Can I use HashiCorp Vault as a CLI?

Yes. KosmoKrator exposes a HashiCorp Vault CLI through kosmo integrations:call and the provider shortcut command. Commands can return JSON for scripts, CI, and coding agents.

Can I expose HashiCorp Vault through MCP?

Yes. The KosmoKrator MCP gateway can expose selected HashiCorp Vault tools to clients such as Claude Code, Cursor, Codex, and other MCP-compatible tools.

Where are HashiCorp Vault credentials stored?

HashiCorp Vault credentials are configured in KosmoKrator's local integration settings and reused by CLI, Lua, and MCP gateway surfaces.

Can I deny write access for HashiCorp Vault MCP tools?

Yes. Start the gateway with --write=deny for read-only clients, or use ask/allow only for trusted workspaces.

productivity

HashiCorp Vault CLI for AI Agents

Use the HashiCorp Vault CLI from KosmoKrator to call HashiCorp Vault tools headlessly, return JSON, inspect schemas, and automate workflows from coding agents, scripts, and CI.

7 functions 5 read 2 write API token auth

Submit HashiCorp Vault feedback View package source

HashiCorp Vault CLI Setup

HashiCorp Vault can be configured headlessly with `kosmokrator integrations:configure vault`.

# Install KosmoKrator first if it is not available on PATH.
curl -fsSL https://raw.githubusercontent.com/OpenCompanyApp/kosmokrator/main/install.sh | bash

# Configure and verify this integration.
kosmokrator integrations:configure vault --set token="$VAULT_TOKEN" --enable --read allow --write ask --json
kosmokrator integrations:doctor vault --json
kosmokrator integrations:status --json

Credentials

Authentication type: API token api_token. Configure credentials once, then use the same stored profile from scripts, coding CLIs, Lua code mode, and the MCP gateway.

Key	Env var	Type	Required	Label
`token`	`VAULT_TOKEN`	Secret `secret`	yes	Vault Token

Call HashiCorp Vault Headlessly

Use the generic call form when another coding CLI or script needs a stable universal interface.

kosmo integrations:call vault.vault_list_secrets '{
  "engine_path": "example_engine_path",
  "path": "example_path"
}' --json

Use the provider shortcut form for shorter human-facing commands.

kosmo integrations:vault vault_list_secrets '{
  "engine_path": "example_engine_path",
  "path": "example_path"
}' --json

Agent Discovery Commands

These commands return structured output for coding agents that need to inspect capabilities before choosing a function.

kosmo integrations:docs vault --json
kosmo integrations:docs vault.vault_list_secrets --json
kosmo integrations:schema vault.vault_list_secrets --json
kosmo integrations:search "HashiCorp Vault" --json
kosmo integrations:list --json

All CLI Functions

Every function below can be called headlessly. The generic form is stable across all integrations; the provider shortcut is shorter but specific to HashiCorp Vault.

`vault.vault_list_secrets`

Read read

List secrets at a given path in a HashiCorp Vault KV v2 secrets engine. Returns the keys (directory entries) at the specified path.

Parameters: engine_path, path

Generic CLI call

kosmo integrations:call vault.vault_list_secrets '{"engine_path":"example_engine_path","path":"example_path"}' --json

Provider shortcut

kosmo integrations:vault vault_list_secrets '{"engine_path":"example_engine_path","path":"example_path"}' --json

`vault.vault_get_secret`

Read read

Get the latest version of a secret from a HashiCorp Vault KV v2 secrets engine. Optionally specify a version number to retrieve a specific version.

Parameters: path, engine_path, version

Generic CLI call

kosmo integrations:call vault.vault_get_secret '{"path":"example_path","engine_path":"example_engine_path","version":1}' --json

Provider shortcut

kosmo integrations:vault vault_get_secret '{"path":"example_path","engine_path":"example_engine_path","version":1}' --json

`vault.vault_create_secret`

Write write

Create or update a secret in a HashiCorp Vault KV v2 secrets engine. Provide the secret path and a key-value data object.

Parameters: path, data, engine_path

Generic CLI call

kosmo integrations:call vault.vault_create_secret '{"path":"example_path","data":"example_data","engine_path":"example_engine_path"}' --json

Provider shortcut

kosmo integrations:vault vault_create_secret '{"path":"example_path","data":"example_data","engine_path":"example_engine_path"}' --json

`vault.vault_delete_secret`

Write write

Permanently delete all versions and metadata of a secret from a HashiCorp Vault KV v2 secrets engine. This action is irreversible.

