
Hashicorp Vault CLI Part 1: Initialization

By Sebastian Günther

Posted in Hashicorp_vault

The Hashicorp Vault secrets management tool comes as an executable binary supporting all major operating systems. The binary itself is a multi-purpose tool, providing several commands to start and configure single vault instances or a cluster of multiple servers, define authentication mechanisms and policies, and configure and work with secret engines.

In a series of blog posts, complete coverage of all CLI commands will be provided. This starting article treats all commands from the initialization group, showing how to start a full Vault server instance, an agent, or a proxy.

The technical context of this article is hashicorp_vault_v1.20, published 2025-06-25. All provided information and command examples should be valid with newer versions too, barring updates to the syntax of CLI commands.

The background material for this article stems from the official Hashicorp Vault documentation about Vault CLI and subsequent pages, as well as information from the binary itself.

CLI Overview: Basic Commands

Like every CLI, the Hashicorp Vault binary, aptly named vault, provides built-in documentation, exposed by passing --help to the root command or to any of its subcommands. Available commands are printed in a flat list, but they apply to different lifecycle phases of operating and using vault.

Grouping the commands accordingly yields the following structure. The marked section (🌀) is the focus of this article.

  • 🌀 Initialization
    • server: Starts a server process
    • agent: Starts an agent process, a utility to communicate with a vault server to gain access to tokens
    • proxy: Starts a vault proxy process
  • Configuration
    • operator: Cluster management operations, including memberships, encryption and unseal keys
    • plugin: Manage and install additional plugins
    • read / list: Access stored configuration and secrets
    • write / patch: Modify or create any data
    • delete: Delete stored secrets and data
  • Introspection
    • status: Show status information of the vault server
    • version: Shows compact version information and build timestamp
    • version-history: Shows detailed version information about all previously used vault server instances
    • print: Detailed view of the vault’s server runtime configuration
    • path-help: Detailed documentation about API endpoints
    • events: Subscribe to the event stream of a running vault instance
    • monitor: Print vault log messages
    • debug: Shows debug information of the connected Vault server
    • audit: Interact with connected audit devices
  • Vault Enterprise
    • hcp: Operate a managed Hashicorp Vault Cluster
    • namespace: Interact with configured namespaces of the cluster
  • Authorization
    • policy: Manage policy definitions that govern all vault operations
    • tokens: General token management
    • lease: Manage current token leases, including renewal, revocation and TTL modification
  • Authentication
    • auth: Interact with configured authentication options
    • login: Authenticates access to a Vault server
  • Secrets Management
    • secrets: General configuration of secret engines
    • kv: Access to the essential key-value store
    • pki: Access the public key infrastructure secrets engine
    • ssh: Initiates SSH sessions via the SSH secrets engine
    • transform: Interact with the transform secrets engine
    • transit: Interact with Vault's transit secrets engine
    • unwrap: One-time access to arbitrary encrypted data

In this blog article, only the commands from the initialization, authentication, and plugin management groups are explored.

Initialization Commands

This group contains all commands that start a Vault process, or a process that communicates transparently with Vault servers on behalf of local clients.

server

This command starts a new vault instance. The most important configuration options can be provided either as flags to this command, or expressed in a configuration file that is itself passed as an argument. The defining attributes are these:

  • address: The local IP address and port to which the vault process is bound
  • ca-path: A directory with PEM-encoded certificates that vault uses for encrypting all local traffic
  • client-cert: Client certificates in PEM format are one of Vault's authentication mechanisms. This flag designates a local folder from which the certificates will be loaded.
  • dev: This flag starts a non-production, no-encryption and in-memory only instance of a Vault server
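
The contrast between the dev flag and a configuration file is easiest to see with both written out. The script below is an added example, not code from the post or from HashiCorp: it writes a production-style server configuration file, writes a second file that spells out what -dev implies (in-memory storage, plaintext loopback listener), and greps both for the two settings that make the dev mode unfit for real deployments. All paths, hostnames and the node id are placeholder assumptions; the checks are grep heuristics, not an HCL parser.

```shell
#!/bin/sh
# Added example (not from the post): a production-style "vault server" config
# beside a file approximating what "-dev" sets up, plus two sanity checks.
# Every path, hostname and node id here is a placeholder assumption.

# Write a hardened config into directory $1; print the file path.
write_server_config() {
  cfg="$1/vault.hcl"
  cat > "$cfg" <<'EOF'
# Placeholder paths: point these at real certificate, key and data locations.
ui = false

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault.d/tls/vault.crt"
  tls_key_file  = "/etc/vault.d/tls/vault.key"
  # tls_disable is left unset: the default (false) keeps TLS on.
}

storage "raft" {
  path    = "/opt/vault/data"
  node_id = "vault-1"
}

api_addr     = "https://vault.example.internal:8200"
cluster_addr = "https://vault.example.internal:8201"
EOF
  echo "$cfg"
}

# Write a config equivalent to the -dev flag into $1; print the path.
# (Assumption: -dev takes no file; this only spells out what it implies.)
write_dev_like_config() {
  cfg="$1/dev-like.hcl"
  cat > "$cfg" <<'EOF'
# Plaintext loopback listener and in-memory storage: state is lost on exit
# and nothing on the wire is encrypted. Fine on a laptop, never in production.
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = true
}

storage "inmem" {}
EOF
  echo "$cfg"
}

# Succeed (0) when the config keeps TLS on, fail (1) when it turns it off.
config_keeps_tls() {
  ! grep -Eq '^[[:space:]]*tls_disable[[:space:]]*=[[:space:]]*(true|"true"|1)' "$1"
}

# Succeed when a storage backend is declared and it is not the in-memory one.
config_is_persistent() {
  grep -Eq '^[[:space:]]*storage[[:space:]]+"[a-z]+"' "$1" &&
    ! grep -Eq '^[[:space:]]*storage[[:space:]]+"inmem"' "$1"
}

# Report each file together with the command line it corresponds to.
report() {
  for f in "$@"; do
    if config_keeps_tls "$f" && config_is_persistent "$f"; then
      echo "$f: production-grade -> vault server -config=$f"
    else
      echo "$f: dev-grade settings -> equivalent to: vault server -dev"
    fi
  done
}

dir=$(mktemp -d)
report "$(write_server_config "$dir")" "$(write_dev_like_config "$dir")"
```

Running the script prints one line per file; the raft-backed file passes both checks, the dev-like file fails both. The same two greps are a cheap pre-flight to run over any config before handing it to vault server -config, since a stray tls_disable = true copied from a lab setup is exactly the kind of thing that survives into a rollout unnoticed.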

agent

Agent mode provides a process-level communication mode between any server and a Vault instance or cluster. Agents work by being configured with special template formats into which plaintext secrets are rendered. The default options of the server command are available as well, with the following additions:

Subcommands

  • generate-config: As the name suggests, this command generates an agent configuration. In hashicorp_vault_v1.20, the only option is to append -type="env-template". The resulting file is as follows:
auto_auth {
  method {
    type = "token_file"

    config {
      token_file_path = "/home/users/.vault-token"
    }
  }
}

template_config {
  static_secret_render_interval = "5m"
  exit_on_retry_failure         = true
  max_connections_per_host      = 10
}

vault {
  address = "http://127.0.0.1:8200"
}

exec {
  command                   = ["env"]
  restart_on_secret_changes = "always"
  restart_stop_signal       = "SIGTERM"
}

proxy

This command starts a local process that mimics the API of a Vault instance or cluster. Once authenticated with a Vault, it handles all client requests transparently. An additional benefit is local client-side caching, which stores responses from authentication methods and leased secrets alike. To simplify the use of a Vault proxy, the initial authentication with Vault can be configured as auto authentication. This requires a supported authentication option and a "sink", a place where the auth information is stored.

No additional subcommands are provided, and as before, the default options of the server command are available too.
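
The auto-auth and sink mechanism is shared by the agent and the proxy, so one script can serve both sections: the agent configuration below renders a secret to a file through a template, and the proxy configuration below uses the same auto-auth block together with a file sink, request caching, and a loopback listener. This is an added example, not code from the post or from HashiCorp; every path, address and role file is a placeholder assumption, and the two checks are grep heuristics rather than an HCL parser.

```shell
#!/bin/sh
# Added example (not from the post): an agent config with a file sink and one
# template, a proxy config with auto-auth, sink, cache and loopback listener,
# and two checks on the settings that matter when running either one.
# Every path, hostname and address here is a placeholder assumption.

# Agent: AppRole auto-auth, owner-only token sink, one rendered template.
# Written into directory $1; prints the file path.
write_agent_config() {
  cfg="$1/agent.hcl"
  cat > "$cfg" <<'EOF'
vault {
  address = "https://vault.example.internal:8200"
}

auto_auth {
  method "approle" {
    mount_path = "auth/approle"
    config {
      role_id_file_path                   = "/etc/vault-agent/role_id"
      secret_id_file_path                 = "/etc/vault-agent/secret_id"
      remove_secret_id_file_after_reading = true
    }
  }
  sink "file" {
    config {
      path = "/run/vault-agent/token"
      mode = 0600
    }
  }
}

template {
  source      = "/etc/vault-agent/templates/db.ctmpl"
  destination = "/run/secrets/db.env"
  perms       = "0600"
}
EOF
  echo "$cfg"
}

# Proxy: same auto-auth shape, plus api_proxy, cache and a listener bound to
# the address given as $2. Written into $1; prints the file path.
write_proxy_config() {
  cfg="$1/proxy.hcl"
  cat > "$cfg" <<EOF
vault {
  address = "https://vault.example.internal:8200"
}

auto_auth {
  method "approle" {
    config {
      role_id_file_path   = "/etc/vault-proxy/role_id"
      secret_id_file_path = "/etc/vault-proxy/secret_id"
    }
  }
  sink "file" {
    config {
      path = "/run/vault-proxy/token"
      mode = 0600
    }
  }
}

api_proxy {
  use_auto_auth_token = true
}

cache {}

# Plaintext listener: acceptable only on loopback, where no other host can reach it.
listener "tcp" {
  address     = "$2"
  tls_disable = true
}
EOF
  echo "$cfg"
}

# Succeed when the token sink is written with owner-only permissions.
sink_is_private() {
  grep -Eq '^[[:space:]]*mode[[:space:]]*=[[:space:]]*0600' "$1"
}

# Succeed when a plaintext listener (tls_disable = true) binds only to loopback;
# configs without a plaintext listener pass trivially.
plaintext_listener_is_loopback() {
  if grep -Eq '^[[:space:]]*tls_disable[[:space:]]*=[[:space:]]*true' "$1"; then
    grep -Eq '^[[:space:]]*address[[:space:]]*=[[:space:]]*"127\.0\.0\.1:' "$1"
  else
    return 0
  fi
}

dir=$(mktemp -d)
for f in "$(write_agent_config "$dir")" "$(write_proxy_config "$dir" 127.0.0.1:8100)"; do
  if sink_is_private "$f" && plaintext_listener_is_loopback "$f"; then
    echo "$f: checks passed (run with: vault agent|proxy -config=$f)"
  else
    echo "$f: review before use"
  fi
done
```

The listener address is a parameter on purpose: re-running write_proxy_config with 0.0.0.0:8100 produces a file that plaintext_listener_is_loopback rejects, which is the misconfiguration to watch for when a proxy that was meant to serve local processes ends up reachable from the network.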

Conclusion

The Hashicorp Vault binary is a multipurpose CLI tool. Its more than 30 subcommands can be grouped along different tasks, of which initialization, starting a Vault server process, is the focus of this article. You learned how to start a Vault process in server mode, as an agent for lightweight Vault interaction that renders secrets to template files, and as a proxy that serves a thin replica of the Vault REST API.