Tools
Hashicorp Vault
Hashicorp Vault native agent tools plugin for OpenClaw — vault_get, vault_put, vault_list, vault_check
README
# openclaw-hashicorp-vault
> Native [Hashicorp Vault](https://www.vaultproject.io/) agent tools for [OpenClaw](https://openclaw.ai).
Adds `vault_get`, `vault_put`, `vault_list`, and `vault_check` as first-class tools in the OpenClaw agent loop — no shell scripts, no skill wrappers. Your AI assistant can read and write secrets directly, with in-process caching and safe error handling.
## Tools
| Tool | Description |
|------|-------------|
| `vault_check` | Check Vault connectivity and token status (TTL, display name, expiry warnings) |
| `vault_get` | Read a secret — returns all keys or a single value; results cached in-process |
| `vault_put` | Write/update secret keys — merges with existing, never overwrites unrelated keys |
| `vault_list` | List secret keys at a path |
All tools are **optional** (each requires an explicit allowlist entry), so secrets are never exposed in contexts where they aren't needed.
## Installation
```bash
openclaw plugins install openclaw-hashicorp-vault
```
Or link a local clone for development:
```bash
git clone https://github.com/jbushman/openclaw-hashicorp-vault
openclaw plugins install --link ./openclaw-hashicorp-vault
```
Restart the gateway after install:
```bash
openclaw gateway restart
```
## Configuration
Add to your `openclaw.json` (or use `openclaw config set`):
```json
{
"plugins": {
"entries": {
"vault": {
"config": {
"address": "https://vault.example.com:8200",
"mount": "secret",
"token": "${VAULT_TOKEN}",
"tlsVerify": true,
"cacheTtlSeconds": 300
}
}
}
}
}
```
Via CLI:
```bash
openclaw config set plugins.entries.vault.config.address "https://vault.example.com:8200"
openclaw config set plugins.entries.vault.config.mount "secret"
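# Single quotes keep ${VAULT_TOKEN} literal so it is resolved from the environment at runtime;
# in double quotes the shell would expand it and the token value itself would be written to the config.
openclaw config set plugins.entries.vault.config.token '${VAULT_TOKEN}'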
```
### Config reference
| Key | Required | Default | Description |
|-----|----------|---------|-------------|
| `address` | ✅ | — | Vault server URL (e.g. `https://vault.example.com:8200`) |
| `token` | ✅ | — | Vault token. Supports `${ENV_VAR}` syntax. |
| `mount` | | `secret` | KV v2 mount path |
| `cacheTtlSeconds` | | `300` | In-process secret cache TTL. Set to `0` to disable. |
| `tlsVerify` | | `true` | Verify the Vault server's TLS certificate. Disable for internal Vault with self-signed certs; with verification off, the server's identity is not checked. |
## Enable tools
All tools are optional — add them to your agent's allowlist:
```json
{
"agents": {
"list": [
{
"id": "main",
"tools": {
"allow": ["vault_check", "vault_get", "vault_put", "vault_list"]
}
}
]
}
}
```
Or enable the entire plugin:
```json
"allow": ["vault"]
```
## Usage examples
Once enabled, your agent can use the tools naturally:
> "Check if Vault is reachable."
> → calls `vault_check` — returns token info and expiry
> "Get the R2 secret access key."
> → calls `vault_get` with `path: "r2", key: "secret_access_key"`
> "Update the database URL in Vault."
> → calls `vault_put` with `path: "database", data: { url: "postgres://..." }`
## Requirements
- OpenClaw (any recent version)
- Hashicorp Vault with KV v2 secrets engine
- A valid Vault token with appropriate policies
## KV v2 note
This plugin uses the **KV v2** API (`/v1/<mount>/data/<path>`). If your Vault uses KV v1, you'll need to adjust the `vaultFetch` path in `index.ts` (remove the `/data/` segment).
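The KV v1 / KV v2 difference from the note above, together with the merge-on-write behaviour described for `vault_put`, as an added example that is not the plugin's own code. `kvUrl`, `unwrapRead` and `writeBody` are hypothetical names; `cas` is Vault's KV v2 check-and-set option, and whether the plugin sends it is not stated on this page.

```typescript
// Added example, not the plugin's code. kvUrl, unwrapRead and writeBody are
// hypothetical helper names; the plugin's own function is vaultFetch.
type KvVersion = 1 | 2;
type Secret = Record<string, unknown>;

// Split on "/", drop empty parts, and refuse dot segments: URL parsers resolve
// ".." so an agent-supplied path could otherwise leave the KV mount.
function segments(p: string): string[] {
  const parts = p.split("/").filter((s) => s.length > 0);
  if (parts.length === 0 || parts.some((s) => s === "." || s === "..")) {
    throw new Error(`unsafe or empty path: ${JSON.stringify(p)}`);
  }
  return parts.map((s) => encodeURIComponent(s));
}

// KV v2 inserts "data/" (read/write) or "metadata/" (list) after the mount;
// KV v1 addresses the secret directly under the mount.
function kvUrl(address: string, mount: string, path: string,
               version: KvVersion, op: "data" | "list" = "data"): string {
  const infix = version === 2 ? [op === "list" ? "metadata" : "data"] : [];
  const full = [...segments(mount), ...infix, ...segments(path)].join("/");
  return `${address.replace(/\/+$/, "")}/v1/${full}`;
}

// KV v2 nests the key/value pairs one level deeper (data.data) than KV v1 (data).
function unwrapRead(body: any, version: KvVersion): Secret {
  const payload = version === 2 ? body?.data?.data : body?.data;
  if (payload === null || typeof payload !== "object") {
    throw new Error("unexpected Vault response shape");
  }
  return payload as Secret;
}

// Merge-on-write: keys not named in `updates` survive. KV v2 wraps the keys in
// "data"; passing the version just read as "cas" (check-and-set) makes Vault
// reject the write if the secret was changed by someone else in between.
function writeBody(existing: Secret, updates: Secret,
                   version: KvVersion, cas?: number): Secret {
  const merged: Secret = { ...existing, ...updates };
  if (version === 1) return merged;
  return cas === undefined ? { data: merged } : { options: { cas }, data: merged };
}
```
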
## Development
```bash
git clone https://github.com/jbushman/openclaw-hashicorp-vault
cd openclaw-hashicorp-vault
openclaw plugins install --link .
openclaw gateway restart
```
Logs appear in the gateway output under the `vault:` prefix.
## Contributing
PRs welcome. Please open an issue first for significant changes.
See [CONTRIBUTING.md](CONTRIBUTING.md).
## License
MIT — see [LICENSE](LICENSE).