HashiCorp Vault

Discover KV secrets from HashiCorp Vault. Populates the secrets inventory with path names, version metadata, and rotation timestamps. Secret values are never read.

Source connector

Source connector — pulls identity and access data from HashiCorp Vault into ComplianceScout where it is scored against your compliance frameworks and violation rules.

What ComplianceScout collects

After a successful sync, the following data is available in your ComplianceScout dashboard for violation detection and reporting.

  • Secret paths and names across all scanned KV mounts (values never read)
  • Secret version metadata including creation timestamp and number of versions
  • Last-accessed timestamp and access frequency (if audit log is enabled)
  • KV mount configuration and versioning settings
  • AppRole and token auth method configurations

Required credentials

These fields are collected when you add the connector in the ComplianceScout dashboard. Secrets are encrypted at rest using AES-256-GCM and are never logged.

| Field | Type | Required | Notes |
| --- | --- | --- | --- |
| Vault address | URL | Required | Must use https://. e.g. https://vault.acme.com:8200 |
| Auth method | Text | Required | Enter "token" for a static token, or "approle" for AppRole auth. |
| Vault token | Secret | Optional | Required when authMethod is "token". The token must have list+read on your KV mount(s). |
| AppRole role ID | Text | Optional | Required when authMethod is "approle". |
| AppRole secret ID | Secret | Optional | Required when authMethod is "approle". |
| KV mount paths | Text | Optional | Comma-separated list of KV mount names to scan. Defaults to "secret". e.g. secret,kv,infra |

How to set up this connector

Follow these steps to gather the credentials above and connect HashiCorp Vault to ComplianceScout.

  1. In your Vault cluster, create a policy that allows list and read access on your KV mounts: vault policy write compliancescout-policy - (the trailing - reads the policy from standard input, so enter the policy HCL next).

  2. For token auth: vault token create -policy=compliancescout-policy -ttl=8760h. Copy the token.

  3. For AppRole auth: vault auth enable approle; vault write auth/approle/role/compliancescout policies=compliancescout-policy; vault read auth/approle/role/compliancescout/role-id; vault write -f auth/approle/role/compliancescout/secret-id.

  4. In ComplianceScout, go to Data & Secrets → Integrations → Add Connector → HashiCorp Vault, enter the Vault address and auth credentials.

  5. Specify the KV mount paths to scan (comma-separated) and click Test and Save.
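Step 1 leaves the policy HCL to the reader. The following is an added example, not ComplianceScout's own code: a hypothetical helper, gen_policy, that turns the comma-separated "KV mount paths" value into a policy limited to key names and version metadata. It assumes every listed mount is KV version 2.

```shell
#!/bin/sh
# Added example, not ComplianceScout's own code.
# Assumption: every mount is KV version 2, where <mount>/metadata/* serves key
# names and version metadata and <mount>/data/* serves the secret values.

# gen_policy "<comma-separated mounts>" prints policy HCL on stdout.
# The body runs in a subshell ( ... ) so the IFS change does not leak.
gen_policy() (
  # Default to "secret", the connector's documented default; drop spaces.
  mounts=$(printf '%s' "${1:-secret}" | tr -d ' ')

  # Refuse anything that could break out of the quoted HCL path string.
  case $mounts in
    *[!A-Za-z0-9_/,-]*)
      echo "gen_policy: unsupported character in mount list" >&2
      exit 1 ;;
  esac

  IFS=','
  for m in $mounts; do
    m=${m#/}; m=${m%/}            # tolerate "/infra/" style input
    [ -n "$m" ] || continue       # skip empty entries such as "a,,b"

    # Key names and version metadata only.
    printf 'path "%s/metadata/*" {\n  capabilities = ["read", "list"]\n}\n' "$m"
    # Explicit deny wins even if another attached policy grants data access.
    printf 'path "%s/data/*" {\n  capabilities = ["deny"]\n}\n' "$m"
  done
)
```

Pipe the output into the command from step 1, for example `gen_policy "secret,kv,infra" | vault policy write compliancescout-policy -`. The mount and auth method configuration that the connector also collects would need additional paths, which this page does not list.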

Ready to connect HashiCorp Vault?

Start a free trial — your tenant is provisioned instantly and you can wire up this integration from the connectors page.