
HashiCorp Vault

Work with HashiCorp Vault using the `vault` CLI for authentication checks, KV secret reads and writes, listing paths, enabling and tuning secrets engines, po...
Use the HashiCorp Vault CLI for authentication checks, KV secret reads and writes, path listing, enabling and tuning secrets engines, policy management...
jimpang8
Security & Compliance clawhub v0.2.1 1 version 100000 Key: not required

Overview

HashiCorp Vault CLI

Use the vault CLI for Vault work. Prefer read-only inspection first, then confirm before writing secrets, changing auth methods, enabling engines, or editing policies.

Quick checks

vault version
vault status
vault auth list
vault secrets list
vault token lookup

If VAULT_ADDR is missing, set it first:

export VAULT_ADDR='https://vault.example.com'

For a local lab Vault, an example endpoint is:

export VAULT_ADDR='http://192.168.1.101:8200'
vault status
curl -s "$VAULT_ADDR/v1/sys/health"

Notes:

  • Replace the example address with your actual Vault endpoint.
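  • Some local test deployments use plain HTTP instead of HTTPS. Over plain HTTP the Vault token and secret values cross the network unencrypted, so keep that setup on an isolated lab network.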
  • Prefer reading tokens from a local file or environment variable instead of echoing them in chat.

Verify auth before assuming a path is missing:

vault token lookup
vault kv get secret/my-app

Read secrets

For KV v2 paths, use vault kv commands instead of raw API-style paths. The vault kv commands add the data/ segment that the KV v2 HTTP API expects after the mount name.

vault kv get secret/my-app
vault kv get -field=password secret/my-app
vault kv list secret/

If output is unclear, use JSON:

vault kv get -format=json secret/my-app
vault secrets list -format=json

Helper scripts

This skill includes simple wrappers that auto-load local settings:

{baseDir}/scripts/vault-list.sh secret/openclaw
{baseDir}/scripts/vault-get.sh secret/openclaw/openclaw-test
{baseDir}/scripts/vault-put.sh secret/openclaw/demo status=ok source=openclaw

Behavior:

  • Defaults VAULT_ADDR to http://192.168.1.101:8200
  • Loads VAULT_TOKEN from ~/.vault-token if not already exported
  • Uses vault kv commands for the common KV v2 workflow

Write secrets

Confirm before overwriting or deleting anything.

vault kv put secret/my-app username=app password='s3cr3t'
vault kv patch secret/my-app password='rotated'

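Prefer patch when updating a subset of keys on KV v2. A put writes a new version containing only the keys given on the command line, so any key left out is absent from that version.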

Policies and mounts

Inspect first:

vault policy list
vault policy read my-policy
vault secrets list -detailed

Change only with explicit user intent:

vault policy write my-policy ./policy.hcl
vault secrets enable -path=secret kv-v2
# KV v2: the mount-wide version limit is set on the mount's config endpoint
vault write secret/config max_versions=10

Authentication helpers

Common login flows:

vault login
vault login -method=userpass username=<user>
vault write auth/approle/login role_id=<role_id> secret_id=<secret_id>

When troubleshooting auth, inspect enabled auth backends and token details first:

vault auth list -detailed
vault token lookup

Troubleshooting workflow

  1. Check vault status and VAULT_ADDR.
  2. Check auth with vault token lookup or the intended login flow.
  3. Confirm mount names with vault secrets list.
  4. For KV access, verify whether the engine is KV v1 or KV v2 before choosing commands.
  5. Prefer -format=json when output will be parsed or compared.
  6. Read references/kv-and-troubleshooting.md for command patterns and common errors when the task is non-trivial.
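Steps 3 and 4 of this workflow can be scripted. The following is an added example, not part of the skill's own scripts: it parses `vault secrets list -format=json`, finds the mount that covers a logical path, and reports the KV version and the matching HTTP API path. The names `resolve`, `load_mounts` and `SAMPLE_MOUNTS` are hypothetical, and the sample mount table is constructed.

```python
import json
import subprocess

# Constructed sample, shaped like `vault secrets list -format=json` output.
SAMPLE_MOUNTS = json.loads("""
{
  "cubbyhole/": {"type": "cubbyhole", "options": null},
  "secret/":    {"type": "kv",  "options": {"version": "2"}},
  "legacy/":    {"type": "kv",  "options": null},
  "pki/":       {"type": "pki", "options": null}
}
""")


def load_mounts():
    """Ask the live server for its mount table (needs VAULT_ADDR and a token)."""
    result = subprocess.run(["vault", "secrets", "list", "-format=json"],
                            check=True, capture_output=True, text=True)
    return json.loads(result.stdout)


def resolve(path, mounts):
    """Return (mount, kv_version, api_path) for a logical path such as secret/my-app.

    kv_version and api_path are None when the mount is not a KV engine.
    Raises LookupError when no mount covers the path, which points to a wrong
    mount name rather than a missing secret.
    """
    probe = path.strip("/") + "/"
    matches = [m for m in mounts if probe.startswith(m)]
    if not matches:
        raise LookupError(f"no mount covers {path!r}; mounts: {sorted(mounts)}")
    mount = max(matches, key=len)
    rest = probe[len(mount):].rstrip("/")
    info = mounts[mount]
    if info.get("type") != "kv":
        return mount, None, None
    version = int((info.get("options") or {}).get("version", "1"))
    # KV v2 inserts data/ after the mount in the HTTP API path; KV v1 does not.
    api_path = f"{mount}data/{rest}" if version == 2 else f"{mount}{rest}"
    return mount, version, api_path


if __name__ == "__main__":
    for p in ("secret/my-app", "legacy/db", "pki/issue/web", "kv/my-app"):
        try:
            print(p, "->", resolve(p, SAMPLE_MOUNTS))
        except LookupError as err:
            print(p, "->", err)
```

Against a live server, pass `load_mounts()` instead of `SAMPLE_MOUNTS`.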

Version history

1 version in total

  • v0.2.1 current
    2026-03-30 01:31 Safe Safe

Security scan

Tencent Cloud Security (Keen)

Safe, no risk

Tencent Cloud Security (Sanbu)

Safe, no risk
