HashiCorp Vault cheatsheet

Environment

    export VAULT_ADDR='https://vault.example.com:8200'
    export VAULT_TOKEN='hvs....'        # or use vault login
    export VAULT_SKIP_VERIFY=true       # dev only — self-signed TLS

Status, seal, unseal

Command                  Description
vault status             Sealed? HA mode? version
vault operator init      First-time init (once per cluster)
vault operator unseal    Enter unseal key shard (repeat until threshold)
vault operator seal      Seal Vault (emergency / maintenance)
vault login              Authenticate (token or method)

KV secrets (v2)

Command                                                   Description
vault secrets enable -path=secret kv-v2                   Enable KV v2 at secret/
vault kv put secret/myapp password=secret db=user:pass    Write secret
vault kv get secret/myapp                                 Read secret
vault kv list secret/                                     List keys under path
vault kv metadata get secret/myapp                        Versions, created time

Policies and auth

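    # KV v2 policies name secret/data/... for reads; list requests are
    # checked against secret/metadata/...
    vault policy write myapp - <<EOF
    path "secret/data/myapp/*" {
      capabilities = ["read", "list"]
    }
    EOF
    vault auth enable approle
    vault read auth/token/lookup-self
    vault token capabilities secret/data/myapp/config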

Engines and mounts

Command                  Description
vault secrets list       Enabled secret engines
vault auth list          Enabled auth methods
vault read sys/health    Health endpoint (HTTP)
vault audit list         Audit devices

Tokens and leases

Command                                Description
vault token lookup                     Current token metadata
vault token renew                      Extend token TTL
vault lease renew secret/data/myapp    Renew secret lease
vault token revoke TOKEN               Invalidate token

Operator / HA

    vault operator raft list-peers
    vault operator raft snapshot save backup.snap
    vault operator migrate -config=migrate.hcl    # storage migration
    curl -s $VAULT_ADDR/v1/sys/health | jq .

Health HTTP codes

Code    Meaning
200     Initialized, unsealed, active
429     Unsealed but standby (not active node)
472     Disaster recovery replication secondary
501     Not initialized
503     Sealed

Pro tips

  • vault status first — sealed Vault explains most total outages
  • KV v2 read path is secret/data/...; v1 is secret/...
  • Use limited policies — never give apps the root token
  • Enable audit logs before production — essential for forensics
  • Raft snapshot backups need unseal keys (or auto-unseal) to restore
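
The KV v1/v2 path tip and the limited-policy tip above, combined in an added example (not SadServers' or HashiCorp's code): it prints a read-only policy for one app prefix, using the data/ segment for reads and the metadata/ segment for lists on KV v2. The function names kv_policy_path and kv_readonly_policy are hypothetical, and the mount and app name are the ones used on this page.

```bash
# Added example; function names are hypothetical helpers.

# Map a path below a KV mount to the path an ACL policy must name.
#   $1 mount (e.g. secret)          $2 KV version (1|2)
#   $3 operation (read|write|list)  $4 path below the mount
kv_policy_path() {
  local mount="${1%/}" version="$2" op="$3" sub="${4#/}"
  case "$op" in
    read|write|list) ;;
    *) echo "unknown operation: $op" >&2; return 2 ;;
  esac
  case "$version" in
    1) printf '%s/%s\n' "$mount" "$sub" ;;            # v1: no extra segment
    2) if [ "$op" = list ]; then
         printf '%s/metadata/%s\n' "$mount" "$sub"    # v2 list: metadata/
       else
         printf '%s/data/%s\n' "$mount" "$sub"        # v2 read/write: data/
       fi ;;
    *) echo "unknown KV version: $version" >&2; return 2 ;;
  esac
}

# Print a read-only policy for everything under one app prefix.
#   $1 mount  $2 KV version  $3 app prefix (e.g. myapp)
kv_readonly_policy() {
  local mount="$1" version="$2" app="${3%/}"
  local data_path list_path
  data_path=$(kv_policy_path "$mount" "$version" read "$app/*") || return
  list_path=$(kv_policy_path "$mount" "$version" list "$app/*") || return
  if [ "$data_path" = "$list_path" ]; then
    # KV v1: one path serves both operations, so emit a single stanza.
    printf 'path "%s" {\n  capabilities = ["read", "list"]\n}\n' "$data_path"
  else
    printf 'path "%s" {\n  capabilities = ["read"]\n}\n' "$data_path"
    printf 'path "%s" {\n  capabilities = ["list"]\n}\n' "$list_path"
  fi
}

# Constructed sample run; pipe into `vault policy write myapp -` to apply.
kv_readonly_policy secret 2 myapp
```

After writing the policy, vault token capabilities secret/data/myapp/config with an app token shows whether the read grant took effect.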

Practice scenarios

Hands-on HashiCorp Vault scenarios on live Linux VMs: hashicorp vault

Updated: 2026-06-13 16:06 UTC – 2d2950a