--help, -h | Display help |
-address <string> | Address of the Vault server. The default is https://127.0.0.1:8200. This can also be specified via the VAULT_ADDR environment variable |
-agent-address <string> | Address of the Agent. This can also be specified via the VAULT_AGENT_ADDR environment variable |
-ca-cert <string> | Path on the local disk to a single PEM-encoded CA certificate to verify the Vault server's SSL certificate. This takes precedence over -ca-path. This can also be specified via the VAULT_CACERT environment variable |
-ca-path <string> | Path on the local disk to a directory of PEM-encoded CA certificates to verify the Vault server's SSL certificate. This can also be specified via the VAULT_CAPATH environment variable |
-client-cert <string> | Path on the local disk to a single PEM-encoded CA certificate to use for TLS authentication to the Vault server. If this flag is specified, -client-key is also required. This can also be specified via the VAULT_CLIENT_CERT environment variable |
-client-key <string> | Path on the local disk to a single PEM-encoded private key matching the client certificate from -client-cert. This can also be specified via the VAULT_CLIENT_KEY environment variable |
-header-key <string> | Key-value pair provided as key=value to provide http header added to any request done by the CLI.Trying to add headers starting with 'X-Vault-' is forbidden and will make the command fail This can be specified multiple times |
-mfa <string> | Supply MFA credentials as part of X-Vault-MFA header. This can also be specified via the VAULT_MFA environment variable |
-namespace <string> | The namespace to use for the command. Setting this is not necessary but allows using relative paths. -ns can be used as shortcut. The default is (not set). This can also be specified via the VAULT_NAMESPACE environment variable |
-non-interactive <string> | When set true, prevents asking the user for input via the terminal. The default is false |
-output-curl-string <string> | Instead of executing the request, print an equivalent cURL command string and exit. The default is false |
-policy-override <string> | Override a Sentinel policy that has a soft-mandatory enforcement_level specified The default is false |
-tls-server-name <string> | Name to use as the SNI host when connecting to the Vault server via TLS. This can also be specified via the VAULT_TLS_SERVER_NAME environment variable |
-tls-skip-verify <string> | Disable verification of TLS certificates. Using this option is highly discouraged as it decreases the security of data transmissions to and from the Vault server. The default is false. This can also be specified via the VAULT_SKIP_VERIFY environment variable |
-unlock-key <string> | Key to unlock a namespace API lock. The default is (not set) |
-wrap-ttl <string> | Wraps the response in a cubbyhole token with the requested TTL. The response is available via the 'vault unwrap' command. The TTL is specified as a numeric string with suffix like '30s' or '5m'. This can also be specified via the VAULT_WRAP_TTL environment variable |
-allowed-managed-keys <string> | Managed key name(s) that the mount in question is allowed to access. Note that multiple keys may be specified by providing this option multiple times, each time with 1 key |
-allowed-response-headers <string> | Comma-separated string or list of response header values that plugins will be allowed to set |
-audit-non-hmac-request-keys <string> | Comma-separated string or list of keys that will not be HMAC'd by audit devices in the request data object |
-audit-non-hmac-response-keys <string> | Comma-separated string or list of keys that will not be HMAC'd by audit devices in the response data object |
-default-lease-ttl <duration> | The default lease TTL for this secrets engine. If unspecified, this defaults to the Vault server's globally configured default lease TTL |
-description <string> | Human-friendly description for the purpose of this engine |
-external-entropy-access | Enable secrets engine to access Vault's external entropy source. The default is false |
-force-no-cache | Force the secrets engine to disable caching. If unspecified, this defaults to the Vault server's globally configured cache settings. This does not affect caching of the underlying encrypted data storage. The default is false |
-listing-visibility <string> | Determines the visibility of the mount in the UI-specific listing endpoint |
-local | Mark the secrets engine as local-only. Local engines are not replicated or removed by replication. The default is false |
-max-lease-ttl <duration> | The maximum lease TTL for this secrets engine. If unspecified, this defaults to the Vault server's globally configured maximum lease TTL |
-options <key=value> | Key-value pair provided as key=value for the mount options. This can be specified multiple times |
-passthrough-request-headers <string> | Comma-separated string or list of request header values that will be sent to the plugins |
-path <string> | Place where the secrets engine will be accessible. This must be unique cross all secrets engines. This defaults to the 'type' of the secrets engine |
-plugin-name <string> | Name of the secrets engine plugin. This plugin name must already exist in Vault's plugin catalog |
-seal-wrap | Enable seal wrapping of critical values in the secrets engine. The default is false |
-version <int> | Select the version of the engine to run. Not supported by all engines |