How to write to /pki/roles with CLI using a file?

Hi,
I have extracted a role definition using
vault read pki/roles/myrole format=yaml > role.yaml

I’ve changed the file and now want to write the changes back to vault:
vault write pki/roles/myrole data=@role.yaml
I always get a success message but “vault read” does not show the expected changes.
Instead the role seems to be reset to default values.

You might need to convert the yaml to JSON. I’ve only ever used JSON, not sure what level of support yaml is given in the CLI.

Can you verify the CLI call is correct?
I tried it with json, too. Same problem.

vault read pki/roles/myrole format=json > role.json
vault write pki/roles/myrole data=@role.json

I’ve not used Mongo with Vault so I can’t really provide any insight there, sorry.

I normally don’t use the CLI for this type of activity, but rather Terraform. However, based on what I’m reading in the CLI documentation try vault write pki/roles/myrole @role.json instead to see if that works. See Commands (CLI) | Vault by HashiCorp for why I’m suggesting this.

Unfortunately that doesn't work either. The role is reset to standard values.

Can you provide an example of the JSON file you’re trying to apply (redact any confidential info, of course)?

{
  "allow_any_name": false,
  "allow_bare_domains": false,
  "allow_glob_domains": false,
  "allow_ip_sans": true,
  "allow_localhost": true,
  "allow_subdomains": true,
  "allow_token_displayname": false,
  "allowed_domains": ["123.com"],
  "allowed_domains_template": false,
  "allowed_other_sans": [],
  "allowed_serial_numbers": [],
  "allowed_uri_sans": [],
  "basic_constraints_valid_for_non_ca": false,
  "client_flag": true,
  "code_signing_flag": false,
  "country": [],
  "email_protection_flag": false,
  "enforce_hostnames": true,
  "ext_key_usage": [],
  "ext_key_usage_oids": [],
  "generate_lease": false,
  "key_bits": 2048,
  "key_type": "rsa",
  "key_usage": [
    "DigitalSignature",
    "KeyAgreement",
    "KeyEncipherment"
  ],
  "locality": [],
  "max_ttl": 0,
  "no_store": false,
  "not_before_duration": 30,
  "organization": [],
  "ou": [],
  "policy_identifiers": [],
  "postal_code": [],
  "province": [],
  "require_cn": true,
  "server_flag": true,
  "street_address": [],
  "ttl": 0,
  "use_csr_common_name": true,
  "use_csr_sans": true
}

The read operation seems to add some clutter like a timestamp, which I have removed.

vault write pki/roles/myrole @role.json
now does the trick.
The issue was that the additional clutter had to be removed from the json.
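A small helper for the round trip this thread ends on, added here as an example and not taken from the thread or from Vault's own tooling: it unwraps the `vault read -format=json` envelope so that only the role parameters end up in the file passed as `@role.json`, and compares the role read back afterwards against what was written so that a silent reset to defaults is caught instead of being masked by the CLI's success message. The envelope key names follow the Vault CLI's JSON output; the sample read output is constructed.

```python
import json

# Keys the Vault CLI wraps around the secret in `vault read -format=json`.
# Only the contents of "data" are role parameters that `vault write` accepts;
# everything else is response metadata and must not be sent back.
ENVELOPE_KEYS = {"request_id", "lease_id", "lease_duration",
                 "renewable", "data", "warnings", "wrap_info", "auth"}


def extract_writable_payload(read_output: str) -> dict:
    """Return just the role parameters from `vault read -format=json` output.

    Accepts the full CLI envelope or an already-unwrapped object in which
    stray envelope keys may still be present.
    """
    doc = json.loads(read_output)
    if isinstance(doc.get("data"), dict):
        return dict(doc["data"])
    return {k: v for k, v in doc.items() if k not in ENVELOPE_KEYS}


def diff_role(intended: dict, read_back: dict) -> dict:
    """Fields whose value after `vault write` differs from what was intended.

    Maps field -> (intended, actual). An empty result means the write landed;
    many fields reverting to engine defaults is the "role was reset" symptom.
    """
    return {k: (intended[k], read_back.get(k))
            for k in intended if read_back.get(k) != intended[k]}


# Constructed sample of `vault read pki/roles/myrole -format=json`, cut down
# to a few role fields; the envelope around "data" is what has to go.
SAMPLE_READ = json.dumps({
    "request_id": "00000000-0000-0000-0000-000000000000",
    "lease_id": "",
    "lease_duration": 0,
    "renewable": False,
    "data": {"allow_subdomains": True, "allowed_domains": ["123.com"],
             "key_bits": 2048, "key_type": "rsa", "max_ttl": 0, "ttl": 0},
    "warnings": None,
})

if __name__ == "__main__":
    role = extract_writable_payload(SAMPLE_READ)
    role["max_ttl"] = 86400  # the edit to persist via: vault write pki/roles/myrole @role.json
    print(json.dumps(role, indent=2))
```

After the write, feed the new `vault read -format=json` output through `extract_writable_payload` and pass both dicts to `diff_role`; anything other than `{}` means the change did not stick.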