vault token create
Creates a new token that can be used for authentication. This token will be created as a child of the currently authenticated token. The generated token will inherit all policies and permissions of the currently authenticated token unless you explicitly define a subset list policies to assign to the token
Options
| Name | Description |
|---|---|
--help, -h | Display help |
-address <string> | Address of the Vault server. The default is https://127.0.0.1:8200. This can also be specified via the VAULT_ADDR environment variable |
-agent-address <string> | Address of the Agent. This can also be specified via the VAULT_AGENT_ADDR environment variable |
-ca-cert <string> | Path on the local disk to a single PEM-encoded CA certificate to verify the Vault server's SSL certificate. This takes precedence over -ca-path. This can also be specified via the VAULT_CACERT environment variable |
-ca-path <string> | Path on the local disk to a directory of PEM-encoded CA certificates to verify the Vault server's SSL certificate. This can also be specified via the VAULT_CAPATH environment variable |
-client-cert <string> | Path on the local disk to a single PEM-encoded CA certificate to use for TLS authentication to the Vault server. If this flag is specified, -client-key is also required. This can also be specified via the VAULT_CLIENT_CERT environment variable |
-client-key <string> | Path on the local disk to a single PEM-encoded private key matching the client certificate from -client-cert. This can also be specified via the VAULT_CLIENT_KEY environment variable |
-header-key <string> | Key-value pair provided as key=value to provide http header added to any request done by the CLI.Trying to add headers starting with 'X-Vault-' is forbidden and will make the command fail This can be specified multiple times |
-mfa <string> | Supply MFA credentials as part of X-Vault-MFA header. This can also be specified via the VAULT_MFA environment variable |
-namespace <string> | The namespace to use for the command. Setting this is not necessary but allows using relative paths. -ns can be used as shortcut. The default is (not set). This can also be specified via the VAULT_NAMESPACE environment variable |
-non-interactive <string> | When set true, prevents asking the user for input via the terminal. The default is false |
-output-curl-string <string> | Instead of executing the request, print an equivalent cURL command string and exit. The default is false |
-policy-override <string> | Override a Sentinel policy that has a soft-mandatory enforcement_level specified The default is false |
-tls-server-name <string> | Name to use as the SNI host when connecting to the Vault server via TLS. This can also be specified via the VAULT_TLS_SERVER_NAME environment variable |
-tls-skip-verify <string> | Disable verification of TLS certificates. Using this option is highly discouraged as it decreases the security of data transmissions to and from the Vault server. The default is false. This can also be specified via the VAULT_SKIP_VERIFY environment variable |
-unlock-key <string> | Key to unlock a namespace API lock. The default is (not set) |
-wrap-ttl <string> | Wraps the response in a cubbyhole token with the requested TTL. The response is available via the 'vault unwrap' command. The TTL is specified as a numeric string with suffix like '30s' or '5m'. This can also be specified via the VAULT_WRAP_TTL environment variable |
-field <string> | Print only the field with the given name. Specifying this option will take precedence over other formatting directives. The result will not have a trailing newline making it ideal for piping to other processes |
-format <string> | Print the output in the given format. Valid formats are 'table', 'json', 'yaml', or 'pretty'. The default is table. This can also be specified via the VAULT_FORMAT environment variable |
-display-name <string> | Name to associate with this token. This is a non-sensitive value that can be used to help identify created secrets (e.g. prefixes) |
-empty-alias <string> | Name of the entity alias to associate with during token creation. Only works in combination with -role argument and used entity alias must be listed in allowed_entity_aliases. If this has been specified, the entity will not be inherited from the parent |
-explicit-max-ttl <duration> | Explicit maximum lifetime for the token. Unlike normal TTLs, the maximum TTL is a hard limit and cannot be exceeded. This is specified as a numeric string with suffix like '30s' or '5m' |
-id <string> | Value for the token. By default, this is an auto-generated string. Specifying this value requires sudo permissions |
-metadata <key=value> | Arbitrary key=value metadata to associate with the token. This metadata will show in the audit log when the token is used. This can be specified multiple times to add multiple pieces of metadata |
-no-default-policy | Detach the 'default' policy from the policy set for this token. The default is false |
-orphan | Create the token with no parent. This prevents the token from being revoked when the token which created it expires. Setting this value requires root or sudo permissions. The default is false |
-period <duration> | If specified, every renewal will use the given period. Periodic tokens do not expire (unless -explicit-max-ttl is also provided). Setting this value requires sudo permissions. This is specified as a numeric string with suffix like '30s' or '5m' |
-policy <string> | Name of a policy to associate with this token. This can be specified multiple times to attach multiple policies |
-renewable | Allow the token to be renewed up to it's maximum TTL. The default is true |
-role <string> | Name of the role to create the token against. Specifying -role may override other arguments. The locally authenticated Vault token must have permission for 'auth/token/create/<role>' |
-ttl <duration> | Initial TTL to associate with the token. Token renewals may be able to extend beyond this value, depending on the configured maximum TTLs. This is specified as a numeric string with suffix like '30s' or '5m' |
-type <string> | The type of token to create. Can be 'service' or 'batch'. The default is service |
-use-limit <int> | Number of times this token can be used. After the last use, the token is automatically revoked. By default, tokens can be used an unlimited number of times until their expiration |