vault status: Check Seal and HA State
vault status reports whether Vault is initialized, sealed, its version, and HA leadership, with an exit code you can gate on.
status is the health probe for scripts: it does not need a token and its exit code tells you the seal state, which makes it ideal for a readiness wait in CI.
What it does
vault status prints the seal state, initialization flag, storage type, cluster info, and version. Its exit code encodes the seal state: 0 means unsealed, 2 means sealed, and 1 means an error such as not being able to reach the server.
Common usage
vault status
vault status -format=json | jq '.sealed, .version'
# wait for Vault to be unsealed in a bootstrap script
until vault status >/dev/null 2>&1; do sleep 2; doneOptions
| Item | What it does |
|---|---|
| exit 0 | Vault is initialized and unsealed |
| exit 2 | Vault is sealed |
| exit 1 | Error (e.g. cannot connect, not initialized in some versions) |
| -format=json | Machine-readable status |
In CI
status needs no authentication, so it is the right command for a readiness loop before a job tries to log in. Remember the exit codes: a script that treats only 0 as success will correctly wait through the sealed (2) state. Parse -format=json to assert a specific version or HA standby state.
Common errors in CI
"connection refused" or "http: server gave HTTP response to HTTPS client" means VAULT_ADDR has the wrong scheme; match http vs https to the listener. "x509: certificate signed by unknown authority" means the runner does not trust the Vault TLS cert; set VAULT_CACERT or VAULT_SKIP_VERIFY=true (test only). A nonzero exit in a readiness loop is normal while Vault is still sealing.