vault kv put and write: Store Secrets
vault kv put writes a secret to a KV engine and vault write posts data to any Vault path, both taking key=value pairs on the command line.
Writing to Vault comes up when a pipeline provisions a secret or exchanges credentials. kv put targets the KV engine; the lower-level vault write hits any endpoint, including auth logins and dynamic secret roles.
What it does
vault kv put <path> key=value ... writes (and versions, on KV v2) a secret. vault write <path> key=value ... sends data to any path. Both accept @file.json to read the body from a file and key=- to read a value from stdin, keeping secrets off the process list.
Common usage
vault kv put secret/ci/deploy token=abc123 user=deployer
# read a value from stdin instead of argv
printf '%s' "$TOKEN" | vault kv put secret/ci/deploy token=-
# generic write (e.g. AppRole login) reading a JSON body from a file
vault write auth/approle/login @login.jsonOptions
| Usage | What it does |
|---|---|
| key=value | Set a field to a literal value |
| key=- | Read the value for key from stdin |
| key=@file | Read the value from a file |
| @body.json | Send an entire JSON body from a file |
| -cas <n> (kv) | Check-and-set: only write if current version is n |
In CI
Pass secret values via key=- (stdin) or key=@file so they do not appear in argv or shell history. On KV v2, use -cas to avoid clobbering a concurrently updated secret. vault write (no kv) is what you use for auth logins and dynamic roles.
Common errors in CI
"permission denied" means the token policy lacks create/update on the path. "check-and-set parameter required for this call" means the mount enforces CAS; add -cas=<version>. "Failed to parse K=V data" means a value contained an = or space and was not quoted, or you meant @file. "* missing client token" means vault login was not run.