Vault
HomeDocumentationTutorialsTry Cloud!
  • Vault
  • Documentation
    • What is Vault?
    • Use Cases
    • Setup
      • Install
      • Configuration
    • Get Started
      • Starting the server
      • Your first secret
      • Deploying Vault on VMs with Let's encrypt! TLS certs
    • Concepts
      • Operations
        • Seal/Unseal
        • "Dev" server mode
        • Namespace lock and unlock
        • Lease, renew, and revoke
        • Lease Explosions
        • Mount migration
        • Client count
        • Resource quotas
        • Response wrapping
      • Authentication
        • Identity
        • Tokens
        • OIDC provider
        • Username templating
        • Passwordless
      • Secrets
      • Storage
        • Integrated storage
        • High availability mode (HA)
        • Recovery mode
      • Policies
  • Tutorials
    • CLI
      • Operations
        • Deploy Vault
        • Using the HTTP API
        • Unseal/Seal
      • Authentication
        • Token
        • GitHub authentication
        • Username/Password
        • TLS Client Certificates
        • SSH Keys
        • AWS, Azure, GCP and external auth methods
          • Azure
          • AWS
          • GCP
          • Github
          • Terraform
      • Secrets
        • Secrets engines
        • Built-in help
      • Access Control
        • Policies
    • UI
      • Authentication
        • Username/Password
        • Passwordless
      • Operations
        • Unseal / Seal
        • API Explorer
      • Secrets
        • Secrets engines
      • Access Control
        • Policies
    • Use Cases
      • Namespaces
      • MongoDB admin password
      • VM Disk Encryption Keys
      • VM SSH Keys
      • Kubernetes Configuration
      • GitHub Actions
      • Dynamic credentials for cloud providers
        • AWS
        • Azure
        • GCP
  • CLI
    • agent
    • audit
    • auth
    • debug
    • delete
    • events
    • kv
    • lease
    • license
    • list
    • login
    • monitor
    • namespace
    • operator
    • patch
    • path-help
    • pki
    • plugin
    • policy
    • print
    • proxy
    • read
    • secrets
    • server
    • ssh
    • status
    • token
    • transit
    • unwrap
    • version
    • version-history
    • write
  • API
    • Secrets engines
      • AliCloud secrets engine (API)
      • AWS secrets engine (API)
      • Azure secrets engine (API)
      • Cubbyhole secrets engine (API)
      • Database
        • Cassandra database plugin HTTP API
        • Elasticsearch database plugin HTTP API
        • Influxdb database plugin HTTP API
        • MongoDB database plugin HTTP API
        • MSSQL database plugin HTTP API
        • MySQL/MariaDB database plugin HTTP API
        • Oracle database plugin HTTP API
        • PostgreSQL database plugin HTTP API
        • Redis database plugin HTTP API
        • Redis ElastiCache database plugin HTTP API
        • Redshift database plugin HTTP API
        • Snowflake database plugin HTTP API
      • Google Cloud secrets engine (API)
      • Google Cloud KMS secrets engine (API)
      • Identity
        • entity
        • entity-alias
        • group
        • group-alias
        • tokens
        • lookup
        • oidc-provider
        • MFA
          • duo
          • okta
          • pingid
          • totp
          • login-enforcement
      • KV secrets engine (API)
      • Buckypaper secrets engine
      • Kubernetes secrets engine (API)
      • Nomad secrets engine (API)
      • LDAP secrets engine (API)
      • PKI secrets engine (API)
      • RabbitMQ secrets engine (API)
      • SSH secrets engine (API)
      • TOTP secrets engine (API)
      • Transit secrets engine (API)
    • Auth engines
      • AliCloud auth method (API)
      • AppRole auth method (API)
      • AWS auth method (API)
      • Azure auth method (API)
      • Pivotal Cloud Foundry (CF) auth method (API)
      • GitHub auth method (API)
      • Google Cloud auth method (API)
      • JWT/OIDC auth method (API)
      • Kerberos auth method (API)
      • Kubernetes auth method (API)
      • LDAP auth method (API)
      • OCI auth method (API)
      • Okta auth method (API)
      • Passwordless auth method (API)
      • RADIUS auth method (API)
      • TLS certificate auth method (API)
      • Token auth method (API)
      • Userpass auth method (HTTP API)
    • Service engines
      • Licence Manager
    • System backend
      • /sys/audit
      • /sys/audit-hash
      • /sys/auth
      • /sys/capabilities
      • /sys/capabilities-accessor
      • /sys/capabilities-self
      • /sys/config/auditing/request-headers
      • /sys/config/control-group
      • /sys/config/cors
      • /sys/config/reload
      • /sys/config/state
      • /sys/config/ui
      • /sys/decode-token
      • /sys/experiments
      • /sys/generate-recovery-token
      • /sys/generate-root
      • /sys/health
      • /sys/host-info
      • /sys/in-flight-req
      • /sys/init
      • /sys/internal/counters
      • /sys/internal/inspect
        • /sys/internal/inspect/router
      • /sys/internal/specs/openapi
      • /sys/internal/ui/feature-flags
      • /sys/internal/ui/mounts
      • /sys/internal/ui/namespaces
      • /sys/internal/ui/resultant-acl
      • /sys/key-status
      • /sys/ha-status
      • /sys/leader
      • /sys/leases
      • /sys/license/status
      • /sys/locked-users
      • /sys/loggers
      • /sys/metrics
      • /sys/monitor
      • /sys/mounts
      • /sys/namespaces
      • /sys/plugins/reload/backend
      • /sys/plugins/catalog
      • /sys/plugins/runtimes/catalog
      • /sys/policy
      • /sys/policies/
      • /sys/policies/password/
      • /sys/pprof
      • /sys/quotas/config
      • /sys/quotas/rate-limit
      • /sys/quotas/lease-count
      • /sys/raw
      • /sys/rekey
      • /sys/rekey-recovery-key
      • /sys/remount
      • /sys/rotate
      • /sys/rotate/config
      • /sys/seal
      • /sys/seal-status
      • /sys/seal-backend-status
      • /sys/step-down
      • /sys/storage
        • /sys/storage/raft
        • /sys/storage/raft/autopilot
      • /sys/tools
      • /sys/unseal
      • /sys/version-history
      • /sys/wrapping/lookup
      • /sys/wrapping/rewrap
      • /sys/wrapping/unwrap
      • /sys/wrapping/wrap
  • Resources
    • Blog
    • GitHub
    • Youtube
    • CCx101
Powered by GitBook
On this page
  • Examples
  • Usage
  1. CLI

