HashiDays One conference. Three cities. Find a city near you
Vault
Vault Home

vault agent

Start an instance of Vault Agent.

$ vault agent -config <config_file>$ vault agent [-help | -h]

Description

vault agent start an instance of Vault Agent, which automatically authenticates and fetches secrets for client applications.

Related API endpoints

None

Command arguments

None.

Command options

None.

Command flags


-config (string : <required>)

Path to a single Vault Agent configuration file or directory of configuration files with agent directives. Repeat the -config flag as needed to specify more than one discrete configuration file. If you specify more than one configuration file, Agent composes the source files into a single configuration file at runtime.

Example: -config /path/to/file.hcl



-exit-after-auth (bool : false)

Exit with code 0 after a single successful auth. Success indicates successful token retrieval and write to sink.

Example: -exit-after-auth



-log-file (string : "./<service>.log")

Absolute path where Vault Agent saves logging data.

  • Paths ending with / use the default file name <service>.log. For example, vault.log for Vault and agent.log for Vault Agent.
  • Paths ending with a name but not an extension use the .log extension.
  • Paths ending with a name and extension use the provided file name.

Example: -log-file "/var/log/vault-logs/"



[-log-format | VAULT_LOG_FORMAT] (enum : standard)

Format of log data:

  • standard - Write log data as basic text.
  • json - Write log data as JSON.

Examples:

  • CLI flag: -log-format json
  • Environment variable: export VAULT_LOG_FORMAT=json


[-log-level | VAULT_LOG_LEVEL] (enum : info)

Default logging level for the Vault server.

EnumLogging behavior
traceLog everything including details about process flow within the server
debuginfo level logging and detailed server state
infowarn level logging, server events, and general server state
warnerr level logging, deprecations, and potentially harmful events/states in the server
errLog information about non-fatal errors and handled exceptions

Examples:

  • CLI flag: -log-level debug
  • Environment variable: export VAULT_LOG_LEVEL=debug


-log-rotate-bytes (int : <unset>)

File size, in bytes, after which log files must rotate. Leave log-rotate-bytes unset if you prefer not to limit log file size.

Example: -log-rotate-bytes 1000000



-log-rotate-duration (string : "24h")

Amount of time, in <number>[s|m|h|d] format, after which log files must rotate.

Example: -log-rotate-duration "2h"



-log-rotate-max-files (int : 0)

The number of log file archives to preserve over time:

  • n - Preserve up to n archived logs.
  • 0 - Never delete log archives.
  • -1 - Always delete log archives.

The archived name of rotated logs includes a timestamp indicating when the log rotated. For example, the file /var/log/agent.log archives to /var/log/agent-{timestamp}.log before resetting.

Example: -log-rotate-max-files 5

Standard flags


[-address | VAULT_ADDR] (string : 'https://127.0.0.1:8200')

Address of the Vault server.

Examples:

  • CLI flag: -address "https://mydomain/vault:8200"
  • Environment variable: export VAULT_ADDR="https://mydomain/vault:8200"


[-agent-address | VAULT_AGENT_ADDR] (string : "")

Address of the Vault Agent, if used.

Examples:

  • CLI flag: -agent-address "https://mydomain/vault-agent:8200"
  • Environment variable: export VAULT_AGENT_ADDR="https://mydomain/vault-agent:8200"


[-ca-cert | VAULT_CACERT] (string : "")

Path to a PEM-encoded CA certificate file on the local disk. Used to verify SSL certificates for the server. Takes precedence over -ca_path.

Examples:

  • CLI flag: -ca-cert "/path/to/certs/mycert.pem"
  • Environment variable: export VAULT_CACERT="/path/to/certs/mycert.pem"


[-ca-path | VAULT_CAPATH] (string : "")

Path to a directory with PEM-encoded CA certificate files on the local disk. Used to verify SSL certificates for the server.

Examples:

  • CLI flag: -ca-path "/path/to/certs/dir"
  • Environment variable: export VAULT_CAPATH="/path/to/certs/dir"


[-client-cert | VAULT_CLIENT_CERT] (string : "")

Path to a PEM-encoded CA certificate file on the local disk. Used for TLS communication with the server. The specified certificate must match to the private key specified with -client-cert.

