open-vault/website/content/docs/commands/read.mdx
Alexander Scheel 6d92ef4d9a
Fix raw format for other commands, add to docs! (#17730)
* Clarify when -format=raw fails

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Document Vault read's new -format=raw mode

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add raw format to usage, completion

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing support for raw format field printing

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Prohibit command execution with wrong formatter

This allows us to restrict the raw formatter to only commands that
understand it; otherwise, when running `vault write -format=raw`, we'd
actually hit the Vault server, but hide the output from the user. By
switching this to a flag-parse time check, we avoid running the rest of
the command if a bad formatter was specified.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-28 12:53:23 -04:00

78 lines
2.4 KiB
Plaintext

---
layout: docs
page_title: read - Command
description: |-
The "read" command reads data from Vault at the given path. This can be used
to read secrets, generate dynamic credentials, get configuration details, and
more.
---
# read
The `read` command reads data from Vault at the given path (wrapper command for
HTTP GET). You can use the command to read secrets, generate dynamic
credentials, get configuration details, and more.
## Examples
Read entity details of a given ID:
```shell-session
$ vault read identity/entity/id/2f09126d-d161-abb8-2241-555886491d97
```
Generate dynamic AWS credentials for a `my-role`:
```shell-session
$ vault read aws/creds/my-role
```
### API versus CLI
Assuming that you have K/V version 2 (`kv-v2`) secrets engine enabled at
`secret/`, the following command reads secrets at the `secret/data/customers`
API path:
```shell-session
$ vault read secret/data/customers
```
This is equivalent to:
```shell-session
$ curl --request GET --header "X-Vault-Token: $VAULT_TOKEN" \
$VAULT_ADDR/v1/secret/data/customers
```
Since K/V secrets engine is a commonly used feature, Vault CLI provides the
[`kv`](/docs/commands/kv) command. Read secrets from the `secret/data/customers`
path using the `kv` CLI command:
```shell-session
$ vault kv get -mount=secret customers
```
-> **Comparison:** All three commands retrieve the same data, but display the
output in a different format. By default, `vault read` prints output in
key-value format. The `curl` command prints the response in JSON. Since the
`kv` command is designed to handle operations associated with K/V secrets
engine, it prints the output in more structured format that is easy to read.
## Usage
The following flags are available in addition to the [standard set of
flags](/docs/commands) included on all commands.
### Output Options
- `-field` `(string: "")` - Print only the field with the given name. Specifying
this option will take precedence over other formatting directives. The result
will not have a trailing newline making it ideal for piping to other processes.
- `-format` `(string: "table")` - Print the output in the given format. Valid
formats are "table", "json", "yaml", or "raw". This can also be specified
via the `VAULT_FORMAT` environment variable.
For a full list of examples and paths, please see the documentation that
corresponds to the secrets engine in use.