bank-vaults CLI

The bank-vaults CLI tool helps automate the setup and management of HashiCorp Vault.

Features:

  • Initializes Vault and stores the root token and unseal keys in one of the following:

    • AWS KMS keyring (backed by S3)
    • Azure Key Vault
    • Google Cloud KMS keyring (backed by GCS)
    • Alibaba Cloud KMS (backed by OSS)
    • Kubernetes Secrets (should be used only for development purposes)
    • Dev Mode (useful for Vault servers running in dev mode, started with vault server -dev)
    • Files (backed by files, should be used only for development purposes)
  • Automatically unseals Vault with these keys

  • In addition to the standard Vault configuration, the operator and CLI can continuously configure Vault using an external YAML/JSON configuration. That way you can configure Vault declaratively using your usual automation tools and workflow.

    • If the configuration is updated, Vault will be reconfigured.
    • The external configuration supports configuring Vault secret engines, plugins, auth methods, policies, and more.

    For details, see External configuration for Vault.

The bank-vaults CLI command needs certain cloud permissions to function properly (init, unseal, configuration).