plugin
The plugin command groups subcommands for interacting with Vault's plugins and the plugin catalog
Examples
List all available secret plugins in the catalog:
Register a new secret plugin to the catalog:
Get information about a plugin in the catalog:
Usage
For more information, examples, and usage about a subcommand, click on the name of the subcommand in the sidebar.
plugin deregister
The plugin deregister command deregisters an existing plugin from Vault's plugin catalog. If the plugin does not exist, no error is returned. The plugin's type of "auth", "database", or "secret" must be included.
Examples
Deregister a plugin:
Usage
The following flags are available in addition to the standard set of flags included on all commands.
-version(string: "")- Semantic version of the plugin to deregister. If unset, only an unversioned plugin may be deregistered.
plugin info
The plugin info displays information about a plugin in the catalog. The plugin's type of "auth", "database", or "secret" must be included.
deprecation_status field
As of 1.12, all builtin plugins will have an associated Deprecation Status. This status will be reflected in the deprecation_status key/value pair, seen below.
Examples
Display information about a plugin
Usage
The following flags are available in addition to the standard set of flags included on all commands.
Output options
-field(string: "")- Print only the field with the given name. Specifying this option will take precedence over other formatting directives. The result will not have a trailing newline making it ideal for piping to other processes.-format(string: "table")- Print the output in the given format. Valid formats are "table", "json", or "yaml". This can also be specified via theVAULT_FORMATenvironment variable.
Command options
-plugin-version(string: "")- Semantic version of the plugin to read from the catalog. If unspecified, refers to the unversioned plugin registered with the same name and type, or the built-in plugin, in that order of precedence.
plugin list
The plugin list command lists all available plugins in the plugin catalog. It can be used alone or with a type such as "auth", "database", or "secret".
Deprecation status column
As of 1.12, all builtin plugins will have an associated Deprecation Status. This status will be reflected in the Deprecation Status column, seen below. All non-builtin plugins will show a Deprecation Status of "n/a".
Examples
List all available plugins in the catalog.
List detailed plugin information:
Usage
The following flags are available in addition to the standard set of flags included on all commands.
Output options
-format(string: "table")- Print the output in the given format. Valid formats are "table", "json", or "yaml". This can also be specified via theVAULT_FORMATenvironment variable.
Command options
-detailed(bool: false)- Print detailed information such as version and deprecation status about each plugin.
plugin register
The plugin register command registers a new plugin in Vault's plugin catalog. The plugin's type of "auth", "database", or "secret" must be included.
Examples
Register a plugin:
Register a plugin with custom args:
Usage
The following flags are available in addition to the standard set of flags included on all commands.
Output options
-format(string: "table")- Print the output in the given format. Valid formats are "table", "json", or "yaml". This can also be specified via theVAULT_FORMATenvironment variable.
Command options
-sha256(string: <required>)- SHA256 of the plugin binary or the OCI image provided. This is required for all plugins.-args([]string: [])- Argument to pass to the plugin when starting. This flag can be specified multiple times to specify multiple args.-command(string: "")- Command to spawn the plugin. This defaults to the name of the plugin if both-oci_imageand-commandare unspecified.-env([]string: [])- Environment variables to set for the plugin when starting. This flag can be specified multiple times to specify multiple environment variables.-oci_image(string: "")- OCI image to run. If specified, setting-command,-args, and-envwill update the container's entrypoint, args, and environment variables (append-only) respectively.-runtime(string: "")- Vault plugin runtime to use if-oci_imageis specified.-version(string: "")- Semantic version of the plugin. Used as the tag when specifying-oci_image, but any leading 'v' will automatically be trimmed.
plugin reload
The plugin reload command is used to reload mounted plugin backends. Either the plugin name (plugin) or the desired plugin backend mounts (mounts) must be provided, but not both. In the case that the plugin name is provided, all mounted paths that use that plugin backend will be reloaded.
Examples
Reload a plugin by name:
Reload an auth plugin by mount:
Reload a secrets plugin by mount:
Usage
The following flags are available in addition to the standard set of flags included on all commands.
