Govern AI agents on HashiCorp Vault
Manage how AI agents access secrets and credentials through HashiCorp Vault. The Vault pack enforces least-privilege access, rotates credentials, and logs every secret request in the governance audit trail.
What this pack does
- Least-privilege secret access for agents
- Dynamic credential generation per agent session
- Policy enforcement on secret paths
- Audit trail of all credential access
Use cases
Issue short-lived database credentials to agents
Block agents from accessing production secrets without approval
Audit all agent secret access patterns
Quick setup
- 1Install the Vault pack: cordumctl pack install vault
- 2Configure Vault address and authentication method
- 3Define secret path policies for agents
- 4Enable the pack and test credential issuance
Frequently asked questions
How does Cordum keep agents from reading any secret they want?
Unlike the packs where reads are allowed by default, the Vault pack requires approval for secret reads by default. On top of that, the worker enforces secret-path allow and deny lists, so an agent can only resolve the paths you authorize, and a Require Approval decision is returned before the secret is fetched.
Can agents get short-lived credentials instead of static secrets?
Yes. The pack supports dynamic credential generation, so you can issue short-lived database or cloud credentials per agent session rather than handing out long-lived secrets. When the session ends the credential expires, shrinking the window of exposure.
Does the agent ever hold the Vault token?
No. The worker authenticates to Vault with its own configured method and token, and the agent simply requests a governed secret read. Credentials stay in the worker environment, never in the agent's prompt or memory.
Can we audit which secrets an agent accessed?
Yes. Every credential access and its governance decision is written to the audit trail, giving you a complete record of which agent requested which secret path and whether it was allowed, approved, or denied.
Ready to govern HashiCorp Vault?
Other integrations
Approval notifications and agent alerts in Slack channels.
Govern AI agent actions on GitHub repositories.
Govern AI agent read and write actions against the AWS API.
Governance for AI agents managing Jira workflows.
Govern AI agents responding to Kubernetes incidents.
Feed Datadog alerts into governed agent workflows.