Vault Cheat Sheet

Start the server in DEV mode

vault server -dev

Enable a Secrets Engine

vault secrets enable -path=<name of secret> kv

Write key value pair

vault write secret/<name of secret> <data kv pairs>

Write specific secret to file

vault kv put secret/<name of secret> @<file>

Or specify the contents of a file as a value:

vault kv put secret/<name of secret> value=@<file>

Read secret

vault read secret/<name of secret>

Read secret as JSON

vault read -format=json secret/<name of secret>

Read specific secret field

vault kv get -format=json secret/<name of secret> | jq -r .data.data.<name of field>

vault kv get -field=<name of field> secret/<name of secret>

Delete secret

vault delete secret/<name of secret>

Mount backend

vault mount kv

List mounts

vault mounts

Unmount

vault unmount kv

Mount aws back-end

vault mount aws

Create token

vault token create

Revoke token

vault token revoke

Authenticate

vault login <token>

Policies

Creating a policy

vault policy write <policy-name> <policy-file> ( V1 et V2 hcl might need to be implemented )

HCL example

# Normal servers have version 1 of KV mounted by default, so will need these
# paths:
path "secret/*" {
  capabilities = ["create"]
}
path "secret/foo" {
  capabilities = ["read"]
}

# Dev servers have version 2 of KV mounted by default, so will need these
# paths:
path "secret/data/*" {
  capabilities = ["create"]
}
path "secret/data/foo" {
  capabilities = ["read"]
}

Using a policy

vault token create -policy=<policy-name> [-no-default-policy]