Hashicorp Vault Connection

Navigate to Vault Access

Enable New Method

In the Authentication Methods tab, click on Enable new method.

Select AppRole

Enable Method

You may change the name of the method, but we suggest keeping it as approle.

Navigate to Vault Policies

From the home page, navigate to Policies.

Create ACL Policy

Create Policy

You may name your policy whatever you want, but remember the name as it will be used in future steps.Depending on your use case, you may have different policy configurations:

• Secret Sync

Copy

Ask AI

path "demo_mount/data/*" {
  capabilities = [ "create", "read", "update" ]
}

path "sys/mounts" {
  capabilities = ["read"]
}

• demo_mount: The name of the target secrets engine (e.g., ‘secret’, ‘kv’).
• data/*: The path within the secrets engine used for storing secrets. The wildcard (*) grants access to all secrets within this mount point.

Make sure to replace the policy path with the specific path where you intend to sync your secrets. For better security and control, it’s recommended to use a more granular path instead of a wildcard (*). You can also specify a path that doesn’t yet exist—Infisical will automatically create it for you during the sync process.

Run Shell Commands

Open Vault Shell

If you used custom approle or policy names in previous steps, you’ll need to customize the following commands.

Create Infisical Role

Copy

Ask AI

vault write auth/approle/role/infisical token_policies="infisical-policy" token_ttl=30s token_max_ttl=2m

Read RoleID

Copy

Ask AI

vault read auth/approle/role/infisical/role-id

Generate New SecretID

Copy

Ask AI

vault write -force auth/approle/role/infisical/secret-id

Your shell output should look similar to the image below. Save the RoleID and SecretID values for later steps.

Navigate to App Connections

In your Infisical dashboard, navigate to the App Connections page in the desired project.

Add Connection

Click the + Add Connection button and select the Hashicorp Vault Connection option.

Configure Connection

Configure your Vault Connection using the Instance URL and credentials from the steps above. Depending on if you chose to authenticate with an Access Token or AppRole, you may need to input different information.

• App Role
• Access Token

• Name: The name of the connection being created. Must be slug-friendly.
• Description: An optional description to provide details about this connection.
• Instance URL: The URL of your Hashicorp Vault instance.
• Namespace (optional): The namespace within your vault. Self-hosted and enterprise clusters may not use namespaces.
• Role ID: The Role ID generated in the steps above.
• Secret ID: The Secret ID generated in the steps above.

Connection Created

Your Vault Connection is now available for use.