func (c *MountCommand) Help() string {
helpText := `
Usage: vault mount [options] type
Mount a logical backend.
This command mounts a logical backend for storing and/or generating
secrets.
General Options:
` + meta.GeneralOptionsUsage() + `
Mount Options:
-description=<desc> Human-friendly description of the purpose for
the mount. This shows up in the mounts command.
-path=<path> Mount point for the logical backend. This
defauls to the type of the mount.
-default-lease-ttl=<duration> Default lease time-to-live for this backend.
If not specified, uses the global default, or
the previously set value. Set to '0' to
explicitly set it to use the global default.
-max-lease-ttl=<duration> Max lease time-to-live for this backend.
If not specified, uses the global default, or
the previously set value. Set to '0' to
explicitly set it to use the global default.
`
return strings.TrimSpace(helpText)
}
func (c *AuditEnableCommand) Help() string {
helpText := `
Usage: vault audit-enable [options] type [config...]
Enable an audit backend.
This command enables an audit backend of type "type". Additional
options for configuring the audit backend can be specified after the
type in the same format as the "vault write" command in key/value pairs.
For example, to configure the file audit backend to write audit logs at
the path /var/log/audit.log:
$ vault audit-enable file file_path=/var/log/audit.log
For information on available configuration options, please see the
documentation.
General Options:
` + meta.GeneralOptionsUsage() + `
Audit Enable Options:
-description=<desc> A human-friendly description for the backend. This
shows up only when querying the enabled backends.
-path=<path> Specify a unique path for this audit backend. This
is purely for referencing this audit backend. By
default this will be the backend type.
`
return strings.TrimSpace(helpText)
}
func (c *UnsealCommand) Help() string {
helpText := `
Usage: vault unseal [options] [key]
Unseal the vault by entering a portion of the master key. Once all
portions are entered, the Vault will be unsealed.
Every Vault server initially starts as sealed. It cannot perform any
operation except unsealing until it is sealed. Secrets cannot be accessed
in any way until the vault is unsealed. This command allows you to enter
a portion of the master key to unseal the vault.
The unseal key can be specified via the command line, but this is
not recommended. The key may then live in your terminal history. This
only exists to assist in scripting.
General Options:
` + meta.GeneralOptionsUsage() + `
Unseal Options:
-reset Reset the unsealing process by throwing away
prior keys in process to unseal the vault.
`
return strings.TrimSpace(helpText)
}
func (c *WriteCommand) Help() string {
helpText := `
Usage: vault write [options] path [data]
Write data (secrets or configuration) into Vault.
Write sends data into Vault at the given path. The behavior of the write is
determined by the backend at the given path. For example, writing to
"aws/policy/ops" will create an "ops" IAM policy for the AWS backend
(configuration), but writing to "consul/foo" will write a value directly into
Consul at that key. Check the documentation of the logical backend you're
using for more information on key structure.
Data is sent via additional arguments in "key=value" pairs. If value begins
with an "@", then it is loaded from a file. Write expects data in the file to
be in JSON format. If you want to start the value with a literal "@", then
prefix the "@" with a slash: "\@".
General Options:
` + meta.GeneralOptionsUsage() + `
Write Options:
-f | -force Force the write to continue without any data values
specified. This allows writing to keys that do not
need or expect any fields to be specified.
-format=table The format for output. By default it is a whitespace-
delimited table. This can also be json or yaml.
-field=field If included, the raw value of the specified field
will be output raw to stdout.
`
return strings.TrimSpace(helpText)
}
func (c *MountTuneCommand) Help() string {
helpText := `
Usage: vault mount-tune [options] path
Tune configuration options for a mounted secret backend.
Example: vault mount-tune -default-lease-ttl="24h" secret
General Options:
` + meta.GeneralOptionsUsage() + `
Mount Options:
-default-lease-ttl=<duration> Default lease time-to-live for this backend.
If not specified, uses the system default, or
the previously set value. Set to 'system' to
explicitly set it to use the system default.
-max-lease-ttl=<duration> Max lease time-to-live for this backend.
If not specified, uses the system default, or
the previously set value. Set to 'system' to
explicitly set it to use the system default.
`
return strings.TrimSpace(helpText)
}
func (c *TokenRenewCommand) Help() string {
helpText := `
Usage: vault token-renew [options] [token] [increment]
Renew an auth token, extending the amount of time it can be used. If a token
is given to the command, '/auth/token/renew' will be called with the given
token; otherwise, '/auth/token/renew-self' will be called with the client
token.
