Re: [vault] Can Vault be installed as a CLI tool on client's machine to interact with remote Vault server?

1,599 views
Skip to first unread message

David Adams

unread,
Jun 22, 2016, 4:12:05 AM6/22/16
to vault...@googlegroups.com
The vault binary can be deployed on client machines. In that case you wouldn't use a configuration file. Typically the only configuration that needs to be done on the client side is setting the path to the vault server, which can be done by setting the VAULT_ADDR environment variable. If you use the `vault auth` command to authenticate, the auth token will be stored in ~/.vault_token. Alternatively, if you have a vault token from some other authentication mechanism you can specify it with the VAULT_TOKEN environment variable. If you need to set TLS or other options, check out the interactive help or the docs.

On Wed, Jun 22, 2016 at 12:55 AM, Tomato_ <xqing....@gmail.com> wrote:
Hi

In auth-backend:Github page, it says "This method of authentication is most useful for humans: operators or developers using Vault directly via the CLI."

I am a little confused here, who can interact with Vault through CLI?
According to my understanding, only the user who can login the machine of Vault server can do that, right? Or Vault can be installed and configured on clients' remote machine as a CLI tool which can interact with remote Vault server? if so, how to configure it?

Thanks!

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/1d8d42ab-7847-4565-98a0-0cc9ca12c29c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

vishal nayak

unread,
Jun 22, 2016, 10:09:11 AM6/22/16
to vault...@googlegroups.com
Hi,

If Vault binary is not running in "server" mode, its CLI can be used to invoke the API calls to Vault's server.
As David said, you can use VAULT_ADDR to specify a server instance of Vault.

"Login to Vault" translates to "getting a Vault token". Usually, login endpoints of Vault does not require a token to be provided. But, the token returned by successfully authenticating with Vault, using any means (github, cert, app-id, etc), can in-turn be used to interact with Vault server. This token (which is stored in ~/.vault_token), represents the capabilities of the client.

Hope this helps!

Regards,
Vishal

To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/CAN3s8zb4xZj4VFJVevzAP5Ld1mMaa5u8vz2eVomhkgS97MB2qA%40mail.gmail.com.

For more options, visit https://groups.google.com/d/optout.



--
vn
Reply all
Reply to author
Forward
0 new messages