vhsm write

Learn to write data to a vHSM server at a specified path to store credentials, secrets, configurations, or arbitrary data.

The vhsm write command writes data to vHSM at the given path. It is a wrapper for HTTP PUT or POST requests. This command is used to store credentials, secrets, configurations, or arbitrary data. The behavior of this command depends on the secret engine mounted at the specified path.

Data is provided as key=value pairs. Special handling includes:

  • Values starting with @ are loaded from a file.

  • Values set to - are read from stdin.

  • If - is the only argument, vhsm write reads a JSON blob from stdin.
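
Command-line arguments are recorded in shell history and visible in process listings, so the - and @ forms are the safer way to hand a secret to vhsm write. The sketch below is an added example, not part of the vHSM documentation: the function names are hypothetical, a vhsm binary on PATH is assumed, and the secret is expected on the function's stdin.

```sh
# Added example (not from the vHSM docs). Function names are hypothetical;
# `vhsm` is assumed to be on PATH and already authenticated.

# Quoting pitfall: inside double quotes the shell replaces $$ with its own PID,
# so the stored value is not the text you typed. Single quotes keep it literal.
literal_secret()  { printf '%s' 'p@$$w0rd'; }
expanded_secret() { printf '%s' "p@$$w0rd"; }

# key=- : the value is read from stdin, so it never appears in argv or history.
# Feed it with the printf builtin ('%s', no trailing newline), not `echo`.
put_secret_stdin() {            # usage: put_secret_stdin <path> <key> < secret
  vhsm write "$1" "$2=-"
}

# key=@file : the value is loaded from a file. The file is created with
# owner-only permissions and removed whether or not the write succeeds.
put_secret_file() {             # usage: put_secret_file <path> <key> < secret
  tmp=$(umask 077 && mktemp) || return 1
  cat > "$tmp"
  rc=0
  vhsm write "$1" "$2=@$tmp" || rc=$?
  rm -f "$tmp"
  return "$rc"
}
```

For example, `printf '%s' "$PASSWORD" | put_secret_stdin cubbyhole/git-credentials password` stores the value without placing it on any command line.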

Usage

vhsm write <path> <key=value> [options]

Subcommands and Options

Option         Type        Description
------         ----        -----------
-field         <string>    Prints only the specified field in the selected format (ideal for piping).
-format        <string>    Specifies the output format. Valid values: table, json, yaml. Defaults to table.
-force / -f                Allows write operations without key-value pairs. Used for actions that don’t require data.

Examples

Action
Command

Store arbitrary secrets

vhsm write cubbyhole/git-credentials username="student01" password='p@$$w0rd'

Create a new encryption key in the transit secrets engine

vhsm write -force transit/keys/my-key

Upload an AWS IAM policy from a file

vhsm write aws/roles/ops policy=@policy.json

Configure access to Consul using an access token

`echo $MY_TOKEN

Create a token with TTL, policy, and usage limit

vhsm write auth/token/create policies="admin" policies="secops" ttl=8h num_uses=3

Equivalent API request using cURL

# Write the request body to request_payload.json
tee request_payload.json <<EOF
{
   "policies": ["admin", "secops"],
   "ttl": "8h",
   "num_uses": 3
}
EOF

# POST the payload to the token creation endpoint
curl --header "X-Vault-Token: $VAULT_TOKEN" \
    --request POST \
    --data @request_payload.json \
    "$VAULT_ADDR/v1/auth/token/create"

Simplified token creation using CLI

vhsm token create -policy=admin -policy=secops -ttl=8h -use-limit=3

Output

Key                  Value
---                  -----
token                hvs.CAESIBcWWiHVdrJIIqLUOIX5_QuJtp3xrd-FEFT-rqngnFXCGh4KHGh2cy5nZEl0ZWtkcmg5Q1kxMHJFNTVUcGtoMXA
token_accessor       LiCLc2rBMS5epeu6rcaJcJX4
token_duration       8h
token_renewable      true
token_policies       ["admin" "default" "secops"]
identity_policies    []
policies             ["admin" "default" "secops"]

Last updated 2 months ago
