Skip to content
Latchkey

vault login Command Reference

Authenticate to Vault and obtain a usable token.

vault login authenticates against an auth method and stores the resulting token. In CI you prefer a JWT/OIDC method so the runner trades a short-lived identity token for a scoped Vault token.

What it does

vault login authenticates using a chosen method (token, userpass, approle, jwt, oidc) and caches the returned token for subsequent commands. The jwt method lets a CI runner exchange its OIDC token for a Vault token with no long-lived secret.

Common flags and usage

  • -method=jwt: authenticate with a CI OIDC/JWT token
  • -method=approle: authenticate with a role id and secret id
  • role=NAME jwt=TOKEN: parameters for the jwt method
  • -token-only: print just the token (avoid storing it on disk)
  • -no-store: do not persist the token to the helper
  • requires VAULT_ADDR to point at the Vault server

Example

shell
- name: Vault login via OIDC
  env:
    VAULT_ADDR: https://vault.internal:8200
  run: |
    VAULT_TOKEN=$(vault login -method=jwt -token-only \
      role=ci-deploy jwt="${{ secrets.GITHUB_TOKEN }}")
    echo "::add-mask::${VAULT_TOKEN}"
    echo "VAULT_TOKEN=${VAULT_TOKEN}" >> "$GITHUB_ENV"

In CI

Prefer -method=jwt with the runners OIDC token over committing a static VAULT_TOKEN, so credentials are short-lived and bound to the workflow. Use -token-only with ::add-mask:: to capture and hide the token, then reads like vault kv get use it from the environment.

Key takeaways

  • vault login authenticates and returns a token for later commands.
  • Prefer the jwt/OIDC method so CI never stores a long-lived Vault token.
  • Capture the token with -token-only and mask it before exporting.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →