Vault
agent generate-config
Use secrets plugin data to generate a basic configuration file for running Vault Agent in process supervisor mode.
$ vault agent generate-config -type <config_file_type> [options] [<file_path>]
Description
agent generate-config composes configuration details for Vault Agent
based on the configuration type and writes a local configuration file for
running Vault Agent in process supervisor mode. To discover the keys of each
target secret, the command reads the secrets at generation time with the CLI's
current address and token, so that token needs read access to every -path
(and list access for paths that end with a wildcard).
Related API endpoints
- None
Limitations and warnings
Limitations:
- Plugin support limited to KV plugins.
- Configuration type limited to environment variable templates.
Not appropriate for production
  The file created by agent generate-config includes an auto_auth section
configured to use the token_file authentication method.
Token files are convenient for local testing, but are not appropriate for production use: the file holds a plaintext Vault token, and anyone who can read the file can use that token. Replace the method before deploying the generated file. Refer to the full list of Vault Agent auto-auth methods for available production-ready authentication methods.
Arguments
file_path (string : "./agent.hcl")
The path where Vault should save the generated configuration file.
Example: "./agent/custom-config.hcl"
Options
None.
Command Flags
-exec (string : "")
Path to the command for child processes with optional arguments. Relative paths
start from the current working directory when executed. Corresponds to
exec.command in the Vault Agent configuration file.
Example: -exec "./my-app arg1 arg2"
-path (string : "")
Path to one or more KV secrets stores. Paths that end with a wildcard (*)
include all secrets under that path.
Repeat the -path flag as needed to specify the full set of target secrets.
Example: -path secret/kv/agent-keys/*
-type (enum : <required>)
The configuration file entry to create.
| Enum | Description | 
|---|---|
| env-template | Create environment variable templates from JSON keys in KV plugins | 
Example: -type env-template
Global flags
[-address | VAULT_ADDR] (string : "https://127.0.0.1:8200")
Address of the Vault server.
Examples:
- CLI flag: -address "https://mydomain/vault:8200"
- Environment variable: export VAULT_ADDR="https://mydomain/vault:8200"
[-agent-address | VAULT_AGENT_ADDR] (string : "")
Address of the Vault Agent, if used.
Examples:
- CLI flag: -agent-address "https://mydomain/vault-agent:8200"
- Environment variable: export VAULT_AGENT_ADDR="https://mydomain/vault-agent:8200"
[-ca-cert | VAULT_CACERT] (string : "")
Path to a PEM-encoded CA certificate file on the local disk. Used to verify SSL
certificates for the server. Takes precedence over -ca-path.
Examples:
- CLI flag: -ca-cert "/path/to/certs/mycert.pem"
- Environment variable: export VAULT_CACERT="/path/to/certs/mycert.pem"
[-ca-path | VAULT_CAPATH] (string : "")
Path to a directory with PEM-encoded CA certificate files on the local disk. Used to verify SSL certificates for the server.
Examples:
- CLI flag: -ca-path "/path/to/certs/dir"
- Environment variable: export VAULT_CAPATH="/path/to/certs/dir"
[-client-cert | VAULT_CLIENT_CERT] (string : "")
Path to a PEM-encoded client certificate file on the local disk. Used for
mutual TLS communication with the server. The specified certificate must match
the private key specified with -client-key.
Examples:
- CLI flag: -client-cert "/path/to/certs/mycert.pem"
- Environment variable: export VAULT_CLIENT_CERT="/path/to/certs/mycert.pem"
[-client-key | VAULT_CLIENT_KEY] (string : "")
Path to a PEM-encoded private key that matches the client certificate set with
-client-cert.
Examples:
- CLI flag: -client-key "/path/to/keys/myprivatekey.pem"
- Environment variable: export VAULT_CLIENT_KEY="/path/to/keys/myprivatekey.pem"
[-disable-redirects | VAULT_DISABLE_REDIRECTS] (bool : false)
Disable the default CLI redirect behavior so the CLI honors the first redirect response from the underlying API instead of following the full HTTP redirect chain.
Examples:
- CLI flag: -disable-redirects
- Environment variable: export VAULT_DISABLE_REDIRECTS=1
Warning
  Disabling the default redirect behavior may cause commands that redirect
requests to primary cluster nodes (like vault operator raft snapshot) to
misbehave.
-header (string : "")
Optional HTTP header in the form "<key>=<value>" for the CLI request. Repeat
the -header flag as needed with one string per flag. User-defined headers
cannot start with X-Vault-.
Example: -header "Cache-Control=max-age=0"
[-mfa | VAULT_MFA] (string : "") Enterprise
A multi-factor authentication (MFA) credential, in the format
mfa_method_id:passcode, that the CLI should use to authenticate to
Vault. The CLI adds MFA credentials to the X-Vault-MFA header when calling the
underlying API endpoint.
Examples:
- CLI flag: -mfa "d16fd3c2-50de-0b9b-eed3-0301dadeca10:695452"
- Environment variable: export VAULT_MFA="d16fd3c2-50de-0b9b-eed3-0301dadeca10:695452"
Note
  The VAULT_MFA environment variable only accepts one MFA method specification
and one credential for the specified method. To supply multiple credentials or
MFA methods, use the -mfa CLI flag and repeat the flag as needed.
[-namespace | -ns | VAULT_NAMESPACE] (string : <unset>)
Root namespace for the CLI command. Setting a default namespace allows relative mount paths.
Examples:
- CLI flag: -namespace "admin"
- Environment variable: export VAULT_NAMESPACE="admin"
-non-interactive (bool : false)
Prevent the CLI from asking users for input through the terminal.
Example: -non-interactive
-output-curl-string (bool : false)
Print the API call(s) required to execute the CLI command as cURL strings,
then exit without running the command.
Example: -output-curl-string
-output-policy (bool : false)
Print the Vault policy required to execute the CLI command as HCL then exit without running the command.
Example: -output-policy
-policy-override (bool : false)
Overrides any Sentinel policy where enforcement_level is "soft-mandatory".
Example: -policy-override
[-tls-server-name | VAULT_TLS_SERVER_NAME] (string : "")
Name of the SNI host for TLS handshake resolution for TLS connections to Vault.
Examples:
- CLI flag: -tls-server-name "hostname.domain"
- Environment variable: export VAULT_TLS_SERVER_NAME="hostname.domain"
[-tls-skip-verify | VAULT_SKIP_VERIFY] (bool : false)
Disable verification for all TLS certificates. Use with caution. Disabling TLS certificate verification decreases the security of data transmissions to and from the Vault server.
Examples:
- CLI flag: -tls-skip-verify
- Environment variable: export VAULT_SKIP_VERIFY=1
-unlock-key (string : <unset>)
Plaintext key that unlocks the underlying API endpoint for a given namespace.
Example: -unlock-key "7oXtdlmvRQ"
[-wrap-ttl | VAULT_WRAP_TTL] (string : "")
Default time-to-live in <number>[s|m|h|d] format for the Cubbyhole token used
to wrap CLI responses. You must use vault unwrap to view response data before
the duration expires. Leave -wrap-ttl unset to leave CLI responses unwrapped.
Examples:
- CLI flag: -wrap-ttl "5m"
- Environment variable: export VAULT_WRAP_TTL="5m"
Examples
Generate an environment variable template configuration for the secrets stored
under the secret/foo KV path:
$ vault agent generate-config  \
    -type="env-template"       \
    -exec="./my-app arg1 arg2" \
    -path="secret/foo"
Generate an environment variable template configuration for more than one secrets path (the wildcard includes every secret under secret/my-app):
$ vault agent generate-config -type="env-template" \
    -exec="./my-app arg1 arg2" \
    -path="secret/foo" \
    -path="secret/bar" \
    -path="secret/my-app/*"
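For the first example above and the token_file warning earlier on this page, the following is an added illustration (not the page's own captured command output) of a configuration file in the shape that agent generate-config writes, with the token_file auto_auth method replaced by an AppRole method suitable for production. The key names user and password under secret/foo, the file paths, and the Vault address are assumptions; the generated env_template names are derived from the secret path and key, so they will differ for other secrets.

```hcl
# Added illustration, not generated output: the shape of agent.hcl after
# swapping the generated token_file auto_auth for AppRole. Key names under
# secret/foo, file paths and the address are assumptions.

auto_auth {
  # What generate-config emits: a plaintext Vault token read from a file.
  # Acceptable on a developer laptop, not in production, because anyone who
  # can read the file can use the token.
  # method {
  #   type = "token_file"
  #   config {
  #     token_file_path = "/home/dev/.vault-token"
  #   }
  # }

  # Production-style replacement: AppRole, with the secret ID delivered out of
  # band (for example by the deployment system) and deleted once consumed.
  method {
    type = "approle"
    config {
      role_id_file_path                   = "/etc/vault-agent/role_id"
      secret_id_file_path                 = "/etc/vault-agent/secret_id"
      remove_secret_id_file_after_reading = true
    }
  }
}

template_config {
  static_secret_render_interval = "5m"
  exit_on_retry_failure         = true
}

vault {
  # Use TLS to the real server; the generated file points at the address the
  # CLI used when the file was created.
  address = "https://vault.example.internal:8200"
}

# One env_template per JSON key found under secret/foo at generation time
# (KV v2, hence the /data/ segment in the template path).
env_template "FOO_USER" {
  contents             = "{{ with secret \"secret/data/foo\" }}{{ .Data.data.user }}{{ end }}"
  error_on_missing_key = true
}

env_template "FOO_PASSWORD" {
  contents             = "{{ with secret \"secret/data/foo\" }}{{ .Data.data.password }}{{ end }}"
  error_on_missing_key = true
}

# Process supervisor mode: the agent launches the child with FOO_USER and
# FOO_PASSWORD in its environment and restarts it when a secret changes.
exec {
  command                   = ["./my-app", "arg1", "arg2"]
  restart_on_secret_changes = "always"
  restart_stop_signal       = "SIGTERM"
}
```

Run it with vault agent -config=agent.hcl. The AppRole's policy only needs read on secret/data/foo; the broader read and list rights used by the CLI token at generation time should not be carried over to the agent's identity.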