Parameters: path, engine_path

Generic CLI call

kosmo integrations:call vault.vault_delete_secret '{"path":"example_path","engine_path":"example_engine_path"}' --json

Provider shortcut

kosmo integrations:vault vault_delete_secret '{"path":"example_path","engine_path":"example_engine_path"}' --json

`vault.vault_list_policies`

Read read

List all ACL policies configured in HashiCorp Vault. Returns an array of policy names.

Parameters: none

Generic CLI call

kosmo integrations:call vault.vault_list_policies '{}' --json

Provider shortcut

kosmo integrations:vault vault_list_policies '{}' --json

`vault.vault_get_policy`

Read read

Get details of a specific ACL policy in HashiCorp Vault, including its name and HCL rules.

Parameters: name

Generic CLI call

kosmo integrations:call vault.vault_get_policy '{"name":"example_name"}' --json

Provider shortcut

kosmo integrations:vault vault_get_policy '{"name":"example_name"}' --json

`vault.vault_get_current_user`

Read read

Look up the current Vault token's information, including display name, policies, TTL, and metadata.

Parameters: none

Generic CLI call

kosmo integrations:call vault.vault_get_current_user '{}' --json

Provider shortcut

kosmo integrations:vault vault_get_current_user '{}' --json

Function Schemas

Use these parameter tables when building CLI payloads without calling integrations:schema first.

`vault.vault_list_secrets`

List secrets at a given path in a HashiCorp Vault KV v2 secrets engine. Returns the keys (directory entries) at the specified path.

Operation: Read read
Schema command: kosmo integrations:schema vault.vault_list_secrets --json

Parameter	Type	Required	Description
`engine_path`	string	no	The mount path of the KV v2 secrets engine. Default: secret.
`path`	string	no	The path within the secrets engine to list. Leave empty for root.

`vault.vault_get_secret`

Get the latest version of a secret from a HashiCorp Vault KV v2 secrets engine. Optionally specify a version number to retrieve a specific version.

Operation: Read read
Schema command: kosmo integrations:schema vault.vault_get_secret --json

Parameter	Type	Required	Description
`path`	string	yes	The path of the secret to retrieve (e.g. "myapp/database").
`engine_path`	string	no	The mount path of the KV v2 secrets engine. Default: secret.
`version`	integer	no	The version number to retrieve. Defaults to the latest version.

`vault.vault_create_secret`

Create or update a secret in a HashiCorp Vault KV v2 secrets engine. Provide the secret path and a key-value data object.

Operation: Write write
Schema command: kosmo integrations:schema vault.vault_create_secret --json

Parameter	Type	Required	Description
`path`	string	yes	The path where the secret will be stored (e.g. "myapp/database").
`data`	object	yes	Key-value pairs for the secret data. Example: {"username": "admin", "password": "s3cret"}.
`engine_path`	string	no	The mount path of the KV v2 secrets engine. Default: secret.

`vault.vault_delete_secret`

Permanently delete all versions and metadata of a secret from a HashiCorp Vault KV v2 secrets engine. This action is irreversible.

Operation: Write write
Schema command: kosmo integrations:schema vault.vault_delete_secret --json

Parameter	Type	Required	Description
`path`	string	yes	The path of the secret to delete (e.g. "myapp/database").
`engine_path`	string	no	The mount path of the KV v2 secrets engine. Default: secret.

`vault.vault_list_policies`

List all ACL policies configured in HashiCorp Vault. Returns an array of policy names.

Operation: Read read
Schema command: kosmo integrations:schema vault.vault_list_policies --json

Parameter	Type	Required	Description
No parameters.

`vault.vault_get_policy`

Get details of a specific ACL policy in HashiCorp Vault, including its name and HCL rules.

Operation: Read read
Schema command: kosmo integrations:schema vault.vault_get_policy --json

Parameter	Type	Required	Description
`name`	string	yes	The name of the ACL policy to retrieve.

`vault.vault_get_current_user`

Look up the current Vault token's information, including display name, policies, TTL, and metadata.

Operation: Read read
Schema command: kosmo integrations:schema vault.vault_get_current_user --json

Parameter	Type	Required	Description
No parameters.

Permissions

Headless calls still follow the integration read/write permission policy. Configure read/write defaults with integrations:configure. Add --force only for trusted automation that should bypass that policy.