Add -dev-no-store-token to vault server command (#7104)

When starting a vault dev server the token helper is invoked to store the dev root token. This option gives the user the ability to not store the token. Storing the token can be undesirable in certain circumstances (e.g. running local tests) as the user's existing vault token is clobbered without warning. Fixes #1861
2026-05-04 20:06:27 +02:00 · 2019-07-25 02:41:07 +10:00 · 2019-07-25 02:41:07 +10:00 · fb8ce19d90
commit fb8ce19d90
parent 725b354287
2 changed files with 27 additions and 13 deletions
--- a/command/server.go
+++ b/command/server.go
@ -87,13 +87,13 @@ type ServerCommand struct {
 	reloadedCh      chan (struct{}) // for tests

 	// new stuff
-	flagConfigs        []string
-	flagLogLevel       string
-	flagLogFormat      string
-	flagDev            bool
-	flagDevRootTokenID string
-	flagDevListenAddr  string
-
+	flagConfigs         []string
+	flagLogLevel        string
+  flagLogFormat       string
+	flagDev             bool
+	flagDevRootTokenID  string
+	flagDevListenAddr   string
+	flagDevNoStoreToken bool
 	flagDevPluginDir     string
 	flagDevPluginInit    bool
 	flagDevHA            bool
@ -213,6 +213,14 @@ func (c *ServerCommand) Flags() *FlagSets {
 		EnvVar:  "VAULT_DEV_LISTEN_ADDRESS",
 		Usage:   "Address to bind to in \"dev\" mode.",
 	})
+	f.BoolVar(&BoolVar{
+		Name:    "dev-no-store-token",
+		Target:  &c.flagDevNoStoreToken,
+		Default: false,
+		Usage: "Do not persist the dev root token to the token helper " +
+			"(usually the local filesystem) for use in future requests. " +
+			"The token will only be displayed in the command output.",
+	})

 	// Internal-only flags to follow.
 	//
@ -1515,12 +1523,14 @@ func (c *ServerCommand) enableDev(core *vault.Core, coreConfig *vault.CoreConfig
 	}

 	// Set the token
-	tokenHelper, err := c.TokenHelper()
-	if err != nil {
-		return nil, err
-	}
-	if err := tokenHelper.Store(init.RootToken); err != nil {
-		return nil, err
+	if !c.flagDevNoStoreToken {
+		tokenHelper, err := c.TokenHelper()
+		if err != nil {
+			return nil, err
+		}
+		if err := tokenHelper.Store(init.RootToken); err != nil {
+			return nil, err
+		}
 	}

 	kvVer := "2"
--- a/website/source/docs/commands/server.html.md
+++ b/website/source/docs/commands/server.html.md
@ -76,4 +76,8 @@ flags](/docs/commands/index.html) included on all commands.
  when running in "dev" mode. This can also be specified via the
  `VAULT_DEV_ROOT_TOKEN_ID` environment variable.

+- `-dev-no-store-token` `(string: "")` - Do not persist the dev root token to
+  the token helper (usually the local filesystem) for use in future requests.
+  The token will only be displayed in the command output.
+
 - `-dev-plugin-dir` `(string: "")` - Directory from which plugins are allowed to be loaded. Only applies in "dev" mode, it will automatically register all the plugins in the provided directory.