This article explains the default behavior of the VAULT_ADDR environment variable and how it behaves when it is set to the Load Balancer in front of the Vault cluster.
Prerequisites
This article applies to an environment where there is a Load Balancer in front of a Vault cluster.
Introduction
When the VAULT_ADDR environment variable is not set, every Vault CLI request will be sent to the localhost on port 8200.
Below is the default value for VAULT_ADDR if not specified:
VAULT_ADDR='https://127.0.0.1:8200'
Please be advised that Vault CLI will interact with the server using TLS if this environment variable is not specified. If the tls_disable parameter is set to true in the Vault configuration, you will get an error similar to the one below:
Error checking seal status: Get "https://127.0.0.1:8200/v1/sys/seal-status": http: server gave HTTP response to HTTPS client
Override VAULT_ADDR to use http instead of https to avoid the above error message:
export VAULT_ADDR='http://127.0.0.1:8200'
Environment with Load Balancer
In an environment where there is a Load Balancer in front of a Vault cluster, setting VAULT_ADDR to the IP address/DNS of the Load Balancer can result in different outputs for the same request. For example, if you run vault status from the CLI with VAULT_ADDR set to the IP address/DNS of the Load Balancer, the outputs may vary based on which node received the request from the Load Balancer.
Each request from your Vault CLI to the Load Balancer can be redirected to any Vault node inside your cluster, depending on your Load Balancer configuration.
VAULT_ADDR is intended to be unset unless you are performing Vault functions from another host. If you are performing Vault functions from a different host, we highly recommend setting VAULT_ADDR to the direct IP address/DNS and port of the Vault node instead of the Load Balancer.
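A pre-flight check for the behavior described in this article, as an added example (not HashiCorp's code): it reports the address and scheme the CLI will use and whether that address is the local node, a direct node or a Load Balancer. The function names and the VAULT_LB_HOSTS variable are hypothetical, and the host name in the usage comment is constructed.

```shell
#!/bin/sh
# Added example. VAULT_LB_HOSTS is a hypothetical variable (Vault does not
# read it): a space-separated list of your load balancer names/IPs.

# Print the address the Vault CLI will use: VAULT_ADDR, or the documented
# default when the variable is unset or empty.
effective_vault_addr() {
    printf '%s\n' "${VAULT_ADDR:-https://127.0.0.1:8200}"
}

# Print "scheme=<http|https> target=<local-node|direct-node|load-balancer>".
# Returns 1 when the address has no http:// or https:// scheme.
classify_vault_addr() {
    addr=$(effective_vault_addr)
    case $addr in
        https://*) scheme=https ;;   # works only if the listener serves TLS
        http://*)  scheme=http ;;    # needed when tls_disable is true
        *) echo "invalid"; return 1 ;;
    esac
    hostport=${addr#*://}            # strip the scheme
    hostport=${hostport%%/*}         # strip any path
    case $hostport in
        "["*) host=${hostport%%]*}] ;;   # bracketed IPv6 literal
        *)    host=${hostport%%:*} ;;    # name or IPv4, port removed
    esac
    target=direct-node
    case $host in
        127.0.0.1|localhost|"[::1]") target=local-node ;;
    esac
    # Requests sent to a load balancer may be answered by any node.
    for lb in ${VAULT_LB_HOSTS:-}; do
        if [ "$host" = "$lb" ]; then target=load-balancer; fi
    done
    echo "scheme=$scheme target=$target"
}

# Usage (constructed host name):
#   VAULT_LB_HOSTS='vault-lb.example.internal' classify_vault_addr
```

A result of target=load-balancer means repeated commands such as vault status can return different output per request, as described above.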