Skip to content
Latchkey

vault status: Check Seal and HA State

vault status reports whether Vault is initialized, sealed, its version, and HA leadership, with an exit code you can gate on.

status is the health probe for scripts: it does not need a token and its exit code tells you the seal state, which makes it ideal for a readiness wait in CI.

What it does

vault status prints the seal state, initialization flag, storage type, cluster info, and version. Its exit code encodes the seal state: 0 means unsealed, 2 means sealed, and 1 means an error such as not being able to reach the server.

Common usage

Terminal
vault status
vault status -format=json | jq '.sealed, .version'
# wait for Vault to be unsealed in a bootstrap script
until vault status >/dev/null 2>&1; do sleep 2; done

Options

ItemWhat it does
exit 0Vault is initialized and unsealed
exit 2Vault is sealed
exit 1Error (e.g. cannot connect, not initialized in some versions)
-format=jsonMachine-readable status

In CI

status needs no authentication, so it is the right command for a readiness loop before a job tries to log in. Remember the exit codes: a script that treats only 0 as success will correctly wait through the sealed (2) state. Parse -format=json to assert a specific version or HA standby state.

Common errors in CI

"connection refused" or "http: server gave HTTP response to HTTPS client" means VAULT_ADDR has the wrong scheme; match http vs https to the listener. "x509: certificate signed by unknown authority" means the runner does not trust the Vault TLS cert; set VAULT_CACERT or VAULT_SKIP_VERIFY=true (test only). A nonzero exit in a readiness loop is normal while Vault is still sealing.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →