This article explains the default behavior of the VAULT_ADDR environment variable and how it behaves when it is set to the Load Balancer in front of the Vault cluster.
This article applies to an environment where there is a Load Balancer in front of a Vault cluster.
If the VAULT_ADDR environment variable is not set, every Vault CLI request will be sent to localhost on port 8200.
Below is the default value for VAULT_ADDR if not specified:
Please be advised that the Vault CLI will interact with the server using TLS if this environment variable is not specified. If the tls_disable parameter is set to true in the Vault configuration, you will get an error similar to the one below:
Error checking seal status: Get "https://127.0.0.1:8200/v1/sys/seal-status": http: server gave HTTP response to HTTPS client
Set VAULT_ADDR to use http instead of https to avoid the above error message.
Environment with Load Balancer
In an environment where there is a Load Balancer in front of a Vault cluster, setting VAULT_ADDR to the IP address/DNS of the Load Balancer can result in different outputs for the same request. For example, if you run vault status from the CLI with VAULT_ADDR set to the IP address/DNS of the Load Balancer, the outputs may vary based on which node received the request from the Load Balancer.
Each request from your Vault CLI to the Load Balancer can be redirected to any Vault node inside your cluster, depending on your Load Balancer configuration.
VAULT_ADDR is intended to be unset unless you are performing Vault functions from another host. If you are performing Vault functions from a different host, we highly recommend setting VAULT_ADDR to the direct IP address/DNS and port of the Vault node instead of the Load Balancer.
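The following added example (not part of the original article) shows one way to check where the CLI will send requests and to run vault status against each node directly, so every output is attributable to one node. The host names in LB_ADDR and NODES are constructed placeholders; replace them with your own addresses.

```shell
#!/bin/sh
# Added example. LB_ADDR and NODES are constructed placeholder addresses.
LB_ADDR="https://vault-lb.example.internal:8200"
NODES="https://vault-0.example.internal:8200 https://vault-1.example.internal:8200"

# Address the CLI will use: VAULT_ADDR if set, otherwise the default
# (the same address that appears in the error message above).
effective_addr() {
  printf '%s\n' "${VAULT_ADDR:-https://127.0.0.1:8200}"
}

# Classify the effective address: default | load-balancer | node | other.
classify_addr() {
  if [ -z "${VAULT_ADDR:-}" ]; then
    echo default
    return 0
  fi
  addr="$(effective_addr)"
  addr="${addr%/}"          # ignore a single trailing slash
  if [ "$addr" = "$LB_ADDR" ]; then
    echo load-balancer
    return 0
  fi
  for n in $NODES; do
    if [ "$addr" = "$n" ]; then
      echo node
      return 0
    fi
  done
  echo other
}

# Run "vault status" against each node directly instead of the Load Balancer.
# vault status exits non-zero for a sealed or unreachable node, so keep looping.
status_each_node() {
  for n in $NODES; do
    echo "== $n"
    VAULT_ADDR="$n" vault status || true
  done
}

echo "Vault CLI target: $(effective_addr) ($(classify_addr))"
```

Call status_each_node from a host that has the vault binary and network access to the nodes; a result of load-balancer from classify_addr means repeated commands may be answered by different nodes.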