DocumentationTutorialsTry Cloud!

plugin

The plugin command groups subcommands for interacting with Vault's plugins and the plugin catalog

Examples

List all available secret plugins in the catalog:

$ vault plugin list secret

Name            Version
----            -------
ad              v0.14.0+builtin
alicloud        v0.13.0+builtin
...

Register a new secret plugin to the catalog:

$ vault plugin register \
  -sha256=d3f0a8be02f6c074cf38c9c99d4d04c9c6466249 \
  secret my-custom-plugin
Success! Registered plugin: my-custom-plugin

Get information about a plugin in the catalog:

$ vault plugin info secret my-custom-plugin
Key                   Value
---                   -----
args                  []
builtin               false
command               my-custom-plugin
deprecation_status    n/a
name                  my-custom-plugin
oci_image             n/a
runtime               n/a
sha256                33e72f3d30ff2acdbf3cf3c8fa1c8945b60dab876c4226ab25617a63c9f16cc5
version               n/a

Usage

For more information, examples, and usage about a subcommand, click on the name of the subcommand in the sidebar.

plugin deregister

The plugin deregister command deregisters an existing plugin from Vault's plugin catalog. If the plugin does not exist, no error is returned. The plugin's type of "auth", "database", or "secret" must be included.

Examples

Deregister a plugin:

Usage

The following flags are available in addition to the standard set of flags included on all commands.

  • -version (string: "") - Semantic version of the plugin to deregister. If unset, only an unversioned plugin may be deregistered.

plugin info

The plugin info displays information about a plugin in the catalog. The plugin's type of "auth", "database", or "secret" must be included.

deprecation_status field

As of 1.12, all builtin plugins will have an associated Deprecation Status. This status will be reflected in the deprecation_status key/value pair, seen below.

Examples

Display information about a plugin

Usage

The following flags are available in addition to the standard set of flags included on all commands.

Output options

  • -field (string: "") - Print only the field with the given name. Specifying this option will take precedence over other formatting directives. The result will not have a trailing newline making it ideal for piping to other processes.

  • -format (string: "table") - Print the output in the given format. Valid formats are "table", "json", or "yaml". This can also be specified via the VAULT_FORMAT environment variable.

Command options

  • -plugin-version (string: "") - Semantic version of the plugin to read from the catalog. If unspecified, refers to the unversioned plugin registered with the same name and type, or the built-in plugin, in that order of precedence.

plugin list

The plugin list command lists all available plugins in the plugin catalog. It can be used alone or with a type such as "auth", "database", or "secret".

Deprecation status column

As of 1.12, all builtin plugins will have an associated Deprecation Status. This status will be reflected in the Deprecation Status column, seen below. All non-builtin plugins will show a Deprecation Status of "n/a".

Examples

List all available plugins in the catalog.

List detailed plugin information:

Usage

The following flags are available in addition to the standard set of flags included on all commands.

Output options

  • -format (string: "table") - Print the output in the given format. Valid formats are "table", "json", or "yaml". This can also be specified via the VAULT_FORMAT environment variable.

Command options

  • -detailed (bool: false) - Print detailed information such as version and deprecation status about each plugin.

plugin register

The plugin register command registers a new plugin in Vault's plugin catalog. The plugin's type of "auth", "database", or "secret" must be included.

Examples

Register a plugin:

Register a plugin with custom args:

Usage

The following flags are available in addition to the standard set of flags included on all commands.

Output options

  • -format (string: "table") - Print the output in the given format. Valid formats are "table", "json", or "yaml". This can also be specified via the VAULT_FORMAT environment variable.

Command options

  • -sha256 (string: <required>) - SHA256 of the plugin binary or the OCI image provided. This is required for all plugins.

  • -args ([]string: []) - Argument to pass to the plugin when starting. This flag can be specified multiple times to specify multiple args.

  • -command (string: "") - Command to spawn the plugin. This defaults to the name of the plugin if both -oci_image and -command are unspecified.

  • -env ([]string: []) - Environment variables to set for the plugin when starting. This flag can be specified multiple times to specify multiple environment variables.

  • -oci_image (string: "") - OCI image to run. If specified, setting -command, -args, and -env will update the container's entrypoint, args, and environment variables (append-only) respectively.

  • -runtime (string: "") - Vault plugin runtime to use if -oci_image is specified.

