2017-03-08 02:47:23 +00:00
|
|
|
|
---
|
|
|
|
|
|
layout: "docs"
|
|
|
|
|
|
page_title: "Server Configuration"
|
|
|
|
|
|
sidebar_current: "docs-configuration"
|
|
|
|
|
|
description: |-
|
|
|
|
|
|
Vault server configuration reference.
|
|
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
|
|
# Vault Configuration
|
|
|
|
|
|
|
|
|
|
|
|
Outside of development mode, Vault servers are configured using a file.
|
|
|
|
|
|
The format of this file is [HCL](https://github.com/hashicorp/hcl) or JSON.
|
|
|
|
|
|
An example configuration is shown below:
|
|
|
|
|
|
|
|
|
|
|
|
```javascript
|
2017-03-08 14:17:00 +00:00
|
|
|
|
storage "consul" {
|
2017-03-08 02:47:23 +00:00
|
|
|
|
address = "127.0.0.1:8500"
|
|
|
|
|
|
path = "vault"
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
listener "tcp" {
|
|
|
|
|
|
address = "127.0.0.1:8200"
|
|
|
|
|
|
tls_disable = 1
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
telemetry {
|
|
|
|
|
|
statsite_address = "127.0.0.1:8125"
|
|
|
|
|
|
disable_hostname = true
|
|
|
|
|
|
}
|
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
After the configuration is written, use the `-config` flag with `vault server`
|
|
|
|
|
|
to specify where the configuration is.
|
|
|
|
|
|
|
|
|
|
|
|
## Parameters
|
|
|
|
|
|
|
2017-03-14 14:11:47 +00:00
|
|
|
|
- `storage` <tt>([StorageBackend][storage-backend]: \<required\>)</tt> –
|
2017-03-08 02:47:23 +00:00
|
|
|
|
Configures the storage backend where Vault data is stored. Please see the
|
|
|
|
|
|
[storage backends documentation][storage-backend] for the full list of
|
2017-03-11 14:43:14 +00:00
|
|
|
|
available storage backends. Running Vault in HA mode would require
|
|
|
|
|
|
coordination semantics to be supported by the backend. If the storage backend
|
|
|
|
|
|
supports HA coordination, HA backend options can also be specified in this
|
|
|
|
|
|
parameter block. If not, a separate `ha_storage` parameter should be
|
|
|
|
|
|
configured with a backend that supports HA, along with corresponding HA
|
|
|
|
|
|
options.
|
2017-03-08 02:47:23 +00:00
|
|
|
|
|
2017-03-14 14:11:47 +00:00
|
|
|
|
- `ha_storage` <tt>([StorageBackend][storage-backend]: nil)</tt> – Configures
|
2017-03-08 02:47:23 +00:00
|
|
|
|
the storage backend where Vault HA coordination will take place. This must be
|
|
|
|
|
|
an HA-supporting backend. If not set, HA will be attempted on the backend
|
2017-03-11 14:43:14 +00:00
|
|
|
|
given in the `storage` parameter. This parameter is not required if the
|
|
|
|
|
|
storage backend supports HA coordination and if HA specific options are
|
|
|
|
|
|
already specified with `storage` parameter.
|
2017-03-08 02:47:23 +00:00
|
|
|
|
|
|
|
|
|
|
- `cluster_name` `(string: <generated>)` – Specifies the identifier for the
|
|
|
|
|
|
Vault cluster. If omitted, Vault will generate a value. When connecting to
|
|
|
|
|
|
Vault Enterprise, this value will be used in the interface.
|
|
|
|
|
|
|
2017-03-14 14:11:47 +00:00
|
|
|
|
- `listener` <tt>([Listener][listener]: \<required\>)</tt> – Configures how
|
2017-03-08 02:47:23 +00:00
|
|
|
|
Vault is listening for API requests.
|
|
|
|
|
|
|
2017-05-19 16:32:44 +00:00
|
|
|
|
- `cache_size` `(string: "32000")` – Specifies the size of the read cache used
|
|
|
|
|
|
by the physical storage subsystem will be set to this value. The value is in
|
2017-03-08 02:47:23 +00:00
|
|
|
|
number of entries so the total cache size is dependent on the entries being
|
|
|
|
|
|
stored.
|
|
|
|
|
|
|
|
|
|
|
|
- `disable_cache` `(bool: false)` – Disables all caches within Vault, including
|
|
|
|
|
|
the read cache used by the physical storage subsystem. This will very
|
|
|
|
|
|
significantly impact performance.
|
|
|
|
|
|
|
|
|
|
|
|
- `disable_mlock` `(bool: false)` – Disables the server from executing the
|
|
|
|
|
|
`mlock` syscall. `mlock` prevents memory from being swapped to disk. Disabling
|
|
|
|
|
|
`mlock` is not recommended in production, but is fine for local development
|
|
|
|
|
|
and testing.
|
|
|
|
|
|
|
|
|
|
|
|
Disabling `mlock` is not recommended unless the systems running Vault only
|
|
|
|
|
|
use encrypted swap or do not use swap at all. Vault only supports memory
|
2017-05-01 21:36:37 +00:00
|
|
|
|
locking on UNIX-like systems that support the mlock() syscall (Linux, FreeBSD, etc).
|
2017-04-22 20:56:01 +00:00
|
|
|
|
Non UNIX-like systems (e.g. Windows, NaCL, Android) lack the primitives to keep a
|
2017-03-08 02:47:23 +00:00
|
|
|
|
process's entire memory address space from spilling to disk and is therefore
|
|
|
|
|
|
automatically disabled on unsupported platforms.
|
|
|
|
|
|
|
|
|
|
|
|
On Linux, to give the Vault executable the ability to use the `mlock`
|
|
|
|
|
|
syscall without running the process as root, run:
|
|
|
|
|
|
|
|
|
|
|
|
```shell
|
|
|
|
|
|
sudo setcap cap_ipc_lock=+ep $(readlink -f $(which vault))
|
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
- `telemetry` <tt>([Telemetry][telemetry]: nil)</tt> – Specifies the telemetry
|
|
|
|
|
|
reporting system.
|
|
|
|
|
|
|
|
|
|
|
|
- `default_lease_ttl` `(string: "32d")` – Specifies the default lease duration
|
|
|
|
|
|
for tokens and secrets. This is specified using a label suffix like `"30s"` or
|
|
|
|
|
|
`"1h"`. This value cannot be larger than `max_lease_ttl`.
|
|
|
|
|
|
|
|
|
|
|
|
- `max_lease_ttl` `(string: "32d")` – Specifies the maximum possible lease
|
|
|
|
|
|
duration for tokens and secrets. This is specified using a label
|
|
|
|
|
|
suffix like `"30s"` or `"1h"`.
|
|
|
|
|
|
|
2017-05-01 21:36:37 +00:00
|
|
|
|
- `ui` `(bool: false, Enterprise-only)` – Enables the built-in web UI, which is
|
|
|
|
|
|
available on all listeners (address + port) at the `/ui` path. Browsers accessing
|
|
|
|
|
|
the standard Vault API address will automatically redirect there. This can also
|
|
|
|
|
|
be provided via the environment variable `VAULT_UI`.
|
2017-03-08 02:47:23 +00:00
|
|
|
|
|
|
|
|
|
|
[storage-backend]: /docs/configuration/storage/index.html
|
|
|
|
|
|
[listener]: /docs/configuration/listener/index.html
|
|
|
|
|
|
[telemetry]: /docs/configuration/telemetry.html
|
