Add detailed documentation for identity entities and environment variables

2026-01-20 23:45:04 +01:00
parent b887ade155
commit 742011ca86
3 changed files with 117 additions and 1 deletions

docs/ENV_VARS.md Normal file

@@ -0,0 +1,69 @@
# Environment Variables
> Note: This list was generated by an AI Agent from a limited code search of the repository and may be incomplete.
>
> For the full code search results, see: https://github.com/hashicorp/vault/search?q=VAULT_&type=code.
| Environment Variable | Purpose (short) |
|-------------------------------------------|-------------------------------------------------------------------------|
| `VAULT_ADDR` | Client/server address (API target) |
| `VAULT_AGENT_ADDR` | Agent address (deprecated usage/const) |
| `VAULT_ALLOW_PENDING_REMOVAL_MOUNTS` | Allow Pending Removal builtins to be mounted |
| `VAULT_CACERT_BYTES` | CA certificate bytes provided via env |
| `VAULT_CACERT` | CA certificate file for TLS verification |
| `VAULT_CAPATH` | CA path for TLS verification |
| `VAULT_CLI_NO_COLOR` | Toggle colored CLI output |
| `VAULT_CLIENT_CERT` | Client TLS certificate path |
| `VAULT_CLIENT_KEY` | Client TLS key path |
| `VAULT_CLIENT_TIMEOUT` | Client timeout configuration |
| `VAULT_CLUSTER_ADDR` | Cluster address for inter-node comms |
| `VAULT_CLUSTER_INTERFACE` | Interface name used to derive VAULT_CLUSTER_ADDR |
| `VAULT_DETAILED` | Output detailed CLI information |
| `VAULT_DEV_LISTEN_ADDRESS` | Dev-mode listen address (entrypoint default) |
| `VAULT_DEV_ROOT_TOKEN_ID` | Dev-mode root token ID (used by entrypoint) |
| `VAULT_DISABLE_FILE_PERMISSIONS_CHECK` | Disable strict file permission checks (OpenShift/UBI entrypoint) |
| `VAULT_DISABLE_LOCAL_AUTH_MOUNT_ENTITIES` | Disable entities for local auth mounts via env |
| `VAULT_DISABLE_REDIRECTS` | Disable HTTP redirects for client |
| `VAULT_DISABLE_RSA_DRBG` | Disable RSA DRBG path in cryptoutil (feature flag) |
| `VAULT_ENABLE_RATE_LIMIT_AUDIT_LOGGING` | Enable audit logging for rate-limited rejections |
| `VAULT_EXPERIMENTS` | Comma-separated experiments enabled on startup |
| `VAULT_FORMAT` | CLI output format |
| `VAULT_HEADERS` | Additional headers for API client |
| `VAULT_HTTP_PROXY` | HTTP proxy configuration for client |
| `VAULT_LDAP_PASSWORD` | LDAP password fallback for CLI LDAP credential provider |
| `VAULT_LICENSE_CI` | CI license helper for tests |
| `VAULT_LICENSE_PATH` | Path to enterprise license file |
| `VAULT_LICENSE` | Provide enterprise license blob |
| `VAULT_LOCAL_CONFIG` | Pass Vault JSON config via env (entrypoint writes to config dir) |
| `VAULT_LOG_FORMAT` | Control logger format (standard/json) |
| `VAULT_LOG_LEVEL` | Logging level for Vault |
| `VAULT_MAX_RETRIES` | Max retries for client operations |
| `VAULT_MESSAGE_TYPE` | Serialization format for forwarded requests (json/json_compress/proto3) |
| `VAULT_MFA` | MFA selection for client |
| `VAULT_MYSQL_PASSWORD` | MySQL password override for physical MySQL backend |
| `VAULT_MYSQL_USERNAME` | MySQL username override for physical MySQL backend |
| `VAULT_NAMESPACE` | Default namespace header for client requests |
| `VAULT_PLUGIN_AUTOMTLS_ENABLED` | Enable plugin AutoMTLS (plugin helper) |
| `VAULT_PLUGIN_METADATA_MODE` | Control plugin metadata bootstrapping mode |
| `VAULT_PLUGIN_TMPDIR` | Folder for Unix sockets for containerized plugins |
| `VAULT_POSTUNSEAL_FUNC_CONCURRENCY` | Concurrency for post-unseal functions (sets worker count) |
| `VAULT_PROXY_ADDR` | Proxy address configuration |
| `VAULT_RAFT_DISABLE_MAP_POPULATE` | Disable MAP_POPULATE behaviour on Linux |
| `VAULT_RAFT_FREELIST_SYNC` | BoltDB freelist sync toggle |
| `VAULT_RAFT_FREELIST_TYPE` | BoltDB freelist type (array/map) |
| `VAULT_RAFT_INITIAL_MMAP_SIZE` | Initial mmap size for Bolt DB |
| `VAULT_RAFT_MAX_BATCH_ENTRIES` | Override Raft max batch entries |
| `VAULT_RAFT_MAX_BATCH_SIZE_BYTES` | Override Raft max batch size bytes |
| `VAULT_RAFT_NODE_ID` | Raft node ID from environment |
| `VAULT_RAFT_PATH` | Raft data path from environment |
| `VAULT_RAFT_RETRY_JOIN_AS_NON_VOTER` | Join Raft as non-voter via env |
| `VAULT_RATE_LIMIT` | Configure client-side or server rate limiting |
| `VAULT_REDIRECT_ADDR` | API redirect address (can be set directly) |
| `VAULT_REDIRECT_INTERFACE` | Interface name used to derive VAULT_REDIRECT_ADDR |
| `VAULT_SKIP_LOGGING_LEASE_EXPIRATIONS` | Toggle logging of lease expirations |
| `VAULT_SKIP_VERIFY` | Skip TLS verification (insecure) |
| `VAULT_SRV_LOOKUP` | Enable SRV DNS lookup behavior |
| `VAULT_TLS_SERVER_NAME` | TLS server name for verification |
| `VAULT_TOKEN` | Default Vault token for client auth |
| `VAULT_UNWRAP_TOKEN` | Pass unwrap tokens to plugin (plugin helper) |
| `VAULT_WRAP_TTL` | Default wrap TTL for client operations |
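Review bot: several rows in this table name variables that carry secrets (`VAULT_TOKEN`, `VAULT_DEV_ROOT_TOKEN_ID`, `VAULT_LDAP_PASSWORD`, `VAULT_MYSQL_PASSWORD`, `VAULT_LICENSE`) or weaken a safety check (`VAULT_SKIP_VERIFY`, `VAULT_DISABLE_FILE_PERMISSIONS_CHECK`), yet only `VAULT_SKIP_VERIFY` is flagged; consider a third column or a short note above the table naming the entries that should not be set in shared shell profiles, CI job definitions or container manifests, since anything in the environment is readable by every child process and is routinely captured in logs and crash dumps. Two smaller points: the header row at `| Environment Variable | Purpose (short) |` follows the `>` note with no blank line, so some Markdown renderers pull the table into the quote as a lazy continuation; insert a blank line after the note (and after the `# Environment Variables` heading). And a few purpose cells cannot be verified from this file, e.g. `VAULT_AGENT_ADDR` ("deprecated usage/const") and `VAULT_RATE_LIMIT` ("client-side or server"); given that the note already says the list is AI-generated from a limited search, either tighten those descriptions against the source or mark them as unverified.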


@@ -105,3 +105,36 @@ vault read auth/userpass/users/username
## Entities and Groups
### Entities
Docs: [https://developer.hashicorp.com/vault/api-docs/secret/identity/entity](https://developer.hashicorp.com/vault/api-docs/secret/identity/entity)
List entities by id:
```bash
vault list identity/entity/id
```
or by name:
```bash
vault list identity/entity/name
```
[Read entity details by id](https://developer.hashicorp.com/vault/api-docs/secret/identity/entity#read-entity-by-id)
or [by name](https://developer.hashicorp.com/vault/api-docs/secret/identity/entity#read-entity-by-name):
```bash
vault read identity/entity/id/<entity-id>
vault read identity/entity/name/<entity-name>
```
[Create a new entity](https://developer.hashicorp.com/vault/api-docs/secret/identity/entity#create-an-entity):
```bash
vault write identity/entity name="entity-name" policies="default" metadata=key1=value1 metadata=key2=value2
```
### Entity Aliases
Docs: [https://developer.hashicorp.com/vault/api-docs/secret/identity/entity-alias](https://developer.hashicorp.com/vault/api-docs/secret/identity/entity-alias)
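Review bot: the new `### Entity Aliases` subsection stops at the docs link, while `### Entities` above it documents list, read and create; add the same three commands for aliases so the section is usable on its own, e.g. `vault list identity/entity-alias/id`, `vault read identity/entity-alias/id/<alias-id>` and `vault write identity/entity-alias name=<alias-name> canonical_id=<entity-id> mount_accessor=<accessor>`, with a line saying the accessor comes from `vault auth list`. It is also worth stating next to the create command that an alias binds a login name on an auth mount to an entity, so a mistyped `canonical_id` or `mount_accessor` hands that login the entity's policies; that is the check an operator wants to see before running it.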


@@ -22,4 +22,18 @@ curl -s -X LIST -H "X-Vault-Request: true" -H "X-Vault-Token: $VAULT_TOKEN" http
because the Vault uses non-standard HTTP method `LIST` for listing resources.
---
## Environment Variables
| Environment Variable | Purpose (short) |
|-------------------------------------------|-------------------------------------------------------------------------|
| `VAULT_ADDR` | Client/server address (API target) |
| `VAULT_DETAILED` | Output detailed CLI information |
| `VAULT_FORMAT` | CLI output format |
| `VAULT_LOG_FORMAT` | Control logger format (standard/json) |
| `VAULT_LOG_LEVEL` | Logging level for Vault |
| `VAULT_TOKEN` | Default Vault token for client auth |
| `VAULT_UNWRAP_TOKEN` | Pass unwrap tokens to plugin (plugin helper) |
| `VAULT_WRAP_TTL` | Default wrap TTL for client operations |
> The list above is a small subset of all available environment variables, that I see most useful.
> The rest can be found in the [ENV_VARS.md](ENV_VARS.md) file.
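Review bot: the `---` directly under the line `because the Vault uses non-standard HTTP method \`LIST\` for listing resources.` is parsed as a setext underline, which turns that sentence into a level-2 heading instead of rendering a horizontal rule; put a blank line before `---`. The same spacing applies between the table and the `>` note at the end of the hunk, for readability if nothing else. On content, `VAULT_UNWRAP_TOKEN` is described in the full table as a plugin helper variable and sits oddly in a list of the variables an operator finds most useful; and since `VAULT_TOKEN` is listed here without comment, a one-line pointer that exporting it in a shell profile or CI job leaves the token readable by every process and log in that environment, whereas `vault login` keeps it in the token helper, would fit the "most useful" framing of this subset.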