AgentSkillsCN

hashicorp-vault

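Manage secrets and check system health via the HashiCorp Vault HTTP API. Use it when reading, writing, or managing secrets in Vault, checking Vault health status, working with the KV secrets engines (v1 and v2), or managing secret metadata and versions. Triggered when the user mentions HashiCorp Vault, Vault secrets, the Vault KV engine, secret management, the Vault API, or needs to store or retrieve sensitive configuration data.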

SKILL.md
--- frontmatter
name: hashicorp-vault
description: >
  Manage secrets and check system health via the HashiCorp Vault HTTP API. Use this
  skill when reading, writing, or managing secrets in Vault, checking Vault health
  status, working with KV secrets engines (v1 and v2), or managing secret metadata
  and versions. Trigger when the user mentions HashiCorp Vault, Vault secrets, Vault
  KV engine, secret management, Vault API, or needs to store/retrieve sensitive
  configuration data.

HashiCorp Vault HTTP API

Full access to HashiCorp Vault via its REST-like HTTP API for secrets management and system health monitoring.

When to Use

  • Reading and writing secrets (KV v1 and v2 engines)
  • Checking Vault health and seal status
  • Managing secret versions (delete, undelete, destroy)
  • Working with secret metadata
  • Listing secrets at a path

Authentication

Send a client token via either header:

X-Vault-Token: <vault_token>
Authorization: Bearer <vault_token>

For Enterprise namespaces, include:

X-Vault-Namespace: admin

System Health

GET /sys/health — Returns Vault status (initialized, sealed, standby). Returns different HTTP status codes based on state (200 = active, 429 = standby, 472 = performance standby, 501 = not initialized, 503 = sealed).

KV Secrets Engine v1

Simple key-value storage without versioning:

| Endpoint | Method | Purpose |
|---|---|---|
| /secret/{path} | GET | Read a secret |
| /secret/{path} | POST/PUT | Create or update a secret |
| /secret/{path} | DELETE | Delete a secret |
| /secret/ | LIST | List secrets at root |

KV Secrets Engine v2

Versioned key-value storage with full lifecycle management:

| Endpoint | Method | Purpose |
|---|---|---|
| /secret/data/{path} | GET | Read secret (latest or specific version) |
| /secret/data/{path} | POST | Create/update secret (new version) |
| /secret/delete/{path} | POST | Soft-delete version(s) |
| /secret/undelete/{path} | POST | Restore soft-deleted version(s) |
| /secret/destroy/{path} | POST | Permanently destroy version(s) |
| /secret/metadata/{path} | GET | Read secret metadata |
| /secret/metadata/{path} | POST | Update metadata settings |
| /secret/metadata/{path} | DELETE | Delete all versions and metadata |
| /secret/metadata/ | LIST | List secrets at root |

KV v2 Read Options

Use query parameters for version control:

  • version — Specific version number to read
  • The response wraps the secret data in data.data, with metadata including version, created_time, destroyed, deletion_time

Check-and-Set (CAS)

KV v2 supports optimistic locking via the cas parameter in the write options. Set cas to the current version number to prevent concurrent overwrites.
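
The check-and-set write described above, as an added example that is not part of the original skill: a read-modify-write loop that sends the version it just read as options.cas and re-reads when another writer got in first. Assumptions: `base` already carries the /v1 API prefix, a CAS mismatch is reported as HTTP 400, and `vault_transport`, `cas_update` and `FakeKV` are hypothetical names; `FakeKV` is a constructed in-memory stand-in so the loop can run offline.

```python
import json
import urllib.error
import urllib.request

def vault_transport(base, token):
    """call(method, path, body) -> (status, json); base like https://host:8200/v1 (assumed)."""
    def call(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base + path, data=data, method=method,
                                     headers={"X-Vault-Token": token})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                return resp.status, json.load(resp)
        except urllib.error.HTTPError as err:
            return err.code, {}
    return call

def cas_update(call, path, mutate, retries=3):
    """Read-modify-write one KV v2 secret under check-and-set; returns the new version."""
    for _ in range(retries):
        status, doc = call("GET", f"/secret/data/{path}")
        if status == 200:
            current = doc["data"]["data"]
            version = doc["data"]["metadata"]["version"]
        elif status == 404:
            current, version = {}, 0  # cas=0: write succeeds only if the key does not exist
        else:
            raise RuntimeError(f"read failed: HTTP {status}")
        body = {"options": {"cas": version}, "data": mutate(dict(current))}
        status, doc = call("POST", f"/secret/data/{path}", body)
        if status == 200:
            return doc["data"]["version"]
        if status != 400:  # assumed: 400 means the version moved, so re-read and retry
            raise RuntimeError(f"write failed: HTTP {status}")
    raise RuntimeError(f"gave up on {path}: still conflicting after {retries} tries")

class FakeKV:
    """Constructed in-memory stand-in for a KV v2 mount, for offline runs only."""
    def __init__(self):
        self.versions = {}  # request path -> list of data dicts, index 0 is version 1
    def __call__(self, method, path, body=None):
        held = self.versions.setdefault(path, [])
        if method == "GET":
            latest = {"data": held[-1], "metadata": {"version": len(held)}} if held else None
            return (200, {"data": latest}) if held else (404, {})
        if body.get("options", {}).get("cas", len(held)) != len(held):
            return 400, {"errors": ["check-and-set parameter did not match the current version"]}
        held.append(body["data"])
        return 200, {"data": {"version": len(held)}}
```

Against a real server, pass `vault_transport(base, token)` in place of `FakeKV()`; a write that omits options.cas is not protected by this check.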

API Reference

For complete schema details including all endpoints, request/response bodies, error codes, and version management, read references/openapi.yml.