#hashi-corp #vault #client #api-client #api-key


An asynchronous Rust client library for the Hashicorp Vault API

16 releases

0.7.2 Mar 20, 2024
0.7.0 Mar 25, 2023
0.6.2 May 13, 2022
0.6.0 Mar 15, 2022
0.5.4 Sep 22, 2021

#14 in Authentication

Download history 11588/week @ 2024-02-15 13044/week @ 2024-02-22 11942/week @ 2024-02-29 13449/week @ 2024-03-07 14930/week @ 2024-03-14 13116/week @ 2024-03-21 12591/week @ 2024-03-28 14244/week @ 2024-04-04 14079/week @ 2024-04-11 14720/week @ 2024-04-18 16295/week @ 2024-04-25 18715/week @ 2024-05-02 17327/week @ 2024-05-09 14516/week @ 2024-05-16 15108/week @ 2024-05-23 12586/week @ 2024-05-30

63,209 downloads per month
Used in 7 crates

MIT license



An asynchronous Rust client library for the Hashicorp Vault API

The following features are currently supported:

See something missing? Open an issue.


First, choose one of the two TLS implementations for vaultrs' connection to Vault:

  • rustls (default) to use Rustls
  • native-tls to use rust-native-tls, which builds on your platform-specific TLS implementation.

Then, add vaultrs as a dependency to your cargo.toml:

  1. To use Rustls, import as follows:
vaultrs = "0.7.1"
  1. To use rust-native-tls, which builds on your platform-specific TLS implementation, specify:
vaultrs = { version = "0.7.1", default-features = false, features = [ "native-tls" ] }



The client is used to configure the connection to Vault and is required to be passed to all API calls for execution. Behind the scenes it uses an asynchronous client from Reqwest for communicating to Vault.

use vaultrs::client::{VaultClient, VaultClientSettingsBuilder};

// Create a client
let client = VaultClient::new(



The library currently supports all operations available for the AWS Secret Engine.

See tests/aws.rs for more examples.

use vaultrs::sys::mount;
use vaultrs::aws;
use vaultrs::api::aws::requests::{SetConfigurationRequest, CreateUpdateRoleRequest, GenerateCredentialsRequest};

// Mount AWS SE
mount::enable(&client, "aws_test", "aws", None).await?;

// Configure AWS SE
aws::config::set(&client, "aws_test", "access_key", "secret_key", Some(SetConfigurationRequest::builder()        

// Create HVault role
aws::roles::create_update(&client, "aws_test", "my_role", "assumed_role", Some(CreateUpdateRoleRequest::builder()
        .role_arns( vec!["arn:aws:iam::123456789012:role/test_role".to_string()] )

// Generate credentials
let res = aws::roles::credentials(&client, "aws_test", "my_role", Some(GenerateCredentialsRequest::builder()

let creds = res;
// creds.access_key
// creds.secret_key
// creds.security_token

Key Value v2

The library currently supports all operations available for version 2 of the key/value store.

use serde::{Deserialize, Serialize};
use vaultrs::kv2;

// Create and read secrets
#[derive(Debug, Deserialize, Serialize)]
struct MySecret {
    key: String,
    password: String,

let secret = MySecret {
    key: "super".to_string(),
    password: "secret".to_string(),

let secret: MySecret = kv2::read(&client, "secret", "mysecret").await.unwrap();
println!("{}", secret.password); // "secret"

Key Value v1

The library currently supports all operations available for version 1 of the key/value store.

use vaultrs::kv1;
use std::collections::HashMap;

let my_secrets = HashMap::from([
    ("key1".to_string(), "value1".to_string()),
    ("key2".to_string(), "value2".to_string())

kv1::set(&client, "secret", "my/secrets", &my_secrets).await.unwrap();

let read_secrets: HashMap<String, String> = kv1::get(&client, "secret", "my/secrets").await.unwrap();

println!("{:}", read_secrets.get("key1").unwrap()); // value1

let list_secret = kv1::list(&client, "secret", "my").await.unwrap();

println!("{:?}", list_secret.data.keys); // [ "secrets" ]

kv1::delete(&client, "secret", "my/secrets").await.unwrap();


The library currently supports all operations available for the PKI secrets engine.

use vaultrs::api::pki::requests::GenerateCertificateRequest;
use vaultrs::pki::cert;

// Generate a certificate using the PKI backend
let cert = cert::generate(
println!("{}", cert.certificate) // "{PEM encoded certificate}"


The library supports most operations for the Transit secrets engine, other than importing keys or batch_input parameters.

use vaultrs::api::transit::requests::CreateKeyRequest;
use vaultrs::api::transit::KeyType;
use vaultrs::transit::key;

// Create an encryption key using the /transit backend


All requests implement the ability to be wrapped. These can be passed in your application internally before being unwrapped.

use vaultrs::api::ResponseWrapper;
use vaultrs::api::sys::requests::ListMountsRequest;

let endpoint = ListMountsRequest::builder().build().unwrap();
let wrap_resp = endpoint.wrap(&client).await; // Wrapped response

let wrap_resp = wrap_resp.unwrap(); // Unwrap Result<>
let info = wrap_resp.lookup(&client).await; // Check status of this wrapped response

let unwrap_resp = wrap_resp.unwrap(&client).await; // Unwrap the response

let info = wrap_resp.lookup(&client).await; // Error: response already unwrapped

Error Handling and Tracing

All errors generated by this crate are wrapped in the ClientError enum provided by the crate. API warnings are automatically captured via tracing and API errors are captured and returned as their own variant. Connection related errors from rustify are wrapped and returned as a single variant.

All top level API operations are instrumented with tracing's #[instrument] attribute.


See the the tests directory for tests. Run tests with cargo test.

Note: All tests rely on bringing up a local Vault development server using Docker. In order to run tests Docker must be running locally (Docker Desktop works).


Check out the issues for items needing attention or submit your own and then:

  1. Fork the repo (https://github.com/jmgilman/vaultrs/fork)
  2. Create your feature branch (git checkout -b feature/fooBar)
  3. Commit your changes (git commit -am 'Add some fooBar')
  4. Push to the branch (git push origin feature/fooBar)
  5. Create a new Pull Request

See CONTRIBUTING for extensive documentation on the architecture of this library and how to add additional functionality to it.


~350K SLoC