Vault

Vault has 6 operations in gum's generated catalog. Start with search when you know the task, use describe to inspect request fields and scopes, then dispatch through the command that matches the operation risk class.

Start here

gum search "vault"
gum describe vault.matters.get
gum read vault.matters.get --args '{"matterId":"<matterId>"}' --output json

For write-class operations, gum requires the write command and an explicit write gate:

gum describe vault.matters.close
gum write vault.matters.close --allow-write --args '{"matterId":"<matterId>"}'

For destructive operations, run the call once for a confirmation envelope, review the target, then retry with the returned token:

gum destructive vault.matters.delete --args '{"matterId":"<matterId>"}'
gum destructive vault.matters.delete --args '{"matterId":"<matterId>"}' --confirmed --token '<confirmation_token>'

Auth

Auth strategies in this service: 6 byo_oauth. Authenticate the strategy used by the operation you plan to call.

Bring-your-own OAuth

1. In Google Cloud, enable Google Vault API.
2. Configure the OAuth consent screen. Add your Google account as a test user when the app is still in testing mode.
3. Create an OAuth client ID with application type Desktop app.
4. Add the scopes this service needs to the consent screen.
5. Store the client in gum:

printf '%s' "$GOOGLE_OAUTH_CLIENT_SECRET" \
  | gum auth use-oauth-client --client-id "$GOOGLE_OAUTH_CLIENT_ID" --secret-stdin

1. Authorize this service:

gum login --service vault

1. Verify the grant before dispatch:

gum auth status --scopes ediscovery,ediscovery.readonly
gum describe vault.matters.get

Scopes used by these operations:

• https://www.googleapis.com/auth/ediscovery
• https://www.googleapis.com/auth/ediscovery.readonly

Service setup notes: Vault auth guide.

Operations

Next

• Use API workflows for search, describe, invoke, and error handling.
• Use Auth guides for service-specific Google setup.
• Use Command index for CLI flags and generated help.