Migrating from Vault to Infisical - Infisical

This guide helps you migrate from HashiCorp Vault to Infisical. Whether you're moving a single application or your entire secrets infrastructure, Infisical provides tooling to make the transition smooth.

Our in-platform migration tooling lets you set up a connection to your Vault instance once, then import specific resources as needed throughout Infisical. Think of it as creating a "bridge" between Vault and Infisical that you can use repeatedly.

What you can migrate:

KV v1 and KV v2 secrets
Kubernetes auth method configurations (translated to Machine Identities in Infisical)
Kubernetes secrets engine roles (translated to Dynamic Secrets in Infisical)
Vault policies (translated to Infisical project roles)

<Warning> Importing from Vault requires the `Connect` action on `App Connections` and the `Create` action on the relevant subjects — for example, the `Create` action on the `Secrets` subject at the target environment and folder path for KV imports, or the equivalent permission for Machine Identities, Dynamic Secrets, and Roles. </Warning>

Set Up Your Vault Connection

Before importing anything, you need to establish a secure connection between Infisical and your Vault instance. This is a one-time setup.

<Steps> <Step title="Create a Vault policy"> In your Vault instance, create a policy that allows Infisical to read your secrets, policies, and authentication configurations. This policy grants read-only access and doesn't allow Infisical to modify or create resources within your Vault instance.

<Accordion title="View the complete policy">
```hcl
# System endpoints - for listing namespaces, policies, mounts, and auth methods
path "sys/namespaces" {
  capabilities = ["list"]
}

path "sys/policy" {
  capabilities = ["read", "list"]
}

path "sys/policy/*" {
  capabilities = ["read"]
}

path "sys/mounts" {
  capabilities = ["read"]
}

path "sys/auth" {
  capabilities = ["read"]
}

# KV v2 secrets - for listing and reading secrets
# Replace '+' with your actual KV v2 mount paths (e.g., "secret", "kv")
path "+/metadata/*" {
  capabilities = ["list", "read"]
}

path "+/data/*" {
  capabilities = ["read"]
}

# KV v1 secrets - for listing and reading secrets
# Replace '+' with your actual KV v1 mount paths (e.g., "secret", "kv-v1")
# WARNING: This is broad - ideally specify exact mount names
path "+/*" {
  capabilities = ["list", "read"]
}

# Kubernetes auth - for reading auth configuration and roles
path "auth/+/config" {
  capabilities = ["read"]
}

path "auth/+/role" {
  capabilities = ["list"]
}

path "auth/+/role/*" {
  capabilities = ["read"]
}

# Kubernetes secrets engine - for reading secrets engine configuration and roles
path "+/config" {
  capabilities = ["read"]
}

path "+/roles" {
  capabilities = ["list"]
}

path "+/roles/*" {
  capabilities = ["read"]
}
```
</Accordion>

Save this policy in Vault with the name `infisical-in-platform-migration`.

</Step> <Step title="Create a HashiCorp Vault App Connection in Infisical"> In Infisical, create a new App Connection of type **HashiCorp Vault** in one of two places:

- **Project > Integrations > App Connections** — the connection is only visible inside that project.
- **Organization Settings > App Connections** — the connection is visible across every project in the organization.

Follow the [HashiCorp Vault App Connection documentation](/integrations/app-connections/hashicorp-vault) for detailed setup instructions. When configuring authentication (Token or AppRole), make sure the credential uses the `infisical-in-platform-migration` policy you created in the previous step.

<Note>
  You can create more than one connection if you need to migrate from several Vault instances. The Vault namespace is not part of the connection — you pick it inline each time you import a resource.
</Note>

</Step> </Steps>

Migrate Your Resources

Once your Vault connection is configured, you'll see import options throughout Infisical wherever relevant. The sections below cover each type of resource you can migrate.

<Tip> **Migration Strategy:** We recommend migrating one application at a time. Start with a non-critical application to familiarize yourself with the process, then proceed to more important services. </Tip>

Migrating KV Secrets

KV secrets are imported into a specific environment (e.g., Development, Staging, Production) within a project. If you're coming from Vault, think of a project as similar to a KV secret engine dedicated to one application.

<Info> **First time?** You'll need to [create a project](/documentation/platform/project) first. A project in Infisical typically represents a single application or microservice. </Info>

To import secrets from Vault:

Navigate to your project and select a specific environment (e.g., Development, Production)
In the secrets view, click the dropdown icon (caret) next to the "+ Add Secret" button
Select "Add from HashiCorp Vault"
In the modal, pick the App Connection (project- or organization-scoped Vault connections both appear here), then the Vault namespace, then the Secrets Engine (KV mount), and finally one or more Vault secret paths to import (for example, secret/app/prod). Keys are copied using their names from Vault.
<Note>

If you select multiple paths and the same key name exists in more than one of them, the import aborts and no secrets are saved. </Note>

Click "Import Secrets"

The secrets will be imported into your current environment and folder path. If your Vault path has nested paths, you can create folders in Infisical to maintain a similar structure.

Migrating Kubernetes Auth Method

If you're using Vault's Kubernetes auth method to authenticate your pods, you can migrate this configuration to Infisical's Machine Identities. In Vault, you define Kubernetes roles that specify which service accounts can authenticate. In Infisical, this maps to a Machine Identity with Kubernetes authentication enabled.

