vault-cli: 12-factor oriented command line tool for Hashicorp Vault

Deployed to PyPI Documentation Status Continuous Integration Status Coverage Status Apache License Contributor Covenant

vault-cli is a Python 3.6+ tool that offers simple interactions to manipulate secrets from Hashicorp Vault. With vault-cli, your secrets can be kept secret, while following 12-factor principles.

Some features

  • Configure once, use everywhere thanks to cascading (local, user, global) YAML configuration file

  • Read, browse, write, move, delete secrets easily

  • Read multiple secrets at once, as YAML

  • Launch processes with your secrets as environment variables

  • Launch processes with ssh-agent configured from your vault

  • Write templated files with secrets inside

  • Combine multiple secrets into a single one (e.g. a DSN string from components)

vault-cli tries to make accessing secrets both secure and painless.


Here are a few things you might do with vault-cli:

$ # Install:
$ pip install vault-cli

$ # Write a secret:
$ vault-cli set mysecret mykey --prompt
Please enter a value for key `mykey` of `mysecret`: *******

$ # Read a secret:
$ vault-cli get mysecret mykey

$ # Load a secret into the environment variables:
$ vault-cli env --path mysecret -- env | grep MYSECRET

$ # Load an ssh key into your ssh-agent:
$ vault-cli ssh --key ssh_private_key -- ssh -T
Hi <username>! You've successfully authenticated, but GitHub does not provide shell access.


The package is young but supported and alive. We’re mindful of deprecations through semantic versionning and accepting bug reports and feature requests.

In action

$ vault-cli --help
Usage: vault-cli [OPTIONS] COMMAND [ARGS]...

  Interact with a Vault. See subcommands for details.

  All arguments can be passed by environment variables:

  -U, --url TEXT                  URL of the vault instance
  --verify / --no-verify          Verify HTTPS certificate
  --ca-bundle PATH                Location of the bundle containing the server
                                  certificate to check against.

  --login-cert PATH               Path to a public client certificate to use
                                  for connecting to vault.

  --login-cert-key PATH           Path to a private client certificate to use
                                  for connecting to vault.

  -T, --token-file PATH           File which contains the token to connect to
                                  Vault. Configuration file can also contain a
                                  "token" key.

  -u, --username TEXT             Username used for userpass authentication
  -w, --password-file PATH        Can read from stdin if "-" is used as
                                  parameter. Configuration file can also
                                  contain a "password" key.

  -b, --base-path TEXT            Base path for requests
  -s, --safe-write / --unsafe-write
                                  When activated, you can't overwrite a secret
                                  without passing "--force" (in commands
                                  "set", "mv", "cp", etc)

  --render / --no-render          Render templated values
  --umask TEXT                    Set umask for newly created files.
  -v, --verbose                   Use multiple times to increase verbosity
  --config-file PATH              Config file to use. Use 'no' to disable
                                  config file. Default value: first of
                                  ./vault.yml, ~/.vault.yml, /etc/vault.yml

  -V, --version
  -h, --help                      Show this message and exit.

  cp            Recursively copy secrets from source to destination path.
  delete        Delete a single secret.
  delete-all    Delete multiple secrets.
  dump-config   Display settings in the format of a config file.
  env           Launch a command, loading secrets in environment.
  get           Return a single secret value.
  get-all       Return multiple secrets.
  list          List all the secrets at the given path.
  lookup-token  Return information regarding the current token
  mv            Recursively move secrets from source to destination path.
  set           Set a secret.
  ssh           Launch a command, with a configured ssh-agent running.
  template      Render the given template and insert secrets in it.