vault agent
Start an instance of Vault Agent.
Description
vault agent
start an instance of Vault Agent, which automatically
authenticates and fetches secrets for client applications.
Related API endpoints
None
Command arguments
None.
Command options
None.
Command flags
-config (string : <required>)
Path to a single
Vault Agent configuration file
or directory of configuration files with agent directives. Repeat the -config
flag as needed to specify more than one discrete configuration file. If you
specify more than one configuration file, Agent composes the source files into
a single configuration file at runtime.
Example: -config /path/to/file.hcl
-exit-after-auth (bool : false)
Exit with code 0
after a single successful auth. Success indicates successful
token retrieval and write to sink.
Example: -exit-after-auth
-log-file (string : "./<service>.log")
Absolute path where Vault Agent saves logging data.
- Paths ending with
/
use the default file name<service>.log
. For example,vault.log
for Vault andagent.log
for Vault Agent. - Paths ending with a name but not an extension use the
.log
extension. - Paths ending with a name and extension use the provided file name.
Example: -log-file "/var/log/vault-logs/"
[-log-format | VAULT_LOG_FORMAT] (enum : standard)
Format of log data:
standard
- Write log data as basic text.json
- Write log data as JSON.
Examples:
- CLI flag:
-log-format json
- Environment variable:
export VAULT_LOG_FORMAT=json
[-log-level | VAULT_LOG_LEVEL] (enum : info)
Default logging level for the Vault server.
Enum | Logging behavior |
---|---|
trace | Log everything including details about process flow within the server |
debug | info level logging and detailed server state |
info | warn level logging, server events, and general server state |
warn | err level logging, deprecations, and potentially harmful events/states in the server |
err | Log information about non-fatal errors and handled exceptions |
Examples:
- CLI flag:
-log-level debug
- Environment variable:
export VAULT_LOG_LEVEL=debug
-log-rotate-bytes (int : <unset>)
File size, in bytes, after which log files must rotate. Leave log-rotate-bytes
unset if you prefer not to limit log file size.
Example: -log-rotate-bytes 1000000
-log-rotate-duration (string : "24h")
Amount of time, in <number>[s|m|h|d]
format, after which log files must
rotate.
Example: -log-rotate-duration "2h"
-log-rotate-max-files (int : 0)
The number of log file archives to preserve over time:
n
- Preserve up ton
archived logs.0
- Never delete log archives.-1
- Always delete log archives.
The archived name of rotated logs includes a timestamp indicating when the log
rotated. For example, the file /var/log/agent.log
archives to
/var/log/agent-{timestamp}.log
before resetting.
Example: -log-rotate-max-files 5
Standard flags
[-address | VAULT_ADDR] (string : 'https://127.0.0.1:8200')
Address of the Vault server.
Examples:
- CLI flag:
-address "https://mydomain/vault:8200"
- Environment variable:
export VAULT_ADDR="https://mydomain/vault:8200"
[-agent-address | VAULT_AGENT_ADDR] (string : "")
Address of the Vault Agent, if used.
Examples:
- CLI flag:
-agent-address "https://mydomain/vault-agent:8200"
- Environment variable:
export VAULT_AGENT_ADDR="https://mydomain/vault-agent:8200"
[-ca-cert | VAULT_CA_CERT] (string : "")
Path to a PEM-encoded CA certificate file on the local disk. Used to verify SSL
certificates for the server. Takes precedence over -ca_path
.
Examples:
- CLI flag:
-ca-cert "/path/to/certs/mycert.pem"
- Environment variable:
export VAULT_CA_CERT="/path/to/certs/mycert.pem"
[-ca-path | VAULT_CAPATH] (string : "")
Path to a directory with PEM-encoded CA certificate files on the local disk. Used to verify SSL certificates for the server.
Examples:
- CLI flag:
-ca-path "/path/to/certs/dir"
- Environment variable:
export VAULT_CAPATH="/path/to/certs/dir"
[-client-cert | VAULT_CLIENT_CERT] (string : "")
Path to a PEM-encoded CA certificate file on the local disk. Used for TLS
communication with the server. The specified certificate must match to the
private key specified with -client-cert
.
