Can I use HashiCorp Vault as a CLI?

Yes. KosmoKrator exposes a HashiCorp Vault CLI through kosmo integrations:call and the provider shortcut command. Commands can return JSON for scripts, CI, and coding agents.

Can I expose HashiCorp Vault through MCP?

Yes. The KosmoKrator MCP gateway can expose selected HashiCorp Vault tools to clients such as Claude Code, Cursor, Codex, and other MCP-compatible tools.

Where are HashiCorp Vault credentials stored?

HashiCorp Vault credentials are configured in KosmoKrator's local integration settings and reused by CLI, Lua, and MCP gateway surfaces.

Can I deny write access for HashiCorp Vault MCP tools?

Yes. Start the gateway with --write=deny for read-only clients, or use ask/allow only for trusted workspaces.

productivity

HashiCorp Vault Lua API for KosmoKrator Agents

Agent-facing Lua documentation and function reference for the HashiCorp Vault KosmoKrator integration.

Lua Namespace

Agents call this integration through app.integrations.vault.*. Use lua_read_doc("integrations.vault") inside KosmoKrator to discover the same reference at runtime.

Call Lua from the Headless CLI

Use kosmo integrations:lua when a shell script, CI job, cron job, or another coding CLI should run a deterministic HashiCorp Vault workflow without starting an interactive agent session.

Inline Lua call

kosmo integrations:lua --eval 'dump(app.integrations.vault.list_secrets({engine_path = "example_engine_path", path = "example_path"}))' --json

Read Lua docs headlessly

kosmo integrations:lua --eval 'print(docs.read("vault"))' --json
kosmo integrations:lua --eval 'print(docs.read("vault.list_secrets"))' --json

Workflow file

Put repeatable logic in a Lua file, then execute it with JSON output for the calling process.

workflow.lua

local vault = app.integrations.vault
local result = vault.list_secrets({engine_path = "example_engine_path", path = "example_path"})

dump(result)

Run the workflow

kosmo integrations:lua workflow.lua --json
kosmo integrations:lua workflow.lua --force --json

Namespace note. integrations:lua exposes app.integrations.vault, app.mcp.*, docs.*, json.*, and regex.*. Use app.integrations.vault.default.* or app.integrations.vault.work.* when you configured named credential accounts.

MCP-only Lua

If the script only needs configured MCP servers and does not need HashiCorp Vault, use the narrower mcp:lua command.

MCP Lua command

# Use mcp:lua for MCP-only scripts; use integrations:lua for this integration namespace.
kosmo mcp:lua --eval 'dump(mcp.servers())' --json

Agent-Facing Lua Docs

This is the rendered version of the full Lua documentation exposed to agents when they inspect the integration namespace.

HashiCorp Vault — Lua API Reference

Overview

The HashiCorp Vault integration provides access to secrets management (KV v2), ACL policy management, and token introspection. All 7 tools are available under the app.integrations.vault namespace.

Every tool call accepts a single Lua table with named parameters and returns a Lua table with the API response data.

Authentication

The Vault integration authenticates via a Bearer token. The token is sent in the Authorization header on every request.

To create a token:

vault token create -policy="my-policy" -ttl="24h"

Or obtain one from your Vault administrator.

Required token capabilities depend on the tools you use:

Capability	Needed for
`list`	Listing secrets
`read`	Getting secrets, policies, token info
`create` / `update`	Creating or updating secrets
`delete`	Deleting secrets and metadata
`sudo`	Some sys operations (policies)

-- All calls use the same namespace — no per-call auth needed
local policies = app.integrations.vault.list_policies({})

Secrets (KV v2)

`app.integrations.vault.list_secrets({ engine_path, path })`

List secrets at a given path in a KV v2 secrets engine. Returns the keys (directory entries) at the specified path.

Name	Type	Required	Description
`engine_path`	string	no	Mount path of the KV v2 engine. Default: `"secret"`
`path`	string	no	Path within the secrets engine to list. Leave empty for root.

local result = app.integrations.vault.list_secrets({
  engine_path = "secret",
  path = "myapp",
})

for _, key in ipairs(result.data.keys) do
  print(key)
end

`app.integrations.vault.get_secret({ path, engine_path, version })`

Get a secret from a KV v2 secrets engine. Returns the secret data along with metadata (version, creation time, etc.).

