Add -dev-no-store-token to vault server command

When starting a vault dev server the token helper is invoked to store the dev root token. This option gives the user the ability to not store the token. Storing the token can be undesirable in certain circumstances (e.g. running local tests) as the user's existing vault token is clobbered without warning. Fixes #1861
hashicorp · Jul 11, 2019 · 6b97b7b · 6b97b7b
1 parent 5253839
commit 6b97b7b
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 11 deletions.
diff --git a/command/server.go b/command/server.go
@@ -87,11 +87,12 @@ type ServerCommand struct {
 	reloadedCh      chan (struct{}) // for tests
 
 	// new stuff
-	flagConfigs        []string
-	flagLogLevel       string
-	flagDev            bool
-	flagDevRootTokenID string
-	flagDevListenAddr  string
+	flagConfigs         []string
+	flagLogLevel        string
+	flagDev             bool
+	flagDevRootTokenID  string
+	flagDevListenAddr   string
+	flagDevNoStoreToken bool
 
 	flagDevPluginDir     string
 	flagDevPluginInit    bool
@@ -201,6 +202,14 @@ func (c *ServerCommand) Flags() *FlagSets {
 		EnvVar:  "VAULT_DEV_LISTEN_ADDRESS",
 		Usage:   "Address to bind to in \"dev\" mode.",
 	})
+	f.BoolVar(&BoolVar{
+		Name:    "dev-no-store-token",
+		Target:  &c.flagDevNoStoreToken,
+		Default: false,
+		Usage: "Do not persist the dev root token to the token helper " +
+			"(usually the local filesystem) for use in future requests. " +
+			"The token will only be displayed in the command output.",
+	})
 
 	// Internal-only flags to follow.
 	//
@@ -1474,12 +1483,14 @@ func (c *ServerCommand) enableDev(core *vault.Core, coreConfig *vault.CoreConfig
 	}
 
 	// Set the token
-	tokenHelper, err := c.TokenHelper()
-	if err != nil {
-		return nil, err
-	}
-	if err := tokenHelper.Store(init.RootToken); err != nil {
-		return nil, err
+	if !c.flagDevNoStoreToken {
+		tokenHelper, err := c.TokenHelper()
+		if err != nil {
+			return nil, err
+		}
+		if err := tokenHelper.Store(init.RootToken); err != nil {
+			return nil, err
+		}
 	}
 
 	kvVer := "2"

diff --git a/website/source/docs/commands/server.html.md b/website/source/docs/commands/server.html.md
@@ -72,4 +72,8 @@ flags](/docs/commands/index.html) included on all commands.
   when running in "dev" mode. This can also be specified via the
   `VAULT_DEV_ROOT_TOKEN_ID` environment variable.
 
+- `-dev-no-store-token` `(string: "")` - Do not persist the dev root token to
+  the token helper (usually the local filesystem) for use in future requests.
+  The token will only be displayed in the command output.
+
 - `-dev-plugin-dir` `(string: "")` - Directory from which plugins are allowed to be loaded. Only applies in "dev" mode, it will automatically register all the plugins in the provided directory.