> ## Documentation Index
> Fetch the complete documentation index at: https://infisical.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Hashicorp Vault Connection

> Learn how to configure a Hashicorp Vault Connection for Infisical.

<Note>
  Infisical is compatible with Vault Self-hosted, HCP Vault Dedicated, and HCP Vault Enterprise deployments. Please note that HCP Generic Secrets are currently not supported.
</Note>

Infisical supports two methods for connecting to Hashicorp Vault.

<Tabs>
  <Tab title="App Role (Recommended)">
    <Steps>
      <Step title="Navigate to Vault Access">
        <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical/images/app-connections/hashicorp-vault/vault-access.png" alt="Vault Access" />
      </Step>

      <Step title="Enable New Method">
        In the **Authentication Methods** tab, click on **Enable new method**.

        <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical/images/app-connections/hashicorp-vault/vault-authentication-methods.png" alt="Vault Enable Method" />
      </Step>

      <Step title="Select AppRole">
        <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical/images/app-connections/hashicorp-vault/vault-approle.png" alt="Vault AppRole" />
      </Step>

      <Step title="Enable Method">
        You may change the name of the method, but we suggest keeping it as `approle`.

        <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical/images/app-connections/hashicorp-vault/vault-enable-method.png" alt="Vault Enable Method" />
      </Step>

      <Step title="Navigate to Vault Policies">
        From the home page, navigate to **Policies**.

        <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical/images/app-connections/hashicorp-vault/vault-policies-navigate.png" alt="Vault Policies Navigate" />
      </Step>

      <Step title="Create ACL Policy">
        <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical/images/app-connections/hashicorp-vault/vault-policies-page.png" alt="Vault Policies Page" />
      </Step>

      <Step title="Create Policy">
        You may name your policy whatever you want, but remember the name as it will be used in future steps.

        Depending on your use case, you may have different policy configurations:

        <Tabs>
          <Tab title="Secret Sync">
            ```hcl theme={"dark"}
            path "demo_mount/data/*" {
              capabilities = [ "create", "read", "update", "delete" ]
            }

            path "sys/mounts" {
              capabilities = ["read"]
            }
            ```

            * **demo\_mount**: The name of the target secrets engine (e.g., 'secret', 'kv').
            * **data/\***: The path within the secrets engine used for storing secrets. The wildcard (\*) grants access to all secrets within this mount point.

            <Note>
              Make sure to replace the policy path with the specific path where you intend to sync your secrets. For better security and control, it's recommended to use a more granular path instead of a wildcard (\*). You can also specify a path that doesn’t yet exist—Infisical will automatically create it for you during the sync process.
            </Note>
          </Tab>
        </Tabs>

        <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical/images/app-connections/hashicorp-vault/vault-create-policy.png" alt="Vault Create Policy" />
      </Step>

      <Step title="Run Shell Commands">
        **Open Vault Shell**

        <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical/images/app-connections/hashicorp-vault/vault-shell.png" alt="Vault Shell" />

        <Note>
          If you used custom approle or policy names in previous steps, you'll need to customize the following commands.
        </Note>

        **Create Infisical Role**

        ```hcl theme={"dark"}
        vault write auth/approle/role/infisical token_policies="infisical-policy" token_ttl=30s token_max_ttl=2m
        ```

        **Read RoleID**

        ```hcl theme={"dark"}
        vault read auth/approle/role/infisical/role-id
        ```

        **Generate New SecretID**

        ```hcl theme={"dark"}
        vault write -force auth/approle/role/infisical/secret-id
        ```

        Your shell output should look similar to the image below. Save the RoleID and SecretID values for later steps.

        <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical/images/app-connections/hashicorp-vault/vault-shell-output.png" alt="Vault Shell Output" />
      </Step>
    </Steps>
  </Tab>

  <Tab title="Access Token">
    ## Get a Hashicorp Vault Access Token

    Open your profile dropdown and click **Copy token**. This token will be used in later steps.

    <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical/images/app-connections/hashicorp-vault/vault-profile-token.png" alt="Vault Profile Copy Token" />
  </Tab>
</Tabs>

## Getting Vault Instance URL

<Tabs>
  <Tab title="Self Hosted">
    For self-hosted instances, locate and copy your vault's base URL (for example: `https://vault.example.com`).