Name	Type	Required	Description
`path`	string	yes	Path of the secret (e.g. `"myapp/database"`)
`engine_path`	string	no	Mount path of the KV v2 engine. Default: `"secret"`
`version`	integer	no	Specific version to retrieve. Default: latest

local result = app.integrations.vault.get_secret({
  path = "myapp/database",
})

local secret = result.data.data
print("Username: " .. secret.username)
print("Password: " .. secret.password)
print("Version: " .. result.data.metadata.version)

Retrieve a specific version:

local result = app.integrations.vault.get_secret({
  path = "myapp/database",
  version = 3,
})

print("Version 3 password: " .. result.data.data.password)

`app.integrations.vault.create_secret({ path, data, engine_path })`

Create or update a secret in a KV v2 secrets engine. This creates a new version of the secret.

Name	Type	Required	Description
`path`	string	yes	Path where the secret will be stored
`data`	table	yes	Key-value pairs for the secret data
`engine_path`	string	no	Mount path of the KV v2 engine. Default: `"secret"`

local result = app.integrations.vault.create_secret({
  path = "myapp/database",
  data = {
    username = "admin",
    password = "s3cret_p@ssw0rd",
    host = "db.example.com",
    port = 5432,
  },
})

print("Created version: " .. result.data.version)

Store structured configuration:

local result = app.integrations.vault.create_secret({
  path = "myapp/config",
  data = {
    debug = false,
    log_level = "info",
    max_connections = 100,
    allowed_origins = { "https://example.com", "https://app.example.com" },
  },
})

`app.integrations.vault.delete_secret({ path, engine_path })`

Permanently delete all versions and metadata of a secret from a KV v2 secrets engine. This action is irreversible.

Name	Type	Required	Description
`path`	string	yes	Path of the secret to delete
`engine_path`	string	no	Mount path of the KV v2 engine. Default: `"secret"`

local result = app.integrations.vault.delete_secret({
  path = "myapp/database",
})

if result.success then
  print("Secret deleted successfully")
end

Policies

`app.integrations.vault.list_policies({})`

List all ACL policies configured in Vault. Returns an array of policy names.

Name	Type	Required	Description
(none)	—	—	Takes no parameters

local result = app.integrations.vault.list_policies({})

for _, name in ipairs(result.data.policies) do
  print(name)
end

`app.integrations.vault.get_policy({ name })`

Get details of a specific ACL policy, including its name and HCL rules.

Name	Type	Required	Description
`name`	string	yes	Name of the ACL policy to retrieve

local result = app.integrations.vault.get_policy({
  name = "my-app-policy",
})

print("Policy: " .. result.data.name)
print("Rules:\n" .. result.data.rules)

Token Information

`app.integrations.vault.get_current_user({})`

Look up the current Vault token’s information, including display name, associated policies, TTL, and metadata.

Name	Type	Required	Description
(none)	—	—	Takes no parameters

local result = app.integrations.vault.get_current_user({})

local info = result.data
print("Display name: " .. info.display_name)
print("Policies: " .. table.concat(info.policies, ", "))
print("TTL: " .. info.ttl .. "s")
print("Renewable: " .. tostring(info.renewable))

Common Workflows

Store and retrieve database credentials

-- 1. Store credentials
app.integrations.vault.create_secret({
  path = "production/database",
  data = {
    username = "app_user",
    password = "generated_secure_password",
    host = "prod-db.internal",
    port = 5432,
    database = "myapp",
  },
})

-- 2. Retrieve credentials when needed
local result = app.integrations.vault.get_secret({
  path = "production/database",
})

local creds = result.data.data
local dsn = string.format("postgresql://%s:%s@%s:%d/%s",
  creds.username, creds.password, creds.host, creds.port, creds.database)
print("DSN: " .. dsn)

Rotate a secret

local path = "production/api-key"

-- 1. Read current secret (to verify it exists)
local current = app.integrations.vault.get_secret({ path = path })
print("Current version: " .. current.data.metadata.version)

-- 2. Write new secret (creates a new version)
local result = app.integrations.vault.create_secret({
  path = path,
  data = {
    api_key = "new_rotated_key_xyz",
    rotated_at = os.date("!%Y-%m-%dT%H:%M:%SZ"),
  },
})

print("New version: " .. result.data.version)

Audit policies

-- List all policies and display their rules
local result = app.integrations.vault.list_policies({})

for _, name in ipairs(result.data.policies) do
  if name ~= "root" then
    local policy = app.integrations.vault.get_policy({ name = name })
    print("=== " .. name .. " ===")
    print(policy.data.rules)
    print()
  end
end

Verify token before operations

-- Check token validity and permissions before performing operations
local result = app.integrations.vault.get_current_user({})

local info = result.data
print("Token display name: " .. info.display_name)
print("Token policies: " .. table.concat(info.policies, ", "))

if info.ttl < 300 then
  print("Warning: token expires in less than 5 minutes!")
end

Response Structure

Vault API responses follow a consistent structure:

-- Secret responses wrap data in data.data (KV v2)
local result = app.integrations.vault.get_secret({ path = "myapp/config" })
-- result.data.data        → the actual secret key-value pairs
-- result.data.metadata   → version, created_time, deletion_time, etc.

