2015-04-10 05:52:02 +00:00
---
2020-01-18 00:18:09 +00:00
layout: docs
page_title: Commands (CLI)
2015-04-10 05:52:02 +00:00
description: |-
2017-09-08 02:14:50 +00:00
In addition to a verbose HTTP API, Vault features a command-line interface
that wraps common functionality and formats output. The Vault CLI is a single
static binary. It is a thin wrapper around the HTTP API. Every CLI command
maps directly to the HTTP API internally.
2015-04-10 05:52:02 +00:00
---
# Vault Commands (CLI)
2022-04-21 16:17:24 +00:00
~> **Note:** The Vault command-line interface (CLI) changed substantially in
0.9.2+ and may cause confusion while using older versions of Vault with this
documentation. Read our [upgrade
guide](/docs/upgrading/upgrade-to-0.9.2#backwards-compatible-cli-changes) for
more information.
2018-01-30 18:30:47 +00:00
2022-04-21 16:17:24 +00:00
In addition to a verbose [HTTP API](/api-docs), Vault features a command-line
interface (CLI) that wraps common functionality and formats output. The Vault
CLI is a single static binary. It is a thin wrapper around the HTTP API. Every
CLI command maps directly to the HTTP API internally.
2022-04-08 16:58:50 +00:00
2019-01-15 19:24:50 +00:00
## CLI Command Structure
2022-04-21 16:17:24 +00:00
Each command is represented as a command or subcommand, and there are a number
of command and subcommand options available: HTTP options, output options, and
command-specific options.
2019-01-15 19:24:50 +00:00
Construct your Vault CLI command such that the command options precede its path
and arguments if any:
2022-04-21 16:17:24 +00:00
<CodeBlockConfig hideClipboard>
2019-01-15 19:24:50 +00:00
```text
vault <command> [options] [path] [args]
```
2022-04-21 16:17:24 +00:00
</CodeBlockConfig>
2020-01-22 20:05:41 +00:00
- `options` - [Flags](/docs/commands#flags) to specify additional settings
2019-01-15 19:24:50 +00:00
- `args` - API arguments specific to the operation
2022-04-21 16:17:24 +00:00
-> **NOTE:** Use the [command help](#command-help) to display available options
and arguments.
2019-01-15 19:24:50 +00:00
#### Examples:
The following `write` command creates a new user (`bob`) in the userpass auth
method. It passes the `-address` flag to specify the Vault server address which
precedes the path (`auth/userpass/users/bob`) and its
2022-03-18 01:14:48 +00:00
[argument](/api-docs/auth/userpass#create-update-user)
2019-01-15 19:24:50 +00:00
(`password="long-password"`) at last.
2020-05-21 17:18:17 +00:00
```shell-session
2019-01-15 19:24:50 +00:00
$ vault write -address="http://127.0.0.1:8200" auth/userpass/users/bob password="long-password"
```
If multiple options (`-address` and `-namespace`) and
2022-03-18 01:14:48 +00:00
[arguments](/api-docs/auth/userpass#create-update-user) (`password` and
2019-01-15 19:24:50 +00:00
`policies`) are specified, the command would look like:
2020-05-21 17:18:17 +00:00
```shell-session
2019-01-15 19:24:50 +00:00
$ vault write -address="http://127.0.0.1:8200" -namespace="my-organization" \
auth/userpass/users/bob password="long-password" policies="admin"
```
The options (flags) come after the command (or subcommand) preceding the path,
and the args always follow the path to set API parameter values.
2022-04-21 16:17:24 +00:00
The four most common operations in Vault are [read](/docs/commands/read),
[write](/docs/commands/write), [delete](/docs/commands/delete), and
[list](/docs/commands/list). These operations work on most paths in Vault. Some
paths will contain secrets while other paths may contain configuration. Whatever it
is, the primary interface for reading and writing data to Vault is similar.
