Cosmicjedi/vault-mcp-server
# HashiCorp Vault MCP Server
A Model Context Protocol (MCP) server that provides secure access to HashiCorp Vault for credential management and TOTP code generation.
## Features
- Credential Management: Read, write, delete, and list secrets in KV v2 engine
- TOTP Support: Generate, import, validate TOTP codes for 2FA
- Vault Administration: Check status, enable engines, manage configurations
- Secure by Design: Token-based auth, Docker secrets, masked outputs
- Enterprise Ready: Supports namespaces for Vault Enterprise/HCP
## Prerequisites
- Docker Desktop with MCP Toolkit enabled
- Docker MCP CLI plugin (`docker mcp` command)
- A running HashiCorp Vault server
- Valid Vault authentication token
## Available Tools
### Secret Management
- `check_vault_status` - Check health and seal status
- `read_secret` - Read secrets from KV v2 engine
- `write_secret` - Write secrets with JSON data
- `delete_secret` - Delete specific or all versions
- `list_secrets` - List secrets at a path
- `list_secrets_engines` - List enabled engines
- `enable_secrets_engine` - Enable new engines
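The secret-management tools above sit on top of Vault's KV v2 HTTP API. The following is an added example (not this project's code) of what `read_secret`, `write_secret` and `delete_secret` do at that level, including the output masking the README describes: KV v2 requests go to `<mount>/data/<path>`, `<mount>/metadata/<path>` and `<mount>/delete/<path>`, the token travels in the `X-Vault-Token` header, and an Enterprise/HCP namespace in `X-Vault-Namespace`. The `transport` parameter and the `FakeVault` class are constructed here so the example runs offline; against a real server the default `urllib` transport is used.

```python
"""Minimal KV v2 client with masked output (added example, not the project's code)."""
import json
import urllib.request


def mask(value, keep=4):
    """Show only the last `keep` characters of a secret value (all asterisks if shorter)."""
    s = str(value)
    return "*" * len(s) if len(s) <= keep else "*" * (len(s) - keep) + s[-keep:]


def urllib_transport(method, url, headers, body):
    """Real transport: one HTTPS/HTTP round trip to Vault."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read()


class VaultKV2:
    """KV v2 paths are <mount>/{data,metadata,delete}/<path>; auth is the X-Vault-Token header."""

    def __init__(self, addr, token, namespace=None, mount="secret", transport=urllib_transport):
        self.base = f"{addr.rstrip('/')}/v1/{mount}"
        self.headers = {"X-Vault-Token": token, "Content-Type": "application/json"}
        if namespace:  # Vault Enterprise / HCP only
            self.headers["X-Vault-Namespace"] = namespace
        self.transport = transport

    def _call(self, method, kind, path, payload=None):
        body = json.dumps(payload).encode() if payload is not None else None
        status, raw = self.transport(method, f"{self.base}/{kind}/{path}", self.headers, body)
        if status >= 400:
            raise RuntimeError(f"Vault returned {status} for {method} {kind}/{path}")
        return json.loads(raw) if raw else {}

    def write_secret(self, path, data, cas=None):
        payload = {"data": data}
        if cas is not None:  # check-and-set: Vault rejects the write unless the current version == cas
            payload["options"] = {"cas": cas}
        return self._call("POST", "data", path, payload)["data"]["version"]

    def read_secret(self, path):
        return self._call("GET", "data", path)["data"]["data"]

    def read_secret_masked(self, path):
        """What a tool should hand back to the model: key names visible, values masked."""
        return {k: mask(v) for k, v in self.read_secret(path).items()}

    def delete_secret(self, path, versions=None, all_versions=False):
        if all_versions:
            self._call("DELETE", "metadata", path)                        # destroys every version and the metadata
        elif versions:
            self._call("POST", "delete", path, {"versions": versions})  # soft-deletes the listed versions
        else:
            self._call("DELETE", "data", path)                            # soft-deletes the latest version


class FakeVault:
    """Constructed in-memory stand-in for a KV v2 mount named 'secret'; records the last headers seen."""

    def __init__(self):
        self.versions = {}  # path -> [version-1 data, version-2 data, ...]
        self.last_headers = None

    def __call__(self, method, url, headers, body):
        self.last_headers = dict(headers)
        if not headers.get("X-Vault-Token"):
            return 403, b'{"errors":["permission denied"]}'
        kind, _, path = url.split("/v1/secret/", 1)[1].partition("/")
        store = self.versions
        if (method, kind) == ("POST", "data"):
            payload = json.loads(body)
            current = len(store.get(path, []))
            cas = payload.get("options", {}).get("cas")
            if cas is not None and cas != current:
                return 400, b'{"errors":["check-and-set parameter did not match the current version"]}'
            store.setdefault(path, []).append(payload["data"])
            return 200, json.dumps({"data": {"version": current + 1}}).encode()
        if (method, kind) == ("GET", "data") and store.get(path):
            return 200, json.dumps({"data": {"data": store[path][-1]}}).encode()
        if (method, kind) == ("DELETE", "metadata"):
            store.pop(path, None)
            return 204, b""
        return 404, b'{"errors":[]}'
```

`read_secret_masked` is the shape to expose through an MCP tool when the model only needs to confirm that a secret exists and which keys it holds; `read_secret` should be reserved for callers that actually consume the value. The `cas` option is worth passing on writes so that two tool calls racing on the same path cannot silently overwrite each other.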
### TOTP Management
- `create_totp_key` - Generate new TOTP keys
- `import_totp_key` - Import existing TOTP keys
- `get_totp_code` - Generate current codes
- `validate_totp_code` - Validate codes
- `list_totp_keys` - List all TOTP keys
- `delete_totp_key` - Remove TOTP keys
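Vault's `totp` engine computes codes per RFC 6238 (HMAC-SHA1, 6 digits, 30-second period by default), which is what `get_totp_code` and `validate_totp_code` surface. As an added example (not this project's code), the block below implements that computation together with the skew window a validator needs so that a code generated just before a period boundary is still accepted. The secret used in the test is the RFC 6238 reference key; `generate_totp_key` and the `skew` parameter are this example's own names.

```python
"""RFC 6238 TOTP generation and validation (added example, not the project's code)."""
import base64
import hashlib
import hmac
import secrets
import struct
import time


def generate_totp_key(length=20):
    """Random base32 key of the kind create_totp_key would return (constructed here)."""
    return base64.b32encode(secrets.token_bytes(length)).decode().rstrip("=")


def hotp(secret_b32, counter, digits=6, algo="sha1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)   # restore base32 padding if stripped
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at=None, period=30, digits=6, algo="sha1"):
    """RFC 6238: HOTP with the counter derived from Unix time / period."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // period), digits, algo)


def validate_totp(secret_b32, code, at=None, period=30, digits=6, algo="sha1", skew=1):
    """Accept the current step and +/- `skew` neighbouring steps, comparing in constant time."""
    at = time.time() if at is None else at
    step = int(at // period)
    candidates = (hotp(secret_b32, step + d, digits, algo) for d in range(-skew, skew + 1))
    # any() stops at the first match, so this is not strictly constant time across the window,
    # but each individual comparison is; that is the usual trade-off for a small skew.
    return any(hmac.compare_digest(c, str(code)) for c in candidates)
```

A validator that accepts a skew window should also remember the last code it accepted for a key and refuse a second use of it; otherwise a captured code stays valid for up to (2 * skew + 1) periods rather than one.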
## Installation
### Step 1: Clone and Build
```bash
git clone https://github.com/Cosmicjedi/vault-mcp-server.git
cd vault-mcp-server
docker build -t vault-mcp-server .
```
### Step 2: Configure Secrets
```bash
# Set your Vault token
docker mcp secret set VAULT_TOKEN="your-vault-token"
# Set Vault server address
docker mcp secret set VAULT_ADDR="http://your-vault-server:8200"
# Optional: For Vault Enterprise/HCP
docker mcp secret set VAULT_NAMESPACE="admin"
```
### Step 3: Add to MCP Catalog
Create `~/.docker/mcp/catalogs/custom.yaml`:
```yaml
version: 2
name: custom
displayName: Custom MCP Servers
registry:
  vault:
    description: "HashiCorp Vault integration for secure credential and TOTP management"
    title: "Vault"
    type: server
    dateAdded: "2025-01-24T00:00:00Z"
    image: vault-mcp-server:latest
    ref: ""
    tools:
      - name: check_vault_status
      - name: read_secret
      - name: write_secret
      - name: delete_secret
      - name: list_secrets
      - name: create_totp_key
      - name: import_totp_key
      - name: get_totp_code
      - name: validate_totp_code
      - name: list_totp_keys
      - name: delete_totp_key
      - name: enable_secrets_engine
      - name: list_secrets_engines
    secrets:
      - name: VAULT_TOKEN
        env: VAULT_TOKEN
        example: hvs.CAESIGZ3...
      - name: VAULT_ADDR
        env: VAULT_ADDR
        example: http://127.0.0.1:8200
      - name: VAULT_NAMESPACE
        env: VAULT_NAMESPACE
        example: admin
    metadata:
      category: integration
      tags:
        - security
        - credentials
        - secrets
        - totp
        - vault
      license: MIT
      owner: local
```
### Step 4: Update Registry
Add to `~/.docker/mcp/registry.yaml` under the `registry:` key:
```yaml
registry:
  # ... existing servers ...
  vault:
    ref: ""
```
### Step 5: Configure Claude Desktop
Edit the Claude Desktop config:
- macOS: `~/Library/Application Support/Claude/claude_desktop_config.json`
- Windows: `%APPDATA%\Claude\claude_desktop_config.json`
- Linux: `~/.config/Claude/claude_desktop_config.json`

Add the custom catalog to the gateway `args`:
```json
{
  "mcpServers": {
    "mcp-toolkit-gateway": {
      "command": "docker",
      "args": [
        "run",
        "-i",
        "--rm",
        "-v", "/var/run/docker.sock:/var/run/docker.sock",
        "-v", "[YOUR_HOME]/.docker/mcp:/mcp",
        "docker/mcp-gateway",
        "--catalog=/mcp/catalogs/docker-mcp.yaml",
        "--catalog=/mcp/catalogs/custom.yaml",
        "--config=/mcp/config.yaml",
        "--registry=/mcp/registry.yaml",
        "--tools-config=/mcp/tools.yaml",
        "--transport=stdio"
      ]
    }
  }
}
```
### Step 6: Restart Claude Desktop
Quit and restart Claude Desktop to load the new tools.
## Quick Test Setup
For testing, you can run Vault in dev mode:
```bash
# Start Vault in dev mode (INSECURE - testing only!)
docker run --cap-add=IPC_LOCK \
  -e 'VAULT_DEV_ROOT_TOKEN_ID=root' \
  -p 8200:8200 \
  -d --name=vault-dev \
  vault:latest
# Configure MCP secrets for dev vault
docker mcp secret set VAULT_TOKEN="root"
docker mcp secret set VAULT_ADDR="http://host.docker.internal:8200"
# Enable TOTP engine
docker exec vault-dev vault secrets enable totp
```
## Usage Examples
In Claude Desktop, try these commands:
- "Check the status of my Vault server"
- "List all secrets in the secret mount"
- "Write API credentials to secret/myapp/api with data {"key": "abc123"}"
- "Read the secret at secret/myapp/api"
- "Generate a new TOTP key for GitHub with account user@example.com"
- "Get the current TOTP code for GitHub"
- "List all my TOTP keys"
- "Enable a new KV secrets engine at path myapp"
## Security Considerations
- All secrets stored in Docker Desktop secrets
- Never hardcode credentials
- Use least-privilege Vault policies
- Sensitive values are masked in outputs
- Runs as non-root user in container
## Required Vault Permissions
```hcl
path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "totp/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "sys/health" {
  capabilities = ["read"]
}
path "sys/mounts/*" {
  capabilities = ["read", "update"]
}
```
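The policy above grants every capability on the whole `secret/` and `totp/` mounts, which is convenient for a first run but wider than the least-privilege guidance in the Security Considerations. The block below is an added example (not this project's code) that parses the README's policy and a narrower, constructed one and evaluates which requests each allows. It models only the subset of Vault ACL semantics these policies use: exact paths and trailing-`*` globs, the longest matching path wins, and an explicit `deny` capability overrides everything else. The request paths are the ones Vault actually checks: KV v2 reads and writes hit `secret/data/<path>`, listing hits `secret/metadata/<path>`, and TOTP code generation and validation hit `totp/code/<key>`.

```python
"""Offline evaluation of Vault ACL policies (added example, not the project's code)."""
import re

# The README's policy, verbatim.
README_POLICY = '''
path "secret/*" { capabilities = ["create", "read", "update", "delete", "list"] }
path "totp/*" { capabilities = ["create", "read", "update", "delete", "list"] }
path "sys/health" { capabilities = ["read"] }
path "sys/mounts/*" { capabilities = ["read", "update"] }
'''

# Constructed least-privilege alternative: one application prefix, one TOTP key, no deletes,
# no ability to enable or list secrets engines.
SCOPED_POLICY = '''
path "secret/data/myapp/*" { capabilities = ["create", "read", "update"] }
path "secret/metadata/myapp/*" { capabilities = ["list", "read"] }
path "totp/code/github" { capabilities = ["read", "update"] }
path "sys/health" { capabilities = ["read"] }
'''

RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)


def parse_policy(hcl):
    """Return {path_pattern: {capability, ...}} for the simple HCL form used above."""
    rules = {}
    for pattern, caps in RULE_RE.findall(hcl):
        rules[pattern] = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
    return rules


def matching_rule(rules, request_path):
    """Longest matching pattern wins; '*' is only honoured as a trailing glob."""
    best = None
    for pattern in rules:
        if pattern.endswith("*"):
            hit = request_path.startswith(pattern[:-1])
        else:
            hit = request_path == pattern
        if hit and (best is None or len(pattern) > len(best)):
            best = pattern
    return best


def allowed(rules, request_path, capability):
    """True if the selected rule grants `capability` and does not contain 'deny'."""
    rule = matching_rule(rules, request_path)
    if rule is None:
        return False
    caps = rules[rule]
    return "deny" not in caps and capability in caps


def compare(request_path, capability):
    """Side-by-side answer for the README policy and the scoped one."""
    return {
        "readme": allowed(parse_policy(README_POLICY), request_path, capability),
        "scoped": allowed(parse_policy(SCOPED_POLICY), request_path, capability),
    }
```

Run `compare("secret/data/other-team/db", "update")` to see the difference: the README policy allows it, the scoped one does not. The scoped policy also withholds `sys/mounts/*`, so the `enable_secrets_engine` and `list_secrets_engines` tools fail under it by design; grant that path only to the token used for administration.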
## Troubleshooting
### Tools Not Appearing
- Verify Docker image built successfully
- Check catalog and registry files
- Ensure Claude Desktop config includes custom catalog
- Restart Claude Desktop
### Authentication Errors
- Verify token with `docker mcp secret list`
- Ensure token has required permissions
- Check VAULT_ADDR is accessible
- For HCP Vault, ensure VAULT_NAMESPACE is set
### Connection Issues
- Verify Vault is running and unsealed
- Check network connectivity
- Ensure TLS certificates are valid (if using HTTPS)
## License
MIT License - see LICENSE file for details.
## Contributing
Contributions are welcome! Please feel free to submit issues and pull requests.
## Author
Created for the MCP community to enable secure Vault integration by Cosmicjedi.