Tracecat

HashiCorp Vault MCP server

Read secrets, manage mounts, and issue PKI certificates from your AI agents.

Identity
http

About

Connect Tracecat to HashiCorp Vault to act on the secrets and PKI backbone for IAM, AppSec, and SRE teams responding to leaked credentials or short-lived certificate needs. You can read and write KV secrets, rotate a leaked API key from a Snyk finding, and mint a short-lived certificate from a workflow. From there, manage secret engines, issue PKI certificates from a role, and pull KV metadata during incident response without secret material ever leaving your network.

Setup

  1. Create an access token

    The HashiCorp Vault MCP server authenticates with a Vault token passed in `VAULT_TOKEN`. Token policies determine what the agent can see and change, so issue a scoped token from a role with least privilege.

  2. Select the HashiCorp Vault tile in the Tracecat MCP catalog

    Open the MCP catalog in your workspace, select the HashiCorp Vault tile, and paste your access token.

  3. Enable HashiCorp Vault in your agent

    In your ai.agent action or Agents tools tab, select HashiCorp Vault from the MCP integrations dropdown.
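A least-privilege policy for the token created in step 1 could look like the following. This is an added example, not Tracecat's or HashiCorp's own configuration. It assumes the tools call the standard KV v2 and PKI API paths, and the mount names `secret/` and `pki/`, the `ir/` prefix and the role name `short-lived` are made up for illustration.

```hcl
# Constructed example policy. Mount names (secret/, pki/), the ir/ prefix
# and the "short-lived" role are assumptions, not values from the page.

# read_secret: KV v2 serves secret data under <mount>/data/<path>.
path "secret/data/ir/*" {
  capabilities = ["read"]
}

# list_secrets and KV metadata lookups go through <mount>/metadata/<path>.
path "secret/metadata/ir/*" {
  capabilities = ["read", "list"]
}

# issue_pki_certificate: issuing a leaf is a write to <mount>/issue/<role>.
# Naming the role here pins the agent to that role's constraints.
path "pki/issue/short-lived" {
  capabilities = ["update"]
}

# list_pki_roles: list role names and read their constraints.
path "pki/roles/*" {
  capabilities = ["read", "list"]
}

# list_mounts: read-only view of the enabled secret engines.
path "sys/mounts" {
  capabilities = ["read"]
}

# Deliberately absent: create/update/delete on secret/data/*, and any
# write under sys/mounts/* or the PKI configuration paths. Vault policies
# are deny-by-default, so write_secret, delete_secret, create_mount and
# enable_pki fail for a token that carries only this policy.
```

Load it with `vault policy write` and attach it when creating the token, for example `vault token create -policy=<name> -ttl=<duration>`, so the token that goes into `VAULT_TOKEN` is both scoped and short-lived. Add write or mount-management paths only for agents whose workflows need those tools.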

Tools

read_secret

Read a KV v2 secret at a given path and version.

write_secret

Write a KV v2 secret. Supports CAS for safe concurrent updates.

list_secrets

List secret keys under a KV mount path.

delete_secret

Delete a KV secret or a specific version.

list_mounts

List secret engines mounted in the Vault cluster.

create_mount

Enable a new secret engine such as KV, PKI, or transit.

enable_pki

Configure a PKI secrets engine for certificate issuance.

issue_pki_certificate

Issue a leaf certificate from a PKI role for a given common name.

list_pki_roles

List PKI roles available on a mount with their constraints.
