vault login Command Reference
Authenticate to Vault and obtain a usable token.
vault login authenticates against an auth method and stores the resulting token. In CI you prefer a JWT/OIDC method so the runner trades a short-lived identity token for a scoped Vault token.
What it does
vault login authenticates using a chosen method (token, userpass, approle, jwt, oidc) and caches the returned token for subsequent commands. The jwt method lets a CI runner exchange its OIDC token for a Vault token with no long-lived secret.
Common flags and usage
- -method=jwt: authenticate with a CI OIDC/JWT token
- -method=approle: authenticate with a role id and secret id
- role=NAME jwt=TOKEN: parameters for the jwt method
- -token-only: print just the token (avoid storing it on disk)
- -no-store: do not persist the token to the helper
- requires VAULT_ADDR to point at the Vault server
Example
- name: Vault login via OIDC
env:
VAULT_ADDR: https://vault.internal:8200
run: |
VAULT_TOKEN=$(vault login -method=jwt -token-only \
role=ci-deploy jwt="${{ secrets.GITHUB_TOKEN }}")
echo "::add-mask::${VAULT_TOKEN}"
echo "VAULT_TOKEN=${VAULT_TOKEN}" >> "$GITHUB_ENV"In CI
Prefer -method=jwt with the runners OIDC token over committing a static VAULT_TOKEN, so credentials are short-lived and bound to the workflow. Use -token-only with ::add-mask:: to capture and hide the token, then reads like vault kv get use it from the environment.
Key takeaways
- vault login authenticates and returns a token for later commands.
- Prefer the jwt/OIDC method so CI never stores a long-lived Vault token.
- Capture the token with -token-only and mask it before exporting.