Set the administrative user’s API key
Vault always has an administrative user account that has the user name of Admin. This is referenced throughout the documentation simply as the user named Admin or the Admin user. The Admin user’s API key provides a “break the glass” mechanism that enables you to regain control of Vault when all other API keys fail (e.g., when you lose your admin API key).
Unlike other user accounts, the Admin user’s API key is set using one of these two methods:
- The environment variable PVAULT_SERVICE_ADMIN_API_KEY
- The API Set Admin API key
The Admin API key can’t be authenticated using JWT access tokens.
Set the Admin API key using the environment variable
The environment variable and, therefore, the key have a default value of pvaultauth. It’s recommended that you change the value of the Admin API key to a unique value when deploying Vault to production.
Change the API key by updating the value of the environment variable and restarting Vault.
Note that the Admin API key is not updated during startup if the PVAULT_SERVICE_OVERRIDE_ADMIN_API_KEY_ON_RESTART environment variable is set to false. By default, it’s set to true to allow changes in the environment variable to take effect after a restart of Vault.
Set the Admin API key using the API
You can set a new Admin API key using the API call. This API is restricted to the Admin user.
The API key should meet these criteria:
- It must be at least 15 characters long.
- It must contain a combination of digits, lowercase letters, and uppercase letters.
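The following is an added example, not part of the Vault documentation or product code: it generates a candidate Admin API key from the OS CSPRNG and checks candidates against the two criteria above, also rejecting the default value pvaultauth. The function names, the 32-character default length, and the letters-and-digits alphabet are assumptions made for this example.

```python
import secrets
import string

DEFAULT_ADMIN_API_KEY = "pvaultauth"  # default value stated on this page
MIN_LENGTH = 15                        # minimum length stated on this page


def policy_violations(key: str) -> list[str]:
    """Return the reasons a candidate key fails the documented criteria."""
    problems = []
    if key == DEFAULT_ADMIN_API_KEY:
        problems.append("is the default value")
    if len(key) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in string.digits for c in key):
        problems.append("no digit")
    if not any(c in string.ascii_lowercase for c in key):
        problems.append("no lowercase letter")
    if not any(c in string.ascii_uppercase for c in key):
        problems.append("no uppercase letter")
    return problems


def generate_admin_api_key(length: int = 32) -> str:
    """Draw a key from the OS CSPRNG, retrying until every class is present."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    # Assumption: letters and digits only; the page does not list other characters.
    alphabet = string.ascii_letters + string.digits
    while True:
        key = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(key):
            return key


if __name__ == "__main__":
    # Constructed sample candidates, not real keys. Only the length is printed.
    samples = ("pvaultauth", "alllowercase12345", "Sh0rt", generate_admin_api_key())
    for candidate in samples:
        issues = policy_violations(candidate)
        print(f"{len(candidate):>2} chars:", "OK" if not issues else "; ".join(issues))
```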
Vault SaaS
When using the hosted version of Vault, you can change the Admin API key under the Settings page in the Vault Admin API Key Provider section.