Can I use HashiCorp Vault as a CLI?

Yes. KosmoKrator exposes a HashiCorp Vault CLI through kosmo integrations:call and the provider shortcut command. Commands can return JSON for scripts, CI, and coding agents.

Can I expose HashiCorp Vault through MCP?

Yes. The KosmoKrator MCP gateway can expose selected HashiCorp Vault tools to clients such as Claude Code, Cursor, Codex, and other MCP-compatible tools.

Where are HashiCorp Vault credentials stored?

HashiCorp Vault credentials are configured in KosmoKrator's local integration settings and reused by CLI, Lua, and MCP gateway surfaces.

Can I deny write access for HashiCorp Vault MCP tools?

Yes. Start the gateway with --write=deny for read-only clients, or use ask/allow only for trusted workspaces.

productivity

HashiCorp Vault CLI for AI Agents

Use the HashiCorp Vault CLI from KosmoKrator to call HashiCorp Vault tools headlessly, return JSON, inspect schemas, and automate workflows from coding agents, scripts, and CI.

HashiCorp Vault CLI Setup

HashiCorp Vault can be configured headlessly with `kosmokrator integrations:configure vault`.

Install, configure, and verify

# Install KosmoKrator first if it is not available on PATH.
curl -fsSL https://raw.githubusercontent.com/OpenCompanyApp/kosmokrator/main/install.sh | bash

# Configure and verify this integration.
kosmokrator integrations:configure vault --set token="$VAULT_TOKEN" --enable --read allow --write ask --json
kosmokrator integrations:doctor vault --json
kosmokrator integrations:status --json

Credentials

Authentication type: API token api_token. Configure credentials once, then reuse the same stored profile from scripts, coding CLIs, Lua, and MCP.

Key	Env var	Type	Required	Label
`token`	`VAULT_TOKEN`	Secret `secret`	yes	Vault Token

Command Patterns

The generic command is stable across every integration. The provider shortcut is shorter for humans.

Generic CLI call

kosmo integrations:call vault.vault_list_secrets '{"engine_path":"example_engine_path","path":"example_path"}' --json

Provider shortcut

kosmo integrations:vault vault_list_secrets '{"engine_path":"example_engine_path","path":"example_path"}' --json

Discovery

These commands return structured output for coding agents that need to inspect capabilities before choosing a function.

Discovery commands

kosmo integrations:docs vault --json
kosmo integrations:docs vault.vault_list_secrets --json
kosmo integrations:schema vault.vault_list_secrets --json
kosmo integrations:search "HashiCorp Vault" --json
kosmo integrations:list --json

Automation Contexts

The same configured command surface works in these environments. The command does not change unless the host wrapper, credentials, or permissions change.

CI Run integration calls from CI jobs with JSON output, explicit credentials, and predictable exit status. Cron Jobs Schedule repeatable integration workflows from cron while keeping credentials in KosmoKrator config. Shell Scripts Call integration functions from shell scripts with stable JSON input and output. Headless Automation Use KosmoKrator as a non-interactive integration runtime for local automations and wrappers. Coding Agents Let coding agents discover schemas and execute integration functions through CLI commands or MCP.

CLI Functions

Every function below can be called headlessly. Commands are highlighted, copyable, and scroll horizontally when payloads are long.

`vault.vault_list_secrets`

List secrets at a given path in a HashiCorp Vault KV v2 secrets engine. Returns the keys (directory entries) at the specified path.

Read read

Parameters: engine_path, path

Generic call

kosmo integrations:call vault.vault_list_secrets '{"engine_path":"example_engine_path","path":"example_path"}' --json

Shortcut

kosmo integrations:vault vault_list_secrets '{"engine_path":"example_engine_path","path":"example_path"}' --json

`vault.vault_get_secret`

Get the latest version of a secret from a HashiCorp Vault KV v2 secrets engine. Optionally specify a version number to retrieve a specific version.

Read read

Parameters: path, engine_path, version

Generic call

kosmo integrations:call vault.vault_get_secret '{"path":"example_path","engine_path":"example_engine_path","version":1}' --json

Shortcut

kosmo integrations:vault vault_get_secret '{"path":"example_path","engine_path":"example_engine_path","version":1}' --json

`vault.vault_create_secret`

Create or update a secret in a HashiCorp Vault KV v2 secrets engine. Provide the secret path and a key-value data object.

