hashicorp-vault

Getting Started

1. Install the skill using the command above
2. Open your AI coding agent (Claude Code, Codex, Gemini CLI, or Cursor)
3. Reference the skill in your prompt
4. The AI will use the skill's capabilities automatically

Example Prompts

• "Deploy the latest build to the staging environment and run smoke tests"
• "Check the CI pipeline status and summarize any recent failures"

Overview

HashiCorp Vault is a secrets management platform that provides KV storage with versioning, dynamic short-lived credentials for databases and cloud providers, PKI certificate management, Transit encryption as a service, and fine-grained HCL-based access policies. It integrates with Kubernetes via sidecar injection and CI/CD pipelines via AppRole authentication.

Instructions

• When storing static secrets, use the KV v2 engine with versioning for API keys and configuration values, organizing secrets by application and environment paths.
• When managing database access, use the Database secret engine to generate dynamic, short-lived credentials that automatically expire, limiting the blast radius of credential leaks.
• When authenticating applications, use AppRole for services and CI/CD (with secret_id rotation), Kubernetes auth for pods, and JWT/OIDC for SSO integration; never hardcode tokens.
• When encrypting data, use the Transit engine for encryption as a service so applications encrypt/decrypt data without managing keys, with support for key rotation and convergent encryption.
• When defining access, write HCL policies with deny-by-default, granting minimum capabilities (create, read, update, delete, list) per path, and use path templating for per-user isolation.
• When deploying in Kubernetes, use Vault Agent sidecar injector or CSI provider to inject secrets into pods as files or environment variables, so applications read secrets without a Vault SDK.

Examples

Example 1: Set up dynamic database credentials for a microservice

User request: "Configure Vault to issue short-lived PostgreSQL credentials for my API service"

Actions:

1. Enable the Database secret engine and configure the PostgreSQL connection
2. Create a role with a SQL statement for read-only access and a 1-hour TTL
3. Set up AppRole authentication for the API service with a policy allowing database/creds/readonly
4. Configure Vault Agent sidecar to inject credentials into the pod and auto-renew leases

Output: A microservice that receives dynamic database credentials with automatic rotation and a 1-hour expiry.

Example 2: Add encryption as a service with Transit engine

User request: "Encrypt sensitive user data at rest using Vault Transit without managing keys"

Actions:

1. Enable the Transit secret engine and create a named encryption key
2. Build an API middleware that encrypts data via transit/encrypt/key-name before database writes
3. Add a decryption path that calls transit/decrypt/key-name on reads
4. Configure key rotation policy and verify old data remains decryptable

Output: Application-level encryption using Vault Transit with automatic key management and rotation.

Guidelines

• Use dynamic secrets for databases since short-lived credentials limit the blast radius of a breach.
• Use AppRole for services, never hardcoded tokens, since AppRole supports secret_id rotation.
• Use Transit engine instead of application-level encryption since key management is Vault's responsibility.
• Set TTLs as short as practical: 1 hour for database credentials and 15 minutes for CI tokens.
• Enable audit device logging for compliance since it records who accessed what and when.
• Use Vault Agent sidecar in Kubernetes so applications read secrets from files without needing a Vault SDK.
• Store the root token securely and revoke it after initial setup; operators should use personal tokens.