Esempio n. 1
0
func (c *MountCommand) Help() string {
	helpText := `
Usage: vault mount [options] type

  Mount a logical backend.

  This command mounts a logical backend for storing and/or generating
  secrets.

General Options:
` + meta.GeneralOptionsUsage() + `
Mount Options:

  -description=<desc>            Human-friendly description of the purpose for
                                 the mount. This shows up in the mounts command.

  -path=<path>                   Mount point for the logical backend. This
                                 defauls to the type of the mount.

  -default-lease-ttl=<duration>  Default lease time-to-live for this backend.
                                 If not specified, uses the global default, or
                                 the previously set value. Set to '0' to
                                 explicitly set it to use the global default.

  -max-lease-ttl=<duration>      Max lease time-to-live for this backend.
                                 If not specified, uses the global default, or
                                 the previously set value. Set to '0' to
                                 explicitly set it to use the global default.

`
	return strings.TrimSpace(helpText)
}
Esempio n. 2
0
func (c *AuditEnableCommand) Help() string {
	helpText := `
Usage: vault audit-enable [options] type [config...]

  Enable an audit backend.

  This command enables an audit backend of type "type". Additional
  options for configuring the audit backend can be specified after the
  type in the same format as the "vault write" command in key/value pairs.

  For example, to configure the file audit backend to write audit logs at
  the path /var/log/audit.log:

      $ vault audit-enable file file_path=/var/log/audit.log

  For information on available configuration options, please see the
  documentation.

General Options:
` + meta.GeneralOptionsUsage() + `
Audit Enable Options:

  -description=<desc>     A human-friendly description for the backend. This
                          shows up only when querying the enabled backends.

  -path=<path>            Specify a unique path for this audit backend. This
                          is purely for referencing this audit backend. By
                          default this will be the backend type.

`
	return strings.TrimSpace(helpText)
}
Esempio n. 3
0
func (c *UnsealCommand) Help() string {
	helpText := `
Usage: vault unseal [options] [key]

  Unseal the vault by entering a portion of the master key. Once all
  portions are entered, the Vault will be unsealed.

  Every Vault server initially starts as sealed. It cannot perform any
  operation except unsealing until it is sealed. Secrets cannot be accessed
  in any way until the vault is unsealed. This command allows you to enter
  a portion of the master key to unseal the vault.

  The unseal key can be specified via the command line, but this is
  not recommended. The key may then live in your terminal history. This
  only exists to assist in scripting.

General Options:
` + meta.GeneralOptionsUsage() + `
Unseal Options:

  -reset                  Reset the unsealing process by throwing away
                          prior keys in process to unseal the vault.

`
	return strings.TrimSpace(helpText)
}
Esempio n. 4
0
func (c *WriteCommand) Help() string {
	helpText := `
Usage: vault write [options] path [data]

  Write data (secrets or configuration) into Vault.

  Write sends data into Vault at the given path. The behavior of the write is
  determined by the backend at the given path. For example, writing to
  "aws/policy/ops" will create an "ops" IAM policy for the AWS backend
  (configuration), but writing to "consul/foo" will write a value directly into
  Consul at that key. Check the documentation of the logical backend you're
  using for more information on key structure.

  Data is sent via additional arguments in "key=value" pairs. If value begins
  with an "@", then it is loaded from a file. Write expects data in the file to
  be in JSON format. If you want to start the value with a literal "@", then
  prefix the "@" with a slash: "\@".

General Options:
` + meta.GeneralOptionsUsage() + `
Write Options:

  -f | -force             Force the write to continue without any data values
                          specified. This allows writing to keys that do not
                          need or expect any fields to be specified.

  -format=table           The format for output. By default it is a whitespace-
                          delimited table. This can also be json or yaml.

  -field=field            If included, the raw value of the specified field
                          will be output raw to stdout.

`
	return strings.TrimSpace(helpText)
}
Esempio n. 5
0
func (c *MountTuneCommand) Help() string {
	helpText := `
  Usage: vault mount-tune [options] path

  Tune configuration options for a mounted secret backend.

