Hashicorp Vault CLI Part 5: Vault Enterprise

By Sebastian Günther

The Hashicorp Vault CLI binary is a multi-purpose tool offering several commands for all configurational and operational aspects. This article investigates two commands available in Hashicorp Vault Enterprise: connecting to managed cloud platform instances, and using namespaces.

The technical context of this article is hashicorp_vault_v1.21.1, released 2025-11-18. All provided information and command examples should be valid with newer versions too, barring updates to the syntax of CLI commands.

The background material for this article stems from the official Hashicorp Vault documentation about Vault CLI and subsequent pages, as well as information from the binary itself.

Vault CLI Overview

The Vault CLI provides more than 30 commands. To explain and contextualize each command systematically, they can be grouped as follows.

Groups marked with a checkmark were covered in an earlier article, and the section marked with 🌀 is the focus of this article.

  • ✅ Initialization
    • server: Starts a server process
    • agent: Starts an agent process, a utility to communicate with a vault server to gain access to tokens
    • proxy: Starts a vault proxy process
  • ✅ Configuration
    • operator: Cluster management operations, including memberships, encryption and unseal keys
    • plugin: Manage and install additional plugins
    • read / list: Access stored configuration and secrets
    • write / patch: Modify or create any data
    • delete: Delete configuration data or secrets
  • ✅ Introspection
    • status: Show status information of the vault server
    • version: Shows compact version information and build timestamp
    • version-history: Shows detailed version information about all previously used vault server instances
    • print: Detailed view of the vault’s server runtime configuration
    • path-help: Detailed documentation about API endpoints
    • events: Subscribe to the event stream of a running vault instance
    • monitor: Print vault log messages
    • debug: Shows debug information of the connected Vault server
    • audit: Interact with connected audit devices
  • 🌀 Vault Enterprise
    • hcp: Operate a managed Hashicorp Vault cluster
    • namespace: Interact with configured namespaces of the cluster
  • Authorization
    • policy: Manage policy definitions that govern all vault operations
    • token: General token management
    • lease: Manage current token leases, including renewal, revocation and TTL modification
  • Authentication
    • auth: Interact with configured authentication options
    • login: Authenticates access to a Vault server
  • Secrets Management
    • secrets: General configuration of secret engines
    • kv: Access to the essential key-value store
    • transform: Interact with the transform secrets engine
    • transit: Interact with Vault's transit secrets engine
    • unwrap: One-time access to arbitrary encrypted data
    • pki: Access the private key infrastructure secrets engine
    • ssh: Initiates SSH sessions via the SSH secrets engine

Vault Enterprise Commands

hcp

Hashicorp offers cloud-based managed installations of Vault, called Hashicorp Cloud Platform (HCP). With the command of the same name, a connection between HCP and any computer that runs the same version of the Vault CLI can be established.

Without an HCP installation, establishing the connection can only be hinted at:

> vault hcp connect

# Log messages
The default web browser has been opened at https://auth.idp.hashicorp.com/oauth2/auth?access_type=offline&audience=https%3A%2F%2Fapi.hashicorp.cloud&client_id=4edd6521-6eb9-4d78-9039-7ce8569d667c&redirect_uri=http%3A%2F%2Flocalhost%3A8443%2Foidc%2Fcallback&response_type=code&scope=openid+offline_access&state=A45XFyg3naoKuyc2LASrFV1RvzNQpFzlbn2rXFlFZMU. Please continue the login in the web browser.
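
The log line above is an OAuth 2.0 authorization-code request with a loopback redirect, and its shape can be checked before the browser login is continued. The following is an added example, not code from the article or from Vault; the function names and the minimum `state` length are assumptions, and the expected host is simply the one seen in the log line.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Host taken from the log line above; treated as the expected value for this check.
EXPECTED_AUTH_HOST = "auth.idp.hashicorp.com"
MIN_STATE_LEN = 16  # assumption: shortest state value this check accepts

# The URL printed in the log line above (sentence-ending period removed).
SAMPLE_URL = (
    "https://auth.idp.hashicorp.com/oauth2/auth?access_type=offline"
    "&audience=https%3A%2F%2Fapi.hashicorp.cloud"
    "&client_id=4edd6521-6eb9-4d78-9039-7ce8569d667c"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A8443%2Foidc%2Fcallback"
    "&response_type=code&scope=openid+offline_access"
    "&state=A45XFyg3naoKuyc2LASrFV1RvzNQpFzlbn2rXFlFZMU"
)

def is_loopback(host):
    """True for 'localhost' or a literal loopback IP address."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def requested_scopes(url):
    """Scopes asked for; offline_access means a refresh token is requested."""
    return parse_qs(urlsplit(url).query).get("scope", [""])[0].split()

def check_auth_url(url):
    """Return a list of findings; an empty list means the URL has the expected shape."""
    findings = []
    u = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if u.scheme != "https" or u.hostname != EXPECTED_AUTH_HOST:
        findings.append(f"unexpected authorization endpoint: {u.scheme}://{u.hostname}")
    if q.get("response_type") != "code":
        findings.append("not an authorization-code request")
    redirect = urlsplit(q.get("redirect_uri", ""))
    if not is_loopback(redirect.hostname or ""):
        findings.append(f"redirect_uri is not loopback: {q.get('redirect_uri')}")
    if len(q.get("state", "")) < MIN_STATE_LEN:
        findings.append("state parameter missing or too short")
    return findings

if __name__ == "__main__":
    print(check_auth_url(SAMPLE_URL) or "URL matches the expected shape")
    print("scopes:", requested_scopes(SAMPLE_URL))
```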

namespace

In Vault, all interactions ultimately send data to a mount point. When managing an extensive suite with multiple versions of the same secrets engines or authentication methods, the route paths can become convoluted. Namespaces add a path segment to the mount point, helping to structure Vault, e.g. into company sections.

A full set of CRUD methods is available:

  • create: adds a new namespace
  • lookup: checks if the given namespace exists
  • list: reads all child namespaces
  • patch: updates the parameters of a given namespace
  • delete: removes the namespace
  • lock: prevents access to any endpoints mounted under a target namespace
  • unlock: removes the lock for a namespace

However, namespaces are a Vault Enterprise feature only. Calling any of these methods against the community edition merely results in an error:

> vault namespace create data-center-1

# log messages
Error creating namespace: Error making API request.

URL: PUT http://127.0.0.1:8210/v1/sys/namespaces/data-center-1
Code: 404. Errors:

* enterprise-only feature
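
Automation that wraps `vault namespace` can parse this error text to tell an edition mismatch apart from a permission problem or a missing namespace. The following is an added example, not code from the article or from Vault; the function names and category labels are assumptions, and the sample is the output shown above.

```python
import re
from urllib.parse import urlsplit

# Sample input: the CLI error text shown above.
SAMPLE_OUTPUT = """Error creating namespace: Error making API request.

URL: PUT http://127.0.0.1:8210/v1/sys/namespaces/data-center-1
Code: 404. Errors:

* enterprise-only feature
"""

NAMESPACE_API = "/v1/sys/namespaces/"  # API path visible in the error above

def parse_cli_error(text):
    """Extract method, URL, status code and error strings; None if not an API error."""
    req = re.search(r"^URL:\s+(\S+)\s+(\S+)\s*$", text, re.M)
    code = re.search(r"^Code:\s+(\d+)\.", text, re.M)
    if not req or not code:
        return None
    return {
        "method": req.group(1),
        "url": req.group(2),
        "code": int(code.group(1)),
        "errors": re.findall(r"^\*\s+(.+?)\s*$", text, re.M),
    }

def namespace_from_url(url):
    """Name of the namespace the request addressed, or None for other endpoints."""
    path = urlsplit(url).path
    if path.startswith(NAMESPACE_API):
        return path[len(NAMESPACE_API):].strip("/") or None
    return None

def classify(err):
    """Map a parsed error to a category (labels are this example's own)."""
    if any("enterprise-only feature" in e for e in err["errors"]):
        return "edition"      # server is not Enterprise; retrying will not help
    if err["code"] == 403:
        return "permission"   # token policy does not allow the operation
    if err["code"] == 404 and namespace_from_url(err["url"]):
        return "not-found"
    return "other"

if __name__ == "__main__":
    err = parse_cli_error(SAMPLE_OUTPUT)
    print(classify(err), namespace_from_url(err["url"]))
```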

Conclusion

The Vault CLI binary offers more than 30 subcommands. This blog post covered 2 miscellaneous commands. With hcp, a connection to a managed Hashicorp Vault Cloud Platform instance can be created. The namespace command enables supplementing API endpoints with additional path segments to reflect organizational structure. Both commands require a Vault Enterprise server; they cannot be used in the Vault community version.