How to Use the HashiCorp Vault MCP in Google ADK

Q: How do I restrict which HashiCorp Vault tools are visible to my Google ADK agent?

Use the toolnames filter when initializing your McpToolset in Python. This allows you to whitelist specific tools like readkvsecret while blocking administrative ones like sealvault.

Connect your Google ADK enterprise agents to our hosted HashiCorp Vault MCP server to securely manage cloud credentials.

See Vinkius in Action

Works with every AI agent you already use

…and any MCP-compatible client

MCP Servers - Free for Subscribers

Connect HashiCorp Vault MCP to Google ADK

Create your Vinkius account to connect HashiCorp Vault to Google ADK and route execution through our secure gateway. The platform manages server hosting, runtime updates, and security layers. Configuration requires no manual server provisioning.

GDPR Free for Subscribers

Setup HashiCorp Vault with Google ADK

Ask AI about this MCP

ChatGPT

Claude

Perplexity

Secure BigQuery and GCP Access for Enterprise Agents

Enterprise agents running on Google ADK often need to pull data from BigQuery or write to Cloud Storage. Instead of hardcoding GCP service accounts, your agent can request temporary access tokens using `generate_aws_creds` or write metadata using `write_kv_secret`. This ensures your agent operates with short-lived permissions that expire automatically. Long-context Gemini models can process massive datasets but shouldn't hold static keys in their context window. By fetching credentials dynamically, you keep sensitive auth tokens out of the prompt history. The agent uses `read_kv_secret` only when a task requires direct database interaction.

Restrict Vault MCP Server Tools in Google ADK

You don't want an autonomous agent accidentally triggering administrative operations. When setting up the McpToolset, use the tool_names filter to expose only safe tools like `read_kv_secret` and `decrypt_transit`. This prevents the agent from invoking destructive actions like `seal_vault` or `revoke_lease`. For administrative tasks, you can spin up a separate, highly restricted agent. That agent can be granted access to `create_acl_policy` or `enable_auth_method` to manage the Vault environment safely. This separation of duties keeps your enterprise architecture clean and secure.

Automated PKI Certificate Issuance and Management

Managing SSL/TLS certificates across Google Cloud infrastructure can be an operational headache. Your agent can automate this process by calling `issue_pki_cert` to generate certificates for new services on demand. The agent can then configure the target endpoints without manual human intervention. If a service is decommissioned, the agent cleans up by running `revoke_pki_cert`. You can configure the root certificate authority using `generate_pki_root` to ensure all issued certificates trace back to a trusted, internal source.

Setup guide

Set up HashiCorp Vault MCP in Google ADK

Prerequisites

Python 3.10+ installed
google-adk package (pip install google-adk)
Active Vinkius subscription with a valid endpoint token

1

Install Google ADK

Run pip install google-adk to install the Agent Development Kit. MCP support is included via the McpToolset class.
2

Connect via SSE transport

Use McpToolset.from_server() with SseServerParams pointing to your Vinkius endpoint. Replace [YOUR_TOKEN_HERE] with your token from cloud.vinkius.com.
3

Create an LlmAgent

Pass the returned mcp_tools list directly to LlmAgent(tools=mcp_tools). The ADK maps each MCP tool to a native Gemini function call — no manual schema definitions required.
4

Run with any Gemini model

The agent works with any Gemini model (gemini-2.0-flash, gemini-2.5-pro, etc.). Copy the full example on the right to get started with HashiCorp Vault tools in your ADK agent.

agent.py

from google.adk.agents import LlmAgent
from google.adk.tools.mcp_tool.mcp_toolset import McpToolset
from google.adk.tools.mcp_tool.mcp_session_manager import SseServerParams

# Connect to the MCP via SSE
mcp_tools, exit_stack = await McpToolset.from_server(
    connection_params=SseServerParams(
        url="https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp"
    )
)

# Create your agent with auto-discovered tools
agent = LlmAgent(
    name="HashiCorp Vault_agent",
    model="gemini-2.0-flash",
    instruction="You have access to HashiCorp Vault tools via MCP.",
    tools=mcp_tools,
)

Get your connection token →

Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by HashiCorp Vault. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.

Why Choose Vinkius

Vinkius connects your tools to AI with real-time monitoring and automatic cost savings — all from one dashboard.

Connect HashiCorp Vault now

Real-time monitoring

Live

visibility into every interaction

Connect your favorite tools to your AI and see exactly what's happening — every request, every response, in real time.

Built-in savings

60%

lower AI costs

Vinkius compresses data between your apps and your AI automatically. Lower bills every month — no configuration required.

Single dashboard

One

place for every integration

Every tool your AI connects to, managed from a single screen. One account, complete control.

Common questions about HashiCorp Vault MCP in Google ADK

Import McpToolset from the SDK and initialize it with your Vinkius server HTTP parameters. Pass the toolset directly into your LlmAgent constructor to expose the Vault tools to Gemini.

Yes, you can configure Vault to accept Google-native authentication. Your agent can then use `kubernetes_login` or a custom auth method enabled via `enable_auth_method` to establish its identity.

Use the tool_names filter when initializing your McpToolset in Python. This allows you to whitelist specific tools like `read_kv_secret` while blocking administrative ones like `seal_vault`.

Gemini can hold 1M+ tokens, but you should avoid stuffing static secrets into the context. Use `generate_database_creds` to get short-lived credentials that expire, minimizing the impact if context data is logged.

Vinkius executes the server inside an isolated, zero-trust V8 sandbox that never caches or logs your database credentials, certificates, or transit keys. All transaction payloads pass directly to your Vault cluster over TLS, keeping your enterprise data secure.

Use it with your favorite AI tools

Connect this server to Cursor, Claude, VS Code, and more.

OpenAI Agents SDK sdk-python

Google ADK sdk-python

Pydantic AI sdk-python

Vercel AI SDK sdk-typescript