Vault
plugin register
The plugin register
command registers a new plugin in Vault's plugin catalog.
The plugin's type of "auth", "database", or "secret" must be included.
Note
To register an enterprise plugin, you must register with the extracted
.zip
file, not the binary.
Refer to the Enterprise plugins section
of the plugin management page for Vault compatibility requirements.
Examples
Register a plugin binary:
$ vault plugin register \
-sha256=d3f0a8be02f6c074cf38c9c99d4d04c9c6466249 \
auth my-custom-plugin
Success! Registered plugin: my-custom-plugin
Register an extracted plugin .zip
file:
Before registering Key Management secrets engine v0.16.0+ent for the linux/amd64 system that runs Vault Enterprise,
vault-plugin-secrets-keymgmt_v0.16.0+ent_linux_amd64.zip
needs to be downloaded from
https://releases.hashicorp.com/vault-plugin-secrets-keymgmt and extracted to
<plugin_directory>/vault-plugin-secrets-keymgmt_v0.16.0+ent_linux_amd64/
.
$ vault plugin register
-version=0.16.0+ent \ # version must match the plugin version on the releases page
secret \
vault-plugin-secrets-keymgmt # name must match the plugin name on the releases page
Success! Registered plugin: vault-plugin-secrets-keymgmt
Register a plugin binary with custom args:
$ vault plugin register \
-sha256=d3f0a8be02f6c074cf38c9c99d4d04c9c6466249 \
-args=--with-glibc,--with-curl-bindings \
auth my-custom-plugin
Register an extracted plugin .zip
file with custom args:
$ vault plugin register
-version=0.16.0+ent \ # version must match the plugin version on the releases page
-args=--with-glibc,--with-curl-bindings \
secret \
vault-plugin-secrets-keymgmt # name must match the plugin name on the releases page
Usage
The following flags are available in addition to the standard set of flags included on all commands.
Output options
-format
(string: "table")
- Print the output in the given format. Valid formats are "table", "json", or "yaml". This can also be specified via theVAULT_FORMAT
environment variable.
Command options
sha256
(string: "")
– The SHA256 sum of a plugin binary or the OCI image. You must providesha256
to register a plugin binary, but you must leavesha256
unset to register an extracted.zip
file.-args
([]string: [])
- Argument to pass to the plugin when starting. This flag can be specified multiple times to specify multiple args.-command
(string: "")
- Specifies the command path used to execute the plugin relative to the plugin directory or OCI image directory. You must providecommand
to register a plugin binary. Vault ignorescommand
when you register with an extracted.zip
file as it already knows the associated run command.-env
([]string: [])
- Environment variables to set for the plugin when starting. This flag can be specified multiple times to specify multiple environment variables.-oci_image
(string: "")
- OCI image to run. If specified, setting-command
,-args
, and-env
will update the container's entrypoint, args, and environment variables (append-only) respectively.-runtime
(string: "")
- Vault plugin runtime to use if-oci_image
is specified.-version
(string: "")
- Semantic version of the plugin. Used as the tag when specifying-oci_image
, but any leading 'v' will automatically be trimmed. You can omit version to register a plugin binary, but you must provide an explicit version to register an extracted.zip
file.