# Environment Variables

> Note: This list was generated by an AI Agent from a limited code search of the repository and may be incomplete.
>
> For the full code search results, see: https://github.com/hashicorp/vault/search?q=VAULT_&type=code.

| Environment Variable | Purpose (short) |
|-------------------------------------------|-------------------------------------------------------------------------|
| `VAULT_ADDR` | Client/server address (API target) |
| `VAULT_AGENT_ADDR` | Agent address (deprecated usage/const) |
| `VAULT_ALLOW_PENDING_REMOVAL_MOUNTS` | Allow Pending Removal builtins to be mounted |
| `VAULT_CACERT_BYTES` | CA certificate bytes provided via env |
| `VAULT_CACERT` | CA certificate file for TLS verification |
| `VAULT_CAPATH` | CA path for TLS verification |
| `VAULT_CLI_NO_COLOR` | Toggle colored CLI output |
| `VAULT_CLIENT_CERT` | Client TLS certificate path |
| `VAULT_CLIENT_KEY` | Client TLS key path |
| `VAULT_CLIENT_TIMEOUT` | Client timeout configuration |
| `VAULT_CLUSTER_ADDR` | Cluster address for inter-node comms |
| `VAULT_CLUSTER_INTERFACE` | Interface name used to derive VAULT_CLUSTER_ADDR |
| `VAULT_DETAILED` | Output detailed CLI information |
| `VAULT_DEV_LISTEN_ADDRESS` | Dev-mode listen address (entrypoint default) |
| `VAULT_DEV_ROOT_TOKEN_ID` | Dev-mode root token ID (used by entrypoint) |
| `VAULT_DISABLE_FILE_PERMISSIONS_CHECK` | Disable strict file permission checks (OpenShift/UBI entrypoint) |
| `VAULT_DISABLE_LOCAL_AUTH_MOUNT_ENTITIES` | Disable entities for local auth mounts via env |
| `VAULT_DISABLE_REDIRECTS` | Disable HTTP redirects for client |
| `VAULT_DISABLE_RSA_DRBG` | Disable RSA DRBG path in cryptoutil (feature flag) |
| `VAULT_ENABLE_RATE_LIMIT_AUDIT_LOGGING` | Enable audit logging for rate-limited rejections |
| `VAULT_EXPERIMENTS` | Comma-separated experiments enabled on startup |
| `VAULT_FORMAT` | CLI output format |
| `VAULT_HEADERS` | Additional headers for API client |
| `VAULT_HTTP_PROXY` | HTTP proxy configuration for client |
| `VAULT_LDAP_PASSWORD` | LDAP password fallback for CLI LDAP credential provider |
| `VAULT_LICENSE_CI` | CI license helper for tests |
| `VAULT_LICENSE_PATH` | Path to enterprise license file |
| `VAULT_LICENSE` | Provide enterprise license blob |
| `VAULT_LOCAL_CONFIG` | Pass Vault JSON config via env (entrypoint writes to config dir) |
| `VAULT_LOG_FORMAT` | Control logger format (standard/json) |
| `VAULT_LOG_LEVEL` | Logging level for Vault |
| `VAULT_MAX_RETRIES` | Max retries for client operations |
| `VAULT_MESSAGE_TYPE` | Serialization format for forwarded requests (json/json_compress/proto3) |
| `VAULT_MFA` | MFA selection for client |
| `VAULT_MYSQL_PASSWORD` | MySQL password override for physical MySQL backend |
| `VAULT_MYSQL_USERNAME` | MySQL username override for physical MySQL backend |
| `VAULT_NAMESPACE` | Default namespace header for client requests |
| `VAULT_PLUGIN_AUTOMTLS_ENABLED` | Enable plugin AutoMTLS (plugin helper) |
| `VAULT_PLUGIN_METADATA_MODE` | Control plugin metadata bootstrapping mode |
| `VAULT_PLUGIN_TMPDIR` | Folder for Unix sockets for containerized plugins |
| `VAULT_POSTUNSEAL_FUNC_CONCURRENCY` | Concurrency for post-unseal functions (sets worker count) |
| `VAULT_PROXY_ADDR` | Proxy address configuration |
| `VAULT_RAFT_DISABLE_MAP_POPULATE` | Disable MAP_POPULATE behaviour on Linux |
| `VAULT_RAFT_FREELIST_SYNC` | BoltDB freelist sync toggle |
| `VAULT_RAFT_FREELIST_TYPE` | BoltDB freelist type (array/map) |
| `VAULT_RAFT_INITIAL_MMAP_SIZE` | Initial mmap size for Bolt DB |
| `VAULT_RAFT_MAX_BATCH_ENTRIES` | Override Raft max batch entries |
| `VAULT_RAFT_MAX_BATCH_SIZE_BYTES` | Override Raft max batch size bytes |
| `VAULT_RAFT_NODE_ID` | Raft node ID from environment |
| `VAULT_RAFT_PATH` | Raft data path from environment |
| `VAULT_RAFT_RETRY_JOIN_AS_NON_VOTER` | Join Raft as non-voter via env |
| `VAULT_RATE_LIMIT` | Configure client-side or server rate limiting |
| `VAULT_REDIRECT_ADDR` | API redirect address (can be set directly) |
| `VAULT_REDIRECT_INTERFACE` | Interface name used to derive VAULT_REDIRECT_ADDR |
| `VAULT_SKIP_LOGGING_LEASE_EXPIRATIONS` | Toggle logging of lease expirations |
| `VAULT_SKIP_VERIFY` | Skip TLS verification (insecure) |
| `VAULT_SRV_LOOKUP` | Enable SRV DNS lookup behavior |
| `VAULT_TLS_SERVER_NAME` | TLS server name for verification |
| `VAULT_TOKEN` | Default Vault token for client auth |
| `VAULT_UNWRAP_TOKEN` | Pass unwrap tokens to plugin (plugin helper) |
| `VAULT_WRAP_TTL` | Default wrap TTL for client operations |