
Issues with `vault operator generate-root` CLI help message

Open maxb opened this issue 3 years ago • 1 comment

This part of the CLI help message is incorrect: https://github.com/hashicorp/vault/blob/967b2987e5a17a82f9b46b6d0b4f93b42fd550cd/command/operator_generate_root.go#L80-L82

The -otp flag is not needed or used, when providing an unseal key shard. It is only for use in conjunction with -init or -decode.

This earlier part of the CLI help message could be made more useful - it documents that you must use a multi-step process to begin an OTP-based root token generation:

  • `vault operator generate-root -generate-otp`
  • `vault operator generate-root -init -otp="..."`

In fact you can use just `vault operator generate-root -init` as shorthand for both steps in one command.

It would be nice to list this workflow option first, as it is the most simple and convenient for someone reading the help message with an immediate need to generate a root token. The other workflows are more relevant to someone implementing a more complex and pre-planned key ceremony.

maxb avatar May 01 '22 13:05 maxb
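The reason `-otp` belongs only with `-init` and `-decode`, and not with the unseal-key-shard step, is that the OTP is a one-time pad: it is fixed when the ceremony starts, never touches the shard submissions, and is only needed again to unmask the encoded token the server hands back. The following Go program is an added illustration of that masking and unmasking and is not code from the Vault project or from this issue; it assumes (my understanding of Vault's scheme, not confirmed by the page) that the encoded token is the root token XOR'd byte-for-byte with the OTP and then base64-encoded, and that padded and unpadded base64 may both appear. The token and OTP values are constructed samples, not real credentials, and `xorBytes` is a local stand-in for whatever helper Vault itself uses.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// xorBytes XORs two equal-length byte slices. It refuses mismatched lengths
// because a pad shorter than the token would leave part of it unmasked.
// This is a local stand-in (assumption), not Vault's own helper.
func xorBytes(a, b []byte) ([]byte, error) {
	if len(a) != len(b) {
		return nil, fmt.Errorf("length mismatch: otp is %d bytes, token is %d bytes", len(a), len(b))
	}
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out, nil
}

// EncodeRootToken models what the server does once enough unseal key shards
// have been supplied: XOR the freshly minted root token with the OTP fixed
// at -init time and base64-encode the result. Only this masked form leaves
// the server, so the operator who collects shards never sees the token.
func EncodeRootToken(token, otp string) (string, error) {
	masked, err := xorBytes([]byte(otp), []byte(token))
	if err != nil {
		return "", err
	}
	return base64.RawStdEncoding.EncodeToString(masked), nil
}

// DecodeRootToken models `vault operator generate-root -decode=<encoded> -otp=<otp>`:
// base64-decode the encoded token and XOR it with the same OTP. Trailing "="
// is stripped first so both padded and unpadded input decode (assumption).
func DecodeRootToken(encoded, otp string) (string, error) {
	encoded = strings.TrimRight(encoded, "=")
	masked, err := base64.RawStdEncoding.DecodeString(encoded)
	if err != nil {
		return "", fmt.Errorf("encoded token is not valid base64: %w", err)
	}
	plain, err := xorBytes([]byte(otp), masked)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

func main() {
	// Constructed sample values (not real credentials). The OTP must be
	// exactly as long as the token it will mask.
	token := "hvs.0123456789abcdefghijklmn"
	otp := "Ab3dEfGh1jKlMnOpQrStUvWxYz01"

	encoded, err := EncodeRootToken(token, otp)
	if err != nil {
		panic(err)
	}
	fmt.Println("encoded token handed back by the server:", encoded)

	decoded, err := DecodeRootToken(encoded, otp)
	if err != nil {
		panic(err)
	}
	fmt.Println("decoded with the -init OTP:", decoded)

	// A wrong-length OTP is rejected outright rather than yielding garbage.
	if _, err := DecodeRootToken(encoded, "too-short"); err != nil {
		fmt.Println("wrong OTP length rejected:", err)
	}
}
```

The round trip makes the help-message point concrete: the shard step carries only unseal key material and the nonce, so passing `-otp` there has nothing to act on, whereas `-decode` cannot recover the token without the exact OTP used at `-init`.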

Since my CLA is now sorted and I have some time, and the previous person working on this has closed their PR, I'm going to work on this myself now.

maxb avatar Dec 21 '22 16:12 maxb