Skip to content
Latchkey

vault write: Write Data to a Vault Path

vault write PATH key=value writes data to any Vault path, the generic command behind most config and secret writes.

Many Vault operations are just writes to a path: enabling a role, configuring an auth method, or storing a generic secret. write is the lower-level tool under the kv put helpers.

What it does

vault write sends key=value pairs to a path and prints whatever the path returns. It is the generic write used to configure auth methods, create roles, and call endpoints like transit/encrypt. For KV secrets, vault kv put wraps it with the correct data path.

Common usage

Terminal
vault write auth/approle/role/ci \
  token_policies="ci" token_ttl=20m token_max_ttl=30m
# read key=value from a file with @
vault write pki/root/generate/internal @payload.json
# write JSON from stdin
echo '{"common_name":"example.com"}' | vault write pki/issue/web -

Options

FlagWhat it does
key=valueData to write; repeat for multiple keys
key=@fileRead the value for a key from a file
@file.jsonRead the entire request body from a JSON file
-Read the request body from stdin
-force / -fWrite to a path that takes no data (e.g. rotate)
-field=<key>Print only one field of the response
-format=jsonOutput the response as JSON

In CI

Pass -format=json and parse with jq when a step needs one field; or use -field=token to grab a single value with no quoting. Avoid putting secret values directly on the command line where they land in ps and CI logs; prefer @file or stdin.

Common errors in CI

"permission denied" (HTTP 403) means the token policy lacks create or update on the path. "no handler for route '<path>'" means the secrets or auth engine is not mounted at that path. "Failed to parse K=V data" means an argument has no =; quote values with spaces and use @file for JSON bodies.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →