vault secrets enable: Mount a Secrets Engine
vault secrets enable mounts a secrets engine at a path, such as KV v2, transit, or PKI.
Before you can write secrets you need an engine mounted. secrets enable is the one-time setup step, often run in a bootstrap pipeline or by Terraform, that creates the mount.
What it does
vault secrets enable mounts a secrets engine of the given type at a path (default path equals the type). For KV, -version=2 selects KV v2 with versioning. Each mount is independent and governed by its own policies.
Common usage
vault secrets enable -version=2 -path=secret kv
vault secrets enable transit
vault secrets enable -path=pki pki
# list what is mounted
vault secrets list -detailedOptions
| Flag | What it does |
|---|---|
| -path=<path> | Mount path (defaults to the engine type) |
| -version=2 | KV: enable KV version 2 (versioned secrets) |
| -description=<text> | Human description for the mount |
| -default-lease-ttl=<dur> | Default lease TTL for the mount |
| -max-lease-ttl=<dur> | Maximum lease TTL for the mount |
Common errors in CI
"path is already in use at 'secret/'" means a mount already exists there; this makes a bootstrap script non-idempotent, so guard it with vault secrets list first or ignore the error. "permission denied" means the token lacks sys/mounts access; mounting needs an admin-level policy. A KV mount created without -version=2 is KV v1 and behaves differently (no versioning, no metadata API).