Where HashiCorp’s Atlas External Vagrant Box Images Actually Hosted

To vigilant users, authenticity matters. Aside from checking hashes of images, you might also want to know where the box images you use in Vagrant are downloaded from. However, this information is not explicitly provided on HashiCorp’s Vagrant Cloud. Here is how you can uncover this information….


Take box centos/7 as an example. From its information page you just got an ” Externally hosted (cloud.centos.org)” label, no complete URL. In order to get the actual location of the image, the following script is used:

wget --quiet --output-document=- "https://vagrantcloud.com/centos/7" | python -m json.tool | less --chop-long-lines

In the output, you’ll see URLs to box images. At the time of writing, the default box image URL for VirtualBox provider is https://vagrantcloud.com/centos/boxes/7/versions/1802.01/providers/virtualbox.box. Choose whichever image URL depending on the version and provider you’re interested, then you can further run:

wget --server-response --spider "https://vagrantcloud.com/centos/boxes/7/versions/1802.01/providers/virtualbox.box"

In this example, you’ll find it redirects you to https://cloud.centos.org/centos/7/vagrant/x86_64/images/CentOS-7-x86_64-Vagrant-1802_01.VirtualBox.box, which is an image published on official CentOS website.


Posted in Technical.


    • Thanks for the update! I’ve made some adjustments to the article to reflect the fact that image URL may change over time.

Leave a Reply

Your email address will not be published. Required fields are marked *

Captcha loading...