Skip to main content

Documentation Index

Fetch the complete documentation index at: https://infisical.com/docs/llms.txt

Use this file to discover all available pages before exploring further.

This guide helps you migrate from HashiCorp Vault to Infisical. Whether you’re moving a single application or your entire secrets infrastructure, Infisical provides tooling to make the transition smooth. Our in-platform migration tooling lets you set up a connection to your Vault instance once, then import specific resources as needed throughout Infisical. Think of it as creating a “bridge” between Vault and Infisical that you can use repeatedly. What you can migrate:
Importing from Vault requires the Connect action on App Connections and the Create action on the relevant subjects — for example, the Create action on the Secrets subject at the target environment and folder path for KV imports, or the equivalent permission for Machine Identities, Dynamic Secrets, and Roles.

Set Up Your Vault Connection

Before importing anything, you need to establish a secure connection between Infisical and your Vault instance. This is a one-time setup.
1

Create a Vault policy

In your Vault instance, create a policy that allows Infisical to read your secrets, policies, and authentication configurations. This policy grants read-only access and doesn’t allow Infisical to modify or create resources within your Vault instance.
# System endpoints - for listing namespaces, policies, mounts, and auth methods
path "sys/namespaces" {
  capabilities = ["list"]
}

path "sys/policy" {
  capabilities = ["read", "list"]
}

path "sys/policy/*" {
  capabilities = ["read"]
}

path "sys/mounts" {
  capabilities = ["read"]
}

path "sys/auth" {
  capabilities = ["read"]
}

# KV v2 secrets - for listing and reading secrets
# Replace '+' with your actual KV v2 mount paths (e.g., "secret", "kv")
path "+/metadata/*" {
  capabilities = ["list", "read"]
}

path "+/data/*" {
  capabilities = ["read"]
}

# KV v1 secrets - for listing and reading secrets
# Replace '+' with your actual KV v1 mount paths (e.g., "secret", "kv-v1")
# WARNING: This is broad - ideally specify exact mount names
path "+/*" {
  capabilities = ["list", "read"]
}

# Kubernetes auth - for reading auth configuration and roles
path "auth/+/config" {
  capabilities = ["read"]
}

path "auth/+/role" {
  capabilities = ["list"]
}

path "auth/+/role/*" {
  capabilities = ["read"]
}

# Kubernetes secrets engine - for reading secrets engine configuration and roles
path "+/config" {
  capabilities = ["read"]
}

path "+/roles" {
  capabilities = ["list"]
}

path "+/roles/*" {
  capabilities = ["read"]
}
Save this policy in Vault with the name infisical-in-platform-migration.
2

Create a HashiCorp Vault App Connection in Infisical

In Infisical, create a new App Connection of type HashiCorp Vault in one of two places:
  • Project > Integrations > App Connections — the connection is only visible inside that project.
  • Organization Settings > App Connections — the connection is visible across every project in the organization.
Follow the HashiCorp Vault App Connection documentation for detailed setup instructions. When configuring authentication (Token or AppRole), make sure the credential uses the infisical-in-platform-migration policy you created in the previous step.
You can create more than one connection if you need to migrate from several Vault instances. The Vault namespace is not part of the connection — you pick it inline each time you import a resource.

Migrate Your Resources

Once your Vault connection is configured, you’ll see import options throughout Infisical wherever relevant. The sections below cover each type of resource you can migrate.
Migration Strategy: We recommend migrating one application at a time. Start with a non-critical application to familiarize yourself with the process, then proceed to more important services.

Migrating KV Secrets

KV secrets are imported into a specific environment (e.g., Development, Staging, Production) within a project. If you’re coming from Vault, think of a project as similar to a KV secret engine dedicated to one application.
First time? You’ll need to create a project first. A project in Infisical typically represents a single application or microservice.
To import secrets from Vault:
  1. Navigate to your project and select a specific environment (e.g., Development, Production)
  2. In the secrets view, click the dropdown icon (caret) next to the ”+ Add Secret” button Add Secret Dropdown
  3. Select “Add from HashiCorp Vault” Add Secret Dropdown
  4. In the modal, pick the App Connection (project- or organization-scoped Vault connections both appear here), then the Vault namespace, then the Secrets Engine (KV mount), and finally one or more Vault secret paths to import (for example, secret/app/prod). Keys are copied using their names from Vault.
If you select multiple paths and the same key name exists in more than one of them, the import aborts and no secrets are saved.
  1. Click “Import Secrets” Import Vault Secrets
The secrets will be imported into your current environment and folder path. If your Vault path has nested paths, you can create folders in Infisical to maintain a similar structure.

