Vault Mcp
What is Vault Mcp
vault-mcp is a Model Context Protocol (MCP) server implementation designed for secure secret management using HashiCorp Vault. It provides an interface for LLMs and other MCP clients to interact with Vault’s features for managing secrets and policies.
Use cases
Use cases for vault-mcp include automating secret retrieval in applications, managing access policies for different services, and enabling LLMs to securely interact with stored secrets and configurations.
How to use
To use vault-mcp, you can set it up via Docker by adding it to your Cursor MCP configuration or running it manually. For Cursor, include the provided JSON configuration. For manual setup, use the Docker run command with the appropriate environment variables for VAULT_ADDR and VAULT_TOKEN.
Key features
Key features of vault-mcp include secure secret management through a structured API, policy creation and management, resource discovery and listing, and automated policy generation.
Where to use
vault-mcp can be used in environments that require secure secret management, such as cloud applications, enterprise software, and any system that integrates with HashiCorp Vault for managing sensitive data.
HashiCorp Vault MCP Server
A Model Context Protocol (MCP) server implementation that provides a secure interface to HashiCorp Vault which enables LLMs and other MCP clients to interact with Vault’s secret and policy management features.
Overview
This lets you prompt an LLM to use:
- Secure secret management through a structured API
- Policy creation and management
- Resource discovery and listing
- Automated policy generation
Installation
There are multiple ways to use this server depending on your setup.
Cursor (recommended)
Add this to your Cursor MCP configuration:
{
  "mcpServers": {
    "Vault MCP": {
      "command": "docker",
      "args": [
        "run",
        "-i",
        "--rm",
        "-e",
        "VAULT_ADDR=https://your-vault-server:8200",
        "-e",
        "VAULT_TOKEN=hvs.your-vault-token",
        "ashgw/vault-mcp:latest"
      ]
    }
  }
}
If you prefer pinning to a specific docker image build (e.g. 20250413-165732), use that tag instead of latest. Browse available versions on Docker Hub.
Once added, you can use prompts like:
“Read the secret at path apps/myapp/config from Vault”
Cursor will route that request through the MCP server automatically.
Check that it works; it should show green.
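The pinning advice above can be checked mechanically. The following is an added example, not part of vault-mcp: it audits a Cursor MCP config for an unpinned image, a token value written into the file, and a plaintext Vault address. The function names and finding labels are assumptions of this example.

```javascript
// Constructed sample: the Cursor config from this page, placeholder values kept.
const sampleConfig = {
  mcpServers: {
    "Vault MCP": {
      command: "docker",
      args: ["run", "-i", "--rm",
        "-e", "VAULT_ADDR=https://your-vault-server:8200",
        "-e", "VAULT_TOKEN=hvs.your-vault-token",
        "ashgw/vault-mcp:latest"],
    },
  },
};
// docker run flags used on this page that consume the next argument.
const FLAGS_WITH_VALUE = new Set(["-e", "--env", "--name", "-p"]);

function auditDockerArgs(args) {
  const findings = [];
  let image = null;
  for (let i = args.indexOf("run") + 1; i < args.length; i++) {
    const arg = args[i];
    if (arg === "-e" || arg === "--env") {
      // "KEY=value" stores the value in the file; a bare "KEY" is inherited
      // from the environment of the process that launches docker.
      const [key, ...rest] = (args[++i] || "").split("=");
      const value = rest.join("=");
      if (key === "VAULT_TOKEN" && value) findings.push("inline-token");
      if (key === "VAULT_ADDR" && value.startsWith("http://")) findings.push("plaintext-addr");
    } else if (FLAGS_WITH_VALUE.has(arg)) {
      i++;
    } else if (!arg.startsWith("-")) {
      image = arg; // first positional argument after the flags is the image
      break;
    }
  }
  if (image) {
    const name = image.split("/").pop();
    // Pinned means a digest or an explicit tag other than "latest".
    const pinned = image.includes("@sha256:") || (name.includes(":") && !name.endsWith(":latest"));
    if (!pinned) findings.push("unpinned-image");
  }
  return { image, findings };
}

function auditMcpConfig(config) {
  const report = {};
  for (const [name, server] of Object.entries(config.mcpServers || {})) {
    if (server.command === "docker") report[name] = auditDockerArgs(server.args || []);
  }
  return report;
}
```

Run against the config shown on this page, it reports `inline-token` and `unpinned-image`; switching to a dated tag such as 20250413-165732 clears the second finding.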
Docker (manual)
You can run Vault MCP manually via Docker:
docker run -d \
  --name vault-mcp \
  -e VAULT_ADDR=https://your-vault-server:8200 \
  -e VAULT_TOKEN=hvs.your-vault-token \
  -p 3000:3000 \
  ashgw/vault-mcp
This uses the pre-built image published at ashgw/vault-mcp.
Repo
Clone the repository and cd into it, then build with
docker build -t vault-mcp .
Then run with
docker run --rm -e VAULT_ADDR=localhost:8200 -e VAULT_TOKEN=hvs.yourtoken vault-mcp
Environment Variables
These are required to run the MCP Vault server:
- VAULT_ADDR: Your HashiCorp Vault server address
- VAULT_TOKEN: A valid Vault token with read/write permissions
- MCP_PORT: Optional. Defaults to 3000. Not required for Cursor.
Features in Detail
Secret Management Tools
secret_create
Creates or updates a secret at the specified path.
await tool("secret_create", {
  path: "apps/myapp/config",
  data: {
    apiKey: "secret-key-123",
    environment: "production",
  },
});
secret_read
Retrieves a secret from the specified path.
await tool("secret_read", {
  path: "apps/myapp/config",
});
secret_delete
Soft-deletes a secret (versioned delete in KV v2).
await tool("secret_delete", {
  path: "apps/myapp/config",
});
Policy Management
policy_create
Creates a new Vault policy with the specified permissions.
await tool("policy_create", {
  name: "app-readonly",
  policy: `
    path "secret/data/apps/myapp/*" {
      capabilities = ["read", "list"]
    }
  `,
});
Resources
vault://secrets
Lists all available secret paths in the KV store.
{
  "keys": [
    "apps/",
    "databases/",
    "certificates/"
  ]
}
vault://policies
Lists all available Vault policies.
{
  "policies": [
    "default",
    "app-readonly",
    "admin"
  ]
}
Prompts
generate_policy
Generates a Vault policy from path and capabilities.
await prompt("generate_policy", {
  path: "secret/data/apps/*",
  capabilities: "read,list",
});
Returns:
{
  "path": {
    "secret/data/apps/*": {
      "capabilities": [
        "read",
        "list"
      ]
    }
  }
}
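A sketch of the transformation that generate_policy describes, tied to the HCL form that policy_create takes. This is an added example, not vault-mcp's implementation: `generatePolicy`, `toHcl`, the capability allow-list and the refusal of `sudo` by default are all assumptions of this example. It validates the inputs before building the policy, since both the path and the capability string may come from an LLM prompt.

```javascript
// Added example, not vault-mcp's implementation. The allow-list holds the core
// capability names of Vault's ACL policy syntax; refusing "sudo" unless asked
// for explicitly is this example's own choice.
const VAULT_CAPABILITIES = new Set(
  ["create", "read", "update", "patch", "delete", "list", "sudo", "deny"]);

function generatePolicy(path, capabilities, { allowSudo = false } = {}) {
  const p = String(path || "").trim();
  if (!p) throw new Error("path is required");
  // The path is later interpolated into HCL, so reject anything that could
  // close the quoted string or the stanza and append extra rules.
  if (/["\\{}\r\n]/.test(p)) throw new Error("illegal character in path");
  // Split the comma-separated string, normalise case, drop blanks and repeats.
  const caps = [...new Set(String(capabilities || "").split(",")
    .map((c) => c.trim().toLowerCase()).filter(Boolean))];
  if (caps.length === 0) throw new Error("at least one capability is required");
  for (const c of caps) {
    if (!VAULT_CAPABILITIES.has(c)) throw new Error(`unknown capability: ${c}`);
  }
  if (caps.includes("sudo") && !allowSudo) {
    throw new Error("sudo must be requested explicitly");
  }
  // Same shape as the "Returns" JSON shown on this page.
  return { path: { [p]: { capabilities: caps } } };
}

// Render the JSON form as the HCL text that policy_create takes.
function toHcl(policy) {
  return Object.entries(policy.path).map(([p, rule]) => {
    const caps = rule.capabilities.map((c) => `"${c}"`).join(", ");
    return `path "${p}" {\n  capabilities = [${caps}]\n}`;
  }).join("\n\n");
}
```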
License