Use OpenBao command line interface

Overview

OpenBao provides two command line interfaces (CLI): the OpenBao Web CLI, available inside the web UI, and the local shell tool bao, a wrapper around the HTTP API, which is compatible with the HashiCorp Vault API. The web version supports only a small subset of operations.

The general form of a bao command is:

$ bao <command> [<options>] [<path>] [<args>]

where:

  • <command> — a command from the OpenBao command list.

  • <options> — flags to specify additional parameters.

  • <path> — a secret path that is required for certain operations.

  • <args> — API arguments specific to the operation.

To see the help manual for a command, call it with the -h flag as follows:

$ bao <command> -h

The OpenBao CLI can read certain settings from environment variables so that you do not have to pass them on every command. If a setting is given both as an environment variable and as a flag, the flag wins. The full list of variables the CLI reads is in the OpenBao documentation.

Workflow

  1. Optionally, set the VAULT_ADDR environment variable to the address of the OpenBao server. By default the CLI connects to https://127.0.0.1:8200, which is rarely what you want when the server runs elsewhere. If you skip this step, pass the -address flag on every command instead.

  2. To perform an operation on a server, you must authenticate. The default method is token; if you run bao login without supplying a token, OpenBao prompts for one. Select another method with the -method flag. For example, authenticating with the userpass method looks like this:

    $ bao login -method=userpass username=test_user

    Next, OpenBao prompts for the user's password. On success, the token is cached by the token helper (a file in your home directory by default), so later commands use it automatically; protect that file as you would the token itself. You will receive a response like the following:

    Success! You are now authenticated. The token information displayed below is
    already stored in the token helper. You do NOT need to run "bao login" again.
    Future OpenBao requests will automatically use this token.
    
    Key                    Value
    ---                    -----
    token                  <your_token>
    token_accessor         o5mN3ud1fz1Zmb4EIamcVhve
    token_duration         1h
    token_renewable        true
    token_policies         ["default"]
    identity_policies      []
    policies               ["default"]
    token_meta_username    test_user
  3. Perform an operation. For example, to write some data into the cubbyhole secret engine, you can use a command as follows:

    $ bao write cubbyhole/git-credentials username="student01" password="password"

    If successful, you will receive the following response:

    Success! Data written to: cubbyhole/git-credentials
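The bao CLI is only a front end for the HTTP API, so the three Workflow steps above correspond to a handful of HTTP requests. The following Python is an added example, not OpenBao's own client code: it resolves the server address the way the CLI does (flag over VAULT_ADDR over the built-in default), performs the userpass login, keeps the returned token, and sends the cubbyhole write with that token. The server responses, the hostname bao.example.internal and the token value are constructed so the demo runs offline; the transport can be swapped for the real urllib one against a live server.

```python
"""Added example (not OpenBao's own client code): what the three Workflow
steps do over the HTTP API. Server responses below are constructed."""
import json
import os
import urllib.request

DEFAULT_ADDR = "https://127.0.0.1:8200"  # the CLI's built-in default


def resolve_address(flag_value=None, env=None):
    """Precedence used by the CLI: -address flag > VAULT_ADDR > default."""
    env = os.environ if env is None else env
    return (flag_value or env.get("VAULT_ADDR") or DEFAULT_ADDR).rstrip("/")


def urllib_transport(method, url, headers, body):
    """Real transport: one HTTPS request, returning the decoded JSON body."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


class BaoClient:
    """Minimal stand-in for the bao CLI: login, then authenticated writes."""

    def __init__(self, address, transport=urllib_transport):
        self.address = address
        self.transport = transport
        self.token = None  # the CLI's token helper caches this on disk

    def _request(self, method, api_path, body=None):
        headers = {"Content-Type": "application/json"}
        if self.token:
            # Vault-compatible header name, which OpenBao accepts
            headers["X-Vault-Token"] = self.token
        url = f"{self.address}/v1/{api_path.lstrip('/')}"
        return self.transport(method, url, headers, body)

    def login_userpass(self, username, password):
        # bao login -method=userpass username=<u>  ->  POST auth/userpass/login/<u>
        resp = self._request("POST", f"auth/userpass/login/{username}",
                             {"password": password})
        self.token = resp["auth"]["client_token"]
        return resp["auth"]

    def write(self, path, **pairs):
        # bao write <path> k=v ...  ->  PUT <path> with the pairs as a JSON object
        return self._request("PUT", path, pairs)


def demo():
    """Replays the Workflow against a recording fake server; returns the requests."""
    recorded = []

    def fake_transport(method, url, headers, body):
        recorded.append((method, url, headers, body))
        if "/v1/auth/userpass/login/" in url:
            # constructed login response in the shape the API returns
            return {"auth": {"client_token": "CONSTRUCTED-TOKEN",
                             "policies": ["default"], "lease_duration": 3600,
                             "renewable": True}}
        return {}  # a successful write returns 204 No Content

    address = resolve_address(env={"VAULT_ADDR": "https://bao.example.internal:8200"})
    client = BaoClient(address, transport=fake_transport)
    client.login_userpass("test_user", "not-a-real-password")
    client.write("cubbyhole/git-credentials", username="student01", password="password")
    return recorded


if __name__ == "__main__":
    for method, url, headers, body in demo():
        print(method, url, "token" if "X-Vault-Token" in headers else "no-token", body)
```

Note that the login request itself carries no token header: it is the one unauthenticated call, and everything after it is authorised by the client token it returns, which is exactly what the token helper caches for you.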

Usage examples

Write and read secrets

  1. Enable the kv secrets engine (this mounts KV version 1 at kv/; the commands below assume that version):

    $ bao secrets enable kv
  2. Write a secret into the kv engine with a kv put command:

    $ bao kv put kv/ssh-creds username="student02" password="password"
  3. List all the keys in the kv engine:

    $ bao list kv

    The command yields the following result:

    Keys
    ----
    ssh-creds
  4. Read the ssh-creds secret in the kv engine:

    $ bao read kv/ssh-creds

    The command yields the following result:

    Key         Value
    ---         -----
    password    password
    username    student02
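The kv commands above work as written because `bao secrets enable kv` creates a KV version 1 mount, where `bao kv put`, `bao list` and `bao read` all address the same path. On a KV version 2 mount the API paths change, which is a common source of confusion. The Python below is an added example, not the project's code: it parses the CLI's `key=value` arguments into the JSON body the API expects (including the `key=@file` and `key=-` forms that keep a secret out of shell history) and shows the request each kv operation becomes on a v1 and on a v2 mount. The sample values are constructed, and the KV version is passed in explicitly where the real CLI would look it up on the server.

```python
"""Added example (not the project's code): how `bao kv put/get/list` arguments
become API requests on a KV v1 mount (what `bao secrets enable kv` creates)
versus a KV v2 mount. Sample values are constructed."""
import sys


def parse_kv_args(args, stdin=None, read_file=None):
    """Turn CLI `key=value` arguments into the JSON object the API expects.

    Mirrors the CLI's two indirections for secret values: `key=@file` reads
    the value from a file and `key=-` reads it from stdin, so the secret
    never appears in `ps` output or shell history."""
    if read_file is None:
        def read_file(name):
            with open(name) as fh:
                return fh.read().rstrip("\n")
    body = {}
    for arg in args:
        key, sep, value = arg.partition("=")
        if not sep or not key:
            raise ValueError(f"expected key=value, got {arg!r}")
        if value == "-":
            source = sys.stdin.read() if stdin is None else stdin
            value = source.rstrip("\n")
        elif value.startswith("@"):
            value = read_file(value[1:])
        body[key] = value
    return body


def split_mount(path):
    """'kv/ssh-creds' -> ('kv', 'ssh-creds'); 'kv' -> ('kv', '')."""
    mount, _, secret = path.strip("/").partition("/")
    return mount, secret


def kv_api(op, path, body=None, version=1):
    """Return (method, api_path, json_body) for `bao kv <op> <path>`.

    The real CLI looks the version up via sys/internal/ui/mounts; here it is
    passed in explicitly. v2 nests the secret under "data" and lists under
    "metadata", which is why plain `bao read kv/ssh-creds` works on a v1
    mount but not on a v2 one."""
    mount, secret = split_mount(path)

    def join(*parts):
        return "/".join(p for p in parts if p)

    if version == 1:
        table = {"put": ("PUT", join(mount, secret), body),
                 "get": ("GET", join(mount, secret), None),
                 "list": ("LIST", join(mount, secret), None)}
    elif version == 2:
        table = {"put": ("PUT", join(mount, "data", secret), {"data": body}),
                 "get": ("GET", join(mount, "data", secret), None),
                 "list": ("LIST", join(mount, "metadata", secret), None)}
    else:
        raise ValueError(f"unsupported KV version {version}")
    if op not in table:
        raise ValueError(f"unsupported kv operation {op!r}")
    return table[op]


if __name__ == "__main__":
    # constructed input: the password arrives on stdin instead of the command line
    body = parse_kv_args(["username=student02", "password=-"], stdin="password\n")
    for version in (1, 2):
        print(version, kv_api("put", "kv/ssh-creds", body, version))
        print(version, kv_api("list", "kv", None, version))
```

In practice this means: on the v1 mount from this tutorial `bao read kv/ssh-creds` and `bao kv get kv/ssh-creds` are equivalent, but if the mount had been enabled with `-version=2` you would need `bao kv get` (or `bao read kv/data/ssh-creds`), and the returned data would be wrapped in a "data" object.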

Create a user

  1. Create an ACL policy that controls what a user will be able to do:

    $ vi admin.hcl

    You can paste the following policy, which grants every capability on every path (suitable only for a lab administrator; a real user policy should list just the paths and capabilities that user needs), or write your own:

    path "*" {
      capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    }
  2. Apply the created policy:

    $ bao policy write admin admin.hcl
  3. Create the user. The userpass auth method must already be enabled on the server, and note that a password given on the command line ends up in your shell history (the CLI reads the value from stdin instead when you write password=-):

    $ bao write auth/userpass/users/<username> password=<password> policies=admin

    The command should yield the following output:

    Success! Data written to: auth/userpass/users/<username>
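To see concretely what the policy attached to this user permits, the following Python is an added example, not OpenBao's code: a deliberately simplified model of ACL evaluation (default deny, most specific matching rule wins, `deny` overrides everything). It parses the admin.hcl policy from step 1 and a constructed least-privilege alternative, then answers whether a given capability on a given path would be allowed. The scoped policy, its paths and the request paths are assumptions made for the example; the precedence rules are a simplification of OpenBao's actual algorithm.

```python
"""Added example (not OpenBao's code): a simplified model of ACL policy
evaluation, showing why `path "*"` with every capability is an
unrestricted admin policy and how a scoped policy differs."""
import re

# path "<pattern>" { capabilities = [ ... ] }  (enough of HCL for these examples)
RULE_RE = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)

# the admin.hcl policy from the tutorial
ADMIN_POLICY = '''
path "*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
'''

# constructed least-privilege alternative: read-only on the kv mount, one
# secret explicitly denied, nothing else granted
SCOPED_POLICY = '''
path "kv/*" {
  capabilities = ["read", "list"]
}
path "kv/ssh-creds" {
  capabilities = ["deny"]
}
'''


def parse_policy(hcl):
    """Return {path_pattern: set(capabilities)}."""
    return {path: {c.strip().strip('"') for c in caps.split(",") if c.strip()}
            for path, caps in RULE_RE.findall(hcl)}


def _pattern_re(pattern):
    """Policy path syntax: literal match, `+` matches one segment,
    a trailing `*` matches any suffix."""
    body = re.escape(pattern).replace(r"\+", "[^/]+")
    if body.endswith(r"\*"):
        body = body[:-2] + ".*"
    return re.compile(f"^{body}$")


def allowed(policy, request_path, capability):
    """Default deny; the most specific matching rule decides (an exact path
    beats globs, otherwise the longest pattern), and `deny` wins outright.
    This is a simplification of OpenBao's precedence rules, not the real code."""
    matches = [p for p in policy if _pattern_re(p).match(request_path)]
    if not matches:
        return False
    exact = [p for p in matches if "*" not in p and "+" not in p]
    best = exact[0] if exact else max(matches, key=len)
    caps = policy[best]
    if "deny" in caps:
        return False
    return capability in caps


if __name__ == "__main__":
    admin, scoped = parse_policy(ADMIN_POLICY), parse_policy(SCOPED_POLICY)
    for path, cap in [("auth/userpass/users/bob", "update"),
                      ("kv/git-creds", "read"), ("kv/ssh-creds", "read")]:
        print(f"{path:28} {cap:7} admin={allowed(admin, path, cap)!s:5} "
              f"scoped={allowed(scoped, path, cap)}")
```

With the admin policy every request path matches the single `*` rule, so the user can create further users, rewrite policies and use sudo-protected system endpoints; a compromised token for that user is a compromise of the whole server. The scoped policy lets the same user read the kv mount and nothing else, and it shows how an explicit deny on one secret overrides the broader glob.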