vault
31 commands
31 shown
Login with token
Authenticate to Vault using a token
vault login <token>
Login with AppRole
Authenticate via AppRole auth method
vault write auth/approle/login role_id=<role> secret_id=<secret>
KV get secret
Read a KV v2 secret; add -format=json for scripting
vault kv get -mount=secret path/to/secret
KV put secret
Write or update a KV v2 secret
vault kv put -mount=secret path/to/secret key=value
KV list secrets
List all keys under a KV path
vault kv list -mount=secret path/to/
KV delete secret
Soft-delete the latest version of a KV secret
vault kv delete -mount=secret path/to/secret
KV metadata — secret history
See all versions, creation dates, deletion status
vault kv metadata get -mount=secret path/to/secret
Create token with policy
Issue a short-lived token limited to a specific policy
vault token create -policy=read-only -ttl=1h
List auth methods
Show all enabled auth backends in Vault
vault auth list
Enable Kubernetes auth
Enable and configure Kubernetes auth method
vault auth enable kubernetes && vault write auth/kubernetes/config kubernetes_host=https://$KUBERNETES_PORT_443_TCP_ADDR:443
Create Kubernetes role
Bind a k8s ServiceAccount to a Vault policy
vault write auth/kubernetes/role/my-role bound_service_account_names=<sa> bound_service_account_namespaces=<ns> policies=<policy> ttl=1h
Write policy
Upload an HCL policy file to Vault
vault policy write my-policy policy.hcl
List policies
List all policies in Vault
vault policy list
Enable secrets engine
Mount a new secrets engine at a given path
vault secrets enable -path=myapp kv-v2
Transit encrypt
Encrypt data using Vault's transit encryption engine
vault write transit/encrypt/my-key plaintext=$(echo -n 'secret' | base64)
Transit decrypt
Decrypt a ciphertext with transit engine
vault write transit/decrypt/my-key ciphertext=vault:v1:... | base64 -d
Token lookup self
Show TTL, policies, and capabilities of current token
vault token lookup
Renew token
Extend the current token's TTL
vault token renew
Vault status
Show seal status, HA mode, cluster info
vault status
Enable KV v2 secrets engine
Mount a KV version 2 secrets engine at 'secret/'
vault secrets enable -path=secret kv-v2
Write a secret
Store multiple key-value pairs at a path
vault kv put secret/myapp/config db_password=s3cr3t api_key=abc123
Read a secret
Read a KV v2 secret and extract the data payload
vault kv get -format=json secret/myapp/config | jq '.data.data'
List secrets at path
List all keys under a KV v2 prefix
vault kv list secret/myapp/
Create periodic token
Issue a renewable token with a 24h TTL for CI
vault token create -policy=read-only -period=24h -display-name=ci-pipeline
Enable Kubernetes auth method
Allow pods to authenticate with Vault via ServiceAccount JWT
vault auth enable kubernetes && vault write auth/kubernetes/config kubernetes_host=https://kubernetes.default.svc
Generate dynamic DB credentials
Obtain short-lived Postgres credentials from the database secrets engine
vault read database/creds/readonly-role
Seal / unseal Vault
Manually seal or unseal Vault with an unseal key shard
vault operator seal
vault operator unseal $UNSEAL_KEY
Patch one KV field
Update one field without rewriting the whole secret; note: kv patch needs KV-v2
vault kv patch -mount=secret app api_key=<id>
Response wrapping handoff
Pass a secret as a single-use wrapping token; note: any reuse trips a security alarm
T=$(vault kv get -wrap-ttl=60s -field=wrapping_token -mount=secret app); vault unwrap $T
Check token path capabilities
Show effective ACL verbs the current token has on a path; fast policy debugging
vault token capabilities database/creds/readonly
Revoke a dynamic lease
Revoke all leases under a prefix to kill leaked dynamic DB creds instantly
vault lease revoke -prefix database/creds/readonly
no commands match