From 742011ca864d10726385b7d86ae7e78fd78a7b7c Mon Sep 17 00:00:00 2001 From: Slawomir Koszewski Date: Tue, 20 Jan 2026 23:45:04 +0100 Subject: [PATCH] Add detailed documentation for identity entities and environment variables --- docs/ENV_VARS.md | 69 ++++++++++++++++++++++++++++++++++++++++++++++++ docs/Identity.md | 33 +++++++++++++++++++++++ docs/README.md | 16 ++++++++++- 3 files changed, 117 insertions(+), 1 deletion(-) create mode 100644 docs/ENV_VARS.md diff --git a/docs/ENV_VARS.md b/docs/ENV_VARS.md new file mode 100644 index 0000000..ced462c --- /dev/null +++ b/docs/ENV_VARS.md 
@@ -0,0 +1,69 @@ +# Environment Variables + +> Note: This list was generated by an AI Agent from a limited code search of the repository and may be incomplete. +> +> For the full code search results, see: https://github.com/hashicorp/vault/search?q=VAULT_&type=code. + +| Environment Variable | Purpose (short) | +|-------------------------------------------|-------------------------------------------------------------------------| +| `VAULT_ADDR` | Client/server address (API target) | +| `VAULT_AGENT_ADDR` | Agent address (deprecated usage/const) | +| `VAULT_ALLOW_PENDING_REMOVAL_MOUNTS` | Allow Pending Removal builtins to be mounted | +| `VAULT_CACERT_BYTES` | CA certificate bytes provided via env | +| `VAULT_CACERT` | CA certificate file for TLS verification | +| `VAULT_CAPATH` | CA path for TLS verification | +| `VAULT_CLI_NO_COLOR` | Toggle colored CLI output | +| `VAULT_CLIENT_CERT` | Client TLS certificate path | +| `VAULT_CLIENT_KEY` | Client TLS key path | +| `VAULT_CLIENT_TIMEOUT` | Client timeout configuration | +| `VAULT_CLUSTER_ADDR` | Cluster address for inter-node comms | +| `VAULT_CLUSTER_INTERFACE` | Interface name used to derive VAULT_CLUSTER_ADDR | +| `VAULT_DETAILED` | Output detailed CLI information | +| `VAULT_DEV_LISTEN_ADDRESS` | Dev-mode listen address (entrypoint default) | +| `VAULT_DEV_ROOT_TOKEN_ID` | Dev-mode root token ID (used by entrypoint) | +| `VAULT_DISABLE_FILE_PERMISSIONS_CHECK` | Disable strict file permission checks (OpenShift/UBI entrypoint) | +| `VAULT_DISABLE_LOCAL_AUTH_MOUNT_ENTITIES` | Disable entities for local auth mounts via env | +| `VAULT_DISABLE_REDIRECTS` | Disable HTTP redirects for client | +| `VAULT_DISABLE_RSA_DRBG` | Disable RSA DRBG path in cryptoutil (feature flag) | +| `VAULT_ENABLE_RATE_LIMIT_AUDIT_LOGGING` | Enable audit logging for rate-limited rejections | +| `VAULT_EXPERIMENTS` | Comma-separated experiments enabled on startup | +| `VAULT_FORMAT` | CLI output format | +| `VAULT_HEADERS` | Additional 
headers for API client | +| `VAULT_HTTP_PROXY` | HTTP proxy configuration for client | +| `VAULT_LDAP_PASSWORD` | LDAP password fallback for CLI LDAP credential provider | +| `VAULT_LICENSE_CI` | CI license helper for tests | +| `VAULT_LICENSE_PATH` | Path to enterprise license file | +| `VAULT_LICENSE` | Provide enterprise license blob | +| `VAULT_LOCAL_CONFIG` | Pass Vault JSON config via env (entrypoint writes to config dir) | +| `VAULT_LOG_FORMAT` | Control logger format (standard/json) | +| `VAULT_LOG_LEVEL` | Logging level for Vault | +| `VAULT_MAX_RETRIES` | Max retries for client operations | +| `VAULT_MESSAGE_TYPE` | Serialization format for forwarded requests (json/json_compress/proto3) | +| `VAULT_MFA` | MFA selection for client | +| `VAULT_MYSQL_PASSWORD` | MySQL password override for physical MySQL backend | +| `VAULT_MYSQL_USERNAME` | MySQL username override for physical MySQL backend | +| `VAULT_NAMESPACE` | Default namespace header for client requests | +| `VAULT_PLUGIN_AUTOMTLS_ENABLED` | Enable plugin AutoMTLS (plugin helper) | +| `VAULT_PLUGIN_METADATA_MODE` | Control plugin metadata bootstrapping mode | +| `VAULT_PLUGIN_TMPDIR` | Folder for Unix sockets for containerized plugins | +| `VAULT_POSTUNSEAL_FUNC_CONCURRENCY` | Concurrency for post-unseal functions (sets worker count) | +| `VAULT_PROXY_ADDR` | Proxy address configuration | +| `VAULT_RAFT_DISABLE_MAP_POPULATE` | Disable MAP_POPULATE behaviour on Linux | +| `VAULT_RAFT_FREELIST_SYNC` | BoltDB freelist sync toggle | +| `VAULT_RAFT_FREELIST_TYPE` | BoltDB freelist type (array/map) | +| `VAULT_RAFT_INITIAL_MMAP_SIZE` | Initial mmap size for Bolt DB | +| `VAULT_RAFT_MAX_BATCH_ENTRIES` | Override Raft max batch entries | +| `VAULT_RAFT_MAX_BATCH_SIZE_BYTES` | Override Raft max batch size bytes | +| `VAULT_RAFT_NODE_ID` | Raft node ID from environment | +| `VAULT_RAFT_PATH` | Raft data path from environment | +| `VAULT_RAFT_RETRY_JOIN_AS_NON_VOTER` | Join Raft as non-voter via env | +| 
`VAULT_RATE_LIMIT` | Configure client-side or server rate limiting | +| `VAULT_REDIRECT_ADDR` | API redirect address (can be set directly) | +| `VAULT_REDIRECT_INTERFACE` | Interface name used to derive VAULT_REDIRECT_ADDR | +| `VAULT_SKIP_LOGGING_LEASE_EXPIRATIONS` | Toggle logging of lease expirations | +| `VAULT_SKIP_VERIFY` | Skip TLS verification (insecure) | +| `VAULT_SRV_LOOKUP` | Enable SRV DNS lookup behavior | +| `VAULT_TLS_SERVER_NAME` | TLS server name for verification | +| `VAULT_TOKEN` | Default Vault token for client auth | +| `VAULT_UNWRAP_TOKEN` | Pass unwrap tokens to plugin (plugin helper) | +| `VAULT_WRAP_TTL` | Default wrap TTL for client operations | diff --git a/docs/Identity.md b/docs/Identity.md index 7162470..8b6daf5 100644 --- a/docs/Identity.md +++ b/docs/Identity.md @@ -105,3 +105,36 @@ vault read auth/userpass/users/username ## Entities and Groups +### Entities + +Docs: [https://developer.hashicorp.com/vault/api-docs/secret/identity/entity](https://developer.hashicorp.com/vault/api-docs/secret/identity/entity) + +List entities by id: + +```bash +vault list identity/entity/id +``` + +or by name: + +```bash +vault list identity/entity/name +``` + +[Read entity details by id](https://developer.hashicorp.com/vault/api-docs/secret/identity/entity#read-entity-by-id) +or [by name](https://developer.hashicorp.com/vault/api-docs/secret/identity/entity#read-entity-by-name): + +```bash +vault read identity/entity/id/ +vault read identity/entity/name/ +``` + +[Create a new entity](https://developer.hashicorp.com/vault/api-docs/secret/identity/entity#create-an-entity): + +```bash +vault write identity/entity name="entity-name" policies="default" metadata=key1=value1 metadata=key2=value2 +``` + +### Entity Aliases + +Docs: [https://developer.hashicorp.com/vault/api-docs/secret/identity/entity-alias](https://developer.hashicorp.com/vault/api-docs/secret/identity/entity-alias) diff --git a/docs/README.md b/docs/README.md index 04d2616..d5751fa 100644 
--- a/docs/README.md +++ b/docs/README.md @@ -22,4 +22,18 @@ curl -s -X LIST -H "X-Vault-Request: true" -H "X-Vault-Token: $VAULT_TOKEN" http because the Vault uses non-standard HTTP method `LIST` for listing resources. ---- \ No newline at end of file +## Environment Variables + +| Environment Variable | Purpose (short) | +|-------------------------------------------|-------------------------------------------------------------------------| +| `VAULT_ADDR` | Client/server address (API target) | +| `VAULT_DETAILED` | Output detailed CLI information | +| `VAULT_FORMAT` | CLI output format | +| `VAULT_LOG_FORMAT` | Control logger format (standard/json) | +| `VAULT_LOG_LEVEL` | Logging level for Vault | +| `VAULT_TOKEN` | Default Vault token for client auth | +| `VAULT_UNWRAP_TOKEN` | Pass unwrap tokens to plugin (plugin helper) | +| `VAULT_WRAP_TTL` | Default wrap TTL for client operations | + +> The list above is a small subset of all available environment variables, that I see most useful. +> The rest can be found in the [ENV_VARS.md](ENV_VARS.md) file.
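Review bot: In the `docs/ENV_VARS.md` hunk, the table mixes variables that only affect the CLI client (`VAULT_ADDR`, `VAULT_TOKEN`, `VAULT_SKIP_VERIFY`), the server process (`VAULT_RAFT_*`, `VAULT_CLUSTER_ADDR`, `VAULT_LOG_LEVEL`) and the container entrypoint (`VAULT_LOCAL_CONFIG`, `VAULT_DEV_ROOT_TOKEN_ID`) without saying which is which, so a reader cannot tell where a given variable is read; add a "Scope" column (client / server / entrypoint / plugin) or group the rows. Since the header note says the list was produced by an AI agent from a limited code search, the rows that carry credentials or weaken TLS deserve a verified one-line caveat: `VAULT_TOKEN`, `VAULT_LDAP_PASSWORD`, `VAULT_MYSQL_PASSWORD`, `VAULT_LICENSE` and `VAULT_DEV_ROOT_TOKEN_ID` place secrets in the process environment (visible to anything that can read `/proc/<pid>/environ` or the shell history), and `VAULT_SKIP_VERIFY` should state that it disables certificate verification entirely and is meant for dev/test only. The description for `VAULT_RATE_LIMIT` ("Configure client-side or server rate limiting") is ambiguous; pick the one that matches where the code reads it.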
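Review bot: In the `docs/Identity.md` hunk, the read commands end in a bare trailing slash with no placeholder, `vault read identity/entity/id/` and `vault read identity/entity/name/`, so a reader does not see that an entity ID or name must be appended; write them as `vault read identity/entity/id/<entity_id>` and `vault read identity/entity/name/<entity_name>` to match the upstream API docs linked just above. The new "Entity Aliases" subsection stops after the docs link with no list/read/create commands, which is inconsistent with the "Entities" subsection it follows; either add the equivalent `vault list identity/entity-alias/id` style commands or mark the section as a stub. For the create example, consider a note that `policies="default"` is just a sample value, since an entity's policies are what its aliases inherit on login.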
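Review bot: In the `docs/README.md` hunk, the eight rows added under "## Environment Variables" duplicate rows that the same patch adds to `docs/ENV_VARS.md`, including identical "Purpose (short)" text, so the two tables will drift the first time one is edited; keep the short list here but drop the purpose column and link each name to `ENV_VARS.md`, or keep only the link sentence. The footnote "that I see most useful" reads awkwardly; "that I find most useful" is the intended phrasing. Since the hunk replaces the trailing `---` separator line (the one flagged "No newline at end of file"), confirm the new file also ends with a newline so the next diff against this file stays clean.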