  • -version (string: "") - Semantic version of the plugin. Used as the tag when specifying -oci_image, but any leading 'v' will automatically be trimmed.

plugin reload

The plugin reload command is used to reload mounted plugin backends. Either the plugin name (plugin) or the desired plugin backend mounts (mounts) must be provided, but not both. In the case that the plugin name is provided, all mounted paths that use that plugin backend will be reloaded.

Examples

Reload a plugin by name:

Reload an auth plugin by mount:

Reload a secrets plugin by mount:

Usage

The following flags are available in addition to the standard set of flags included on all commands.

Command options

  • -plugin (string: "") - The name of the plugin to reload, as registered in the plugin catalog.

  • -mounts (array: []) - Array or comma-separated string mount paths of the plugin backends to reload.

  • -scope (string: "") - The scope of the reload. For local reloads, omit this flag. For reloads that span multiple Vault clusters, use global.

plugin runtime

The plugin runtime command groups subcommands for interacting with and configuring the context within which your external plugins run.

Limited type support

Support for runtime types is currently limited to `container`.

Limited OS support

Support for the 'container` runtime is currently limited to Linux.

If you register a container plugin without referencing a plugin runtime, it will use gVisor's OCI runtime runsc by default, with no resource limits. You can use plugin runtimes to configure other OCI-compliant runtimes such as runc. Vault does not come packaged with any supporting container runtimes, and you must separately install whichever you want to use.

To use a registered plugin runtime, use the -runtime option with the plugin registration command.

See containerized plugins for more details on running external plugins in containers.

Examples

Register a new plugin runtime to the catalog:

List all available plugin runtimes in the catalog:

Get information about a plugin runtime in the catalog:

Usage

For more information, examples, and usage about a subcommand, click on the name of the subcommand in the sidebar.

plugin runtime deregister

Deregister an existing plugin runtime in the catalog with the given name. Returns an error if a registered plugin references the named plugin runtime or the named runtime does not exist.

Limited type support

Support for runtime types is currently limited to `container`.

Examples

Deregister a plugin:

Usage

The following flags are available in addition to the standard set of flags included on all commands.

  • -type (string: <required>) - Plugin runtime type. Vault currently only supports container runtime type.

plugin runtime info

Displays information about a plugin runtime in the catalog with the given name. If the plugin runtime does not exist, an error is returned.

Limited type support

Support for runtime types is currently limited to `container`.

Examples

Display information about a plugin

Usage

The following flags are available in addition to the standard set of flags included on all commands.

Output options

  • -field (string: "") - Print information for the named field without a trailing newline. The -field parameter takes precedence over other formatting directives.

  • -format (string: "table") - Print the output for the current command in the given format. Valid formats are table, json, or yaml. Use the VAULT_FORMAT environment variable to set your output preferences globally.

Command options

  • -type (string: "") - Plugin runtime type. Vault currently only supports container runtime type.

plugin list

List all plugin runtimes currently registered with Vault. Returns all the available plugin runtimes or an error if the set of registered runtimes is empty. Vault considers any registered plugin runtime "available", regardless of whether it is currently in use.

Examples

List all available plugin runtimes in the catalog.

Usage

The following flags are available in addition to the standard set of flags included on all commands.

Output options

  • -format (string: "table") - Print the output for the current command in the given format. Valid formats are table, json, or yaml. Use the VAULT_FORMAT environment variable to set your output preferences globally.

Command options

  • -type (string: "") - Plugin runtime type. Vault currently only supports container runtime type.

plugin runtime register

Register a new plugin runtime in the plugin runtime catalog of your Vault instance.

Limited type support

Support for runtime types is currently limited to `container`.

To use a registered plugin runtime, use the -runtime option with the plugin registration command.

Examples

Register a plugin runtime:

Register a plugin runtime with resource limits:

Usage

The following flags are available in addition to the standard set of flags included on all commands.

Command options

  • -type (string: <required>) - Plugin runtime type. Vault currently only supports container as a runtime type.

  • -cgroup_parent (string: "") - Parent cgroup to set for each container. Use cgroup_parent to control the total resource usage for a group of plugins.

  • -cpu_nanos (int: 0) - CPU limit to set per container in billionths of a CPU core. Defaults to no limit.

  • -memory_bytes (int: 0) - Memory limit to set per container in bytes. Defaults to no limit.

  • -oci_runtime (string: "") - Open Container Initiative (OCI) compliant container runtime to use. Default is the gVisor OCI runtime, runsc.

PreviouspkiNextpolicy

Last updated