How to Use the HashiCorp Vault MCP in CrewAI

Q: Can a CrewAI team manage the entire lifecycle of a HashiCorp Vault cluster?

Yes. You can create a crew where one agent uses initializevault, another receives the keys and uses unsealvault, and a third configures secrets engines with enableengine. It's a powerful way to automate standing up new Vault environments.

Deploy an autonomous CrewAI security team to manage HashiCorp Vault. Your agents can monitor health, rotate keys, and manage access 24/7.

See Vinkius in Action

Works with every AI agent you already use

…and any MCP-compatible client

MCP Servers - Free for Subscribers

Connect HashiCorp Vault MCP to CrewAI

Create your Vinkius account to connect HashiCorp Vault to CrewAI and route execution through our secure gateway. The platform manages server hosting, runtime updates, and security layers. Configuration requires no manual server provisioning.

GDPR Free for Subscribers

Setup HashiCorp Vault with CrewAI

Ask AI about this MCP

ChatGPT

Claude

Perplexity

Build an Autonomous Security Crew

Assign specific Vault duties to different agents in your CrewAI team. A 'Monitor' agent can run `get_system_health` in a loop. If it detects that Vault is sealed, it can task a 'Responder' agent to execute an `unseal_vault` sequence. Have a 'Policy' agent that uses `list_acl_policies` to watch for changes. If a risky policy is created, it can delegate to an 'Admin' agent to revoke the associated token using `revoke_lease`. This creates a self-healing security posture.

Manage PKI and Certificates

Let a dedicated agent crew handle your Public Key Infrastructure. One agent's job is to `create_pki_role` for new services. Another agent can then `issue_pki_cert` based on requests from a service mesh or other automated systems. This is perfect for autonomous operations. If a system is compromised, a 'Security' agent can be tasked to immediately `revoke_pki_cert` to cut off access. You can even orchestrate the entire root generation process with `generate_pki_root` for setting up new environments with this MCP Server.

Run Continuous Auditing

Set up an 'Auditor' agent that continuously monitors Vault activity. It can use `list_auth_methods` and `list_mounts` to ensure the configuration matches your baseline. It can also run `list_token_accessors` to get a high-level view of all active tokens. This agent's main job is to enable and check audit logs. It can use `enable_audit_device` to make sure all actions are being logged to a file or socket. If it finds an audit device is disabled, it can re-enable it and alert the human team.

Setup guide

Set up HashiCorp Vault MCP in CrewAI

Prerequisites

Python 3.10+ installed
crewai package (pip install crewai)
Active Vinkius subscription with a valid endpoint token

1

Install CrewAI
Run pip install crewai to install the framework. MCP support is built-in via the mcps parameter.
2

Add the MCP URL to your agent
Pass your Vinkius endpoint directly to the mcps list. Replace [YOUR_TOKEN_HERE] with your token from cloud.vinkius.com. CrewAI handles tool discovery and caching automatically.
3

Kick off your crew
Create a Crew with your agent and tasks. Call crew.kickoff() — the agent will automatically invoke HashiCorp Vault tools as needed.

crew.py

from crewai import Agent, Task, Crew

agent = Agent(
    role="HashiCorp Vault Analyst",
    goal="Access and analyze HashiCorp Vault data via MCP.",
    backstory="Expert analyst with direct HashiCorp Vault access.",
    mcps=[
        "https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp"
    ],
)

task = Task(
    description="List recent HashiCorp Vault transactions",
    agent=agent,
    expected_output="A summary of recent activity",
)

crew = Crew(agents=[agent], tasks=[task])
result = crew.kickoff()
print(result)

Get your connection token →

Prerequisites

Python 3.10+ installed
crewai + crewai-tools packages
Active Vinkius subscription with a valid endpoint token

1

Install dependencies
Run pip install crewai crewai-tools. The MCPServerAdapter handles lifecycle management and tool conversion.
2

Connect with MCPServerAdapter
Use MCPServerAdapter as a context manager with SseServerParameters pointing to your Vinkius endpoint. The adapter automatically manages connection lifecycle.
3

Assign tools and run
Pass the returned mcp_tools to your agent's tools parameter. The adapter converts MCP tools to native BaseTool objects compatible with all CrewAI agents.

crew.py

from crewai import Agent, Task, Crew
from crewai_tools import MCPServerAdapter
from mcp import SseServerParameters

server_params = SseServerParameters(
    url="https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp"
)

with MCPServerAdapter(server_params) as mcp_tools:
    agent = Agent(
        role="HashiCorp Vault Analyst",
        goal="Access and analyze HashiCorp Vault data via MCP.",
        backstory="Expert analyst with direct HashiCorp Vault access.",
        tools=mcp_tools,
    )

    task = Task(
        description="List recent HashiCorp Vault transactions",
        agent=agent,
        expected_output="A summary of recent activity",
    )

    crew = Crew(agents=[agent], tasks=[task])
    result = crew.kickoff()
    print(result)

Get your connection token →

Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by HashiCorp Vault. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.

Why Choose Vinkius

Vinkius connects your tools to AI with real-time monitoring and automatic cost savings — all from one dashboard.

Connect HashiCorp Vault now

Real-time monitoring

Live

visibility into every interaction

Connect your favorite tools to your AI and see exactly what's happening — every request, every response, in real time.

Built-in savings

60%

lower AI costs

Vinkius compresses data between your apps and your AI automatically. Lower bills every month — no configuration required.

Single dashboard

One

place for every integration

Every tool your AI connects to, managed from a single screen. One account, complete control.

Common questions about HashiCorp Vault MCP in CrewAI

Pass the Vinkius MCP server URL to your CrewAI agent definitions. For programmatic access, you can assign an agent the task of performing `approle_login` or `kubernetes_login` and sharing the resulting Vault token with the rest of the crew.

Yes. You can create a crew where one agent uses `initialize_vault`, another receives the keys and uses `unseal_vault`, and a third configures secrets engines with `enable_engine`. It's a powerful way to automate standing up new Vault environments.

You can have a 'Provisioner' agent. When a new application is deployed, it gets a task to `create_approle_role`, `create_acl_policy` with specific permissions, and then `generate_approle_secret_id` for the app to use.

Definitely. You can have an agent that proposes a sensitive action, like running `delete_kv_secret` on a production path. The agent's process would pause and await human approval before tasking another agent to actually execute the deletion.

Vinkius never sees the unseal keys or any other secret data. The keys are passed as arguments to the `unseal_vault` tool and are handled within the ephemeral sandbox where the MCP server runs. They are not logged or stored.

Use it with your favorite AI tools

Connect this server to Cursor, Claude, VS Code, and more.

OpenAI Agents SDK sdk-python

Google ADK sdk-python

Pydantic AI sdk-python

Vercel AI SDK sdk-typescript