This command is similar to "renew", but "renew" is only for leases; this
command is only for tokens.
An optional increment can be given to request a certain number of seconds to
increment the lease. This request is advisory; Vault may not adhere to it at
all. If a token is being passed in on the command line, the increment can as
well; otherwise it must be passed in via the '-increment' flag.
General Options:
` + meta.GeneralOptionsUsage() + `
Token Renew Options:
-increment=3600 The desired increment. If not supplied, Vault will
use the default TTL. If supplied, it may still be
ignored. This can be submitted as an integer number
of seconds or a string duration (e.g. "72h").
-format=table The format for output. By default it is a whitespace-
delimited table. This can also be json or yaml.
`
return strings.TrimSpace(helpText)
}
func (c *RevokeCommand) Help() string {
helpText := `
Usage: vault revoke [options] id
Revoke a secret by its lease ID.
This command revokes a secret by its lease ID that was returned with it. Once
the key is revoked, it is no longer valid.
With the -prefix flag, the revoke is done by prefix: any secret prefixed with
the given partial ID is revoked. Lease IDs are structured in such a way to
make revocation of prefixes useful.
With the -force flag, the lease is removed from Vault even if the revocation
fails. This is meant for certain recovery scenarios and should not be used
lightly. This option requires -prefix.
General Options:
` + meta.GeneralOptionsUsage() + `
Revoke Options:
-prefix=true Revoke all secrets with the matching prefix. This
defaults to false: an exact revocation.
-force=true Delete the lease even if the actual revocation
operation fails.
`
return strings.TrimSpace(helpText)
}
func (c *KeyStatusCommand) Help() string {
helpText := `
Usage: vault key-status [options]
Provides information about the active encryption key. Specifically,
the current key term and the key installation time.
General Options:
` + meta.GeneralOptionsUsage()
return strings.TrimSpace(helpText)
}
func (c *SSHCommand) Help() string {
helpText := `
Usage: vault ssh [options] username@ip
Establishes an SSH connection with the target machine.
This command generates a key and uses it to establish an SSH
connection with the target machine. This operation requires
that SSH backend is mounted and at least one 'role' be registed
with vault at priori.
For setting up SSH backends with one-time-passwords, installation
of agent in target machines is required.
See [https://github.com/hashicorp/vault-ssh-agent]
General Options:
` + meta.GeneralOptionsUsage() + `
SSH Options:
-role Role to be used to create the key.
Each IP is associated with a role. To see the associated
roles with IP, use "lookup" endpoint. If you are certain
that there is only one role associated with the IP, you can
skip mentioning the role. It will be chosen by default. If
there are no roles associated with the IP, register the
CIDR block of that IP using the "roles/" endpoint.
-no-exec Shows the credentials but does not establish connection.
-mount-point Mount point of SSH backend. If the backend is mounted at
'ssh', which is the default as well, this parameter can be
skipped.
-format If no-exec option is enabled, then the credentials will be
printed out and SSH connection will not be established. The
format of the output can be 'json' or 'table'. JSON output
is useful when writing scripts. Default is 'table'.
-strict-host-key-checking This option corresponds to StrictHostKeyChecking of SSH configuration.
If 'sshpass' is employed to enable automated login, then if host key
is not "known" to the client, 'vault ssh' command will fail. Set this
option to "no" to bypass the host key checking. Defaults to "ask".
Can also be specified with VAULT_SSH_STRICT_HOST_KEY_CHECKING environment
variable.
-user-known-hosts-file This option corresponds to UserKnownHostsFile of SSH configuration.
Assigns the file to use for storing the host keys. If this option is
set to "/dev/null" along with "-strict-host-key-checking=no", both
warnings and host key checking can be avoided while establishing the
connection. Defaults to "~/.ssh/known_hosts". Can also be specified
with VAULT_SSH_USER_KNOWN_HOSTS_FILE environment variable.
`
return strings.TrimSpace(helpText)
}
func (c *AuthCommand) Help() string {
helpText := `
Usage: vault auth [options] [auth-information]
Authenticate with Vault with the given token or via any supported
authentication backend.
By default, the -method is assumed to be token. If not supplied via the
command-line, a prompt for input will be shown. If the authentication
information is "-", it will be read from stdin.
