diagnosing a server (`vault operator`, `vault status`).
CAVEATS
Requires a running, reachable Vault server (VAULT_ADDR) and a valid token or login; a misconfigured auth method or an over-broad policy undermines everything else. The unseal key shares and the initial root token are printed only once by `vault operator init`; distribute the shares to separate custodians and revoke the root token once regular auth methods and policies are in place. `vault login` stores the token in plain text in the token helper (`~/.vault-token` by default), and secrets passed as `key=value` arguments end up in shell history and process listings; read them from a file (`key=@file`) or stdin (`-`) instead. On a KV v2 mount `vault kv put` replaces all fields at the path with the ones given, so use `vault kv patch` for partial updates. `vault server -dev` runs in memory, already unsealed, with a known root token and without TLS; like `-tls-skip-verify`, it is for local experiments only.
AUTHENTICATION METHODS
Vault supports many authentication methods, including token, userpass, AppRole, LDAP, OIDC/JWT, Kubernetes, AWS IAM and GitHub. Each is enabled at a mount path with `vault auth enable <type>` and configured with `vault write auth/<path>/...`, both in Vault and in the external system it trusts. Clients then obtain a token with `vault login -method=<type>` (or the corresponding login API endpoint); the token, not the original credential, is what later requests carry. The policies attached at login decide what that token may do, so the auth method and its role definitions are where least privilege is enforced.
SECRET ENGINES
Vault provides various secret engines, enabled at a path with `vault secrets enable [-path=<mount>] <type>`: Key/Value (static secrets; version 2, `-version=2`, keeps a history of versions and supports check-and-set writes), database, AWS, PKI, transit and others. Dynamic engines such as database or AWS generate credentials on demand with a lease, so each consumer gets its own short-lived credential that Vault revokes when the lease expires, instead of a shared long-lived password.
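The two sections above (enabling an auth method, enabling a secrets engine) tied together with a least-privilege policy, as an added example that is not code from the tldr page or from HashiCorp. It assumes VAULT_ADDR and VAULT_TOKEN already point at an unsealed Vault with an administrative token; the mount paths "kv" and "approle", the policy name "myapp-read", the role "myapp" and the secret path "myapp/db" are assumptions for the illustration. Commands are printed rather than executed unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example: KV v2 engine + AppRole auth method + read-only policy.
# Mount paths, policy and role names are assumed values. DRY_RUN=1 (default)
# prints the commands; DRY_RUN=0 runs them against $VAULT_ADDR.
set -eu
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Policy for a KV v2 mount: data lives under <mount>/data/<path>, version
# metadata under <mount>/metadata/<path>. Granting only "read" on the data
# path lets the app fetch its credentials but not change or delete them.
write_policy_file() {
  cat > "$1" <<'EOF'
# Read-only access to the myapp secrets in the kv/ mount (KV v2 layout)
path "kv/data/myapp/*" {
  capabilities = ["read"]
}
path "kv/metadata/myapp/*" {
  capabilities = ["list"]
}
EOF
}

# Operator side: engine, secret, policy, auth method, role.
setup() {
  # Secrets engine: KV version 2 keeps versions and supports check-and-set.
  run vault secrets enable -path=kv -version=2 kv
  # Real passwords should come from a 0600 file (password=@/path), not argv.
  run vault kv put kv/myapp/db username=app password=CHANGE_ME

  policy_file="${TMPDIR:-/tmp}/myapp-read.hcl"
  write_policy_file "$policy_file"
  run vault policy write myapp-read "$policy_file"

  # Auth method: AppRole. The role binds the policy to short-lived tokens and
  # issues single-use, short-lived secret_ids.
  run vault auth enable approle
  run vault write auth/approle/role/myapp token_policies=myapp-read \
      token_ttl=20m token_max_ttl=1h secret_id_ttl=10m secret_id_num_uses=1

  # What the deployment hands to the application: role_id is static,
  # secret_id is minted per deployment (add -wrap-ttl=... to deliver it as a
  # response-wrapped token instead of in the clear).
  run vault read -field=role_id auth/approle/role/myapp/role-id
  run vault write -f -field=secret_id auth/approle/role/myapp/secret-id
}

# Application side: exchange role_id + secret_id for a token.
# Usage: VAULT_TOKEN=$(app_login "$ROLE_ID" "$SECRET_ID") \
#        vault kv get -field=password kv/myapp/db
app_login() {
  run vault write -field=token auth/approle/login role_id="$1" secret_id="$2"
}

# Check that the policy does what was intended: "read" on the app's own
# path, "deny" on anything else. Takes the application token as argument.
check_capabilities() {
  run vault token capabilities "$1" kv/data/myapp/db
  run vault token capabilities "$1" kv/data/other/db
}

setup
```

Running `check_capabilities` with the token returned by `app_login` is the cheapest way to confirm least privilege before the application ships; a policy typo usually shows up there as an unexpected "deny" (or, worse, an unexpected "update").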
VAULT AGENT
The `vault agent` command runs Vault Agent, a client-side daemon that authenticates to Vault on behalf of an application (auto-auth, using the credential of an auth method such as AppRole, Kubernetes or AWS), writes the resulting token to a sink file, renders secrets into files from templates and re-renders them when they change, and keeps tokens and leases renewed. It can also act as a caching proxy for the Vault API. The application therefore never has to embed Vault credentials or implement renewal itself, which reduces both the operational burden and the number of places a long-lived credential can leak from.
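A minimal Vault Agent configuration for the auto-auth, sink and template behaviour described above, added here as an example (not HashiCorp's own code or documentation). A shell function writes the HCL so the file can be generated and inspected offline; the real invocation is `vault agent -config=FILE`. It assumes an AppRole role whose role_id and secret_id have been placed in /etc/vault-agent/ (mode 0600) by the deployment step, a KV v2 mount "kv", the secret path "myapp/db" and the host name vault.example.internal; all of these are assumptions for the illustration.

```shell
#!/bin/sh
# Added example: generate a Vault Agent config (auto-auth via AppRole, token
# sink, one rendered template). Paths, mount and host name are assumed values.
set -eu

write_agent_config() {
  cat > "$1" <<'EOF'
vault {
  address = "https://vault.example.internal:8200"
  ca_cert = "/etc/vault-agent/ca.pem"   # verify the server, never skip TLS
}

auto_auth {
  method "approle" {
    config = {
      role_id_file_path   = "/etc/vault-agent/role_id"
      secret_id_file_path = "/etc/vault-agent/secret_id"
      # the secret_id is single-use: delete the file once it has been consumed
      remove_secret_id_file_after_reading = true
    }
  }
  # Renewed token for local tooling; keep it readable by the agent's user only
  sink "file" {
    config = {
      path = "/run/vault-agent/token"
      mode = 0600
    }
  }
}

# Render only the field the app needs. The agent re-renders the file when the
# secret changes and keeps the backing token and lease renewed.
template {
  contents    = "{{ with secret \"kv/data/myapp/db\" }}{{ .Data.data.password }}{{ end }}"
  destination = "/run/myapp/db-password"
  perms       = "0600"
  command     = "systemctl reload myapp"
}
EOF
}

cfg="${TMPDIR:-/tmp}/vault-agent.hcl"
write_agent_config "$cfg"
printf 'wrote %s; start the agent with: vault agent -config=%s\n' "$cfg" "$cfg"
```

The `.Data.data.password` lookup is the KV v2 shape (the v1 shape would be `.Data.password`); reading the wrong one renders an empty file rather than an error, so check the rendered output once before relying on the reload command.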
VAULT UI
While `vault` is a command-line tool, Vault also provides a web UI for managing Vault. The UI is particularly helpful for exploring secrets, policies, and audit logs. However, the CLI provides more flexibility for automation and scripting.
HISTORY
The `vault` command was developed by HashiCorp as the primary interface for interacting with their Vault secrets management tool. Vault itself was first released in 2015 and has since become a widely adopted solution for secrets management in cloud and on-premise environments. The CLI has evolved alongside Vault, adding features to support new functionalities and improve usability. It is designed for developers, operations teams, and security professionals.