3 KiB
3 KiB
layout | page_title | sidebar_current | description |
---|---|---|---|
docs | Environment | docs-commands-environment | Vault's behavior can be modified by certain environment variables. |
Environment variables
The Vault CLI will read the following environment variables to set behavioral defaults. These can be overridden in all cases using command-line arguments; see the command-line help for details.
The following table describes them:
Variable name | Value |
---|---|
VAULT_TOKEN | The Vault authentication token. If not specified, the token located in $HOME/.vault-token will be used if it exists. |
VAULT_ADDR | The address of the Vault server expressed as a URL and port, for example: http://127.0.0.1:8200 |
VAULT_CACERT | Path to a PEM-encoded CA cert file to use to verify the Vault server SSL certificate. |
VAULT_CAPATH | Path to a directory of PEM-encoded CA cert files to verify the Vault server SSL certificate. If VAULT_CACERT is specified, its value will take precedence. |
VAULT_CLIENT_CERT | Path to a PEM-encoded client certificate for TLS authentication to the Vault server. |
VAULT_CLIENT_KEY | Path to an unencrypted PEM-encoded private key matching the client certificate. |
VAULT_CLIENT_TIMEOUT | Timeout variable for the vault client. Default value is 60 seconds. |
VAULT_CLUSTER_ADDR | The address that should be used for other cluster members to connect to this node when in High Availability mode. |
VAULT_MAX_RETRIES | The maximum number of retries when a `5xx` error code is encountered. Default is `2`, for three total tries; set to `0` or less to disable retrying. |
VAULT_REDIRECT_ADDR | The address that should be used when clients are redirected to this node when in High Availability mode. |
VAULT_SKIP_VERIFY | If set, do not verify Vault's presented certificate before communicating with it. Setting this variable is not recommended except during testing. |
VAULT_TLS_SERVER_NAME | If set, use the given name as the SNI host when connecting via TLS. |
VAULT_MFA | (Enterprise Only) MFA credentials in the format **mfa_method_name[:key[=value]]** (items in `[]` are optional). Note that when using the environment variable, only one credential can be supplied. If a MFA method expects multiple credential values, or if there are multiple MFA methods specified on a path, then the CLI flag `-mfa` should be used. |