-- List responses return keys
local result = app.integrations.vault.list_secrets({ path = "myapp" })
-- result.data.keys       → array of key names

-- Policy list returns policy names
local result = app.integrations.vault.list_policies({})
-- result.data.policies   → array of policy name strings

-- Token lookup returns token metadata
local result = app.integrations.vault.get_current_user({})
-- result.data            → display_name, policies, ttl, renewable, etc.

Notes

KV v2 only: This integration uses the KV v2 secrets engine API. Ensure your secrets engine is mounted as KV version 2.
Engine path: The default engine path is "secret". If your KV v2 engine is mounted at a different path, pass the engine_path parameter.
Versions: KV v2 maintains version history. Use the version parameter in get_secret to retrieve specific versions. delete_secret permanently removes all versions and metadata.
Token TTL: Vault tokens have a time-to-live. Use get_current_user to check remaining TTL and whether the token is renewable.
Capabilities: Ensure your token has the required capabilities (read, list, create, update, delete) for the paths you intend to access.

Multi-Account Usage

If you have multiple Vault accounts configured, use account-specific namespaces:

-- Default account (always works)
app.integrations.vault.function_name({...})

-- Explicit default (portable across setups)
app.integrations.vault.default.function_name({...})

-- Named accounts
app.integrations.vault.production.function_name({...})
app.integrations.vault.staging.function_name({...})

All functions are identical across accounts — only the credentials differ.

Raw agent markdown

# HashiCorp Vault — Lua API Reference

## Overview

The HashiCorp Vault integration provides access to secrets management (KV v2), ACL policy management, and token introspection. All 7 tools are available under the `app.integrations.vault` namespace.

Every tool call accepts a single Lua table with named parameters and returns a Lua table with the API response data.

## Authentication

The Vault integration authenticates via a **Bearer token**. The token is sent in the `Authorization` header on every request.

To create a token:

```bash
vault token create -policy="my-policy" -ttl="24h"
```

Or obtain one from your Vault administrator.

Required token capabilities depend on the tools you use:

| Capability | Needed for |
|-----------|------------|
| `list` | Listing secrets |
| `read` | Getting secrets, policies, token info |
| `create` / `update` | Creating or updating secrets |
| `delete` | Deleting secrets and metadata |
| `sudo` | Some sys operations (policies) |

```lua
-- All calls use the same namespace — no per-call auth needed
local policies = app.integrations.vault.list_policies({})
```

## Secrets (KV v2)

### `app.integrations.vault.list_secrets({ engine_path, path })`

List secrets at a given path in a KV v2 secrets engine. Returns the keys (directory entries) at the specified path.

| Name | Type | Required | Description |
|------|------|----------|-------------|
| `engine_path` | string | no | Mount path of the KV v2 engine. Default: `"secret"` |
| `path` | string | no | Path within the secrets engine to list. Leave empty for root. |

```lua
local result = app.integrations.vault.list_secrets({
  engine_path = "secret",
  path = "myapp",
})

for _, key in ipairs(result.data.keys) do
  print(key)
end
```

### `app.integrations.vault.get_secret({ path, engine_path, version })`

Get a secret from a KV v2 secrets engine. Returns the secret data along with metadata (version, creation time, etc.).

| Name | Type | Required | Description |
|------|------|----------|-------------|
| `path` | string | yes | Path of the secret (e.g. `"myapp/database"`) |
| `engine_path` | string | no | Mount path of the KV v2 engine. Default: `"secret"` |
| `version` | integer | no | Specific version to retrieve. Default: latest |

```lua
local result = app.integrations.vault.get_secret({
  path = "myapp/database",
})

local secret = result.data.data
print("Username: " .. secret.username)
print("Password: " .. secret.password)
print("Version: " .. result.data.metadata.version)
```

Retrieve a specific version:

```lua
local result = app.integrations.vault.get_secret({
  path = "myapp/database",
  version = 3,
})

print("Version 3 password: " .. result.data.data.password)
```

### `app.integrations.vault.create_secret({ path, data, engine_path })`

Create or update a secret in a KV v2 secrets engine. This creates a new version of the secret.

