Scoped, auditable credential access for ADK-Rust Enterprise agents. Provides 8 MCP tools over 5 pluggable vault backends — never exposes raw secrets to LLM context.
Credentials Vault MCP Server
Scoped, auditable credential access for ADK-Rust Enterprise agents. Provides 8 MCP tools over 5 pluggable vault backends — never exposes raw secrets to LLM context.
Architecture
Key Principles
- Zero secret exposure — raw secrets never reach LLM context. Tools return handles and short-lived tokens only.
- Scoped access — credentials declare which agents, skills, and MCP servers can use them.
- Full audit trail — every access, denial, rotation, and revocation is logged.
- Pluggable backends — use one or many vault backends simultaneously.
- Registry-ready — ships with
mcp-server.tomlfor automatic ADK-Rust Enterprise onboarding.
Tools
| Tool | Purpose | Risk Class |
|------|---------|------------|
| list_credentials | List credential metadata (never raw values) | Read-only |
| get_credential_metadata | Inspect owner, scope, expiry, rotation, risk | Read-only |
| request_runtime_secret | Issue scoped runtime handle after policy checks | Identity/Security |
| request_workload_token | Mint short-lived OIDC/workload identity token | Identity/Security |
| rotate_credential | Rotate secret through approved workflow | Identity/Security |
| revoke_credential | Disable compromised or expired credential | Identity/Security |
| audit_credential_access | Retrieve access/denial/rotation audit events | Read-only |
| validate_secret_scope | Check if an actor can use a credential | Read-only |
Backends
| Backend | Feature Flag | Use Case |
|---------|-------------|----------|
| HashiCorp Vault | hashicorp | Self-hosted, KV v2, dynamic secrets |
| AWS Secrets Manager | aws | AWS-native workloads |
| GCP Secret Manager | gcp | GCP-native workloads |
| Azure Key Vault | azure | Azure-native workloads |
| ADK Vault | adk-vault | Platform-managed credentials (default) |
| ADK Platform API | adk-platform | ADK-Rust Enterprise centralized management |
Installation
Build from source
git clone https://github.com/zavora-ai/mcp-credentials-vault
cd mcp-credentials-vault
cargo build --release --features all-backends
The binary is at target/release/mcp-credentials-vault.
Claude Desktop
Add to ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):
{
"mcpServers": {
"credentials-vault": {
"command": "/path/to/mcp-credentials-vault",
"args": [],
"env": {
"RUST_LOG": "info"
}
}
}
}
Kiro
Add to your project's .kiro/settings/mcp.json:
{
"mcpServers": {
"credentials-vault": {
"command": "/path/to/mcp-credentials-vault",
"args": [],
"env": {
"RUST_LOG": "info"
}
}
}
}
Codex (OpenAI)
Add to ~/.codex/config.json:
{
"mcpServers": {
"credentials-vault": {
"command": "/path/to/mcp-credentials-vault"
}
}
}
Antigravity
Add to your Antigravity workspace MCP configuration:
{
"servers": [
{
"name": "credentials-vault",
"transport": "stdio",
"command": "/path/to/mcp-credentials-vault",
"env": {
"RUST_LOG": "info"
}
}
]
}
Open Code
Add to ~/.config/opencode/config.json:
{
"mcp": {
"credentials-vault": {
"command": "/path/to/mcp-credentials-vault",
"args": []
}
}
}
Cursor
Add to .cursor/mcp.json in your project root:
{
"mcpServers": {
"credentials-vault": {
"command": "/path/to/mcp-credentials-vault",
"args": []
}
}
}
Windsurf
Add to ~/.codeium/windsurf/mcp_config.json:
{
"mcpServers": {
"credentials-vault": {
"command": "/path/to/mcp-credentials-vault",
"args": []
}
}
}
Any MCP Client (Streamable HTTP)
For clients that support HTTP transport, run the server in HTTP mode:
mcp-credentials-vault --transport http --port 8080
Then connect your client to http://localhost:8080/mcp.
