Opinionlessly Express Opinions on Vault

There are some operations which don’t really fit in either the context of the data model or extraction of data.


This operation will derive an operational Vault token based on any environmental hints that aomi supports. The various mechanisms which aomi will use for authentication are described under operations. Both the --metadata and --lease options are supported.


This action can be used to easily change passwords. It can operate on both userpass users and generic secrets paths. It will ask for the password (and a confirmation). Optionally, you may pass in a password via stdin.

To modify a users password you would invoke the following

aomi set_password user:foo
Enter Password:
Again, Please:

You can also modify passwords stored in arbitary Vault paths (in this example using stdin).

aomi set_password foo/pass <<< "1234"


This action is used to render the Secretfile. It respects the --policies, --secrets, --secretfile, --extra-vars, and --extra-vars-file options in the same way as the seed operation. This operation takes a minimum of one argument, the directory to write the rendered Secretfile (and accoutrement) to.

$ aomi render /tmp/rendered

The output will be written to the specified directory, with the following structure.