2017-03-08 02:47:23 +00:00
|
|
|
|
---
|
2020-01-18 00:18:09 +00:00
|
|
|
|
layout: docs
|
|
|
|
|
page_title: Server Configuration
|
|
|
|
|
description: Vault server configuration reference.
|
2017-03-08 02:47:23 +00:00
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
# Vault Configuration
|
|
|
|
|
|
|
|
|
|
Outside of development mode, Vault servers are configured using a file.
|
|
|
|
|
The format of this file is [HCL](https://github.com/hashicorp/hcl) or JSON.
|
2022-04-08 19:27:04 +00:00
|
|
|
|
|
2022-05-27 22:08:19 +00:00
|
|
|
|
@include 'plugin-file-permissions-check.mdx'
|
2022-04-08 19:27:04 +00:00
|
|
|
|
|
2017-03-08 02:47:23 +00:00
|
|
|
|
An example configuration is shown below:
|
|
|
|
|
|
|
|
|
|
```javascript
|
2017-03-08 14:17:00 +00:00
|
|
|
|
storage "consul" {
|
2017-03-08 02:47:23 +00:00
|
|
|
|
address = "127.0.0.1:8500"
|
2022-07-14 19:27:31 +00:00
|
|
|
|
path = "vault/"
|
2017-03-08 02:47:23 +00:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
listener "tcp" {
|
|
|
|
|
address = "127.0.0.1:8200"
|
|
|
|
|
tls_disable = 1
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
telemetry {
|
|
|
|
|
statsite_address = "127.0.0.1:8125"
|
|
|
|
|
disable_hostname = true
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
After the configuration is written, use the `-config` flag with `vault server`
|
|
|
|
|
to specify where the configuration is.
|
|
|
|
|
|
|
|
|
|
## Parameters
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
- `storage` `([StorageBackend][storage-backend]: <required>)` –
|
2017-03-08 02:47:23 +00:00
|
|
|
|
Configures the storage backend where Vault data is stored. Please see the
|
|
|
|
|
[storage backends documentation][storage-backend] for the full list of
|
2017-03-11 14:43:14 +00:00
|
|
|
|
available storage backends. Running Vault in HA mode would require
|
|
|
|
|
coordination semantics to be supported by the backend. If the storage backend
|
|
|
|
|
supports HA coordination, HA backend options can also be specified in this
|
|
|
|
|
parameter block. If not, a separate `ha_storage` parameter should be
|
|
|
|
|
configured with a backend that supports HA, along with corresponding HA
|
|
|
|
|
options.
|
2017-03-08 02:47:23 +00:00
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
- `ha_storage` `([StorageBackend][storage-backend]: nil)` – Configures
|
2017-03-08 02:47:23 +00:00
|
|
|
|
the storage backend where Vault HA coordination will take place. This must be
|
|
|
|
|
an HA-supporting backend. If not set, HA will be attempted on the backend
|
2017-03-11 14:43:14 +00:00
|
|
|
|
given in the `storage` parameter. This parameter is not required if the
|
|
|
|
|
storage backend supports HA coordination and if HA specific options are
|
2020-07-23 14:56:00 +00:00
|
|
|
|
already specified with `storage` parameter. (Refer to [Use Integrated Storage
|
|
|
|
|
for HA
|
|
|
|
|
Coordination](https://learn.hashicorp.com/vault/operations/raft-ha-storage)
|
|
|
|
|
for a usage example.)
|
2017-03-08 02:47:23 +00:00
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
- `listener` `([Listener][listener]: <required>)` – Configures how
|
2017-03-08 02:47:23 +00:00
|
|
|
|
Vault is listening for API requests.