Docker
docker run -p 8080:8080 \
-e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
-e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \
-e GOOGLE_APPLICATION_CREDENTIALS=/creds/gcp.json \
-v ~/.config/gcloud/application_default_credentials.json:/creds/gcp.json \
ghcr.io/zavora-ai/mcp-credentials-vault:latest
Quick Start
Installation
[dependencies]
mcp-credentials-vault = { version = "1.0", features = ["all-backends"] }
Or select specific backends:
[dependencies]
mcp-credentials-vault = { version = "1.0", features = ["aws", "gcp"] }
Running as MCP Server
use mcp_credentials_vault::{adk_vault::AdkVaultBackend, server::CredentialsVaultServer};
use rmcp::{ServiceExt, transport::stdio};
#[tokio::main]
async fn main() -> anyhow::Result<()> {
let backend = AdkVaultBackend::new(Some("./credentials.json".into()));
let server = CredentialsVaultServer::new(vec![Box::new(backend)]);
let service = server.serve(stdio()).await?;
service.waiting().await?;
Ok(())
}
Multi-backend Configuration
use mcp_credentials_vault::{
adk_vault::AdkVaultBackend,
aws::AwsBackend,
gcp::GcpBackend,
server::CredentialsVaultServer,
};
let server = CredentialsVaultServer::new(vec![
Box::new(AdkVaultBackend::new(None)),
Box::new(AwsBackend::new(Some("us-east-1".into())).await),
Box::new(GcpBackend::new("my-project".into()).await?),
]);
Configuration
Environment Variables
| Variable | Backend | Purpose |
|----------|---------|---------|
| ADK_PLATFORM_URL | ADK Platform | Platform base URL |
| ADK_PLATFORM_API_KEY | ADK Platform | API key (ep_live_xxxx) |
| ADK_WORKSPACE_ID | ADK Platform | Workspace UUID |
| ADK_VAULT_PATH | ADK Vault | JSON persistence file path |
| VAULT_ADDR | HashiCorp | Vault server URL |
| VAULT_TOKEN | HashiCorp | Authentication token |
| AWS_REGION | AWS | AWS region |
| AWS_ACCESS_KEY_ID | AWS | AWS credentials (or use IAM role) |
| GCP_PROJECT_ID | GCP | GCP project ID |
| AZURE_VAULT_URL | Azure | Key Vault URL |
| AZURE_ACCESS_TOKEN | Azure | Azure AD token |
MCP Server Manifest
The server ships with mcp-server.toml for ADK-Rust Enterprise registry onboarding:
server_id = "mcp_credentials_vault"
display_name = "Credentials Vault MCP"
version = "1.0.0"
domain = "platform"
risk_level = "critical"
writes_allowed = "gated"
transports = ["stdio", "streamable_http"]
governance_gates = ["policy_evaluation_required", "audit_all_access"]
Security Model
Agent requests credential → Scope validation → Policy check → Handle issued
│
▼
Runtime worker resolves
handle to actual secret
(outside LLM context)
- Agents never see raw secrets — only handles with expiry and scope
- Scope enforcement — credentials declare allowed actors
- Audit everything — access, denials, rotations, revocations
- Short-lived tokens — workload tokens expire (default 5 min for runtime, 1 hour for workload)
- Governance gates —
rotateandrevokerequire approval in production
Testing
# Build with all backends
cargo build --features all-backends
# Run tests (ADK Vault — no external deps)
cargo test
# Run with real backends (requires credentials)
cargo test --features all-backends
# Run the integration test binary
cargo run --features all-backends
Documentation
| Document | Description | |----------|-------------| | API Reference | All 8 tools with parameters, returns, and examples | | Backends | Configuration for each vault backend | | Security Model | Zero-exposure architecture and threat model | | CHANGELOG.md | Version history | | mcp-server.toml | ADK-Rust Enterprise registry manifest | | CONTRIBUTING.md | Development guidelines | | SECURITY.md | Vulnerability reporting | | Rust Docs | Generated API documentation |
Contributing
See CONTRIBUTING.md for development setup and guidelines.
Contributors
| 
James Karanja Maina |
|:---:|
License
Apache-2.0 — see LICENSE for details.
Part of the ADK-Rust Enterprise MCP server ecosystem.
Built with ❤️ by Zavora AI