Can I use HashiCorp Vault as a CLI?

Yes. KosmoKrator exposes a HashiCorp Vault CLI through kosmo integrations:call and the provider shortcut command. Commands can return JSON for scripts, CI, and coding agents.

Can I expose HashiCorp Vault through MCP?

Yes. The KosmoKrator MCP gateway can expose selected HashiCorp Vault tools to clients such as Claude Code, Cursor, Codex, and other MCP-compatible tools.

Where are HashiCorp Vault credentials stored?

HashiCorp Vault credentials are configured in KosmoKrator's local integration settings and reused by CLI, Lua, and MCP gateway surfaces.

Can I deny write access for HashiCorp Vault MCP tools?

Yes. Start the gateway with --write=deny for read-only clients, or use ask/allow only for trusted workspaces.

productivity

HashiCorp Vault MCP Integration for OpenAI Agents SDK

Connect HashiCorp Vault to OpenAI Agents SDK through the local KosmoKrator MCP gateway with scoped tools, credentials, and write policy.

7 functions 5 read 2 write API token auth

Submit HashiCorp Vault feedback View package source

Connect HashiCorp Vault to OpenAI Agents SDK

Attach KosmoKrator integration tools to OpenAI Agents SDK workflows through a local MCP gateway.

Start the KosmoKrator MCP gateway locally and point the OpenAI Agents SDK MCP tool at that process or wrapper. The gateway is local, scoped to this integration, and starts with --write=deny so OpenAI Agents can inspect read-capable tools without receiving write access by default.

HashiCorp Vault MCP Config for OpenAI Agents SDK

Use headless JSON commands for CI-style execution and MCP for agent tool discovery.

{
  "mcpServers": {
    "kosmokrator-vault": {
      "type": "stdio",
      "command": "kosmo",
      "args": [
        "mcp:serve",
        "--integration=vault",
        "--write=deny"
      ]
    }
  }
}

Run the Gateway Manually

kosmokrator mcp:serve --integration=vault --write=deny

Why Use KosmoKrator Here

Scoped tools

Expose only HashiCorp Vault instead of a broad multi-service tool list.

Local credentials

Reuse credentials already configured for the KosmoKrator CLI and Lua runtime.

Write policy

Start read-only, then opt into ask or allow for trusted workspaces.

HashiCorp Vault Tools Visible to OpenAI Agents

OpenAI Agents sees stable MCP tool names generated from the HashiCorp Vault integration catalog.

MCP tool	Source function	Type	Description
`integration__vault__vault_list_secrets`	`vault.vault_list_secrets`	Read	List secrets at a given path in a HashiCorp Vault KV v2 secrets engine. Returns the keys (directory entries) at the specified path.
`integration__vault__vault_get_secret`	`vault.vault_get_secret`	Read	Get the latest version of a secret from a HashiCorp Vault KV v2 secrets engine. Optionally specify a version number to retrieve a specific version.
`integration__vault__vault_create_secret`	`vault.vault_create_secret`	Write	Create or update a secret in a HashiCorp Vault KV v2 secrets engine. Provide the secret path and a key-value data object.
`integration__vault__vault_delete_secret`	`vault.vault_delete_secret`	Write	Permanently delete all versions and metadata of a secret from a HashiCorp Vault KV v2 secrets engine. This action is irreversible.
`integration__vault__vault_list_policies`	`vault.vault_list_policies`	Read	List all ACL policies configured in HashiCorp Vault. Returns an array of policy names.
`integration__vault__vault_get_policy`	`vault.vault_get_policy`	Read	Get details of a specific ACL policy in HashiCorp Vault, including its name and HCL rules.
`integration__vault__vault_get_current_user`	`vault.vault_get_current_user`	Read	Look up the current Vault token's information, including display name, policies, TTL, and metadata.

Related HashiCorp Vault Pages

HashiCorp Vault CLIUse direct JSON commands instead of MCP discovery. HashiCorp Vault MCPFull gateway reference and MCP tool names. KosmoKrator for OpenAI AgentsClient-level gateway setup.