
vault

MCP server from hashicorp/vault-mcp-server

Installation
Run this command in your terminal to add the MCP server to Claude Code.
claude mcp add --transport stdio hashicorp-vault-mcp-server docker run -i --rm -e VAULT_ADDR=${VAULT_ADDR} -e VAULT_TOKEN=${VAULT_TOKEN} -e VAULT_NAMESPACE=${VAULT_NAMESPACE} hashicorp/vault-mcp-server

How to use

This Vault MCP Server provides an MCP interface that integrates HashiCorp Vault for secrets management. It supports mounting KV backends (both KV v1 and KV v2), reading and writing secrets, listing mounts and secrets, and deleting mounts or keys. The server is designed to work with both stdio and HTTP transports, making it compatible with various MCP clients. To start, ensure you have a Vault server available (local or remote) and supply a Vault token with appropriate permissions. When using the HTTP mode, configure the port and host as needed and be mindful of CORS and origin restrictions.

The tooling available includes the following capabilities: create new Vault mounts, list and delete mounts, write and read secrets to KV mounts, list secrets under a path, and delete secrets at the key or path level. The server also provides a comprehensive HTTP middleware stack (CORS, Vault context, and logging) to manage requests securely and transparently. Session-based Vault client management helps maintain authenticated interactions across requests, and structured logging aids in observability and troubleshooting.

How to install

Prerequisites:

  • Docker installed and running (or a local Go/Vault setup if you prefer building and running natively)
  • A Vault server accessible at the configured VAULT_ADDR
  • A Vault token with permissions to manage mounts and secrets

Installation options:

Option A: Run with Docker (recommended for quick setup)

  1. Ensure environment variables are set or import them at runtime:
    • VAULT_ADDR: URL of your Vault server (e.g., http://127.0.0.1:8200)
    • VAULT_TOKEN: Vault token with permissions
    • VAULT_NAMESPACE: optional namespace
  2. Start the MCP server via Docker:
       docker run -e VAULT_ADDR=http://127.0.0.1:8200 \
         -e VAULT_TOKEN=your-token \
         -e VAULT_NAMESPACE=optional-namespace \
         hashicorp/vault-mcp-server

Option B: Build and run locally (Go-based, if you prefer not to use Docker)

  1. Prerequisites: Go 1.20+ and Vault installed/accessible
  2. Clone the repository and navigate into it
  3. Build the binary (if a build script exists, use that; otherwise use go build): go build -o vault-mcp-server ./...
  4. Run the server (stdio mode by default): ./vault-mcp-server or explicitly: ./vault-mcp-server stdio
  5. If you want HTTP mode, ensure your Vault and MCP_ENDPOINT are configured and run with the http flag plus port, for example: ./vault-mcp-server http --transport-port 8080

Notes:

  • If you use the Docker option, you can also pass environment variables directly or via a docker-compose setup for easier management.

Additional notes

Environment variables and configuration tips:

  • VAULT_ADDR is the Vault server address (default http://127.0.0.1:8200). Ensure this points to a reachable Vault instance.
  • VAULT_TOKEN is required for authentication; avoid exposing it in logs or in client configurations.
  • MCP_ALLOWED_ORIGINS can be set when using HTTP/StreamableHTTP to restrict cross-origin requests.
  • MCP_ENDPOINT defines the HTTP server endpoint path (default /mcp).
  • For HTTP mode, be mindful of TLS configuration using MCP_TLS_CERT_FILE and MCP_TLS_KEY_FILE if you expose the server over TLS.
  • CORS, Vault context, and logging middleware are enabled by default to provide structured request handling and observability.
  • In production, avoid running with default tokens and enable TLS, proper authentication, and origin restrictions.
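
An added example, not code from the vault-mcp-server project: a POSIX shell preflight that checks the variables listed above against the production advice before the server is launched. The function name and finding texts are hypothetical, and treating `root` as a default token and a `*` in MCP_ALLOWED_ORIGINS as a wildcard are assumptions, since this page does not define either.

```shell
# Added example: preflight for the variables named on this page.
# Usage: vault_mcp_preflight stdio|http
# Prints one "FINDING: ..." line per problem; returns 0 if clean, 1 otherwise.
vault_mcp_preflight() {
  pf_mode="$1"
  pf_count=0
  pf_note() { printf 'FINDING: %s\n' "$1"; pf_count=$((pf_count + 1)); }

  # VAULT_TOKEN is required. "your-token" is this page's placeholder; "root"
  # is an assumed example of a dev-server default token.
  case "${VAULT_TOKEN:-}" in
    "") pf_note "VAULT_TOKEN is not set" ;;
    root|your-token) pf_note "VAULT_TOKEN is a default or placeholder value" ;;
  esac

  # Plain HTTP to Vault is accepted only for loopback addresses.
  case "${VAULT_ADDR:-http://127.0.0.1:8200}" in
    *@*) pf_note "VAULT_ADDR contains userinfo (@); host is ambiguous" ;;
    https://*) ;;
    http://127.0.0.1|http://127.0.0.1:*|http://localhost|http://localhost:*) ;;
    *) pf_note "VAULT_ADDR is not HTTPS and not loopback" ;;
  esac

  if [ "$pf_mode" = "http" ]; then
    # Assumption: an unset value, or one containing "*", restricts nothing.
    case "${MCP_ALLOWED_ORIGINS:-}" in
      "") pf_note "MCP_ALLOWED_ORIGINS is not set" ;;
      *\**) pf_note "MCP_ALLOWED_ORIGINS contains a wildcard" ;;
    esac
    # TLS needs both files, and both must be readable by the server's user.
    if [ -z "${MCP_TLS_CERT_FILE:-}" ] || [ -z "${MCP_TLS_KEY_FILE:-}" ]; then
      pf_note "MCP_TLS_CERT_FILE and MCP_TLS_KEY_FILE are not both set"
    elif [ ! -r "$MCP_TLS_CERT_FILE" ] || [ ! -r "$MCP_TLS_KEY_FILE" ]; then
      pf_note "TLS certificate or key file is not readable"
    fi
  fi

  # Exit status reflects whether any finding was recorded.
  [ "$pf_count" -eq 0 ]
}
```

Call `vault_mcp_preflight http` (or `stdio`) in the launch script and start the server only when it returns 0.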
