
HashiCorp Vault: Reading and Writing Secrets with CLI and API

Step-by-step guide to reading and writing secrets in HashiCorp Vault. Covers CLI commands, curl API calls, JSON output, field selection, and response wrapping for secure DevOps.

🔐 Prerequisites: Authenticate to Vault before proceeding and point the CLI at your server with the VAULT_ADDR environment variable. For the curl commands, also set VAULT_TOKEN to your authentication token; the CLI reads the same variable, so you never have to pass the token as a command-line argument.

Writing Secrets to Vault

Vault provides several ways to store secrets. The examples below use the Vault CLI and curl against a KV version 1 mount at secret/, which is the syntax the rest of this post uses; the FAQ at the end gives the 'vault kv' equivalents for KV version 2, where the paths and request bodies differ.

Using Vault CLI

The most straightforward method is 'vault write' with key=value arguments (KV version 1 syntax; on a KV version 2 mount use the 'vault kv put' form shown in the FAQ). Be aware that a value given this way sits on the command line, so it is recorded in shell history and visible in process listings while the command runs:

vault write secret/path password='mypassword'

Creating random passwords without exposing them: the value below is generated by openssl (16 random bytes, base64-encoded, so 128 bits of entropy), held only in a shell variable, and piped to vault, which reads a value from stdin when the argument is '-'. The password therefore never appears as a command-line argument, is not recorded in shell history or visible in process listings, and is never printed:

mypass="$(openssl rand -base64 16)"                            # generate; nothing is echoed
printf '%s' "$mypass" | vault write secret/test password=-      # '-' makes vault read the value from stdin
unset mypass                                                    # remove it from the shell's environment

Using curl

For API-based integration, call the HTTP API directly with curl and your Vault token. On a KV version 1 mount the JSON body is the key/value map itself:

curl -X POST -H "X-Vault-Token: $VAULT_TOKEN" \
  -d '{"password":"mypassword"}' \
  https://myvault.mydomain.com:8200/v1/secret/path

On a KV version 2 mount the path becomes /v1/secret/data/path and the body must wrap the fields as {"data": {"password": "mypassword"}}; the response then carries the version number that was written. As with 'vault write', an inline -d argument puts the secret on the command line, where it lands in shell history and is visible in process listings for the duration of the request; for anything beyond a quick test, read the body from a file with -d @payload.json or from stdin with -d @-.

⚠️ macOS Note: the curl bundled with macOS is built against Apple's Secure Transport and does not accept PEM-format client certificates for TLS client authentication; it expects a PKCS#12 bundle. Use a PKCS#12 file, a curl built against OpenSSL, or the Vault CLI for certificate-based authentication.

Reading Secrets from Vault

Reading is the mirror image of writing, and the same KV version caveat applies to the path. Here is how to access your stored data using both methods.

Using Vault CLI

Read the secret with 'vault read' (again KV version 1 syntax; on a KV version 2 mount use the 'vault kv get' form from the FAQ). Add -field=password to print a single value with no table formatting, or -format=json for output you can parse:

vault read secret/path

Using curl

Retrieve the secret with an HTTP GET. The field values come back under the "data" key of the JSON response; on a KV version 2 mount the path is /v1/secret/data/path and the values sit one level deeper, under "data" inside "data", next to the version metadata:

curl -X GET -H "X-Vault-Token: $VAULT_TOKEN" \
  https://myvault.mydomain.com:8200/v1/secret/path

Response Wrapping for Secure Sharing

Response wrapping lets you hand a secret to a person or process that has no Vault access of its own. Instead of returning the secret, Vault stores the response in the cubbyhole of a new single-use token with a short TTL and returns only that token; whoever presents the token can unwrap the response exactly once.

🔑 Security Benefit: the recipient needs no Vault policy, and the wrapping token is invalidated on first use or when the TTL elapses, whichever comes first. Because only one unwrap can ever succeed, a failed unwrap on the recipient's side means the token was already used (or expired) in transit; treat that as possible interception and rotate the secret.

Wrapping a Secret

Create a wrapped token with a 15-minute TTL (the -wrap-ttl flag works with any read, including 'vault kv get'):

vault read -wrap-ttl=15m secret/myapp/admin

Vault prints a wrapping_token field instead of the secret. Example token, in the older UUID style (newer Vault versions print tokens prefixed with hvs.):

162fddac-3d86-9a06-06e1-04cba88b6f36

Unwrapping the Secret

Retrieve the secret using the one-time token. 'vault unwrap' authenticates with the wrapping token itself, so the recipient needs no other credentials; before unwrapping, the recipient can confirm who created the token and for which path through the sys/wrapping/lookup endpoint, which does not consume it:

vault unwrap 162fddac-3d86-9a06-06e1-04cba88b6f36

After unwrapping, the secret is displayed and the token is invalid, so no one else can retrieve it. If the unwrap fails because the token has already been used, assume the secret was intercepted and rotate it.
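The two KV request shapes from the reading and writing sections above and the wrap/unwrap exchange from this section, carried out end to end in Python. This is an added example, not code from the original post or from HashiCorp: the client functions send the methods, paths, headers and JSON bodies the Vault HTTP API documents (the data/ prefix and "data" wrapper for KV version 2, the X-Vault-Wrap-TTL header, the sys/wrapping/unwrap endpoint), while FakeVault is a constructed in-memory stand-in for the server side so the script runs offline. The mount names kv1/ and secret/, the token strings, the secret values and the server address in http_transport are assumptions.

```python
"""Added example: KV v1/v2 read-write and response wrapping against a constructed stand-in for Vault."""
import json
import secrets
import time
import urllib.request

def http_transport(addr, token):
    """Real transport for a Vault at `addr` (assumed, e.g. https://myvault.mydomain.com:8200)."""
    def send(method, path, body=None, extra_headers=None):
        headers = {"X-Vault-Token": token, **(extra_headers or {})}
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(addr + path, data=data, method=method, headers=headers)
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}            # KV v1 writes answer 204 with no body
    return send

def kv_path(mount, path, version):
    return f"/v1/{mount}/{path}" if version == 1 else f"/v1/{mount}/data/{path}"   # v2: data/ prefix

def kv_fields(response, version):
    """What `vault kv get` prints: v1 has the values in .data, v2 nests them in .data.data."""
    return response["data"] if version == 1 else response["data"]["data"]

def kv_put(send, mount, path, kv, version=2):
    body = kv if version == 1 else {"data": kv}          # v2 wraps the key/value map in "data"
    return send("POST", kv_path(mount, path, version), body)

def kv_get(send, mount, path, version=2, field=None, wrap_ttl=None):
    """Equivalent of `vault kv get [-field=F] [-wrap-ttl=TTL]`."""
    headers = {"X-Vault-Wrap-TTL": wrap_ttl} if wrap_ttl else None
    resp = send("GET", kv_path(mount, path, version), None, headers)
    if wrap_ttl:
        return resp["wrap_info"]["token"]                # single-use token to hand to the recipient
    data = kv_fields(resp, version)
    return data[field] if field else data

def unwrap(send, wrap_token=None, version=2):
    """sys/wrapping/unwrap: authenticate with the wrapping token and no body, or with your own
    token and the wrapping token in the body. Never supply it in both places."""
    body = {"token": wrap_token} if wrap_token else None
    return kv_fields(send("POST", "/v1/sys/wrapping/unwrap", body), version)

def parse_ttl(ttl):
    return int(ttl[:-1]) * {"s": 1, "m": 60, "h": 3600}[ttl[-1]]   # "30s", "15m", "1h" -> seconds

class FakeVault:
    """Stand-in server: KV v1 mounted at kv1/, KV v2 at secret/, plus sys/wrapping/unwrap.
    Raises PermissionError where real Vault answers HTTP 403."""
    def __init__(self, root_token):
        self.root_token, self.kv1, self.kv2, self.cubbyhole = root_token, {}, {}, {}

    def send(self, token):
        return lambda method, path, body=None, hdrs=None: self.handle(token, method, path, body, hdrs or {})

    def handle(self, token, method, path, body, headers):
        if path == "/v1/sys/wrapping/unwrap":
            entry = self.cubbyhole.pop(body["token"] if body else token, None)  # pop: one use only
            if entry is None or entry["expires"] < time.time():
                raise PermissionError("wrapping token is not valid or does not exist")
            return entry["response"]
        if token != self.root_token:
            raise PermissionError("permission denied")
        resp = self._kv(method, path, body)
        if "X-Vault-Wrap-TTL" not in headers:
            return resp
        ttl = parse_ttl(headers["X-Vault-Wrap-TTL"])
        wrap_token = "hvs." + secrets.token_hex(16)      # illustrative, not Vault's real token format
        self.cubbyhole[wrap_token] = {"response": resp, "expires": time.time() + ttl}  # park the reply
        return {"wrap_info": {"token": wrap_token, "ttl": ttl, "creation_path": path[len("/v1/"):]}}

    def _kv(self, method, path, body):
        _, _, mount, rest = path.split("/", 3)          # "/v1/<mount>/<rest>"
        if mount == "secret":                            # KV v2: versioned, addressed as data/<path>
            versions = self.kv2.setdefault(rest.removeprefix("data/"), [])
            if method == "POST":
                versions.append(body["data"])
                return {"data": {"version": len(versions)}}
            return {"data": {"data": versions[-1], "metadata": {"version": len(versions)}}}
        if method == "POST":                             # KV v1: unversioned; real Vault returns 204
            self.kv1[rest] = body
            return {}
        return {"data": self.kv1[rest]}

def demo():
    root = "hvs.root-example"                            # constructed token, not a real one
    vault = FakeVault(root)
    admin = vault.send(root)
    kv_put(admin, "kv1", "myapp", {"password": "s3cr3t"}, version=1)
    kv_put(admin, "secret", "myapp", {"username": "admin", "password": "s3cr3t"})
    wrap_token = kv_get(admin, "secret", "myapp", wrap_ttl="15m")
    recipient = vault.send(wrap_token)                   # the recipient holds only the wrapping token
    first = unwrap(recipient)
    try:
        second_ok = unwrap(recipient) is not None        # a second unwrap must be refused
    except PermissionError:
        second_ok = False
    return {"v1_password": kv_get(admin, "kv1", "myapp", version=1, field="password"),
            "v2_fields": kv_get(admin, "secret", "myapp"),
            "unwrapped": first, "second_unwrap_succeeds": second_ok}
```

To run the same calls against a real server, replace vault.send(root) with http_transport("https://myvault.mydomain.com:8200", os.environ["VAULT_TOKEN"]) and give the recipient http_transport(addr, wrap_token), which is what 'vault unwrap' does: it authenticates with the wrapping token and nothing else. The single-use property comes from the server removing the cubbyhole entry on the first unwrap; a second attempt is refused with permission denied, which is the signal that something else already consumed the token.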

Frequently Asked Questions


Write a secret using 'vault kv put secret/myapp password=mysecret' for KV v2, or 'vault write secret/myapp password=mysecret' for KV v1. You can include multiple key-value pairs in a single command.

Read a secret using 'vault kv get secret/myapp' for KV v2, or 'vault read secret/myapp' for KV v1. Add '-format=json' for JSON output or '-field=password' to retrieve a specific field.

KV v1 is a simple key-value store without versioning. KV v2 adds versioning, soft delete, metadata, and check-and-set operations. Use 'vault kv' commands for v2 and 'vault read/write' for v1. KV v2 can also be driven with 'vault read/write' by addressing secret/data/<path> directly, but the 'vault kv' commands insert the data/ path segment and the "data" wrapper for you.

List secrets using 'vault kv list secret/' for KV v2, or 'vault list secret/' for KV v1. This shows secret names (keys) at that path, not the secret values themselves.

Delete a secret using 'vault kv delete secret/myapp' for KV v2 (a soft delete: the version is marked deleted but its data is retained until destroyed), or 'vault delete secret/myapp' for KV v1. In KV v2, 'vault kv destroy -versions=1 secret/myapp' permanently removes the listed versions, and 'vault kv metadata delete secret/myapp' removes every version together with the metadata.

Use the -field flag: 'vault kv get -field=password secret/myapp'. This returns only the value without formatting, useful for scripts and automation.

Response wrapping stores the response in the cubbyhole of a new single-use token and returns that token instead of the secret. Use 'vault kv get -wrap-ttl=5m secret/myapp' to share a secret this way; the recipient unwraps it with 'vault unwrap <wrapping-token>', which needs no other Vault credentials.

Write from a JSON file using 'vault kv put secret/myapp @data.json' where data.json contains your key-value pairs. You can also pipe JSON: 'cat data.json | vault kv put secret/myapp -'.

Add '-format=json' to any read command: 'vault kv get -format=json secret/myapp'. This returns structured JSON with data, metadata, and other fields, useful for parsing with jq. On KV v2 the field values sit under .data.data (the outer data holds the version metadata), so a jq filter for a single value is .data.data.password.

Yes, include multiple pairs: 'vault kv put secret/myapp username=admin password=secret api_key=abc123'. Each pair is stored as a separate field within the same secret.