Examples:
- CLI flag:
-client-cert "/path/to/certs/mycert.pem"
- Environment variable:
export VAULT_CLIENT_CERT="/path/to/certs/mycert.pem"
[-client-key | VAULT_CLIENT_KEY] (string : "")
Path to a PEM-encoded private key that matches the client certificate set with
-client-cert
.
Examples:
- CLI flag:
-client-key "/path/to/keys/myprivatekey.pem"
- Environment variable:
export VAULT_CLIENT_KEY="/path/to/keys/myprivatekey.pem"
[-disable-redirects | VAULT_DISABLE_REDIRECTS] (bool : false)
Disable the default CLI redirect behavior so the CLI honors the first redirect response from the underlying API instead of following the full HTTP redirect chain.
Examples:
- CLI flag:
-disable-redirects
- Environment variable:
export VAULT_DISABLE_REDIRECTS=1
Warning
Disabling the default redirect behavior may cause commands that redirect
requests to primary cluster notes (like vault operator raft snapshot
) to
misbehave.
-header (string : "")
Optional HTTP header in the form "<key>=<value>"
for the CLI request. Repeat
the -header
flag as needed with one string per flag. User-defined headers
cannot start with X-Vault-
Example: -header "Cache-Control=max-age=0"
[-mfa | VAULT_MFA] (string : "")
Enterprise
A multi-factor authentication (MFA) credential, in the format
mfa_method_name[:key[=value]]
, that the CLI should use to authenticate to
Vault. The CLI adds MFA credentials to the X-Vault-MFA
header when calling the
underlying API endpoint.
Examples:
- CLI flag:
-mfa "totp:password=12345"
- Environment variable:
export VAULT_MFA="totp:password=12345"
Note
The VAULT_MFA
environment variable only accepts one MFA method specification
and one credential for the specified method. To supply multiple credentials or
MFA methods, use the -mfa
CLI flag and repeat the flag as needed.
[-namespace | -ns | VAULT_NAMESPACE] (string : <unset>)
Root namespace for the CLI command. Setting a default namespace allow relative mount paths.
Examples:
- CLI flag:
-namespace "admin"
- Environment variable:
export VAULT_NAMESPACE="admin"
-non-interactive (bool : false)
Prevent the CLI from asking users for input through the terminal.
Example: -non-interactive
-output-curl-string (bool : false)
Print the API call(s) required to execute the CLI command as cURL
strings
then exit without running the command.
Example: -output-curl-string
-output-policy (bool : false)
Print the Vault policy required to execute the CLI command as HCL then exit without running the command.
Example: -output-policy
-policy-override (bool : false)
Overrides any Sentinel policy where enforcement_level
is "soft-mandatory".
Example: -policy-override
[-tls-server-name | VAULT_TLS_SERVER_NAME] (string : "")
Name of the SNI host for TLS handshake resolution for TLS connections to Vault.
Examples:
- CLI flag:
-tls-server-name "hostname.domain"
- Environment variable:
export VAULT_TLS_SERVER_NAME="hostname.domain"
[-tls-skip-verify | VAULT_SKIP_VERIFY] (bool : false)
Disable verification for all TLS certificates. Use with caution. Disabling TLS certificate verification decreases the security of data transmissions to and from the Vault server.
Examples:
- CLI flag:
-tls-skip-verify
- Environment variable:
export VAULT_SKIP_VERIFY=1
-unlock-key (string : <unset>)
Plaintext key that unlocks the underlying API endpoint for a given namespace.
Example: -unlock-key "7oXtdlmvRQ"
[-wrap-ttl | VAULT_WRAP_TTL] (string : "")
Default time-to-live in <number>[s|m|h|d]
format for the Cubbyhole token used
to wrap CLI responses. You must use vault unwrap
to view response data before
the duration expires. Leave wrap_ttl
unset to leave CLI responses unwrapped.
Examples:
- CLI flag:
-wrap-ttl "5m"
- Environment variable:
export VAULT_WRAP_TTL="5m"
Examples
Start Vault Agent with a single configuration file:
Start Vault Agent with a two discrete configuration files:
Start Vault Agent with a set of configuration files under the `` directory: