vault operator init
Initializes a Vault server. Initialization is the process by which Vault's storage backend is prepared to receive data. Since Vault servers share the same storage backend in HA mode, you only need to initialize one Vault to initialize the storage backend
Options
| Name | Description |
|---|---|
--help, -h | Display help |
-address <string> | Address of the Vault server. The default is https://127.0.0.1:8200. This can also be specified via the VAULT_ADDR environment variable |
-agent-address <string> | Address of the Agent. This can also be specified via the VAULT_AGENT_ADDR environment variable |
-ca-cert <string> | Path on the local disk to a single PEM-encoded CA certificate to verify the Vault server's SSL certificate. This takes precedence over -ca-path. This can also be specified via the VAULT_CACERT environment variable |
-ca-path <string> | Path on the local disk to a directory of PEM-encoded CA certificates to verify the Vault server's SSL certificate. This can also be specified via the VAULT_CAPATH environment variable |
-client-cert <string> | Path on the local disk to a single PEM-encoded CA certificate to use for TLS authentication to the Vault server. If this flag is specified, -client-key is also required. This can also be specified via the VAULT_CLIENT_CERT environment variable |
-client-key <string> | Path on the local disk to a single PEM-encoded private key matching the client certificate from -client-cert. This can also be specified via the VAULT_CLIENT_KEY environment variable |
-header-key <string> | Key-value pair provided as key=value to provide http header added to any request done by the CLI.Trying to add headers starting with 'X-Vault-' is forbidden and will make the command fail This can be specified multiple times |
-mfa <string> | Supply MFA credentials as part of X-Vault-MFA header. This can also be specified via the VAULT_MFA environment variable |
-namespace <string> | The namespace to use for the command. Setting this is not necessary but allows using relative paths. -ns can be used as shortcut. The default is (not set). This can also be specified via the VAULT_NAMESPACE environment variable |
-non-interactive <string> | When set true, prevents asking the user for input via the terminal. The default is false |
-output-curl-string <string> | Instead of executing the request, print an equivalent cURL command string and exit. The default is false |
-policy-override <string> | Override a Sentinel policy that has a soft-mandatory enforcement_level specified The default is false |
-tls-server-name <string> | Name to use as the SNI host when connecting to the Vault server via TLS. This can also be specified via the VAULT_TLS_SERVER_NAME environment variable |
-tls-skip-verify <string> | Disable verification of TLS certificates. Using this option is highly discouraged as it decreases the security of data transmissions to and from the Vault server. The default is false. This can also be specified via the VAULT_SKIP_VERIFY environment variable |
-unlock-key <string> | Key to unlock a namespace API lock. The default is (not set) |
-wrap-ttl <string> | Wraps the response in a cubbyhole token with the requested TTL. The response is available via the 'vault unwrap' command. The TTL is specified as a numeric string with suffix like '30s' or '5m'. This can also be specified via the VAULT_WRAP_TTL environment variable |
-format <string> | Print the output in the given format. Valid formats are 'table', 'json', 'yaml', or 'pretty'. The default is table. This can also be specified via the VAULT_FORMAT environment variable |
-key-shares, -n <int> | Number of key shares to split the generated root key into. This is the number of 'unseal keys' to generate. This is aliased as '-n'. The default is 5 |
-key-threshold, -t <int> | Number of key shares required to reconstruct the root key. This must be less than or equal to -key-shares. This is aliased as '-t'. The default is 3 |
-pgp-keys <pgp_key> | Comma-separated list of paths to files on disk containing public PGP keys OR a comma-separated list of Keybase usernames using the format 'keybase:<username>'. When supplied, the generated unseal keys will be encrypted and base64-encoded in the order specified in this list. The number of entries must match -key-shares, unless -stored-shares are used |
-root-token-pgp-key <pgp_key> | Path to a file on disk containing a binary or base64-encoded public PGP key. This can also be specified as a Keybase username using the format 'keybase:<username>'. When supplied, the generated root token will be encrypted and base64-encoded with the given public key |
-status | Print the current initialization status. An exit code of 0 means the Vault is already initialized. An exit code of 1 means an error occurred. An exit code of 2 means the Vault is not initialized. The default is false |
-stored-shares <int> | DEPRECATED: This flag does nothing. It will be removed in Vault 1.3. The default is -1 |
-consul-auto | Perform automatic service discovery using Consul in HA mode. When all nodes in a Vault HA cluster are registered with Consul, enabling this option will trigger automatic service discovery based on the provided -consul-service value. When Consul is Vault's HA backend, this functionality is automatically enabled. Ensure the proper Consul environment variables are set (CONSUL_HTTP_ADDR, etc). When only one Vault server is discovered, it will be initialized automatically. When more than one Vault server is discovered, they will each be output for selection. The default is false |
-consul-service <string> | Name of the service in Consul under which the Vault servers are registered. The default is vault |