| Name | Type | Required | Description |
|------|------|----------|-------------|
| `path` | string | yes | Path where the secret will be stored |
| `data` | table | yes | Key-value pairs for the secret data |
| `engine_path` | string | no | Mount path of the KV v2 engine. Default: `"secret"` |

```lua
local result = app.integrations.vault.create_secret({
  path = "myapp/database",
  data = {
    username = "admin",
    password = "s3cret_p@ssw0rd",
    host = "db.example.com",
    port = 5432,
  },
})

print("Created version: " .. result.data.version)
```

Store structured configuration:

```lua
local result = app.integrations.vault.create_secret({
  path = "myapp/config",
  data = {
    debug = false,
    log_level = "info",
    max_connections = 100,
    allowed_origins = { "https://example.com", "https://app.example.com" },
  },
})
```

### `app.integrations.vault.delete_secret({ path, engine_path })`

Permanently delete all versions and metadata of a secret from a KV v2 secrets engine. This action is irreversible.

| Name | Type | Required | Description |
|------|------|----------|-------------|
| `path` | string | yes | Path of the secret to delete |
| `engine_path` | string | no | Mount path of the KV v2 engine. Default: `"secret"` |

```lua
local result = app.integrations.vault.delete_secret({
  path = "myapp/database",
})

if result.success then
  print("Secret deleted successfully")
end
```

## Policies

### `app.integrations.vault.list_policies({})`

List all ACL policies configured in Vault. Returns an array of policy names.

| Name | Type | Required | Description |
|------|------|----------|-------------|
| *(none)* | — | — | Takes no parameters |

```lua
local result = app.integrations.vault.list_policies({})

for _, name in ipairs(result.data.policies) do
  print(name)
end
```

### `app.integrations.vault.get_policy({ name })`

Get details of a specific ACL policy, including its name and HCL rules.

| Name | Type | Required | Description |
|------|------|----------|-------------|
| `name` | string | yes | Name of the ACL policy to retrieve |

```lua
local result = app.integrations.vault.get_policy({
  name = "my-app-policy",
})

print("Policy: " .. result.data.name)
print("Rules:\n" .. result.data.rules)
```

## Token Information

### `app.integrations.vault.get_current_user({})`

Look up the current Vault token's information, including display name, associated policies, TTL, and metadata.

| Name | Type | Required | Description |
|------|------|----------|-------------|
| *(none)* | — | — | Takes no parameters |

```lua
local result = app.integrations.vault.get_current_user({})

local info = result.data
print("Display name: " .. info.display_name)
print("Policies: " .. table.concat(info.policies, ", "))
print("TTL: " .. info.ttl .. "s")
print("Renewable: " .. tostring(info.renewable))
```

## Common Workflows

### Store and retrieve database credentials

```lua
-- 1. Store credentials
app.integrations.vault.create_secret({
  path = "production/database",
  data = {
    username = "app_user",
    password = "generated_secure_password",
    host = "prod-db.internal",
    port = 5432,
    database = "myapp",
  },
})

-- 2. Retrieve credentials when needed
local result = app.integrations.vault.get_secret({
  path = "production/database",
})

local creds = result.data.data
local dsn = string.format("postgresql://%s:%s@%s:%d/%s",
  creds.username, creds.password, creds.host, creds.port, creds.database)
print("DSN: " .. dsn)
```

### Rotate a secret

```lua
local path = "production/api-key"

-- 1. Read current secret (to verify it exists)
local current = app.integrations.vault.get_secret({ path = path })
print("Current version: " .. current.data.metadata.version)

-- 2. Write new secret (creates a new version)
local result = app.integrations.vault.create_secret({
  path = path,
  data = {
    api_key = "new_rotated_key_xyz",
    rotated_at = os.date("!%Y-%m-%dT%H:%M:%SZ"),
  },
})

print("New version: " .. result.data.version)
```

### Audit policies

```lua
-- List all policies and display their rules
local result = app.integrations.vault.list_policies({})

for _, name in ipairs(result.data.policies) do
  if name ~= "root" then
    local policy = app.integrations.vault.get_policy({ name = name })
    print("=== " .. name .. " ===")
    print(policy.data.rules)
    print()
  end
end
```

### Verify token before operations

```lua
-- Check token validity and permissions before performing operations
local result = app.integrations.vault.get_current_user({})

local info = result.data
print("Token display name: " .. info.display_name)
print("Token policies: " .. table.concat(info.policies, ", "))

if info.ttl < 300 then
  print("Warning: token expires in less than 5 minutes!")
end
```