The -method option allows alternative authentication methods to be used,
such as userpass, GitHub, or TLS certificates. For these, additional
values as "key=value" pairs may be required. For example, to authenticate
to the userpass auth backend:
$ vault auth -method=userpass username=my-username
Use "-method-help" to get help for a specific method.
If an auth backend is enabled at a different path, the "-method" flag
should still point to the canonical name, and the "-path" flag should be
used. If a GitHub auth backend was mounted as "github-private", one would
authenticate to this backend via:
$ vault auth -method=github -path=github-private
The value of the "-path" flag is supplied to auth providers as the "mount"
option in the payload to specify the mount point.
General Options:
` + meta.GeneralOptionsUsage() + `
Auth Options:
-method=name Outputs help for the authentication method with the given
name for the remote server. If this authentication method
is not available, exit with code 1.
-method-help If set, the help for the selected method will be shown.
-methods List the available auth methods.
-no-verify Do not verify the token after creation; avoids a use count
decrement.
-path The path at which the auth backend is enabled. If an auth
backend is mounted at multiple paths, this option can be
used to authenticate against specific paths.
`
return strings.TrimSpace(helpText)
}
func (c *InitCommand) Help() string {
helpText := `
Usage: vault init [options]
Initialize a new Vault server.
This command connects to a Vault server and initializes it for the
first time. This sets up the initial set of master keys and sets up the
backend data store structure.
This command can't be called on an already-initialized Vault.
General Options:
` + meta.GeneralOptionsUsage() + `
Init Options:
-check Don't actually initialize, just check if Vault is
already initialized. A return code of 0 means Vault
is initialized; a return code of 2 means Vault is not
initialized; a return code of 1 means an error was
encountered.
-key-shares=5 The number of key shares to split the master key
into.
-key-threshold=3 The number of key shares required to reconstruct
the master key.
-stored-shares=0 The number of unseal keys to store. This is not
normally available.
-pgp-keys If provided, must be a comma-separated list of
files on disk containing binary- or base64-format
public PGP keys, or Keybase usernames specified as
"keybase:<username>". The number of given entries
must match 'key-shares'. The output unseal keys will
be encrypted and hex-encoded, in order, with the
given public keys. If you want to use them with the
'vault unseal' command, you will need to hex decode
and decrypt; this will be the plaintext unseal key.
-recovery-shares=5 The number of key shares to split the recovery key
into. This is not normally available.
-recovery-threshold=3 The number of key shares required to reconstruct
the recovery key. This is not normally available.
-recovery-pgp-keys If provided, behaves like "pgp-keys" but for the
recovery key shares. This is not normally available.
`
return strings.TrimSpace(helpText)
}
func (c *PolicyWriteCommand) Help() string {
helpText := `
Usage: vault policy-write [options] name path
Write a policy with the given name from the contents of a file or stdin.
If the path is "-", the policy is read from stdin. Otherwise, it is
loaded from the file at the given path.
General Options:
` + meta.GeneralOptionsUsage()
return strings.TrimSpace(helpText)
}
func (c *StatusCommand) Help() string {
helpText := `
Usage: vault status [options]
Outputs the state of the Vault, sealed or unsealed and if HA is enabled.
This command outputs whether or not the Vault is sealed. The exit
code also reflects the seal status (0 unsealed, 2 sealed, 1 error).
General Options:
` + meta.GeneralOptionsUsage()
return strings.TrimSpace(helpText)
}
func (c *UnmountCommand) Help() string {
helpText := `
Usage: vault unmount [options] path
Unmount a secret backend.
This command unmounts a secret backend. All the secrets created
by this backend will be revoked and its Vault data will be deleted.
General Options:
` + meta.GeneralOptionsUsage()
return strings.TrimSpace(helpText)
}
func (c *PolicyListCommand) Help() string {
helpText := `
Usage: vault policies [options] [name]
List the policies that are available or read a single policy.
This command lists the policies that are written to the Vault server.
If a name of a policy is specified, that policy is outputted.
General Options:
` + meta.GeneralOptionsUsage()
return strings.TrimSpace(helpText)
}
func (c *AuditListCommand) Help() string {
helpText := `
Usage: vault audit-list [options]
List the enabled audit backends.
The output lists the enabled audit backends and the options for those
backends. The options may contain sensitive information, and therefore
only a root Vault user can view this.
