HashiConf More sessions have been added to the conference agenda. Buy your pass and plan your schedule. Register
Vault
Vault Home

read

[!IMPORTANT]
Documentation Update: Product documentation, which were located in this repository under /website, are now located in hashicorp/web-unified-docs, colocated with all other product documentation. Contributions to this content should be done in the web-unified-docs repo, and not this one. Changes made to /website content in this repo will not be reflected on the developer.hashicorp.com website.

The read command reads data from Vault at the given path (wrapper command for HTTP GET). You can use the command to read secrets, generate dynamic credentials, get configuration details, and more.

Examples

Read entity details of a given ID:

$ vault read identity/entity/id/2f09126d-d161-abb8-2241-555886491d97

Generate dynamic AWS credentials for a my-role:

$ vault read aws/creds/my-role

API versus CLI

Assuming that you have KV version 2 (kv-v2) secrets engine enabled at secret/, the following command reads secrets at the secret/data/customers API path:

$ vault read secret/data/customers

This is equivalent to:

$ curl --request GET --header "X-Vault-Token: $VAULT_TOKEN" \
    $VAULT_ADDR/v1/secret/data/customers

Since KV secrets engine is a commonly used feature, Vault CLI provides the kv command. Read secrets from the secret/data/customers path using the kv CLI command:

$ vault kv get -mount=secret customers

Comparison: All three commands retrieve the same data, but display the output in a different format. By default, vault read prints output in key-value format. The curl command prints the response in JSON. Since the kv command is designed to handle operations associated with KV secrets engine, it prints the output in more structured format that is easy to read.

Usage

The following flags are available in addition to the standard set of flags included on all commands.

Command options

  • snapshot-id (string: "") - Specifies a loaded snapshot ID to read the data from.

Output options

  • -field (string: "") - Print only the field with the given name, in the format specified in the -format directive. The result will not have a trailing newline making it ideal for piping to other processes.

  • -format (string: "table") - Print the output in the given format. Valid formats are "table", "json", "yaml", or "raw". This can also be specified via the VAULT_FORMAT environment variable.

For a full list of examples and paths, please see the documentation that corresponds to the secrets engine in use.

Edit this page on GitHub