read | Reads data from Vault at the given path |
write | Writes data from Vault at the given path |
delete | Deletes secrets and configuration from Vault at the given path |
list | Lists data from Vault at the given path |
login | Authenticates users or machines to Vault using the provided arguments |
agent | This command starts a Vault agent that can perform automatic authentication in certain environments |
server | This command starts a Vault server that responds to API requests. By default, Vault will start in a 'sealed' state. The Vault cluster must be initialized before use, usually by the 'vault operator init' command. Each Vault server must also be unsealed using the 'vault operator unseal' command or the API before the server can respond to requests |
status | Prints the current state of Vault including whether it is sealed and if HA mode is enabled. This command prints regardless of whether the Vault is sealed |
unwrap | Unwraps a wrapped secret from Vault by the given token. The result is the same as the 'vault read' operation on the non-wrapped secret. If no token is given, the data in the currently authenticated token is unwrapped |
audit | This command groups subcommands for interacting with Vault's audit devices. Users can list, enable, and disable audit devices |
debug | Probes a specific Vault server node for a specified period of time, recording information about the node, its cluster, and its host environment |
kv | This command has subcommands for interacting with Vault's key-value store. Here are some simple examples, and more detailed examples are available in the subcommands or the documentation |
lease | This command groups subcommands for interacting with leases. Users can revoke or renew leases |
monitor | Stream log messages of a Vault server. The monitor command lets you listen for log levels that may be filtered out of the server logs. For example, the server may be logging at the INFO level, but with the monitor command you can set -log-level=DEBUG |
namespace | This command groups subcommands for interacting with Vault namespaces. These subcommands operate in the context of the namespace that the currently logged in token belongs to |
operator | This command groups subcommands for operators interacting with Vault. Most users will not need to interact with these commands. Here are a few examples of the operator commands |
path-help | Retrieves API help for paths. All endpoints in Vault provide built-in help in markdown format. This includes system paths, secret engines, and auth methods |
plugin | This command groups subcommands for interacting with Vault's plugins and the plugin catalog. The plugin catalog is divided into three types: 'auth', 'database', and 'secret' plugins. A type must be specified on each call. Here are a few examples of the plugin commands |
policy | |
print | This command groups subcommands for interacting with Vault's runtime values |
secrets | This command groups subcommands for interacting with Vault's secrets engines. Each secret engine behaves differently. Please see the documentation for more information |
ssh | Establishes an SSH connection with the target machine |
token | This command groups subcommands for interacting with tokens. Users can create, lookup, renew, and revoke tokens |
version-history | Prints the version history of the target Vault server |