Write write

Parameters: path, data, engine_path

Generic call

kosmo integrations:call vault.vault_create_secret '{"path":"example_path","data":"example_data","engine_path":"example_engine_path"}' --json

Shortcut

kosmo integrations:vault vault_create_secret '{"path":"example_path","data":"example_data","engine_path":"example_engine_path"}' --json

`vault.vault_delete_secret`

Permanently delete all versions and metadata of a secret from a HashiCorp Vault KV v2 secrets engine. This action is irreversible.

Write write

Parameters: path, engine_path

Generic call

kosmo integrations:call vault.vault_delete_secret '{"path":"example_path","engine_path":"example_engine_path"}' --json

Shortcut

kosmo integrations:vault vault_delete_secret '{"path":"example_path","engine_path":"example_engine_path"}' --json

`vault.vault_list_policies`

List all ACL policies configured in HashiCorp Vault. Returns an array of policy names.

Read read

Parameters: none

Generic call

kosmo integrations:call vault.vault_list_policies '{}' --json

Shortcut

kosmo integrations:vault vault_list_policies '{}' --json

`vault.vault_get_policy`

Get details of a specific ACL policy in HashiCorp Vault, including its name and HCL rules.

Read read

Parameters: name

Generic call

kosmo integrations:call vault.vault_get_policy '{"name":"example_name"}' --json

Shortcut

kosmo integrations:vault vault_get_policy '{"name":"example_name"}' --json

`vault.vault_get_current_user`

Look up the current Vault token's information, including display name, policies, TTL, and metadata.

Read read

Parameters: none

Generic call

kosmo integrations:call vault.vault_get_current_user '{}' --json

Shortcut

kosmo integrations:vault vault_get_current_user '{}' --json

Function Schemas

Use these parameter tables when building CLI payloads without calling integrations:schema first.

vault.vault_list_secrets 2 parameters

Schema command

kosmo integrations:schema vault.vault_list_secrets --json

Parameter	Type	Required	Description
`engine_path`	string	no	The mount path of the KV v2 secrets engine. Default: secret.
`path`	string	no	The path within the secrets engine to list. Leave empty for root.

vault.vault_get_secret 3 parameters

Schema command

kosmo integrations:schema vault.vault_get_secret --json

Parameter	Type	Required	Description
`path`	string	yes	The path of the secret to retrieve (e.g. "myapp/database").
`engine_path`	string	no	The mount path of the KV v2 secrets engine. Default: secret.
`version`	integer	no	The version number to retrieve. Defaults to the latest version.

vault.vault_create_secret 3 parameters

Schema command

kosmo integrations:schema vault.vault_create_secret --json

Parameter	Type	Required	Description
`path`	string	yes	The path where the secret will be stored (e.g. "myapp/database").
`data`	object	yes	Key-value pairs for the secret data. Example: {"username": "admin", "password": "s3cret"}.
`engine_path`	string	no	The mount path of the KV v2 secrets engine. Default: secret.

vault.vault_delete_secret 2 parameters

Schema command

kosmo integrations:schema vault.vault_delete_secret --json

Parameter	Type	Required	Description
`path`	string	yes	The path of the secret to delete (e.g. "myapp/database").
`engine_path`	string	no	The mount path of the KV v2 secrets engine. Default: secret.

vault.vault_list_policies 0 parameters

Schema command

kosmo integrations:schema vault.vault_list_policies --json

Parameter	Type	Required	Description
No parameters.

vault.vault_get_policy 1 parameters

Schema command

kosmo integrations:schema vault.vault_get_policy --json

Parameter	Type	Required	Description
`name`	string	yes	The name of the ACL policy to retrieve.

vault.vault_get_current_user 0 parameters

Schema command

kosmo integrations:schema vault.vault_get_current_user --json

Parameter	Type	Required	Description
No parameters.

Permissions

Headless calls still follow the integration read/write permission policy. Configure read/write defaults with integrations:configure. Add --force only for trusted automation that should bypass that policy.