  Example: vault mount-tune -default-lease-ttl="24h" secret

General Options:
` + meta.GeneralOptionsUsage() + `
Mount Options:

  -default-lease-ttl=<duration>  Default lease time-to-live for this backend.
                                 If not specified, uses the system default, or
                                 the previously set value. Set to 'system' to
                                 explicitly set it to use the system default.

  -max-lease-ttl=<duration>      Max lease time-to-live for this backend.
                                 If not specified, uses the system default, or
                                 the previously set value. Set to 'system' to
                                 explicitly set it to use the system default.

`
	return strings.TrimSpace(helpText)
}
Esempio n. 6
0
func (c *TokenRenewCommand) Help() string {
	helpText := `
Usage: vault token-renew [options] [token] [increment]

  Renew an auth token, extending the amount of time it can be used. If a token
  is given to the command, '/auth/token/renew' will be called with the given
  token; otherwise, '/auth/token/renew-self' will be called with the client
  token.

  This command is similar to "renew", but "renew" is only for leases; this
  command is only for tokens.

  An optional increment can be given to request a certain number of seconds to
  increment the lease. This request is advisory; Vault may not adhere to it at
  all. If a token is being passed in on the command line, the increment can as
  well; otherwise it must be passed in via the '-increment' flag.

General Options:
` + meta.GeneralOptionsUsage() + `
Token Renew Options:

  -increment=3600         The desired increment. If not supplied, Vault will
                          use the default TTL. If supplied, it may still be
                          ignored. This can be submitted as an integer number
                          of seconds or a string duration (e.g. "72h").

  -format=table           The format for output. By default it is a whitespace-
                          delimited table. This can also be json or yaml.

`
	return strings.TrimSpace(helpText)
}
Esempio n. 7
0
func (c *RevokeCommand) Help() string {
	helpText := `
Usage: vault revoke [options] id

  Revoke a secret by its lease ID.

  This command revokes a secret by its lease ID that was returned with it. Once
  the key is revoked, it is no longer valid.

  With the -prefix flag, the revoke is done by prefix: any secret prefixed with
  the given partial ID is revoked. Lease IDs are structured in such a way to
  make revocation of prefixes useful.

  With the -force flag, the lease is removed from Vault even if the revocation
  fails. This is meant for certain recovery scenarios and should not be used
  lightly. This option requires -prefix.

General Options:
` + meta.GeneralOptionsUsage() + `
Revoke Options:

  -prefix=true            Revoke all secrets with the matching prefix. This
                          defaults to false: an exact revocation.

  -force=true             Delete the lease even if the actual revocation
                          operation fails.
`
	return strings.TrimSpace(helpText)
}
Esempio n. 8
0
func (c *KeyStatusCommand) Help() string {
	helpText := `
Usage: vault key-status [options]

  Provides information about the active encryption key. Specifically,
  the current key term and the key installation time.

General Options:
` + meta.GeneralOptionsUsage()
	return strings.TrimSpace(helpText)
}
Esempio n. 9
0
func (c *SSHCommand) Help() string {
	helpText := `
Usage: vault ssh [options] username@ip

  Establishes an SSH connection with the target machine.

  This command generates a key and uses it to establish an SSH
  connection with the target machine. This operation requires
  that SSH backend is mounted and at least one 'role' be registed
  with vault at priori.

  For setting up SSH backends with one-time-passwords, installation
  of agent in target machines is required. 
  See [https://github.com/hashicorp/vault-ssh-agent]

General Options:
` + meta.GeneralOptionsUsage() + `
SSH Options:

	-role				Role to be used to create the key.
					Each IP is associated with a role. To see the associated
					roles with IP, use "lookup" endpoint. If you are certain
					that there is only one role associated with the IP, you can
					skip mentioning the role. It will be chosen by default.  If
					there are no roles associated with the IP, register the
					CIDR block of that IP using the "roles/" endpoint.

	-no-exec			Shows the credentials but does not establish connection.

	-mount-point			Mount point of SSH backend. If the backend is mounted at
					'ssh', which is the default as well, this parameter can be
					skipped.

