vault agent
Start an instance of Vault Agent.
$ vault agent -config <config_file> $ vault agent [-help | -h]
Description
vault agent
start an instance of Vault Agent, which automatically
authenticates and fetches secrets for client applications.
Related API endpoints
None
Command arguments
None.
Command options
None.
Command flags
-config (string : <required>)
Path to a single
Vault Agent configuration file
or directory of configuration files with agent directives. Repeat the -config
flag as needed to specify more than one discrete configuration file. If you
specify more than one configuration file, Agent composes the source files into
a single configuration file at runtime.
Example: -config /path/to/file.hcl
-exit-after-auth (bool : false)
Exit with code 0
after a single successful auth. Success indicates successful
token retrieval and write to sink.
Example: -exit-after-auth
-log-file (string : "./<service>.log")
Absolute path where Vault Agent saves logging data.
- Paths ending with
/
use the default file name<service>.log
. For example,vault.log
for Vault andagent.log
for Vault Agent. - Paths ending with a name but not an extension use the
.log
extension. - Paths ending with a name and extension use the provided file name.
Example: -log-file "/var/log/vault-logs/"
[-log-format | VAULT_LOG_FORMAT] (enum : standard)
Format of log data:
standard
- Write log data as basic text.json
- Write log data as JSON.
Examples:
- CLI flag:
-log-format json
- Environment variable:
export VAULT_LOG_FORMAT=json
[-log-level | VAULT_LOG_LEVEL] (enum : info)
Default logging level for the Vault server.
Enum | Logging behavior |
---|---|
trace | Log everything including details about process flow within the server |
debug | info level logging and detailed server state |
info | warn level logging, server events, and general server state |
warn | err level logging, deprecations, and potentially harmful events/states in the server |
err | Log information about non-fatal errors and handled exceptions |
Examples:
- CLI flag:
-log-level debug
- Environment variable:
export VAULT_LOG_LEVEL=debug
-log-rotate-bytes (int : <unset>)
File size, in bytes, after which log files must rotate. Leave log-rotate-bytes
unset if you prefer not to limit log file size.
Example: -log-rotate-bytes 1000000
-log-rotate-duration (string : "24h")
Amount of time, in <number>[s|m|h|d]
format, after which log files must
rotate.
Example: -log-rotate-duration "2h"
-log-rotate-max-files (int : 0)
The number of log file archives to preserve over time:
n
- Preserve up ton
archived logs.0
- Never delete log archives.-1
- Always delete log archives.
The archived name of rotated logs includes a timestamp indicating when the log
rotated. For example, the file /var/log/agent.log
archives to
/var/log/agent-{timestamp}.log
before resetting.
Example: -log-rotate-max-files 5
Standard flags
[-address | VAULT_ADDR] (string : 'https://127.0.0.1:8200')
Address of the Vault server.
Examples:
- CLI flag:
-address "https://mydomain/vault:8200"
- Environment variable:
export VAULT_ADDR="https://mydomain/vault:8200"
[-agent-address | VAULT_AGENT_ADDR] (string : "")
Address of the Vault Agent, if used.
Examples:
- CLI flag:
-agent-address "https://mydomain/vault-agent:8200"
- Environment variable:
export VAULT_AGENT_ADDR="https://mydomain/vault-agent:8200"
[-ca-cert | VAULT_CACERT] (string : "")
Path to a PEM-encoded CA certificate file on the local disk. Used to verify SSL
certificates for the server. Takes precedence over -ca_path
.
Examples:
- CLI flag:
-ca-cert "/path/to/certs/mycert.pem"
- Environment variable:
export VAULT_CACERT="/path/to/certs/mycert.pem"
[-ca-path | VAULT_CAPATH] (string : "")
Path to a directory with PEM-encoded CA certificate files on the local disk. Used to verify SSL certificates for the server.
Examples:
- CLI flag:
-ca-path "/path/to/certs/dir"
- Environment variable:
export VAULT_CAPATH="/path/to/certs/dir"
[-client-cert | VAULT_CLIENT_CERT] (string : "")
Path to a PEM-encoded CA certificate file on the local disk. Used for TLS
communication with the server. The specified certificate must match to the
private key specified with -client-cert
.
