Vault
hcp connect
Authenticate users or machines to HCP then cache the connection token and address locally.
$ vault hcp connect [options]
$ vault hcp connect [-help | -h]
Description
Use hcp connect
to authenticate with explicit credentials or interactive browser login.
By default, hcp connect
uses interactive authentication that requires
users to log into the HashiCorp Cloud Platform with a browser.
Non-interactive login requires a service principal credential that was previously generated through the HCP portal. The service principal must have access to the requested organization, project, and HCP Vault Dedicated cluster.
If authentication succeeds, the Vault CLI saves the returned HCP token and HCP Vault address in the local cache.
Command arguments
None.
Command options
None.
Command flags
-client-id (string : "")
Client ID belonging to a service principal credential generated in the HCP Portal. Required for non-interactive authentication.
Example: -client-id "sp-739987@d79db23f-54f6-41c1-bc48-f870542c0ae1"
-project-id (string : "")
ID of the desired HCP Vault Dedicated cluster.
If cluster-id
is empty and the user is associated with multiple HCP clusters,
the CLI prompts the user to select from a list of available clusters.
Example: -cluster-id "cluster-name"
-organization-id (string : "")
ID of the desired HCP
organization. If organization-id
is empty and the user is associated with
multiple HCP organizations, the CLI prompts the user to select from a list
of available organizations.
Example: -organization-id "80wdc133-3eb3-4d57-a244-1rt43b67nui9"
-project-id (string : "")
ID of the desired HCP project. If
project-id
is empty and the user is associated with more than one HCP
project, the CLI prompts the user to select from a list of available projects.
Example: -project-id "d79cs87e-54f6-41w1-bc48-f870542c0av1"
-secret-id (string "")
Secret ID belonging to a service principal credential previously generated in the HCP Portal. Required for non-interactive authentication.
Example: -secret-id "secret-id-value"
Standard flags
[-address | VAULT_ADDR] (string : 'https://127.0.0.1:8200')
Address of the Vault server.
Examples:
- CLI flag:
-address "https://mydomain/vault:8200"
- Environment variable:
export VAULT_ADDR="https://mydomain/vault:8200"
[-agent-address | VAULT_AGENT_ADDR] (string : "")
Address of the Vault Agent, if used.
Examples:
- CLI flag:
-agent-address "https://mydomain/vault-agent:8200"
- Environment variable:
export VAULT_AGENT_ADDR="https://mydomain/vault-agent:8200"
[-ca-cert | VAULT_CACERT] (string : "")
Path to a PEM-encoded CA certificate file on the local disk. Used to verify SSL
certificates for the server. Takes precedence over -ca_path
.
Examples:
- CLI flag:
-ca-cert "/path/to/certs/mycert.pem"
- Environment variable:
export VAULT_CACERT="/path/to/certs/mycert.pem"
[-ca-path | VAULT_CAPATH] (string : "")
Path to a directory with PEM-encoded CA certificate files on the local disk. Used to verify SSL certificates for the server.
Examples:
- CLI flag:
-ca-path "/path/to/certs/dir"
- Environment variable:
export VAULT_CAPATH="/path/to/certs/dir"
[-client-cert | VAULT_CLIENT_CERT] (string : "")
Path to a PEM-encoded CA certificate file on the local disk. Used for TLS
communication with the server. The specified certificate must match to the
private key specified with -client-cert
.
Examples:
- CLI flag:
-client-cert "/path/to/certs/mycert.pem"
- Environment variable:
export VAULT_CLIENT_CERT="/path/to/certs/mycert.pem"
[-client-key | VAULT_CLIENT_KEY] (string : "")
Path to a PEM-encoded private key that matches the client certificate set with
-client-cert
.
Examples:
- CLI flag:
-client-key "/path/to/keys/myprivatekey.pem"
- Environment variable:
export VAULT_CLIENT_KEY="/path/to/keys/myprivatekey.pem"
[-disable-redirects | VAULT_DISABLE_REDIRECTS] (bool : false)
Disable the default CLI redirect behavior so the CLI honors the first redirect response from the underlying API instead of following the full HTTP redirect chain.
Examples:
- CLI flag:
-disable-redirects
- Environment variable:
export VAULT_DISABLE_REDIRECTS=1
Warning
Disabling the default redirect behavior may cause commands that redirect
requests to primary cluster notes (like vault operator raft snapshot
) to
misbehave.
-header (string : "")
Optional HTTP header in the form "<key>=<value>"
for the CLI request. Repeat
the -header
flag as needed with one string per flag. User-defined headers
cannot start with X-Vault-
Example: -header "Cache-Control=max-age=0"
[-mfa | VAULT_MFA] (string : "")
Enterprise
A multi-factor authentication (MFA) credential, in the format
mfa_method_name[:key[=value]]
, that the CLI should use to authenticate to
Vault. The CLI adds MFA credentials to the X-Vault-MFA
header when calling the
underlying API endpoint.
Examples:
- CLI flag:
-mfa "totp:password=12345"
- Environment variable:
export VAULT_MFA="totp:password=12345"
Note
The VAULT_MFA
environment variable only accepts one MFA method specification
and one credential for the specified method. To supply multiple credentials or
MFA methods, use the -mfa
CLI flag and repeat the flag as needed.
[-namespace | -ns | VAULT_NAMESPACE] (string : <unset>)
Root namespace for the CLI command. Setting a default namespace allow relative mount paths.
Examples:
- CLI flag:
-namespace "admin"
- Environment variable:
export VAULT_NAMESPACE="admin"
-non-interactive (bool : false)
Prevent the CLI from asking users for input through the terminal.
Example: -non-interactive
-output-curl-string (bool : false)
Print the API call(s) required to execute the CLI command as cURL
strings
then exit without running the command.
Example: -output-curl-string
-output-policy (bool : false)
Print the Vault policy required to execute the CLI command as HCL then exit without running the command.
Example: -output-policy
-policy-override (bool : false)
Overrides any Sentinel policy where enforcement_level
is "soft-mandatory".
Example: -policy-override
[-tls-server-name | VAULT_TLS_SERVER_NAME] (string : "")
Name of the SNI host for TLS handshake resolution for TLS connections to Vault.
Examples:
- CLI flag:
-tls-server-name "hostname.domain"
- Environment variable:
export VAULT_TLS_SERVER_NAME="hostname.domain"
[-tls-skip-verify | VAULT_SKIP_VERIFY] (bool : false)
Disable verification for all TLS certificates. Use with caution. Disabling TLS certificate verification decreases the security of data transmissions to and from the Vault server.
Examples:
- CLI flag:
-tls-skip-verify
- Environment variable:
export VAULT_SKIP_VERIFY=1
-unlock-key (string : <unset>)
Plaintext key that unlocks the underlying API endpoint for a given namespace.
Example: -unlock-key "7oXtdlmvRQ"
[-wrap-ttl | VAULT_WRAP_TTL] (string : "")
Default time-to-live in <number>[s|m|h|d]
format for the Cubbyhole token used
to wrap CLI responses. You must use vault unwrap
to view response data before
the duration expires. Leave wrap_ttl
unset to leave CLI responses unwrapped.
Examples:
- CLI flag:
-wrap-ttl "5m"
- Environment variable:
export VAULT_WRAP_TTL="5m"
Examples
Connect to HCP interactively:
$ vault hcp connect
The default web browser has been opened at <auth_url>. Please continue the login in the web browser.
Success!