vault/docs/ENV_VARS.md

Environment Variables

Note: This list was generated by an AI Agent from a limited code search of the repository and may be incomplete.

For the full code search results, see: https://github.com/hashicorp/vault/search?q=VAULT_&type=code.

| Environment Variable | Purpose (short) |
| --- | --- |
| `VAULT_ADDR` | Client/server address (API target) |
| `VAULT_AGENT_ADDR` | Agent address (deprecated usage/const) |
| `VAULT_ALLOW_PENDING_REMOVAL_MOUNTS` | Allow Pending Removal builtins to be mounted |
| `VAULT_CACERT_BYTES` | CA certificate bytes provided via env |
| `VAULT_CACERT` | CA certificate file for TLS verification |
| `VAULT_CAPATH` | CA path for TLS verification |
| `VAULT_CLI_NO_COLOR` | Toggle colored CLI output |
| `VAULT_CLIENT_CERT` | Client TLS certificate path |
| `VAULT_CLIENT_KEY` | Client TLS key path |
| `VAULT_CLIENT_TIMEOUT` | Client timeout configuration |
| `VAULT_CLUSTER_ADDR` | Cluster address for inter-node comms |
| `VAULT_CLUSTER_INTERFACE` | Interface name used to derive VAULT_CLUSTER_ADDR |
| `VAULT_DETAILED` | Output detailed CLI information |
| `VAULT_DEV_LISTEN_ADDRESS` | Dev-mode listen address (entrypoint default) |
| `VAULT_DEV_ROOT_TOKEN_ID` | Dev-mode root token ID (used by entrypoint) |
| `VAULT_DISABLE_FILE_PERMISSIONS_CHECK` | Disable strict file permission checks (OpenShift/UBI entrypoint) |
| `VAULT_DISABLE_LOCAL_AUTH_MOUNT_ENTITIES` | Disable entities for local auth mounts via env |
| `VAULT_DISABLE_REDIRECTS` | Disable HTTP redirects for client |
| `VAULT_DISABLE_RSA_DRBG` | Disable RSA DRBG path in cryptoutil (feature flag) |
| `VAULT_ENABLE_RATE_LIMIT_AUDIT_LOGGING` | Enable audit logging for rate-limited rejections |
| `VAULT_EXPERIMENTS` | Comma-separated experiments enabled on startup |
| `VAULT_FORMAT` | CLI output format |
| `VAULT_HEADERS` | Additional headers for API client |
| `VAULT_HTTP_PROXY` | HTTP proxy configuration for client |
| `VAULT_LDAP_PASSWORD` | LDAP password fallback for CLI LDAP credential provider |
| `VAULT_LICENSE_CI` | CI license helper for tests |
| `VAULT_LICENSE_PATH` | Path to enterprise license file |
| `VAULT_LICENSE` | Provide enterprise license blob |
| `VAULT_LOCAL_CONFIG` | Pass Vault JSON config via env (entrypoint writes to config dir) |
| `VAULT_LOG_FORMAT` | Control logger format (standard/json) |
| `VAULT_LOG_LEVEL` | Logging level for Vault |
| `VAULT_MAX_RETRIES` | Max retries for client operations |
| `VAULT_MESSAGE_TYPE` | Serialization format for forwarded requests (json/json_compress/proto3) |
| `VAULT_MFA` | MFA selection for client |
| `VAULT_MYSQL_PASSWORD` | MySQL password override for physical MySQL backend |
| `VAULT_MYSQL_USERNAME` | MySQL username override for physical MySQL backend |
| `VAULT_NAMESPACE` | Default namespace header for client requests |
| `VAULT_PLUGIN_AUTOMTLS_ENABLED` | Enable plugin AutoMTLS (plugin helper) |
| `VAULT_PLUGIN_METADATA_MODE` | Control plugin metadata bootstrapping mode |
| `VAULT_PLUGIN_TMPDIR` | Folder for Unix sockets for containerized plugins |
| `VAULT_POSTUNSEAL_FUNC_CONCURRENCY` | Concurrency for post-unseal functions (sets worker count) |
| `VAULT_PROXY_ADDR` | Proxy address configuration |
| `VAULT_RAFT_DISABLE_MAP_POPULATE` | Disable MAP_POPULATE behaviour on Linux |
| `VAULT_RAFT_FREELIST_SYNC` | BoltDB freelist sync toggle |
| `VAULT_RAFT_FREELIST_TYPE` | BoltDB freelist type (array/map) |
| `VAULT_RAFT_INITIAL_MMAP_SIZE` | Initial mmap size for Bolt DB |
| `VAULT_RAFT_MAX_BATCH_ENTRIES` | Override Raft max batch entries |
| `VAULT_RAFT_MAX_BATCH_SIZE_BYTES` | Override Raft max batch size bytes |
| `VAULT_RAFT_NODE_ID` | Raft node ID from environment |
| `VAULT_RAFT_PATH` | Raft data path from environment |
| `VAULT_RAFT_RETRY_JOIN_AS_NON_VOTER` | Join Raft as non-voter via env |
| `VAULT_RATE_LIMIT` | Configure client-side or server rate limiting |
| `VAULT_REDIRECT_ADDR` | API redirect address (can be set directly) |
| `VAULT_REDIRECT_INTERFACE` | Interface name used to derive VAULT_REDIRECT_ADDR |
| `VAULT_SKIP_LOGGING_LEASE_EXPIRATIONS` | Toggle logging of lease expirations |
| `VAULT_SKIP_VERIFY` | Skip TLS verification (insecure) |
| `VAULT_SRV_LOOKUP` | Enable SRV DNS lookup behavior |
| `VAULT_TLS_SERVER_NAME` | TLS server name for verification |
| `VAULT_TOKEN` | Default Vault token for client auth |
| `VAULT_UNWRAP_TOKEN` | Pass unwrap tokens to plugin (plugin helper) |
| `VAULT_WRAP_TTL` | Default wrap TTL for client operations |