open-vault/website/source/docs/commands/read-write.html.md

---
layout: "docs"
page_title: "Reading and Writing Data"
sidebar_current: "docs-commands-readwrite"
description: |-
  The Vault CLI can be used to read, write, and delete secrets. This page documents how to do this.
---
# Reading and Writing Data with the CLI
The Vault CLI can be used to read, write, and delete data from Vault.
This data might be raw secrets, it might be configuration for
a backend, etc. Whatever it is, the interface to read and write data
to Vault is the same.
To determine what paths can be used to read and write data,
please use the built-in [help system](/docs/commands/help.html)
to discover the paths.
## Writing Data
To write data to Vault, you use `vault write`. It is very easy to use:
```
$ vault write secret/password \
    value=itsasecret
...
```
The above writes a value to `secret/password`. As mentioned in the getting
started guide, multiple values can also be written:
```
$ vault write secret/password \
    value=itsasecret \
    username=something
...
```
For the `secret/` backend, the key/value pairs are arbitrary and can be
anything. For other backends, they're generally more strict, and the
help system can tell you what data to send to Vault.
In addition to writing key/value pairs given on the command line, Vault can
read the data to write from a variety of other sources.
#### stdin
`vault write` can read data to write from stdin by using "-" as the value.
If you use "-" as the entire argument, then Vault expects to read a JSON
object from stdin. The example below is equivalent to the first example
above.
```
$ echo -n '{"value":"itsasecret"}' | vault write secret/password -
...
```
You can also add more values in addition to "-" on the command line.
Their position relative to the "-" determines which values win: values
that come after the "-" overwrite the values from stdin, and values that
come before it are overwritten by the values from stdin.
In addition to reading full JSON objects, Vault can read just a JSON
value. The example below is also identical to the previous example.
```
$ echo -n "itsasecret" | vault write secret/password value=-
...
```
#### Files
`vault write` can read data from files as well. The usage is very similar
to stdin as documented above, but the syntax is `@filename`. Example:
```
$ cat data.json
{ "value": "itsasecret" }
$ vault write secret/password @data.json
...
```
And, just like stdin, you can also specify just values:
```
$ cat data.txt
itsasecret
$ vault write secret/password value=@data.txt
```
Unlike stdin, you can specify multiple files, repeat files, etc. all
on the command line. Reading from files is very useful for complex data.
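
The following is an added example, not code from Vault or from the original page: a small Python model of the stdin and file argument forms and the overwrite ordering described above, useful for checking which value ends up in the payload. The function name `build_payload` is hypothetical, and two details are assumptions: files follow the same left-to-right overwrite rule as stdin, and `key=-` / `key=@file` contents are used verbatim.

```python
import io
import json


def build_payload(args, stdin):
    """Merge `vault write`-style data arguments left to right (model only)."""
    payload = {}
    stdin_used = False

    def read(source):
        # "-" means stdin, "@name" means the file called name.
        nonlocal stdin_used
        if source == "-":
            if stdin_used:
                raise ValueError("stdin can only be consumed once")
            stdin_used = True
            return stdin.read()
        with open(source[1:], encoding="utf-8") as fh:
            return fh.read()

    for arg in args:
        if arg == "-" or arg.startswith("@"):
            # Whole-argument form: the source must hold a JSON object.
            obj = json.loads(read(arg))
            if not isinstance(obj, dict):
                raise ValueError(f"{arg}: expected a JSON object")
            payload.update(obj)  # later arguments overwrite earlier ones
            continue
        key, sep, value = arg.partition("=")
        if not sep or not key:
            raise ValueError(f"{arg!r}: expected key=value, @file or -")
        if value == "-" or value.startswith("@"):
            # Value form: contents are used verbatim (assumption), not parsed.
            value = read(value)
        payload[key] = value
    return payload


if __name__ == "__main__":
    doc = '{"value": "from-stdin"}'  # constructed sample input
    print(build_payload(["value=from-cli", "-"], io.StringIO(doc)))
    print(build_payload(["-", "value=from-cli"], io.StringIO(doc)))
```
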
## Reading Data
Data can be read using `vault read`. This command is very simple:
```
$ vault read secret/password
Key             Value
lease_id        secret/password/76c844fb-aeba-a766-0a50-2b907072233a
lease_duration  2592000
value           itsasecret
```
You can use the `-format` flag to get the output in different formats.
Some formats are easier to use in different environments than others.
You can also use the `-field` flag to extract an individual field
from the secret data.
```
$ vault read -field=value secret/password
itsasecret
```