Vault MCP

This guide adds Vault MCP Server to the local unified gateway stack.

Enable Vault MCP

Vault MCP is available at:

  • http://127.0.0.1:8811/mcp

Enable the server and start the stack:

just mcp-enable vault
just mcp-up

Vault credentials

Mint Vault MCP credentials with Terraform:

  1. In terraform-hcp-bootstrap, create the backend workspace for terraform-vault-bootstrap.
  2. In terraform-vault-bootstrap, run apply against HCP Vault.
  3. Copy the outputs into the Bitwarden item HCP Vault Ezra, using the fields VAULT_ADDR, VAULT_TOKEN (from mcp_token), and VAULT_NAMESPACE (typically admin).

Hydrate Vault MCP credentials from Bitwarden:

just bw-vault-credentials-pull

Expected .env keys:

  • VAULT_ADDR
  • VAULT_TOKEN
  • VAULT_NAMESPACE (defaults to admin when omitted)

Default Bitwarden item name used by hydration:

  • HCP Vault Ezra
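
A preflight check for the hydrated .env, covering the expected keys listed above. This is an added example, not part of this stack's tooling: the function names are hypothetical, and the https-only rule and the owner-only file mode are assumptions rather than requirements stated in this guide.

```shell
# Added example: preflight check for the hydrated .env. Not part of the stack's tooling.

# env_get FILE KEY: print KEY's value from a KEY=VALUE file (last assignment wins,
# optional "export " prefix and surrounding quotes removed).
env_get() {
  sed -n "s/^\(export \)\{0,1\}$2=//p" "$1" | tail -n 1 |
    sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# vault_namespace FILE: effective namespace; "admin" when the key is omitted (per the guide).
vault_namespace() {
  ns=$(env_get "$1" VAULT_NAMESPACE)
  printf '%s\n' "${ns:-admin}"
}

# check_vault_env FILE: return 0 if FILE looks usable, 1 otherwise.
# Findings go to stderr; the token value is never printed.
check_vault_env() {
  file=$1; rc=0
  [ -f "$file" ] || { echo "FAIL: $file not found" >&2; return 1; }

  # The file holds a live Vault token: group/other must have no access.
  if [ "$(ls -ld "$file" | cut -c5-10)" != "------" ]; then
    echo "FAIL: $file is accessible to group/other; run: chmod 600 $file" >&2; rc=1
  fi

  # Assumption: HCP Vault is always reached over TLS, so plain http is rejected.
  case $(env_get "$file" VAULT_ADDR) in
    https://?*) ;;
    '') echo "FAIL: VAULT_ADDR is not set" >&2; rc=1 ;;
    *)  echo "FAIL: VAULT_ADDR is not an https:// URL" >&2; rc=1 ;;
  esac

  [ -n "$(env_get "$file" VAULT_TOKEN)" ] ||
    { echo "FAIL: VAULT_TOKEN is empty or missing" >&2; rc=1; }

  echo "namespace: $(vault_namespace "$file")" >&2
  return "$rc"
}
```

Source the functions and run check_vault_env .env after just bw-vault-credentials-pull and before just mcp-up.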

Validate end-to-end

Run the normal MCP validation flow:

just mcp-e2e
just mcp-smoke

If you changed stack wiring, also run:

just test
just build
just pre-commit

Notes

  • The Vault docs currently mark Vault MCP as beta.
  • This stack uses local Docker MCP runtime only; no hosted MCP endpoint is added.