Skip to content
Latchkey

vault secrets enable: Mount a Secrets Engine

vault secrets enable mounts a secrets engine at a path, such as KV v2, transit, or PKI.

Before you can write secrets you need an engine mounted. secrets enable is the one-time setup step, often run in a bootstrap pipeline or by Terraform, that creates the mount.

What it does

vault secrets enable mounts a secrets engine of the given type at a path (default path equals the type). For KV, -version=2 selects KV v2 with versioning. Each mount is independent and governed by its own policies.

Common usage

Terminal
vault secrets enable -version=2 -path=secret kv
vault secrets enable transit
vault secrets enable -path=pki pki
# list what is mounted
vault secrets list -detailed

Options

FlagWhat it does
-path=<path>Mount path (defaults to the engine type)
-version=2KV: enable KV version 2 (versioned secrets)
-description=<text>Human description for the mount
-default-lease-ttl=<dur>Default lease TTL for the mount
-max-lease-ttl=<dur>Maximum lease TTL for the mount

Common errors in CI

"path is already in use at 'secret/'" means a mount already exists there; this makes a bootstrap script non-idempotent, so guard it with vault secrets list first or ignore the error. "permission denied" means the token lacks sys/mounts access; mounting needs an admin-level policy. A KV mount created without -version=2 is KV v1 and behaves differently (no versioning, no metadata API).

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →