HashiCorp Vault MCP server
Read secrets, manage mounts, and issue PKI certificates from your AI agents.
About
Connect Tracecat to HashiCorp Vault to act on the secrets and PKI backbone for IAM, AppSec, and SRE teams responding to leaked credentials or short-lived certificate needs. You can read and write KV secrets, rotate a leaked API key from a Snyk finding, and mint a short-lived certificate from a workflow. From there, manage secret engines, issue PKI certificates from a role, and pull KV metadata during incident response without secret material ever leaving your network.
Setup
1. Create an access token
   The HashiCorp Vault MCP server authenticates with a Vault token passed in `VAULT_TOKEN`. Token policies determine what the agent can see and change, so issue a scoped token from a role with least privilege.
2. Select the HashiCorp Vault tile in the Tracecat MCP catalog
   Open the MCP catalog in your workspace, select the HashiCorp Vault tile, and paste your access token.
3. Enable HashiCorp Vault in your agent
   In your `ai.agent` action or Agents → tools tab, select HashiCorp Vault from the MCP integrations dropdown.
Tools
| Tool | Description |
| --- | --- |
| read_secret | Read a KV v2 secret at a given path and version. |
| write_secret | Write a KV v2 secret. Supports CAS for safe concurrent updates. |
| list_secrets | List secret keys under a KV mount path. |
| delete_secret | Delete a KV secret or a specific version. |
| list_mounts | List secret engines mounted in the Vault cluster. |
| create_mount | Enable a new secret engine such as KV, PKI, or transit. |
| enable_pki | Configure a PKI secrets engine for certificate issuance. |
| issue_pki_certificate | Issue a leaf certificate from a PKI role for a given common name. |
| list_pki_roles | List PKI roles available on a mount with their constraints. |
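
Step 1 of Setup asks for a token whose policy limits what the agent can do. The policy below is an added example, not part of the Tracecat or HashiCorp material for this integration. It grants only the read and certificate-issuing tools, and it assumes a KV v2 mount at `secret/` with an `apps/` subtree, a PKI mount at `pki/`, a PKI role named `agent-leaf`, a policy named `tracecat-agent`, and that the tools call the standard Vault HTTP API paths.

```hcl
# tracecat-agent.hcl (added example; mount names, the apps/ subtree and
# the role name "agent-leaf" are assumptions, adjust to your cluster)

# read_secret: KV v2 stores secret versions under <mount>/data/
path "secret/data/apps/*" {
  capabilities = ["read"]
}

# list_secrets and KV metadata lookups: KV v2 keeps keys and
# version metadata under <mount>/metadata/
path "secret/metadata/apps/*" {
  capabilities = ["read", "list"]
}

# list_mounts: reading sys/mounts returns the enabled secret engines
path "sys/mounts" {
  capabilities = ["read"]
}

# list_pki_roles: list role names, then read each role's constraints
path "pki/roles" {
  capabilities = ["list"]
}
path "pki/roles/*" {
  capabilities = ["read"]
}

# issue_pki_certificate: issuing is a write to issue/<role>;
# naming one role keeps the agent bound to that role's constraints
path "pki/issue/agent-leaf" {
  capabilities = ["update"]
}

# Deliberately not granted: write_secret, delete_secret, create_mount,
# enable_pki. With no matching path, Vault denies those calls.

# Load the policy and mint a short-lived token with the Vault CLI:
#   vault policy write tracecat-agent tracecat-agent.hcl
#   vault token create -policy=tracecat-agent -no-default-policy \
#     -ttl=8h -explicit-max-ttl=24h
```

Paste the resulting token into the catalog tile in step 2. A workflow that rotates keys would need a second, separately scoped policy with `create` and `update` on the specific `secret/data/` paths it rotates.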