    Save the URL for later steps.
  </Tab>

  <Tab title="Hashicorp Cloud Platform">
    On HCP instances, you may need to navigate to **Cluster Overview** to see your cluster URL. Save this value for later steps.

    <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical/images/app-connections/hashicorp-vault/vault-cluster-urls.png" alt="Vault Cluster URLs" />

    <Note>
      Cluster Overview is found in the HCP dashboard, not in your cluster's web UI.
    </Note>
  </Tab>
</Tabs>

## Setup Vault Connection in Infisical

<Tabs>
  <Tab title="Infisical UI">
    <Steps>
      <Step title="Navigate to App Connections">
        In your Infisical dashboard, navigate to the **Integrations** tab in the desired project, then select **App Connections**.

        <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical/images/app-connections/general/add-connection.png" alt="App Connections Tab" />
      </Step>

      <Step title="Add Connection">
        Click the **+ Add Connection** button and select the **Hashicorp Vault Connection** option.

        <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical/images/app-connections/hashicorp-vault/vault-infisical-connect-page.png" alt="Select Vault Connection" />
      </Step>

      <Step title="Configure Connection">
        Configure your Vault Connection using the Instance URL and credentials from the steps above. **Depending on if you chose to authenticate with an Access Token or AppRole, you may need to input different information.**

        <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical/images/app-connections/hashicorp-vault/vault-infisical-connect-modal.png" alt="Vault Configure Connection" />

        <Tabs>
          <Tab title="App Role">
            * **Name**: The name of the connection being created. Must be slug-friendly.
            * **Description**: An optional description to provide details about this connection.
            * **Gateway (optional):** The gateway connected to your private network. All requests made to your Vault instance will be made through the configured gateway.
            * **Instance URL**: The URL of your Hashicorp Vault instance.
            * **Namespace (optional)**: The namespace within your vault. Self-hosted and enterprise clusters may not use namespaces.
            * **Role ID**: The Role ID generated in the steps above.
            * **Secret ID**: The Secret ID generated in the steps above.
          </Tab>

          <Tab title="Access Token">
            * **Name**: The name of the connection being created. Must be slug-friendly.
            * **Description**: An optional description to provide details about this connection.
            * **Gateway (optional):** The gateway connected to your private network. All requests made to your Vault instance will be made through the configured gateway.
            * **Instance URL**: The URL of your Hashicorp Vault instance.
            * **Namespace (optional)**: The namespace within your vault. Self-hosted and enterprise clusters may not use namespaces.
            * **Access Token**: The Access Token generated in the steps above.
          </Tab>
        </Tabs>
      </Step>

      <Step title="Connection Created">
        Your Vault Connection is now available for use.

        <img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical/images/app-connections/hashicorp-vault/vault-infisical-connect-success.png" alt="Vault Connection Created" />
      </Step>
    </Steps>
  </Tab>

  <Tab title="API">
    To create a Vault Connection, make an API request to the [Create Hashicorp Vault
    Connection](/api-reference/endpoints/app-connections/hashicorp-vault/create) API endpoint.

    ### Sample request

    ```bash Request theme={"dark"}
    curl    --request POST \
            --url https://app.infisical.com/api/v1/app-connections/hashicorp-vault \
            --header 'Content-Type: application/json' \
            --data '{
                "name": "my-vault-connection",
                "method": "app-role",
                "projectId": "7ffbb072-2575-495a-b5b0-127f88caef78",
                "credentials": {
                    "instanceUrl": "https://vault.example.com",
                    "roleId": "4797c4fa-7794-71f0-c8b1-7c87759df5bf",
                    "secretId": "ad24df93-19c8-c865-9997-6b8513253d3a"
                }
            }'
    ```

    ### Sample response

    ```bash Response theme={"dark"}
    {
        "appConnection": {
            "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
            "name": "my-vault-connection",
            "projectId": "7ffbb072-2575-495a-b5b0-127f88caef78",
            "version": 1,
            "orgId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
            "createdAt": "2025-04-01T05:31:56Z",
            "updatedAt": "2025-04-01T05:31:56Z",
            "app": "hashicorp-vault",
            "method": "app-role",
            "credentials": {
                "instanceUrl": "https://vault.example.com",
                "roleId": "4797c4fa-7794-71f0-c8b1-7c87759df5bf"
            }
        }
    }
    ```
  </Tab>
</Tabs>
