vhsm write

Learn to write data to a vHSM server at a specified path to store credentials, secrets, configurations, or arbitrary data.

The vhsm write command writes data to vHSM at the given path. It is a wrapper for HTTP PUT or POST requests. This command is used to store credentials, secrets, configurations, or arbitrary data. The behavior of this command depends on the secret engine mounted at the specified path.

Data is provided as key=value pairs. Special handling includes:

  • Values starting with @ are loaded from a file.

  • Values set to - are read from stdin.

  • If - is the only argument, vhsm write reads a JSON blob from stdin.
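
The argument rules above, modelled in Python as an added example (this is not vHSM's own parser and not code from this page). `build_payload` is a hypothetical helper; collecting a repeated key into a list is inferred from the token-creation example further down, and keeping every value a string and trimming trailing newlines from stdin are assumptions.

```python
import json
import sys


def build_payload(args, stdin=None):
    """Turn `vhsm write` data arguments into the JSON body (illustrative model)."""
    stdin = sys.stdin if stdin is None else stdin
    # A lone "-" means the entire body is a JSON blob read from stdin.
    if args == ["-"]:
        body = json.load(stdin)
        if not isinstance(body, dict):
            raise ValueError("JSON body on stdin must be an object")
        return body

    payload, stdin_used = {}, False
    for arg in args:
        key, sep, value = arg.partition("=")
        if not sep or not key:
            raise ValueError(f"expected key=value, got {arg!r}")
        if value == "-":
            # key=- : the value comes from stdin, so it never appears in argv.
            if stdin_used:
                raise ValueError("stdin can supply only one value")
            # Assumption: trailing newlines (e.g. from echo) are dropped.
            value, stdin_used = stdin.read().rstrip("\n"), True
        elif value.startswith("@"):
            # key=@file : the value is the file's contents, unmodified.
            with open(value[1:], encoding="utf-8") as fh:
                value = fh.read()
        # A repeated key becomes a list, as with policies= on this page.
        if key in payload:
            prev = payload[key]
            payload[key] = prev + [value] if isinstance(prev, list) else [prev, value]
        else:
            payload[key] = value
    return payload


if __name__ == "__main__":
    # Constructed input: the token-creation arguments shown on this page.
    demo = ["policies=admin", "policies=secops", "ttl=8h", "num_uses=3"]
    print(json.dumps(build_payload(demo), indent=2))
```

The `key=-` and `key=@file` forms keep a secret out of the process argument list and shell history, which the inline `key=value` form does not.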

Usage

vhsm write <path> <key=value> [options]

Subcommands and Options

Option         Type        Description
------         ----        -----------
-field         <string>    Prints only the specified field in the selected format (ideal for piping).
-format        <string>    Specifies the output format. Valid values: table, json, yaml. Defaults to table.
-force / -f                Allows write operations without key-value pairs. Used for actions that don’t require data.

Examples

Action
Command

Store arbitrary secrets

vhsm write cubbyhole/git-credentials username="student01" password='p@$$w0rd'

Create a new encryption key in the transit secrets engine

vhsm write -force transit/keys/my-key

Upload an AWS IAM policy from a file

vhsm write aws/roles/ops [email protected]

Configure access to Consul using an access token

`echo $MY_TOKEN

Create a token with TTL, policy, and usage limit

vhsm write auth/token/create policies="admin" policies="secops" ttl=8h num_uses=3

Equivalent API request using cURL

tee request_payload.json -<<EOF
{
   "policies": ["admin", "secops"],
   "ttl": "8h",
   "num_uses": 3
}
EOF

curl --header "X-Vault-Token: $VAULT_TOKEN" \
    --request POST \
    --data @request_payload.json \
    $VAULT_ADDR/v1/auth/token/create

Simplified token creation using CLI

vhsm token create -policy=admin -policy=secops -ttl=8h -use-limit=3

Output

Key                  Value
---                  -----
token                hvs.CAESIBcWWiHVdrJIIqLUOIX5_QuJtp3xrd-FEFT-rqngnFXCGh4KHGh2cy5nZEl0ZWtkcmg5Q1kxMHJFNTVUcGtoMXA
token_accessor       LiCLc2rBMS5epeu6rcaJcJX4
token_duration       8h
token_renewable      true
token_policies       ["admin" "default" "secops"]
identity_policies    []
policies             ["admin" "default" "secops"]
