Vault is a tool for securely accessing secrets: API keys, passwords, certificates, and anything else you want to tightly control access to. It provides a unified interface to any secret while enforcing access control and recording a detailed audit log, aimed at teams running modern, service-oriented systems where understanding who has access to what secret is otherwise difficult and platform-specific.
Vault fits organizations running service-oriented or microservice architectures that need a central, auditable place to manage database credentials, API keys, and inter-service secrets, especially where manual secret rotation and ad hoc access tracking have become unmanageable. Its dynamic secrets feature is particularly valuable for cloud infrastructure and databases, since credentials can be generated on demand and automatically revoked rather than living indefinitely in a config file.
It's a substantial piece of infrastructure to operate correctly. Vault requires understanding of leasing, backend storage choices, and access policies, and getting the operational model wrong (for example, mismanaging unseal keys or storage backends) can lock you out of your own secrets. For a single small application with a handful of static credentials, a simpler secrets solution may be enough; Vault's value grows with the number of services, secret types, and access boundaries you need to manage.
Vault provides both an open source edition and Vault Enterprise; check the HashiCorp website for downloads and packaged releases in most environments.
To build Vault from source for development, you'll need Go installed, with GOPATH and GOBIN configured and $GOPATH/bin on your path. Clone the repository outside your GOPATH, since Vault uses Go Modules, then bootstrap the build tools:
make bootstrap
Build a development binary with:
make dev
bin/vault
To include the UI in your development build:
make static-dist dev-ui
bin/vault
Run the test suite, which requires Docker:
make test
To scope tests to a specific package:
make test TEST=./vault
Acceptance tests exercise real secret and auth method integrations and can create, modify, or destroy actual resources, which may incur real costs; run them at your own risk, ideally in a dedicated test account:
make testacc TEST=./builtin/logical/consul
The repository also publishes two importable Go libraries, github.com/hashicorp/vault/api and github.com/hashicorp/vault/sdk, though importing the main Vault module itself into other projects is not a supported usage pattern. For programming language-specific examples of interacting with a running Vault server, see the separate vault-examples repository and the hello-vault-go sample application.