To import Kubernetes auth configuration:

First, create a Machine Identity in Infisical
Navigate to Access Control > Machine Identities and select the identity
Click "Add Authentication Method" and choose Kubernetes Auth
In the configuration modal, click "Load from Vault"
In the load modal, pick the App Connection, the Vault namespace, and the Kubernetes role
Click "Load"

The authentication settings (allowed service accounts, namespaces, TTL, etc.) will be automatically populated from your Vault configuration.

<Note> Sensitive values like service account JWTs cannot be retrieved from Vault and must be manually provided in the form after importing the configuration. </Note>

After importing: You'll need to update your Kubernetes deployments to use the Infisical Kubernetes Operator or Infisical SDK instead of the Vault agent/sidecar.

Migrating Kubernetes Secrets Engine Roles

If you're using Vault's Kubernetes secrets engine to generate short-lived Kubernetes credentials, you can migrate these roles to Infisical's Dynamic Secrets. Both platforms support generating temporary Kubernetes service account tokens or creating temporary service accounts, so the configuration is similar.

To import a Kubernetes dynamic secret configuration:

Navigate to your project and select an environment
Click "+ Add Secret" dropdown and choose "Dynamic Secret"
Select Kubernetes as the provider
Click "Load from Vault" at the top of the form
In the load modal, pick the App Connection, the Vault namespace, the Kubernetes secrets engine mount, and the role
Click "Load Configuration"

The form will be automatically populated with the role's configuration including:

Cluster URL and CA certificate
Credential type (Static or Dynamic)
Service account name or Kubernetes role settings
Allowed namespaces
Token TTL values
Token audiences

<Note> Sensitive values like cluster tokens cannot be retrieved from Vault and must be manually provided in the form after loading the configuration. </Note> <Tip> The same **Load from Vault** flow is also available on **Cassandra**, **LDAP**, and **SQL Database** dynamic secrets — pick the App Connection, Vault namespace, mount, and role to pre-fill the form. </Tip>

Learn more about how Dynamic Secrets work in Infisical in the Dynamic Secrets documentation.

Migrating Vault Policies

Infisical can translate your Vault HCL policies into Infisical project roles. The table below shows how Vault capabilities map to Infisical permissions:

Vault Capability	Infisical Permission
`read`	Read secrets
`list`	Read secrets (list is implicit with read)
`create`	Create secrets
`update`	Edit secrets
`delete`	Delete secrets

<Note> Policy translation is best-effort and provides a starting point based on your Vault configuration. The translated permissions should be reviewed and adjusted as needed since Vault and Infisical have different access control models. </Note>

To import and translate a policy:

Navigate to your project, then go to Access Control > Roles and create or edit a role
In the policy configuration, click "Add from HashiCorp Vault"
In the modal, pick the App Connection and the Vault namespace
Either choose an existing policy from the dropdown or paste your own HCL policy
Review the automatically translated Infisical permissions
Make any adjustments and save

<Tip> **How policy translation works:** - Vault path patterns are analyzed to identify KV secret engines and environments - Vault capabilities (`read`, `list`, `create`, etc.) are mapped to Infisical permissions - Wildcards in paths are converted to glob patterns - Secret paths are preserved for granular access control

Example translation:

hcl

# Vault policy
path "secret/data/app/*" {
  capabilities = ["read", "list"]
}

Becomes an Infisical role with read permission on secrets in the corresponding environment/folder path. </Tip>

One-time Bulk Import from Vault

If you want to move an entire Vault organization into Infisical in a single shot — rather than importing resources piecemeal from inside each project — use the Bulk Data Import flow. It does not require an App Connection and is intended for initial migrations only. KV Secret Engine is the only supported resource type for bulk import; other resource types (Kubernetes auth, dynamic secrets, policies) must use the per-resource flows described above.

<Warning> Bulk Data Import is restricted to **organization admins**. </Warning>

To run a bulk import:

Navigate to Organization Settings > External Migrations
Click Import and choose HCP Vault
Fill in the import form:
- Gateway (optional) — route the import through a gateway if your Vault instance is private
- Vault URL — your Vault address (e.g. https://vault.example.com)
- Vault Namespace (optional) — leave blank for the root namespace
- Vault Access Token — a token with read access to the KV mounts you want to import
- Project Mapping — how Vault resources map onto Infisical projects:
  - Key Vaults — each KV mount becomes an Infisical project. A default Production environment is created per project; secret paths become folders.
  - Namespaces — each Vault namespace becomes a project; each KV mount inside it becomes an environment; secret paths become folders.
  - Custom Migration — available on request; contact sales to discuss tailored mappings.
Submit the form. Infisical will run the import asynchronously and email you when it finishes (or if it fails). This may take up to 10 minutes.

Next Steps After Migration

Once you've imported your secrets and configurations, here's how to start using them in your applications:

<CardGroup cols={2}> <Card title="Update Your Applications" icon="code" href="/sdks/overview"> Replace Vault client libraries with Infisical SDKs in your application code </Card> <Card title="Set Up Kubernetes Integration" icon="dharmachakra" href="/integrations/platforms/kubernetes/overview"> Use the Infisical Kubernetes Operator to inject secrets into your pods </Card> </CardGroup>