# HashiCorp Vault API

Vault exposes a unified HTTP API for all secrets engines and auth methods.
## Overview

| Base URL | |
| Auth | Token, AppRole, LDAP, OIDC |
| Format | JSON |
| CLI | |
## Key Paths

| Engine | Path | Purpose |
|---|---|---|
| KV Secrets | | Key-value secrets storage |
| PKI | | Certificate issuance |
| SSH CA | | SSH certificate signing |
| Auth | | Authentication |
| Sys | | System operations |
## Examples

### Read KV Secret

```bash
# CLI
vault kv get kv/infrastructure/ise
# curl (KV v2: the API path carries a data/ segment that the CLI path does not)
# -k skips server certificate verification; once the internal CA is in the trust
# store, drop it or pass --cacert <ca-bundle> instead.
curl -ks -H "X-Vault-Token: $VAULT_TOKEN" \
  "$VAULT_ADDR/v1/kv/data/infrastructure/ise" | jq '.data.data'
```

### Write KV Secret

```bash
# CLI
vault kv put kv/infrastructure/newservice \
  username="admin" \
  password="secret123"
# curl
curl -ks -H "X-Vault-Token: $VAULT_TOKEN" \
  -X POST "$VAULT_ADDR/v1/kv/data/infrastructure/newservice" \
  -d '{"data": {"username": "admin", "password": "secret123"}}' | jq
```

### Issue Certificate

```bash
# CLI
vault write pki_int/issue/domus-client \
  common_name="host.inside.domusdigitalis.dev" \
  ttl=8760h
# curl
curl -ks -H "X-Vault-Token: $VAULT_TOKEN" \
  -X POST "$VAULT_ADDR/v1/pki_int/issue/domus-client" \
  -d '{"common_name": "host.inside.domusdigitalis.dev", "ttl": "8760h"}' | jq
```

### Sign SSH Key

```bash
# CLI
# @file reads the public key from disk; use $HOME rather than ~ because the
# shell does not tilde-expand after the @ and the CLI opens the path literally.
vault write -field=signed_key ssh/sign/domus-client \
  public_key=@$HOME/.ssh/id_ed25519_vault.pub \
  valid_principals="evanusmodestus,admin,root"
# curl
curl -ks -H "X-Vault-Token: $VAULT_TOKEN" \
  -X POST "$VAULT_ADDR/v1/ssh/sign/domus-client" \
  -d "{\"public_key\": \"$(cat ~/.ssh/id_ed25519_vault.pub)\", \"valid_principals\": \"evanusmodestus,admin,root\"}" \
  | jq -r '.data.signed_key'
```

### AppRole Login

```bash
# Returns a client token; no X-Vault-Token header is needed for the login call itself
curl -ks -X POST "$VAULT_ADDR/v1/auth/approle/login" \
  -d "{\"role_id\": \"$ROLE_ID\", \"secret_id\": \"$SECRET_ID\"}" \
  | jq -r '.auth.client_token'
```
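The AppRole login, KV v2 read and token clean-up above as a small stdlib-only Python client, added here as an example rather than taken from the page's own tooling. The CA bundle path, role ID and secret ID are assumed to be supplied by the caller, and `SAMPLE_KV_RESPONSE` is a constructed response used to exercise the parser.

```python
"""Added example: stdlib-only client for the AppRole login and KV v2 read shown above."""
import json
import ssl
import urllib.request
# Constructed sample of a KV v2 read response (not captured from a real server).
SAMPLE_KV_RESPONSE = {"data": {"data": {"username": "admin", "password": "secret123"},
                               "metadata": {"version": 3, "destroyed": False}}}

def kv2_api_path(cli_path: str, view: str = "data") -> str:
    """Map a CLI path (kv/infrastructure/ise) to the KV v2 API path (kv/data/infrastructure/ise).
    KV v2 inserts data/ (or metadata/, delete/, destroy/) after the mount; omitting it gives a 404."""
    mount, _, secret = cli_path.strip("/").partition("/")
    if not secret:
        raise ValueError("expected <mount>/<secret path>")
    return f"{mount}/{view}/{secret}"

def parse_kv2_read(body: dict) -> tuple:
    """Return (key/values, version) from a KV v2 read body; the secret lives under .data.data."""
    return body["data"]["data"], body["data"]["metadata"]["version"]

class VaultClient:
    def __init__(self, addr: str, ca_bundle=None):
        self.addr = addr.rstrip("/")
        # Verify the server certificate against the internal CA bundle (no curl -k equivalent:
        # skipping verification would hand the token to whoever answers on that address).
        self.ctx = ssl.create_default_context(cafile=ca_bundle)
        self.token = None

    def request(self, method: str, path: str, payload=None) -> dict:
        data = json.dumps(payload).encode() if payload is not None else None
        req = urllib.request.Request(f"{self.addr}/v1/{path}", data=data, method=method)
        req.add_header("Content-Type", "application/json")
        if self.token:
            req.add_header("X-Vault-Token", self.token)  # header only, never a URL parameter
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}  # revoke-self answers 204 with an empty body

    def login_approle(self, role_id: str, secret_id: str) -> int:
        body = self.request("POST", "auth/approle/login",
                            {"role_id": role_id, "secret_id": secret_id})
        self.token = body["auth"]["client_token"]
        return body["auth"]["lease_duration"]  # seconds until the token expires

    def kv_get(self, cli_path: str) -> tuple:
        return parse_kv2_read(self.request("GET", kv2_api_path(cli_path)))

    def revoke_self(self) -> None:
        """Revoke the AppRole token when done instead of letting it live out its TTL."""
        self.request("POST", "auth/token/revoke-self")
        self.token = None
```

Typical use is `login_approle`, one or more `kv_get` calls, then `revoke_self`, so a token from a one-off job never outlives the job.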
## Environment Setup

```bash
# Load from dsec
dsource d000 dev/app
# Or manually
export VAULT_ADDR="https://vault-01.inside.domusdigitalis.dev:8200"
export VAULT_TOKEN="<from vault login or approle>"
```
| Learnings | |
| Vault API Gotchas | |