Basics


Env Variables

export VAULT_TOKEN=hvs.xxxxxxxxxxxxxxxx
Set the token used for the token authentication method.

export VAULT_SKIP_VERIFY=true
Skip TLS certificate verification.

Initialization


Check Status

vault status
Check whether the server is running.


Initialize and Unseal Vault

vault operator init
Initialize Vault.

vault operator unseal
Prompt for one unseal key; repeat until the required number (threshold) of unseal keys has been provided and Vault unseals.


Login

vault login
Log in to Vault using a token.

vault login -method=userpass username="my_user" password="my_pass"
Log in to Vault using userpass.

vault login -method=oidc role="my_role"
Log in to Vault using OIDC.

vault write auth/approle/login role_id="my_role_id" secret_id="my_secret_id"
Log in to Vault using AppRole.

vault write auth/jwt/login role=my_role jwt=my_jwt
Log in to Vault using a JWT.

Tokens


Lookup

vault list auth/my_auth_method/accessors
List the accessors of tokens created with the specified auth method.

vault token lookup -accessor <token_accessor>
Return information about the token (type, TTL, max TTL, ...).


Create

vault token create -policy=my_policy -ttl=30m
Create a token with the specified policy and TTL.

vault token renew myToken
Renew a token.


Revoke

vault token revoke <token_id>
Revoke a token.

vault token revoke -accessor <token_accessor>
Revoke a token using its accessor.

vault token revoke -self
Revoke the current token.

vault token revoke -mode=path auth/my_auth_method
Revoke all tokens (and their children) created with the specified auth method.

Traceability


Entity

vault list identity/entity/id
List entities.

vault delete identity/entity/id/f53c4994-8458-6b6c-8cff-eaf869c9aefc
Delete entity.


Audit Device

vault audit list
List audit devices.

vault audit enable file file_path=/var/log/vault_audit.log
Create a file audit device (the user running Vault must be able to write to the given path).

vault audit disable file
Disable the specified audit device.

vault write sys/audit-hash/file input="P@ssword!"
Compute the HMAC of a given input with the audit device's salt, so that a known plaintext can be matched against the hashed values in the audit file. Warning: only admins should be allowed to write to sys/audit-hash/file.
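To show how the audit-hash output is actually used, here is an added Python example (not part of the original cheat sheet or of Vault) that takes the hmac-sha256 value returned by sys/audit-hash/file and searches file audit device entries for it. The log lines and HMAC values are constructed for the example; the entry layout (one JSON object per line, sensitive data fields replaced by hmac-sha256:<hex>) follows the file audit device format.

```python
import json

# Constructed sample lines in the shape written by Vault's file audit device
# (one JSON object per line; values under "data" are replaced by hmac-sha256:<hex>).
# The HMAC digests below are made up for this example.
SAMPLE_AUDIT_LOG = """\
{"time":"2024-05-01T10:00:00Z","type":"request","auth":{"display_name":"userpass-alice","policies":["default","my_policy"]},"request":{"operation":"update","path":"secret/data/app","data":{"data":{"password":"hmac-sha256:aaaa1111"}}}}
{"time":"2024-05-01T10:05:00Z","type":"request","auth":{"display_name":"userpass-bob","policies":["default"]},"request":{"operation":"update","path":"transit/encrypt/my_key","data":{"plaintext":"hmac-sha256:bbbb2222"}}}
{"time":"2024-05-01T10:07:00Z","type":"response","auth":{"display_name":"userpass-bob","policies":["default"]},"request":{"operation":"read","path":"secret/data/app"},"response":{"data":{"data":{"password":"hmac-sha256:aaaa1111"}}}}
"""


def _walk(obj, prefix=""):
    """Yield (dotted.field.path, value) for every leaf of a nested JSON object."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _walk(value, f"{prefix}.{key}" if prefix else key)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from _walk(value, f"{prefix}[{i}]")
    else:
        yield prefix, obj


def find_hashed_value(audit_log: str, hmac_value: str) -> list:
    """Return one record per audit entry field that carries the given HMAC value.

    hmac_value is the 'hash' field returned by
    `vault write sys/audit-hash/<device> input=<plaintext>`.
    """
    hits = []
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        for field, value in _walk(entry):
            if value == hmac_value:
                hits.append({
                    "time": entry.get("time"),
                    "type": entry.get("type"),
                    "actor": entry.get("auth", {}).get("display_name"),
                    "operation": entry.get("request", {}).get("operation"),
                    "path": entry.get("request", {}).get("path"),
                    "field": field,
                })
    return hits


if __name__ == "__main__":
    for hit in find_hashed_value(SAMPLE_AUDIT_LOG, "hmac-sha256:aaaa1111"):
        print(hit)
```

Because the HMAC is keyed with a per-device salt, the same plaintext yields a different digest on each audit device; query sys/audit-hash/<device> for the device whose log you are searching.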

Access Control


Lease

vault lease revoke aws/creds/myRole/my_lease_id
Revoke specified lease.

vault lease revoke -prefix aws/
Revoke all leases under the specified prefix.


Policy

vault policy list
List policies.

vault policy read my-policy
Read policy content.

vault policy write my-policy my-policy.hcl
Create a policy from a local file.

vault token capabilities hvs.XXXXXXXXXXXX /transit/encrypt/my_key
Check the capabilities of a token on the given path (example output: update).
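As an added illustration of what `vault token capabilities` reports (example code, not from the cheat sheet or from Vault itself), here is a small Python model of how Vault resolves a token's policies against a path, following the priority rules from Vault's policy documentation: the rule whose first wildcard appears latest wins, a rule without a trailing * beats one with it, fewer + segments win, then longer, then lexicographically larger; capabilities for the same rule are merged across policies and deny overrides everything. The policies and paths are constructed, and the matcher is a simplification that does not cover every HCL feature.

```python
from typing import Dict, List, Set

# Constructed policies in the shape `vault policy write my-policy my-policy.hcl`
# loads: each entry mirrors a `path "..." { capabilities = [...] }` block.
POLICIES: Dict[str, Dict[str, List[str]]] = {
    "my_policy": {
        "transit/encrypt/*": ["update"],
        "transit/keys/+/config": ["read", "update"],
        "transit/keys/admin/config": ["deny"],
    },
    "default": {
        "auth/token/lookup-self": ["read"],
        "transit/encrypt/*": ["create"],
    },
}


def _matches(rule: str, path: str) -> bool:
    """Vault path matching: '+' matches exactly one segment, trailing '*' is a glob."""
    glob = rule.endswith("*")
    r_segs = (rule[:-1] if glob else rule).split("/")
    p_segs = path.split("/")
    if glob:
        if len(p_segs) < len(r_segs):
            return False
        head, last = r_segs[:-1], r_segs[-1]
        return (all(r in ("+", p) for r, p in zip(head, p_segs))
                and p_segs[len(head)].startswith(last))
    return len(r_segs) == len(p_segs) and all(r in ("+", p) for r, p in zip(r_segs, p_segs))


def _priority(rule: str):
    """Higher tuple wins; ordering taken from the Vault policy docs (simplified)."""
    first_wild = min((i for i, c in enumerate(rule) if c in "+*"), default=len(rule))
    return (first_wild, not rule.endswith("*"), -rule.count("+"), len(rule), rule)


def capabilities(policies: Dict[str, Dict[str, List[str]]], path: str) -> Set[str]:
    """Capabilities granted on path by the union of policies; {'deny'} when none."""
    path = path.lstrip("/")
    merged: Dict[str, Set[str]] = {}  # matching rule -> capabilities merged across policies
    for rules in policies.values():
        for rule, caps in rules.items():
            if _matches(rule, path):
                merged.setdefault(rule, set()).update(caps)
    if not merged:
        return {"deny"}
    best = max(merged, key=_priority)
    return {"deny"} if "deny" in merged[best] else merged[best]
```

Running `capabilities(POLICIES, "/transit/encrypt/my_key")` shows the merged result of both policies' transit/encrypt/* rules, while the admin key config path resolves to deny because the exact rule outranks the + rule.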


Namespaces (Enterprise)

vault namespace list
List namespaces.

vault namespace create my-namespace
Create namespace.

vault namespace delete my-namespace
Delete namespace.

vault secrets list -namespace=my_namespace
Run a command in a specific namespace.

Authentication Methods


List

vault auth list
List the enabled authentication backends.


Enable

vault auth enable aws
Enable an authentication backend.

Secret Engines

For more details on specific secret engines, see: Vault CLI Secret Engines


List

vault secrets list
Return information about the enabled secret engines.

vault secrets list -detailed
Return more detailed information about the secret engines (e.g. KV version).


Enable

vault secrets enable -path=my_secret_engine_path kv
Create a new Key Value (KV) secrets engine.


Modify

vault secrets move my/old/path my/new/path
Move the secret engine to a new path.

vault secrets tune -default-lease-ttl=12h my_secret_engine_path
Change the configuration of the secret engine mounted at the given path.

Operator


Regenerate Root Token

vault operator generate-root -generate-otp
Generate an OTP for the generate-root command.

vault operator generate-root -init -otp=<otp_token>
Initialize root token generation. Give the generated nonce to the recovery key holders.

vault operator generate-root -nonce=<request_nonce>
Each recovery key holder validates the request with their key until the quorum is reached. This returns the encoded token.

vault operator generate-root -decode=<encoded_token> -otp=<otp_token>
Decode the newly generated root token with the OTP.


ReKey (Regenerate Unseal Keys)

vault operator rekey -init -key-shares=3 -key-threshold=2
Initialize a rekey request.

vault operator rekey -nonce=<request_nonce>
Provide unseal keys until the quorum is reached. This outputs the new unseal keys.

vault operator rekey -target=recovery -init -key-shares=3 -key-threshold=2
Initialize a rekey request in recovery key mode (when Auto Unseal is enabled).

vault operator rekey -target=recovery -nonce=<request_nonce>
Provide recovery keys until the quorum is reached. This outputs the new keys.


Rotate Encryption Keys

vault operator rotate
Rotate the encryption key.

Raft


Cluster

vault operator raft list-peers
List Raft peers.

vault operator raft autopilot state
Show current cluster autopilot state.

vault operator raft autopilot get-config
Show autopilot config.


Snapshot

vault operator raft snapshot save backup.snap
Create a snapshot.

vault operator raft snapshot restore -force backup.snap
Restore a snapshot from a local file (copy the snapshot file onto the machine being restored). The -force option is required here because the Auto-Unseal or Shamir keys will not be consistent with the snapshot data (snapshot taken from a different cluster). See: https://developer.hashicorp.com/vault/tutorials/standard-procedures/sop-restore


Snapshot Auto (Enterprise)

vault list /sys/storage/raft/snapshot-auto/config
List auto-snapshot configs.

vault read /sys/storage/raft/snapshot-auto/config/my-auto-snapshot-config
Show the specified auto-snapshot config.

Replication


Basics

vault read sys/replication/status
Check replication status (DR and Performance).


Disaster Recovery

https://developer.hashicorp.com/vault/tutorials/enterprise/disaster-recovery

vault read sys/replication/dr/status
Check DR replication status.

vault write -f sys/replication/dr/primary/enable
Enable DR replication as Primary.

vault write sys/replication/dr/primary/secondary-token id=dr-secondary
Create a token for a secondary cluster.

vault write sys/replication/dr/secondary/enable token=DR_SECONDARY_TOKEN
Enable DR replication as Secondary.


Performance

https://developer.hashicorp.com/vault/tutorials/enterprise/performance-replication#configure-the-secondary-cluster

vault read sys/replication/performance/status
Check Performance replication status.

vault write -f sys/replication/performance/primary/enable
Enable Performance replication as Primary.

vault write sys/replication/performance/primary/secondary-token id=perf-secondary
Create a token for a secondary cluster.

vault write sys/replication/performance/secondary/enable token=PERF_SECONDARY_TOKEN
Enable Performance replication as Secondary.

Agent


Basics

vault agent generate-config -type="env-template" -exec="./my_script.sh" -path="secret/my_secret" agent-config.hcl
Generate a configuration file for an agent.

vault agent -config=agent-config.hcl
Run an agent.