Migrating Kubernetes Auth Method

If you’re using Vault’s Kubernetes auth method to authenticate your pods, you can migrate this configuration to Infisical’s Machine Identities. In Vault, you define Kubernetes roles that specify which service accounts can authenticate. In Infisical, this maps to a Machine Identity with Kubernetes authentication enabled. To import Kubernetes auth configuration:
  1. First, create a Machine Identity in Infisical
  2. Navigate to Access Control > Machine Identities and select the identity
  3. Click “Add Authentication Method” and choose Kubernetes Auth
  4. In the configuration modal, click “Load from Vault” Load Kubernetes Auth from Vault
  5. In the load modal, pick the App Connection, the Vault namespace, and the Kubernetes role
  6. Click “Load” Kubernetes Auth Form Populated
The authentication settings (allowed service accounts, namespaces, TTL, etc.) will be automatically populated from your Vault configuration.
Sensitive values like service account JWTs cannot be retrieved from Vault and must be manually provided in the form after importing the configuration.
After importing: You’ll need to update your Kubernetes deployments to use the Infisical Kubernetes Operator or Infisical SDK instead of the Vault agent/sidecar.

Migrating Kubernetes Secrets Engine Roles

If you’re using Vault’s Kubernetes secrets engine to generate short-lived Kubernetes credentials, you can migrate these roles to Infisical’s Dynamic Secrets. Both platforms support generating temporary Kubernetes service account tokens or creating temporary service accounts, so the configuration is similar. To import a Kubernetes dynamic secret configuration:
  1. Navigate to your project and select an environment
  2. Click ”+ Add Secret” dropdown and choose “Dynamic Secret”
  3. Select Kubernetes as the provider
  4. Click “Load from Vault” at the top of the form Load Kubernetes Dynamic Secret from Vault
  5. In the load modal, pick the App Connection, the Vault namespace, the Kubernetes secrets engine mount, and the role
  6. Click “Load Configuration”
The form will be automatically populated with the role’s configuration including:
  • Cluster URL and CA certificate
  • Credential type (Static or Dynamic)
  • Service account name or Kubernetes role settings
  • Allowed namespaces
  • Token TTL values
  • Token audiences
Sensitive values like cluster tokens cannot be retrieved from Vault and must be manually provided in the form after loading the configuration.
The same Load from Vault flow is also available on Cassandra, LDAP, and SQL Database dynamic secrets — pick the App Connection, Vault namespace, mount, and role to pre-fill the form.
Learn more about how Dynamic Secrets work in Infisical in the Dynamic Secrets documentation.

Migrating Vault Policies

Infisical can translate your Vault HCL policies into Infisical project roles. The table below shows how Vault capabilities map to Infisical permissions:
Vault CapabilityInfisical Permission
readRead secrets
listRead secrets (list is implicit with read)
createCreate secrets
updateEdit secrets
deleteDelete secrets
Policy translation is best-effort and provides a starting point based on your Vault configuration. The translated permissions should be reviewed and adjusted as needed since Vault and Infisical have different access control models.
To import and translate a policy:
  1. Navigate to your project, then go to Access Control > Roles and create or edit a role
  2. In the policy configuration, click “Add from HashiCorp Vault” Import Vault Policy Button
  3. In the modal, pick the App Connection and the Vault namespace
  4. Either choose an existing policy from the dropdown or paste your own HCL policy Translate Vault Policy Modal
  5. Review the automatically translated Infisical permissions
  6. Make any adjustments and save
How policy translation works:
  • Vault path patterns are analyzed to identify KV secret engines and environments
  • Vault capabilities (read, list, create, etc.) are mapped to Infisical permissions
  • Wildcards in paths are converted to glob patterns
  • Secret paths are preserved for granular access control
Example translation:
# Vault policy
path "secret/data/app/*" {
  capabilities = ["read", "list"]
}
Becomes an Infisical role with read permission on secrets in the corresponding environment/folder path.

One-time Bulk Import from Vault

If you want to move an entire Vault organization into Infisical in a single shot — rather than importing resources piecemeal from inside each project — use the Bulk Data Import flow. It does not require an App Connection and is intended for initial migrations only. KV Secret Engine is the only supported resource type for bulk import; other resource types (Kubernetes auth, dynamic secrets, policies) must use the per-resource flows described above.
Bulk Data Import is restricted to organization admins.
To run a bulk import:
  1. Navigate to Organization Settings > External Migrations
  2. Click Import and choose HCP Vault
  3. Fill in the import form:
    • Gateway (optional) — route the import through a gateway if your Vault instance is private
    • Vault URL — your Vault address (e.g. https://vault.example.com)
    • Vault Namespace (optional) — leave blank for the root namespace
    • Vault Access Token — a token with read access to the KV mounts you want to import
    • Project Mapping — how Vault resources map onto Infisical projects:
      • Key Vaults — each KV mount becomes an Infisical project. A default Production environment is created per project; secret paths become folders.
      • Namespaces — each Vault namespace becomes a project; each KV mount inside it becomes an environment; secret paths become folders.
      • Custom Migration — available on request; contact sales to discuss tailored mappings.
  4. Submit the form. Infisical will run the import asynchronously and email you when it finishes (or if it fails). This may take up to 10 minutes.

Next Steps After Migration

Once you’ve imported your secrets and configurations, here’s how to start using them in your applications:

Update Your Applications

Replace Vault client libraries with Infisical SDKs in your application code

Set Up Kubernetes Integration

Use the Infisical Kubernetes Operator to inject secrets into your pods