Configure vault-cli
There are 3 ways to configure vault-cli (by decreasing priority):
- Command-line flags (a.k.a. --foo=)
- Environment variables (a.k.a. VAULT_CLI_FOO=)
- YAML configuration file (preferred)
The configuration works identically for each way:
Configuration file | Environment variable | Command-line flag |
---|---|---|
For example, verify: yes or verify: no in the configuration file translates into --verify / --no-verify as a command-line flag, or VAULT_CLI_VERIFY=true as an environment variable.
The environment variable name is always the uppercase underscored name of the equivalent configuration file option.
For boolean environment variables, the following values, when lowercased, evaluate to:
- True: 1, yes, y, t, true
- False: 0, no, n, f, false
The best way to get an up-to-date description of each configuration setting for your version is through:
$ vault-cli -h
YAML Configuration files
The first file found in the following locations is read, parsed and used:
/etc/vault.yml
~/.vault.yml
./vault.yml
The expected format of the configuration is a mapping, with option names and their corresponding values:
---
username: my_username
password-file: ~/.vault-password
# or
token-file: ~/.vault-token
url: https://vault.mydomain:8200
verify: no
base-path: project/
...
Make sure the secret files (the files referenced by password-file and token-file) have restrictive permissions, so that only the user running vault-cli can read them.
(Re)create a configuration file based on the current settings
The vault-cli dump-config command outputs a YAML file that can be used as a configuration file, but mind the following caveats:
- Default values will be written out explicitly
- Secrets (token or username) will be included directly, even if they were loaded from a dedicated file
$ vault-cli --url https://something --token-file /path dump-config > vault.yml
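The two points above about secret files (the permissions of the files named by password-file and token-file, and dump-config writing secrets directly into its output) can be checked with a short script. This is an added example, not part of vault-cli: it takes an already-parsed configuration mapping, and the inline key names token and password, the function names and the sample files are assumptions constructed for the illustration.

```python
import os
import stat
import tempfile

# Options naming a file that holds a secret (from the page).
SECRET_FILE_OPTIONS = ("password-file", "token-file")
# Options holding a secret inline, as dump-config writes them (assumed names).
INLINE_SECRET_OPTIONS = ("token", "password")


def too_open(path):
    """True if group or others have any access to the file."""
    mode = stat.S_IMODE(os.stat(os.path.expanduser(path)).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def audit(config, config_path):
    """Return findings for an already-parsed vault-cli config mapping."""
    findings = []
    for option in SECRET_FILE_OPTIONS:
        path = config.get(option)
        if path and not os.path.exists(os.path.expanduser(path)):
            findings.append(f"{option}: {path} does not exist")
        elif path and too_open(path):
            findings.append(f"{option}: {path} is open to group/others")
    inline = [o for o in INLINE_SECRET_OPTIONS if config.get(o)]
    if inline and too_open(config_path):
        findings.append(f"{config_path}: inline {', '.join(inline)}, "
                        "file is open to group/others")
    return findings


def demo():
    """Constructed sample: audit before and after tightening modes."""
    with tempfile.TemporaryDirectory() as tmp:
        token_file = os.path.join(tmp, "vault-token")
        dumped = os.path.join(tmp, "vault.yml")
        configs = ({"token-file": token_file}, {"token": "constructed"})
        results = []
        for mode in (0o644, 0o600):
            for path in (token_file, dumped):
                with open(path, "w") as handle:
                    handle.write("constructed sample\n")
                os.chmod(path, mode)
            results.append([f for c in configs for f in audit(c, dumped)])
        return results  # [findings at 0644, findings at 0600]


if __name__ == "__main__":
    print(*demo()[0], sep="\n")
```

A file created by shell redirection, as in the dump-config command above, gets its mode from the current umask, so it is worth running this check on the resulting vault.yml.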