vault write: Write Data to a Vault Path
vault write PATH key=value writes data to any Vault path, the generic command behind most config and secret writes.
Many Vault operations are just writes to a path: enabling a role, configuring an auth method, or storing a generic secret. write is the lower-level tool under the kv put helpers.
What it does
vault write sends key=value pairs to a path and prints whatever the path returns. It is the generic write used to configure auth methods, create roles, and call endpoints like transit/encrypt. For KV secrets, vault kv put wraps it with the correct data path.
Common usage
vault write auth/approle/role/ci \
token_policies="ci" token_ttl=20m token_max_ttl=30m
# read key=value from a file with @
vault write pki/root/generate/internal @payload.json
# write JSON from stdin
echo '{"common_name":"example.com"}' | vault write pki/issue/web -Options
| Flag | What it does |
|---|---|
| key=value | Data to write; repeat for multiple keys |
| key=@file | Read the value for a key from a file |
| @file.json | Read the entire request body from a JSON file |
| - | Read the request body from stdin |
| -force / -f | Write to a path that takes no data (e.g. rotate) |
| -field=<key> | Print only one field of the response |
| -format=json | Output the response as JSON |
In CI
Pass -format=json and parse with jq when a step needs one field; or use -field=token to grab a single value with no quoting. Avoid putting secret values directly on the command line where they land in ps and CI logs; prefer @file or stdin.
Common errors in CI
"permission denied" (HTTP 403) means the token policy lacks create or update on the path. "no handler for route '<path>'" means the secrets or auth engine is not mounted at that path. "Failed to parse K=V data" means an argument has no =; quote values with spaces and use @file for JSON bodies.