Difference between revisions of "Vault server --help"
Jump to navigation
Jump to search
(Created page with "{{lc}} == See also == * {{vault}} Category:Vault") |
|||
| Line 1: | Line 1: | ||
{{lc}} | {{lc}} | ||
| + | <pre> | ||
| + | Usage: vault server [options] | ||
| + | |||
| + | This command starts a Vault server that responds to API requests. By default, | ||
| + | Vault will start in a "sealed" state. The Vault cluster must be initialized | ||
| + | before use, usually by the "vault operator init" command. Each Vault server must | ||
| + | also be unsealed using the "vault operator unseal" command or the API before the | ||
| + | server can respond to requests. | ||
| + | |||
| + | Start a server with a configuration file: | ||
| + | |||
| + | $ vault server -config=/etc/vault/config.hcl | ||
| + | |||
| + | Run in "dev" mode: | ||
| + | |||
| + | $ vault server -dev -dev-root-token-id="root" | ||
| + | |||
| + | For a full list of examples, please see the documentation. | ||
| + | |||
| + | HTTP Options: | ||
| + | |||
| + | -address=<string> | ||
| + | Address of the Vault server. The default is https://127.0.0.1:8200. This | ||
| + | can also be specified via the VAULT_ADDR environment variable. | ||
| + | |||
| + | -agent-address=<string> | ||
| + | Address of the Agent. This can also be specified via the | ||
| + | VAULT_AGENT_ADDR environment variable. | ||
| + | |||
| + | -ca-cert=<string> | ||
| + | Path on the local disk to a single PEM-encoded CA certificate to verify | ||
| + | the Vault server's SSL certificate. This takes precedence over -ca-path. | ||
| + | This can also be specified via the VAULT_CACERT environment variable. | ||
| + | |||
| + | -ca-path=<string> | ||
| + | Path on the local disk to a directory of PEM-encoded CA certificates to | ||
| + | verify the Vault server's SSL certificate. This can also be specified | ||
| + | via the VAULT_CAPATH environment variable. | ||
| + | |||
| + | -client-cert=<string> | ||
| + | Path on the local disk to a single PEM-encoded CA certificate to use | ||
| + | for TLS authentication to the Vault server. If this flag is specified, | ||
| + | -client-key is also required. This can also be specified via the | ||
| + | VAULT_CLIENT_CERT environment variable. | ||
| + | |||
| + | -client-key=<string> | ||
| + | Path on the local disk to a single PEM-encoded private key matching the | ||
| + | client certificate from -client-cert. This can also be specified via the | ||
| + | VAULT_CLIENT_KEY environment variable. | ||
| + | |||
| + | -disable-redirects | ||
| + | Disable the default client behavior, which honors a single redirect | ||
| + | response from a request The default is false. This can also be specified | ||
| + | via the VAULT_DISABLE_REDIRECTS environment variable. | ||
| + | |||
| + | -header=<key=value> | ||
| + | Key-value pair provided as key=value to provide http header added to any | ||
| + | request done by the CLI.Trying to add headers starting with 'X-Vault-' | ||
| + | is forbidden and will make the command fail This can be specified | ||
| + | multiple times. | ||
| + | |||
| + | -mfa=<string> | ||
| + | Supply MFA credentials as part of X-Vault-MFA header. This can also be | ||
| + | specified via the VAULT_MFA environment variable. | ||
| + | |||
| + | -namespace=<string> | ||
| + | The namespace to use for the command. Setting this is not necessary | ||
| + | but allows using relative paths. -ns can be used as shortcut. The | ||
| + | default is (not set). This can also be specified via the VAULT_NAMESPACE | ||
| + | environment variable. | ||
| + | |||
| + | -non-interactive | ||
| + | When set true, prevents asking the user for input via the terminal. The | ||
| + | default is false. | ||
| + | |||
| + | -output-curl-string | ||
| + | Instead of executing the request, print an equivalent cURL command | ||
| + | string and exit. The default is false. | ||
| + | |||
| + | -output-policy | ||
| + | Instead of executing the request, print an example HCL policy that would | ||
| + | be required to run this command, and exit. The default is false. | ||
| + | |||
| + | -policy-override | ||
| + | Override a Sentinel policy that has a soft-mandatory enforcement_level | ||
| + | specified The default is false. | ||
| + | |||
| + | -tls-server-name=<string> | ||
| + | Name to use as the SNI host when connecting to the Vault server via TLS. | ||
| + | This can also be specified via the VAULT_TLS_SERVER_NAME environment | ||
| + | variable. | ||
| + | |||
| + | -tls-skip-verify | ||
| + | Disable verification of TLS certificates. Using this option is highly | ||
| + | discouraged as it decreases the security of data transmissions to and | ||
| + | from the Vault server. The default is false. This can also be specified | ||
| + | via the VAULT_SKIP_VERIFY environment variable. | ||
| + | |||
| + | -unlock-key=<string> | ||
| + | Key to unlock a namespace API lock. The default is (not set). | ||
| + | |||
| + | -wrap-ttl=<duration> | ||
| + | Wraps the response in a cubbyhole token with the requested TTL. The | ||
| + | response is available via the "vault unwrap" command. The TTL is | ||
| + | specified as a numeric string with suffix like "30s" or "5m". This can | ||
| + | also be specified via the VAULT_WRAP_TTL environment variable. | ||
| + | |||
| + | Command Options: | ||
| + | |||
| + | -config=<string> | ||
| + | Path to a configuration file or directory of configuration files. This | ||
| + | flag can be specified multiple times to load multiple configurations. | ||
| + | If the path is a directory, all files which end in .hcl or .json are | ||
| + | loaded. | ||
| + | |||
| + | -exit-on-core-shutdown | ||
| + | Exit the vault server if the vault core is shutdown. The default is | ||
| + | false. | ||
| + | |||
| + | -log-format=<string> | ||
| + | Log format. Supported values are "standard" and "json". The default is | ||
| + | (not set). | ||
| + | |||
| + | -log-level=<string> | ||
| + | Log verbosity level. Supported values (in order of detail) are "trace", | ||
| + | "debug", "info", "warn", and "error". The default is (not set). This can | ||
| + | also be specified via the VAULT_LOG_LEVEL environment variable. | ||
| + | |||
| + | -recovery | ||
| + | Enable recovery mode. In this mode, Vault is used to perform recovery | ||
| + | actions.Using a recovery operation token, "sys/raw" API can be used to | ||
| + | manipulate the storage. The default is false. | ||
| + | |||
| + | Dev Options: | ||
| + | |||
| + | -dev | ||
| + | Enable development mode. In this mode, Vault runs in-memory and starts | ||
| + | unsealed. As the name implies, do not run "dev" mode in production. The | ||
| + | default is false. | ||
| + | |||
| + | -dev-listen-address=<string> | ||
| + | Address to bind to in "dev" mode. The default is 127.0.0.1:8200. This | ||
| + | can also be specified via the VAULT_DEV_LISTEN_ADDRESS environment | ||
| + | variable. | ||
| + | |||
| + | -dev-no-store-token | ||
| + | Do not persist the dev root token to the token helper (usually the local | ||
| + | filesystem) for use in future requests. The token will only be displayed | ||
| + | in the command output. The default is false. | ||
| + | |||
| + | -dev-root-token-id=<string> | ||
| + | Initial root token. This only applies when running in "dev" mode. | ||
| + | This can also be specified via the VAULT_DEV_ROOT_TOKEN_ID environment | ||
| + | variable. | ||
| + | |||
| + | -dev-tls | ||
| + | Enable TLS development mode. In this mode, Vault runs in-memory and | ||
| + | starts unsealed, with a generated TLS CA, certificate and key. As the | ||
| + | name implies, do not run "dev-tls" mode in production. The default is | ||
| + | false. | ||
| + | |||
| + | -dev-tls-cert-dir=<string> | ||
| + | Directory where generated TLS files are created if `-dev-tls` is | ||
| + | specified. If left unset, files are generated in a temporary directory. | ||
| + | </pre> | ||
Revision as of 17:44, 30 November 2022
Usage: vault server [options]
This command starts a Vault server that responds to API requests. By default,
Vault will start in a "sealed" state. The Vault cluster must be initialized
before use, usually by the "vault operator init" command. Each Vault server must
also be unsealed using the "vault operator unseal" command or the API before the
server can respond to requests.
Start a server with a configuration file:
$ vault server -config=/etc/vault/config.hcl
Run in "dev" mode:
$ vault server -dev -dev-root-token-id="root"
For a full list of examples, please see the documentation.
HTTP Options:
-address=<string>
Address of the Vault server. The default is https://127.0.0.1:8200. This
can also be specified via the VAULT_ADDR environment variable.
-agent-address=<string>
Address of the Agent. This can also be specified via the
VAULT_AGENT_ADDR environment variable.
-ca-cert=<string>
Path on the local disk to a single PEM-encoded CA certificate to verify
the Vault server's SSL certificate. This takes precedence over -ca-path.