Command options
-plugin(string: "")- The name of the plugin to reload, as registered in the plugin catalog.-mounts(array: [])- Array or comma-separated string mount paths of the plugin backends to reload.-scope(string: "")- The scope of the reload. For local reloads, omit this flag. For reloads that span multiple Vault clusters, useglobal.
plugin runtime
The plugin runtime command groups subcommands for interacting with and configuring the context within which your external plugins run.
Limited type support
Support for runtime types is currently limited to `container`.
Limited OS support
Support for the 'container` runtime is currently limited to Linux.
If you register a container plugin without referencing a plugin runtime, it will use gVisor's OCI runtime runsc by default, with no resource limits. You can use plugin runtimes to configure other OCI-compliant runtimes such as runc. Vault does not come packaged with any supporting container runtimes, and you must separately install whichever you want to use.
To use a registered plugin runtime, use the -runtime option with the plugin registration command.
See containerized plugins for more details on running external plugins in containers.
Examples
Register a new plugin runtime to the catalog:
List all available plugin runtimes in the catalog:
Get information about a plugin runtime in the catalog:
Usage
For more information, examples, and usage about a subcommand, click on the name of the subcommand in the sidebar.
plugin runtime deregister
Deregister an existing plugin runtime in the catalog with the given name. Returns an error if a registered plugin references the named plugin runtime or the named runtime does not exist.
Limited type support
Support for runtime types is currently limited to `container`.
Examples
Deregister a plugin:
Usage
The following flags are available in addition to the standard set of flags included on all commands.
-type(string: <required>)- Plugin runtime type. Vault currently only supportscontainerruntime type.
plugin runtime info
Displays information about a plugin runtime in the catalog with the given name. If the plugin runtime does not exist, an error is returned.
Limited type support
Support for runtime types is currently limited to `container`.
Examples
Display information about a plugin
Usage
The following flags are available in addition to the standard set of flags included on all commands.
Output options
-field(string: "")- Print information for the named field without a trailing newline. The-fieldparameter takes precedence over other formatting directives.-format(string: "table")- Print the output for the current command in the given format. Valid formats aretable,json, oryaml. Use theVAULT_FORMATenvironment variable to set your output preferences globally.
Command options
-type(string: "")- Plugin runtime type. Vault currently only supportscontainerruntime type.
plugin list
List all plugin runtimes currently registered with Vault. Returns all the available plugin runtimes or an error if the set of registered runtimes is empty. Vault considers any registered plugin runtime "available", regardless of whether it is currently in use.
Examples
List all available plugin runtimes in the catalog.
Usage
The following flags are available in addition to the standard set of flags included on all commands.
Output options
-format(string: "table")- Print the output for the current command in the given format. Valid formats aretable,json, oryaml. Use theVAULT_FORMATenvironment variable to set your output preferences globally.
Command options
-type(string: "")- Plugin runtime type. Vault currently only supportscontainerruntime type.
plugin runtime register
Register a new plugin runtime in the plugin runtime catalog of your Vault instance.
Limited type support
Support for runtime types is currently limited to `container`.
To use a registered plugin runtime, use the -runtime option with the plugin registration command.
Examples
Register a plugin runtime:
Register a plugin runtime with resource limits:
Usage
The following flags are available in addition to the standard set of flags included on all commands.
Command options
-type(string: <required>)- Plugin runtime type. Vault currently only supportscontaineras a runtime type.-cgroup_parent(string: "")- Parent cgroup to set for each container. Usecgroup_parentto control the total resource usage for a group of plugins.-cpu_nanos(int: 0)- CPU limit to set per container in billionths of a CPU core. Defaults to no limit.-memory_bytes(int: 0)- Memory limit to set per container in bytes. Defaults to no limit.-oci_runtime(string: "")- Open Container Initiative (OCI) compliant container runtime to use. Default is the gVisor OCI runtime,runsc.
Last updated