Vault
agent generate-config
Use secrets plugin data to generate a basic configuration file for running Vault Agent in process supervisor mode.
$ vault agent generate-config -type <config_file_type> [options] [<file_path>]
Description
agent generate-config
composes configuration details for Vault Agent
based on the configuration type
and writes a local configuration file for
running Vault agent in process supervisor mode.
Related API endpoints
- None
Limitations and warnings
Limitations:
- Plugin support limited to KV plugins.
- Configuration type limited to environment variable templates.
Not appropriate for production
The file created by agent generate-config
includes an auto_auth
section
configured to use the token_file
authentication method.
Token files are convenient for local testing, but are not appropriates for production use. Refer to the full list of Vault Agent autoAuth methods for available production-ready authentication methods.
Arguments
file_path (string : "./agent.hcl")
The path where Vault should save the generated configuration file.
Example: "./agent/custom-config.hcl"
Options
None.
Command Flags
-exec (string : "")
Path to the command for child processes with optional arguments. Relative paths
start from the current working directory when executed. Corresponds to
exec.command
in the Vault Agent configuration file.
Example: -exec "./my-app arg1 arg2"
-path (string : "")
Path to one or more kv
secrets store. Paths that end with a wildcard (*
)
include all secrets under that path.
Repeat the -path
flag as needed to specify the full set of target secrets.
Example: -path secret/kv/agent-keys/*
-type (enum : <required>)
The configuration file entry to create.
Enum | Description |
---|---|
env-template | Create environment variable templates from JSON keys in kv plugins |
Example: -type env-template
Global flags
[-address | VAULT_ADDR] (string : 'https://127.0.0.1:8200')
Address of the Vault server.
Examples:
- CLI flag:
-address "https://mydomain/vault:8200"
- Environment variable:
export VAULT_ADDR="https://mydomain/vault:8200"
[-agent-address | VAULT_AGENT_ADDR] (string : "")
Address of the Vault Agent, if used.
Examples:
- CLI flag:
-agent-address "https://mydomain/vault-agent:8200"
- Environment variable:
export VAULT_AGENT_ADDR="https://mydomain/vault-agent:8200"
[-ca-cert | VAULT_CACERT] (string : "")
Path to a PEM-encoded CA certificate file on the local disk. Used to verify SSL
certificates for the server. Takes precedence over -ca_path
.
Examples:
- CLI flag:
-ca-cert "/path/to/certs/mycert.pem"
- Environment variable:
export VAULT_CACERT="/path/to/certs/mycert.pem"
[-ca-path | VAULT_CAPATH] (string : "")
Path to a directory with PEM-encoded CA certificate files on the local disk. Used to verify SSL certificates for the server.
Examples:
- CLI flag:
-ca-path "/path/to/certs/dir"
- Environment variable:
export VAULT_CAPATH="/path/to/certs/dir"
[-client-cert | VAULT_CLIENT_CERT] (string : "")
Path to a PEM-encoded CA certificate file on the local disk. Used for TLS
communication with the server. The specified certificate must match to the
private key specified with -client-cert
.
Examples:
- CLI flag:
-client-cert "/path/to/certs/mycert.pem"
- Environment variable:
export VAULT_CLIENT_CERT="/path/to/certs/mycert.pem"
[-client-key | VAULT_CLIENT_KEY] (string : "")
Path to a PEM-encoded private key that matches the client certificate set with
-client-cert
.
Examples:
- CLI flag:
-client-key "/path/to/keys/myprivatekey.pem"
- Environment variable:
export VAULT_CLIENT_KEY="/path/to/keys/myprivatekey.pem"
[-disable-redirects | VAULT_DISABLE_REDIRECTS] (bool : false)
Disable the default CLI redirect behavior so the CLI honors the first redirect response from the underlying API instead of following the full HTTP redirect chain.
Examples:
- CLI flag:
-disable-redirects
- Environment variable:
export VAULT_DISABLE_REDIRECTS=1
Warning
Disabling the default redirect behavior may cause commands that redirect
requests to primary cluster notes (like vault operator raft snapshot
) to
misbehave.
-header (string : "")
Optional HTTP header in the form "<key>=<value>"
for the CLI request. Repeat
the -header
flag as needed with one string per flag. User-defined headers
cannot start with X-Vault-
Example: -header "Cache-Control=max-age=0"
[-mfa | VAULT_MFA] (string : "")
Enterprise
A multi-factor authentication (MFA) credential, in the format
mfa_method_name[:key[=value]]
, that the CLI should use to authenticate to
Vault. The CLI adds MFA credentials to the X-Vault-MFA
header when calling the
underlying API endpoint.
Examples:
- CLI flag:
-mfa "totp:password=12345"
- Environment variable:
export VAULT_MFA="totp:password=12345"
Note
The VAULT_MFA
environment variable only accepts one MFA method specification
and one credential for the specified method. To supply multiple credentials or
MFA methods, use the -mfa
CLI flag and repeat the flag as needed.
[-namespace | -ns | VAULT_NAMESPACE] (string : <unset>)
Root namespace for the CLI command. Setting a default namespace allow relative mount paths.
Examples:
- CLI flag:
-namespace "admin"
- Environment variable:
export VAULT_NAMESPACE="admin"
-non-interactive (bool : false)
Prevent the CLI from asking users for input through the terminal.
Example: -non-interactive
-output-curl-string (bool : false)
Print the API call(s) required to execute the CLI command as cURL
strings
then exit without running the command.
Example: -output-curl-string
-output-policy (bool : false)
Print the Vault policy required to execute the CLI command as HCL then exit without running the command.
Example: -output-policy
-policy-override (bool : false)
Overrides any Sentinel policy where enforcement_level
is "soft-mandatory".
Example: -policy-override
[-tls-server-name | VAULT_TLS_SERVER_NAME] (string : "")
Name of the SNI host for TLS handshake resolution for TLS connections to Vault.
Examples:
- CLI flag:
-tls-server-name "hostname.domain"
- Environment variable:
export VAULT_TLS_SERVER_NAME="hostname.domain"
[-tls-skip-verify | VAULT_SKIP_VERIFY] (bool : false)
Disable verification for all TLS certificates. Use with caution. Disabling TLS certificate verification decreases the security of data transmissions to and from the Vault server.
Examples:
- CLI flag:
-tls-skip-verify
- Environment variable:
export VAULT_SKIP_VERIFY=1
-unlock-key (string : <unset>)
Plaintext key that unlocks the underlying API endpoint for a given namespace.
Example: -unlock-key "7oXtdlmvRQ"
[-wrap-ttl | VAULT_WRAP_TTL] (string : "")
Default time-to-live in <number>[s|m|h|d]
format for the Cubbyhole token used
to wrap CLI responses. You must use vault unwrap
to view response data before
the duration expires. Leave wrap_ttl
unset to leave CLI responses unwrapped.
Examples:
- CLI flag:
-wrap-ttl "5m"
- Environment variable:
export VAULT_WRAP_TTL="5m"
Examples
Generate an environment variable template configuration for the foo
secrets
plugin:
$ vault agent generate-config \
-type="env-template" \
-exec="./my-app arg1 arg2" \
-path="secret/foo"
Command output
Generate an environment variable template configuration for more than one secrets plugin:
$ vault agent generate-config -type="env-template" \
-exec="./my-app arg1 arg2" \
-path="secret/foo" \
-path="secret/bar" \
-path="secret/my-app/*"