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
- `seal` `([Seal][seal]: nil)` – Configures the seal type to use for
|
2018-02-12 20:20:07 +00:00
|
|
|
|
auto-unsealing, as well as for
|
2017-11-14 17:26:58 +00:00
|
|
|
|
[seal wrapping][sealwrap] as an additional layer of data protection.
|
2017-11-14 11:13:11 +00:00
|
|
|
|
|
2018-02-12 20:20:07 +00:00
|
|
|
|
- `cluster_name` `(string: <generated>)` – Specifies the identifier for the
|
|
|
|
|
Vault cluster. If omitted, Vault will generate a value. When connecting to
|
|
|
|
|
Vault Enterprise, this value will be used in the interface.
|
|
|
|
|
|
2020-06-11 20:20:36 +00:00
|
|
|
|
- `cache_size` `(string: "131072")` – Specifies the size of the read cache used
|
2017-06-05 16:32:09 +00:00
|
|
|
|
by the physical storage subsystem. The value is in number of entries, so the
|
|
|
|
|
total cache size depends on the size of stored entries.
|
2017-03-08 02:47:23 +00:00
|
|
|
|
|
|
|
|
|
- `disable_cache` `(bool: false)` – Disables all caches within Vault, including
|
|
|
|
|
the read cache used by the physical storage subsystem. This will very
|
|
|
|
|
significantly impact performance.
|
|
|
|
|
|
|
|
|
|
- `disable_mlock` `(bool: false)` – Disables the server from executing the
|
|
|
|
|
`mlock` syscall. `mlock` prevents memory from being swapped to disk. Disabling
|
2020-10-01 22:31:03 +00:00
|
|
|
|
`mlock` is not recommended unless using [integrated storage](/docs/internals/integrated-storage).
|
|
|
|
|
Follow the additional security precautions outlined below when disabling `mlock`.
|
|
|
|
|
This can also be provided via the environment variable `VAULT_DISABLE_MLOCK`.
|
2017-03-08 02:47:23 +00:00
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
Disabling `mlock` is not recommended unless the systems running Vault only
|
|
|
|
|
use encrypted swap or do not use swap at all. Vault only supports memory
|
|
|
|
|
locking on UNIX-like systems that support the mlock() syscall (Linux, FreeBSD, etc).
|
|
|
|
|
Non UNIX-like systems (e.g. Windows, NaCL, Android) lack the primitives to keep a
|
|
|
|
|
process's entire memory address space from spilling to disk and is therefore
|
|
|
|
|
automatically disabled on unsupported platforms.
|
2017-03-08 02:47:23 +00:00
|
|
|
|
|
2020-06-05 22:02:55 +00:00
|
|
|
|
Disabling `mlock` is strongly recommended if using [integrated
|
|
|
|
|
storage](/docs/internals/integrated-storage) due to
|
|
|
|
|
the fact that `mlock` does not interact well with memory mapped files such as
|
|
|
|
|
those created by BoltDB, which is used by Raft to track state. When using
|
|
|
|
|
`mlock`, memory-mapped files get loaded into resident memory which causes
|
|
|
|
|
Vault's entire dataset to be loaded in-memory and cause out-of-memory
|
|
|
|
|
issues if Vault's data becomes larger than the available RAM. In this case,
|
|
|
|
|
even though the data within BoltDB remains encrypted at rest, swap should be
|
|
|
|
|
disabled to prevent Vault's other in-memory sensitive data from being dumped
|
|
|
|
|
into disk.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
On Linux, to give the Vault executable the ability to use the `mlock`
|
|
|
|
|
syscall without running the process as root, run:
|
2017-03-08 02:47:23 +00:00
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
```shell
|
|
|
|
|
sudo setcap cap_ipc_lock=+ep $(readlink -f $(which vault))
|
|
|
|
|
```
|
2017-03-08 02:47:23 +00:00
|
|
|
|
|
2020-06-22 17:05:15 +00:00
|
|
|
|
~> Note: Since each plugin runs as a separate process, you need to do the same
|
2020-06-05 22:02:55 +00:00
|
|
|
|
for each plugin in your [plugins
|
2022-03-22 20:07:32 +00:00
|
|
|
|
directory](/docs/plugins/plugin-architecture#plugin-directory).