This can also be specified via the VAULT_CACERT environment variable.
-ca-path=<string>
Path on the local disk to a directory of PEM-encoded CA certificates to
verify the Vault server's SSL certificate. This can also be specified
via the VAULT_CAPATH environment variable.
-client-cert=<string>
Path on the local disk to a single PEM-encoded CA certificate to use
for TLS authentication to the Vault server. If this flag is specified,
-client-key is also required. This can also be specified via the
VAULT_CLIENT_CERT environment variable.
-client-key=<string>
Path on the local disk to a single PEM-encoded private key matching the
client certificate from -client-cert. This can also be specified via the
VAULT_CLIENT_KEY environment variable.
-disable-redirects
Disable the default client behavior, which honors a single redirect
response from a request The default is false. This can also be specified
via the VAULT_DISABLE_REDIRECTS environment variable.
-header=<key=value>
Key-value pair provided as key=value to provide http header added to any
request done by the CLI.Trying to add headers starting with 'X-Vault-'
is forbidden and will make the command fail This can be specified
multiple times.
-mfa=<string>
Supply MFA credentials as part of X-Vault-MFA header. This can also be
specified via the VAULT_MFA environment variable.
-namespace=<string>
The namespace to use for the command. Setting this is not necessary
but allows using relative paths. -ns can be used as shortcut. The
default is (not set). This can also be specified via the VAULT_NAMESPACE
environment variable.
-non-interactive
When set true, prevents asking the user for input via the terminal. The
default is false.
-output-curl-string
Instead of executing the request, print an equivalent cURL command
string and exit. The default is false.
-output-policy
Instead of executing the request, print an example HCL policy that would
be required to run this command, and exit. The default is false.
-policy-override
Override a Sentinel policy that has a soft-mandatory enforcement_level
specified The default is false.
-tls-server-name=<string>
Name to use as the SNI host when connecting to the Vault server via TLS.
This can also be specified via the VAULT_TLS_SERVER_NAME environment
variable.
-tls-skip-verify
Disable verification of TLS certificates. Using this option is highly
discouraged as it decreases the security of data transmissions to and
from the Vault server. The default is false. This can also be specified
via the VAULT_SKIP_VERIFY environment variable.
-unlock-key=<string>
Key to unlock a namespace API lock. The default is (not set).
-wrap-ttl=<duration>
Wraps the response in a cubbyhole token with the requested TTL. The
response is available via the "vault unwrap" command. The TTL is
specified as a numeric string with suffix like "30s" or "5m". This can
also be specified via the VAULT_WRAP_TTL environment variable.
Command Options:
-config=<string>
Path to a configuration file or directory of configuration files. This
flag can be specified multiple times to load multiple configurations.
If the path is a directory, all files which end in .hcl or .json are
loaded.
-exit-on-core-shutdown
Exit the vault server if the vault core is shutdown. The default is
false.
-log-format=<string>
Log format. Supported values are "standard" and "json". The default is
(not set).
-log-level=<string>
Log verbosity level. Supported values (in order of detail) are "trace",
"debug", "info", "warn", and "error". The default is (not set). This can
also be specified via the VAULT_LOG_LEVEL environment variable.
-recovery
Enable recovery mode. In this mode, Vault is used to perform recovery
actions.Using a recovery operation token, "sys/raw" API can be used to
manipulate the storage. The default is false.
Dev Options:
-dev
Enable development mode. In this mode, Vault runs in-memory and starts
unsealed. As the name implies, do not run "dev" mode in production. The
default is false.
-dev-listen-address=<string>
Address to bind to in "dev" mode. The default is 127.0.0.1:8200. This
can also be specified via the VAULT_DEV_LISTEN_ADDRESS environment
variable.
-dev-no-store-token
Do not persist the dev root token to the token helper (usually the local
filesystem) for use in future requests. The token will only be displayed
in the command output. The default is false.
-dev-root-token-id=<string>
Initial root token. This only applies when running in "dev" mode.
This can also be specified via the VAULT_DEV_ROOT_TOKEN_ID environment
variable.
-dev-tls
Enable TLS development mode. In this mode, Vault runs in-memory and
starts unsealed, with a generated TLS CA, certificate and key. As the
name implies, do not run "dev-tls" mode in production. The default is
false.
-dev-tls-cert-dir=<string>
Directory where generated TLS files are created if `-dev-tls` is
specified. If left unset, files are generated in a temporary directory.
See also
vault [ secrets enable | kv put | kv get | server | operator | auth | token | secrets | auth enable | status] Vault Changelog,vault help
Advertising:
