Skip to content
Security

Govern AI agents on HashiCorp Vault

Manage how AI agents access secrets and credentials through HashiCorp Vault. The Vault pack enforces least-privilege access, rotates credentials, and logs every secret request in the governance audit trail.

What this pack does

  • Least-privilege secret access for agents
  • Dynamic credential generation per agent session
  • Policy enforcement on secret paths
  • Audit trail of all credential access

Use cases

Issue short-lived database credentials to agents

Block agents from accessing production secrets without approval

Audit all agent secret access patterns

Quick setup

  1. 1Install the Vault pack: cordumctl pack install vault
  2. 2Configure Vault address and authentication method
  3. 3Define secret path policies for agents
  4. 4Enable the pack and test credential issuance

Frequently asked questions

How does Cordum keep agents from reading any secret they want?

Unlike the packs where reads are allowed by default, the Vault pack requires approval for secret reads by default. On top of that, the worker enforces secret-path allow and deny lists, so an agent can only resolve the paths you authorize, and a Require Approval decision is returned before the secret is fetched.

Can agents get short-lived credentials instead of static secrets?

Yes. The pack supports dynamic credential generation, so you can issue short-lived database or cloud credentials per agent session rather than handing out long-lived secrets. When the session ends the credential expires, shrinking the window of exposure.

Does the agent ever hold the Vault token?

No. The worker authenticates to Vault with its own configured method and token, and the agent simply requests a governed secret read. Credentials stay in the worker environment, never in the agent's prompt or memory.

Can we audit which secrets an agent accessed?

Yes. Every credential access and its governance decision is written to the audit trail, giving you a complete record of which agent requested which secret path and whether it was allowed, approved, or denied.

Ready to govern HashiCorp Vault?

Other integrations