vault

HashiCorp Vault secrets management. Use for secrets.

7 stars

byG1Joshi

View on GitHub Installation ↓

Best use case

vault is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

HashiCorp Vault secrets management. Use for secrets.

Teams using vault should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

You only need a quick one-off answer and do not need a reusable workflow.
You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/vault/SKILL.md --create-dirs "https://raw.githubusercontent.com/G1Joshi/Agent-Skills/main/skills/security/vault/SKILL.md"

Manual Installation

Download SKILL.md from GitHub
Place it in .claude/skills/vault/SKILL.md inside your project
Restart your AI agent — it will auto-discover the skill

How vault Compares

Feature / Agent	vault	Standard Approach
Platform Support	Not specified	Limited / Varies
Context Awareness	High	Baseline
Installation Complexity	Unknown	N/A

Frequently Asked Questions

What does this skill do?

HashiCorp Vault secrets management. Use for secrets.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# HashiCorp Vault

Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, or certificates. Vault provides a unified interface to any secret while providing tight access control and recording a detailed audit log.

## When to Use

- **Dynamic Secrets**: Generating temporary AWS credentials (TTL 15m) for a specific task.
- **Encryption as a Service**: Encrypting application data (Credit Cards) without the app managing the keys (Transit Engine).
- **Kubernetes Secrets**: Injecting secrets into pods securely without Etcd.

## Quick Start (Dev Mode)

```bash
vault server -dev
export VAULT_ADDR='http://127.0.0.1:8200'

# Write a secret
vault kv put secret/hello foo=world

# Read a secret
vault kv get secret/hello
```

## Core Concepts

### Sealing

Vault data is encrypted at rest. When Vault starts, it is "Sealed". Unsealing requires a threshold of keys (Shamir's Secret Sharing) to reconstruct the master key.

### Engines

Modules that handle different types of secrets:

- `kv`: Key-Value storage (static).
- `aws`: Dynamic AWS IAM users.
- `pki`: Dynamic x.509 Certificates.

### Auth Methods

How you log in to Vault: Token, AppRole (Machines), Kubernetes (Pods), GitHub (Humans).

## Best Practices (2025)

**Do**:

- **Use Auto-Unseal**: Integrate with AWS KMS / Azure Key Vault to unseal automatically (Manual unsealing is painful for uptime).
- **Inject via Sidecar**: In K8s, use the Vault Agent Injector to drop secrets into `/vault/secrets/config` rather than calling the API directly.
- **Enable Audit Logs**: Essential for knowing "Who read the database password?".

**Don't**:

- **Don't use Root Token**: Generate it, configure auth methods, then revoke it.
- **Don't store huge files**: Vault is for secrets (KB), not files (MB).

## References

- [Vault Documentation](https://developer.hashicorp.com/vault/docs)
- [Vault Kubernetes Tutorial](https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-sidecar)