There are different ways to configure a Vault server depending on the server environment and your intended use case. You can think of Vault server configuration as belonging to one of these three categories, depending on how and where they are used:

- Command line flags are passed to the vault binary as part of the complete command line at runtime, and are limited to defining only a small subset of configuration as detailed in the command options documentation.
- Configuration files are read by the vault process at runtime and when reloaded by sending the process a hangup signal (SIGHUP); they are the most generally useful and most popular way to configure Vault.
- Environment variables are set in the environment for the shell of the user that executes the vault process and can only configure a limited set of options. They are most helpful for special environments like Docker.

This topic dives a bit deeper into these configuration types, and shares some specific examples, which newcomers to Vault configuration should find helpful. If you'd like to learn more about configuring Vault, you are in the right place.

If you have been learning about Vault through the Getting Started collection and started a Vault dev server or you have previous Vault experience, then you might be familiar with one command line flag: -dev. You can always start a dev server by passing the -dev flag to the vault server command line as shown in the following example command for Linux.

CAUTION: When using a dev mode server, and also passing in configuration via environment variables or a file, you can encounter an error condition if you attempt to configure a TCP listener that overlaps with the default dev mode listener.

While there are only a small number of flags, they typically define critical configuration when used. This section details some of the most commonly used flags.

The most common command line flag you will encounter is the -config flag. You can use this flag three different ways to specify the full path to your Vault configuration file or files.

- Use the flag once to name the path to a single specific configuration file.
- Use the flag multiple times to name multiple configuration files, which will be composed at runtime.
- Use the flag to name a directory of configuration files, the contents of which will be composed at runtime.

Here is a Linux example that names one configuration file, /etc/vault/vault-server.hcl.

This file contains all of the actual Vault server configuration. Here is a line-by-line description of each option in the file:

- disable_mlock - By default, Vault will use mlock() to lock its process memory pages, preventing them from being swapped to disk. You should always strive to have it enabled (it is enabled by default) as described in production hardening when operating Vault in production. However, this option is not supported on certain platforms like macOS or Windows, so for this to be the most portable and useful example, it disables mlock().
- ui - By default, the Vault web UI is not enabled; this example enables it.
- listener - Currently only the tcp listener is supported.
  - address - configures the bind address in host+port format, where the host value can be a fully qualified domain name (FQDN) or IP address, and the port represents the Vault API port, which is 8200 by default.
  - tls_disable - TLS is disabled for this simplistic example so that it is readily usable without the need for generating a server certificate and private key. In production, you should always strive to operate Vault with TLS enabled.
- storage - used to specify the storage backend for Vault persisted data. In this case, filesystem storage is specified with file.
  - path - specifies a filesystem path where the vault process can write persisted data for the filesystem storage backend. In this example, the data will be written to /tmp/vault-data.

On a Linux or macOS system, you can write the file out as vault-server.hcl to the present working directory with this command.

Environment variables are a fairly specialized form of configuration useful for certain circumstances as described in this section. Now that you have learned more about command line flags and configuration files, let's take a look at the environment variables you can use to configure Vault servers.

Here are some of the most commonly used environment variables related to configuring a Vault server.
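An added example, not from the original page or from HashiCorp: it writes a configuration file matching this page's line-by-line option description, then flags the two settings the page says should not carry over to production (tls_disable and disable_mlock). The function names and the listener address 127.0.0.1:8200 are assumptions; the page states only that 8200 is the default API port.

```shell
#!/bin/sh
# Added example. Function names are hypothetical, not part of Vault.

# write_example_config DIR: write DIR/vault-server.hcl as the page describes it.
# Assumption: listener address 127.0.0.1:8200 (the page gives only the port).
write_example_config() {
  cat > "$1/vault-server.hcl" <<'EOF'
disable_mlock = true
ui            = true

listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = "true"
}

storage "file" {
  path = "/tmp/vault-data"
}
EOF
}

# setting_enabled FILE KEY: succeeds when KEY is set to true/1 on a line
# that is not a full-line comment (# or //). Block comments are not handled.
setting_enabled() {
  grep -Ev '^[[:space:]]*(#|//)' "$1" |
    grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"?(true|1)\"?([[:space:]]|\$)"
}

# audit_config FILE: print one finding per risky setting; return 1 if any found.
audit_config() {
  rc=0
  if setting_enabled "$1" tls_disable; then
    echo "tls_disable: listener serves the Vault API without TLS"
    rc=1
  fi
  if setting_enabled "$1" disable_mlock; then
    echo "disable_mlock: process memory can be swapped to disk"
    rc=1
  fi
  return "$rc"
}

# Demo: audit the example file in a scratch directory.
demo_dir=$(mktemp -d)
write_example_config "$demo_dir"
audit_config "$demo_dir/vault-server.hcl" || echo "not suitable for production as written"
rm -rf "$demo_dir"
```

A check like this fits in a deployment pipeline as a gate on any vault-server.hcl headed for a production host.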