Skip to content
Latchkey

vault kv put and write: Store Secrets

vault kv put writes a secret to a KV engine and vault write posts data to any Vault path, both taking key=value pairs on the command line.

Writing to Vault comes up when a pipeline provisions a secret or exchanges credentials. kv put targets the KV engine; the lower-level vault write hits any endpoint, including auth logins and dynamic secret roles.

What it does

vault kv put <path> key=value ... writes (and versions, on KV v2) a secret. vault write <path> key=value ... sends data to any path. Both accept @file.json to read the body from a file and key=- to read a value from stdin, keeping secrets off the process list.

Common usage

Terminal
vault kv put secret/ci/deploy token=abc123 user=deployer
# read a value from stdin instead of argv
printf '%s' "$TOKEN" | vault kv put secret/ci/deploy token=-
# generic write (e.g. AppRole login) reading a JSON body from a file
vault write auth/approle/login @login.json

Options

UsageWhat it does
key=valueSet a field to a literal value
key=-Read the value for key from stdin
key=@fileRead the value from a file
@body.jsonSend an entire JSON body from a file
-cas <n> (kv)Check-and-set: only write if current version is n

In CI

Pass secret values via key=- (stdin) or key=@file so they do not appear in argv or shell history. On KV v2, use -cas to avoid clobbering a concurrently updated secret. vault write (no kv) is what you use for auth logins and dynamic roles.

Common errors in CI

"permission denied" means the token policy lacks create/update on the path. "check-and-set parameter required for this call" means the mount enforces CAS; add -cas=<version>. "Failed to parse K=V data" means a value contained an = or space and was not quoted, or you meant @file. "* missing client token" means vault login was not run.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →