Hashicorp Vault – Reading and Writing Secrets to Vault

This article will describe how to read and write secrets to vault using the vault CLI and CURL. These instructions are assuming you are on either Linux or Mac OSX. Later we will add instructions for windows. That said, most of the Vault CLI commands should work fine on windows as well.

Before you can proceed, you need to be sure you have authenticated against vault. For details on that, you can check out one of our articles about configuring vault authentication. To use the CURL commands you also need to set an environment variable called VAULT_TOKEN and enter your vault authentication token. Or, you can simple replace $VAULT_TOKEN in each of the curl commands with a valid vault authentication token.

At the end of the article we will outline how you can use response wrapping as a way that you can securely share secrets with other members of your team who may not have access to vault.

**Note: curl on OSX does not support PEM certificates for authentication: https://curl.haxx.se/mail/archive-2014-10/0053.html

Saving Secrets

Vault Client:

vault write secret/path password=’mypassword’

create random password without seeing it:

mypass=”$(openssl rand -base64 16)”

echo -n $mypass | vault write secret/test password=-



curl -X POST -H “X-Vault-Token: $VAULT_TOKEN” -d ‘{“key”:”value”}’ https://myvault.mydomain.com:8200/v1/secret/path


curl -X POST -H “X-Vault-Token: $VAULT_TOKEN” -d ‘{“password”:”mypassword”}’ https://myvault.mydomain.com:8200/v1/secret/path

Reading Secrets

After saving secrets to vault, you obviously need to read retrieve them at some point.
vault client:

vault read secret/path


curl -X GET -H “X-Vault-Token: $VAULT_TOKEN” https://myvault.mydomain.com:8200/v1/secret/path


curl -X GET -H “X-Vault-Token: $VAULT_TOKEN” https://myvault.mydomain.com:8200/v1/secret/path


Response Wrapping

Response wrapping is where you take data you extracted out of vault, then save it in the cubby hole. When you save information to the cubby hole you get a one time token that can be used to retrieve the data. This is useful for when you want to send someone a secret, but you don’t want to actually grant them access to something in Vault. An example of how to do this can be seen below.

Information was found here:

The following command will read a secret stored at secret/myapp/admin and store it in the cubby hole. the TTL is how long the token is good for. In this example, the token will be good for 15 minutes. When the TTL expires, the token is invalidated and can no longer be used:
vault read -wrap-ttl=15m secret/myapp/admin
Response will give token, Example: 162fddac-3d86-9a06-06e1-04cba88b6f36

To Retrieve the secret, enter the following:

vault unwrap <Token Number>

vault unwrap 162fddac-3d86-9a06-06e1-04cba88b6f36

Secret stored at secret/myapp/admin will be displayed on the screen. After the secret has been retrived, the token is invalidated and cannot be used again (One time password).