Hello HashiCorp community. As a newbie in the HashiCorp ecosphere I have a question about where and how the credentials for accessing the Vault via HCP CLI are stored on a Windows 11 system. I used 'hcp auth login' and then logged in interactively in the web browser. Where are the credentials stored? Are they stored encrypted in the credential manager of Windows? Thanks in advance for an eventual answer.
Thanks a lot for your answer. I appreciate your support. I do really care about security, that is why I want to use Vault for our secret management. Honestly, I find it kind of ironic that the interactive login to the HCP Vault is leaving clear text credentials and token on my machine, even when they are bound to my user home. We will use least privilege service principals and session-based environment variables to connect via CLI or API at this point. For a production workflow we will need a solution that stores local secrets (also those needed to connect to the Vault and other APIs) in an encrypted format. Thanks again.
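The plan in the post above (least-privilege service principal, session-scoped environment variables, encrypted local storage) worked through for Windows 11 as an added example; this is not code from the thread or from HashiCorp. It assumes the hcp CLI honours the HCP_CLIENT_ID and HCP_CLIENT_SECRET environment variables, and the file name under $env:LOCALAPPDATA is an arbitrary choice.

```powershell
# Added example (not from the thread): keep an HCP service principal secret
# DPAPI-encrypted on disk and expose it to the hcp CLI only for the current
# PowerShell session via environment variables.
# Assumptions: hcp reads HCP_CLIENT_ID / HCP_CLIENT_SECRET; the file path is ours.

$CredPath = Join-Path $env:LOCALAPPDATA 'hcp-sp.cred.xml'

function Save-HcpServicePrincipal {
    param([Parameter(Mandatory)][string]$ClientId)
    # Read-Host -AsSecureString never echoes the secret. Export-Clixml writes the
    # SecureString encrypted with DPAPI, bound to this user on this machine, so
    # the file is useless to another account or on another host.
    $secret = Read-Host -Prompt 'HCP client secret' -AsSecureString
    $cred = [pscredential]::new($ClientId, $secret)
    $cred | Export-Clixml -Path $CredPath

    # Defence in depth: strip inherited ACEs and allow only the current user.
    $acl = Get-Acl -Path $CredPath
    $acl.SetAccessRuleProtection($true, $false)
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $me, 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $CredPath -AclObject $acl
}

function Use-HcpServicePrincipal {
    # Decrypts in memory only; the variables live in this session, not in the
    # user or machine environment, and vanish when the window closes.
    $cred = Import-Clixml -Path $CredPath
    $env:HCP_CLIENT_ID     = $cred.UserName
    $env:HCP_CLIENT_SECRET = $cred.GetNetworkCredential().Password
}

function Clear-HcpServicePrincipal {
    # Drop the secret from the session as soon as the hcp work is done.
    Remove-Item -Path Env:HCP_CLIENT_ID, Env:HCP_CLIENT_SECRET -ErrorAction SilentlyContinue
}

# One-time setup:   Save-HcpServicePrincipal -ClientId '<service-principal-client-id>'
# Per session:      Use-HcpServicePrincipal; <hcp commands>; Clear-HcpServicePrincipal
```

Nothing in clear text reaches disk; what remains on the machine is a DPAPI blob readable only by the same Windows user on the same host.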
@markuseicher - are you referring to HCP Vault Secrets? There are two options in the HashiCorp Cloud Platform - HCP Vault Secrets, which uses the HCP CLI in your question, and HCP Vault Dedicated, which uses the Vault CLI.
Based on the question that you are using the HCP CLI, I am assuming HCP Vault Secrets but would like to confirm.
Hi Jonathan. Thanks for reaching out. I am currently using the HCP Vault Secrets with the free plan and not the dedicated one. My final goal will be to have a Vault self-hosted. But for now and to learn how to use and configure it, I am good with the free plan.
Cool - thanks for confirming. The previous answer is partially correct. The HCP CLI (and Vault CLI) work on common authentication and authorization workflows.
Your credentials are NOT stored on your local machine (unless you have saved them there).
When you log into the HCP portal with your username and password (wherever that comes from) the platform checks your authentication request and authorizes access based on whatever roles are associated with that username/password.
Once authenticated, an access token is returned. That token is stored, but it's not your username and password. This is a common OAuth flow - for example the Azure CLI, or for browser based tools something like Okta.
Personally, I prefer this to, say, the AWS CLI which does store your credentials in the form of your access key and secret key in a file.
I hope that eases your concerns on security.
Please note, however, if you are planning to self host Vault (not Vault Secrets which is SaaS only) there are differences in how they work. HCP Vault Secrets is similar to the Vault K/V secrets engine, but they are two different tools.
You can check out tutorials on
HCP Vault Secrets:
Vault (which you can self-host, or run on HCP):
Very grateful for this explanation, Jonathan. Thank you. Will check out the two documents next.