This comprehensive guide demonstrates how to read and write secrets to HashiCorp Vault using both the Vault CLI and CURL commands. You’ll learn essential operations for Linux and macOS environments, with Windows compatibility notes included.
🔐 Prerequisites: Ensure you have authenticated against Vault before proceeding. For CURL commands, set the VAULT_TOKEN environment variable with your authentication token.
Writing Secrets to Vault
Vault provides multiple methods for storing secrets securely. Here are the primary approaches using both the Vault CLI and CURL commands.
Using Vault CLI
The most straightforward method to write secrets using the Vault command-line interface:
vault write secret/path password='mypassword'
Creating random passwords securely: Generate a password without displaying it on screen:
mypass="$(openssl rand -base64 16)"
# password=- tells the CLI to read the value from stdin, so it never appears in the command line or shell history
echo -n "$mypass" | vault write secret/test password=-
mypass=""
Using CURL Commands
For API-based integration, use CURL with your Vault token:
curl -X POST -H "X-Vault-Token: $VAULT_TOKEN" \
  -d '{"password":"mypassword"}' \
  https://myvault.mydomain.com:8200/v1/secret/path
⚠️ macOS Note: CURL on macOS does not support PEM certificates for authentication. Consider using the Vault CLI for certificate-based authentication.
Reading Secrets from Vault
Retrieving stored secrets is equally important as writing them. Here’s how to access your stored data using both methods.
Using Vault CLI
Read secrets with a simple command:
vault read secret/path
Using CURL Commands
Retrieve secrets via HTTP GET request:
curl -X GET -H "X-Vault-Token: $VAULT_TOKEN" \
  https://myvault.mydomain.com:8200/v1/secret/path
Response Wrapping for Secure Sharing
Response wrapping provides a secure method to share secrets with team members who don’t have direct Vault access. The data is stored in Vault’s cubbyhole and accessed via a one-time token.
🔑 Security Benefit: Response wrapping allows secure secret sharing without granting Vault access to recipients. The wrapping token becomes invalid after a single use or when its TTL expires, whichever comes first.
Wrapping a Secret
Create a wrapped token with a 15-minute TTL:
vault read -wrap-ttl=15m secret/myapp/admin
Example response token:
162fddac-3d86-9a06-06e1-04cba88b6f36
Unwrapping the Secret
Retrieve the secret using the one-time token:
vault unwrap 162fddac-3d86-9a06-06e1-04cba88b6f36
After unwrapping, the secret is displayed and the token becomes invalid, so the secret can be retrieved only once.
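The write, read and wrap/unwrap operations above, done through the Vault HTTP API rather than the CLI, as an added example that is not part of the original guide. It assumes VAULT_ADDR and VAULT_TOKEN are set (the server URL below is a placeholder), and the functions can be dry-run with CURL=echo to inspect the requests without a server.

```shell
#!/bin/sh
# Added example (not from the original guide): write, read and wrap/unwrap KV v1
# secrets through the Vault HTTP API while keeping the secret value out of argv
# and shell history. Assumed placeholders: VAULT_ADDR, VAULT_TOKEN and CURL
# (set CURL=echo to dry-run and print the requests instead of sending them).
CURL="${CURL:-curl}"
VAULT_ADDR="${VAULT_ADDR:-https://myvault.mydomain.com:8200}"

# Build {"<key>":"<value>"}; backslashes and double quotes in the value are
# escaped so an arbitrary generated password is still valid JSON.
json_payload() {
  esc=$(printf '%s' "$2" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
  printf '{"%s":"%s"}' "$1" "$esc"
}

# Write a KV v1 secret whose value arrives on stdin. The JSON body is handed to
# curl with `-d @-` (read from stdin), so unlike `-d '{"password":"..."}'` the
# value is never visible in `ps` output or in the shell history.
# usage: openssl rand -base64 16 | vault_write_stdin secret/test password
vault_write_stdin() {
  value=$(cat)
  json_payload "$2" "$value" | $CURL --silent --show-error --fail \
    -H "X-Vault-Token: ${VAULT_TOKEN:?VAULT_TOKEN is not set}" \
    -X POST -d @- "$VAULT_ADDR/v1/$1"
}

# Read a KV v1 secret; the fields come back under "data" in the JSON reply.
vault_read_json() {
  $CURL --silent --show-error --fail \
    -H "X-Vault-Token: ${VAULT_TOKEN:?VAULT_TOKEN is not set}" "$VAULT_ADDR/v1/$1"
}

# API form of `vault read -wrap-ttl=15m secret/myapp/admin`: the X-Vault-Wrap-TTL
# header makes Vault return a single-use wrapping token under "wrap_info.token".
vault_read_wrapped() {
  $CURL --silent --show-error --fail \
    -H "X-Vault-Token: ${VAULT_TOKEN:?VAULT_TOKEN is not set}" \
    -H "X-Vault-Wrap-TTL: $2" "$VAULT_ADDR/v1/$1"
}

# API form of `vault unwrap`: the recipient authenticates with the wrapping token
# alone and needs no other Vault access; the token is invalid after this call.
vault_unwrap() {
  $CURL --silent --show-error --fail -H "X-Vault-Token: $1" \
    -X POST "$VAULT_ADDR/v1/sys/wrapping/unwrap"
}
```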