2017-09-08 02:14:50 +00:00
2022-04-21 16:17:24 +00:00
### Print cURL Command
2017-09-08 02:14:50 +00:00
2022-04-21 16:17:24 +00:00
To see the equivalent API call to perform the same operation, use the
`-output-curl-string` flag after the subcommand.
2017-09-08 02:14:50 +00:00
2022-04-21 16:17:24 +00:00
```shell-session
$ vault write -output-curl-string auth/userpass/users/bob password="long-password"
2017-09-08 02:14:50 +00:00
2022-04-21 16:17:24 +00:00
curl -X PUT -H "X-Vault-Request: true" -H "X-Vault-Token: $(vault print token)" -d '{"password":"long-password"}' http://127.0.0.1:8200/v1/auth/userpass/users/bob
```
2017-08-24 22:23:40 +00:00
2022-07-07 19:54:27 +00:00
#### Print Policy Requirements
To view the policy requirements to perform an operation, use the `-output-policy` flag after the subcommand.
```
$ vault kv put -output-policy kv/secret value=itsasecret
path "kv/data/secret" {
capabilities = ["create", "update"]
}
```
2022-04-21 16:17:24 +00:00
## Command Help
2017-08-24 22:23:40 +00:00
2022-04-21 16:17:24 +00:00
There are two primary ways to get help in Vault: [CLI help (`help`)](#cli-help)
and [API help (`path-help`)](#api-help).
2017-09-08 02:14:50 +00:00
2022-04-21 16:17:24 +00:00
### CLI Help
Use `help` (or `-h` for shorthand) to see the CLI help output which corresponds
to your Vault version.
To get CLI help:
2017-09-08 02:14:50 +00:00
2020-05-21 17:18:17 +00:00
```shell-session
2022-04-21 16:17:24 +00:00
$ vault help
2017-09-08 02:14:50 +00:00
```
2022-04-21 16:17:24 +00:00
**Example:** To get help on the `kv` command.
2017-09-08 02:14:50 +00:00
2022-04-21 16:17:24 +00:00
```shell-session
$ vault kv help
```
2017-09-08 02:14:50 +00:00
2022-04-21 16:17:24 +00:00
The help output displays available subcommands, parameters, and command flags.
2017-09-08 02:14:50 +00:00
2022-04-21 16:17:24 +00:00
### API Help
2017-09-08 02:14:50 +00:00
2022-04-21 16:17:24 +00:00
To invoke the Vault API paths, you can use the [read](/docs/commands/read) (for
HTTP GET), [write](/docs/commands/write) (for HTTP PUT or POST),
[delete](/docs/commands/delete) (for HTTP DELETE), and
[list](/docs/commands/list) (for HTTP LIST) commands.
2018-08-13 21:09:48 +00:00
2022-04-21 16:17:24 +00:00
Use `path-help` to get Vault API help:
2018-08-13 21:09:48 +00:00
2022-04-21 16:17:24 +00:00
```shell-session
$ vault path-help -h
```
2018-08-13 21:09:48 +00:00
2022-04-21 16:17:24 +00:00
The `path-help` retrieves API help on any API paths. Vault API paths provide
built-in help in markdown format. This includes system paths, secret engines,
and auth methods.
2017-08-24 22:23:40 +00:00
2022-04-21 16:17:24 +00:00
**Example:** API help on the [`sys/mounts/`](/api-docs/system/mounts) path.
```shell-session
$ vault path-help sys/mounts
Request: mounts
Matching Route: ^mounts$
List the currently mounted backends.
## DESCRIPTION
This path responds to the following HTTP methods.
GET /
Lists all the mounted secret backends.
GET /<mount point>
Get information about the mount at the specified path.
POST /<mount point>
Mount a new secret backend to the mount point in the URL.
POST /<mount point>/tune
Tune configuration parameters for the given mount point.
DELETE /<mount point>
Unmount the specified mount point.
```
The help output displays supported child-paths and available parameters if there
are any.
## Command Input
To write data to Vault, the input can be a part of the command in key-value
format.
