What is MCP Server for HashiCorp Vault?
MCP Server for HashiCorp Vault is a Model Context Protocol (MCP) server implementation that provides a secure interface to HashiCorp Vault, enabling LLMs and other MCP clients to interact with Vault's secret and policy management features.
How to use MCP Server?
To use the MCP Server, you can run it via Docker or integrate it with Cursor MCP configuration. You need to set environment variables for your Vault server address and token.
Key features of MCP Server?
- Secure secret management through a structured API
- Policy creation and management
- Resource discovery and listing
- Automated policy generation
Use cases of MCP Server?
- Managing application secrets securely.
- Creating and managing access policies for different applications.
- Automating the generation of Vault policies based on user-defined parameters.
FAQ from MCP Server?
- Can I run MCP Server without Docker?
Yes, you can clone the repository and build it manually.
- What environment variables are required?
You need to set VAULT_ADDR and VAULT_TOKEN to run the server.
- Is there a way to list all available secrets?
Yes, you can use the vault://secrets resource to list all available secret paths.
HashiCorp Vault MCP Server
A Model Context Protocol (MCP) server implementation that provides a secure interface to HashiCorp Vault, enabling LLMs and other MCP clients to interact with Vault's secret and policy management features.
Overview
This allows you to prompt an LLM to:
- Manage secrets securely through a structured API
- Create and manage policies
- Discover and list resources
- Generate policies automatically
Installation
There are multiple ways to use this server depending on your setup.
Cursor (recommended)
Add this to your Cursor MCP configuration:
{
  "mcpServers": {
    "Vault MCP": {
      "command": "docker",
      "args": [
        "run",
        "-i",
        "--rm",
        "-e",
        "VAULT_ADDR=https://your-vault-server:8200",
        "-e",
        "VAULT_TOKEN=hvs.your-vault-token",
        "ashgw/vault-mcp:latest"
      ]
    }
  }
}
If you prefer pinning to a specific Docker image build (e.g. 20250413-165732), use that tag instead of latest. Browse available versions on Docker Hub.
Once added, you can use prompts like:
"Read the secret at path apps/myapp/config from Vault"
Cursor will route that request through the MCP server automatically.
Check that the server shows as connected (green) in Cursor's MCP settings.
Docker (manual)
You can run Vault MCP manually via Docker:
docker run -d \
--name vault-mcp \
-e VAULT_ADDR=https://your-vault-server:8200 \
-e VAULT_TOKEN=hvs.your-vault-token \
-p 3000:3000 \
ashgw/vault-mcp
This uses the pre-built image published at ashgw/vault-mcp.
Repo
Clone the repository and cd into it, then build with
docker build -t vault-mcp .
Then run with
docker run --rm -e VAULT_ADDR=http://localhost:8200 -e VAULT_TOKEN=hvs.yourtoken vault-mcp
Environment Variables
These are required to run the MCP Vault server:
VAULT_ADDR: Your HashiCorp Vault server address
VAULT_TOKEN: A valid Vault token with read/write permissions
MCP_PORT: Optional. Defaults to 3000. Not required for Cursor.
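The failure mode these variables most often produce is a VAULT_ADDR without a scheme (a bare host:port), which Vault clients reject, and a token that ends up in a log line. The following is an added example, not code from the vault-mcp project: a small Node.js loader that validates the three variables listed above before a server starts and redacts the token for display. All function names, messages and the sample environment are this example's own constructions.

```javascript
// Added example, not part of the vault-mcp project: validate the three
// environment variables listed above before starting a server.
// All function names here are this example's own.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const DEFAULT_MCP_PORT = 3000;

// VAULT_ADDR must be a full URL. The WHATWG URL parser accepts a bare
// "localhost:8200" and reports "localhost:" as its scheme, so the scheme has
// to be checked explicitly rather than relying on the constructor to throw.
function parseVaultAddr(raw) {
  if (!raw || String(raw).trim() === "") {
    throw new Error("VAULT_ADDR is required");
  }
  let url;
  try {
    url = new URL(String(raw).trim());
  } catch {
    throw new Error(`VAULT_ADDR is not a valid URL: "${raw}"`);
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    throw new Error(`VAULT_ADDR must start with http:// or https:// (got "${raw}")`);
  }
  return url.href.replace(/\/+$/, "");
}

// MCP_PORT is optional and defaults to 3000; when set it must be a TCP port.
function parsePort(raw) {
  if (raw === undefined || raw === null || String(raw).trim() === "") {
    return DEFAULT_MCP_PORT;
  }
  const text = String(raw).trim();
  if (!/^\d{1,5}$/.test(text)) {
    throw new Error(`MCP_PORT must be an integer (got "${raw}")`);
  }
  const port = Number(text);
  if (port < 1 || port > 65535) {
    throw new Error(`MCP_PORT out of range: ${port}`);
  }
  return port;
}

// Show only the token type prefix (hvs. service, hvb. batch, s. legacy) in
// logs and error messages; never the token body.
function redactToken(token) {
  const prefix = String(token).match(/^(hvs|hvb|s)\./);
  return prefix ? `${prefix[0]}****` : "****";
}

// Returns the validated configuration plus non-fatal warnings for the operator.
function loadVaultConfig(env = process.env) {
  const addr = parseVaultAddr(env.VAULT_ADDR);
  const token = env.VAULT_TOKEN;
  if (!token || String(token).trim() === "") {
    throw new Error("VAULT_TOKEN is required");
  }
  const warnings = [];
  if (addr.startsWith("http://")) {
    warnings.push("VAULT_ADDR uses plaintext http; the token travels unencrypted");
  }
  if (/your-vault-token|yourtoken/.test(token)) {
    warnings.push(`VAULT_TOKEN looks like a README placeholder (${redactToken(token)})`);
  }
  return { addr, token: String(token).trim(), port: parsePort(env.MCP_PORT), warnings };
}

// Constructed sample environment; the address and token are placeholders.
const sampleEnv = {
  VAULT_ADDR: "https://vault.example.internal:8200/",
  VAULT_TOKEN: "hvs.CONSTRUCTED-PLACEHOLDER",
};
const sampleConfig = loadVaultConfig(sampleEnv);
console.log(
  `Vault at ${sampleConfig.addr}, MCP port ${sampleConfig.port}, token ${redactToken(sampleConfig.token)}`
);
```

Run it against the real environment with loadVaultConfig() and log only the redacted token; the plaintext-http warning is worth surfacing because the token in VAULT_TOKEN is sent on every request the server makes.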
Features in Detail
Secret Management Tools
secret/create
Creates or updates a secret at the specified path.
await tool("secret/create", {
  path: "apps/myapp/config",
  data: {
    apiKey: "secret-key-123",
    environment: "production",
  },
});
secret/read
Retrieves a secret from the specified path.
await tool("secret/read", {
  path: "apps/myapp/config",
});
secret/delete
Soft-deletes a secret (versioned delete in KV v2).
await tool("secret/delete", {
  path: "apps/myapp/config",
});
Policy Management
policy/create
Creates a new Vault policy with specified permissions.
await tool("policy/create", {
  name: "app-readonly",
  policy: `
    path "secret/data/apps/myapp/*" {
      capabilities = ["read", "list"]
    }
  `,
});
Resources
vault://secrets
Lists all available secret paths in the KV store.
{
  "keys": ["apps/", "databases/", "certificates/"]
}
vault://policies
Lists all available Vault policies.
{
  "policies": ["default", "app-readonly", "admin"]
}
Prompts
generate-policy
Generates a Vault policy from path and capabilities.
await prompt("generate-policy", {
  path: "secret/data/apps/*",
  capabilities: "read,list",
});
Returns:
{
  "path": {
    "secret/data/apps/*": {
      "capabilities": ["read", "list"]
    }
  }
}
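The secret/* tools above operate on a KV v2 mount, where one logical secret lives under several API prefixes (data/, metadata/, undelete/, destroy/), and the generate-policy prompt returns Vault's JSON policy shape for a path plus capabilities. The following is an added example, not code from the vault-mcp project, that ties the two together: it builds the JSON policy shown in the "Returns:" block, rejects capabilities Vault does not define, renders the HCL that policy/create accepts, maps a logical KV v2 path to the API paths a least-privilege policy has to name, and flags rules that deserve a human look before they are written. It goes beyond the page's single case by covering the whole capability set and the KV v2 path family. All function names are this example's own assumptions.

```javascript
// Added example, not part of the vault-mcp project: policy generation and
// KV v2 path mapping for the tools and prompt described above. Function names
// are this example's own.

// The capability set Vault's ACL policies define.
const VAULT_CAPABILITIES = new Set([
  "create", "read", "update", "patch", "delete", "list", "sudo", "deny",
]);

// "read,list" -> ["read", "list"]. Unknown or empty capability lists are
// rejected so a typo cannot silently yield a policy that grants nothing or too much.
function parseCapabilities(csv) {
  const caps = String(csv).split(",").map((c) => c.trim().toLowerCase()).filter(Boolean);
  if (caps.length === 0) throw new Error("at least one capability is required");
  for (const c of caps) {
    if (!VAULT_CAPABILITIES.has(c)) throw new Error(`unknown Vault capability: "${c}"`);
  }
  return [...new Set(caps)];
}

// Same output shape as the generate-policy "Returns:" block above.
function generatePolicy(path, capabilitiesCsv) {
  if (typeof path !== "string" || path.trim() === "" || path.startsWith("/")) {
    throw new Error("path must be a non-empty path relative to the mount root");
  }
  return { path: { [path.trim()]: { capabilities: parseCapabilities(capabilitiesCsv) } } };
}

// Render the JSON form as the HCL string policy/create accepts.
function toHcl(policy) {
  return Object.entries(policy.path)
    .map(([p, rule]) => {
      const caps = rule.capabilities.map((c) => JSON.stringify(c)).join(", ");
      return `path "${p}" {\n  capabilities = [${caps}]\n}`;
    })
    .join("\n\n");
}

// A KV v2 mount exposes one logical secret under several API prefixes; the
// secret/* tools above work on the data prefix, the soft delete included.
function kvV2Paths(mount, logicalPath) {
  const base = mount.replace(/^\/+|\/+$/g, "");
  const p = logicalPath.replace(/^\/+|\/+$/g, "");
  return {
    data: `${base}/data/${p}`,         // secret/create, secret/read, secret/delete (soft, recoverable)
    metadata: `${base}/metadata/${p}`, // key listing and version history
    undelete: `${base}/undelete/${p}`, // restore a soft-deleted version
    destroy: `${base}/destroy/${p}`,   // permanently remove versions
  };
}

// Least privilege for a consumer of a KV v2 subtree: "read" on data/, "list"
// on metadata/ (a "list" capability on data/ matches no KV v2 list request).
function readOnlyKvPolicy(mount, logicalPrefix) {
  const { data, metadata } = kvV2Paths(mount, logicalPrefix);
  return {
    path: {
      [`${data}/*`]: { capabilities: ["read"] },
      [`${metadata}/*`]: { capabilities: ["list"] },
    },
  };
}

// Rules worth a human review before a generated policy is written to Vault.
function policyWarnings(policy) {
  const warnings = [];
  for (const [p, rule] of Object.entries(policy.path)) {
    if (rule.capabilities.includes("sudo")) warnings.push(`${p}: grants sudo`);
    if (p === "*") warnings.push(`${p}: matches every path`);
    if (p.startsWith("sys/")) warnings.push(`${p}: touches the system backend`);
    if (p.includes("/metadata/") && rule.capabilities.includes("delete")) {
      warnings.push(`${p}: delete on metadata removes every version permanently`);
    }
  }
  return warnings;
}

// Constructed demonstration using the page's own example inputs.
const pagePolicy = generatePolicy("secret/data/apps/*", "read,list");
console.log(JSON.stringify(pagePolicy, null, 2));
console.log(toHcl(readOnlyKvPolicy("secret", "apps/myapp")));
console.log(policyWarnings(generatePolicy("*", "sudo")));
```

The readOnlyKvPolicy output is the one to compare against the app-readonly example under policy/create: that example puts list on secret/data/..., which KV v2 never consults for listing, so metadata/ is the path that actually needs it.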