OpenSkillIndex← back to search
claude-code

Skills hashicorp-vault

install
source · Clone the upstream repo
git clone https://github.com/TerminalSkills/skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/TerminalSkills/skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/hashicorp-vault" ~/.claude/skills/terminalskills-skills-hashicorp-vault && rm -rf "$T"
manifest: skills/hashicorp-vault/SKILL.md
source content

HashiCorp Vault

Overview

HashiCorp Vault is a secrets management platform that provides KV storage with versioning, dynamic short-lived credentials for databases and cloud providers, PKI certificate management, Transit encryption as a service, and fine-grained HCL-based access policies. It integrates with Kubernetes via sidecar injection and CI/CD pipelines via AppRole authentication.

Instructions

  • When storing static secrets, use the KV v2 engine with versioning for API keys and configuration values, organizing secrets by application and environment paths.
  • When managing database access, use the Database secret engine to generate dynamic, short-lived credentials that automatically expire, limiting the blast radius of credential leaks.
  • When authenticating applications, use AppRole for services and CI/CD (with secret_id rotation), Kubernetes auth for pods, and JWT/OIDC for SSO integration; never hardcode tokens.
  • When encrypting data, use the Transit engine for encryption as a service so applications encrypt/decrypt data without managing keys, with support for key rotation and convergent encryption.
  • When defining access, write HCL policies with deny-by-default, granting minimum capabilities (create, read, update, delete, list) per path, and use path templating for per-user isolation.
  • When deploying in Kubernetes, use Vault Agent sidecar injector or CSI provider to inject secrets into pods as files or environment variables, so applications read secrets without a Vault SDK.

Examples

Example 1: Set up dynamic database credentials for a microservice

User request: "Configure Vault to issue short-lived PostgreSQL credentials for my API service"

Actions:

  1. Enable the Database secret engine and configure the PostgreSQL connection
  2. Create a role with a SQL statement for read-only access and a 1-hour TTL
  3. Set up AppRole authentication for the API service with a policy allowing 
    database/creds/readonly
  4. Configure Vault Agent sidecar to inject credentials into the pod and auto-renew leases

Output: A microservice that receives dynamic database credentials with automatic rotation and a 1-hour expiry.

Example 2: Add encryption as a service with Transit engine

User request: "Encrypt sensitive user data at rest using Vault Transit without managing keys"

Actions:

  1. Enable the Transit secret engine and create a named encryption key
  2. Build an API middleware that encrypts data via 
    transit/encrypt/key-name
    before database writes
  3. Add a decryption path that calls 
    transit/decrypt/key-name
    on reads
  4. Configure key rotation policy and verify old data remains decryptable

Output: Application-level encryption using Vault Transit with automatic key management and rotation.

Guidelines

  • Use dynamic secrets for databases since short-lived credentials limit the blast radius of a breach.
  • Use AppRole for services, never hardcoded tokens, since AppRole supports secret_id rotation.
  • Use Transit engine instead of application-level encryption since key management is Vault's responsibility.
  • Set TTLs as short as practical: 1 hour for database credentials and 15 minutes for CI tokens.
  • Enable audit device logging for compliance since it records who accessed what and when.
  • Use Vault Agent sidecar in Kubernetes so applications read secrets from files without needing a Vault SDK.
  • Store the root token securely and revoke it after initial setup; operators should use personal tokens.