2017-09-08 02:14:50 +00:00
2020-05-21 17:18:17 +00:00
```shell-session
2018-04-04 06:22:41 +00:00
$ vault kv put secret/password value=itsasecret
2017-09-08 02:14:50 +00:00
```
2022-04-21 16:17:24 +00:00
However, some Vault API require more advanced structures such as maps. You can
use stdin or file input instead.
2017-09-08 02:14:50 +00:00
2022-04-21 16:17:24 +00:00
### stdin
2017-09-08 02:14:50 +00:00
Some commands in Vault can read data from stdin using `-` as the value. If `-`
is the entire argument, Vault expects to read a JSON object from stdin:
2020-05-21 17:18:17 +00:00
```shell-session
2018-04-04 06:22:41 +00:00
$ echo -n '{"value":"itsasecret"}' | vault kv put secret/password -
2017-09-08 02:14:50 +00:00
```
2018-08-13 21:09:48 +00:00
In addition to reading full JSON objects, Vault can read just a value from
2017-09-08 02:14:50 +00:00
stdin:
2020-05-21 17:18:17 +00:00
```shell-session
2018-04-04 06:22:41 +00:00
$ echo -n "itsasecret" | vault kv put secret/password value=-
2017-08-24 22:23:40 +00:00
```
2022-04-21 16:17:24 +00:00
### Files
2017-09-08 02:14:50 +00:00
Some commands can also read data from a file on disk. The usage is similar to
stdin as documented above. If an argument starts with `@`, Vault will read it as
a file:
2020-05-21 17:18:17 +00:00
```shell-session
2018-04-04 06:22:41 +00:00
$ vault kv put secret/password @data.json
2017-09-08 02:14:50 +00:00
```
Or specify the contents of a file as a value:
2020-05-21 17:18:17 +00:00
```shell-session
2018-04-04 06:22:41 +00:00
$ vault kv put secret/password value=@data.txt
2017-09-08 02:14:50 +00:00
```
2022-03-10 20:09:45 +00:00
Note that if an argument is supplied in a @key=value format, Vault will treat that as a
2021-09-07 20:15:33 +00:00
kv pair with the key being `@key`, not a file called `key=value`. This also means that Vault
does not support filenames with `=` in them.
2022-06-15 23:07:50 +00:00
## Mount flag syntax (KV)
2022-07-07 19:54:27 +00:00
All `kv` commands can alternatively refer to the path to the KV secrets engine using a flag-based syntax like `$ vault kv get -mount=secret password`
instead of `$ vault kv get secret/password`. The mount flag syntax was created to mitigate confusion caused by the fact that for KV v2 secrets,
their full path (used in policies and raw API calls) actually contains a nested `/data/` element (e.g. `secret/data/password`) which can be easily overlooked when using
2022-06-15 23:07:50 +00:00
the above KV v1-like syntax `secret/password`. To avoid this confusion, all KV-specific docs pages will use the `-mount` flag.
2022-04-21 16:17:24 +00:00
## Exit Codes
The Vault CLI aims to be consistent and well-behaved unless documented
otherwise.
2017-09-08 02:14:50 +00:00
2022-04-21 16:17:24 +00:00
- Local errors such as incorrect flags, failed validations, or wrong numbers
of arguments return an exit code of 1.
- Any remote errors such as API failures, bad TLS, or incorrect API parameters
return an exit status of 2
Some commands override this default where it makes sense. These commands
document this anomaly.
## Autocompletion
The `vault` command features opt-in autocompletion for flags, subcommands, and
arguments (where supported).
Enable autocompletion by running:
2017-09-08 02:14:50 +00:00
2020-05-21 17:18:17 +00:00
```shell-session
2022-04-21 16:17:24 +00:00
$ vault -autocomplete-install
2017-08-24 22:23:40 +00:00
```
2017-09-08 02:14:50 +00:00
2022-04-21 16:17:24 +00:00
~> Be sure to **restart your shell** after installing autocompletion!