|
2018-03-16 13:05:01 +00:00
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
If you use a Linux distribution with a modern version of systemd, you can add
|
|
|
|
|
the following directive to the "[Service]" configuration section:
|
2017-12-18 14:29:37 +00:00
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
```ini
|
|
|
|
|
LimitMEMLOCK=infinity
|
|
|
|
|
```
|
2017-12-04 15:56:16 +00:00
|
|
|
|
|
2017-06-03 12:11:03 +00:00
|
|
|
|
- `plugin_directory` `(string: "")` – A directory from which plugins are
|
|
|
|
|
allowed to be loaded. Vault must have permission to read files in this
|
2019-10-07 14:17:12 +00:00
|
|
|
|
directory to successfully load plugins, and the value cannot be a symbolic link.
|
2017-06-03 12:11:03 +00:00
|
|
|
|
|
2022-04-08 19:27:04 +00:00
|
|
|
|
@include 'plugin-file-permissions-check.mdx'
|
|
|
|
|
|
2022-05-27 22:08:19 +00:00
|
|
|
|
- `plugin_file_uid` `(integer: 0)` – Uid of the plugin directories and plugin binaries if they
|
|
|
|
|
are owned by an user other than the user running Vault. This only needs to be set if the
|
|
|
|
|
file permissions check is enabled via the environment variable `VAULT_ENABLE_FILE_PERMISSIONS_CHECK`.
|
2022-04-08 19:27:04 +00:00
|
|
|
|
|
|
|
|
|
- `plugin_file_permissions` `(string: "")` – Octal permission string of the plugin
|
2022-05-27 22:08:19 +00:00
|
|
|
|
directories and plugin binaries if they have write or execute permissions for group or others.
|
|
|
|
|
This only needs to be set if the file permissions check is enabled via the environment variable
|
|
|
|
|
`VAULT_ENABLE_FILE_PERMISSIONS_CHECK`.
|
2022-04-08 19:27:04 +00:00
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
- `telemetry` `([Telemetry][telemetry]: <none>)` – Specifies the telemetry
|
2017-03-08 02:47:23 +00:00
|
|
|
|
reporting system.
|
|
|
|
|
|
2018-09-05 19:52:54 +00:00
|
|
|
|
- `log_level` `(string: "")` – Specifies the log level to use; overridden by
|
2021-05-07 12:30:11 +00:00
|
|
|
|
CLI and env var parameters. On SIGHUP (`sudo kill -s HUP` *pid of vault*), Vault will update the log level to the
|
2018-09-05 19:52:54 +00:00
|
|
|
|
current value specified here (including overriding the CLI/env var
|
|
|
|
|
parameters). Not all parts of Vault's logging can have its level be changed
|
|
|
|
|
dynamically this way; in particular, secrets/auth plugins are currently not
|
2019-02-07 19:27:08 +00:00
|
|
|
|
updated dynamically. Supported log levels: Trace, Debug, Error, Warn, Info.
|
2019-10-07 14:17:12 +00:00
|
|
|
|
|
2019-07-18 19:59:27 +00:00
|
|
|
|
- `log_format` `(string: "")` – Specifies the log format to use; overridden by
|
|
|
|
|
CLI and env var parameters. Supported log formats: "standard", "json".
|
2018-09-05 19:52:54 +00:00
|
|
|
|
|
2017-06-20 14:12:59 +00:00
|
|
|
|
- `default_lease_ttl` `(string: "768h")` – Specifies the default lease duration
|
2017-03-08 02:47:23 +00:00
|
|
|
|
for tokens and secrets. This is specified using a label suffix like `"30s"` or
|
|
|
|
|
`"1h"`. This value cannot be larger than `max_lease_ttl`.
|
|
|
|
|
|
2017-06-20 14:12:59 +00:00
|
|
|
|
- `max_lease_ttl` `(string: "768h")` – Specifies the maximum possible lease
|
2017-03-08 02:47:23 +00:00
|
|
|
|
duration for tokens and secrets. This is specified using a label
|
2021-10-12 12:24:07 +00:00
|
|
|
|
suffix like `"30s"` or `"1h"`. Individual mounts can override this value
|
|
|
|
|
by tuning the mount with the `max-lease-ttl` flag of the
|
|
|
|
|
[auth](/docs/commands/auth/tune#max-lease-ttl) or
|
|
|
|
|
[secret](/docs/commands/secrets/tune#max-lease-ttl) commands.
