vault.cheat
% vault
# Before executing any command, export VAULT_ADDR and VAULT_NAMESPACE, then log in (OIDC here); the CLI caches the resulting token, by default in ~/.vault-token
vault login -method=oidc
# Rename (move) a secrets engine to a new mount path; configuration is kept, but leases issued under the old path are revoked
vault secrets move <prev_name>/ <new_name>/
# List all AppRoles
vault list auth/approle/role
# View the detailed configuration of an AppRole
vault read auth/approle/role/<role_name>
# Read the role-id of an AppRole (this reads the existing identifier, it does not generate a new one)
vault read -field=role_id auth/approle/role/<role_name>/role-id
# Generate a secret-id for an AppRole; the output is a credential, so keep it out of logs and tickets (response wrapping via -wrap-ttl is the usual way to hand one over)
vault write -field=secret_id -force auth/approle/role/<role_name>/secret-id
# Login with role-id and secret-id from AppRole; a secret-id typed as an argument lands in shell history and the process list, and secret_id=- reads it from stdin instead
vault write auth/approle/login role_id=<role_id> secret_id=<secret_id>
# Read/get a KV secret (the secret values are printed to the terminal)
vault kv get <secret_engine_name>/<secret_path>
# List all authentication methods
vault auth list -detailed -namespace=<name>
# Delete AppRole
vault delete auth/approle/role/<role_name>
# Delete secret; on KV v2 this only soft-deletes the latest version, so older versions and metadata remain readable to those with access
vault kv delete <secret_engine_name>/<secret_path>
# Show the path help (available paths and their parameters) for a secrets engine
vault path-help <secret_engine>
# Create AppRole; the short TTLs and single-use secret-id shown here limit what a leaked credential is worth
vault write auth/approle/role/<name> secret_id_ttl=10m token_ttl=20m token_max_ttl=30m secret_id_num_uses=1 token_policies=<policy_name_to_attach>
# Write a KV secret; a literal <value> ends up in shell history, while <key>=@<file> or <key>=- reads it from a file or stdin
vault kv put <secret_engine_name>/<secret_path> <key>=<value>
# Enable a new KV secrets engine; without -version=2 this mounts KV v1, which keeps no version history
vault secrets enable -path=<name> kv
# List all secrets engines
vault secrets list
# Delete/disable a secrets engine; irreversible, all of its secrets are revoked and its stored data is deleted
vault secrets disable <name>/
# Revoke all tokens generated by the AppRole auth method; every client that logged in through auth/approle loses access at once
vault token revoke -mode path auth/approle
# List all policies
vault policy list
# Read policy
vault policy read <name>
# Create token (a child of the token currently in use); add -ttl=<duration> to bound its lifetime explicitly
vault token create -policy=<name> -namespace=<full/name>
# Create DEV server with root token as 'root'; dev mode is in-memory, unsealed and without TLS, so use it for local testing only
vault server -dev -dev-root-token-id=root
# Delete policy; takes effect immediately for every token and role that references it
vault policy delete <name>