When you start typing a Vault command, press the `<tab>` character to show a
list of available completions. Type `-<tab>` to show available flag completions.
If the `VAULT_*` environment variables are set, the autocompletion will
automatically query the Vault server and return helpful argument suggestions.
2017-09-08 02:14:50 +00:00
## Token Helper
By default, the Vault CLI uses a "token helper" to cache the token after
authentication. This is conceptually similar to how a website securely stores
your session information as a cookie in the browser. Token helpers are
customizable, and you can even build your own.
The default token helper stores the token in `~/.vault-token`. You can delete
this file at any time to "logout" of Vault.
## Environment Variables
The CLI reads the following environment variables to set behavioral defaults.
This can alleviate the need to repetitively type a flag. Flags always take
precedence over the environment variables.
### `VAULT_TOKEN`
Vault authentication token. Conceptually similar to a session token on a
website, the `VAULT_TOKEN` environment variable holds the contents of the token.
For more information, please see the [token
2020-01-22 20:05:41 +00:00
concepts](/docs/concepts/tokens) page.
2017-09-08 02:14:50 +00:00
### `VAULT_ADDR`
Address of the Vault server expressed as a URL and port, for example:
2018-03-26 19:02:22 +00:00
`https://127.0.0.1:8200/`.
2017-09-08 02:14:50 +00:00
### `VAULT_CACERT`
Path to a PEM-encoded CA certificate _file_ on the local disk. This file is used
to verify the Vault server's SSL certificate. This environment variable takes
precedence over `VAULT_CAPATH`.
### `VAULT_CAPATH`
Path to a _directory_ of PEM-encoded CA certificate files on the local disk.
These certificates are used to verify the Vault server's SSL certificate.
### `VAULT_CLIENT_CERT`
Path to a PEM-encoded client certificate on the local disk. This file is used
for TLS communication with the Vault server.
### `VAULT_CLIENT_KEY`
Path to an unencrypted, PEM-encoded private key on disk which corresponds to the
matching client certificate.
### `VAULT_CLIENT_TIMEOUT`
Timeout variable. The default value is 60s.
### `VAULT_CLUSTER_ADDR`
Address that should be used for other cluster members to connect to this node
when in High Availability mode.
2020-06-08 14:40:03 +00:00
### `VAULT_FORMAT`
Provide Vault output (read/status/write) in the specified format. Valid formats are "table", "json", or "yaml".
2021-06-18 16:19:18 +00:00
### `VAULT_LICENSE`
2022-04-21 16:17:24 +00:00
[Enterprise, Server only] Specify a license to use for this node. This takes
2021-06-18 16:19:18 +00:00
precedence over [#VAULT_LICENSE_PATH](#vault_license_path) and
[license_path in config](/docs/configuration#license_path).
### `VAULT_LICENSE_PATH`
[Enterprise, Server only] Specify a path to a license on disk to use for this node.
This takes precedence over [license_path in config](/docs/configuration#license_path).
2017-09-08 02:14:50 +00:00
### `VAULT_MAX_RETRIES`
2022-03-10 20:09:45 +00:00
Maximum number of retries when certain error codes are encountered. The default
is `2`, for three total attempts. Set this to `0` or less to disable retrying.
Error codes that are retried are 412 (client consistency requirement not
satisfied) and all 5xx except for 501 (not implemented).
2017-09-08 02:14:50 +00:00
### `VAULT_REDIRECT_ADDR`
Address that should be used when clients are redirected to this node when in
High Availability mode.
### `VAULT_SKIP_VERIFY`
Do not verify Vault's presented certificate before communicating with it.
Setting this variable is not recommended and voids Vault's [security
2020-01-22 20:05:41 +00:00
model](/docs/internals/security).
2017-09-08 02:14:50 +00:00
### `VAULT_TLS_SERVER_NAME`
Name to use as the SNI host when connecting via TLS.
2018-02-12 23:12:16 +00:00
### `VAULT_CLI_NO_COLOR`
If provided, Vault output will not include ANSI color escape sequence characters.
