Vault
operator step-down
The operator step-down
forces the active Vault node within an HA cluster
to step down from active duty. When executed against a non-active node, i.e. a
standby or performance standby node,
the request will be forwarded to the active node. While the
affected node will have a delay before attempting to acquire
the leader lock again, if no other Vault nodes acquire the
lock beforehand, it is possible for the same node to re-acquire
the lock and become active again. Due to the locking architecture, there may be a period of time
before another node grabs the lock and finishes transitioning to active operation where the cluster has no active node. During the period where none of the nodes are active, forwarding of requests to the leader node will fail.
Examples
Force a Vault server to step down as the leader:
$ vault operator step-down
Success! Stepped down: http://127.0.0.1:8200
Usage
There are no flags beyond the standard set of flags included on all commands.
Policy requirements
You must belong to a policy with update
and sudo
permissions to use the
vault operator step-down
command:
path "sys/step-down" {
capabilities = ["update", "sudo"]
}