Vault CLI for AI Agents — Infrastructure Secrets by AI

Let your AI agent manage secrets, generate dynamic credentials, and control encryption across your infrastructure

What your agent can do

Your application stores database credentials in environment variables. You rotate them every 90 days — manually. One missed rotation and your production database runs on a stale credential for months. Vault eliminates this entirely. Your agent runs `vault read -format=json database/creds/app-role` and gets a dynamically generated credential that expires automatically. Every request gets a fresh credential. No rotation scripts, no shared passwords.

HashiCorp Vault is the infrastructure-grade secrets management platform. 35,000 GitHub stars, used by thousands of organizations for secrets storage, dynamic credential generation, encryption as a service, and certificate management. The CLI gives your AI agent direct access to all of it with `-format=json` on every command.

Dynamic secrets are the core innovation. Instead of storing static passwords, Vault generates credentials on demand. `vault read aws/creds/deploy-role` creates a temporary AWS IAM user. `vault read database/creds/readonly` generates a unique database credential with a TTL. When the TTL expires, Vault automatically revokes the credential. Your agent requests credentials at runtime and they self-destruct when no longer needed.

The `-field=key` flag is the agent-native shortcut. `vault kv get -field=password secret/data/db` returns just the password value — no JSON wrapping, no metadata, just the string. Pipe it into any command. For full structured data, `-format=json` returns the complete secret with version metadata, creation time, and custom metadata.
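Added example (not from the original page or from HashiCorp): because every read returns a fresh credential, an agent that needs both username and password should take them from one `-format=json` response rather than from two separate `-field=` reads. This Python wrapper does that, tracks the TTL, and keeps the password out of `repr`. The names `DynamicCred`, `parse_cred`, `fetch_cred`, `revoke_argv`, the two-thirds refresh policy, and the sample response are assumptions made for illustration.

```python
import json
import subprocess
from dataclasses import dataclass, field

# Constructed sample of `vault read -format=json database/creds/app-role`
# output; every value is a placeholder, not a real credential.
SAMPLE_RESPONSE = """{
  "request_id": "00000000-0000-0000-0000-000000000000",
  "lease_id": "database/creds/app-role/EXAMPLELEASEID",
  "lease_duration": 3600,
  "renewable": true,
  "data": {"username": "v-approle-example", "password": "EXAMPLE-ONLY"}
}"""


@dataclass(frozen=True)
class DynamicCred:  # hypothetical container, not a Vault type
    username: str
    password: str = field(repr=False)  # keeps the secret out of logs and tracebacks
    lease_id: str
    ttl_seconds: int
    issued_at: float

    def needs_refresh(self, now):
        """True once two thirds of the TTL has elapsed (assumed refresh policy)."""
        return (now - self.issued_at) * 3 >= self.ttl_seconds * 2


def parse_cred(raw, issued_at):
    """Extract username and password from ONE response so they always match."""
    doc = json.loads(raw)
    data = doc.get("data") or {}
    if not doc.get("lease_id") or not all(k in data for k in ("username", "password")):
        raise ValueError("response is not a leased dynamic credential")
    return DynamicCred(data["username"], data["password"], doc["lease_id"],
                       int(doc["lease_duration"]), issued_at)


def fetch_cred(path, now, run=subprocess.run):
    """Run the page's read command once; address and token come from the environment."""
    out = run(["vault", "read", "-format=json", path],
              capture_output=True, text=True, check=True)
    return parse_cred(out.stdout, now)


def revoke_argv(cred):
    """argv that ends the lease early instead of waiting for the TTL to expire."""
    return ["vault", "lease", "revoke", cred.lease_id]
```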

Frequently asked questions

Can AI agents manage infrastructure secrets with Vault?
Yes. Vault runs non-interactively with `VAULT_TOKEN` or AppRole authentication. Every command supports `-format=json` and `-field=key`. Dynamic secrets generate unique, time-limited credentials on demand. The Vault Agent sidecar handles automatic token renewal. Your agent manages AWS credentials, database passwords, encryption keys, and certificates without interactive prompts. Install with `brew tap hashicorp/tap && brew install hashicorp/tap/vault`.
What is the difference between Vault and 1Password CLI?
1Password is SaaS-based secrets management for teams — simple, user-friendly, focused on storing and injecting static secrets. Vault is infrastructure-grade — dynamic credential generation, encryption as a service, PKI certificate management, and database credential rotation with automatic revocation. Use 1Password for application API keys and team passwords. Use Vault when you need dynamic credentials, auto-rotation, and infrastructure-level security.
What are dynamic secrets?
Instead of storing static passwords, Vault generates unique credentials per request. `vault read aws/creds/deploy-role` creates a temporary AWS IAM user. `vault read database/creds/app` creates a temporary database login. Each credential has a TTL and is automatically revoked when it expires. No shared passwords, no rotation scripts, no stale credentials sitting in environment files.