open-vault/website/source/docs/commands/help.html.md

107 lines
4.1 KiB
Markdown
Raw Normal View History

2015-04-21 17:04:21 +00:00
---
layout: "docs"
2015-07-13 10:03:29 +00:00
page_title: "Path Help"
sidebar_current: "docs-commands-path-help"
2015-04-21 17:04:21 +00:00
description: |-
The Vault CLI has a built-in help system that can be used to get help for not only the CLI itself, but also any paths that the CLI can be used with within Vault.
---
# Help
In addition to standard CLI help using the `-h` or `-help` flag for
2015-07-13 10:03:29 +00:00
commands, Vault has a built-in `path-help` command that can be used to get
2015-04-21 17:04:21 +00:00
help for specific paths within Vault. These paths are used with the
API or `read, write, delete` commands in order to interact with Vault.
The help system is the easiest way to learn how to use the various systems
in Vault, and also allows you to discover new paths.
-> **Important!** The help system is incredibly important in day-to-day
use of Vault. As a beginner or experienced user of Vault, you'll be using
the help command a lot to remember how to use different components of
Vault. Note that the Vault Server must be running and the client configured
2015-07-13 10:03:29 +00:00
properly to execute this command to look up paths.
2015-04-21 17:04:21 +00:00
## Discovering Paths
2015-07-13 10:03:29 +00:00
Before using `path-help`, it is important to understand "paths" within Vault.
2015-04-21 17:04:21 +00:00
Paths are the parameters used for `vault read`, `vault write`, etc. An
example path is `secret/foo`, or `aws/config/root`. The paths available
depend on the mounted secret backends. Because of this, the interactive
2015-04-28 18:30:17 +00:00
help is an indispensable tool to finding what paths are supported.
2015-04-21 17:04:21 +00:00
2015-07-13 10:03:29 +00:00
To discover what paths are supported, use `vault path-help <mount point>`.
2015-04-21 17:04:21 +00:00
For example, if you mounted the AWS secret backend, you can use
2015-07-13 10:03:29 +00:00
`vault path-help aws` to find the paths supported by that backend. The paths
2015-04-21 17:04:21 +00:00
will be shown with regular expressions, which can make them hard to
parse, but they're also extremely exact.
2015-07-13 10:03:29 +00:00
You can try it right away with any Vault with `vault path-help secret`, since
2015-04-21 17:04:21 +00:00
`secret` is always mounted initially. The output from this command is shown
below and contains both a description of what that backend is for, along with
the paths it supports.
```
2015-07-13 10:03:29 +00:00
$ vault path-help secret
2015-04-21 17:04:21 +00:00
## DESCRIPTION
The key/value backend reads and writes arbitrary secrets to the backend.
2015-04-21 17:04:21 +00:00
The secrets are encrypted/decrypted by Vault: they are never stored
unencrypted in the backend and the backend never has an opportunity to
see the unencrypted value.
Leases can be set on a per-secret basis. These leases will be sent down
when that secret is read, and it is assumed that some outside process will
revoke and/or replace the secret at that path.
## PATHS
The following paths are supported by this backend. To view help for
any of the paths below, use the help command with any route matching
the path pattern. Note that depending on the policy of your auth token,
you may or may not be able to access certain paths.
^.*$
Pass-through secret storage to the storage backend, allowing you to
2015-04-21 17:04:21 +00:00
read/write arbitrary data into secret storage.
```
## Single Path
Once you've found a path you like, you can learn more about it by
2015-07-13 10:03:29 +00:00
using `vault path-help <path>` where "path" is a path that matches one of the
2015-04-21 17:04:21 +00:00
regular expressions from the backend help.
Or, if you saw an example online with `vault write` or some similar
2015-07-13 10:03:29 +00:00
command, you can plug that directly into `vault path-help` to learn about it
2015-04-21 17:04:21 +00:00
(assuming you have the proper backends mounted!).
For example, below we get the help for a single secret in the `secret/`
mount point. The help shows the operations that that path supports, the
parameters it takes (for write), and a description of that specific path.
```
2015-07-13 10:03:29 +00:00
$ vault path-help secret/password
2015-04-21 17:04:21 +00:00
Request: password
Matching Route: ^.*$
Pass-through secret storage to the storage backend, allowing you to
2015-04-21 17:04:21 +00:00
read/write arbitrary data into secret storage.
## PARAMETERS
lease (string)
Lease time for this key when read. Ex: 1h
## DESCRIPTION
The pass-through backend reads and writes arbitrary data into secret storage,
encrypting it along the way.
A lease can be specified when writing with the "lease" field. If given, then
when the secret is read, Vault will report a lease with that duration. It
is expected that the consumer of this backend properly writes renewed keys
before the lease is up. In addition, revocation must be handled by the
user of this backend.
```