# HashiCorp Vault MCP

> HashiCorp Vault MCP lets you manage all your infrastructure secrets, encryption keys, and access tokens through natural conversation. Read stored credentials, generate dynamic credentials for databases, AWS, or Kubernetes, and audit system policies without leaving your AI client. It's the central control plane for modern security operations.

## Overview
- **Category:** fort-knox
- **Price:** Free
- **Tags:** secrets-management, encryption, key-management, identity-access, dynamic-credentials, security

## Description

Managing sensitive data used across development teams is a nightmare if you rely on static files or manual processes. This MCP connects directly to your HashiCorp Vault instance, giving your agent full visibility into your secrets landscape. You can read stored API keys from KV mounts, generate temporary credentials for external services like AWS and databases, or even decrypt sensitive payloads using the transit engine—all through simple commands.

It handles more than just storage; it controls identity. Need to change an access policy? Just ask. Want to check if the cluster is healthy? You can. By connecting this MCP via Vinkius, you turn complex security workflows into conversational actions, keeping your sensitive data locked down while giving developers and ops engineers what they need, exactly when they need it.

## Tools

### approle_login
Logs into Vault using AppRole authentication credentials.

### configure_aws_root
Sets up the AWS root credentials for use with Vault.

### configure_database
Configures a connection point to a specific database type.

### configure_kubernetes_auth
Sets up authentication using Kubernetes service account tokens.

### create_acl_policy
Creates or updates a specific access control list (ACL) policy for Vault resources.

### create_approle_role
Creates or modifies an AppRole role definition within the system.

### create_aws_role
Defines a new AWS IAM role that Vault can use to generate credentials.

### create_database_role
Creates a specific user or service role within a connected database system.

### create_pki_role
Establishes a new set of rules for managing PKI certificates.

### create_token
Generates and issues a brand-new, temporary Vault access token.

### create_transit_key
Creates a new cryptographic key pair for data encryption operations.

### create_userpass_user
Registers a simple user account using a username and password.

### decrypt_transit
Decrypts sensitive data that was previously encrypted using the Vault transit engine.

### delete_kv_secret
Removes the latest version of a specific secret stored in the KV v2 engine.

### enable_audit_device
Turns on a new auditing mechanism to log system activity.

### enable_auth_method
Activates an entirely new way that users can authenticate with Vault (e.g., GitHub, LDAP).

### enable_engine
Turns on a specific secrets engine (like KV or Consul) at a mount path within Vault.

### encrypt_transit
Encrypts sensitive data using the Vault transit encryption engine.

### generate_approle_secret_id
Creates a new Secret ID for an existing AppRole, necessary for machine authentication.

### generate_aws_creds
Produces dynamic AWS credentials that expire after a set time.

### generate_database_creds
Creates temporary, dedicated login credentials for a specified database.

### generate_pki_root
Generates the initial root certificate authority key pair for PKI services.

### get_init_status
Checks if the Vault cluster has been correctly initialized and is ready to run.

### get_openapi_spec
Downloads an OpenAPI V3 document detailing all currently mounted backend services.

### get_system_health
Checks the overall operational status of the Vault cluster in real time.

### github_login
Allows a user to log into Vault using their GitHub personal access token.

### initialize_vault
Sets up and initializes an entirely new Vault cluster instance from scratch.

### issue_pki_cert
Generates a specific, valid PKI certificate for immediate use.

### kubernetes_login
Authenticates the user using credentials provided by Kubernetes service accounts.

### list_acl_policies
Displays all existing access control policies configured in Vault.

### list_audit_devices
Lists every enabled mechanism used for monitoring and auditing system activities.

### list_auth_methods
Shows all authentication methods (like GitHub or LDAP) that are currently active.

### list_kv_secrets
Displays a list of secret paths and metadata within the KV v2 engine.

### list_mounts
Lists all secrets engines that are currently mounted to the Vault instance.

### list_token_accessors
Displays a list of token accessors, which helps audit who has elevated privileges.

### lookup_lease
Retrieves details about a temporary lease using its unique ID.

### lookup_self_token
Looks up and displays the detailed information regarding the current Vault token used by your agent.

### map_github_team
Maps a specific GitHub team name to a predefined set of Vault policies.

### read_kv_metadata
Reads non-secret metadata about a specific key/value secret path without exposing the content.

### read_kv_secret
Retrieves the actual sensitive data stored at a specified KV v2 engine path.

### renew_lease
Extends the expiration time on an existing temporary access lease.

### renew_self_token
Resets and extends the lifespan of your current Vault token.

### revoke_lease
Immediately invalidates a specific, temporary access lease.

### revoke_pki_cert
Revokes the validity of an issued PKI certificate before its natural expiration date.

### revoke_self_token
Immediately invalidates your current Vault token, requiring re-authentication.

### rotate_transit_key
Performs a key rotation cycle on an existing transit encryption key.

### seal_vault
Temporarily seals the Vault, preventing all access to secrets until it is unsealed again.

### unseal_vault
Submits an unseal key share to unseal Vault and make all secrets available again.

### userpass_login
Logs into Vault using simple, static username and password credentials.

### write_kv_secret
Creates or updates a secret value within the KV v2 engine path for permanent storage.

## Prompt Examples

**Prompt:** 
```
Check the health and initialization status of my Vault server.
```

**Response:** 
```
I've checked the system. The Vault server is initialized and unsealed. Health check returned 200 OK with version 1.15.2.
```

**Prompt:** 
```
Read the secret stored at 'secret/data/production/api-keys'.
```

**Response:** 
```
I've retrieved the secret. It contains 2 keys: `STRIPE_KEY` and `AWS_SECRET_ACCESS_KEY`. Would you like me to display the values?
```

**Prompt:** 
```
Renew my current Vault token for another hour.
```

**Response:** 
```
The token has been successfully renewed. The new lease duration is 3600 seconds.
```

## Capabilities

### Generate Dynamic Credentials
The agent creates temporary, time-limited login details for databases, AWS services, or Kubernetes clusters.

### Manage Secrets Storage
You can read, write, and list specific secrets stored within your secure key/value paths.

### Control Access Policies
The agent creates or updates access control policies (ACLs) and manages user roles for strict permission enforcement.

### Encrypt and Decrypt Data
You use the transit engine to encrypt data before storage, or decrypt it when you need to read it back safely.

### Audit System Status
The agent checks the cluster's operational health and lists all active authentication methods and mounted secrets engines.

## Use Cases

### Onboarding a new developer to a project
A developer needs access to the staging database. Instead of asking an admin for temporary credentials, they ask their agent: 'Generate dynamic credentials for the staging Postgres DB.' The agent calls `generate_database_creds` and returns valid, time-limited login details instantly.

### Performing a security audit
The Security Analyst needs to know if any service account has overly broad permissions. They prompt the agent: 'List all ACL policies.' The agent calls `list_acl_policies`, allowing them to verify that roles only have what they need.

### Fixing a forgotten API key
A service fails because an API key was rotated. The engineer asks: 'Read the secret stored at production/api-keys.' The agent calls `read_kv_secret`, retrieves the necessary data, and gets the service back online.

### Preparing for a new microservice deployment
The team needs to add a new authentication source. They ask: 'Enable GitHub as an auth method.' The agent calls `enable_auth_method` and guides them through the required setup steps.

## Benefits

- Stop juggling credentials. You can use the agent to generate dynamic AWS credentials or database logins on demand, meaning your service accounts never use static passwords.
- Full visibility into security posture. Need to know who accessed what? Use `list_token_accessors` and `read_kv_metadata` to audit access without manual dashboard reports.
- Centralized control over access policies. Instead of touching configuration files, you tell the agent to `create_acl_policy`, enforcing least privilege immediately.
- Handling sensitive data is safer than ever. You can use `encrypt_transit` and `decrypt_transit` for end-to-end protection without exposing keys anywhere in your workflow.
- Never lose track of service status. Check the cluster's health with `get_system_health`, or list all active authentication methods using `list_auth_methods` to verify connectivity.

## How It Works

The bottom line is that your entire infrastructure security setup runs through natural language commands instead of multiple dashboards.

1. First, subscribe to this MCP and provide your Vault address and security token.
2. Next, use your AI client to issue commands—for example, asking it to generate dynamic database credentials or read a specific API key.
3. The agent executes the request against your Vault instance, retrieving the necessary credential or data directly for you.

## Frequently Asked Questions

**How do I check if Vault is ready to use with the `get_system_health` tool?**
The agent runs `get_system_health` and reports back a status code. You want to see '200 OK' and confirmation that Vault is initialized and unsealed before trying any other operation.
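As an added example (not code from this MCP or from HashiCorp), the Python below turns a `/v1/sys/health` status code and response body into a go/no-go verdict, which is the check to run before any other tool is called. It assumes Vault's documented default status codes for that endpoint; the sample bodies are constructed.

```python
"""Interpret a Vault /v1/sys/health response before issuing other operations."""
import json

# Default HTTP status codes returned by the unauthenticated /v1/sys/health
# endpoint (Vault defaults; operators can override them with query parameters).
HEALTH_CODES = {
    200: "initialized, unsealed and active",
    429: "unsealed and standby",
    472: "disaster-recovery secondary and active",
    473: "performance standby",
    501: "not initialized",
    503: "sealed",
}


def interpret_health(status_code: int, body: str) -> dict:
    """Return a readiness verdict derived from the status code and JSON body.

    Only 200 means this node can serve secrets requests; anything else is
    returned with a reason so the caller does not proceed on a sealed,
    uninitialized or standby node.
    """
    try:
        data = json.loads(body) if body else {}
    except json.JSONDecodeError:
        data = {}
    reason = HEALTH_CODES.get(status_code, f"unexpected status {status_code}")
    # Cross-check the body flags against the status code. A disagreement means
    # something between the client and Vault is rewriting responses and should
    # be investigated rather than trusted.
    flags_ok = (
        data.get("initialized") is True
        and data.get("sealed") is False
        and data.get("standby") is False
    )
    return {
        "ready": status_code == 200 and flags_ok,
        "reason": reason,
        "version": data.get("version", "unknown"),
        "body_matches_code": flags_ok == (status_code == 200),
    }


# Constructed samples; the healthy one mirrors the page's prompt example (200 OK, 1.15.2).
SAMPLE_HEALTHY = json.dumps(
    {"initialized": True, "sealed": False, "standby": False, "version": "1.15.2"})
SAMPLE_SEALED = json.dumps(
    {"initialized": True, "sealed": True, "standby": False, "version": "1.15.2"})

if __name__ == "__main__":
    for code, sample in ((200, SAMPLE_HEALTHY), (503, SAMPLE_SEALED)):
        print(code, interpret_health(code, sample))
```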

**What do I use if I need to store a new API key? Should I call `write_kv_secret`?**
Yes, you use `write_kv_secret`. This tool ensures the secret is saved in the secure KV v2 engine path and is version-controlled within Vault.

**Can I revoke a credential using `revoke_self_token`?**
No, `revoke_self_token` only invalidates your current session token. To remove an API key or temporary access right, you need to call the specific tool for that resource.

**How does `create_acl_policy` work?**
`create_acl_policy` lets you define granular rules. You specify exactly which paths can be read or written to, ensuring only authorized actions are possible.

**If I'm integrating a new service, how do I authenticate using the `approle_login` tool?**
You use AppRole credentials for machine-to-machine authentication. This requires defining specific roles and secrets within Vault first, which then allows your agent to assume those defined permissions.

**When setting up a new database connection, what do I need to know about using `configure_database`?**
You must first define the necessary backend roles and credential generation methods for that specific database. The tool handles generating temporary credentials on demand when your agent requests them.

**What kind of audit information can I gather by calling `list_token_accessors`?**
This command lists all accessors tied to a given token, helping you audit exactly which resources that specific token is allowed to interact with. It's critical for checking permissions.

**How does the `issue_pki_cert` tool work to generate new client certificates?**
This command issues a signed X.509 certificate based on your existing PKI roles and policies. You'll need to specify key details like the common name and desired expiration date.