vault-unsealer run

Launch Vault unsealer

vault-unsealer run [flags]

Options

      --auth.k8s-ca-cert string                           PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API
      --auth.k8s-host string                              Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server
      --auth.k8s-token-reviewer-jwt string                A service account JWT used to access the TokenReview API to validate other JWTs during login. If this flag is not provided, then the value from K8S_TOKEN_REVIEWER_JWT environment variable will be used
      --aws.kms-key-id string                             The ID or ARN of the AWS KMS key to encrypt values
      --aws.ssm-key-prefix string                         The Key Prefix for SSM Parameter store
      --aws.use-secure-string                             Use secure string parameter, for more info https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-about.html#sysman-paramstore-securestring
      --azure.client-cert-password string                 The password of the client certificate for an AAD application
      --azure.client-cert-path string                     The path of a client certificate for an AAD application
      --azure.client-id string                            The ClientID for an AAD application
      --azure.client-secret string                        The ClientSecret for an AAD application
      --azure.cloud string                                The cloud environment identifier (default "AZUREPUBLICCLOUD")
      --azure.secret-prefix string                        Prefix to use in secret name for azure key vault
      --azure.tenant-id string                            The AAD Tenant ID
      --azure.use-managed-identity                        Use managed service identity for the virtual machine
      --azure.vault-base-url string                       Azure key vault url, for example https://myvault.vault.azure.net
      --cluster-name string                               cluster name
      --google.kms-crypto-key string                      The name of the Google Cloud KMS crypto key to use
      --google.kms-key-ring string                        The name of the Google Cloud KMS key ring to use
      --google.kms-location string                        The Google Cloud KMS location to use (e.g. 'global', 'europe-west1')
      --google.kms-project string                         The Google Cloud KMS project to use
      --google.storage-bucket string                      The name of the Google Cloud Storage bucket to store values in
      --google.storage-prefix string                      The prefix to use for values stored in Google Cloud Storage
  -h, --help                                              help for run
      --k8s.secret-name string                            Secret name to use when creating secret containing root token and shared keys
      --key-prefix string                                 root token and unseal key prefix (default "vault")
      --mode string                                       Select the mode to use 'google-cloud-kms-gcs' => Google Cloud Storage with encryption using Google KMS; 'aws-kms-ssm' => AWS SSM parameter store using AWS KMS; 'azure-key-vault' => Azure Key Vault Secret store; 'kubernetes-secret' => Kubernetes secret to store unseal keys
      --overwrite-existing                                overwrite existing unseal keys and root tokens, possibly dangerous!
      --policy-manager.name string                        Name of the policy. A policy and a Vault Kubernetes auth role will be created using this name
      --policy-manager.service-account-name string        Name of the service account
      --policy-manager.service-account-namespace string   Namespace of the service account
      --retry-period duration                             How often to attempt to unseal the vault instance (default 10s)
      --secret-shares int                                 Total count of secret shares that exist (default 5)
      --secret-threshold int                              Minimum required secret shares to unseal (default 3)
      --store-root-token                                  Whether the root token should be stored in the key store (default true)
      --vault.address string                              Specifies the Vault address. Address form: scheme://host:port (default "https://127.0.0.1:8200")
      --vault.ca-cert string                              Specifies the CA cert that will be used to verify a self-signed Vault server certificate
      --vault.insecure-skip-tls-verify                    Skip TLS verification when communicating with the Vault server

Options inherited from parent commands

      --use-kubeapiserver-fqdn-for-aks   if true, uses the kube-apiserver FQDN for AKS clusters to work around https://github.com/Azure/AKS/issues/522 (default true)

SEE ALSO

  • vault-unsealer - Automates initialisation and unsealing of Hashicorp Vault