	-format				If no-exec option is enabled, then the credentials will be
					printed out and SSH connection will not be established. The
					format of the output can be 'json' or 'table'. JSON output
					is useful when writing scripts. Default is 'table'.

	-strict-host-key-checking	This option corresponds to StrictHostKeyChecking of SSH configuration.
					If 'sshpass' is employed to enable automated login, then if host key
					is not "known" to the client, 'vault ssh' command will fail. Set this
					option to "no" to bypass the host key checking. Defaults to "ask".
					Can also be specified with VAULT_SSH_STRICT_HOST_KEY_CHECKING environment
					variable.

	-user-known-hosts-file		This option corresponds to UserKnownHostsFile of SSH configuration.
					Assigns the file to use for storing the host keys. If this option is
					set to "/dev/null" along with "-strict-host-key-checking=no", both
					warnings and host key checking can be avoided while establishing the
					connection. Defaults to "~/.ssh/known_hosts". Can also be specified
					with VAULT_SSH_USER_KNOWN_HOSTS_FILE environment variable.
`
	return strings.TrimSpace(helpText)
}
Esempio n. 10
0
func (c *AuthCommand) Help() string {
	helpText := `
Usage: vault auth [options] [auth-information]

  Authenticate with Vault with the given token or via any supported
  authentication backend.

  By default, the -method is assumed to be token. If not supplied via the
  command-line, a prompt for input will be shown. If the authentication
  information is "-", it will be read from stdin.

  The -method option allows alternative authentication methods to be used,
  such as userpass, GitHub, or TLS certificates. For these, additional
  values as "key=value" pairs may be required. For example, to authenticate
  to the userpass auth backend:

      $ vault auth -method=userpass username=my-username

  Use "-method-help" to get help for a specific method.

  If an auth backend is enabled at a different path, the "-method" flag
  should still point to the canonical name, and the "-path" flag should be
  used. If a GitHub auth backend was mounted as "github-private", one would
  authenticate to this backend via:

      $ vault auth -method=github -path=github-private

  The value of the "-path" flag is supplied to auth providers as the "mount"
  option in the payload to specify the mount point.

General Options:

  ` + meta.GeneralOptionsUsage() + `

Auth Options:

  -method=name      Outputs help for the authentication method with the given
                    name for the remote server. If this authentication method
                    is not available, exit with code 1.

  -method-help      If set, the help for the selected method will be shown.

  -methods          List the available auth methods.

  -no-verify        Do not verify the token after creation; avoids a use count
                    decrement.

  -path             The path at which the auth backend is enabled. If an auth
                    backend is mounted at multiple paths, this option can be
                    used to authenticate against specific paths.
`
	return strings.TrimSpace(helpText)
}
Esempio n. 11
0
func (c *InitCommand) Help() string {
	helpText := `
Usage: vault init [options]

  Initialize a new Vault server.

  This command connects to a Vault server and initializes it for the
  first time. This sets up the initial set of master keys and sets up the
  backend data store structure.

  This command can't be called on an already-initialized Vault.

General Options:
` + meta.GeneralOptionsUsage() + `
Init Options:

  -check                    Don't actually initialize, just check if Vault is
                            already initialized. A return code of 0 means Vault
                            is initialized; a return code of 2 means Vault is not
                            initialized; a return code of 1 means an error was
                            encountered.

  -key-shares=5             The number of key shares to split the master key
                            into.

  -key-threshold=3          The number of key shares required to reconstruct
                            the master key.

  -stored-shares=0          The number of unseal keys to store. This is not
                            normally available.

  -pgp-keys                 If provided, must be a comma-separated list of
                            files on disk containing binary- or base64-format
                            public PGP keys, or Keybase usernames specified as
                            "keybase:<username>". The number of given entries
                            must match 'key-shares'. The output unseal keys will
                            be encrypted and hex-encoded, in order, with the
                            given public keys.  If you want to use them with the
                            'vault unseal' command, you will need to hex decode
                            and decrypt; this will be the plaintext unseal key.

