HashiCorp Vault
HashiCorpidentity8 credentials
Vault Token
hashicorp-vault / vault-token
Vault tokens are the core credential used to authenticate requests to Vault. HashiCorp documents service, batch, and recovery token prefixes, including hvs., hvb., and hvr. for Vault 1.10 and later.
Looks like
examplehvs.XXXXXXXXXXXXXXXXXXXXXXXXhvb.XXXXXXXXXXXXXXXXXXXXXXXXhvr.XXXXXXXXXXXXXXXXXXXXXXXXs.XXXXXXXXXXXXXXXXXXXXXXXXb.XXXXXXXXXXXXXXXXXXXXXXXXr.XXXXXXXXXXXXXXXXXXXXXXXXLocation
VAULT_TOKENX-Vault-Token, AuthorizationVault API accepts X-Vault-Token or Authorization Bearer token headers
~/.vault-tokendefault local token helper file used by the Vault CLI
Vault Agent token sink files, application config, .env files, deployment manifests
CI/CD variables, Kubernetes Secrets, cloud secret managers, orchestration secrets
CLI output, HTTP traces, application debug logs, Vault Agent logs
automation scripts, Terraform providers, tests, notebooks, committed examples
Notes
Root tokens are Vault tokens with root policy. HashiCorp recommends root tokens only for initial setup or emergencies and revoking them when no longer needed. Treat any Vault token as a bearer credential scoped by its policies, TTL, namespace, and renewal properties.
Initial Root Token
hashicorp-vault / initial-root-token
Vault initialization produces an initial root token for a non-dev server, and the dev server also outputs a root token. This is the first authentication method for a new Vault and carries root privileges until revoked or expired.
Looks like
examplehvs.XXXXXXXXXXXXXXXXXXXXXXXXLocation
vault operator init output, dev server console output, install transcripts
initialization JSON, runbooks, screenshots, bootstrap archives, ticket attachments
break-glass vaults and bootstrap secret stores
~/.vault-tokenCLI login can cache the initial root token locally
Notes
Do not treat this as a static default. The value is generated per initialization. Exposure is high impact because root policy bypasses normal least-privilege boundaries.
Unseal / Recovery Key Share
hashicorp-vault / unseal-key
Vault initialization generates unseal key shares for Shamir-sealed clusters or recovery keys for auto-unseal and recovery workflows. A quorum of key shares can unseal Vault or authorize sensitive operations such as generating a root token.
Looks like
exampleXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXLocation
vault operator init output and initialization transcripts
init JSON files, printed shares, screenshots, ticket attachments, backup bundles
HSM-backed stores, password managers, enterprise vaults, escrow stores
unsafe bootstrap files or copied operator notes containing key shares
Notes
A single share is usually not enough to unseal Vault, but enough shares or recovery keys can authorize critical operations. Treat leaked shares as incident material and rotate/rekey according to quorum procedures.
AppRole RoleID / SecretID
hashicorp-vault / approle-role-id-secret-id
The AppRole auth method lets machines authenticate with a RoleID and a SecretID. The RoleID identifies the role; the SecretID is the sensitive credential used during login to receive a Vault token.
Looks like
patternrole_id\s*[:=]\s*[0-9a-fA-F-]{20,}secret_id\s*[:=]\s*[0-9a-fA-F-]{20,}Location
Vault Agent auto-auth config, application config, .env files, deployment manifests
VAULT_ROLE_ID, VAULT_SECRET_IDKubernetes Secrets, CI/CD variables, cloud secret managers
provisioning output, curl traces, Vault Agent logs, CI logs
bootstrap scripts, Terraform, Ansible, Helm values, committed examples
Notes
RoleID alone may be public in some designs, but RoleID plus SecretID is sufficient to authenticate as the AppRole and receive a Vault token. SecretID wrapping is common; unwrap tokens should be treated as bearer credentials during their TTL.
Username / Password Auth Credential
hashicorp-vault / userpass-password
Vault's userpass auth method allows users to authenticate with a username and password. Successful login returns a Vault token governed by the auth method, policies, and identity mapping.
Location
/ui, /v1/auth/userpass/login/<username>password managers, identity-provider vaults, enterprise secret stores
automation config or test fixtures that store userpass credentials
scripts, test suites, demos, notebooks, committed .env files
CLI command history, debug logs, HTTP traces containing login payloads
Notes
No universal Vault userpass default is documented. Userpass passwords are operator-defined and should be rotated if found in automation or logs.
Database Secrets Engine Credential
hashicorp-vault / database-generated-credential
Vault's database secrets engine can generate dynamic database usernames and passwords or manage static-role passwords for existing database users. Clients read the creds endpoint to receive a leased credential.
Looks like
patternusername\s+v-[A-Za-z0-9_-]+-[A-Za-z0-9_-]+password\s+[^\s]+Location
database/creds/<role> responses containing username, password, lease_id, and lease_duration
CLI output, application debug logs, CI job logs, database connection logs
application runtime variables populated from Vault database credentials
application secret caches and orchestration-managed secret sync targets
rendered templates from Vault Agent or sidecars containing leased database credentials
Notes
Dynamic credentials expire with the Vault lease. Static-role credentials map one Vault role to one database username and may be rotated by Vault.
KV Secret Value
hashicorp-vault / kv-secret-value
The key/value secrets engine stores arbitrary operator-defined secrets, including API keys, passwords, certificates, and application tokens. These values are not a Vault authentication credential, but Vault is a primary storage location for other products' credentials.
Location
Vault storage backend data encrypted by Vault's barrier
KV read responses returning data fields
Vault Agent templates, rendered config files, synced secret files
application runtime variables populated from KV secrets
CLI output, application debug logs, template rendering logs
downstream secret sync targets and external secret stores
Notes
Classify recognizable KV values under their underlying product entry as well. In this Vault entry, KV documents the storage location and leak surface for arbitrary secrets.
TLS Client Auth Private Key
hashicorp-vault / tls-client-private-key
Vault's TLS certificate auth method can authenticate clients using a client certificate and matching private key. The private key is the secret half of the credential.
Looks like
pattern-----BEGIN (RSA |EC |OPENSSH |)PRIVATE KEY-----Location
client certificate/key files, Vault Agent config, mTLS client config
Kubernetes TLS Secrets, certificate managers, cloud secret managers
accidentally committed test cert bundles, examples, or deployment fixtures
backup archives, support bundles, CI artifacts, container/VM images
Notes
The public certificate alone is not secret; the private key is. A leaked key can authenticate to Vault where the cert auth role trusts the corresponding certificate identity.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.