read command reads data from Vault at the given path (wrapper command for
HTTP GET). You can use the command to read secrets, generate dynamic
credentials, get configuration details, and more.
Read entity details of a given ID:
$ vault read identity/entity/id/2f09126d-d161-abb8-2241-555886491d97
Generate dynamic AWS credentials for a
$ vault read aws/creds/my-role
Assuming that you have K/V version 2 (
kv-v2) secrets engine enabled at
secret/, the following command reads secrets at the
$ vault read secret/data/customers
This is equivalent to:
$ curl --request GET --header "X-Vault-Token: $VAULT_TOKEN" \ $VAULT_ADDR/v1/secret/data/customers
Since K/V secrets engine is a commonly used feature, Vault CLI provides the
kv command. Read secrets from the
path using the
kv CLI command:
$ vault kv get secret/customers
Comparison: All three commands retrieve the same data, but display the
output in a different format. By default,
vault read prints output in
key-value format. The
curl command prints the response in JSON. Since the
kv command is designed to handle operations associated with K/V secrets
engine, it prints the output in more structured format that is easy to read.
The following flags are available in addition to the standard set of flags included on all commands.
(string: "")- Print only the field with the given name. Specifying this option will take precedence over other formatting directives. The result will not have a trailing newline making it ideal for piping to other processes.
(string: "table")- Print the output in the given format. Valid formats are "table", "json", or "yaml". This can also be specified via the
For a full list of examples and paths, please see the documentation that corresponds to the secrets engine in use.