Vault MCP Server
An MCP server for interacting with the HashiCorp Vault secrets management tool.
Vault MCP Server
There is now an official Vault MCP Server from Hashicorp. Therefore, the alternative third-party Vault MCP Server will continue to exist and be updated with features and fixes, but no attempt will be made to compete with the official product. The third-party Vault MCP Server can be executed locally instead of only remotely (although in many situations remote is preferable), and will continue to be available as a container image.
Due to this policy enacted because of the official product release, there will be no formal release process, versioning, or changelog. This product is also not recommended for enterprise production usage.
The MCP Server container image is hosted at Dockerhub, and it represents the code hosted here at HEAD.
Desktop Configs
These can hopefully be extrapolated and modified to fit other clients if you want to play with this server for whatever reason.
Claude
{
"mcpServers": {
"vault": {
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"-e",
"VAULT_URL",
"-e",
"VAULT_TOKEN",
"matthewschuchard/vault-mcp-server"
],
"env": {
"VAULT_URL": "<VAULT SERVER CLUSTER URL>",
"VAULT_TOKEN": "<VAULT AUTHENTICATION TOKEN>"
}
}
}
}
VSCode
The MCP: Add Server --> Docker Image command can also streamline this configuration. The values below can be entered into the input prompts, and then the mcp.json file is automically opened within a pane afterward for further updates if necessary.
{
"servers": {
"vault": {
"type": "stdio",
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"-e",
"VAULT_URL",
"-e",
"VAULT_TOKEN",
"matthewschuchard/vault-mcp-server"
],
"env": {
"VAULT_URL": "<VAULT SERVER CLUSTER URL>",
"VAULT_TOKEN": "<VAULT AUTHENTICATION TOKEN>"
}
}
}
}
Features
Resources
- Current Enabled ACL Policies
- Current Enabled Audit Devices
- Current Enabled Authentication Engines
- Current Enabled Secret Engines
Tools
- ACL Policies
- Audit Devices
- Authentication Engine: Enable/Disable/List
- Secrets Engines
- Enable/Disable/List
- KV Version 2
- PKI
- Transit
Prompts
- mcp.vault.example-acl-policy: This displays an example Vault ACL Policy in JSON string format. The displayed policy can be modified and entered as-is to the LLM (verified with Claude), and it will understand that you want to create an ACL Policy with your modified content (with an auto-generated name). However, it is probably more prudent to use it as an input to the tool instead.
- mcp.vault.generate-acl-policy: This displays a pseudo-example Vault ACL Policy in JSON string format similar to the above prompt. The primary difference is that this prompt accepts a
pathsargument inlist[str]type format, and the returned policy will contain the input paths. However, thecapabilitieswill still be boilerplate, and need to be modified for your usage.
Related Servers
Earthdata MCP Server
Interact with NASA Earth Data for efficient dataset discovery and retrieval for geospatial analysis.
CData SAP Ariba Source
An MCP server for SAP Ariba Source, powered by CData. Requires the external CData JDBC Driver for SAP Ariba Source.
Salesforce Lite
A simple and lightweight server for connecting AI assistants to Salesforce data.
Remote MCP Server on Cloudflare
A remote MCP server for Cloudflare Workers with OAuth login support, using Cloudflare KV for storage.
ThingsPanel MCP
An MCP server for interacting with the ThingsPanel IoT platform.
Cloudflare DNS
Manage Cloudflare DNS records for your domains.
Terra
Access and manage wearable and health app data through the Terra API.
Alpha Vantage
Access real-time and historical stock market data from the Alpha Vantage API.
Remote MCP Server (Authless)
A remote MCP server deployable on Cloudflare Workers without authentication.
Pangea MCP proxy
Protect any MCP server from malicious entities and confidential PII using Pangea's AI Guard and Vault.