Vault CLI Essentials
HashiCorp Vault CLI for secret management.
Auth
HashiCorp Vault is a popular secret management platform. The vault CLI is how engineers interact with Vault from the command line. Knowing the essentials accelerates routine operations.
What authentication looks like:
- vault login -method=oidc for SSO.: The OIDC method handles SSO authentication. The engineer's identity provider authenticates them; Vault accepts the OIDC token; the CLI is authenticated.
- Tokens cached locally.: The CLI's default token helper writes the token to ~/.vault-token and later commands read it from there (a VAULT_TOKEN environment variable takes precedence when set). That file is a bearer credential: anyone who can read it is you as far as Vault is concerned, so keep it owner-only and treat a lost laptop as a lost token until it is revoked with vault token revoke.
- Renewed before expiry.: A token carries a TTL. It can be extended with vault token renew only while it is still valid, only if it was issued as renewable, and never beyond its max TTL. Vault Agent's auto-auth performs that renewal for long-running consumers; an interactive CLI session that outlives its TTL simply logs in again.
- Multiple auth methods.: Beyond OIDC, Vault supports many auth methods: userpass, AppRole, AWS IAM, Kubernetes, others. The team picks the appropriate methods for different consumers.
- Audit logged.: Once an audit device is enabled (for example vault audit enable file file_path=/var/log/vault_audit.log), every authentication and every subsequent request is recorded there; with no audit device enabled, nothing is. The team can then see who is accessing Vault; the security posture is observable.
Authentication is the foundation. After authentication, the CLI is fast.
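Renewal is worth automating in scripts, so here is an added example (not from the original page and not HashiCorp's code) that reads the JSON printed by vault token lookup -format=json and decides between doing nothing, running vault token renew, and running vault login again. The lookup document is constructed to match that command's output shape (the token's ttl, renewable flag, type and policies sit under data); the ten-minute margin and the owner-only check on ~/.vault-token are this example's own choices.

```python
"""Decide whether the cached CLI token should be renewed or replaced.

Added example, not code from the original page or from HashiCorp. It
parses the JSON printed by `vault token lookup -format=json` and applies
a renew-before-expiry rule; the sample document is constructed to match
that command's output shape (the token's own attributes sit under "data").
"""
import json
import stat

# Constructed sample: `vault token lookup -format=json` for an OIDC login.
# The envelope's own "renewable" is false; the token's flag is data.renewable.
LOOKUP_JSON = """{
  "request_id": "5d1b6b22-0000-0000-0000-000000000000",
  "lease_id": "", "lease_duration": 0, "renewable": false,
  "data": {
    "accessor": "4G8yN0example",
    "creation_time": 1736935200,
    "creation_ttl": 3600,
    "display_name": "oidc-alice@example.com",
    "entity_id": "c3e0f1a2-0000-0000-0000-000000000000",
    "expire_time": "2025-01-15T11:00:00Z",
    "explicit_max_ttl": 0,
    "issue_time": "2025-01-15T10:00:00Z",
    "path": "auth/oidc/oidc/callback",
    "policies": ["default", "app-reader"],
    "renewable": true,
    "ttl": 420,
    "type": "service"
  },
  "warnings": null
}"""


def token_action(lookup_json: str, margin_seconds: int = 600) -> str:
    """Return "ok", "renew" or "login".

    "ok":    more than margin_seconds of TTL remain; nothing to do.
    "renew": inside the margin and `vault token renew` will succeed
             (service token, renewable, not yet expired).
    "login": inside the margin but renewal is impossible (batch token,
             non-renewable, or already expired), so `vault login` again.
    """
    data = json.loads(lookup_json)["data"]
    ttl = int(data.get("ttl", 0))
    if ttl > margin_seconds:
        return "ok"
    # Batch tokens are never renewable; service tokens only when flagged so.
    can_renew = data.get("type") == "service" and bool(data.get("renewable"))
    return "renew" if can_renew and ttl > 0 else "login"


def with_fields(lookup_json: str, **changes) -> str:
    """Copy of the lookup document with token attributes overridden (what-if checks)."""
    doc = json.loads(lookup_json)
    doc["data"].update(changes)
    return json.dumps(doc)


def token_file_is_private(mode: int) -> bool:
    """True when ~/.vault-token (mode from os.stat) is readable by its owner only.

    The file is a bearer credential; group or world read bits mean any other
    local account can act as this user against Vault.
    """
    return stat.S_IMODE(mode) & 0o077 == 0


if __name__ == "__main__":
    import os
    print("cached token:", token_action(LOOKUP_JSON))
    path = os.path.expanduser("~/.vault-token")
    if os.path.exists(path):
        print("token file private:", token_file_is_private(os.stat(path).st_mode))
```

Renewal only buys time up to the token's max TTL, so a wrapper that keeps getting "renew" for a token near its hard limit should fall back to a fresh login rather than loop on vault token renew.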
Read secrets
The primary CLI operation is reading secrets. The commands are concise; the output supports both interactive and scripted use.
- vault read secret/path returns the secret.: The generic read operation. The path identifies the secret and the response carries its data. This works as written on a KV v1 mount; on a KV v2 mount the API path is secret/data/path, and a plain vault read secret/path finds nothing, which is why vault kv get is the command to prefer there.
- vault kv list secret/ shows children.: Listing the children of a path. The command returns the names of secrets under the path; useful for navigation.
- vault kv get for KV v2.: The KV v2 engine keeps versions. vault kv get retrieves the current version; vault kv get -version=N retrieves a specific one; vault kv get -field=NAME prints a single value for scripts; the -mount flag names the mount separately from the secret path so the CLI does not have to guess where one ends.
- JSON output.: -format=json (or VAULT_FORMAT=json in the environment) produces JSON. Scripts extract fields from it; note that KV v2 nests the secret one level deeper, under data.data, with the version under data.metadata, while KV v1 puts the keys directly under data.
- vault kv put to write.: Writing uses vault kv put secret/path key=value. It replaces the whole secret with the keys given and creates a new version; vault kv patch changes only the keys named, and -cas=N refuses the write unless N is still the current version, which stops two writers from silently overwriting each other.
Reading is the foundation. Most CLI usage is reading; some is writing; the discipline includes both.
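To make the KV v1 / KV v2 difference concrete, here is an added example (not part of the original page, not HashiCorp's code) that takes the JSON the CLI prints and returns the secret's fields either way, refusing a soft-deleted KV v2 version instead of handing back an empty dict. The three response documents are constructed to follow the CLI's -format=json envelope; the engine-detection heuristic is this example's own.

```python
"""Extract secret fields from Vault CLI JSON output, KV v1 or KV v2.

Added example; not code from the original page or from HashiCorp. The
documents below are constructed to mirror the envelope the CLI prints
with -format=json (request_id, lease_id, lease_duration, renewable, data,
warnings). KV v2 nests the user's keys under data.data beside
data.metadata; KV v1 puts them directly under data.
"""
import json


class SecretUnavailable(Exception):
    """Raised when the response carries no usable secret data."""


# Constructed: `vault kv get -format=json secret/app/db` on a KV v2 mount.
KV2_CURRENT = """{
  "request_id": "7f1c3b0e-0000-0000-0000-000000000001",
  "lease_id": "", "lease_duration": 0, "renewable": false,
  "data": {
    "data": {"username": "app", "password": "s3cr3t-v3"},
    "metadata": {"created_time": "2025-01-15T10:00:00Z", "custom_metadata": null,
                 "deletion_time": "", "destroyed": false, "version": 3}
  },
  "warnings": null
}"""

# Constructed: the same path after `vault kv delete -versions=3 secret/app/db`;
# the version's metadata survives but its data is gone.
KV2_DELETED = """{
  "request_id": "7f1c3b0e-0000-0000-0000-000000000002",
  "lease_id": "", "lease_duration": 0, "renewable": false,
  "data": {
    "data": null,
    "metadata": {"created_time": "2025-01-15T10:00:00Z", "custom_metadata": null,
                 "deletion_time": "2025-01-16T09:30:00Z", "destroyed": false, "version": 3}
  },
  "warnings": null
}"""

# Constructed: `vault read -format=json secret/app/db` on a KV v1 mount.
KV1_RESPONSE = """{
  "request_id": "7f1c3b0e-0000-0000-0000-000000000003",
  "lease_id": "", "lease_duration": 2764800, "renewable": false,
  "data": {"username": "app", "password": "s3cr3t-v1"},
  "warnings": null
}"""


def parse_kv(json_text: str) -> dict:
    """Return {"engine", "version", "fields"} regardless of KV engine version."""
    doc = json.loads(json_text)
    data = doc.get("data")
    if not isinstance(data, dict):
        raise SecretUnavailable("response has no data block")
    meta = data.get("metadata")
    # Heuristic for KV v2: a metadata dict carrying a version number next to "data".
    # A KV v1 secret that itself stores keys named "data" and "metadata" would also
    # match, so scripts that know the mount type should pass that knowledge instead.
    if isinstance(meta, dict) and "version" in meta and "data" in data:
        if data["data"] is None or meta.get("deletion_time") or meta.get("destroyed"):
            raise SecretUnavailable(
                f"version {meta['version']} is deleted or destroyed; "
                "read another version with -version=N or undelete it first")
        return {"engine": "kv2", "version": meta["version"], "fields": dict(data["data"])}
    return {"engine": "kv1", "version": None, "fields": dict(data)}


def field(json_text: str, name: str) -> str:
    """Mirror of `vault kv get -field=NAME`: one value, or a clear error."""
    fields = parse_kv(json_text)["fields"]
    if name not in fields:
        raise KeyError(f"field {name!r} not present (have: {sorted(fields)})")
    return fields[name]


if __name__ == "__main__":
    for label, doc in (("kv2", KV2_CURRENT), ("kv1", KV1_RESPONSE), ("deleted", KV2_DELETED)):
        try:
            print(label, parse_kv(doc)["version"], sorted(parse_kv(doc)["fields"]))
        except SecretUnavailable as err:
            print(label, "unavailable:", err)
```

In a real pipeline the JSON comes from subprocess.run(["vault", "kv", "get", "-format=json", ...], capture_output=True). Prefer that over vault kv get -field=password in a shell pipeline when the value would otherwise land in shell history or a process list.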
Rotate
Rotation is part of the secret lifecycle. Vault supports rotation via specific commands; the audit log captures all rotation events.
- vault write -f <engine>/rotate-root/<name> rotates a credential.: The -f (-force) flag only lets vault write send a request with no payload; the rotation comes from the endpoint, not the flag. The database engine exposes database/rotate-root/<connection> for the root credential it holds and database/rotate-role/<role> for static roles; the AWS engine exposes aws/config/rotate-root. A KV path has no rotation endpoint: writing a new value there creates a new version, nothing more.
- Audit log captures every read/write.: Every request and response is recorded, reads, writes, rotations and revocations alike. Secret values in the log are HMAC-SHA256 hashed by default, so the log shows that a value was read without becoming a second copy of it.
- Dynamic secrets self-rotate.: Engines such as database and AWS mint a fresh credential per request, each with a lease; when the lease expires or is revoked, Vault deletes the credential at the backend. Rotation is therefore a matter of TTL: short leases mean a leaked credential stops working soon.
- Lease management.: Every dynamic secret comes back with a lease_id and lease_duration. vault lease renew <lease_id> extends it (up to the engine's max TTL), vault lease revoke <lease_id> ends it early, and vault lease revoke -prefix database/creds/ revokes everything under a path, the move to make after a suspected compromise.
- Policy enforcement.: Vault policies (vault policy write <name> <file.hcl>) grant capabilities such as read, create, update and list per path, and a token gets only the policies attached at login. vault token capabilities secret/data/app/db shows what the current token may do there, which is quicker than trying and reading the permission-denied error.
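Since the audit log is only a security record if someone reads it, here is an added example (not from the original page, not HashiCorp's code) that triages audit entries: who read which path, which writes hit rotation endpoints, which requests were denied, and whether any secret value reached the log in the clear. The entries are constructed to follow the shape of the file audit device's JSON lines; the rotate-root and rotate-role path segments are assumed from the database and AWS engines, and a real run would read the file the audit device writes instead of the embedded sample.

```python
"""Triage Vault audit-log entries: who touched what, rotations, denials.

Added example; not code from the original page or from HashiCorp. The
lines below are constructed to follow the shape of the file audit
device's JSON entries (type, time, auth.display_name, auth.policies,
request.operation, request.path, request.remote_address, response,
error). Sensitive values appear as "hmac-sha256:..." because audit
devices hash them before writing.
"""
import json
from collections import Counter

# Rotation endpoints, assumed from the database and AWS secrets engines.
ROTATION_SEGMENTS = ("rotate-root", "rotate-role")

# Constructed sample: one JSON object per line, as the file audit device writes them.
AUDIT_LINES = r'''
{"time":"2025-01-15T10:01:00Z","type":"request","auth":{"client_token":"hmac-sha256:aa11","accessor":"hmac-sha256:bb22","display_name":"oidc-alice@example.com","policies":["default","app-reader"],"token_type":"service"},"request":{"id":"r-1","operation":"read","path":"secret/data/app/db","remote_address":"10.0.0.5"}}
{"time":"2025-01-15T10:01:00Z","type":"response","auth":{"client_token":"hmac-sha256:aa11","accessor":"hmac-sha256:bb22","display_name":"oidc-alice@example.com","policies":["default","app-reader"],"token_type":"service"},"request":{"id":"r-1","operation":"read","path":"secret/data/app/db","remote_address":"10.0.0.5"},"response":{"data":{"data":{"password":"hmac-sha256:cc33","username":"hmac-sha256:dd44"},"metadata":{"version":3}}}}
{"time":"2025-01-15T10:02:00Z","type":"request","auth":{"client_token":"hmac-sha256:ee55","accessor":"hmac-sha256:ff66","display_name":"approle-ci-rotator","policies":["default","db-rotate"],"token_type":"service"},"request":{"id":"r-2","operation":"update","path":"database/rotate-root/postgres","remote_address":"10.0.1.9"}}
{"time":"2025-01-15T10:03:00Z","type":"request","auth":{"client_token":"hmac-sha256:aa11","accessor":"hmac-sha256:bb22","display_name":"oidc-alice@example.com","policies":["default","app-reader"],"token_type":"service"},"request":{"id":"r-3","operation":"update","path":"sys/leases/revoke","remote_address":"10.0.0.5"}}
{"time":"2025-01-15T10:04:00Z","type":"request","auth":{"client_token":"hmac-sha256:1122","accessor":"hmac-sha256:3344","display_name":"oidc-bob@example.com","policies":["default"],"token_type":"service"},"request":{"id":"r-4","operation":"read","path":"secret/data/app/db","remote_address":"203.0.113.7"}}
{"time":"2025-01-15T10:04:00Z","type":"response","auth":{"client_token":"hmac-sha256:1122","accessor":"hmac-sha256:3344","display_name":"oidc-bob@example.com","policies":["default"],"token_type":"service"},"request":{"id":"r-4","operation":"read","path":"secret/data/app/db","remote_address":"203.0.113.7"},"error":"1 error occurred:\n\t* permission denied\n\n"}
'''


def parse_audit(text: str) -> list:
    """One dict per non-empty line; a malformed line becomes a finding, not a crash."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            entries.append({"type": "malformed", "line": n})
    return entries


def access_summary(entries) -> Counter:
    """Count (display_name, operation, path) over request entries only, so each
    call is counted once rather than twice (request plus response)."""
    counts = Counter()
    for e in entries:
        if e.get("type") == "request":
            counts[(e["auth"]["display_name"], e["request"]["operation"], e["request"]["path"])] += 1
    return counts


def rotation_events(entries) -> list:
    """(time, display_name, path) for writes that hit a rotation endpoint."""
    out = []
    for e in entries:
        if e.get("type") != "request" or e["request"]["operation"] != "update":
            continue
        path = e["request"]["path"]
        if any(seg in ROTATION_SEGMENTS for seg in path.split("/")):
            out.append((e["time"], e["auth"]["display_name"], path))
    return out


def denied(entries) -> list:
    """(display_name, remote_address, path) for permission-denied responses."""
    return [(e["auth"]["display_name"], e["request"]["remote_address"], e["request"]["path"])
            for e in entries
            if e.get("type") == "response" and "permission denied" in e.get("error", "")]


def plaintext_leaks(entries) -> list:
    """Response data strings that are not HMAC'd. With a default audit device this is
    empty; anything here means log_raw was enabled and the log now holds secrets."""
    leaks = []
    for e in entries:
        if e.get("type") != "response":
            continue
        stack = [("response.data", e.get("response", {}).get("data"))]
        while stack:
            where, node = stack.pop()
            if isinstance(node, dict):
                stack.extend((f"{where}.{k}", v) for k, v in node.items())
            elif isinstance(node, str) and not node.startswith("hmac-sha256:"):
                leaks.append((e["request"]["id"], where))
    return leaks


if __name__ == "__main__":
    entries = parse_audit(AUDIT_LINES)
    for key, n in access_summary(entries).items():
        print(n, *key)
    print("rotations:", rotation_events(entries))
    print("denied:", denied(entries))
    print("plaintext leaks:", plaintext_leaks(entries))
```

The denied entry is the one to alert on: a read of the production database secret from an address outside the office range, refused only because the token carried just the default policy. The HMAC check is cheap insurance that an audit device was not switched to raw logging, which would turn the audit log itself into the most valuable file on the host.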
The Vault CLI essentials are one of those secret-management skills that pay off in routine operations. Nova AI Ops integrates with secret-management tools, surfaces access patterns, and supports the team's secret discipline.