Overview

HashiCorp Vault Cloud, part of the HashiCorp Cloud Platform (HCP), provides a managed service for HashiCorp Vault, a tool for securing, storing, and controlling access to tokens, passwords, certificates, encryption keys, and other sensitive data. Vault aims to solve the problem of "secret sprawl" by centralizing secrets management, making it easier for organizations to manage credentials across hybrid and multi-cloud environments (HashiCorp Cloud Platform Vault overview). It is designed for developers and technical buyers who need to automate the lifecycle of secrets, from creation and rotation to revocation.

Vault Cloud is particularly well-suited for scenarios requiring dynamic secret generation, where secrets are created on demand and have a limited lifespan. This capability helps reduce the attack surface by ensuring that applications and machines only have access to secrets when they need them and for a specific duration (Vault dynamic secrets documentation). It supports integration with various identity providers, enabling identity-based access control to secrets rather than relying on static credentials. Use cases range from securing microservices in Kubernetes clusters to managing database credentials and API keys across multiple cloud providers like AWS, Azure, and Google Cloud.

The service targets organizations that operate complex, distributed systems and need a consistent security posture across different environments. Its architecture emphasizes auditability, allowing operations teams to track who accessed what secret and when. While the open-source version of Vault is widely adopted for self-management, HCP Vault Cloud offers a fully managed experience, reducing the operational overhead associated with deploying, scaling, and maintaining a highly available and secure Vault instance (HashiCorp Vault documentation). This managed offering includes features like automated upgrades, backups, and monitoring, which are critical for production workloads. The concept of secrets management as a centralized service has gained traction due to the increasing complexity of cloud-native architectures and the need for robust security primitives (The New Stack article on secrets management).

Key features

  • Secrets Management: Securely stores and manages static and dynamic secrets, including API keys, passwords, and certificates.
  • Dynamic Secrets: Generates on-demand secrets for various systems (e.g., databases, cloud providers) with a configurable Time-To-Live (TTL) (Vault dynamic secrets concept).
  • Encryption as a Service: Offers data encryption and decryption capabilities without storing the encryption keys directly in the application.
  • Identity-Based Access: Integrates with identity providers (e.g., Kubernetes, AWS IAM, Azure AD, GitHub) to authenticate users and machines, granting access based on their trusted identity (Vault authentication methods).
  • Audit Logging: Provides a detailed audit trail of all operations and access attempts within Vault, supporting compliance and security monitoring.
  • Secret Leasing and Revocation: Manages the lifecycle of secrets with automatic lease expiration and the ability to revoke secrets instantly.
  • Multi-Cloud Support: Designed to operate consistently across different cloud environments (AWS, Azure, Google Cloud) and on-premises infrastructure.
  • High Availability: HCP Vault Cloud is managed for high availability and disaster recovery, ensuring continuous access to secrets.
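The audit logging and identity-based access features above are only useful if someone reads the trail. The following is an added example (not HashiCorp's code) of detection logic run over Vault audit entries: it flags a client that collects repeated "permission denied" responses within a short window, and any request made with a token that carries the root policy. The field layout (type, time, auth, request, error) follows Vault's file audit device as the author of this example understands it; the log lines themselves are constructed for the example and are not real data. Note that Vault HMACs tokens and secret values before writing them to the audit log, so the entries never contain the secrets themselves.

```python
"""Detection logic over Vault file-audit-device JSON lines (added example).

Each entry is one JSON object: type ("request" or "response"), time,
auth (display_name, policies, ...), request (path, operation,
remote_address) and, when an operation failed, error.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Error string Vault returns on an ACL failure (as seen in response entries).
_DENIED = "1 error occurred:\n\t* permission denied\n\n"


def _entry(kind, ts, addr, path, op, policies, name, error=None):
    """Build one constructed audit entry in the file-audit-device layout."""
    e = {
        "type": kind,
        "time": ts,
        "auth": {"display_name": name, "policies": policies, "token_type": "service"},
        "request": {"path": path, "operation": op, "remote_address": addr},
    }
    if error:
        e["error"] = error
    return json.dumps(e)


# Constructed sample log: one benign read, three denials from 10.0.0.7,
# one isolated denial from 10.0.0.12, and one write made with a root token.
SAMPLE_AUDIT_LINES = [
    _entry("request", "2026-05-05T10:00:00Z", "10.0.0.12", "kv/my-app/config", "read", ["default", "my-app"], "approle-my-app"),
    _entry("response", "2026-05-05T10:00:00Z", "10.0.0.12", "kv/my-app/config", "read", ["default", "my-app"], "approle-my-app"),
    _entry("response", "2026-05-05T10:01:00Z", "10.0.0.7", "kv/payroll/db", "read", ["default"], "userpass-jdoe", _DENIED),
    _entry("response", "2026-05-05T10:02:30Z", "10.0.0.7", "kv/payroll/keys", "read", ["default"], "userpass-jdoe", _DENIED),
    _entry("response", "2026-05-05T10:03:10Z", "10.0.0.7", "sys/policies/acl/admin", "read", ["default"], "userpass-jdoe", _DENIED),
    _entry("response", "2026-05-05T10:04:00Z", "10.0.0.12", "kv/other/config", "read", ["default", "my-app"], "approle-my-app", _DENIED),
    _entry("request", "2026-05-05T10:05:00Z", "10.0.0.20", "sys/auth/approle", "update", ["root"], "token"),
]


def parse_entries(lines):
    """Parse JSON lines. Vault timestamps are RFC 3339 UTC, often with
    nanoseconds; the fraction is dropped since second precision is enough."""
    entries = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["_time"] = datetime.strptime(e["time"][:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        entries.append(e)
    return entries


def permission_denied_bursts(entries, threshold=3, window=timedelta(minutes=5)):
    """Return {remote_address: count} for clients whose permission-denied
    responses reach `threshold` inside any `window`-long interval."""
    by_client = defaultdict(list)
    for e in entries:
        if e.get("type") != "response":
            continue
        if "permission denied" not in (e.get("error") or ""):
            continue
        by_client[e["request"]["remote_address"]].append(e["_time"])
    flagged = {}
    for addr, times in by_client.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[addr] = best
    return flagged


def root_policy_uses(entries):
    """Return (display_name, path) for every request made with a root-policy token."""
    return [
        (e["auth"].get("display_name"), e["request"]["path"])
        for e in entries
        if e.get("type") == "request" and "root" in e.get("auth", {}).get("policies", [])
    ]


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_AUDIT_LINES)
    print("denial bursts:", permission_denied_bursts(parsed))
    print("root token use:", root_policy_uses(parsed))
```

Both checks are deliberately simple so they can be ported to whatever SIEM query language is in use; the threshold and window are the knobs to tune against the normal denial rate of the environment.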

Pricing

HashiCorp Vault Cloud offers a Developer tier that is free of charge, with usage-based pricing for its Standard and Enterprise tiers. Self-managed Vault Enterprise requires custom pricing determined through direct engagement with HashiCorp.

HashiCorp Cloud Platform Vault Cloud Pricing (as of 2026-05-05)

Tier       | Description                                             | Pricing Model                                           | Example Usage Cost
-----------|---------------------------------------------------------|---------------------------------------------------------|------------------------------------------------------------------------------------------------
Developer  | For personal use and local development.                 | Free                                                    | $0.00/hour
Standard   | Production workloads with usage-based billing.          | Usage-based (secret versions, API calls, data transfer) | Starts at $0.0000000021/secret version/month (example component) (HCP Vault Cloud Pricing Page)
Enterprise | Advanced features, higher scale, and dedicated support. | Custom usage-based pricing                              | Contact HashiCorp sales

Common integrations

  • Kubernetes: Integrates with Kubernetes to provide dynamic secrets for pods and services, often via the Vault Agent Injector (Vault and Kubernetes integration).
  • Cloud Providers (AWS, Azure, GCP): Supports dynamic secret generation for cloud-specific credentials (e.g., AWS IAM roles, Azure service principals, GCP service accounts) (Vault AWS secrets engine).
  • Databases: Connects to various databases (e.g., MySQL, PostgreSQL, MongoDB) to generate dynamic database credentials (Vault database secrets engine).
  • Identity Providers: Authenticates users and machines through integrations with OIDC, LDAP, GitHub, and more (Vault authentication methods).
  • CI/CD Pipelines: Used within CI/CD workflows (e.g., Jenkins, GitLab CI, GitHub Actions) to inject secrets securely during build and deployment processes.
  • Configuration Management Tools: Integrates with tools like Ansible, Chef, and Puppet to retrieve secrets for infrastructure configuration.

Alternatives

  • AWS Secrets Manager: A fully managed service for storing, managing, and retrieving secrets in AWS environments, offering automated rotation and fine-grained access control.
  • Azure Key Vault: Provides secure storage for cryptographic keys, certificates, and secrets in Azure, with hardware security module (HSM) backed protection.
  • Google Secret Manager: A fully managed service for storing API keys, passwords, certificates, and other sensitive data, with automatic versioning and access control in Google Cloud.
  • CyberArk Conjur: An open-source and commercial secrets management solution focused on securing machine identities and application secrets across the CI/CD pipeline and cloud.
  • Akeyless Vault: A SaaS-based secrets management platform that offers secrets management, data protection, and privileged access management (PAM) capabilities.

Getting started

To get started with HashiCorp Vault Cloud, you typically begin by setting up a Vault cluster on the HashiCorp Cloud Platform. Once provisioned, you can interact with it via the Vault CLI or API. The following example demonstrates logging in to a Vault server and writing a static secret using the Vault CLI.

# 1. Set the VAULT_ADDR environment variable to your Vault server address
export VAULT_ADDR="https://your-hcp-vault-cluster-address.hashicorp.cloud"

# 2. Log in to Vault using an appropriate authentication method (e.g., userpass, token)
#    For HCP Vault, you might use an OIDC-based login flow initially via the UI to get a token,
#    or use the HCP CLI to get temporary credentials.
#    Example using a token (replace <YOUR_VAULT_TOKEN> with your actual token; running
#    'vault login' with no argument prompts for the token instead, which keeps it out of
#    shell history):
vault login <YOUR_VAULT_TOKEN>

#    Alternatively, if userpass auth is enabled:
vault login -method=userpass username=myuser
#    (Vault will prompt for password)

# 3. Enable a K/V secrets engine (if not already enabled) - this is for storing arbitrary secrets
#    Without options this mounts K/V version 1 at 'kv/'; add '-version=2' for the versioned engine
vault secrets enable kv

# 4. Write a secret to the K/V engine at path 'kv/my-app/config'
#    (a value given as 'password=-' is read from stdin and 'password=@file' from a file,
#    which keeps the secret out of shell history)
vault kv put kv/my-app/config username="dbuser" password="s3cur3p@ss"

# 5. Read the secret
vault kv get kv/my-app/config

# Expected output for 'vault kv get kv/my-app/config':
# ===== Data =====
# Key          Value
# ---          -----
# password     s3cur3p@ss
# username     dbuser

This basic example illustrates the process of writing and reading a static secret. For dynamic secrets, the process involves configuring a secrets engine (e.g., AWS, database) and then requesting credentials, which Vault generates on the fly (Vault secrets engines overview). HashiCorp provides extensive documentation and tutorials for various integration patterns and use cases (HashiCorp Developer documentation for Vault).
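The CLI steps above hide two things an application has to deal with when it talks to Vault directly: the response layout of a K/V v2 read (the caller's keys sit under data.data, next to data.metadata) and the lease that comes back with every dynamic credential (lease_id, lease_duration, renewable), which the application must renew before it expires or revoke when done. The following added example (not HashiCorp's client library) does both over Vault's HTTP API with only the Python standard library. It assumes VAULT_ADDR and VAULT_TOKEN in the environment, a K/V v2 engine mounted at kv/, and a database secrets engine mounted at database/ with a role named my-app; the mount names and role are assumptions, and the sample responses in the comments are constructed.

```python
"""Static and dynamic secrets through the Vault HTTP API (added example).

Assumptions: VAULT_ADDR and VAULT_TOKEN in the environment, K/V v2 mounted
at kv/, database secrets engine mounted at database/ with a role 'my-app'.
"""
import json
import os
import time
import urllib.request
from dataclasses import dataclass


def _vault_request(addr, token, method, path, body=None):
    """Call /v1/<path> with the token in the X-Vault-Token header.
    Returns the parsed JSON body, or {} for 204 No Content (e.g. revoke)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{addr.rstrip('/')}/v1/{path}", data=data, method=method)
    req.add_header("X-Vault-Token", token)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def parse_kv_v2(response):
    """K/V v2 nests the stored pairs under data.data and the version under
    data.metadata. Returns (secret_dict, version)."""
    data = response["data"]
    return data["data"], data["metadata"]["version"]


@dataclass
class Lease:
    """A dynamic-secret lease as returned by a creds endpoint or sys/leases/renew."""
    lease_id: str
    issued_at: float      # epoch seconds when this response was received
    lease_duration: int   # TTL in seconds
    renewable: bool

    def remaining(self, now):
        return self.lease_duration - (now - self.issued_at)

    def needs_renewal(self, now, fraction=0.8):
        """Renew once `fraction` of the TTL is used, so the credential is
        never run into expiry mid-operation."""
        return self.renewable and (now - self.issued_at) >= fraction * self.lease_duration


def parse_lease(response, now):
    return Lease(response["lease_id"], now, response["lease_duration"], response["renewable"])


def read_kv(addr, token, mount, path):
    # GET kv/data/my-app/config -> {"data": {"data": {...}, "metadata": {"version": 1, ...}}}
    return parse_kv_v2(_vault_request(addr, token, "GET", f"{mount}/data/{path}"))


def get_db_creds(addr, token, mount, role):
    # GET database/creds/my-app -> lease_id, lease_duration, renewable, data.username, data.password
    resp = _vault_request(addr, token, "GET", f"{mount}/creds/{role}")
    return resp["data"]["username"], resp["data"]["password"], parse_lease(resp, time.time())


def renew_lease(addr, token, lease):
    resp = _vault_request(addr, token, "PUT", "sys/leases/renew", {"lease_id": lease.lease_id})
    return parse_lease(resp, time.time())


def revoke_lease(addr, token, lease):
    """Give the credential back early instead of waiting for the TTL to expire."""
    _vault_request(addr, token, "PUT", "sys/leases/revoke", {"lease_id": lease.lease_id})


if __name__ == "__main__":
    addr, token = os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"]
    secret, version = read_kv(addr, token, "kv", "my-app/config")
    print("static secret keys:", sorted(secret), "version", version)
    user, _password, lease = get_db_creds(addr, token, "database", "my-app")
    print("dynamic db user:", user, "lease", lease.lease_id, "ttl", lease.lease_duration)
    if lease.needs_renewal(time.time()):
        lease = renew_lease(addr, token, lease)
    revoke_lease(addr, token, lease)
```

Renewing at a fraction of the TTL rather than at expiry, and revoking on shutdown, is what makes the "only when they need them and for a specific duration" property of dynamic secrets hold in practice; a client that simply lets leases run out leaves live database accounts around for the full TTL.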