Examples:

  • CLI flag: -client-cert "/path/to/certs/mycert.pem"
  • Environment variable: export VAULT_CLIENT_CERT="/path/to/certs/mycert.pem"


[-client-key | VAULT_CLIENT_KEY] (string : "")

Path to a PEM-encoded private key that matches the client certificate set with -client-cert.

Examples:

  • CLI flag: -client-key "/path/to/keys/myprivatekey.pem"
  • Environment variable: export VAULT_CLIENT_KEY="/path/to/keys/myprivatekey.pem"


[-disable-redirects | VAULT_DISABLE_REDIRECTS] (bool : false)

Disable the default CLI redirect behavior so the CLI honors the first redirect response from the underlying API instead of following the full HTTP redirect chain.

Examples:

  • CLI flag: -disable-redirects
  • Environment variable: export VAULT_DISABLE_REDIRECTS=1

Warning

Disabling the default redirect behavior may cause commands that redirect requests to primary cluster notes (like vault operator raft snapshot) to misbehave.



-header (string : "")

Optional HTTP header in the form "<key>=<value>" for the CLI request. Repeat the -header flag as needed with one string per flag. User-defined headers cannot start with X-Vault-

Example: -header "Cache-Control=max-age=0"



[-mfa | VAULT_MFA] (string : "") Enterprise

A multi-factor authentication (MFA) credential, in the format mfa_method_name[:key[=value]], that the CLI should use to authenticate to Vault. The CLI adds MFA credentials to the X-Vault-MFA header when calling the underlying API endpoint.

Examples:

  • CLI flag: -mfa "totp:password=12345"
  • Environment variable: export VAULT_MFA="totp:password=12345"

Note

The VAULT_MFA environment variable only accepts one MFA method specification and one credential for the specified method. To supply multiple credentials or MFA methods, use the -mfa CLI flag and repeat the flag as needed.



[-namespace | -ns | VAULT_NAMESPACE] (string : <unset>)

Root namespace for the CLI command. Setting a default namespace allow relative mount paths.

Examples:

  • CLI flag: -namespace "admin"
  • Environment variable: export VAULT_NAMESPACE="admin"


-non-interactive (bool : false)

Prevent the CLI from asking users for input through the terminal.

Example: -non-interactive



-output-curl-string (bool : false)

Print the API call(s) required to execute the CLI command as cURL strings then exit without running the command.

Example: -output-curl-string



-output-policy (bool : false)

Print the Vault policy required to execute the CLI command as HCL then exit without running the command.

Example: -output-policy



-policy-override (bool : false)

Overrides any Sentinel policy where enforcement_level is "soft-mandatory".

Example: -policy-override



[-tls-server-name | VAULT_TLS_SERVER_NAME] (string : "")

Name of the SNI host for TLS handshake resolution for TLS connections to Vault.

Examples:

  • CLI flag: -tls-server-name "hostname.domain"
  • Environment variable: export VAULT_TLS_SERVER_NAME="hostname.domain"


[-tls-skip-verify | VAULT_SKIP_VERIFY] (bool : false)

Disable verification for all TLS certificates. Use with caution. Disabling TLS certificate verification decreases the security of data transmissions to and from the Vault server.

Examples:

  • CLI flag: -tls-skip-verify
  • Environment variable: export VAULT_SKIP_VERIFY=1


-unlock-key (string : <unset>)

Plaintext key that unlocks the underlying API endpoint for a given namespace.

Example: -unlock-key "7oXtdlmvRQ"



[-wrap-ttl | VAULT_WRAP_TTL] (string : "")

Default time-to-live in <number>[s|m|h|d] format for the Cubbyhole token used to wrap CLI responses. You must use vault unwrap to view response data before the duration expires. Leave wrap_ttl unset to leave CLI responses unwrapped.

Examples:

  • CLI flag: -wrap-ttl "5m"
  • Environment variable: export VAULT_WRAP_TTL="5m"

Examples

Start Vault Agent with a single configuration file:

$ vault agent -config=/etc/vault/agent/config.hcl

Start Vault Agent with a two discrete configuration files:

$ vault agent                                   \    -config=/etc/vault/agent/base-config.hcl    \    -config=/etc/vault/agent/auto-auth-config.hcl

Start Vault Agent with a set of configuration files under the `` directory:

$ vault agent -config=/etc/vault/agent/config-files/
Edit this page on GitHub