## Response Structure

Vault API responses follow a consistent structure:

```lua
-- Secret responses wrap data in data.data (KV v2)
local result = app.integrations.vault.get_secret({ path = "myapp/config" })
-- result.data.data        → the actual secret key-value pairs
-- result.data.metadata   → version, created_time, deletion_time, etc.

-- List responses return keys
local result = app.integrations.vault.list_secrets({ path = "myapp" })
-- result.data.keys       → array of key names

-- Policy list returns policy names
local result = app.integrations.vault.list_policies({})
-- result.data.policies   → array of policy name strings

-- Token lookup returns token metadata
local result = app.integrations.vault.get_current_user({})
-- result.data            → display_name, policies, ttl, renewable, etc.
```

## Notes

- **KV v2 only**: This integration uses the KV v2 secrets engine API. Ensure your secrets engine is mounted as KV version 2.
- **Engine path**: The default engine path is `"secret"`. If your KV v2 engine is mounted at a different path, pass the `engine_path` parameter.
- **Versions**: KV v2 maintains version history. Use the `version` parameter in `get_secret` to retrieve specific versions. `delete_secret` permanently removes all versions and metadata.
- **Token TTL**: Vault tokens have a time-to-live. Use `get_current_user` to check remaining TTL and whether the token is renewable.
- **Capabilities**: Ensure your token has the required capabilities (read, list, create, update, delete) for the paths you intend to access.

---

## Multi-Account Usage

If you have multiple Vault accounts configured, use account-specific namespaces:

```lua
-- Default account (always works)
app.integrations.vault.function_name({...})

-- Explicit default (portable across setups)
app.integrations.vault.default.function_name({...})

-- Named accounts
app.integrations.vault.production.function_name({...})
app.integrations.vault.staging.function_name({...})
```

All functions are identical across accounts — only the credentials differ.

Metadata-derived Lua example

local result = app.integrations.vault.list_secrets({engine_path = "example_engine_path", path = "example_path"})
print(result)

Functions

list_secrets Read

List secrets at a given path in a HashiCorp Vault KV v2 secrets engine. Returns the keys (directory entries) at the specified path.

Lua path: app.integrations.vault.list_secrets
Full name: vault.vault_list_secrets

Parameter	Type	Required	Description
`engine_path`	string	no	The mount path of the KV v2 secrets engine. Default: secret.
`path`	string	no	The path within the secrets engine to list. Leave empty for root.

get_secret Read

Get the latest version of a secret from a HashiCorp Vault KV v2 secrets engine. Optionally specify a version number to retrieve a specific version.

Lua path: app.integrations.vault.get_secret
Full name: vault.vault_get_secret

Parameter	Type	Required	Description
`path`	string	yes	The path of the secret to retrieve (e.g. "myapp/database").
`engine_path`	string	no	The mount path of the KV v2 secrets engine. Default: secret.
`version`	integer	no	The version number to retrieve. Defaults to the latest version.

create_secret Write

Create or update a secret in a HashiCorp Vault KV v2 secrets engine. Provide the secret path and a key-value data object.

Lua path: app.integrations.vault.create_secret
Full name: vault.vault_create_secret

Parameter	Type	Required	Description
`path`	string	yes	The path where the secret will be stored (e.g. "myapp/database").
`data`	object	yes	Key-value pairs for the secret data. Example: {"username": "admin", "password": "s3cret"}.
`engine_path`	string	no	The mount path of the KV v2 secrets engine. Default: secret.

delete_secret Write

Permanently delete all versions and metadata of a secret from a HashiCorp Vault KV v2 secrets engine. This action is irreversible.

Lua path: app.integrations.vault.delete_secret
Full name: vault.vault_delete_secret

Parameter	Type	Required	Description
`path`	string	yes	The path of the secret to delete (e.g. "myapp/database").
`engine_path`	string	no	The mount path of the KV v2 secrets engine. Default: secret.

list_policies Read

List all ACL policies configured in HashiCorp Vault. Returns an array of policy names.

Lua path: app.integrations.vault.list_policies
Full name: vault.vault_list_policies

Parameter	Type	Required	Description
No parameters.

get_policy Read

Get details of a specific ACL policy in HashiCorp Vault, including its name and HCL rules.

Lua path: app.integrations.vault.get_policy
Full name: vault.vault_get_policy

Parameter	Type	Required	Description
`name`	string	yes	The name of the ACL policy to retrieve.

get_current_user Read

Look up the current Vault token's information, including display name, policies, TTL, and metadata.

Lua path: app.integrations.vault.get_current_user
Full name: vault.vault_get_current_user

Parameter	Type	Required	Description
No parameters.