vhsm delete

Learn to remove secrets and configuration from the vHSM server.

The vhsm delete command removes secrets and configuration from vHSM at the specified path. The behavior of this command is delegated to the backend corresponding to the given path.

Usage

vhsm delete [options] PATH

Examples

Example 1: Remove a Secret from the Static Secrets Engine

vhsm delete secret/my-secret

This command deletes the secret stored at secret/my-secret.

Example 2: Uninstall an Encryption Key in the Transit Backend

vhsm delete transit/keys/my-key

Note: Some encryption keys may require additional configuration to allow deletion.

Example 3: Delete an IAM Role

vhsm delete aws/roles/ops

This removes the IAM role named ops from the AWS backend.

Output

The vhsm delete command does not return any output upon successful execution. If an error occurs, vHSM will return an appropriate error message.

Options

HTTP Options

Option               Type         Description

-address             <string>     Address of the vHSM server (default: https://127.0.0.1:8200). Can be set via VAULT_ADDR.
-agent-address       <string>     Address of the Agent. Can be set via VAULT_AGENT_ADDR.
-ca-cert             <string>     Path to a PEM-encoded CA certificate for verifying the vHSM server's SSL certificate. Can be set via VAULT_CACERT.
-ca-path             <string>     Path to a directory of PEM-encoded CA certificates. Can be set via VAULT_CAPATH.
-client-cert         <string>     Path to a client certificate for TLS authentication. Requires -client-key. Can be set via VAULT_CLIENT_CERT.
-client-key          <string>     Path to a private key matching the client certificate. Can be set via VAULT_CLIENT_KEY.
-disable-redirects   <boolean>    Disable client behavior that follows a single redirect (default: false). Can be set via VAULT_DISABLE_REDIRECTS.
-header              <key=value>  Key-value pair added as an HTTP header. Cannot start with X-Vault-.
-mfa                 <string>     Supply MFA credentials as part of the X-Vault-MFA header. Can be set via VAULT_MFA.
-namespace           <string>     Specify the namespace for the command. Can be set via VAULT_NAMESPACE.
-non-interactive     <boolean>    Prevents user input prompts (default: false).
-output-curl-string  <boolean>    Prints an equivalent cURL command instead of executing the request (default: false).
-output-policy       <boolean>    Prints an example HCL policy instead of executing the request (default: false).
-policy-override     <boolean>    Overrides a Sentinel policy with soft-mandatory enforcement (default: false).
-tls-server-name     <string>     Name to use as the SNI host when connecting via TLS. Can be set via VAULT_TLS_SERVER_NAME.
-tls-skip-verify     <boolean>    Disable TLS certificate verification (default: false). Not recommended. Can be set via VAULT_SKIP_VERIFY.
-unlock-key          <string>     Key to unlock a namespace API lock.
-wrap-ttl            <duration>   Wraps the response in a cubbyhole token with a specified TTL (e.g., 30s, 5m). Can be set via VAULT_WRAP_TTL.
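
A guard for scripted deletions, added here as an example (it is not part of the vHSM documentation or tooling): it refuses to call vhsm delete when TLS verification is disabled or the server address is plain HTTP, then runs the delete with -non-interactive. The names guarded_delete and VHSM_BIN, and the rule that PATH must have the form mount/name, are assumptions of this example.

```sh
#!/bin/sh
# Added example, not vHSM's own tooling. guarded_delete and VHSM_BIN are
# names invented here; VHSM_BIN lets a script point at a specific binary.
VHSM_BIN="${VHSM_BIN:-vhsm}"

guarded_delete() {
    local arg path
    [ "$#" -ge 1 ] || { echo "usage: guarded_delete [options] PATH" >&2; return 2; }

    # TLS verification must not be disabled through the environment.
    case "${VAULT_SKIP_VERIFY:-}" in
        ""|0|false|False|FALSE) ;;
        *) echo "refusing: VAULT_SKIP_VERIFY is set" >&2; return 2 ;;
    esac

    # The token and request must not travel over plain HTTP.
    case "${VAULT_ADDR:-https://127.0.0.1:8200}" in
        https://*) ;;
        *) echo "refusing: VAULT_ADDR is not an https URL" >&2; return 2 ;;
    esac

    path=""
    for arg in "$@"; do
        path=$arg   # after the loop this holds the last argument, PATH
        case "$arg" in
            -tls-skip-verify=false|--tls-skip-verify=false) ;;
            -tls-skip-verify*|--tls-skip-verify*)
                echo "refusing: -tls-skip-verify" >&2; return 2 ;;
            -address=http://*|--address=http://*|http://*)
                echo "refusing: -address is not an https URL" >&2; return 2 ;;
        esac
    done

    # Assumed policy of this example: PATH names an entry below a mount
    # (mount/name), never a bare mount, an option, or a trailing-slash prefix.
    case "$path" in
        -*|/*|*/) echo "refusing: bad PATH '$path'" >&2; return 2 ;;
        */*) ;;
        *) echo "refusing: PATH '$path' has no mount/name form" >&2; return 2 ;;
    esac

    # Never prompt in automation; pass options and PATH through unchanged.
    "$VHSM_BIN" delete -non-interactive "$@"
}
```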

Output Options

Option               Type         Description

-field               <string>     Prints only the specified field. Useful for piping output.
-format              <string>     Defines output format: table, json, yaml, pretty. raw is allowed for vhsm read operations only. Can be set via VAULT_FORMAT.