General Options:
` + meta.GeneralOptionsUsage()
return strings.TrimSpace(helpText)
}
func (c *RotateCommand) Help() string {
helpText := `
Usage: vault rotate [options]
Rotates the backend encryption key which is used to secure data
written to the storage backend. This is done by installing a new key
which encrypts new data, while old keys are still used to decrypt
secrets written previously. This is an online operation and is not
disruptive.
General Options:
` + meta.GeneralOptionsUsage()
return strings.TrimSpace(helpText)
}
func (c *MountsCommand) Help() string {
helpText := `
Usage: vault mounts [options]
Outputs information about the mounted backends.
This command lists the mounted backends, their mount points, the
configured TTLs, and a human-friendly description of the mount point.
A TTL of 'system' indicates that the system default is being used.
General Options:
` + meta.GeneralOptionsUsage()
return strings.TrimSpace(helpText)
}
func (c *PolicyDeleteCommand) Help() string {
helpText := `
Usage: vault policy-delete [options] name
Delete a policy with the given name.
Once the policy is deleted, all users associated with the policy will
be affected immediately. When a user is associated with a policy that
doesn't exist, it is identical to not being associated with that policy.
General Options:
` + meta.GeneralOptionsUsage()
return strings.TrimSpace(helpText)
}
func (c *AuthCommand) Help() string {
helpText := `
Usage: vault auth [options] [token or config...]
Authenticate with Vault with the given token or via any supported
authentication backend.
If no -method is specified, then the token is expected. If it is not
given on the command-line, it will be asked via user input. If the
token is "-", it will be read from stdin.
By specifying -method, alternate authentication methods can be used
such as OAuth or TLS certificates. For these, additional values for
configuration can be specified with "key=value" pairs just like
"vault write". Specify the "-method-help" flag to get help for a specific
method.
If an auth backend is enabled at a different path, such as enabling
"github" at "github-private", the "method" flag should still be "github".
The flag "-path" should be used to specify the path at which the auth
backend is enabled. For example:
"vault auth -method=github -path=github-private token=<github_token>"
The value of the "path" flag will be supplied to auth providers
as the "mount" option in the payload to specify the mount point.
See the "-method-help" for more info.
General Options:
` + meta.GeneralOptionsUsage() + `
Auth Options:
-method=name Outputs help for the authentication method with the given
name for the remote server. If this authentication method
is not available, exit with code 1.
-method-help If set, the help for the selected method will be shown.
-methods List the available auth methods.
-no-verify Do not verify the token after creation; avoids a use count
decrement.
-path The path at which the auth backend is enabled. If an auth
backend is mounted at multiple paths, this option can be
used to authenticate against specific paths.
`
return strings.TrimSpace(helpText)
}
func (c *AuthDisableCommand) Help() string {
helpText := `
Usage: vault auth-disable [options] path
Disable an already-enabled auth provider.
Once the auth provider is disabled, that path cannot be used anymore
to authenticate. All access tokens generated via the disabled auth provider
will be revoked. This command will block until all tokens are revoked.
If the command is exited early, the tokens will still be revoked.
General Options:
` + meta.GeneralOptionsUsage()
return strings.TrimSpace(helpText)
}
func (c *StepDownCommand) Help() string {
helpText := `
Usage: vault step-down [options]
Force the Vault node to step down from active duty.
This causes the indicated node to give up active status. Note that while the
affected node will have a short delay before attempting to grab the lock
again, if no other node grabs the lock beforehand, it is possible for the
same node to re-grab the lock and become active again.
General Options:
` + meta.GeneralOptionsUsage()
return strings.TrimSpace(helpText)
}
func (c *DeleteCommand) Help() string {
helpText := `
Usage: vault delete [options] path
Delete data (secrets or configuration) from Vault.
Delete sends a delete operation request to the given path. The
behavior of the delete is determined by the backend at the given
path. For example, deleting "aws/policy/ops" will delete the "ops"
policy for the AWS backend. Use "vault help" for more details on
whether delete is supported for a path and what the behavior is.
General Options:
` + meta.GeneralOptionsUsage()
return strings.TrimSpace(helpText)
}
func (c *AuditDisableCommand) Help() string {
helpText := `
Usage: vault audit-disable [options] id
Disable an audit backend.
Once the audit backend is disabled, no more audit logs will be sent to
it. The data associated with the audit backend isn't affected.
The "id" parameter should map to the id used with "audit-enable". If
no specific ID was specified, then it is the name of the backend (the
type of the backend).