server

The server command starts a Vault server that responds to API requests. By default, Vault will start in a "sealed" state. The Vault cluster must be initialized before use, usually by the vault operator init command. Each Vault server must also be unsealed using the vault operator unseal command or the API before the server can respond to requests.

For more information, please see:

  • operator init command for information on initializing a Vault server.

  • operator unseal command for information on providing unseal keys.

  • Vault configuration for the syntax and various configuration options for a Vault server.

Examples

Start a server with a configuration file:

$ vault server -config=/etc/vault/config.hcl

Run in "dev" mode with a custom initial root token:

$ vault server -dev -dev-root-token-id="root"

Usage

The following flags are available in addition to the standard set of flags included on all commands.

Command options

  • -config (string: "") - Path to a configuration file or directory of configuration files. This flag can be specified multiple times to load multiple configurations. If the path is a directory, all files which end in .hcl or .json are loaded.

  • -log-level (string: "info") - Log verbosity level. Supported values (in order of descending detail) are trace, debug, info, warn, and error. This can also be specified via the VAULT_LOG_LEVEL environment variable.

  • -log-format (string: "standard") - Log format. Supported values are standard and json. This can also be specified via the VAULT_LOG_FORMAT environment variable.

  • -log-file - writes all the Vault log messages to a file. This value is used as a prefix for the log file name. The current timestamp is appended to the file name. If the value ends in a path separator, vault will be appended to the value. If the file name is missing an extension, .log is appended. For example, setting log-file to /var/log/ would result in a log file path of /var/log/vault-{timestamp}.log. log-file can be combined with -log-rotate-bytes and -log-rotate-duration for a fine-grained log rotation experience. This output operates in addition to existing outputs, meaning logs will continue to be written to journald / stdout (where appropriate).

  • -log-rotate-bytes - to specify the number of bytes that should be written to a log before it needs to be rotated. Unless specified, there is no limit to the number of bytes that can be written to a log file.

  • -log-rotate-duration - to specify the maximum duration a log should be written to before it needs to be rotated. Must be a duration value such as 30s. Defaults to 24h.

  • -log-rotate-max-files - to specify the maximum number of older log file archives to keep. Defaults to 0 (no files are ever deleted). Set to -1 to discard old log files when a new one is created.

  • -experiment (string array: []) - The name of an experiment to enable for this node. This flag can be specified multiple times to enable multiple experiments. Experiments should NOT be used in production, and the associated APIs may have backwards incompatible changes between releases. Additional experiments can also be specified via the VAULT_EXPERIMENTS environment variable as a comma-separated list, or via the experiments config key.

  • VAULT_ALLOW_PENDING_REMOVAL_MOUNTS (bool: false) - (environment variable) Allow Vault to be started with builtin engines which have the Pending Removal deprecation state. This is a temporary stopgap in place in order to perform an upgrade and disable these engines. Once these engines are marked Removed (in the next major release of Vault), the environment variable will no longer work and a downgrade must be performed in order to remove the offending engines. For more information, see the deprecation faq.

Dev options

  • -dev (bool: false) - Enable development mode. In this mode, Vault runs in-memory and starts unsealed. As the name implies, do not run "dev" mode in production.

  • -dev-tls (bool: false) - Enable TLS development mode. In this mode, Vault runs in-memory and starts unsealed with a generated TLS CA, certificate and key. As the name implies, do not run "dev" mode in production.

  • -dev-tls-cert-dir (string: "") - Directory where generated TLS files are created if -dev-tls is specified. If left unset, files are generated in a temporary directory.

  • -dev-listen-address (string: "127.0.0.1:8200") - Address to bind to in "dev" mode. This can also be specified via the VAULT_DEV_LISTEN_ADDRESS environment variable.

  • -dev-root-token-id (string: "") - Initial root token. This only applies when running in "dev" mode. This can also be specified via the VAULT_DEV_ROOT_TOKEN_ID environment variable.

    Note: The token ID should not start with the s. prefix.

  • -dev-no-store-token (string: "") - Do not persist the dev root token to the token helper (usually the local filesystem) for use in future requests. The token will only be displayed in the command output.

  • -dev-plugin-dir (string: "") - Directory from which plugins are allowed to be loaded. Only applies in "dev" mode, it will automatically register all the plugins in the provided directory.

PrevioussecretsNextssh

Last updated 1 year ago