secrets
The secrets command groups subcommands for interacting with OpenBao's secrets engines. Each secrets engine behaves differently. Please see the documentation for more information.
Some secrets engines persist data, some act as data pass-through, and some generate dynamic credentials. The secrets engine will likely require configuration after it is mounted. For details on the specific configuration options, please see the secrets engine documentation.
Examples
Enable a secrets engine:
$ bao secrets enable database
Success! Enabled the database secrets engine at: database/
List all secrets engines:
$ bao secrets list
Path          Type         Description
----          ----         -----------
cubbyhole/    cubbyhole    per-token private secret storage
database/     database     n/a
secret/       kv           key/value secret storage
sys/          system       system endpoints used for control, policy and debugging
Move a secrets engine to a new path:
$ bao secrets move database/ db-prod/
Success! Moved secrets engine database/ to: db-prod/
Tune a secrets engine:
$ bao secrets tune -max-lease-ttl=30m db-prod/
Success! Tuned the secrets engine at: db-prod/
Disable a secrets engine:
$ bao secrets disable db-prod/
Success! Disabled the secrets engine (if it existed) at: db-prod/
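An added example, not part of the OpenBao documentation: a shell function that parses the table printed by bao secrets list and reports mounts that differ from an expected baseline, which helps spot engines that were enabled, moved or disabled outside change control. The path=type baseline format and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: compare `bao secrets list` table output with a mount baseline.
# The path=type baseline format and the function names are hypothetical.

# Reads the table on stdin; arguments are the expected mounts as path=type.
unexpected_mounts() {
    awk -v expected="$*" '
        BEGIN {
            n = split(expected, pairs, " ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                want[kv[1]] = kv[2]
            }
        }
        # Skip the header row, the dashed rule and blank lines.
        $1 == "Path" || $1 ~ /^-+$/ || NF < 2 { next }
        {
            path = $1; kind = $2
            seen[path] = 1
            if (!(path in want))
                print "UNEXPECTED " path " " kind
            else if (want[path] != kind)
                print "TYPE_CHANGED " path " expected=" want[path] " actual=" kind
        }
        END {
            for (p in want)
                if (!(p in seen)) print "MISSING " p " " want[p]
        }
    ' | sort
}

# Constructed sample: the listing shown above, after `bao secrets enable database`.
sample_listing() {
    cat <<'EOF'
Path          Type         Description
----          ----         -----------
cubbyhole/    cubbyhole    per-token private secret storage
database/     database     n/a
secret/       kv           key/value secret storage
sys/          system       system endpoints used for control, policy and debugging
EOF
}

# Baseline expects the engine at db-prod/, so database/ is reported as drift.
sample_listing | unexpected_mounts \
    cubbyhole/=cubbyhole secret/=kv sys/=system db-prod/=database
# Live use: bao secrets list | unexpected_mounts <path=type>...
```

An empty result means the listing matches the baseline exactly.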
Usage
Usage: bao secrets <subcommand> [options] [args]
# ...
Subcommands:
    disable    Disable a secrets engine
    enable     Enable a secrets engine
    list       List enabled secrets engines
    move       Move a secrets engine to a new path
    tune       Tune a secrets engine configuration
For more information, examples, and usage about a subcommand, click on the name of the subcommand in the sidebar.