The Vault CLI uses the HTTP API to access Vault. All API routes are prefixed with
/v1/... in the URI and it's possible translate CLI to API call by using the CLI parameter: -output-curl-string with each command in the following format:
vault <command> [arg] -output-curl-string <paths,token ... any additional data needed>
Below are some examples for demonstration.
Example 1
vault kv put -output-curl-string kv/cert1 file1=@FILE_NAME1.pfx
translates to:
curl -X PUT -H "X-Vault-Token: ${VAULT_TOKEN}" --data-binary "@FILE_NAME1.pfx" ${VAULT_ADDR}/v1/kv1/cert1
Example 2
vault auth enable -output-curl-string userpass
translates to
curl -X POST -H "X-Vault-Request: true" -H "X-Vault-Token: $(vault print token)" -d '{"type":"userpass","description":"","config":{"options":null,"default_lease_ttl":"0s","max_lease_ttl":"0s","force_no_cache":false},"local":false,"seal_wrap":false,"external_entropy_access":false,"options":null}' http://127.0.0.1:8200/v1/sys/auth/userpass
Example 3
vault token capabilities -output-curl-string s.xxxxxxxxxxxxxxx
translates to:
curl -X POST -H "X-Vault-Request: true" -H "X-Vault-Token: $(vault print token)" -d '{"path":"s.xxxxxxxxxxxxxxx","token":"s.xyzxyzxyzxyzxyzxyz"}' http://127.0.0.1:8200/v1/sys/capabilities-self
Example 4
vault auth list -output-curl-string -detailed -namespace=test
translates to:
curl -H "X-Vault-Namespace: test/" -H "X-Vault-Token: $(vault print token)" -H "X-Vault-Request: true" http://127.0.0.1:8200/v1/sys/auth
Note that these output will not run the command, rather they will only show how the CLI command can be run in API format via CURL.
For more information about Vault HTTP API: https://www.vaultproject.io/api-docs/index