General Options:
` + meta.GeneralOptionsUsage()
return strings.TrimSpace(helpText)
}
func (c *CapabilitiesCommand) Help() string {
helpText := `
Usage: vault capabilities [options] [token] path
Fetch the capabilities of a token on a given path.
If a token is provided as an argument, the '/sys/capabilities' endpoint will be invoked
with the given token; otherwise the '/sys/capabilities-self' endpoint will be invoked
with the client token.
If a token does not have any capability on a given path, or if any of the policies
belonging to the token explicitly have ["deny"] capability, or if the argument path
is invalid, this command will respond with a ["deny"].
General Options:
` + meta.GeneralOptionsUsage()
return strings.TrimSpace(helpText)
}
func (c *PathHelpCommand) Help() string {
helpText := `
Usage: vault path-help [options] path
Look up the help for a path.
All endpoints in Vault from system paths, secret paths, and credential
providers provide built-in help. This command looks up and outputs that
help.
The command requires that the Vault be unsealed, because otherwise
the mount points of the backends are unknown.
General Options:
` + meta.GeneralOptionsUsage()
return strings.TrimSpace(helpText)
}
func (c *RemountCommand) Help() string {
helpText := `
Usage: vault remount [options] from to
Remount a mounted secret backend to a new path.
This command remounts a secret backend that is already mounted to
a new path. All the secrets from the old path will be revoked, but
the Vault data associated with the backend will be preserved (such
as configuration data).
Example: vault remount secret/ generic/
General Options:
` + meta.GeneralOptionsUsage()
return strings.TrimSpace(helpText)
}
func (c *TokenRevokeCommand) Help() string {
helpText := `
Usage: vault token-revoke [options] [token|accessor]
Revoke one or more auth tokens.
This command revokes auth tokens. Use the "revoke" command for
revoking secrets.
Depending on the flags used, auth tokens can be revoked in multiple ways
depending on the "-mode" flag:
* Without any value, the token specified and all of its children
will be revoked.
* With the "orphan" value, only the specific token will be revoked.
All of its children will be orphaned.
* With the "path" value, tokens created from the given auth path
prefix will be deleted, along with all their children. In this case
the "token" arg above is actually a "path". This mode does *not*
work with token values or parts of token values.
Token can be revoked using the token accessor. This can be done by
setting the '-accessor' flag. Note that when '-accessor' flag is set,
'-mode' should not be set for 'orphan' or 'path'. This is because,
a token accessor always revokes the token along with it's child tokens.
General Options:
` + meta.GeneralOptionsUsage() + `
Token Options:
-accessor A boolean flag, if set, treats the argument as an accessor of the token.
Note that accessor can also be used for looking up the token properties
via '/auth/token/lookup-accessor/<accessor>' endpoint.
Accessor is used when there is no access to token ID.
-mode=value The type of revocation to do. See the documentation
above for more information.
`
return strings.TrimSpace(helpText)
}
func (c *ListCommand) Help() string {
helpText :=
`
Usage: vault list [options] path
List data from Vault.
Retrieve a listing of available data. The data returned, if any, is backend-
and endpoint-specific.
General Options:
` + meta.GeneralOptionsUsage() + `
Read Options:
-format=table The format for output. By default it is a whitespace-
delimited table. This can also be json or yaml.
`
return strings.TrimSpace(helpText)
}
func (c *AuthCommand) Help() string {
helpText := `
Usage: vault auth [options] [token or config...]
Authenticate with Vault with the given token or via any supported
authentication backend.
If no -method is specified, then the token is expected. If it is not
given on the command-line, it will be asked via user input. If the
token is "-", it will be read from stdin.
By specifying -method, alternate authentication methods can be used
such as OAuth or TLS certificates. For these, additional values for
configuration can be specified with "key=value" pairs just like
"vault write". Specify the "-method-help" flag to get help for a specific
method.
If you've mounted a credential backend to a different path, such
as mounting "github" to "github-private", the "method" flag should
still be "github." Most credential providers support the "mount" option
to specify the mount point. See the "-method-help" for more info.
General Options:
` + meta.GeneralOptionsUsage() + `
Auth Options:
-method=name Outputs help for the authentication method with the given
name for the remote server. If this authentication method
is not available, exit with code 1.
-method-help If set, the help for the selected method will be shown.
-methods List the available auth methods.
-no-verify Do not verify the token after creation; avoids a use count
decrement.
`
return strings.TrimSpace(helpText)
}