open-vault/website/source/docs/commands/environment.html.md


| layout | page_title | sidebar_current | description |
| --- | --- | --- | --- |
| docs | Environment | docs-commands-environment | Vault's behavior can be modified by certain environment variables. |

Environment variables

The Vault CLI will read the following environment variables to set behavioral defaults. These can be overridden in all cases using command-line arguments; see the command-line help for details.

The following table describes them:

| Variable name | Value |
| --- | --- |
| `VAULT_TOKEN` | The Vault authentication token. If not specified, the token located in `$HOME/.vault-token` will be used if it exists. |
| `VAULT_ADDR` | The address of the Vault server expressed as a URL and port, for example: `http://127.0.0.1:8200` |
| `VAULT_CACERT` | Path to a PEM-encoded CA cert file to use to verify the Vault server SSL certificate. |
| `VAULT_CAPATH` | Path to a directory of PEM-encoded CA cert files to verify the Vault server SSL certificate. If `VAULT_CACERT` is specified, its value will take precedence. |
| `VAULT_CLIENT_CERT` | Path to a PEM-encoded client certificate for TLS authentication to the Vault server. |
| `VAULT_CLIENT_KEY` | Path to an unencrypted PEM-encoded private key matching the client certificate. |
| `VAULT_CLIENT_TIMEOUT` | Timeout variable for the vault client. Default value is 60 seconds. |
| `VAULT_CLUSTER_ADDR` | The address that should be used for other cluster members to connect to this node when in High Availability mode. |
| `VAULT_MAX_RETRIES` | The maximum number of retries when a `5xx` error code is encountered. Default is `2`, for three total tries; set to `0` or less to disable retrying. |
| `VAULT_REDIRECT_ADDR` | The address that should be used when clients are redirected to this node when in High Availability mode. |
| `VAULT_SKIP_VERIFY` | If set, do not verify Vault's presented certificate before communicating with it. Setting this variable is not recommended except during testing. |
| `VAULT_TLS_SERVER_NAME` | If set, use the given name as the SNI host when connecting via TLS. |
| `VAULT_MFA` | (Enterprise Only) MFA credentials in the format **mfa_method_name[:key[=value]]** (items in `[]` are optional). Note that when using the environment variable, only one credential can be supplied. If an MFA method expects multiple credential values, or if there are multiple MFA methods specified on a path, then the CLI flag `-mfa` should be used. |
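
A pre-flight audit of the variables in the table above, as an added example that is not part of the Vault documentation or code base. The function name `vault_env_audit`, the helper `report` and the demo host `vault.example.internal` are assumptions; the checks follow the table's statements on `VAULT_SKIP_VERIFY`, `VAULT_CACERT` precedence and the unencrypted client key, plus a check for plaintext `http://` in `VAULT_ADDR`.

```shell
#!/bin/sh
# Added example (hypothetical helper, not shipped with Vault).
# Prints one finding per line; returns 1 if anything was reported.
vault_env_audit() {
    findings=0
    report() { printf '%s\n' "$1"; findings=$((findings + 1)); }

    # The table says verification is skipped "if set", so any non-empty value is reported.
    if [ -n "${VAULT_SKIP_VERIFY:-}" ]; then
        report "VAULT_SKIP_VERIFY is set: server certificate is not verified"
    fi

    # Plain http:// carries the token unencrypted; tolerate loopback only.
    case "${VAULT_ADDR:-}" in
        http://*)
            host=${VAULT_ADDR#http://}; host=${host%%/*}; host=${host%:*}
            case "$host" in
                127.0.0.1|localhost) ;;
                *) report "VAULT_ADDR uses http:// to non-loopback host $host" ;;
            esac ;;
    esac

    # VAULT_CACERT takes precedence, so a VAULT_CAPATH set alongside it is unused.
    if [ -n "${VAULT_CACERT:-}" ] && [ -n "${VAULT_CAPATH:-}" ]; then
        report "VAULT_CACERT and VAULT_CAPATH both set: VAULT_CAPATH is ignored"
    fi

    # The client key is unencrypted and the token file is a bearer credential:
    # neither should carry any group or other permission bits.
    for f in "${VAULT_CLIENT_KEY:-}" "${HOME:-}/.vault-token"; do
        [ -f "$f" ] || continue
        perms=$(ls -ld -- "$f" | cut -c5-10)
        [ "$perms" = "------" ] || report "$f is accessible to group/other ($perms)"
    done

    [ "$findings" -eq 0 ]
}

# Constructed demo values, set in a subshell so the caller's environment is untouched.
(
    VAULT_ADDR=http://vault.example.internal:8200
    VAULT_SKIP_VERIFY=1
    vault_env_audit
) || true
```

Because the function returns non-zero on any finding, it can gate a CI job or a wrapper script before the `vault` CLI is invoked.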