Authenticate against the vault¶

There are three ways to authenticate against the vault:

Token
Username and password
certificate

Token¶

Either store your token in a dedicated file or store it in the configuration directly:

---
token-file: /path/to/token/file
# Or
token: secret-token
...

In both cases, make sure the permissions of the file containing the token are not too broad.

The command-line flag --token is not available, in order to avoid the token from being too easily found in the bash history. You can either use the command-line flag --token-file=/path/to/token/file to read from a file (including - for stdin) or the VAULT_CLI_TOKEN=secret-token environment variable.

Username and password¶

A username and password pair can be used to generate a token:

---
username: foo

password: secret-password
# Or
password-file: /path/to/token/file
...

The restrictions on the token apply identically on the password.

Certificate¶

---
username: foo

login-cert: /path/to/public/certificate
login-cert-key: /path/to/private/key
...

Authenticate against the vault¶

Token¶

Username and password¶

Certificate¶

vault-cli

Navigation

Related Topics