|
2017-03-08 02:47:23 +00:00
|
|
|
|
|
2018-09-18 21:30:21 +00:00
|
|
|
|
- `default_max_request_duration` `(string: "90s")` – Specifies the default
|
|
|
|
|
maximum request duration allowed before Vault cancels the request. This can
|
|
|
|
|
be overridden per listener via the `max_request_duration` value.
|
|
|
|
|
|
2017-12-18 14:29:37 +00:00
|
|
|
|
- `raw_storage_endpoint` `(bool: false)` – Enables the `sys/raw` endpoint which
|
|
|
|
|
allows the decryption/encryption of raw data into and out of the security
|
|
|
|
|
barrier. This is a highly privileged endpoint.
|
2017-09-15 04:21:35 +00:00
|
|
|
|
|
2018-05-17 15:48:10 +00:00
|
|
|
|
- `ui` `(bool: false)` – Enables the built-in web UI, which is available on all
|
|
|
|
|
listeners (address + port) at the `/ui` path. Browsers accessing the standard
|
|
|
|
|
Vault API address will automatically redirect there. This can also be provided
|
|
|
|
|
via the environment variable `VAULT_UI`. For more information, please see the
|
2020-01-22 20:05:41 +00:00
|
|
|
|
[ui configuration documentation](/docs/configuration/ui).
|
2017-03-08 02:47:23 +00:00
|
|
|
|
|
2017-09-16 21:09:37 +00:00
|
|
|
|
- `pid_file` `(string: "")` - Path to the file in which the Vault server's
|
|
|
|
|
Process ID (PID) should be stored.
|
|
|
|
|
|
2021-04-20 22:25:04 +00:00
|
|
|
|
- `enable_response_header_hostname` `(bool: false)` - Enables the addition of an HTTP header
|
|
|
|
|
in all of Vault's HTTP responses: `X-Vault-Hostname`. This will contain the
|
|
|
|
|
host name of the Vault node that serviced the HTTP request. This information
|
|
|
|
|
is best effort and is not guaranteed to be present. If this configuration
|
|
|
|
|
option is enabled and the `X-Vault-Hostname` header is not present in a response,
|
|
|
|
|
it means there was some kind of error retrieving the host name from the
|
|
|
|
|
operating system.
|
|
|
|
|
|
|
|
|
|
- `enable_response_header_raft_node_id` `(bool: false)` - Enables the addition of an HTTP header
|
|
|
|
|
in all of Vault's HTTP responses: `X-Vault-Raft-Node-ID`. If Vault is participating
|
|
|
|
|
in a Raft cluster (i.e. using integrated storage), this header will contain the
|
|
|
|
|
Raft node ID of the Vault node that serviced the HTTP request. If Vault is not
|
|
|
|
|
participating in a Raft cluster, this header will be omitted, whether this configuration
|
|
|
|
|
option is enabled or not.
|
|
|
|
|
|
2017-11-11 01:06:07 +00:00
|
|
|
|
### High Availability Parameters
|
|
|
|
|
|
|
|
|
|
The following parameters are used on backends that support [high availability][high-availability].
|
|
|
|
|
|
2022-02-04 01:49:46 +00:00
|
|
|
|
- `api_addr` `(string: "")` – Specifies the address (full URL) to advertise to
|
2017-12-05 17:01:35 +00:00
|
|
|
|
other Vault servers in the cluster for client redirection. This value is also
|
|
|
|
|
used for [plugin backends][plugins]. This can also be provided via the
|
2018-03-26 17:46:54 +00:00
|
|
|
|
environment variable `VAULT_API_ADDR`. In general this should be set as a full
|
|
|
|
|
URL that points to the value of the [`listener`](#listener) address.