Examples:
- CLI flag:
-client-cert "/path/to/certs/mycert.pem"
- Environment variable:
export VAULT_CLIENT_CERT="/path/to/certs/mycert.pem"
[-client-key | VAULT_CLIENT_KEY] (string : "")
Path to a PEM-encoded private key that matches the client certificate set with
-client-cert
.
Examples:
- CLI flag:
-client-key "/path/to/keys/myprivatekey.pem"
- Environment variable:
export VAULT_CLIENT_KEY="/path/to/keys/myprivatekey.pem"
[-disable-redirects | VAULT_DISABLE_REDIRECTS] (bool : false)
Disable the default CLI redirect behavior so the CLI honors the first redirect response from the underlying API instead of following the full HTTP redirect chain.
Examples:
- CLI flag:
-disable-redirects
- Environment variable:
export VAULT_DISABLE_REDIRECTS=1
Warning
Disabling the default redirect behavior may cause commands that redirect
requests to primary cluster notes (like vault operator raft snapshot
) to
misbehave.
-header (string : "")
Optional HTTP header in the form "<key>=<value>"
for the CLI request. Repeat
the -header
flag as needed with one string per flag. User-defined headers
cannot start with X-Vault-
Example: -header "Cache-Control=max-age=0"
[-mfa | VAULT_MFA] (string : "")
Enterprise
A multi-factor authentication (MFA) credential, in the format
mfa_method_name[:key[=value]]
, that the CLI should use to authenticate to
Vault. The CLI adds MFA credentials to the X-Vault-MFA
header when calling the
underlying API endpoint.
Examples:
- CLI flag:
-mfa "totp:password=12345"
- Environment variable:
export VAULT_MFA="totp:password=12345"
Note
The VAULT_MFA
environment variable only accepts one MFA method specification
and one credential for the specified method. To supply multiple credentials or
MFA methods, use the -mfa
CLI flag and repeat the flag as needed.
[-namespace | -ns | VAULT_NAMESPACE] (string : <unset>)
Root namespace for the CLI command. Setting a default namespace allow relative mount paths.
Examples:
- CLI flag:
-namespace "admin"
- Environment variable:
export VAULT_NAMESPACE="admin"
-non-interactive (bool : false)
Prevent the CLI from asking users for input through the terminal.
Example: -non-interactive
-output-curl-string (bool : false)
Print the API call(s) required to execute the CLI command as cURL
strings
then exit without running the command.
Example: -output-curl-string
-output-policy (bool : false)
Print the Vault policy required to execute the CLI command as HCL then exit without running the command.
Example: -output-policy
-policy-override (bool : false)
Overrides any Sentinel policy where enforcement_level
is "soft-mandatory".
Example: -policy-override
[-tls-server-name | VAULT_TLS_SERVER_NAME] (string : "")
Name of the SNI host for TLS handshake resolution for TLS connections to Vault.
Examples:
- CLI flag:
-tls-server-name "hostname.domain"
- Environment variable:
export VAULT_TLS_SERVER_NAME="hostname.domain"
[-tls-skip-verify | VAULT_SKIP_VERIFY] (bool : false)
Disable verification for all TLS certificates. Use with caution. Disabling TLS certificate verification decreases the security of data transmissions to and from the Vault server.
Examples:
- CLI flag:
-tls-skip-verify
- Environment variable:
export VAULT_SKIP_VERIFY=1
-unlock-key (string : <unset>)
Plaintext key that unlocks the underlying API endpoint for a given namespace.
Example: -unlock-key "7oXtdlmvRQ"
[-wrap-ttl | VAULT_WRAP_TTL] (string : "")
Default time-to-live in <number>[s|m|h|d]
format for the Cubbyhole token used
to wrap CLI responses. You must use vault unwrap
to view response data before
the duration expires. Leave wrap_ttl
unset to leave CLI responses unwrapped.
Examples:
- CLI flag:
-wrap-ttl "5m"
- Environment variable:
export VAULT_WRAP_TTL="5m"
Examples
Start Vault Agent with a single configuration file:
$ vault agent -config=/etc/vault/agent/config.hcl
Start Vault Agent with a two discrete configuration files:
$ vault agent \ -config=/etc/vault/agent/base-config.hcl \ -config=/etc/vault/agent/auto-auth-config.hcl
Start Vault Agent with a set of configuration files under the `` directory:
$ vault agent -config=/etc/vault/agent/config-files/