docs/documentation/platform/external-migrations/vault.mdx
This guide helps you migrate from HashiCorp Vault to Infisical. Whether you're moving a single application or your entire secrets infrastructure, Infisical provides tooling to make the transition smooth.
Our in-platform migration tooling lets you set up a connection to your Vault instance once, then import specific resources as needed throughout Infisical. Think of it as creating a "bridge" between Vault and Infisical that you can use repeatedly.
What you can migrate:
Before importing anything, you need to establish a secure connection between Infisical and your Vault instance. This is a one-time setup.
<Steps> <Step title="Create a Vault policy"> In your Vault instance, create a policy that allows Infisical to read your secrets, policies, and authentication configurations. This policy grants read-only access and doesn't allow Infisical to modify or create resources within your Vault instance.<Accordion title="View the complete policy">
```hcl
# System endpoints - for listing namespaces, policies, mounts, and auth methods
path "sys/namespaces" {
capabilities = ["list"]
}
path "sys/policy" {
capabilities = ["read", "list"]
}
path "sys/policy/*" {
capabilities = ["read"]
}
path "sys/mounts" {
capabilities = ["read"]
}
path "sys/auth" {
capabilities = ["read"]
}
# KV v2 secrets - for listing and reading secrets
# Replace '+' with your actual KV v2 mount paths (e.g., "secret", "kv")
path "+/metadata/*" {
capabilities = ["list", "read"]
}
path "+/data/*" {
capabilities = ["read"]
}
# KV v1 secrets - for listing and reading secrets
# Replace '+' with your actual KV v1 mount paths (e.g., "secret", "kv-v1")
# WARNING: This is broad - ideally specify exact mount names
path "+/*" {
capabilities = ["list", "read"]
}
# Kubernetes auth - for reading auth configuration and roles
path "auth/+/config" {
capabilities = ["read"]
}
path "auth/+/role" {
capabilities = ["list"]
}
path "auth/+/role/*" {
capabilities = ["read"]
}
# Kubernetes secrets engine - for reading secrets engine configuration and roles
path "+/config" {
capabilities = ["read"]
}
path "+/roles" {
capabilities = ["list"]
}
path "+/roles/*" {
capabilities = ["read"]
}
```
</Accordion>
Save this policy in Vault with the name `infisical-in-platform-migration`.
Follow the [HashiCorp Vault App Connection documentation](/integrations/app-connections/hashicorp-vault) for detailed setup instructions. When configuring authentication (Token or AppRole), make sure it uses the `infisical-in-platform-migration` policy you created.
Under **In-Platform Migration Tooling**, click **Add configuration**. In the provider chooser, select **HashiCorp Vault**.
Configure the Vault namespace entry:
- **Namespace**: Enter your Vault namespace path (e.g., `admin/namespace1`). If you intend to use the root namespace, set the namespace value to "root".
- **Connection**: Select the App Connection you created in the previous step.
<Note>
You can add multiple Vault rows (different namespaces and/or connections) in the same table if you have several Vault instances or namespaces to migrate from.
</Note>
Once your Vault connection is configured, you'll see import options throughout Infisical wherever relevant. The sections below cover each type of resource you can migrate.
<Tip> **Migration Strategy:** We recommend migrating one application at a time. Start with a non-critical application to familiarize yourself with the process, then proceed to more important services. </Tip>KV secrets are imported into a specific environment (e.g., Development, Staging, Production) within a project. If you're coming from Vault, think of a project as similar to a KV secret engine dedicated to one application.
<Info> **First time?** You'll need to [create a project](/documentation/platform/project) first. A project in Infisical typically represents a single application or microservice. </Info>To import secrets from Vault:
Navigate to your project and select a specific environment (e.g., Development, Production)
In the secrets view, click the dropdown icon (caret) next to the "+ Add Secret" button
Select "Add from HashiCorp Vault"
Select your Vault namespace and one or more secret paths to import (for example, secret/app/prod). Keys are copied using their names from Vault.
If you select multiple paths and the same key name exists in more than one of them, the import aborts and no secrets are saved. </Note>
The secrets will be imported into your current environment and folder path. If your Vault path has nested paths, you can create folders in Infisical to maintain a similar structure.
If you're using Vault's Kubernetes auth method to authenticate your pods, you can migrate this configuration to Infisical's Machine Identities. In Vault, you define Kubernetes roles that specify which service accounts can authenticate. In Infisical, this maps to a Machine Identity with Kubernetes authentication enabled.
To import Kubernetes auth configuration:
First, create a Machine Identity in Infisical
Navigate to Access Control > Machine Identities and select the identity
Click "Add Authentication Method" and choose Kubernetes Auth
In the configuration modal, click "Load from Vault"
Select your Vault namespace and the Kubernetes role
Click "Load"
The authentication settings (allowed service accounts, namespaces, TTL, etc.) will be automatically populated from your Vault configuration.
<Note> Sensitive values like service account JWTs cannot be retrieved from Vault and must be manually provided in the form after importing the configuration. </Note>After importing: You'll need to update your Kubernetes deployments to use the Infisical Kubernetes Operator or Infisical SDK instead of the Vault agent/sidecar.
If you're using Vault's Kubernetes secrets engine to generate short-lived Kubernetes credentials, you can migrate these roles to Infisical's Dynamic Secrets. Both platforms support generating temporary Kubernetes service account tokens or creating temporary service accounts, so the configuration is similar.
To import a Kubernetes dynamic secret configuration:
Navigate to your project and select an environment
Click "+ Add Secret" dropdown and choose "Dynamic Secret"
Select Kubernetes as the provider
Click "Load from Vault" at the top of the form
Select your Vault namespace, Kubernetes secrets engine mount, and role
Click "Load Configuration"
The form will be automatically populated with the role's configuration including:
Learn more about how Dynamic Secrets work in Infisical in the Dynamic Secrets documentation.
Infisical can translate your Vault HCL policies into Infisical project roles. The table below shows how Vault capabilities map to Infisical permissions:
| Vault Capability | Infisical Permission |
|---|---|
read | Read secrets |
list | Read secrets (list is implicit with read) |
create | Create secrets |
update | Edit secrets |
delete | Delete secrets |
To import and translate a policy:
Navigate to your project, then go to Access Control > Roles and create or edit a role
In the policy configuration, click "Add from HashiCorp Vault"
Select your Vault namespace
Either choose an existing policy from the dropdown or paste your own HCL policy
Review the automatically translated Infisical permissions
Make any adjustments and save
Example translation:
# Vault policy
path "secret/data/app/*" {
capabilities = ["read", "list"]
}
Becomes an Infisical role with read permission on secrets in the corresponding environment/folder path. </Tip>
Once you've imported your secrets and configurations, here's how to start using them in your applications:
<CardGroup cols={2}> <Card title="Update Your Applications" icon="code" href="/sdks/overview"> Replace Vault client libraries with Infisical SDKs in your application code </Card> <Card title="Set Up Kubernetes Integration" icon="dharmachakra" href="/integrations/platforms/kubernetes/overview"> Use the Infisical Kubernetes Operator to inject secrets into your pods </Card> </CardGroup>