2018-05-11 14:42:06 +00:00
### `VAULT_RATE_LIMIT`
2019-05-06 11:24:37 +00:00
This environment variable will limit the rate at which the `vault` command
2018-05-11 14:42:06 +00:00
sends requests to Vault.
2019-05-06 11:24:37 +00:00
This environment variable has the format `rate[:burst]` (where items in `[]` are
2019-01-15 19:24:50 +00:00
optional). If not specified, the burst value defaults to rate. Both rate and
2018-05-11 14:42:06 +00:00
burst are specified in "operations per second". If the environment variable is
2020-01-18 00:18:09 +00:00
not specified, then the rate and burst will be unlimited _i.e._ rate
2018-05-11 14:42:06 +00:00
limiting is off by default.
2020-01-18 00:18:09 +00:00
_Note:_ The rate is limited for each invocation of the `vault` CLI. Since
2018-05-11 14:42:06 +00:00
each invocation of the `vault` CLI typically only makes a few requests,
2019-05-06 11:24:37 +00:00
this environment variable is most useful when using the Go
2022-03-18 01:14:48 +00:00
[Vault client API](/api-docs/libraries#go).
2018-05-11 14:42:06 +00:00
2018-09-28 00:08:14 +00:00
### `VAULT_NAMESPACE`
The namespace to use for the command. Setting this is not necessary
but allows using relative paths.
2020-03-11 13:22:58 +00:00
### `VAULT_SRV_LOOKUP`
Enables the client to lookup the host through DNS SRV look up as described in this
[draft](https://tools.ietf.org/html/draft-andrews-http-srv-02).
This is not designed for high-availability, just discovery.
The draft specifies that the SRV record lookup is ignored if a port is given.
2017-09-08 02:14:50 +00:00
### `VAULT_MFA`
**ENTERPRISE ONLY**
MFA credentials in the format `mfa_method_name[:key[=value]]` (items in `[]` are
optional). Note that when using the environment variable, only one credential
can be supplied. If a MFA method expects multiple credential values, or if there
are multiple MFA methods specified on a path, then the CLI flag `-mfa` should be
used.
2018-09-28 00:08:14 +00:00
2021-10-06 16:40:31 +00:00
### `VAULT_HTTP_PROXY`
2022-05-24 17:38:51 +00:00
HTTP or HTTPS proxy location which should be used by all requests to access Vault.
When present, this overrides the default proxy resolution behavior.
Format should be `http://server:port` or `https://server:port`.
(See `VAULT_PROXY_ADDR` below).
### `VAULT_PROXY_ADDR`
HTTP or HTTPS proxy location which should be used by all requests to access Vault.
When present, this overrides the default proxy resolution behavior.
Format should be `http://server:port` or `https://server:port`.
~> Note: When using `VAULT_HTTP_PROXY` or `VAULT_PROXY_ADDR` any of the standard
proxy variables found in the environment will be ignored.
Specifically `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY`.
All requests will resolve the specified proxy; there is no way to exclude
domains from consulting the proxy server.
~> Note: If both `VAULT_HTTP_PROXY` and `VAULT_PROXY_ADDR` environment
variables are supplied, `VAULT_PROXY_ADDR` will be prioritized and preferred.
2021-10-06 16:40:31 +00:00
2018-09-28 00:08:14 +00:00
## Flags
2018-12-12 13:56:58 +00:00
There are different CLI flags that are available depending on subcommands. Some
2018-09-28 00:08:14 +00:00
flags, such as those used for setting HTTP and output options, are available
2021-10-13 01:50:20 +00:00
globally, while others are specific to a particular subcommand. For a complete
2018-09-28 00:08:14 +00:00
list of available flags, run:
2020-05-21 17:18:17 +00:00
```shell-session
2018-09-28 00:08:14 +00:00
$ vault <subcommand> -h
2018-12-12 13:56:58 +00:00
```