Vault · Cheat sheet
HashiCorp Vault cheat sheet
A complete Vault reference, beginner to advanced: connect and authenticate, KV v2 secrets, auth methods, policies, dynamic database/PKI/transit secrets, and operator tasks — with example output.
Connect & authenticateBeginner
vault server -dev
Start a throwaway in-memory dev server (never for prod).
Unseal Key: 6S3... Root Token: hvs.abcd1234 export VAULT_ADDR="http://127.0.0.1:8200"
export VAULT_ADDR=https://vault.example.com:8200
Point the CLI at your Vault server.
vault status
Seal state, version, and HA mode.
Key Value Sealed false Version 1.15.0 HA Enabled true
vault login
Authenticate with a token (prompts for it).
vault login -method=userpass username=alice
Log in via a non-token auth method.
export VAULT_TOKEN=hvs.CAES...
Provide a token non-interactively (CI).
vault token lookup
Show the current token TTL, policies, and metadata.
policies [default kv-read] ttl 767h59m renewable true
vault token renew
Extend the current token lease.
KV v2 secretsBeginner
vault secrets enable -path=secret kv-v2
Mount a versioned key/value engine.
vault kv put secret/app db_pass=s3cr3t api_key=xyz
Write (creates version 1).
==== Secret Path ==== secret/data/app version 1 created_time 2025-06-12T...
vault kv get secret/app
Read the latest version of all fields.
====== Data ====== Key Value api_key xyz db_pass s3cr3t
vault kv get -field=db_pass secret/app
Print just one field (scripting).
s3cr3t
vault kv get -format=json secret/app
Machine-readable output for pipelines.
vault kv list secret/
List keys under a path.
vault kv patch secret/app db_pass=new
Update one field, creating a new version.
vault kv metadata get secret/app
Version history and current/oldest version.
vault kv get -version=2 secret/app
Read a specific historical version.
vault kv rollback -version=1 secret/app
Restore an old version as the newest.
vault kv delete secret/app
Soft-delete the latest version (recoverable).
vault kv destroy -versions=3 secret/app
Permanently remove version 3.
Auth methodsIntermediate
vault auth list
Enabled auth methods and their paths.
Path Type Description token/ token token based creds approle/ approle
vault auth enable userpass
Enable username/password auth.
vault write auth/userpass/users/alice password=pw policies=kv-read
Create a user bound to a policy.
vault auth enable approle
Enable AppRole (machine-to-machine).
vault write auth/approle/role/ci token_policies=deploy token_ttl=20m
Define a role for CI.
vault read auth/approle/role/ci/role-id
Fetch the stable role_id.
role_id 59d6...-...
vault write -f auth/approle/role/ci/secret-id
Generate a one-time secret_id.
secret_id a1b2... secret_id_ttl 0s
vault write auth/approle/login role_id=.. secret_id=..
Exchange for a scoped token.
token hvs.CAES... token_policies [default deploy]
vault auth enable kubernetes
Let pods authenticate with their ServiceAccount JWT.
PoliciesIntermediate
vault policy list
List all policies.
vault policy write kv-read policy.hcl
Create/update a policy from a file.
path "secret/data/app" { capabilities = ["read"] }
HCL rule — grant read on one path.
vault policy read kv-read
Print a policy body.
vault token capabilities secret/data/app
What can THIS token do on a path?
read
Dynamic database secretsAdvanced
vault secrets enable database
Enable the database secrets engine.
vault write database/config/mydb plugin_name=postgresql-database-plugin ...
Configure the connection + allowed roles.
vault write database/roles/ro db_name=mydb default_ttl=1h [email protected]
Define a role that mints short-lived DB users.
vault read database/creds/ro
Get fresh, expiring DB credentials on demand.
lease_id database/creds/ro/AbC username v-token-ro-x9 password A1b2-... ttl 1h
vault lease renew database/creds/ro/<id>
Extend a credential lease.
vault lease revoke database/creds/ro/<id>
Revoke immediately (drops the DB user).
PKI & transitAdvanced
vault secrets enable pki
Enable Vault as a certificate authority.
vault write pki/root/generate/internal common_name=example.com ttl=8760h
Generate a root CA.
vault write pki/roles/web allowed_domains=example.com allow_subdomains=true
Define what certs a role may issue.
vault write pki/issue/web common_name=app.example.com
Issue a short-lived leaf cert + key.
certificate -----BEGIN CERTIFICATE----- private_key -----BEGIN RSA... serial_number 3a:...
vault secrets enable transit
Encryption-as-a-service (keys never leave Vault).
vault write -f transit/keys/orders
Create a named encryption key.
vault write transit/encrypt/orders plaintext=$(base64 <<< secret)
Encrypt without handling the key.
ciphertext vault:v1:8SDd...
vault write transit/decrypt/orders ciphertext=vault:v1:8SDd...
Decrypt back to base64 plaintext.
OperateAdvanced
vault operator init
Initialize a new Vault: emits unseal keys + root token.
Unseal Key 1: ... Unseal Key 2: ... Initial Root Token: hvs...
vault operator unseal
Supply one unseal key share (repeat to threshold).
Unseal Progress 1/3
vault operator seal
Seal Vault (blocks all access until unsealed).
vault audit enable file file_path=/var/log/vault_audit.log
Turn on tamper-evident audit logging.
vault operator raft list-peers
Integrated-storage cluster members.
vault lease revoke -prefix database/creds
Bulk-revoke every lease under a prefix.
Go deeper
Full, hands-on DevSecOps courses