All resources
Vault · Cheat sheet

HashiCorp Vault cheat sheet

A complete Vault reference, beginner to advanced: connect and authenticate, KV v2 secrets, auth methods, policies, dynamic database/PKI/transit secrets, and operator tasks — with example output.

Connect & authenticateBeginner
vault server -dev
Start a throwaway in-memory dev server (never for prod).
Unseal Key: 6S3...
Root Token: hvs.abcd1234
export VAULT_ADDR="http://127.0.0.1:8200"
export VAULT_ADDR=https://vault.example.com:8200
Point the CLI at your Vault server.
vault status
Seal state, version, and HA mode.
Key             Value
Sealed          false
Version         1.15.0
HA Enabled      true
vault login
Authenticate with a token (prompts for it).
vault login -method=userpass username=alice
Log in via a non-token auth method.
export VAULT_TOKEN=hvs.CAES...
Provide a token non-interactively (CI).
vault token lookup
Show the current token TTL, policies, and metadata.
policies    [default kv-read]
ttl         767h59m
renewable   true
vault token renew
Extend the current token lease.
KV v2 secretsBeginner
vault secrets enable -path=secret kv-v2
Mount a versioned key/value engine.
vault kv put secret/app db_pass=s3cr3t api_key=xyz
Write (creates version 1).
==== Secret Path ====
secret/data/app
version    1
created_time  2025-06-12T...
vault kv get secret/app
Read the latest version of all fields.
====== Data ======
Key       Value
api_key   xyz
db_pass   s3cr3t
vault kv get -field=db_pass secret/app
Print just one field (scripting).
s3cr3t
vault kv get -format=json secret/app
Machine-readable output for pipelines.
vault kv list secret/
List keys under a path.
vault kv patch secret/app db_pass=new
Update one field, creating a new version.
vault kv metadata get secret/app
Version history and current/oldest version.
vault kv get -version=2 secret/app
Read a specific historical version.
vault kv rollback -version=1 secret/app
Restore an old version as the newest.
vault kv delete secret/app
Soft-delete the latest version (recoverable).
vault kv destroy -versions=3 secret/app
Permanently remove version 3.
Auth methodsIntermediate
vault auth list
Enabled auth methods and their paths.
Path         Type       Description
token/       token      token based creds
approle/     approle
vault auth enable userpass
Enable username/password auth.
vault write auth/userpass/users/alice password=pw policies=kv-read
Create a user bound to a policy.
vault auth enable approle
Enable AppRole (machine-to-machine).
vault write auth/approle/role/ci token_policies=deploy token_ttl=20m
Define a role for CI.
vault read auth/approle/role/ci/role-id
Fetch the stable role_id.
role_id    59d6...-...
vault write -f auth/approle/role/ci/secret-id
Generate a one-time secret_id.
secret_id           a1b2...
secret_id_ttl       0s
vault write auth/approle/login role_id=.. secret_id=..
Exchange for a scoped token.
token             hvs.CAES...
token_policies    [default deploy]
vault auth enable kubernetes
Let pods authenticate with their ServiceAccount JWT.
PoliciesIntermediate
vault policy list
List all policies.
vault policy write kv-read policy.hcl
Create/update a policy from a file.
path "secret/data/app" { capabilities = ["read"] }
HCL rule — grant read on one path.
vault policy read kv-read
Print a policy body.
vault token capabilities secret/data/app
What can THIS token do on a path?
read
Dynamic database secretsAdvanced
vault secrets enable database
Enable the database secrets engine.
vault write database/config/mydb plugin_name=postgresql-database-plugin ...
Configure the connection + allowed roles.
vault write database/roles/ro db_name=mydb default_ttl=1h [email protected]
Define a role that mints short-lived DB users.
vault read database/creds/ro
Get fresh, expiring DB credentials on demand.
lease_id    database/creds/ro/AbC
username    v-token-ro-x9
password    A1b2-...
ttl         1h
vault lease renew database/creds/ro/<id>
Extend a credential lease.
vault lease revoke database/creds/ro/<id>
Revoke immediately (drops the DB user).
PKI & transitAdvanced
vault secrets enable pki
Enable Vault as a certificate authority.
vault write pki/root/generate/internal common_name=example.com ttl=8760h
Generate a root CA.
vault write pki/roles/web allowed_domains=example.com allow_subdomains=true
Define what certs a role may issue.
vault write pki/issue/web common_name=app.example.com
Issue a short-lived leaf cert + key.
certificate       -----BEGIN CERTIFICATE-----
private_key       -----BEGIN RSA...
serial_number     3a:...
vault secrets enable transit
Encryption-as-a-service (keys never leave Vault).
vault write -f transit/keys/orders
Create a named encryption key.
vault write transit/encrypt/orders plaintext=$(base64 <<< secret)
Encrypt without handling the key.
ciphertext    vault:v1:8SDd...
vault write transit/decrypt/orders ciphertext=vault:v1:8SDd...
Decrypt back to base64 plaintext.
OperateAdvanced
vault operator init
Initialize a new Vault: emits unseal keys + root token.
Unseal Key 1: ...
Unseal Key 2: ...
Initial Root Token: hvs...
vault operator unseal
Supply one unseal key share (repeat to threshold).
Unseal Progress    1/3
vault operator seal
Seal Vault (blocks all access until unsealed).
vault audit enable file file_path=/var/log/vault_audit.log
Turn on tamper-evident audit logging.
vault operator raft list-peers
Integrated-storage cluster members.
vault lease revoke -prefix database/creds
Bulk-revoke every lease under a prefix.
Go deeper
Full, hands-on DevSecOps courses
Browse courses