|
2022-01-10 14:06:30 +00:00
|
|
|
|
This can be dynamically defined with a
|
|
|
|
|
[go-sockaddr template](https://pkg.go.dev/github.com/hashicorp/go-sockaddr/template)
|
|
|
|
|
that is resolved at runtime.
|
2017-11-11 01:06:07 +00:00
|
|
|
|
|
2022-02-04 01:49:46 +00:00
|
|
|
|
- `cluster_addr` `(string: "")` – Specifies the address to advertise to other
|
2017-11-11 01:06:07 +00:00
|
|
|
|
Vault servers in the cluster for request forwarding. This can also be provided
|
|
|
|
|
via the environment variable `VAULT_CLUSTER_ADDR`. This is a full URL, like
|
|
|
|
|
`api_addr`, but Vault will ignore the scheme (all cluster members always
|
|
|
|
|
use TLS with a private key/certificate).
|
2022-01-10 14:06:30 +00:00
|
|
|
|
This can be dynamically defined with a
|
|
|
|
|
[go-sockaddr template](https://pkg.go.dev/github.com/hashicorp/go-sockaddr/template)
|
|
|
|
|
that is resolved at runtime.
|
2017-11-11 01:06:07 +00:00
|
|
|
|
|
|
|
|
|
- `disable_clustering` `(bool: false)` – Specifies whether clustering features
|
|
|
|
|
such as request forwarding are enabled. Setting this to true on one Vault node
|
2020-04-21 20:45:07 +00:00
|
|
|
|
will disable these features _only when that node is the active node_. This
|
|
|
|
|
parameter cannot be set to `true` if `raft` is the storage type.
|
2017-11-11 01:06:07 +00:00
|
|
|
|
|
2018-08-28 16:08:50 +00:00
|
|
|
|
### Vault Enterprise Parameters
|
|
|
|
|
|
2018-08-28 19:48:02 +00:00
|
|
|
|
The following parameters are only used with Vault Enterprise
|
|
|
|
|
|
2018-08-28 16:08:50 +00:00
|
|
|
|
- `disable_sealwrap` `(bool: false)` – Disables using [seal wrapping][sealwrap]
|
2022-03-17 05:01:38 +00:00
|
|
|
|
for any value except the root key. If this value is toggled, the new
|
2018-08-28 16:08:50 +00:00
|
|
|
|
behavior will happen lazily (as values are read or written).
|
|
|
|
|
|
2018-08-28 19:48:02 +00:00
|
|
|
|
- `disable_performance_standby` `(bool: false)` – Specifies whether performance
|
|
|
|
|
standbys should be disabled on this node. Setting this to true on one Vault
|
|
|
|
|
node will disable this feature when this node is Active or Standby. It's
|
2019-05-01 07:24:59 +00:00
|
|
|
|
recommended to sync this setting across all nodes in the cluster.
|
2018-08-28 16:08:50 +00:00
|
|
|
|
|
2021-06-18 16:19:18 +00:00
|
|
|
|
- `license_path` `(string: "")` - Path to license file. This can also be
|
|
|
|
|
provided via the environment variable `VAULT_LICENSE_PATH`, or the license
|
|
|
|
|
itself can be provided in the environment variable `VAULT_LICENSE`.
|
|
|
|
|
|
2020-01-22 20:05:41 +00:00
|
|
|
|
[storage-backend]: /docs/configuration/storage
|
|
|
|
|
[listener]: /docs/configuration/listener
|
|
|
|
|
[seal]: /docs/configuration/seal
|
|
|
|
|
[sealwrap]: /docs/enterprise/sealwrap
|
|
|
|
|
[telemetry]: /docs/configuration/telemetry
|
2020-07-22 18:07:51 +00:00
|
|
|
|
[sentinel]: /docs/configuration/sentinel
|
2020-01-22 20:05:41 +00:00
|
|
|
|
[high-availability]: /docs/concepts/ha
|
|
|
|
|
[plugins]: /docs/plugin
|