Hashicorp Vault Sync

Prerequisites:

Set up and add secrets to Infisical Cloud
Create a Hashicorp Vault Connection

Add Sync

Navigate to Project > Integrations and select the Secret Syncs tab. Click on the Add Sync button.

Select Hashicorp Vault

Configure Source

Configure the Source from where secrets should be retrieved, then click Next.

Environment: The project environment to retrieve secrets from.
Secret Path: The folder path to retrieve secrets from.

If you need to sync secrets from multiple folder locations, check out secret imports.

Configure Destination

Configure the Destination to where secrets should be deployed.

Hashicorp Vault Connection: The Vault Connection to authenticate with.
Secrets Engine Mount: The secrets engine to sync secrets with (e.g., ‘secret’, ‘kv’).
Path: The specific path within the secrets engine where secrets will be stored.

After configuring these parameters, click the Next button to continue to the Sync Options step.

If the path you provide does not exist in Vault, it will be created.

Configure Sync Options

Configure the Sync Options to specify how secrets should be synced, then click Next.

Initial Sync Behavior: Determines how Infisical should resolve the initial sync.
- Overwrite Destination Secrets: Removes any secrets at the destination endpoint not present in Infisical.
- Import Secrets (Prioritize Infisical): Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over Hashicorp Vault when keys conflict.
- Import Secrets (Prioritize Hashicorp Vault): Imports secrets from the destination endpoint before syncing, prioritizing values from Hashicorp Vault over Infisical when keys conflict.
Key Schema: Template that determines how secret names are transformed when syncing, using {{secretKey}} as a placeholder for the original secret name.

We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.

Auto-Sync Enabled: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
Disable Secret Deletion: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.

Configure Details

Configure the Details of your Hashicorp Vault Sync, then click Next.

Name: The name of your sync. Must be slug-friendly.
Description: An optional description for your sync.

Review Configuration

Review your Hashicorp Vault Sync configuration, then click Create Sync.

Sync Created

If enabled, your Hashicorp Vault Sync will begin syncing your secrets to the destination endpoint.

Add Sync

Navigate to Project > Integrations and select the Secret Syncs tab. Click on the Add Sync button.

Select Hashicorp Vault

Configure Source

Configure the Source from where secrets should be retrieved, then click Next.

Environment: The project environment to retrieve secrets from.
Secret Path: The folder path to retrieve secrets from.

If you need to sync secrets from multiple folder locations, check out secret imports.

Configure Destination

Configure the Destination to where secrets should be deployed.

Hashicorp Vault Connection: The Vault Connection to authenticate with.
Secrets Engine Mount: The secrets engine to sync secrets with (e.g., ‘secret’, ‘kv’).
Path: The specific path within the secrets engine where secrets will be stored.

After configuring these parameters, click the Next button to continue to the Sync Options step.

If the path you provide does not exist in Vault, it will be created.

Configure Sync Options

Configure the Sync Options to specify how secrets should be synced, then click Next.

Initial Sync Behavior: Determines how Infisical should resolve the initial sync.
- Overwrite Destination Secrets: Removes any secrets at the destination endpoint not present in Infisical.
- Import Secrets (Prioritize Infisical): Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over Hashicorp Vault when keys conflict.
- Import Secrets (Prioritize Hashicorp Vault): Imports secrets from the destination endpoint before syncing, prioritizing values from Hashicorp Vault over Infisical when keys conflict.
Key Schema: Template that determines how secret names are transformed when syncing, using {{secretKey}} as a placeholder for the original secret name.

We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.

Auto-Sync Enabled: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
Disable Secret Deletion: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.

Configure Details

Configure the Details of your Hashicorp Vault Sync, then click Next.

Name: The name of your sync. Must be slug-friendly.
Description: An optional description for your sync.

Review Configuration

Review your Hashicorp Vault Sync configuration, then click Create Sync.

Sync Created

If enabled, your Hashicorp Vault Sync will begin syncing your secrets to the destination endpoint.

To create an Hashicorp Vault Sync, make an API request to the Create Hashicorp Vault Sync API endpoint.

Sample request

Request
curl    --request POST \
        --url https://app.infisical.com/api/v1/secret-syncs/hashicorp-vault \
        --header 'Content-Type: application/json' \
        --data '{
            "name": "my-vault-sync",
            "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
            "description": "an example sync",
            "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
            "environment": "dev",
            "secretPath": "/",
            "isEnabled": true,
            "syncOptions": {
                "initialSyncBehavior": "overwrite-destination"
            },
            "destinationConfig": {
                "mount": "secret",
                "path": "dev/nested"
            }
        }'

Sample response

Response
{
    "secretSync": {
        "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
        "name": "my-vault-sync",
        "description": "an example sync",
        "isEnabled": true,
        "version": 1,
        "folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
        "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
        "createdAt": "2023-11-07T05:31:56Z",
        "updatedAt": "2023-11-07T05:31:56Z",
        "syncStatus": "succeeded",
        "lastSyncJobId": "123",
        "lastSyncMessage": null,
        "lastSyncedAt": "2023-11-07T05:31:56Z",
        "importStatus": null,
        "lastImportJobId": null,
        "lastImportMessage": null,
        "lastImportedAt": null,
        "removeStatus": null,
        "lastRemoveJobId": null,
        "lastRemoveMessage": null,
        "lastRemovedAt": null,
        "syncOptions": {
            "initialSyncBehavior": "overwrite-destination"
        },
        "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
        "connection": {
            "app": "hashicorp-vault",
            "name": "my-vault-connection",
            "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
        },
        "environment": {
            "slug": "dev",
            "name": "Development",
            "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
        },
        "folder": {
            "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
            "path": "/"
        },
        "destination": "hashicorp-vault",
        "destinationConfig": {
            "mount": "secret",
            "path": "dev/nested"
        }
    }
}

Infrastructure Integrations

App Connections

Secret Syncs

Native Integrations

CI/CD Integrations

Framework Integrations

Build Tool Integrations

Others

Hashicorp Vault Sync

Sample request

Sample response

Infrastructure Integrations

App Connections

Secret Syncs

Native Integrations

CI/CD Integrations

Framework Integrations

Build Tool Integrations

Others

​Sample request

​Sample response

Sample request

Sample response