HashiConf More sessions have been added to the conference agenda. Buy your pass and plan your schedule. Register
Vault
Vault Home

hcp connect

Authenticate users or machines to HCP then cache the connection token and address locally.

$ vault hcp connect [options]
$ vault hcp connect [-help | -h]

Description

Use hcp connect to authenticate with explicit credentials or interactive browser login. By default, hcp connect uses interactive authentication that requires users to log into the HashiCorp Cloud Platform with a browser.

Non-interactive login requires a service principal credential that was previously generated through the HCP portal. The service principal must have access to the requested organization, project, and HCP Vault Dedicated cluster.

If authentication succeeds, the Vault CLI saves the returned HCP token and HCP Vault address in the local cache.

Command arguments

None.

Command options

None.

Command flags


-client-id (string : "")

Client ID belonging to a service principal credential generated in the HCP Portal. Required for non-interactive authentication.

Example: -client-id "sp-739987@d79db23f-54f6-41c1-bc48-f870542c0ae1"



-project-id (string : "")

ID of the desired HCP Vault Dedicated cluster. If cluster-id is empty and the user is associated with multiple HCP clusters, the CLI prompts the user to select from a list of available clusters.

Example: -cluster-id "cluster-name"



-organization-id (string : "")

ID of the desired HCP organization. If organization-id is empty and the user is associated with multiple HCP organizations, the CLI prompts the user to select from a list of available organizations.

Example: -organization-id "80wdc133-3eb3-4d57-a244-1rt43b67nui9"



-project-id (string : "")

ID of the desired HCP project. If project-id is empty and the user is associated with more than one HCP project, the CLI prompts the user to select from a list of available projects.

Example: -project-id "d79cs87e-54f6-41w1-bc48-f870542c0av1"



-secret-id (string "")

Secret ID belonging to a service principal credential previously generated in the HCP Portal. Required for non-interactive authentication.

Example: -secret-id "secret-id-value"

Standard flags


[-address | VAULT_ADDR] (string : 'https://127.0.0.1:8200')

Address of the Vault server.

Examples:

  • CLI flag: -address "https://mydomain/vault:8200"
  • Environment variable: export VAULT_ADDR="https://mydomain/vault:8200"


[-agent-address | VAULT_AGENT_ADDR] (string : "")

Address of the Vault Agent, if used.

Examples:

  • CLI flag: -agent-address "https://mydomain/vault-agent:8200"
  • Environment variable: export VAULT_AGENT_ADDR="https://mydomain/vault-agent:8200"


[-ca-cert | VAULT_CACERT] (string : "")

Path to a PEM-encoded CA certificate file on the local disk. Used to verify SSL certificates for the server. Takes precedence over -ca_path.

Examples:

  • CLI flag: -ca-cert "/path/to/certs/mycert.pem"
  • Environment variable: export VAULT_CACERT="/path/to/certs/mycert.pem"


[-ca-path | VAULT_CAPATH] (string : "")

Path to a directory with PEM-encoded CA certificate files on the local disk. Used to verify SSL certificates for the server.

Examples:

  • CLI flag: -ca-path "/path/to/certs/dir"
  • Environment variable: export VAULT_CAPATH="/path/to/certs/dir"


[-client-cert | VAULT_CLIENT_CERT] (string : "")

Path to a PEM-encoded CA certificate file on the local disk. Used for TLS communication with the server. The specified certificate must match to the private key specified with -client-cert.

Examples:

  • CLI flag: -client-cert "/path/to/certs/mycert.pem"
  • Environment variable: export VAULT_CLIENT_CERT="/path/to/certs/mycert.pem"


[-client-key | VAULT_CLIENT_KEY] (string : "")

Path to a PEM-encoded private key that matches the client certificate set with -client-cert.

Examples:

  • CLI flag: -client-key "/path/to/keys/myprivatekey.pem"
  • Environment variable: export VAULT_CLIENT_KEY="/path/to/keys/myprivatekey.pem"


[-disable-redirects | VAULT_DISABLE_REDIRECTS] (bool : false)

Disable the default CLI redirect behavior so the CLI honors the first redirect response from the underlying API instead of following the full HTTP redirect chain.

Examples:

  • CLI flag: -disable-redirects
  • Environment variable: export VAULT_DISABLE_REDIRECTS=1

Warning

Disabling the default redirect behavior may cause commands that redirect requests to primary cluster notes (like vault operator raft snapshot) to misbehave.



-header (string : "")

Optional HTTP header in the form "<key>=<value>" for the CLI request. Repeat the -header flag as needed with one string per flag. User-defined headers cannot start with X-Vault-

Example: -header "Cache-Control=max-age=0"



[-mfa | VAULT_MFA] (string : "") Enterprise

A multi-factor authentication (MFA) credential, in the format mfa_method_name[:key[=value]], that the CLI should use to authenticate to Vault. The CLI adds MFA credentials to the X-Vault-MFA header when calling the underlying API endpoint.

Examples:

  • CLI flag: -mfa "totp:password=12345"
  • Environment variable: export VAULT_MFA="totp:password=12345"

Note

The VAULT_MFA environment variable only accepts one MFA method specification and one credential for the specified method. To supply multiple credentials or MFA methods, use the -mfa CLI flag and repeat the flag as needed.



[-namespace | -ns | VAULT_NAMESPACE] (string : <unset>)

Root namespace for the CLI command. Setting a default namespace allow relative mount paths.

Examples:

  • CLI flag: -namespace "admin"
  • Environment variable: export VAULT_NAMESPACE="admin"


-non-interactive (bool : false)

Prevent the CLI from asking users for input through the terminal.

Example: -non-interactive



-output-curl-string (bool : false)

Print the API call(s) required to execute the CLI command as cURL strings then exit without running the command.

Example: -output-curl-string



-output-policy (bool : false)

Print the Vault policy required to execute the CLI command as HCL then exit without running the command.

Example: -output-policy



-policy-override (bool : false)

Overrides any Sentinel policy where enforcement_level is "soft-mandatory".

Example: -policy-override



[-tls-server-name | VAULT_TLS_SERVER_NAME] (string : "")

Name of the SNI host for TLS handshake resolution for TLS connections to Vault.

Examples:

  • CLI flag: -tls-server-name "hostname.domain"
  • Environment variable: export VAULT_TLS_SERVER_NAME="hostname.domain"


[-tls-skip-verify | VAULT_SKIP_VERIFY] (bool : false)

Disable verification for all TLS certificates. Use with caution. Disabling TLS certificate verification decreases the security of data transmissions to and from the Vault server.

Examples:

  • CLI flag: -tls-skip-verify
  • Environment variable: export VAULT_SKIP_VERIFY=1


-unlock-key (string : <unset>)

Plaintext key that unlocks the underlying API endpoint for a given namespace.

Example: -unlock-key "7oXtdlmvRQ"



[-wrap-ttl | VAULT_WRAP_TTL] (string : "")

Default time-to-live in <number>[s|m|h|d] format for the Cubbyhole token used to wrap CLI responses. You must use vault unwrap to view response data before the duration expires. Leave wrap_ttl unset to leave CLI responses unwrapped.

Examples:

  • CLI flag: -wrap-ttl "5m"
  • Environment variable: export VAULT_WRAP_TTL="5m"

Examples

Connect to HCP interactively:

$ vault hcp connect
The default web browser has been opened at <auth_url>. Please continue the login in the web browser.
Success!
Edit this page on GitHub