vault

31 commands

31 shown

Login with token Authenticate to Vault using a token vault login <token> #vault Login with AppRole Authenticate via AppRole auth method vault write auth/approle/login role_id=<role> secret_id=<secret> #vault KV get secret Read a KV v2 secret; add -format=json for scripting vault kv get -mount=secret path/to/secret #vault#secrets KV put secret Write or update a KV v2 secret vault kv put -mount=secret path/to/secret key=value #vault#secrets KV list secrets List all keys under a KV path vault kv list -mount=secret path/to/ #vault#secrets KV delete secret Soft-delete the latest version of a KV secret vault kv delete -mount=secret path/to/secret #vault#secrets KV metadata — secret history See all versions, creation dates, deletion status vault kv metadata get -mount=secret path/to/secret #vault#secrets Create token with policy Issue a short-lived token limited to a specific policy vault token create -policy=read-only -ttl=1h #vault List auth methods Show all enabled auth backends in Vault vault auth list #vault Enable Kubernetes auth Enable and configure Kubernetes auth method vault auth enable kubernetes && vault write auth/kubernetes/config kubernetes_host=https://$KUBERNETES_PORT_443_TCP_ADDR:443 #vault#config Create Kubernetes role Bind a k8s ServiceAccount to a Vault policy vault write auth/kubernetes/role/my-role bound_service_account_names=<sa> bound_service_account_namespaces=<ns> policies=<policy> ttl=1h #vault#config Write policy Upload an HCL policy file to Vault vault policy write my-policy policy.hcl #vault#config List policies List all policies in Vault vault policy list #vault Enable secrets engine Mount a new secrets engine at a given path vault secrets enable -path=myapp kv-v2 #vault#config Transit encrypt Encrypt data using Vault's transit encryption engine vault write transit/encrypt/my-key plaintext=$(echo -n 'secret' | base64) #vault#secrets Transit decrypt Decrypt a ciphertext with transit engine vault write transit/decrypt/my-key ciphertext=vault:v1:... | base64 -d #vault#secrets Token lookup self Show TTL, policies, and capabilities of current token vault token lookup #vault Renew token Extend the current token's TTL vault token renew #vault Vault status Show seal status, HA mode, cluster info vault status #vault#debug Enable KV v2 secrets engine Mount a KV version 2 secrets engine at 'secret/' vault secrets enable -path=secret kv-v2 #vault#security Write a secret Store multiple key-value pairs at a path vault kv put secret/myapp/config db_password=s3cr3t api_key=abc123 #vault#security Read a secret Read a KV v2 secret and extract the data payload vault kv get -format=json secret/myapp/config | jq '.data.data' #vault#security List secrets at path List all keys under a KV v2 prefix vault kv list secret/myapp/ #vault#security Create periodic token Issue a renewable token with a 24h TTL for CI vault token create -policy=read-only -period=24h -display-name=ci-pipeline #vault#security#ci Enable Kubernetes auth method Allow pods to authenticate with Vault via ServiceAccount JWT vault auth enable kubernetes && vault write auth/kubernetes/config kubernetes_host=https://kubernetes.default.svc #vault#security#kubectl Generate dynamic DB credentials Obtain short-lived Postgres credentials from the database secrets engine vault read database/creds/readonly-role #vault#security#postgres Seal / unseal Vault Manually seal or unseal Vault with an unseal key shard vault operator seal vault operator unseal $UNSEAL_KEY #vault#security Patch one KV field Update one field without rewriting the whole secret; note: kv patch needs KV-v2 vault kv patch -mount=secret app api_key=<id> #vault#secrets#troubleshooting Response wrapping handoff Pass a secret as a single-use wrapping token; note: any reuse trips a security alarm T=$(vault kv get -wrap-ttl=60s -field=wrapping_token -mount=secret app); vault unwrap $T #vault#secrets#security#troubleshooting Check token path capabilities Show effective ACL verbs the current token has on a path; fast policy debugging vault token capabilities database/creds/readonly #vault#security#troubleshooting#observability Revoke a dynamic lease Revoke all leases under a prefix to kill leaked dynamic DB creds instantly vault lease revoke -prefix database/creds/readonly #vault#security#troubleshooting#secrets
no commands match