Using Secret management service via Vault's GUI and client

Although using Secret management service via FedCloud client is strongly recommended, the service is fully compatible with Hashicorp’s Vault and can be used via the web-based GUI or Vault's native client tool and libraries. The native client tool is more complicated but it has some functionalities not offered by FedCloud client, e.g. token renew. The compatibility also enable integration of existing services and applications that are already using Vault, to the Secret management service.

Using Secret management service via web-based GUI

Vault login via OIDC
  • Login via EGI Check-in and authorize the Vault GUI.

  • You have logged into the Vault GUI. Each user has a private secret space, a "home directory" in the secret engine secrets, with EGI Check-in ID as the folder name.

Vault main window
  • The "home directory" is not created automatically, so for the first time login, you may have to create it. In the secrets folder, click on Create secret on the right side of your screen and create a new secret with a path starting with your EGI Check-in ID (e0b6.… in the screenshot)

Vault main window
  • Your "home directory" will be created together with your first secret. Click on secrets folder, then your ID in the EGI Check-in to enter your private secret space, then browse/view/edit your secrets

Using Secret management service via Vault CLI and access token

$ export VAULT_ADDR=
  • Login to Vault using access tokens:

$ vault write auth/jwt/login jwt=$ACCESS_TOKEN
Key                  Value
---                  -----
token                s.XXXXXXXXXXXXXXXXXXXXXXX
  • The command will return a Vault’s token in the form token   s.XXXXXXXXXXXXXXXXX. Save the token to an environment variable and use it for manipulation with secrets in Vault

  • For convenience, set your Vault’s home path to an environment variable

$ export VAULT_HOME=/secrets/
  • List secrets in your "home directory". VAULT_ADDR and VAULT_TOKEN must be set:

$ vault list $VAULT_HOME
  • Create a new secret with name test in your "home directory", store value value1 in key key1:

$ vault write $VAULT_HOME/test key1=value1
  • Read your secret:

$ vault read $VAULT_HOME/test
Key                 Value
---                 -----
refresh_interval    768h
key1                value1

There are alternative commands kv put, kv get for write, read. The full list of Vault commands is available at

Using Vault via REST API or external clients

Vault has a REST API with similar inputs like the CLI. There is a long list of libraries and external clients/tools for accessing secrets in Vault. See or for more details.