Add token-only. (#2971)

command/auth.go

@@ -37,12 +37,13 @@ type AuthCommand struct {
 
 func (c *AuthCommand) Run(args []string) int {
 	var method, authPath string
-	var methods, methodHelp, noVerify, noStore bool
+	var methods, methodHelp, noVerify, noStore, tokenOnly bool
 	flags := c.Meta.FlagSet("auth", meta.FlagSetDefault)
 	flags.BoolVar(&methods, "methods", false, "")
 	flags.BoolVar(&methodHelp, "method-help", false, "")
 	flags.BoolVar(&noVerify, "no-verify", false, "")
 	flags.BoolVar(&noStore, "no-store", false, "")
+	flags.BoolVar(&tokenOnly, "token-only", false, "")
 	flags.StringVar(&method, "method", "", "method")
 	flags.StringVar(&authPath, "path", "", "")
 	flags.Usage = func() { c.Ui.Error(c.Help()) }
@@ -128,8 +129,8 @@ func (c *AuthCommand) Run(args []string) int {
 	}
 
 	// Warn if the VAULT_TOKEN environment variable is set, as that will take
-	// precedence
-	if os.Getenv("VAULT_TOKEN") != "" {
+	// precedence. Don't output on token-only since we're likely piping output.
+	if os.Getenv("VAULT_TOKEN") != "" && !tokenOnly {
 		c.Ui.Output("==> WARNING: VAULT_TOKEN environment variable set!\n")
 		c.Ui.Output("  The environment variable takes precedence over the value")
 		c.Ui.Output("  set by the auth command. Either update the value of the")
@@ -178,6 +179,11 @@ func (c *AuthCommand) Run(args []string) int {
 		return 1
 	}
 
+	if tokenOnly {
+		c.Ui.Output(token)
+		return 0
+	}
+
 	// Store the token!
 	if !noStore {
 		if err := tokenHelper.Store(token); err != nil {
@@ -393,6 +399,9 @@ Auth Options:
   -no-store         Do not store the token after creation; it will only be
                     displayed in the command output.
 
+  -token-only       Output only the token to stdout. This implies -no-verify
+                    and -no-store.
+
   -path             The path at which the auth backend is enabled. If an auth
                     backend is mounted at multiple paths, this option can be
                     used to authenticate against specific paths.