Using the Vault CLI

IBM® Sovereign Core provides a built-in, cyber-resilient Vault for secrets management. Securely store your passwords, certificates, and access control data in the protected Vault. You can access the Vault through the CLI. The Vault CLI is installed during the installation of IBM Sovereign Core.

Make sure that you have run the install.sh script for the product and that it completed successfully. For steps and more information, see Installing IBM Sovereign Core. When the installation of the product completes successfully, the Vault CLI is available to you. Use the CLI to run commands on your Vault.

Note: The binaries are automatically downloaded on the landing server during the deployment process.

Before you run any command in the Vault, you must log in to the cluster.

Use the following command to authenticate to the cluster:
sov-core login --token=$SOV_CORE_TOKEN --server=$CLUSTER_SERVER
Use the following information for guidance on the different commands you can run.
Vault command examples
General use guidance:
<plugin-name> vault <vault-command> -n <vault_namespace_name> -p <vault_pod_name>
Example of this usage:
sov-core vault <vault-command> -n <vault_namespace_name> -p <vault_pod_name>
List all secret keys stored under a KV path
sov-core vault kv list secret/ -n vault -p vault-0
List all configured Kubernetes authentication roles
sov-core vault list auth/kubernetes/role -n vault -p vault-0
List all existing Vault policies
sov-core vault policy list -n vault -p vault-0
Show the Vault server status
sov-core vault status -n vault -p vault-0
List Raft cluster peers
sov-core vault operator raft list-peers -n vault -p vault-0
Seal vault
sov-core vault operator seal -n vault -p vault-0
Unseal vault
sov-core vault operator unseal -n vault -p vault-0

After you run the unseal command, the CLI prompts: Unseal Key (will be hidden):

Retrieve the recovery keys from the vault-prod-init secret in the Vault namespace.

recovery_keys_b64
or
recovery_keys_hex
Important: Vault requires three distinct unseal keys to fully unseal the cluster. You must run the unseal command three times, each time providing a different unseal key.
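
A check to run between the three unseal attempts described above, as an added example that is not part of the IBM documentation: it summarises the status output so you can confirm each key was accepted before entering the next one. It assumes that sov-core vault status prints the standard HashiCorp Vault status table; seal_report, check_vault and SAMPLE_STATUS are hypothetical names.

```sh
#!/bin/sh
# Added example: report how far a Vault unseal has progressed.
# Assumption: `sov-core vault status` prints the standard HashiCorp Vault
# status table (Sealed / Total Shares / Threshold / Unseal Progress rows).

# Constructed sample: the table after one of three keys has been entered.
SAMPLE_STATUS='Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    1/3'

# seal_report: read a status table on stdin and print a one-line summary.
# Return code: 0 = unsealed, 2 = still sealed, 1 = input not recognised.
seal_report() {
  awk '
    $1 == "Sealed"                     { sealed = $2 }
    $1 == "Threshold"                  { threshold = $2 }
    $1 == "Unseal" && $2 == "Progress" { split($3, p, "/"); got = p[1]; threshold = p[2] }
    END {
      if (sealed == "false") { print "unsealed"; exit 0 }
      if (sealed != "true")  { print "unknown: no Sealed row in input"; exit 1 }
      if (got == "") got = 0
      if (threshold == "") { print "sealed: threshold not reported"; exit 2 }
      printf "sealed: %d of %d keys accepted, %d more needed\n", got, threshold, threshold - got
      exit 2
    }'
}

# check_vault: run the status command from this page and summarise it.
# Usage: check_vault <vault_namespace_name> <vault_pod_name>
check_vault() {
  sov-core vault status -n "$1" -p "$2" 2>/dev/null | seal_report
}

# Offline demonstration on the constructed sample:
#   printf '%s\n' "$SAMPLE_STATUS" | seal_report
# Against a cluster, after each unseal attempt:
#   check_vault vault vault-0
```

If the accepted count does not increase after an unseal attempt, that key was not counted and a different key is needed.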