  -recovery-shares=5        The number of key shares to split the recovery key
                            into. This is not normally available.

  -recovery-threshold=3     The number of key shares required to reconstruct
                            the recovery key. This is not normally available.

  -recovery-pgp-keys        If provided, behaves like "pgp-keys" but for the
                            recovery key shares. This is not normally available.
`
	return strings.TrimSpace(helpText)
}
Esempio n. 12
0
func (c *PolicyWriteCommand) Help() string {
	helpText := `
Usage: vault policy-write [options] name path

  Write a policy with the given name from the contents of a file or stdin.

  If the path is "-", the policy is read from stdin. Otherwise, it is
  loaded from the file at the given path.

General Options:
` + meta.GeneralOptionsUsage()
	return strings.TrimSpace(helpText)
}
Esempio n. 13
0
func (c *StatusCommand) Help() string {
	helpText := `
Usage: vault status [options]

  Outputs the state of the Vault, sealed or unsealed and if HA is enabled.

  This command outputs whether or not the Vault is sealed. The exit
  code also reflects the seal status (0 unsealed, 2 sealed, 1 error).

General Options:
` + meta.GeneralOptionsUsage()
	return strings.TrimSpace(helpText)
}
Esempio n. 14
0
func (c *UnmountCommand) Help() string {
	helpText := `
Usage: vault unmount [options] path

  Unmount a secret backend.

  This command unmounts a secret backend. All the secrets created
  by this backend will be revoked and its Vault data will be deleted.

General Options:
` + meta.GeneralOptionsUsage()
	return strings.TrimSpace(helpText)
}
Esempio n. 15
0
func (c *PolicyListCommand) Help() string {
	helpText := `
Usage: vault policies [options] [name]

  List the policies that are available or read a single policy.

  This command lists the policies that are written to the Vault server.
  If a name of a policy is specified, that policy is outputted.

General Options:
` + meta.GeneralOptionsUsage()
	return strings.TrimSpace(helpText)
}
Esempio n. 16
0
func (c *AuditListCommand) Help() string {
	helpText := `
Usage: vault audit-list [options]

  List the enabled audit backends.

  The output lists the enabled audit backends and the options for those
  backends. The options may contain sensitive information, and therefore
  only a root Vault user can view this.

General Options:
` + meta.GeneralOptionsUsage()
	return strings.TrimSpace(helpText)
}
Esempio n. 17
0
func (c *RotateCommand) Help() string {
	helpText := `
Usage: vault rotate [options]

  Rotates the backend encryption key which is used to secure data
  written to the storage backend. This is done by installing a new key
  which encrypts new data, while old keys are still used to decrypt
  secrets written previously. This is an online operation and is not
  disruptive.

General Options:
` + meta.GeneralOptionsUsage()
	return strings.TrimSpace(helpText)
}
Esempio n. 18
0
func (c *MountsCommand) Help() string {
	helpText := `
Usage: vault mounts [options]

  Outputs information about the mounted backends.

  This command lists the mounted backends, their mount points, the
  configured TTLs, and a human-friendly description of the mount point.
  A TTL of 'system' indicates that the system default is being used.

General Options:
` + meta.GeneralOptionsUsage()
	return strings.TrimSpace(helpText)
}
Esempio n. 19
0
func (c *PolicyDeleteCommand) Help() string {
	helpText := `
Usage: vault policy-delete [options] name

  Delete a policy with the given name.

  Once the policy is deleted, all users associated with the policy will
  be affected immediately. When a user is associated with a policy that
  doesn't exist, it is identical to not being associated with that policy.

General Options:
` + meta.GeneralOptionsUsage()
	return strings.TrimSpace(helpText)
}
Esempio n. 20
0
func (c *AuthCommand) Help() string {
	helpText := `
Usage: vault auth [options] [token or config...]

  Authenticate with Vault with the given token or via any supported
  authentication backend.

  If no -method is specified, then the token is expected. If it is not
  given on the command-line, it will be asked via user input. If the
  token is "-", it will be read from stdin.

  By specifying -method, alternate authentication methods can be used
  such as OAuth or TLS certificates. For these, additional values for
  configuration can be specified with "key=value" pairs just like
  "vault write". Specify the "-method-help" flag to get help for a specific
  method.

  If an auth backend is enabled at a different path, such as enabling
  "github" at "github-private", the "method" flag should still be "github".
  The flag "-path" should be used to specify the path at which the auth
  backend is enabled. For example:
  "vault auth -method=github -path=github-private token=<github_token>"
  The value of the "path" flag will be supplied to auth providers
  as the "mount" option in the payload to specify the mount point.
  See the "-method-help" for more info.

General Options:

  ` + meta.GeneralOptionsUsage() + `

Auth Options:

  -method=name      Outputs help for the authentication method with the given
                    name for the remote server. If this authentication method
                    is not available, exit with code 1.

  -method-help      If set, the help for the selected method will be shown.

  -methods          List the available auth methods.

  -no-verify        Do not verify the token after creation; avoids a use count
                    decrement.

  -path             The path at which the auth backend is enabled. If an auth
                    backend is mounted at multiple paths, this option can be
                    used to authenticate against specific paths.
`
	return strings.TrimSpace(helpText)
}
Esempio n. 21
0
func (c *AuthDisableCommand) Help() string {
	helpText := `
Usage: vault auth-disable [options] path

  Disable an already-enabled auth provider.

  Once the auth provider is disabled, that path cannot be used anymore
  to authenticate. All access tokens generated via the disabled auth provider
  will be revoked. This command will block until all tokens are revoked.
  If the command is exited early, the tokens will still be revoked.

General Options:
` + meta.GeneralOptionsUsage()
	return strings.TrimSpace(helpText)
}
Esempio n. 22
0
func (c *StepDownCommand) Help() string {
	helpText := `
Usage: vault step-down [options]

  Force the Vault node to step down from active duty.

  This causes the indicated node to give up active status. Note that while the
  affected node will have a short delay before attempting to grab the lock
  again, if no other node grabs the lock beforehand, it is possible for the
  same node to re-grab the lock and become active again.

General Options:
` + meta.GeneralOptionsUsage()
	return strings.TrimSpace(helpText)
}
Esempio n. 23
0
func (c *DeleteCommand) Help() string {
	helpText := `
Usage: vault delete [options] path

  Delete data (secrets or configuration) from Vault.

  Delete sends a delete operation request to the given path. The
  behavior of the delete is determined by the backend at the given
  path. For example, deleting "aws/policy/ops" will delete the "ops"
  policy for the AWS backend. Use "vault help" for more details on
  whether delete is supported for a path and what the behavior is.

General Options:
` + meta.GeneralOptionsUsage()
	return strings.TrimSpace(helpText)
}
Esempio n. 24
0
func (c *AuditDisableCommand) Help() string {
	helpText := `
Usage: vault audit-disable [options] id

  Disable an audit backend.

  Once the audit backend is disabled, no more audit logs will be sent to
  it. The data associated with the audit backend isn't affected.

  The "id" parameter should map to the id used with "audit-enable". If
  no specific ID was specified, then it is the name of the backend (the
  type of the backend).

General Options:
` + meta.GeneralOptionsUsage()
	return strings.TrimSpace(helpText)
}
Esempio n. 25
0
func (c *CapabilitiesCommand) Help() string {
	helpText := `
Usage: vault capabilities [options] [token] path

  Fetch the capabilities of a token on a given path.
  If a token is provided as an argument, the '/sys/capabilities' endpoint will be invoked
  with the given token; otherwise the '/sys/capabilities-self' endpoint will be invoked
  with the client token.

  If a token does not have any capability on a given path, or if any of the policies
  belonging to the token explicitly have ["deny"] capability, or if the argument path
  is invalid, this command will respond with a ["deny"].

General Options:
` + meta.GeneralOptionsUsage()
	return strings.TrimSpace(helpText)
}
Esempio n. 26
0
func (c *PathHelpCommand) Help() string {
	helpText := `
Usage: vault path-help [options] path

  Look up the help for a path.

  All endpoints in Vault from system paths, secret paths, and credential
  providers provide built-in help. This command looks up and outputs that
  help.

  The command requires that the Vault be unsealed, because otherwise
  the mount points of the backends are unknown.

General Options:
` + meta.GeneralOptionsUsage()
	return strings.TrimSpace(helpText)
}
Esempio n. 27
0
func (c *RemountCommand) Help() string {
	helpText := `
Usage: vault remount [options] from to

  Remount a mounted secret backend to a new path.

  This command remounts a secret backend that is already mounted to
  a new path. All the secrets from the old path will be revoked, but
  the Vault data associated with the backend will be preserved (such
  as configuration data).

  Example: vault remount secret/ generic/

General Options:
` + meta.GeneralOptionsUsage()

	return strings.TrimSpace(helpText)
}
Esempio n. 28
0
func (c *TokenRevokeCommand) Help() string {
	helpText := `
Usage: vault token-revoke [options] [token|accessor]

  Revoke one or more auth tokens.

  This command revokes auth tokens. Use the "revoke" command for
  revoking secrets.

  Depending on the flags used, auth tokens can be revoked in multiple ways
  depending on the "-mode" flag:

    * Without any value, the token specified and all of its children
      will be revoked.

    * With the "orphan" value, only the specific token will be revoked.
      All of its children will be orphaned.

    * With the "path" value, tokens created from the given auth path
      prefix will be deleted, along with all their children. In this case
      the "token" arg above is actually a "path". This mode does *not*
      work with token values or parts of token values.

  Token can be revoked using the token accessor. This can be done by
  setting the '-accessor' flag. Note that when '-accessor' flag is set,
  '-mode' should not be set for 'orphan' or 'path'. This is because,
  a token accessor always revokes the token along with it's child tokens.

General Options:
` + meta.GeneralOptionsUsage() + `
Token Options:

  -accessor               A boolean flag, if set, treats the argument as an accessor of the token.
                          Note that accessor can also be used for looking up the token properties
                          via '/auth/token/lookup-accessor/<accessor>' endpoint.
                          Accessor is used when there is no access to token ID.


  -mode=value             The type of revocation to do. See the documentation
                          above for more information.

`
	return strings.TrimSpace(helpText)
}
Esempio n. 29
0
func (c *ListCommand) Help() string {
	helpText :=
		`
Usage: vault list [options] path

  List data from Vault.

  Retrieve a listing of available data. The data returned, if any, is backend-
  and endpoint-specific.

General Options:
` + meta.GeneralOptionsUsage() + `
Read Options:

  -format=table           The format for output. By default it is a whitespace-
                          delimited table. This can also be json or yaml.
`
	return strings.TrimSpace(helpText)
}
Esempio n. 30
0
func (c *AuthCommand) Help() string {
	helpText := `
Usage: vault auth [options] [token or config...]

  Authenticate with Vault with the given token or via any supported
  authentication backend.

  If no -method is specified, then the token is expected. If it is not
  given on the command-line, it will be asked via user input. If the
  token is "-", it will be read from stdin.

  By specifying -method, alternate authentication methods can be used
  such as OAuth or TLS certificates. For these, additional values for
  configuration can be specified with "key=value" pairs just like
  "vault write". Specify the "-method-help" flag to get help for a specific
  method.

  If you've mounted a credential backend to a different path, such
  as mounting "github" to "github-private", the "method" flag should
  still be "github." Most credential providers support the "mount" option
  to specify the mount point. See the "-method-help" for more info.

General Options:

  ` + meta.GeneralOptionsUsage() + `

Auth Options:

  -method=name      Outputs help for the authentication method with the given
                    name for the remote server. If this authentication method
                    is not available, exit with code 1.

  -method-help      If set, the help for the selected method will be shown.

  -methods          List the available auth methods.

  -no-verify        Do not verify the token after creation; avoids a use count
                    decrement.

`
	return strings.TrimSpace(helpText)
}